HEADS UP ~ Security Breach YOU MAY have been exposed to

Discussion in 'other software & services' started by Sacred, Jan 28, 2003.

Thread Status:
Not open for further replies.
  1. Sacred

    Sacred Registered Member

    Joined:
    Jan 20, 2003
    Posts:
    7
    In this months apc (Australian Personal Computing) magazine they feature security alerts

    http://www.apcmag.com
    --------------------------------------------------------------------------------

    Whilst security articles in some should always be taken with a pinch of salt... pg 88the current edition February 2003 magazine has an article entitled : [glow=yellow,2,300]The devil inside[/glow] that should be taken VERY seriously. [shadow=yellow,left,300]WHY?[/shadow] you ask...

    Aside from the content being discussed - irrespective of the author's ability etc, the show a visual example of a currenly prolifick security breach. Unfortunately this little diagram entitled[glow=yellow,2,300]Inside spyware's dirty tricks[/glow] is very real.
    [hr]

    Leading Web Content Providor ~Macromedia ~ It's product Shockwave v 8 is currently responsible for system invasion and security breaching due to it's Radlight [glow=yellow,2,300]Exploits[/glow]


    I was checking through my registry and discovered two very strange references...I couldnt remember ever having programs created by this company... After a little more digging, I discovered everything they showed in the diagram and more.

    Some of of it's collected reporting data information is as follows:

    there are 2 strings for collection of information (different branches)

    • there are 2 entries for Statistics collection & reporting
    • CollectsStatistics
    • CollectStats
    • Flash info
    • flash version **key value ~"851102"
    • obsolete
    • version **key value ~"851102"
    • Shockwave
    • version **key value ~"851102"
    • qtassets
    • version **key value ~"851102"
    • Xtras
    • current url
    • dialogues Viewed
    • sub category= "downloads" *this is a doozey*
    • flash ~
    • description
    • version **key value ~"851102"

    • graphics *pure gem this one - subcategory of downloads*
    • description

    • 1 ~ folder that is a subcategory of graphics and so on
    • basefolder **key value ~ "CorePlayer"**
    • expire **key value ~"30"
    • username
    • filename **key value ~"SwLogo.bmp"
    • size **key value ~"2052"
    • url
    • version **key value ~"851102"
    • file size
    • url **this is the url value it gives**
      "[glow=yellow,2,300]http://download.macromedia.com/pub/shockwave/director/english/win95nt/850000/SwLogo.bmp[/glow]"
    • version **key value** "20000215"
    • version **key value** "851102"


    • 3 ~ folder that is a subcategory of graphics and so on
    • basefolder **key value ~ "CorePlayer"**
    • expire **key value ~"30"
    • username
    • filename **key value ~"SwLogo.bmp"
    • size **key value ~"2052"
    • url
    • version **key value ~"851102"
    • file size
    • url **this is the url value it gives**
      "[glow=yellow,2,300]http://download.macromedia.com/pub/shockwave/director/english/win95nt/850000/SwLogo.bmp[/glow]"
    • version **key value** "20000215"
    • version **key value** "851102"

    [hr]

    this is but a short list...I have a screen res of 1600x1200 and the number of folders (before the key values were expanded) well and truly ran off the screen.



    There is also an interesting little log in the main Macromedia directory in windows :

    it has this in it: 01:01:30: Starting: 204, C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE, , win, 4.10

    [I do believe this is the date I was handed thids little B*tch*)



    Be on the look out for the following entries:

    reg entry name "netmedia" (case specific)

    2 subfolders on the tree of netmedia

    sub 1 = "app1"

    No further expansion of "app 1"


    sub 2= "app 3"

    CLSID= "01242003010027"

    VN= "4.52.0"

    [hr]
    reg entry name " NSWStatusCategoryClass"

    CLSID= ** too long to put in..**

    CurVer= "SWPlugin.NSWStatusCategory1"



    DON't FORGET to keep a look out for "netdotnet.dll
    etc etc as per the image on page 89 of the apc article.

    All of this really BLOWS!!!

    btw..... Guess where the Macromedia update came from... a hint : it was part of an Xtra Codec Bundle available for MediaPlayer..


    This is an interesting tidbit:

    http://support.microsoft.com/default.aspx?scid=KB;en-us;p302463 the source intimated that this kind of behaviour was commonplace words to the affect that 'they have known about these type of exploit holes and activities for some time...sometimes used them to their own gain.

    also says (article source} that this is not the first time for Macromedia :(

    ~Rose



    DON't go to the .au update site..... grrrrrrrrr F#@* it

    don't update at all.....this just isn't worth it!!!!


    **SPECIAL NOTE** standard win98se regedit could NOT locate these files on preliminary scans and searches.

    I finally used a TweakUI utility with advance reg editing powers to locate them.

    ps. If anyone would like to see a complete list of registry keys to help their search, send me a message.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.