Information Security all in one place!

Posts tagged “Windows”

Intuit Quickbooks: Multiple Vulnerabilities

The following vulnerabilities have been discovered and privately reported for the following versions of Intuit Quickbooks products:

Quickbooks 2009 – Quickbooks 2012; in conjunction with Internet Explorer Versions 7-9


  1. Intuit Help System Protocol URL Heap Corruption and Memory Leak:
  • The vulnerability described in this document can potentially be
    exploited by malicious HTML and/or Javascript to execute arbitrary
    code as the user viewing the malicious content.
  2. Intuit Help System Protocol File Retrieval:
  • The vulnerability described in this document can be exploited by
    malicious HTML and Javascript to retrieve a file from a ZIP archive to
    which the user viewing the HTML has local or network file system
    access.  The attacker must know or guess the path and file name of the
    target ZIP archive and the target file it contains.  A further
    significant limitation is that files in subdirectories inside of ZIP
    archives have proven inaccessible, based on a sampling of Windows
    ZIPs, Microsoft Office 2007 documents, JARs, and APKs.

No vendor response at the time of public release. More information will be posted as it becomes available.


CA ARCServe: DoS Vulnerability

CA ARCserve

CA Technologies is warning that some versions of CA ARCserve Backup for Windows contain a security vulnerability (CVE-2012-1662) that could be exploited by a remote attacker to cause a denial-of-service (DoS) condition to disable network services. According to the company, the bug occurs due to insufficient validation of certain types of network requests.

Versions r12.0, r12.0 SP1, r12.0 SP2, r12.5, r12.5 SP1, r15, r15 SP1 and r16 are affected. CA ARCserve Backup for Windows r12.5 SP2 and r16 SP1 are not vulnerable. Fixes have been released to close the hole.

Further information about the problem, including instructions on how to determine if an installation is affected and download links to patches, can be found in the company’s security advisory.


More can be found here from the vendor:

Cyberoam Unified Threat Management: Insecure Password Handling

Cyberoam Unified Threat Management appliances offer assured security, connectivity and productivity to Small Office-Home Office (SOHO) and Remote Office-Branch Office (ROBO) users by allowing user identity-based policy controls.

Cyberoam UTM integrates with Active Directory. In order to query data from a configured AD, domain credentials are stored within the device. These credentials are retrievable by an authenticated user.

Domain credentials are stored on the device and passed to web clients on a diagnostic page (Identity –> Authentication –> Authentication Server –> /Select Configured AD/ ).  Authenticated clients can thus easily access stored credentials.

A trivial check for this follows (replace cookie value):

curl -s -b "JSESSIONID=u2ur76lhy4qt" -H "Referer: blah"

The vulnerability allows a malicious user to access potentially privileged domain credentials. Should default passwords not be changed, then this is a trivial entry point onto a Windows domain.

Severity: High

Systems affected: Cyberoam CR50ia 10.01.0 build 678

Symantec Reports: New Trojan headed for Win7: Backdoor.Conpee

Symantec has issued a warning about a Trojan horse program that is capable of infecting both 32- and 64-bit versions of Windows 7. The malware can allow attackers to elevate privileges of restricted processes without user knowledge or permission.

The latest fully patched versions of Windows 7 are vulnerable to a Backdoor.Conpee Trojan, warned Mircea Ciubotariu, a security response engineer at Symantec, on a company blog.

Ciubotariu also states in the article: “The new Trojan targets both 32-bit and 64-bit versions of Windows 7, adding to the growing weight of evidence that malware writers are redesigning their software to bypass security features in 64-bit Windows, said Ciubotariu.


The 64-bit versions of Windows 7 and Vista included Kernel Mode Code Signing and Kernel Patch Protection, which were intended to make them less vulnerable to malware.

But Backdoor.Conpee and the recently-discovered Backdoor.Hackersdoor Trojan have both been shown to infect 64-bit operating systems, said Ciubotariu.

“What was just a theory not so long ago is now being used in-the-wild by [these] threats,” he warned.”

More on this topic can be found here:

Safari: Closes Security Holes with version 5.1.4


Apple has released version 5.1.4 of its Safari web browser for Windows and Mac OS X. According to the company, the maintenance and security update addresses more than 80 vulnerabilities. The update also includes various stability and performance improvements as well as fixes for other non-security related bugs.

A majority of the security holes closed in 5.1.4 were found in the WebKit browser engine used by Safari. These include several cross-site scripting (XSS), cross-origin and HTTP authentication problems, as well as numerous memory corruption bugs that could be exploited by an attacker, for example, to cause unexpected application termination or arbitrary code execution.

The recent issue, where Google were accused of bypassing Safari’s privacy controls on cookies, also appears to have been addressed. Details of how Apple have fixed this though are not given. A bug in Safari’s Private Browsing mode that allowed page visits to be recorded in the browser history when the mode was active has been fixed.

On Windows systems, the browser update improves domain name validity checking in order to prevent attackers from using look-alike characters in a URL to visually spoof a legitimate domain and direct users to a malicious site – Mac OS X systems were not affected by this issue.

More can be found here:

POSReady 2009 eval Images: Infested with Malware?

POSReady 2009 is a flexible operating system designed to seamlessly connect point-of-service solutions with peripherals, servers, services, and malware?

The system image “\Setup\WIM\setup.wim” on the “POSReady 2009 eval CD”, available from the Microsoft Download Center, contains the following registry entries:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SSOExec]

The directory “%windir%\temp” in the system image is present but empty.

The presence of these registry entries is evidence that (one of) the system(s) used to build and capture the POSReady 2009 evaluation system image was infested with malware, and that either the infestation was not detected at all (bad) or the infestation was detected but incompletely (or accidentally, when “%windir%\temp” was cleared) “removed”, and a compromised system was used to build the system image (worse).

To complete the picture: the ACLs on the directory “%windir%\temp” in systems installed from this image/CD allow unprivileged users to create a subdirectory “sso” in “%windir%\temp” and then the “ssoexec.dll”, allowing them to have their code run under every (other) user account used to log on afterwards, resulting in a privilege escalation.
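The two conditions the report describes (the leftover Winlogon Notify entry and a user-writable “%windir%\temp”) can be checked from an elevated PowerShell session on a host installed from the image. This is an added check, not part of Stefan Kanthak's report or of Microsoft's tooling; it assumes PowerShell is available on the host and reports findings rather than changing anything.

```powershell
# Added check (not from the original report): look for the leftover Winlogon
# Notify entry and for low-privilege write access to %windir%\temp, which
# together give the escalation path the report describes. Run elevated.

$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SSOExec'
$tempDir   = Join-Path $env:windir 'temp'

# 1. Is the Winlogon Notify key named in the report present? Dump its values
#    (the DLL path it points at is what a logon-time load would use).
if (Test-Path -LiteralPath $notifyKey) {
    Write-Warning "Winlogon Notify key present: $notifyKey"
    Get-ItemProperty -LiteralPath $notifyKey | Format-List *
} else {
    Write-Output "Winlogon Notify key not found: $notifyKey"
}

# 2. Which low-privilege principals hold an Allow ACE on %windir%\temp that
#    permits creating subdirectories (CreateDirectories or full Write)?
$lowPriv = @('BUILTIN\Users', 'Everyone',
             'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')
$create  = [System.Security.AccessControl.FileSystemRights]::CreateDirectories
$write   = [System.Security.AccessControl.FileSystemRights]::Write

$acl = Get-Acl -LiteralPath $tempDir
foreach ($ace in $acl.Access) {
    $rights    = [int]$ace.FileSystemRights
    $canCreate = (($rights -band [int]$create) -ne 0) -or (($rights -band [int]$write) -eq [int]$write)
    if ($ace.AccessControlType -eq 'Allow' -and
        $lowPriv -contains $ace.IdentityReference.Value -and $canCreate) {
        Write-Warning ("{0} may create directories in {1} (rights: {2})" -f
            $ace.IdentityReference.Value, $tempDir, $ace.FileSystemRights)
    }
}

# 3. Has the path the report names already been populated by someone?
$dll = Join-Path $tempDir 'sso\ssoexec.dll'
if (Test-Path -LiteralPath $dll) {
    Write-Warning "Found $dll; treat the host as compromised until reviewed"
}
```

Write access to “%windir%\temp” for Users is common on its own; the finding is the combination with a Winlogon Notify entry that resolves into that user-writable location, so review both outputs together.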

This has been brought to the vendor's (Microsoft's) attention in the following manner. – Stefan Kanthak


2012-02-03    informed vendor

2012-02-03    vendor replies:
“The registry key and DLL are part of the Windows embedded
software package and their existence is expected.”

.oO(OUCH! they must be joking…)

2012-02-04    informed vendor that SSOEXEC.DLL is NOT part of any Windows
software package

2012-02-06    vendor replies:
“we are still looking and hope to provide clarification soon.”

2012-02-06    vendor replies:
“this reference in no way indicates there is or ever was a
virus on our build systems.”

2012-02-08    asked vendor to consider that both
<> and
only find hits that show problems with malware

2012-03-04    no more answer from vendor, report published

Love and Security: Microsoft Sends us Both

Happy Patch Day

Instead of giving you the same breakdown of the recent critical fixes, I have decided to go a different route. NSIT has compiled a list of websites that discuss the vulnerabilities in depth. Microsoft has released fixes for some critical vulnerabilities; knowing what they are is just half of what you need to know. How applying these updates affects your current environment is critical. Read on and keep patching!

Microsoft’s Security Website

CIO Today:

Andrew Storms, director of security operations at nCircle, quipped that IT security teams are not getting any candy hearts from Microsoft for Patch Tuesday. Instead, every version of Internet Explorer gets a security update. Another analyst pointed to the HTML Layout and GDI Access Violation vulnerabilities as particularly important patches.

Read More:

CSO Blogs:


Microsoft has just released its February 2012 security updates. Here’s some analysis from the folks at Symantec, McAfee and Qualys.

Read More:


Microsoft will be offering fixes for a wide range of flaws affecting the company’s Internet Explorer (IE) web browser, every version of its Windows operating system (OS), as well as Microsoft Office.

Read More:
