5 Acid consoles
2 Base consoles
1 Open Aanval console

The power of Google’s cache…. All were wide open with no passwords. Someone with malicious intent could delete all alerts, alert groups, cache and probably more. Not to mention the topology info they could get. I didn’t make note of the versions but I remember both Acid and Base having security issues….Base I believe was affected by a cross-site scripting vulnerability at one point.
It’s not Google’s fault really, the spiders are just doing thier jobs. My recommendation to anyone delpoying Acid / Base, create a robots.txt file in the Acid / Base root directory. In that file put these lines:

User-agent: *
Disallow: /

This will tell any Search Engine spiders not to index that site. You could also put this on each php page as well:

–Chris

Technorati Tags: Snort, Base, Acid, Google, robots.txt

As you can see the exploit displays Chinese writing which seems to be a clue to it’s origin. There are several similarities between how this exploit was released and how a 0-Day for Microsoft Word was released in June. Many speculate that the same person(s) are behind both.

Fortunately Symantec (and probably others) have virus definitions for this Trojan. The problem is it could and probably will be a different Trojan next time. Secunia is calling this one Extremely Critical in their write-up. I agree and here are some factors that make this one very bad news.

1. The number of vulnerable systems is very large.
This looks to affect all versions of Microsoft PowerPoint. Microsoft sells somewhere around $10 Billion worth of Office products per year. Folks, that is a lot of applications.

2. Relatively few, if any vulnerabilities with PowerPoint files before.
I did a quick search to see if PowerPoint files have been the entry point for vulnerabilities before and did not see any. This means in general people “trust” that opening a PPT file will not cause them problems.

3. PowerPoint files are almost ubiquitous in the enterprise.
With this being the case IT and Security managers may have to do a lot of tap dancing if they try to block PPT files at the gateway, mail server, etc. I know of one case today where the CEO had to step in and publicly support the blocking of PPT files until a resolution is available.

All these coupled with the usual problems like outdated AV definitions, users running as local admin, no egress filtering on the gateway…..make this a sticky situation.

Should you want to block PPT files and you have Snort (or a Snort-like IPS), here are some Snort signatures that will help. The first one will detect inbound PowerPoint files in an email. The second two will detect PowerPoint files on any TCP port. A big thanks to Steve Reynolds ( sreynolds @ nitrosecurity . com ) from NitroSecurity for providing the signatures. These are not official NitroSecurity signatures, they are ones he wrote.

Although commercial IPS vendors may have signatures to detect the exploit, I have not seen any free Snort signatures that do. I suspect that Bleeding Snort will post them if some become available.

Remember to have your $SMTP_SERVERS variable set correctly and change alert to drop if you want to block them.

****NOTE**** These signatures block ALL PowerPoint attachments. You have been warned.

alert TCP $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:”PowerPoint attachment detected in SMTP’”; content:”Content-Disposition|3a|”; content:”filename=|22|”; distance:0; within:50; content:”.ppt|22|”; distance:0; within:50; nocase; classtype:suspicious-filename-detect; )

alert TCP $EXTERNAL_NET any -> $SMTP_SERVERS 25 (msg:”PowerPoint attachment detected in SMTP’”; content:”Content-Type|3a|”; content:”name=|22|”; distance:0; within:50; content:”.ppt|22|”; distance:0; within:50; nocase; classtype:suspicious-filename-detect; )

alert TCP $EXTERNAL_NET any -> $HOME_NET any (msg:”PowerPoint attachment detected’”; content:”Content-Disposition|3a|”; content:”filename=|22|”; distance:0; within:50; content:”.ppt|22|”; distance:0; within:50; nocase; classtype:suspicious-filename-detect; ) alert TCP $EXTERNAL_NET any -> $HOME_NET any (msg:”PowerPoint attachment detected’”; content:”Content-Type|3a|”; content:”name=|22|”; distance:0; within:50; content:”.ppt|22|”; distance:0; within:50; nocase; classtype:suspicious-filename-detect; )–Chris

Technorati Tags: PowerPoint, Vulnerability, Snort, Exploit

UPDATE 

Microsoft has released an advisory on this vulnerability here