Critical Bugs Discovered In Yahoo Messenger and Microsoft GDI+

Three new vulnerabilities have been made public this week: two in the Yahoo Messenger Webcam ActiveX controls and one in Microsoft GDI+.

Yahoo! Messenger Webcam Upload ActiveX Control Buffer Overflow

Security company eEye Digital Security has discovered two vulnerabilities in Yahoo's instant messenger client software and reported them to Yahoo. The bugs are critical because they allow remote code execution. Yahoo gave them its highest security threat rating.
The vulnerable control is part of the code for webcam image upload and viewing (ywcupl.dll). Yahoo is working on a patch; nevertheless, two publicly available exploits have been submitted to the Bugtraq and Full-Disclosure mailing lists. We think it will be actively exploited by malware in a few days.
The PoCs are harmless (they execute calc.exe), but it would be very easy to swap in a more dangerous shellcode.
Yahoo! Messenger version 8.1.0.249, incorporating ywcupl.dll version 2.0.1.4, is vulnerable. This vulnerability is currently unpatched.
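Until a patch ships, the practical question for an administrator is whether the copy of ywcupl.dll on each machine is the version the advisory names. The script below is an added example written for this post, not eEye's or Yahoo's code: it compares dotted file versions numerically (a plain string comparison would wrongly rank 2.0.1.10 below 2.0.1.4). It assumes, since the post names only 2.0.1.4 and says no fix exists, that 2.0.1.4 and older builds are vulnerable and that anything newer needs a manual check against Yahoo's patch notes; the host inventory at the bottom is constructed.

```python
"""Added example: classify an observed ywcupl.dll file version against the
version the advisory names as vulnerable (2.0.1.4).

Assumption: 2.0.1.4 and anything older is treated as vulnerable; anything
newer is flagged for review because no fixed version has been published yet.
"""
from typing import Tuple

KNOWN_VULNERABLE = "2.0.1.4"   # version named in the advisory text


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted file version such as '2.0.1.4' into a tuple of ints.

    Numeric tuples compare correctly; string comparison would wrongly
    rank '2.0.1.10' below '2.0.1.4'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def classify_ywcupl(version: str) -> str:
    """Return 'vulnerable', 'review' or 'invalid' for an observed ywcupl.dll version."""
    try:
        observed = parse_version(version)
    except ValueError:
        return "invalid"
    known = parse_version(KNOWN_VULNERABLE)
    # Pad the shorter tuple with zeros so '2.0.1' and '2.0.1.0' compare equal.
    width = max(len(observed), len(known))
    observed += (0,) * (width - len(observed))
    known += (0,) * (width - len(known))
    if observed <= known:
        return "vulnerable"
    # Newer than the advisory version: confirm against Yahoo's patch notes.
    return "review"


if __name__ == "__main__":
    # Constructed inventory of (host, observed version) pairs, not real data.
    inventory = [("pc-01", "2.0.1.4"), ("pc-02", "2.0.1.10"),
                 ("pc-03", "1.9.0.0"), ("pc-04", "n/a")]
    for host, ver in inventory:
        print(f"{host}: ywcupl.dll {ver} -> {classify_ywcupl(ver)}")
```

On a Windows host the version string itself comes from the DLL's VERSIONINFO resource, for example `(Get-Item <path to ywcupl.dll>).VersionInfo.FileVersion` in PowerShell; the install path is not given in the post, so it is left as a placeholder here.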

Microsoft GDI+ Integer division by zero flaw handling .ICO files

CSIS Security Group has found an "integer division by zero" flaw in GDI+ when parsing .ICO files. The vulnerability does not allow remote code execution, but it does allow crashing Windows Explorer and other components such as "Windows Picture and Fax Viewer". The flaw was reported to Microsoft and MSRC confirmed the vulnerability. It will be fixed in the next Service Pack. The full advisory can be downloaded at the following link: http://www.csis.dk/dk/forside/GdiPlus.pdf
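The bug class here is worth seeing in code: an image parser derives a divisor from a header field the file controls, and a zero in that field takes the process down. The parser below is an added example written for this post, not CSIS's advisory or GDI+ code. It reads the real .ICO directory layout (ICONDIR followed by 16-byte ICONDIRENTRY records), but the arithmetic it then performs is a hypothetical stand-in, since the post does not say which field GDI+ divides by: a consumer that computes a pixel row count as resource size divided by a stride derived from width and bit depth. The sample ICO blobs are constructed in the code.

```python
"""Added example: minimal .ICO directory parser illustrating an unchecked
integer division by a file-controlled value, beside a hardened version.

The stride/row arithmetic is hypothetical (the post does not name the GDI+
field involved); the ICONDIR / ICONDIRENTRY layout is the real .ICO format.
"""
import struct
from typing import Dict, List, Tuple

ICONDIR = struct.Struct("<HHH")              # idReserved, idType (1 = icon), idCount
ICONDIRENTRY = struct.Struct("<BBBBHHII")    # bWidth, bHeight, bColorCount, bReserved,
                                             # wPlanes, wBitCount, dwBytesInRes, dwImageOffset


def parse_ico_directory(data: bytes) -> List[Dict[str, int]]:
    """Return one dict per directory entry; raise ValueError on a malformed header."""
    if len(data) < ICONDIR.size:
        raise ValueError("truncated ICONDIR")
    reserved, ico_type, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or ico_type != 1:
        raise ValueError("not an .ICO file")
    entries = []
    for i in range(count):
        off = ICONDIR.size + i * ICONDIRENTRY.size
        if off + ICONDIRENTRY.size > len(data):
            raise ValueError("truncated ICONDIRENTRY")
        w, h, _colors, _res, planes, bitcount, size, offset = ICONDIRENTRY.unpack_from(data, off)
        entries.append({
            "width": w or 256, "height": h or 256,   # a 0 byte means 256 pixels
            "planes": planes, "bitcount": bitcount,
            "bytes_in_res": size, "image_offset": offset,
        })
    return entries


def row_count_unchecked(entry: Dict[str, int]) -> int:
    """Hypothetical consumer: rows = resource size / stride, with no guard.

    A zero bit depth (or width * bitcount < 8) makes the stride 0 and the
    division raises here; in native code it is a divide-by-zero exception.
    """
    stride = entry["width"] * entry["bitcount"] // 8
    return entry["bytes_in_res"] // stride


def row_count_checked(entry: Dict[str, int]) -> int:
    """Hardened version: reject any entry whose derived divisor is zero."""
    stride = entry["width"] * entry["bitcount"] // 8
    if stride == 0:
        raise ValueError("rejecting ICO entry with zero stride (width/bitcount)")
    return entry["bytes_in_res"] // stride


def build_ico(entries: List[Tuple[int, int, int, int]]) -> bytes:
    """Construct an ICO header blob from (width, height, bitcount, bytes_in_res) tuples."""
    blob = ICONDIR.pack(0, 1, len(entries))
    offset = ICONDIR.size + ICONDIRENTRY.size * len(entries)
    for w, h, bitcount, size in entries:
        blob += ICONDIRENTRY.pack(w, h, 0, 0, 1, bitcount, size, offset)
        offset += size
    return blob


# Constructed samples: a well-formed 16x16 32-bit entry, and one with bit depth 0.
GOOD_ICO = build_ico([(16, 16, 32, 16 * 16 * 4)])
BAD_ICO = build_ico([(16, 16, 0, 1024)])

if __name__ == "__main__":
    for label, blob in (("good", GOOD_ICO), ("bad", BAD_ICO)):
        entry = parse_ico_directory(blob)[0]
        try:
            print(label, "unchecked rows:", row_count_unchecked(entry))
        except ZeroDivisionError as exc:
            print(label, "unchecked parser crashed:", exc)
        try:
            print(label, "checked rows:", row_count_checked(entry))
        except ValueError as exc:
            print(label, "checked parser rejected file:", exc)
```

The guard is deliberately placed on the derived divisor rather than on the raw bit-depth field alone, so it also catches the width * bitcount < 8 edge case that a single field check would miss.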



May spyware list

This month there have been changes in the first two positions. Adware/Lop occupies the first position and, 47 detections behind it, the second position is occupied by Application/MyWebSearch. Meanwhile, Adware/Gator drops to third position in the ranking.


1: Adware/Lop
2: Application/MyWebSearch
3: Adware/Gator
4: Application/Winantivirus2006
5: Spyware/Virtumonde
6: Adware/SaveNow


Adware/SpyLocked goes up from the 23rd to the 17th position. This adware promotes the rogue antispyware called SpyLocked and is mainly distributed through fake codecs.


Trj/Abwiz.A is in the 34th position; it is a Trojan that registers itself as a BHO and steals passwords from the computer.


Exploit/LoadImage joins the ranking in the 44th position. It is a generic detection of an exploit we had already mentioned, which affects ANI files. Moreover, this exploit is one of the most used by exploit kits such as Mpack for installing malware.



The Cimuz uninstaller

Checking a server that installs a variant of Trj/Cimuz, I came across a link that pointed to a remover.exe file:


After analyzing the code of the file, I noticed that it uninstalled the same variant of Trj/Cimuz that had been previously installed from that very same server.


I suppose this is the way the author tests whether the Trojan works properly and then gets easily disinfected using the uninstaller.



Pirates of the Caribbean: At World’s End

No, it's not about the Disney movie that you can see in cinemas today. There has been a massive mailing of a message with an attached file that is supposed to be the movie trailer; the name of the file is:


Official_Trailer_Pirates_of_the_Caribbean_At_World’s_End.exe


We have received several hundred samples proactively blocked by TruPrevent, most of them coming from Italy. Once you run the file (detected as Trj/Pirabbean.A), it shows you the following message:



At the same time, it downloads and installs a dialer, and also creates two shortcuts on the desktop:



It also changes some Internet Explorer settings (adding 2 URLs to the Trusted Sites zone). If you visit those URLs, it will install some more dialers.
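Adding a domain to the Trusted Sites zone is a persistent change that survives removal of the dropper, so it is worth checking for during cleanup. The script below is an added example written for this post, not Panda's tooling: it parses a Registry Editor export of the Internet Explorer ZoneMap and lists every host assigned to zone 2 (Trusted Sites). It assumes the standard layout under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains, where each domain is a subkey, a nested subkey names a subdomain, and each value maps a scheme ("http", "https" or "*") to a DWORD zone id (0 My Computer, 1 Local intranet, 2 Trusted sites, 3 Internet, 4 Restricted sites). The export embedded below is constructed; its domains are placeholders, not the URLs the Trojan adds.

```python
r"""Added example: list Trusted Sites (zone 2) assignments from a .reg export
of HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains.

Assumes the standard ZoneMap layout: Domains\<domain>[\<subdomain>] keys whose
values map a scheme name to a DWORD zone id. The sample export is constructed.
"""
import re
from typing import List, Optional, Tuple

ZONE_TRUSTED = 2
DOMAINS_KEY = "\\internet settings\\zonemap\\domains\\"   # matched case-insensitively
KEY_RE = re.compile(r"^\[(.+)\]$")                         # [HKEY_...\path]
VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')   # "http"=dword:00000002


def parse_zonemap_export(text: str) -> List[Tuple[str, str, int]]:
    """Return (host, scheme, zone) triples for every value under ZoneMap\\Domains."""
    results: List[Tuple[str, str, int]] = []
    host: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            key = key_match.group(1)
            idx = key.lower().find(DOMAINS_KEY)
            if idx == -1:
                host = None          # key outside ZoneMap\Domains: ignore its values
                continue
            parts = key[idx + len(DOMAINS_KEY):].split("\\")
            host = ".".join(reversed(parts))   # Domains\example.test\www -> www.example.test
            continue
        value_match = VALUE_RE.match(line)
        if value_match and host is not None:
            scheme, zone_hex = value_match.group(1), value_match.group(2)
            results.append((host, scheme, int(zone_hex, 16)))
    return results


def trusted_sites(text: str) -> List[str]:
    """Hosts that any scheme places in the Trusted Sites zone, de-duplicated and sorted."""
    return sorted({h for h, _scheme, zone in parse_zonemap_export(text) if zone == ZONE_TRUSTED})


# Constructed sample export: one intranet entry and two hosts pushed into Trusted Sites.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\intranet.example]
"http"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\dialer-placeholder.test]
"*"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\placeholder.test\www]
"http"=dword:00000002
"""

if __name__ == "__main__":
    for host in trusted_sites(SAMPLE_EXPORT):
        print("Trusted Sites entry:", host)
```

The export itself is produced on the affected machine with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains" zonemap.reg`; any host in the output that nobody in the organisation added deliberately is a candidate for removal along with the dialers.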