Sacred
January 28th, 2003, 08:18 AM
In this month's APC (Australian Personal Computing) magazine they feature security alerts
http://www.apcmag.com
--------------------------------------------------------------------------------
Whilst security articles in some should always be taken with a pinch of salt... pg 88 of the current edition (February 2003) has an article entitled "The devil inside" that should be taken VERY seriously. WHY? you ask...
Aside from the content being discussed - irrespective of the author's ability etc., they show a visual example of a currently prolific security breach. Unfortunately this little diagram, entitled "Inside spyware's dirty tricks", is very real.
[hr]
Leading web content provider ~Macromedia~ Its product Shockwave v8 is currently responsible for system invasion and security breaching due to its Radlight exploits.
I was checking through my registry and discovered two very strange references... I couldn't remember ever having programs created by this company... After a little more digging, I discovered everything they showed in the diagram and more.
Some of its collected reporting data is as follows:
there are 2 strings for collection of information (different branches)
there are 2 entries for Statistics collection & reporting
CollectsStatistics
CollectStats
Flash info
flash version **key value ~"851102"
obsolete
version **key value ~"851102"
Shockwave
version **key value ~"851102"
qtassets
version **key value ~"851102"
Xtras
current url
dialogues Viewed
sub category= "downloads" *this is a doozey*
flash ~
description
version **key value ~"851102"
graphics *pure gem this one - subcategory of downloads*
description
1 ~ folder that is a subcategory of graphics and so on
basefolder **key value ~ "CorePlayer"**
expire **key value ~"30"
username
filename **key value ~"SwLogo.bmp"
size **key value ~"2052"
url
version **key value ~"851102"
file size
url **this is the url value it gives**
"http://download.macromedia.com/pub/shockwave/director/english/win95nt/850000/SwLogo.bmp"
version **key value** "20000215"
version **key value** "851102"
3 ~ folder that is a subcategory of graphics and so on
basefolder **key value ~ "CorePlayer"**
expire **key value ~"30"
username
filename **key value ~"SwLogo.bmp"
size **key value ~"2052"
url
version **key value ~"851102"
file size
url **this is the url value it gives**
"http://download.macromedia.com/pub/shockwave/director/english/win95nt/850000/SwLogo.bmp"
version **key value** "20000215"
version **key value** "851102"
[hr]
This is but a short list... I have a screen res of 1600x1200 and the number of folders (before the key values were expanded) well and truly ran off the screen.
There is also an interesting little log in the main Macromedia directory in Windows:
It has this in it: 01:01:30: Starting: 204, C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE, , win, 4.10
reg entry name " NSWStatusCategoryClass"
CLSID= ** too long to put in..**
CurVer= "SWPlugin.NSWStatusCategory1"
DON'T FORGET to keep a lookout for "netdotnet.dll"
etc. etc., as per the image on page 89 of the APC article.
All of this really BLOWS!!!
BTW..... guess where the Macromedia update came from... a hint: it was part of an Xtra Codec Bundle available for MediaPlayer..
This is an interesting tidbit:
http://support.microsoft.com/default.aspx?scid=KB;en-us;p302463 The source intimated that this kind of behaviour was [i]commonplace[/i], words to the effect that 'they have known about these types of exploit holes and activities for some time... sometimes used them to their own gain.'
Also says (article source) that this is not the first time for Macromedia :(
~Rose
-{ Quote: "Paranoia is obsolete. It's ALL true" }-
DON'T go to the .au update site..... grrrrrrrrr F#@* it
Don't update at all..... this just isn't worth it!!!!
**SPECIAL NOTE** standard Win98SE regedit could NOT locate these files on preliminary scans and searches.
I finally used a TweakUI utility with advanced reg editing powers to locate them.
PS. If anyone would like to see a complete list of registry keys to help their search, send me a message.
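One way to do the kind of search the post describes when regedit's own Find comes up empty, as an added example that is not part of the original post: export the registry to a text .reg file and scan the export offline for the key and value names listed above, plus any string data that embeds a call-home URL. The paths and values in SAMPLE_REG are constructed sample data, not the poster's registry; the suspect names are the ones quoted in the post.

```python
import re

# Names quoted in the post. SAMPLE_REG is constructed sample data in REGEDIT4
# export format (what `regedit /e` writes), not a dump of the poster's machine.
SUSPECT_NAMES = {"collectstats", "collectsstatistics", "nswstatuscategoryclass",
                 "swplugin.nswstatuscategory1", "netdotnet.dll"}

SAMPLE_REG = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Player\Settings]
"CollectStats"="1"
"expire"="30"
[HKEY_LOCAL_MACHINE\SOFTWARE\Example\Player\downloads\graphics\1]
"filename"="SwLogo.bmp"
"url"="http://download.macromedia.com/pub/shockwave/director/english/win95nt/850000/SwLogo.bmp"
[HKEY_CLASSES_ROOT\NSWStatusCategoryClass\CurVer]
@="SWPlugin.NSWStatusCategory1"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')                        # [HKEY_...\Path]
VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')  # "name"=data or @=data


def scan_reg_export(text):
    """Return (key_path, value_name, data) for each suspicious line.

    A key is reported (name and data None) when any path component is in
    SUSPECT_NAMES; a string value is reported when its name or data is in
    SUSPECT_NAMES or its data embeds an http:// URL. hex:/dword: data is skipped.
    """
    hits, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            if any(part.lower() in SUSPECT_NAMES for part in key.split('\\')):
                hits.append((key, None, None))
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name = '@' if m.group(1) == '@' else m.group(2)
        data = m.group(3).strip()
        if not (data.startswith('"') and data.endswith('"')):
            continue                                      # not a REG_SZ value
        data = data[1:-1]
        if (name.lower() in SUSPECT_NAMES or data.lower() in SUSPECT_NAMES
                or 'http://' in data.lower()):
            hits.append((key, name, data))
    return hits
```

A REGEDIT4 export from a Windows 9x machine is plain ANSI text; newer "Windows Registry Editor Version 5.00" exports are UTF-16 and need to be opened with that encoding before the text is passed to scan_reg_export.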