Friday, March 28, 2008

New Exploit Targets Corporate Users of CA Apps

Update: We should note that CA has offered a patch for this vulnerability. What is not clear is how widely adopted that patch is.

Hi folks,

On about March 17, 2008, some folks, such as frsirt started talking about a vulnerability in dll/ ocx used in various CA products. See here http://www.frsirt.com/english/advisories/2008/0902 , for example.

Today we found it in the wild, in none other than a new NeoSploit framework.

This means several things...

Firstly, the Neo developers are _very_ active.

Secondly, the vulnerability is likely to be quite widespread, simply because of CA's size and spread within the corporate market.

Thirdly, the exploit will likely soon also be quite widespread, simply because it is Neo, and Neo is quite popular as an exploit package.

Fourthly, corporate clients should probably be pretty nervous, because their firewall is unlikely to protect them against this. Remember, web traffic is usually permitted to go right thru the firewall, because it _starts_ from a trusted place ... _inside_ the firewall.

Another contributing factor to corporate nervousness is that they rarely allow automatic patching. This is an example where they probably should.

The current list of exploits is therefore:-

Mdac/ MS06-014
SuperBuddy
CaListCtrl
NctAudio
GomWebCtrl
SetSlice
DaxCtle

In other words, they've added the CaListCtrl exploit, and dropped the Yahoo Jukebox and Microsoft xVoice exploits, presuambly because they were not productive.

Folks, this appears to be one for the corporates rather than consumers, but it highlights that the Bad Guys are still thinking hard and probing hard.

Natuarally, LinkScanner and AVG 8 users have little to fear, as we detect it and block it just fine (which is how we noticed it in the first place)

Cheers

Roger

Labels:

2 Comments:

At 5:30 PM, Blogger -=[ dxp ]=- said...

Do you mean that these products detect Neosploit's obfuscated javascript or just any obfuscated javascript?

 
At 5:54 PM, Blogger Roger Thompson said...

Hi dxp,

They detect both Neosploit's javascript and other javascript, both obfuscated and plain, and a bunch of other things too.

LinkScanner is not meant to be a 100% solution, but more a 90/10 or 95/5 solution.

Cheers

Roger

 

Post a Comment

<< Home