<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet Security Observatory</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
 <item><title>Can you find me now? Unlocking the Verizon Wireless xv6800 (HTC Titan) GPS</title><description>2008-10-15 15:49:22 - Uninformed Journal : In August 2008 Verizon Wireless released a firmware upgrade for their xv6800 (rebranded HTC Titan) line of Windows Mobile smartphones that provided a number of new features previously unavailable on the device on the initial release firmware. In particular, support for accessing the device's built-in Qualcomm gpsOne assisted GPS chipset was introduced with this update. However, Verizon Wireless elected to attempt to lock down the GPS hardware on the xv6800 such that only applications authorized by Verizon Wireless would be able to access the device's built-in GPS hardware and perform location-based functions such as GPS-assisted navigation. The mechanism used to lock down the GPS hardware is entirely client-side based, however, and as such suffers from fundamental limitations in terms of how effective the lockdown can be in the face of an almost fully user-programmable Windows Mobile-based device. This article outlines the basic philosophy used to prevent unauthorized applications from accessing the GPS hardware and provides a discussion of several of the flaws inherent in the chosen design of the protection mechanism. In addition, several pitfalls relating to debugging and reverse engineering programs on Windows Mobile are also discussed. Finally, several suggested design alterations that would have mitigated some of the flaws in the current GPS lock down system from the perspective of safeguarding the privacy of user location data are also presented.</description><link>http://www.secuobs.com/revue/news/28823.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28823.shtml</guid></item>
<item><title>Exploiting Tomorrow's Internet Today: Penetration testing with IPv6</title><description>Secuobs.com : 2008-10-15 15:49:22 - Uninformed Journal - This paper illustrates how IPv6-enabled systems with link-local and auto-configured addresses can be compromised using existing security tools. While most of the techniques described can apply to "real" IPv6 networks, the focus of this paper is to target IPv6-enabled systems on the local network.</description><link>http://www.secuobs.com/revue/news/28822.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28822.shtml</guid></item>
<item><title>Analyzing local privilege escalations in win32k</title><description>Secuobs.com : 2008-10-15 15:49:22 - Uninformed Journal - This paper analyzes three vulnerabilities that were found in win32k.sys that allow kernel-mode code execution. The win32k.sys driver is a major component of the GUI subsystem in the Windows operating system. These vulnerabilities have been reported by the author and patched in MS08-025. The first vulnerability is a kernel pool overflow with an old communication mechanism called the Dynamic Data Exchange (DDE) protocol. The second vulnerability involves improper use of the ProbeForWrite function within string management functions. The third vulnerability concerns how win32k handles system menu functions. Their discovery and exploitation are covered.</description><link>http://www.secuobs.com/revue/news/28821.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28821.shtml</guid></item>
<item><title>Using dual-mappings to evade automated unpackers</title><description>Secuobs.com : 2008-10-15 15:49:22 - Uninformed Journal - Automated unpackers such as Renovo, Saffron, and Pandora's Bochs attempt to dynamically unpack executables by detecting the execution of code from regions of virtual memory that have been written to. While this is an elegant method of detecting dynamic code execution, it is possible to evade these unpackers by dual-mapping physical pages to two distinct virtual address regions, where one region is used as an editable mapping and the second region is used as an executable mapping. In this way, the editable mapping is written to during the unpacking process and the executable mapping is used to execute the unpacked code dynamically. This effectively evades automated unpackers which rely on detecting the execution of code from virtual addresses that have been written to.</description><link>http://www.secuobs.com/revue/news/28820.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/28820.shtml</guid></item>
<item><title>Annoyances Caused by Unsafe Assumptions</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - This installation of What Were They Thinking illustrates some of the annoyances that can be caused when developing software that has to inter-operate with third-party applications. Two such cases </description><link>http://www.secuobs.com/revue/news/15091.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15091.shtml</guid></item>
<item><title>Mac OS X PPC Shellcode Tricks</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - Developing shellcode for Mac OS X is not particularly difficult, but there are a number of tips and techniques that can make the process easier and more effective. The independent data and instruction </description><link>http://www.secuobs.com/revue/news/15090.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15090.shtml</guid></item>
<item><title>Social Zombies: Aspects of Trojan Networks</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - Malicious code is so common in today's Internet that it seems impossible for an average user to keep his or her system clean. It's estimated that several hundred thousand machines are infected by trojans to be abused in a variety of ways, including the theft </description><link>http://www.secuobs.com/revue/news/15089.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15089.shtml</guid></item>
<item><title>Loop Detection</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - During the course of this paper the reader will gain new knowledge about previous and new research on the subject of loop detection. The topic of loop detection will be applied to the field of binary analysis and</description><link>http://www.secuobs.com/revue/news/15088.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15088.shtml</guid></item>
<item><title>Smart Parking Meters</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - Security through obscurity is unfortunately much more common than people think: many interfaces are built on the premise that since they are a "closed system" they can ignore standard security practices. This paper </description><link>http://www.secuobs.com/revue/news/15087.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15087.shtml</guid></item>
<item><title>Post-Exploitation on Windows using ActiveX Controls</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - When exploiting software vulnerabilities it is sometimes impossible to build direct communication channels between a target machine and an attacker's machine due to restrictive outbound </description><link>http://www.secuobs.com/revue/news/15086.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15086.shtml</guid></item>
<item><title>Introduction to Reverse Engineering Win32 Applications</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - During the course of this paper the reader will be reintroduced to many concepts and tools essential to understanding and controlling native Win32 applications through the eyes of </description><link>http://www.secuobs.com/revue/news/15085.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15085.shtml</guid></item>
<item><title>802.11 VLANs and Association Redirection</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - The goal of this paper is to introduce the reader to a technique that could be used to implement something analogous to VLANs found in wired media into a typical IEEE 802.11 environment </description><link>http://www.secuobs.com/revue/news/15084.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15084.shtml</guid></item>
<item><title>Bypassing Windows Hardware-enforced DEP</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - This paper describes a technique that can be used to bypass Windows hardware-enforced Data Execution Prevention (DEP) on default installations of Windows XP Service Pack 2 and Windows 2003 Server Service Pack 1. This technique makes it possible to execute </description><link>http://www.secuobs.com/revue/news/15083.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15083.shtml</guid></item>
<item><title>Temporal Return Addresses</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - Nearly all existing exploitation vectors depend on some knowledge of a process' address space prior to an attack in order to gain meaningful control of execution flow. In cases where this is necessary, exploit</description><link>http://www.secuobs.com/revue/news/15082.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15082.shtml</guid></item>
<item><title>Inside Blizzard: Battle.net</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - This paper intends to describe a variety of the problems Blizzard Entertainment has encountered from a practical standpoint through their implementation of the large-scale online game matchmaking and chat </description><link>http://www.secuobs.com/revue/news/15081.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15081.shtml</guid></item>
<item><title>Thick Clients Gone Wrong</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - When designing thick-client based solutions, developers often suffer from the incorrect assumption that end-users are incapable of modifying, examining, or emulating the packaged client. Throughout this document,</description><link>http://www.secuobs.com/revue/news/15080.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15080.shtml</guid></item>
<item><title>FUTo</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - Since the introduction of FU, the rootkit world has moved away from implementing system hooks to hide their presence. Because of this change in offense, a new defense had to be developed. The new algorithms </description><link>http://www.secuobs.com/revue/news/15079.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15079.shtml</guid></item>
<item><title>Linux Improvised Userland Scheduler Virus</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - This paper discusses the combination of a userland scheduler and runtime process infection for a virus. These two concepts complete each other. The runtime process infection opens the door to </description><link>http://www.secuobs.com/revue/news/15078.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15078.shtml</guid></item>
<item><title>Attacking NTLM with Precomputed Hashtables</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - Breaking encrypted passwords has been of interest to hackers for a long time, and protecting them has always been one of the biggest security problems operating systems have faced, with </description><link>http://www.secuobs.com/revue/news/15077.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15077.shtml</guid></item>
<item><title>Analyzing Common Binary Parser Mistakes</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - With just about one file format bug being consistently released on a weekly basis over the past six to twelve months, one can only hope developers would look and learn. The reality of it </description><link>http://www.secuobs.com/revue/news/15076.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15076.shtml</guid></item>
<item><title>Windows Kernel-mode Payload Fundamentals</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - This paper discusses the theoretical and practical implementations of kernel-mode payloads on Windows. At the time of this writing, kernel-mode research is generally regarded as the </description><link>http://www.secuobs.com/revue/news/15075.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15075.shtml</guid></item>
<item><title>Bypassing PatchGuard on Windows x64</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - The version of the Windows kernel that runs on the x64 platform has introduced a new feature, nicknamed PatchGuard, that is intended to prevent both malicious software and third-party vendors </description><link>http://www.secuobs.com/revue/news/15074.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15074.shtml</guid></item>
<item><title>Anti-Virus Software Gone Wrong</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - Anti-virus software is becoming more and more prevalent on end-user computers today. Many major computer vendors such as Dell bundle anti-virus software and other personal security suites in the default</description><link>http://www.secuobs.com/revue/news/15073.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15073.shtml</guid></item>
<item><title>GREPEXEC: Grepping Executive Objects from Pool Memory</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - As rootkits continue to evolve and become more advanced, methods that can be used to detect hidden objects must also evolve. For example, relying on system provided APIs to </description><link>http://www.secuobs.com/revue/news/15072.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15072.shtml</guid></item>
<item><title>Abusing Mach on Mac OS X</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - This paper discusses the security implications of Mach being integrated with the Mac OS X kernel. A few examples are used to illustrate how Mach support can be used to bypass some of the BSD security features,</description><link>http://www.secuobs.com/revue/news/15071.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15071.shtml</guid></item>
<item><title>Exploiting the Otherwise Non-Exploitable on Windows</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - This paper describes a technique that can be applied in certain situations to gain arbitrary code execution through software bugs that would not otherwise be exploitable, such </description><link>http://www.secuobs.com/revue/news/15070.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15070.shtml</guid></item>
<item><title>Improving Automated Analysis of Windows x64 Binaries</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - As Windows x64 becomes a more prominent platform, it will become necessary to develop techniques that improve the binary analysis process. In particular, automated techniques that can </description><link>http://www.secuobs.com/revue/news/15069.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15069.shtml</guid></item>
<item><title>Fingerprinting 802.11 Implementations via Statistical Analysis of the Duration Field</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - The research presented in this paper provides the reader with a set of algorithms and techniques that enable the user to remotely determine what chipset and device driver an 802.11 device is using.</description><link>http://www.secuobs.com/revue/news/15068.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15068.shtml</guid></item>
<item><title>Wars Within</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - In this paper I will uncover the information exchange of what may be classified as one of the highest money making schemes coordinated by 'organized crime'. I will elaborate on information gathered from a third party individual directly involved in all aspects of the scheme at play.</description><link>http://www.secuobs.com/revue/news/15067.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15067.shtml</guid></item>
<item><title>Effective Bug Discovery</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - Sophisticated methods are currently being developed and implemented for mitigating the risk of exploitable bugs. The process of researching and discovering vulnerabilities in modern code will require changes to accommodate the shift in vulnerability mitigations.</description><link>http://www.secuobs.com/revue/news/15066.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15066.shtml</guid></item>
<item><title>Preventing the Exploitation of SEH Overwrites</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - This paper proposes a technique that can be used to prevent the exploitation of SEH overwrites on 32-bit Windows applications without requiring any recompilation.</description><link>http://www.secuobs.com/revue/news/15065.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15065.shtml</guid></item>
<item><title>Implementing a Custom X86 Encoder</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - This paper describes the process of implementing a custom encoder for the x86 architecture. To help set the stage, the McAfee Subscription Manager ActiveX control vulnerability, which was discovered by eEye, will be used as an example of a vulnerability that requires the implementation of a custom encoder.</description><link>http://www.secuobs.com/revue/news/15064.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15064.shtml</guid></item>
<item><title>Exploiting 802.11 Wireless Driver Vulnerabilities on Windows</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - This paper describes the process of identifying and exploiting 802.11 wireless device driver vulnerabilities on Windows. This process is described in terms of two steps: pre-exploitation and exploitation.</description><link>http://www.secuobs.com/revue/news/15063.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15063.shtml</guid></item>
<item><title>Locreate: An Anagram for Relocate</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - This paper presents a proof of concept executable packer that does not use any custom code to unpack binaries at execution time. This is different from typical packers, which generally rely on packed executables containing code that is used to perform the inverse of the packing operation at runtime. Instead of depending on custom code, the technique described in this paper uses documented behavior of the dynamic loader as a mechanism for performing the unpacking operation.</description><link>http://www.secuobs.com/revue/news/15062.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15062.shtml</guid></item>
<item><title>Subverting PatchGuard Version 2</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - Windows Vista x64 and recently hotfixed versions of the Windows Server 2003 x64 kernel contain an updated version of Microsoft's kernel-mode patch prevention technology known as PatchGuard. This new version of PatchGuard improves on the previous version in several ways, primarily dealing with attempts to increase the difficulty of bypassing PatchGuard from the perspective of an independent software vendor (ISV) deploying a driver that patches the kernel. The feature-set of PatchGuard version 2 is otherwise quite similar to PatchGuard version 1; the SSDT, IDT/GDT, various MSRs, and several kernel global function pointer variables as well as kernel code are guarded against unauthorized modification. This paper proposes several methods that can be used to bypass PatchGuard version 2 completely.</description><link>http://www.secuobs.com/revue/news/15061.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15061.shtml</guid></item>
<item><title>Mnemonic Password Formulas</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - The current information technology landscape is cluttered with a large number of information systems that each have their own individual authentication schemes. Even with single sign-on and multi-system authentication methods, systems within disparate management domains are likely to be utilized by users of various levels of involvement within the landscape as a whole. Due to this complexity and the abundance of authentication requirements, many users are required to manage numerous credentials across various systems. This has given rise to many different insecurities relating to the selection and management of passwords. This paper details a subset of issues facing users and managers of authentication systems involving passwords, discusses current approaches to mitigating those issues, and finally introduces a new method for password management and recall termed Mnemonic Password Formulas.</description><link>http://www.secuobs.com/revue/news/15060.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15060.shtml</guid></item>
<item><title>Memalyze: Dynamic Analysis of Memory Access Behavior in Software</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - This paper describes strategies for dynamically analyzing an application's memory access behavior. These strategies make it possible to detect when a read or write is about to occur at a given location in memory while an application is executing. An application's memory access behavior can provide additional insight into its behavior. For example, it may be able to provide an idea of how data propagates throughout the address space. Three individual strategies which can be used to intercept memory accesses are described in this paper. Each strategy makes use of a unique method of intercepting memory accesses. These methods include the use of Dynamic Binary Instrumentation (DBI), x86 hardware paging features, and x86 segmentation features. A detailed description of the design and implementation of these strategies for 32-bit versions of Windows is given. Potential uses for these analysis techniques are described in detail.</description><link>http://www.secuobs.com/revue/news/15059.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15059.shtml</guid></item>
<item><title>Reducing the Effective Entropy of GS Cookies</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - This paper describes a technique that can be used to reduce the effective entropy in a given GS cookie by roughly 15 bits. This reduction is made possible because GS uses a number of weak entropy sources that can, with varying degrees of accuracy, be calculated by an attacker. It is important to note, however, that the ability to calculate the values of these sources for an arbitrary cookie currently relies on an attacker having local access to the machine, such as through the local console or through terminal services. This effectively limits the use of this technique to stack-based local privilege escalation vulnerabilities. In addition to the general entropy reduction technique, this paper discusses the amount of effective entropy that exists in services that automatically start during system boot. It is hypothesized that these services may have more predictable states of entropy due to the relative consistency of the boot process. While the techniques described in this paper do not illustrate a complete break of GS, any inherent weakness can have disastrous consequences given that GS is a static, compile-time security solution. It is not possible to simply distribute a patch. Instead, applications must be recompiled to take advantage of any security improvements. In that vein, the paper proposes some solutions that could be applied to address the problems that are outlined.</description><link>http://www.secuobs.com/revue/news/15058.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15058.shtml</guid></item>
<item><title>Generalizing Data Flow Information</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - Generalizing information is a common method of reducing the quantity of data that must be considered during analysis. This fact has been plainly illustrated in relation to static data flow analysis, where previous research has described algorithms that can be used to generalize data flow information. These generalizations have helped support more optimal data flow analysis in certain situations. In the same vein, this paper describes a process that can be employed to generalize and persist data flow information along multiple generalization tiers. Each generalization tier is meant to describe the data flow behaviors of a conceptual software element such as an instruction, a basic block, a procedure, a data type, and so on. This process makes use of algorithms described in previous literature to support the generalization of data flow information. To illustrate the usefulness of the generalization process, this paper also presents an algorithm that can be used to determine reachability at each generalization tier. The algorithm determines reachability starting from the least specific generalization tier and uses the set of reachable paths found to progressively qualify data flow information for each successive generalization tier. This helps to constrain the amount of data flow information that must be considered to a minimal subset.</description><link>http://www.secuobs.com/revue/news/15057.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15057.shtml</guid></item>
<item><title>A Catalog of Local Windows Kernel-mode Backdoor Techniques</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - This paper presents a detailed catalog of techniques that can be used to create local kernel-mode backdoors on Windows. These techniques include function trampolines, descriptor table hooks, model-specific register hooks, page table modifications, as well as others that have not previously been described. The majority of these techniques have been publicly known far in advance of this paper. However, at the time of this writing, there appears to be no detailed single point of reference for many of them. The intention of this paper is to provide a solid understanding on the subject of local kernel-mode backdoors. This understanding is necessary in order to encourage the thoughtful discussion of potential countermeasures and perceived advancements. In the vein of countermeasures, some additional thoughts are given to the common misconception that PatchGuard, in its current design, can be used to prevent kernel-mode rootkits.</description><link>http://www.secuobs.com/revue/news/15056.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15056.shtml</guid></item>
<item><title>OS X Kernel-mode Exploitation in a Weekend</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - Apple's Mac OS X operating system is attracting more attention from users and security researchers alike. Despite this increased interest, there is still an apparent lack of detailed vulnerability development information for OS X. This paper will attempt to help bridge this gap by walking through the entire vulnerability development process. This process starts with vulnerability discovery and ultimately finishes with remote code execution. To help illustrate this process, a real vulnerability found in the OS X wireless device driver is used.</description><link>http://www.secuobs.com/revue/news/15055.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15055.shtml</guid></item>
<item><title>Getting out of Jail: Escaping Internet Explorer Protected Mode</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - With the introduction of Windows Vista, Microsoft has added a new form of mandatory access control to the core operating system. Internally known as "integrity levels", this new addition to the security manager allows security controls to be placed on a per-process basis. This is different from the traditional model of per-user security controls used in all prior versions of Windows NT. In this manner, integrity levels are essentially a bolt-on to the existing Windows NT security architecture. While the idea is theoretically sound, there does exist a great possibility for implementation errors with respect to how integrity levels work in practice. Integrity levels are the core of Internet Explorer Protected Mode, a new "low-rights" mode where Internet Explorer runs without permission to modify most files or registry keys. This places both Internet Explorer and integrity levels as a whole at the forefront of the computer security battle with respect to Windows Vista.</description><link>http://www.secuobs.com/revue/news/15054.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15054.shtml</guid></item>
<item><title>PatchGuard Reloaded: A Brief Analysis of PatchGuard Version 3</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - Since the publication of previous bypass or circumvention techniques for Kernel Patch Protection (otherwise known as "PatchGuard"), Microsoft has continued to refine their patch protection system in an attempt to foil known bypass mechanisms. With the release of Windows Server 2008 Beta 3, and later a full-blown distribution of PatchGuard to Windows Vista / Windows Server 2003 via Windows Update, Microsoft has introduced the next generation of PatchGuard to the general public ("PatchGuard 3"). As with previous updates to PatchGuard, version three represents a set of incremental changes that are designed to address perceived weaknesses and known bypass vectors in earlier versions. Additionally, PatchGuard 3 expands the set of kernel variables that are protected from unauthorized modification, eliminating several mechanisms that might be used to circumvent PatchGuard while co-existing with it (as opposed to disabling it). This article describes some of the changes that have been made in PatchGuard 3. This article also proposes several new techniques that can be used to circumvent PatchGuard's defenses. Countermeasures for these techniques are also discussed.</description><link>http://www.secuobs.com/revue/news/15053.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15053.shtml</guid></item>
<item><title>Real-time Steganography with RTP</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - Real-time Transfer Protocol (RTP) is used by nearly all Voice-over-IP systems to provide the audio channel for calls. As such, it provides ample opportunity for the creation of a covert communication channel due to its very nature. While use of steganographic techniques with various audio cover-medium has been extensively researched, most applications of such have been limited to audio cover-medium of a static nature such as WAV or MP3 file audio data. This paper details a common technique for the use of steganography with audio data cover-medium, outlines the problem issues that arise when attempting to use such techniques to establish a full-duplex communications channel within audio data transmitted via an unreliable streaming protocol, and documents solutions to these problems. An implementation of the ideas discussed, entitled SteganRTP, is included in the reference materials.</description><link>http://www.secuobs.com/revue/news/15052.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15052.shtml</guid></item>
<item><title>Improving Software Security Analysis using Exploitation Properties</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - Reliable exploitation of security vulnerabilities has continued to become more difficult as formidable mitigations have been established and are now included by default with most modern operating systems. Future exploitation of software vulnerabilities will rely on either discovering ways to circumvent these mitigations or uncovering flaws that are not adequately protected. Since the majority of the mitigations that exist today lack universal bypass techniques, it has become more fruitful to take the latter approach. It is in this vein that this paper introduces the concept of exploitation properties and describes how they can be used to better understand the exploitability of a system irrespective of a particular vulnerability. Perceived exploitability is of utmost importance to both an attacker and to a defender given the presence of modern mitigations. The ANI vulnerability (MS07-017) is used to help illustrate these points by acting as a simple example of a vulnerability that may have been more easily identified as code that should have received additional scrutiny by taking exploitation properties into consideration.</description><link>http://www.secuobs.com/revue/news/15051.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15051.shtml</guid></item>
<item><title>Context-keyed Payload Encoding</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - A common goal of payload encoders is to evade a third-party detection mechanism which is actively observing attack traffic somewhere along the route from an attacker to their target, filtering on commonly used payload instructions. The use of a payload encoder may be easily detected and blocked, as well as opening up the opportunity for the payload to be decoded for further analysis. Even so-called keyed encoders utilize easily observable, recoverable, or guessable key values in their encoding algorithm, thus making decoding on-the-fly trivial once the encoding algorithm is identified. It is feasible that an active observer may make use of the inherent functionality of the decoder stub to decode the payload of a suspected exploit in order to inspect the contents of that payload and make a control decision about the network traffic. This paper presents a new method of keying an encoder which is based entirely on contextual information that is predictable or known about the target by the attacker and constructible or recoverable by the decoder stub when executed at the target. An active observer of the attack traffic, however, should be unable to decode the payload due to lack of the contextual keying information.</description><link>http://www.secuobs.com/revue/news/15050.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15050.shtml</guid></item>
<item><title>ActiveX - Active Exploitation</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - This paper provides a general introduction to the topic of understanding software vulnerabilities that affect ActiveX controls. A brief description of how ActiveX controls are exposed to Internet Explorer is given, along with an analysis of three example ActiveX vulnerabilities that have been previously disclosed.</description><link>http://www.secuobs.com/revue/news/15049.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15049.shtml</guid></item>
<item><title>An Objective Analysis of the Lockdown Protection System for Battlenet</title><description>Secuobs.com : 2008-03-31 00:14:35 - Uninformed Journal - Near the end of 2006, Blizzard deployed the first major update to the version check and client software authentication system used to verify the authenticity of clients connecting to Battlenet using the binary game client protocol. This system had been in use since just after the release of the original Diablo game and the public launch of Battlenet. The new authentication module (Lockdown) introduced a variety of mechanisms designed to raise the bar with respect to spoofing a game client when logging on to Battlenet. In addition, the new authentication module also introduced run-time integrity checks of client binaries in memory. This is meant to provide simple detection of many client modifications (often labeled "hacks") that patch game code in-memory in order to modify game behavior. The Lockdown authentication module also introduced some anti-debugging techniques that are designed to make it more difficult to reverse engineer the module. In addition, it introduced several checks that are designed to make it difficult to simply load and run the Blizzard Lockdown module from the context of an unauthorized, non-Blizzard-game process. After all, if an attacker can simply load and run the Lockdown module in his or her own process, it becomes trivially easy to spoof the game client logon process, or to allow a modified game client to log on to Battlenet successfully. However, like any protection mechanism, the new Lockdown module is not without its flaws, some of which are discussed in detail in this paper.</description><link>http://www.secuobs.com/revue/news/15048.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/15048.shtml</guid></item>
</channel>
</rss>