Monthly Binary Analysis Update (December)

By Carsten Eiram

A new month and year has begun and it is therefore time for me to wrap up the old year with a December update on our binary analysis shenanigans.

Exciting Vulnerabilities This Month

When thinking back on December, I remember it as ridiculously busy. However, after having counted the 20 issued binary analyses, then it was apparently not terribly busy – at least not based on quantity. On the BA team, we did find it a busy month, though, with 12 of the analyses covering various Microsoft vulnerabilities.

Of particular interest is, naturally, the Internet Explorer Data Binding Vulnerability, which was reported as a 0-day with working exploits quickly popping up everywhere. As I already ranted about this vulnerability here, I will not include it in this month's overview.

There was a fair number of vulnerabilities discovered by the Secunia Research team among all the advisories and accompanying BAs issued this month. These vulnerabilities affect products like Microsoft Office Word, Microsoft Office Excel, Microsoft Visual Basic 6.0 Runtime Extended Files, CA ArcServe Backup, and Trend Micro HouseCall. Most of them are quite interesting and I've therefore decided to highlight a couple of these.

* Trend Micro HouseCall ActiveX Control "notifyOnLoadNative()" Vulnerability (SA31583 / CVE-2008-2435)
* Trend Micro HouseCall ActiveX Control Arbitrary Code Execution (SA31337 / CVE-2008-2434)

Let me start out by quickly answering a question that some probably are dying to ask: "Yes, we did, naturally, have a vulnerability discovery competition to see who deserved SAID 31337". All members of the Secunia Research team had a month to find the sexiest Trend Micro vulnerability, which would then be assigned this elite number.

Trend Micro HouseCall is one of the more popular online AV scanning engines available. This just makes these two vulnerabilities all the more serious as code execution can be achieved in an extremely reliable manner for both of them. It only requires a user to view a malicious web page. Both vulnerabilities were found during our Trend Micro vulnerability month and they were nice finds indeed.

In the past, Trend Micro was one of the security vendors, who did not really impress in their responding to and handling of vulnerability reports. That has definitely changed. While their engineers still too often provide insufficient fixes (they're quick at developing them, though), then Trend Micro definitely have a nice team of handlers in place now.

Our TM vulnerability month cranked out a very decent number of vulnerabilities so we had a good opportunity to test their abilities and the Trend Micro 24×7 Support team was very responsive and handled the cases nicely. Overall, coordination was very smooth (even though it did take a while to get the engineers to acknowledge that one of the vulnerabilities was their fault and not the Internet Explorer team at Microsoft).

Fixes are available for these two vulnerabilities and it is highly recommended that people ensure that they are using a fixed version of the ActiveX control. Similarly, security vendors should have some effective rules in place to successfully detect exploitation attempts.

* CA ARCserve Backup RPC "handle_t" Argument Vulnerability (SA27299 / CVE-2008-5415)

This vulnerability discovery is actually a remnant from our 2007 research in the product, which just finally got fixed. The vulnerability is extremely easy to exploit for code execution as certain RPC request "handle_t" arguments are used directly as object pointers.

Back in the beginning of 2008, after having finished our research, our CTO, Thomas Krisensen, stated (based on our findings and the historically large number of vulnerabilities in the product) that CA ARCserve Backup is "inherently insecure", which generated a lot of attention. We haven't been looking at it again since then, but after the many vulnerabilities fixes, it may now be in a better state. However, we still recommend anyone using this product to ensure that they have some solid protection in place. Maybe CA ARCserve Backup is an interesting vulnerability target for 2009 to determine if it looks better…

This Month's Sample Analysis

I've uploaded an analysis of SA30285#1 / CVE-2008-4024 to our sample page (This link has been deprecated). It's a nice vulnerability, but it was especially interesting to figure out as the reporter did not seem to understand the core security problem and thus provided incorrect information.

Starting out on an analysis adventure – especially in Microsoft products when multiple vulnerabilities are fixed by a single patch – it is always nice to have as many details as possible about the vulnerability. It obviously makes it easier to pair it when the time comes to determine which vulnerability fix you just came across when bindiffing. However, when the information is incorrect, it can definitely add some confusion to the whole thing whether something is a silent fix or not.

Ultimately, we did manage to write up a nice analysis of the vulnerability and determined that although provided with some wrong information, Microsoft did figure out the real problem and thus fixed it fully.

I hope everyone enjoyed the holidays and got nicely into 2009.

Stay secure,

Carsten Eiram,
Chief Security Specialist