Tuesday, December 30, 2008

New Year Is Around The Corner

Once again 365 days is almost full and it's time to start a new year. I wish all my blog readers successful and safer year 2009!

Tuesday, December 23, 2008

ActiveX Vulnerability In Trend Micro House Call

There has been found a vulnerability in Trend Micro House Call online virus scanner. The vulnerability is in scanner's ActiveX control and may allow an attacker to execute arbitrary code in target system.

Vulnerable versions are:
Trend Micro HouseCall ActiveX Control 6.51.0.1028 and 6.6.0.1278

To fix the issue users of Trend Micro HouseCall should remove vulnerable ActiveX control and install fixed version 6.6.0.1285.

More information:
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1038646&id=EN-1038646

http://www.securitytracker.com/alerts/2008/Dec/1021481.html

Vulnerability In Microsoft SQL Server

There has been found a vulnerability in Microsoft SQL Server which is related to sp_repwritetovarbin extended stored procedure bundled with SQL Server. The vulnerability may allow an attacker to execute arbitrary code in target system. To exploit the vulnerability successfully an attacker has to have proper username and password. Exception to this is a server to which an attacker has done a successful SQL injection attack already.

At the moment of writing this supported versions of following software are known to be vulnerable against this mentioned vulnerability:
- Microsoft SQL Server 2000 (Service Pack 4)
- Microsoft SQL Server 2005 (Service Pack 2)
- Microsoft SQL Server 2005 Express Edition (with Service Pack 2 or Advanced Services Service Pack 2)
- Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) (Service Pack 4)
- Microsoft SQL Server 2000 Desktop Engine (WMSDE)
- Windows Internal Database (WYukon) (Service Pack 2)

Fix against the vulnerability isn't yet available. Microsoft says that it's investigating the issue and will take appropriate action when the investigation has been finished.


Workarounds to the issue have been released. About these and the status in overall can be read from correspondent Security Advisory.

Thursday, December 18, 2008

Update For Internet Explorer Available

Last Thursday I blogged about a vulnerability in Internet Explorer. Microsoft has now released an update (MS08-078) in order to fix the issue.

By exploiting the vulnerability an attacker may be able to execute arbitrary code in vulnerable system with logged in user's privileges or cause denial of service. The vulnerability can be exploited by luring user to open specially crafted web site. Public method to exploit the vulnerability exists at least for Internet Explorer 7.

Vulnerability affects Internet Explorer versions 5.01, 6, 7 and 8 beta.

Easiest way to update is to use Microsoft update service.

More information can be read form Microsoft security advisory.

Wednesday, December 17, 2008

Opera Update Available

New update for Opera web browser fixes several vulnerabilities of which most may allow an attacker to execute arbitrary code in vulnerable browser. Users with version prior 9.63 are affected and should get the latest version here.

Detailed information about fixed issues and other version changes can be read from Opera 9.63 for Windows changelog.

Updates For Mozilla Products

There has been released version 3.0.5 of Firefox web browser. Fixed are several vulnerabilities of which some may allow an attacker to execute arbitrary code on vulnerable system. Part of vulnerabilities affect also Thunderbird email client which updated version hasn't been released yet. Most Thunderbird related vulnerabilities can be limited by disabling Javascript support. Version 2.0.0.19 will be downloadable here when it becomes available.

Firefox users should get their versions updated either thru built-in updater or by getting the latest version here. Firefox 2 users should make sure they use version 2.0.0.19. SeaMonkey users should have version 1.1.14.

More information:
Firefox 3.0.5 release notes
Firefox 2.0.0.19 release notes
SeaMonkey 1.1.14 release notes

Thursday, December 11, 2008

FTC After Scareware Scammers

"The US Federal Trade Commission (FTC) has announced a successful move to persuade a US district court to shut down a major player in the rogue anti-spyware business", writes Virus Bulletin.

"The defendants in the case are Innovative Marketing, registered in Belize but apparently based in Kiev, Ukraine, and ByteHosting Internet Services, run out of Cincinnati, Ohio, as well as several individuals running or profiting from the companies, both of which operated under a range of other names. The U.S. District Court for the District of Maryland approved the FTC's request to call a halt to the companies' activities and freeze the assets of those behind the scams."

FTC's press release can be read here.

Vulnerability In Internet Explorer 7

There has been found a vulnerability in Microsoft Internet Explorer (IE) 7 web browser. The vulnerability is related to IE 7 way to handle XML content. By exploiting the vulnerability an attacker may be able to execute arbitrary code with currently logged on user's rights or cause a denial of service in vulnerable system.

The vulnerability can be exploited by luring user to open specifically crafted web site. Exploits are publicly available and the issue is being actively exploited in the wild.

Affected are Internet Explorer 7 on Microsoft Windows XP, Windows Server 2003, Windows Server 2008 and Windows Vista; other versions may also be affected.

Currently there's no patch available to fix the issue. Reportedly, Microsoft is investigating the issue and will release updates upon completion of this investigation. Please see the Microsoft advisory for more information.


More information:
- http://www.vupen.com/english/advisories/2008/3391
- http://www.securityfocus.com/bid/32721/info
- http://isc.sans.org/diary.html?storyid=5458
- http://research.eeye.com/html/alerts/zeroday/20081209.html
- http://www.avertlabs.com/research/blog/index.php/2008/12/09/yet-another-unpatched-drive-by-exploit-found-on-the-web/
- http://secunia.com/advisories/33089/

Vulnerability In Microsoft WordPad

Microsoft has released an advisory on a vulnerability in WordPad. Vulnerability is in WordPad text converter and could allow remote code execution. It can be exploited by luring user to open specifically crafted Word 97 file with WordPad. Microsoft says that it's investigating the issue.

Mentioned vulnerability affects Microsoft WordPad on Windows 2000 SP 4, Windows XP SP 2, Windows Server 2003 SP 1 and Windows Server 2003 SP 2. At the moment, general fix doesn't exist. Windows XP users can fix the vulnerability by installing service pack 3.

To limit vulnerability effects opening .doc, .wri or .rtf files with unknown origin should be avoided.

According to the advisory effects can be limited also by disabling the WordPad Text Converter for Word 97 file format. That will be done by running following command:
echo y| cacls "%ProgramFiles%\Windows NT\Accessories\mswrd8.wpc" /E /P everyone:N

About the impact of the workaround can be read from the advisory.

Tuesday, December 9, 2008

Security Update For December 2008 From Microsoft

Microsoft released its monthly security update packet today. December update contains eight updates. Six of those are critical and two important. In total, the updates fix 28 vulnerabilities.

Summary of affected software:
- Windows and its components,
- Microsoft Office,
- Microsoft developer tools and software,
- Sharepoint Server.


Among the updates a new version of Microsoft Windows Malicious Software Removal Tool is released too.

More information about the updates can be read here.

The easist way to get the updates is to use Microsoft automatic update service.

PHP Version 5.2.8 Released

There has been released version 5.2.8 of PHP scripting language. New version fixes security problem that arose in version 5.2.7. The problem was in magic_quotes_gpc functionality and was caused by an incorrect fix to the filter extension.

All users who have upgraded to 5.2.7 are encouraged to upgrade to this release, alternatively they can apply a work-around for the bug by changing "filter.default_flags=0" in php.ini.

Source

Sunday, December 7, 2008

Koobface Spreading On Facebook

Social networking service Facebook told to Computerworld that they're quickly updating their security systems to minimize further impact of malware spreading on Facebook. Passwords of infected accounts are being resetted and spam messages are being removed. Facebook is also coordinating with third parties to remove redirects to malicious content elsewhere on the web.

The guilty one in the problem is a new variant of Koobface worm which is targeting Facebook. Last summer its earlier variants caused harm to Facebook and MySpace users.

In a nutshell, bad guys try to fool Facebook victims by sending spam with a link claiming to contain a video. When user clicks the link (s)he is redirected to a page that then displays a fake error message claiming that Adobe System Inc.'s Flash is out of date, and prompts user to download an update. Instead of being an update the executable file installs variant of Koobface worm which in turn installs a background proxy server that redirects all Web traffic.

On infected system at least all searches made on Google, Microsoft and Yahoo search engines are redirected to find-www.net web address. The hackers are making money by redirecting users' searches to their own results, collecting cash from the ensuing clicks.

Facebook has posted a short message on its security page acknowledging the worm's attack. The notice urged users whose accounts had already been compromised to scan their PCs for malware and then reset their passwords.

Friday, December 5, 2008

PHP Version 5.2.7 Is Out

PHP development team has released 5.2.7 version of PHP scripting language. New version focuses on improving the stability of the PHP 5.2.x branch with over 120 bug fixes. Several of these are security related. All PHP users are recommended to upgrade their versions to this latest release.

More details about 5.2.7 release can be read from official version 5.2.7 release announcement.

Wednesday, December 3, 2008

Java SE Runtime Environment (JRE) Update Available

Sun has released update for Java SE Runtime Environment (JRE) 6. JRE allows end-users to run Java applications. The latest update can be downloaded from Sun's <Java SE Downloads site.

Unlike Update 10, Update 11 is a bug fix and security release. Upgrading to it is advisable. More information about contents of the update can be read from Release Notes of Java SE 6 Update 11.

Wednesday, November 26, 2008

Google's Orkut Being Used To Spread Trojans

Security company Websense warns in its alert about spam that is disguised as an official email sent from Orkut, Google-owned social network.

A spoofed personal message, in Portuguese, is sent from a user allegedly on the Orkut network seeking love. The message contains several links that appear to lead to the official Orkut Web site. "Clicking on a link actually leads to a malicious executable file, which is a Trojan Downloader named "imagem.exe"", is told in the Websense alert. "The malicious file opens the legitimate Orkut network login page, and in the background downloads a password stealing Trojan named "msn.exe"."

Websense says that the trojans used in this attack are hosted on a compromised labor union web site from southern Brazil.

Amount Of Spam Rising Again

Amount of spam messages decreased to the one third of normal for a couple of weeks when criminal operator's lines were disconnected. Restart of botnets has been going on since Monday and spam amounts are rising rapidly again. Amounts would be even higher but the worst botnet is still offline.

American McColo operator operates many controller servers of the world's biggest botnets. According to security companies closure of McColo sent at least Srizbi, Asprox and Rustock botnets offline.

During couple of weeks criminals have moved some of their controlling operations to other parts of the world, to Russia for example. Criminals even used a backup connection they successfully got by tricking internet service operator TeliaSonera to transfer data to new host in Russia. Last Sunday spam amounts decreased to minimal level but rapid increase began on Monday. According to Messagelabs security company (now part of Symantec) the reason behind increase is that Asprox and Rustock botnets have returned online. Also, Cutwail and Mega-D botnets have increased their posting amounts.

Though the spam amount is increasing it's still under half of the peak a few weeks ago. Security companies say that's because the worst botnet Srizbi is still offline. Messagelabs says that even half of the world's spam is sent thru Srizbi. Security researchers have estimated that Srizbi would consist of even over 300,000 PC computers connected to the internet.

Sunday, November 23, 2008

Microsoft's Removal Tool Cleans Fake Security Software

Microsoft added its Malicious Software Removal Tool (MSRT) for November to target fake security software (that has plagued Windows users all over the world. Looks like tool is doing its job. Last Wednesday Microsoft released some results in its Malware Protection Center Blog. According to the results nearly a million PCs were cleaned of fake security software (recognized as "W32/FakeSecSen by MSRT) during the period from November 11 to November 19.

This is one of the biggest clean-up job that Microsoft has ever done. In June 2008, MSRT sniffed out 1.2 million PCs infected with a family of password stealers, while in February, it scrubbed the Vundo Trojan from about a million machines. Over several months at the end of last year, MSRT hit the then-notorious Storm Trojan hard, cleaning it from a half-million PCs.


Source

Tuesday, November 18, 2008

Vulnerable Adobe AIR

There has been found a vulnerability that could allow an attacker who successfully exploits this potential vulnerability to execute untrusted JavaScript with elevated privileges. An Adobe AIR application must load data from an untrusted source to trigger this potential vulnerability.

As a resolution Adobe recommends AIR users with version below 1.5 to update their software to 1.5 version. AIR 1.5 includes a Flash Player update to resolve the critical issues as outlined in Flash Player Security Bulletin APSB08-22, as well as issues included in Flash Player Security Bulletins APSB08-20 and APSB08-18.


Source

Friday, November 14, 2008

Version 3.2 of Safari Web Browser Fixes Several Vulnerabilities

Apple has fixed totally 11 vulnerabilities in its Safari web browser. All vulnerabilities are related to Safari for Windows. Four of the vulnerabilities affect also Safari for Mac OS X (CVE-2008-3644, CVE-2008-2303, CVE-2008-2317 and CVE-2008-4216).

Apple updates contain fixes to the 3rd party libraries (zlib, libxslt, libTIFF and ImageIO). Among those patched are also CoreGraphics, WebCore and WebKit. Several of these patched vulnerabilities can be exploited by luring user to specially crafted website.

Vulnerable are following Safari versions:
- Safari for Mac OS X v10.4.11 prior version 3.2
- Safari for Mac OS X v10.5.5 prior version 3.2
- Safari for Windows XP prior version 3.2
- Safari for Windows Vista prior version 3.2

Users with vulnerable Safari can obtain version 3.2 either through Apple Software Update application or at http://www.apple.com/safari/download

More information on the vulnerabilities:

Security content of Safari 3.2
CVE-2005-2096
CVE-2008-1767
CVE-2008-2303
CVE-2008-2317
CVE-2008-2327
CVE-2008-2332
CVE-2008-3608
CVE-2008-3623
CVE-2008-3642
CVE-2008-3644
CVE-2008-4216

Thursday, November 13, 2008

Vulnerabilities In Mozilla Firefox, SeaMonkey and Thunderbird

There have been found several vulnerabilities in Mozilla products. Firefox 2 update fixes totally eleven vulnerabilities. Firefox 3 and SeaMonkey new versions contain fixes to ten vulnerabilities of which five are critical. In Thunderbird there were found six vulnerabilities of which some are critical.

Vulnerabilities enable escalation of user privileges, obtaining sensitive information and a remote attacker cause a denial of service (crash) and possibly execute arbitrary code in target system.

Mozilla recommends disabling JavaScript until updates have been installed. Recommendation concerns especially Thunderbird email client for which hasn't update available yet. In Thunderbird JavaScript is disabled by default.

Vulnerable software:
- Mozilla Firefox prior version 2.0.0.18
- Mozilla Firefox prior version 3.0.4
- Mozilla Thunderbird prior version 2.0.0.18
- Mozilla SeaMonkey prior version 1.1.13

Solution:
Users are instructed to update their versions to following ones:
- Mozilla Firefox 2.0.0.18
- Mozilla Firefox 3.0.4
- Mozilla Thunderbird 2.0.0.18 (version is not released yet)
- Mozilla SeaMonkey 1.1.13

Update can be made with automatic update functionality in correspondent software product or by installing new versions from http://www.mozilla.com/ and http://www.seamonkey-project.org/.

More information on vulnerabilities:
- http://www.mozilla.org/security/announce/2008/mfsa2008-47.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-48.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-49.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-50.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-51.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-52.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-53.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-54.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-55.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-56.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-57.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-58.html
- CVE-2008-0017
- CVE-2008-4582
- CVE-2008-5012
- CVE-2008-5013
- CVE-2008-5014
- CVE-2008-5015
- CVE-2008-5016
- CVE-2008-5017
- CVE-2008-5018
- CVE-2008-5019
- CVE-2008-5021
- CVE-2008-5022
- CVE-2008-5023
- CVE-2008-5024

Tuesday, November 11, 2008

Security Update For November 2008 From Microsoft

Microsoft released its monthly security update packet today. This month update contains 2 updates. One of those is critical and the other one important.

Critical update fixes several vulnerabilities in Microsoft XML Core Services. The most severe vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

The important update fixes vulnerability in Microsoft Server Message Block (SMB). The vulnerability could allow remote code execution on affected systems. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

New version of Microsoft Windows Malicious Software Removal Tool is released too.

More information about the updates can be read here.

The easist way to get the updates is to use Microsoft automatic update service.

Monday, November 10, 2008

Vulnerabilities In VLC Media Player

There has been found two vulnerabilities in VLC media player. When parsing the header of an invalid CUE image file or an invalid RealText subtitle file, stack-based buffer overflows might occur. This might allow attacker to trigger execution of arbitrary code within the context of the VLC media player. To successfully exploit the vulnerabilities victim must be made open specially crafted CUE image file or RealText subtitle file.

Vulnerabilities affect VLC media player versions 0.5.0 - 0.9.5. Users of these versions are recommended to update their versions to 0.9.6.

VideoLAN's security advisory provides more information on the issue.

Saturday, November 8, 2008

Two Vulnerabilities In VMware Software

There has been found two vulnerabilities in VMware software that enable privilege escalation. The first vulnerability is related to VMware's way to emulate CPU hardware in virtual machine (CVE-2008-4915). The second issue is related to VirtualCenter software's way to handle directories (CVE-2008-4281).

Summary of affected versions:
- VMware Workstation 6.0.5 and earlier versions
- VMware Workstation 5.5.8 and earlier versions
- VMware Player 2.0.5 and earlier versions
- VMware Player 1.0.8 and earlier versions
- VMware ACE 2.0.5 and earlier versions
- VMware ACE 1.0.7 and earlier versions
- VMware Server 1.0.7 and earlier versions
- VMware ESXi 3.5 lacking update ESXe350-200810401-O-UG
- VMware ESX 3.5 lacking update ESX350-200810201-UG
- VMware ESX 3.0.3 lacking update ESX303-200810501-BG
- VMware ESX 3.0.2 lacking update ESX-1006680
- VMware ESX 2.5.5 before 'upgrade patch 10' -update
- VMware ESX 2.5.4 lacking 'upgrade patch 21' -update

To solve the issues users of affected versions are instructed to update their products according to the VMware's instructions.

Friday, November 7, 2008

Adobe Patches Vulnerabilities In Flash Player

Adobe has released updated version of its Flash Player that fixes six vulnerabilities:

This update includes a change to the way Flash Player interprets HTTP response headers to prevent a potential cross-site scripting attack. (CVE-2008-4818)

This update introduces a change to mitigate a potential issue that could aid an attacker in executing a DNS rebinding attack. (CVE-2008-4819)

This update introduces stricter interpretation of an ActionScipt attribute to prevent a potential HTML injection issue. (CVE-2008-4823)

This update prevents an issue with policy file interpretation that could potentially lead to bypass of a non-root domain policy. (CVE-2008-4822)

This update prevents an issue with the Flash Player interpretation of jar: protocol on Mozilla browsers that could potentially lead to information disclosure. (CVE-2008-4821)

This update prevents a potential Windows-only information disclosure issue in the Flash Player ActiveX control. (CVE-2008-4820)


Affected Flash Player versions are Flash Player 9.0.124.0 and earlier. Users with vulnerable version should update their versions to Flash Player 10.0.12.36. Those users who can't update their versions to Flash Player 10 may use an update to version 9.0.151.0. Both 10.0.12.36 and 9.0.151.0 contain fixes also to the issues reported in Security Advisory APSB08-18.

More information and instructions for updating can be read here.

More Vulnerabilities In Adobe Acrobat And Reader

On Wednesday I blogged about a vulnerability (CVE-2008-2992) in Adobe Acrobat and Reader version 8.1.2. Among that there are seven (7) other vulnerabilities found that version 8.1.3 fixes (version 9.x users aren't affected).

CVE-2008-2549: Adobe Acrobat Reader 8.1.2 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a malformed PDF document.

CVE-2008-4812: Array index error in Adobe Reader and Acrobat, and the Explorer extension (aka AcroRd32Info), 8.1.2, 8.1.1, and earlier allows remote attackers to execute arbitrary code via a crafted PDF document that triggers an out-of-bounds write, related to parsing of Type 1 fonts.

CVE-2008-4813: Adobe Reader and Acrobat 8.1.2 and earlier allow remote attackers to execute arbitrary code via a crafted PDF document that (1) performs unspecified actions on a Collab object that trigger memory corruption, related to a GetCosObj method; or (2) contains a malformed PDF object that triggers memory corruption during parsing.

CVE-2008-4814: Unspecified vulnerability in a JavaScript method in Adobe Reader and Acrobat 8.1.2 and earlier allows remote attackers to execute arbitrary code via unknown vectors, related to an "input validation issue."

CVE-2008-4815: Untrusted search path vulnerability in Adobe Reader and Acrobat 8.1.2 and earlier on Unix and Linux allows attackers to gain privileges via a Trojan Horse program in an unspecified directory that is associated with an insecure RPATH.

CVE-2008-4816: Unspecified vulnerability in the Download Manager in Adobe Reader 8.1.2 and earlier on Windows allows remote attackers to change Internet Security options on a client machine via unknown vectors.

CVE-2008-4817: The Download Manager in Adobe Acrobat Professional and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a crafted PDF document that calls an AcroJS function with a long string argument, triggering heap corruption.

Vulnerable version users are recommended to update their versions by following Adobe's instructions.

More information:
- CVE-2008-2549
- CVE-2008-4812
- CVE-2008-4813
- CVE-2008-4814
- CVE-2008-4815
- CVE-2008-4816
- CVE-2008-4817

Wednesday, November 5, 2008

Vulnerability In Adobe Acrobat And Reader Causes Buffer Overflow

There has been found a vulnerability in Adobe Acrobat and Reader software. By making user open specially crafted PDF file an attacker can cause a buffer overflow by exploiting vulnerability in util.printf() JavaScript function.

Affected software:
Vulnerable to this found vulnerability are Adobe Acrobat 8.1.2 and Reader 8.1.2. Users of either of these two versions are recommended to upgrade to version 9. If stepping to version 9 isn't possible then users should upgrade to version 8.1.3.

Solution:
Update software according to Adobe's instructions by either downloading updated software from Adobe's website or using automatic updating tool. Issue can be also worked around by disabling JavaScript in Adobe Reader and Acrobat (found in software's Edit/Preferences menu). Disabling will also prevent many basic Acrobat and Reader workflows from properly functioning so updating the software is more recommended way to solve the issue.

More information on the issue:
CoreLabs advisory
Secunia advisory
CVE-2008-2992

Monday, November 3, 2008

Over 300,000 Bank Accounts Compromised By Sinowal

Security company RSA writes in its blog about Sinowal Trojan (aka Torpiq and Mebroot) which may be the worst and the most advanced crimeware ever created by fraudsters. During its existence (from early February 2006) Sinowal has compromised and stolen login credentials from approximately 300,000 online bank accounts as well as a similar number of credit and debit cards. Other information such as email, and FTP accounts from numerous websites, have also been compromised and stolen. In the past six months alone login credientals and information of over 100,000 online bank accounts have been stolen by this Trojan.

The source of Sinowal has been speculated a lot. Some speculations say that it has been operated and hosted by a Russian online gang with past ties to the Russian Business Network (RBN). "Our data confirms the Sinowal Trojan has had strong ties to the RBN in the past, but our research indicates that the current hosting facilities of Sinowal may have changed and are no longer connected to the RBN", writes RSA in the blog. It's no doubt interesting that the Trojan has stolen banking account information all over the world but Russian accounts have been left alone.

Friday, October 31, 2008

Opera Patches Two Vulnerabilities

Opera has released patched version of its Opera web browser. At this time, the update fixes two vulnerabilities.

The first vulnerability is related to History Search functionality.
"When certain parameters are passed to Opera's History Search, they can cause content not to be correctly sanitized. This can allow scripts to be injected into the History Search results page. Such scripts can then run with elevated privileges and interact with Opera's configuration, allowing them to execute arbitrary code."


There're have already been public demonstrations of this vulnerability.

The second vulnerability is related to links panel in Opera.
"The links panel shows links in all frames on the current page, including links with JavaScript URLs. When a page is held in a frame, the script is incorrectly executed on the outermost page, not the page where the URL was located. This can be used to execute scripts in the context of an unrelated frame, which allows cross-site scripting."


Above meantioned vulnerabilities affect Opera versions prior 9.62. Opera instructs users of those versions to update to the latest version found here.

More information on the vulnerabilities:
Advisory: History Search can be used to execute arbitrary code
Advisory: The links panel can allow cross-site scripting

Wednesday, October 29, 2008

Vulnerabilities In OpenOffice 2.x Software

There has been found two vulnerabilities in OpenOffice software. The vulnerabilities are related to WMF and EMF file processing. Due to the lack of proper checks it's possible to cause buffer overflow in target system. Vulnerabilities can be exploited by attracting a user to open specially crafted StarOffice/StarSuite document. Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

Affected are all OpenOffice 2.x versions prior 2.4.2. OpenOffice users are instructed to update their version to 2.4.2 or 3.0.0 which is not affected by the vulnerabilities.

More information on the vulnerabilities:
CVE-2008-2237
CVE-2008-2238

Tuesday, October 28, 2008

Multiple Vendor Web Browser FTP Client Cross Site Scripting Vulnerability

Multiple vendors' web browsers are prone a cross-site scripting vulnerability that arises because the software fails to handle specially crafted files served using the FTP protocol.

Successfully exploiting this issue may allow an attacker to execute arbitrary script code in the browser of an unsuspecting user in the context of an FTP session. This may allow the attacker to perform malicious actions in a user's browser or redirect the user to a malicious site; other attacks are also possible.

Vulnerable are Mozilla Firefox 3.0.1 - 3.0.3 versions and Google Chrome 0.2.149 30.

Currently, there're no patches available (Firefox version 3.0.4 is under work).
Source

Friday, October 24, 2008

Critical Vulnerability In Windows Operating Systems

Microsoft has released a new security update outside of common update cycle for Microsoft Windows operating systems. Fixed vulnerability is related to RPC message handling in server component. Vulnerability affects to systems which have file-sharing enabled. The file-sharing has not been activated by default in Windows XP SP2 and newer Windows versions.

Vulnerability can be used directly over network and it allows an attacker to execute arbitrary code in target system with full privileges.

Microsoft rates the vulnerability critical in all supported Windows operating systems excluding Windows Vista and Server 2008. In those two the vulnerability has been rated important. Public exploitation method against the vulnerability exists already.

The vulnerability will be very likely exploited in attacks and malicious programs. It is possible that this vulnerability could be used in the crafting of a wormable exploit.

Security update can be downloaded with Windows updating tool. The easiest way to install the update is Windows Update service.

The vulnerability can be also limited by disabling server service or by filtering network traffic into ports 139 and 445 by using either 3rd party or internal firewall. In Vista and Server 2008 it's also possible to filter the affected RPC identifier.

More details can be read from Microsoft Security Bulletin MS08-067.

Wednesday, October 22, 2008

Opera Patches Vulnerabilities

Opera Software has released updated version of its Opera web browser. New version fixes three vulnerabilities.

The first vulnerability makes it possible for an attacker to inject Javascript code into browsing history search page making it possible to look through the user's browsing history, including the contents of the pages user has visited.

The second vulnerability makes it possible to execute scripts in the context of an unrelated frame, which allows cross-site scripting.

The third vulnerability is related to an incomplete blocking of Javascript code while previewing news feed. These scripts are able to subscribe the user to any feed URL that the attacker chooses, and can also view the contents of any feeds that the user is subscribed to. These may contain sensitive information.

Opera users with version below 9.61 are instructed to update their browsers to the latest version.

Monday, October 20, 2008

Software Update Monitor (Sumo)

As Internet has become more widespread different security holes of programs and operating systems have risen to a major security threat. Program vulnerabilities are exploited constantly, and often a worm or Trojan horse may use one of these holes to get into system.

Program authors publish quite well updates for found problems nowadays. Unfortunately, all programs are not yet using the automatic update, in which case updating is left to the user's responsibility. Hunting fresh versions is not an easy task, so it's no wonder that system contains quite often outdated programs which may also contain serious security holes.

Software Update Monitor (Sumo) is a wonderful tool to keep track on installed software versions. The program can monitor installed programs and check if any new updates for these programs exists. Sumo can also tell, will the available update fix security holes, and whether updating is important.


List of features in a nutshell (list taken from program homepage):
* Automatic detection of installed software
* Detects required updates / patchs for your software
* Filter / authorize Beta versions (user setting)
* Ignore list : only tracks software YOU want to track
* More compatibility and less false positive than others Update Monitors (according to users feedback ;-)
* Internationalization support.

Saturday, October 18, 2008

Emerging Cyber Threats Report for 2009

On October 15, 2008, the Georgia Tech Information Security Center (GTISC) hosted its annual summit on emerging security threats and countermeasures affecting the digital world. At the conclusion of the event, GTISC released Emerging Cyber Threats Report—outlining the top five information security threats and challenges facing both consumer and business users in 2009.

Interesting report can be obtained here.

Thursday, October 16, 2008

Vulnerabilities In Adobe Flash Player

Adobe has reported about several vulnerabilities in Adobe Flash Player -software. Vulnerabilities affect to Flash Player for Windows, Mac OS X, Linux operating systems.

Vulnerable are Adobe Flash Player 9.0.124.0 and previous versions. There isn't an update for version 9 available yet. Adobe has announced that it will release a fix for version 9 in the beginning of November. However, if possible, Adobe recommends updating directly to version 10.0.12.36. It can be downloaded here.

More information about reported vulnerabilities can be read from corresponding Adobe Security Advisory.

Wednesday, October 15, 2008

Oracle Update Packet Released

Oracle has released updates that contains fixes to 36 different vulnerabilities. The fixes are part of the company's quarterly CPU (critical patch update).

Exact list of the vulnerabilities and instructions how to apply the fixes can be read from Oracle's Critical Patch Update Advisory.

Next critical patch update Oracle plans to release in January 2009.

Tuesday, October 14, 2008

Security Update For October 2008 From Microsoft

Microsoft will release today, 14.10.2008, its monthly security update packet. This month update contains 11 updates. Four of the updates are critical, six important and one moderate. Critical vulnerabilities have been found in Windows, Internet Explorer, Microsoft Office and Host Integration Server.

New version of Microsoft Windows Malicious Software Removal Tool will be released too.

More information about the updates can be read here.

The easist way to get the updates is to use Microsoft automatic update service.

Monday, October 13, 2008

Russian Company Uses NVidia Graphics Cards To Break WiFi Encryption

According to Russian security company Global Secure Systems WiFi networks' WPA and WPA2 encryption systems can be broken even 100 times faster than before using NVidia graphics cards' processors.

David Hobson, managing director of GSS, told SC Magazine that companies can no longer view standards-based WiFi transmission as sufficiently secure against eavesdropping to be used with impunity but VPN encryption system should be used too to secure data.

Saturday, October 11, 2008

Fast-Flux Botnet Observations

New research brings more light into the matter of how botnets work. Domain names and victim systems used by attacking network are changed all the time. Single victim or domain won't last very long.

Two professionals from Arbor Networks company and University of Mannheim have researched botnets. Especially they researched how the criminals hide themselves behind captured systems and several domains. Interesting report can be found here.

Thursday, October 9, 2008

Opera Patches Vulnerabilities

Opera has released a new version of its Opera web browser. Among other changes version 9.60 contains also patch to two vulnerabilities.

First vulnerability makes it possible to execute arbitrary code in target system using specially crafted addresses. If a malicious page redirects Opera to a specially crafted address (URL), it can cause Opera to crash. Given sufficient address content, the crash could cause execution of code controlled by the attacking page.

Another, Java applets related vulnerability, makes it possible to read sensitive information. Once a Java applet has been cached, if a page can predict the cache path for that applet, it can load the applet from the cache, causing it to run in the context of the local machine. This allows it to read other cache files on the computer or perform other normally more restrictive actions. These files could contain sensitive information, which could then be sent to the attacker.

Opera users are recommended to update their versions to version 9.60.

Changelogs can be found here.

More information on the vulnerabilities:
http://www.opera.com/support/search/view/901/
http://www.opera.com/support/search/view/902/
http://www.securityfocus.com/bid/31631
http://www.securityfocus.com/bid/31643
http://www.matasano.com/log/1182/i-broke-opera/

Flash Player workaround available for "Clickjacking" issue

Adobe has released a workaround for so called "clickjacking" issue in Adobe Flash Player versions 9.0.124.0 and earlier.

Below is a quote from Adobe's security advisory

Customers:

To prevent this potential issue, customers can change their Flash Player settings as follows:

1. Access the Global Privacy Settings panel of the Adobe Flash Player Settings Manager at the following URL:
http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager02.html
2. Select the "Always deny" button.
3. Select ‘Confirm’ in the resulting dialog.
4. Note that you will no longer be asked to allow or deny camera and / or microphone access after changing this setting. Customers who wish to allow certain sites access to their camera and / or microphone can selectively allow access to certain sites via the Website Privacy Settings panel of the Settings Manager at the following URL: http://www.adobe.com/support/documentation/en/flashplayer/help/settings_manager06.html.

IT Administrators:

IT Administrators can change the AVHardwareDisable value in client mms.cfg files from 0 to 1 to disable client Flash Player camera and microphone interactions. For more information on the mms.cfg file and AVHardwareDisable, please refer to page 57 of the Adobe Flash Player Administration Guide: http://www.adobe.com/devnet/flashplayer/articles/flash_player_admin_guide/flash_player_admin_guide.pdf#page=57.

Adobe is working to address the issue in an upcoming Flash Player update, scheduled for release before the end of October. Further details will be published on the Adobe Security Bulletin page at http://www.adobe.com/support/security.

Additionally, all documented security vulnerabilities and their solutions are distributed through the Adobe security notification service. You can sign up for the service at the following URL: http://www.adobe.com/cfusion/entitlement/index.cfm?e=szalert. Users may also monitor the latest information on the Adobe Product Security Incident Response Team blog at the following URL: http://blogs.adobe.com/psirt

Wednesday, October 8, 2008

Vulnerabilities In WMware Software

There has been released new updates for VMware products that fix several vulnerabilities:
1) Privilege escalation on 64-bit Windows and 64-bit FreeBSD guest operating systems and possibly other 64-bit operating systems (Linux guest operating systems excluded)
2) Password displayed in cleartext under certain circumstances in VirtualCenter -software.
3) Java JRE update in VirtualCenter -software

Vulnerable versions:
-VirtualCenter 2.5 before Update 3 build 119838
-VMware Workstation 6.0.4 and earlier
-VMware Workstation 5.5.7 and earlier
-VMware Player 2.0.4 and earlier
-VMware Player 1.0.7 and earlier
-VMware ACE 2.0.4 and earlier
-VMware ACE 1.0.6 and earlier
-VMware Server 1.0.6 and earlier
-VMware ESXi 3.5 without patch ESXe350-200809401-I-SG
-ESX 3.5 without patch ESX350-200809404-SG
-ESX 3.0.3 without patch ESX303-200809401-SG
-ESX 3.0.2 without patch ESX-1006361
-ESX 3.0.1 without patch ESX-1006678


More information regarding found vulnerabilities and their fixes can be read from VMware Security Advisory.

Tuesday, October 7, 2008

Symantec's Report Reveals: Increase Of Spam-Sending Zombie PCs In September

Symantec has released its monthly State of Spam report.

After a 37 percent drop in botnet-related spam for August, Symantec observed a 101 percent increase in September. The growth appears to be focused in Europe, the Middle East, and Asia, with South Korea experiencing the largest increase at 4,236 percent. It was followed by Kazakhstan (761 percent), Romania (607 percent), Saudi Arabia (555 percent), and Vietnam (540 percent).

Biggest amount of active zombie machines was in Turkey, 12 percent. It was followed by Brazil (9 percent), Russia (8 percent), United States (6 percent), India (6 percent) and China (6 percent).

Symantec says that it's difficult to determine an exact reason behind the one month increase but admits that it coincides with the increase in email messages carrying links to downloadable exploits which were characterized by their use of sensational news headlines. It also coincides with an increase in email messages carrying attached viruses in the form of zip and RAR files. When looking at the geography of the virus attacks versus the zombie data there can be seen similar increases in certain countries on both accounts.

O.J. Simpson Guilty Verdict Could Lead To Malicious Spam

IT security company MX Logic warns in its blog about possible spam related to the OJ Simpson guilty verdict from last week.

"It appears that some search engines are already being poisoned with links to malicious video downloads based off of certain search criteria related to the verdict. It is typical for these types of tactics to start bleeding into email as well", writes Sam Masiello, vice president of information security at MX Logic.

Similar to the CNN and MSNBC campaigns from August it is likely that these spam emails will use a lure to an online video to trick users into visiting malicious web sites that download alleged video codecs that are actually malware.

Sunday, October 5, 2008

Microsoft Updated CAPTCHA protections - Busted Again By Criminals

Cat and mouse game of security has expanded itself to protections of web services. Earlier criminals developed a program that could pass Hotmail email service CAPTCHA tests. Microsoft updated protection but criminals have now busted the new protection too. Accuracy isn't big but it's enough for computer.

Internet's big free email services like Google's Gmail and Microsoft's Hotmail are attracting targets for criminals. These services are not put to block lists and email can be sent for free through them. The services use so called CAPTCHA tests to prevent mass account creation with criminals' automatic programs.

Security company Websense presents details about new attack in its blog. Microsoft's old CAPTCHA protections based on text scrambled with lines. Revised CAPTCHA contains badly twisted text but automatic program can now read this too.

Accuracy isn't big. According to Websense only every 8th or 10th attempt is successful (a success rate of 10 to 15%). For computer program this isn't obstacle since attempts can be made continuously.

This latest spambot targeting Microsoft's revised CAPTCHA system includes the combined features of spambots used to target Google's Blogger and Microsoft's Live Hotmail. Websense reported on these anti-CAPTCHA operations earlier this year (2008).

Friday, October 3, 2008

Unpatched Vulnerability In Adobe Flash Player Plug-in

There has been found a vulnerability in Adobe Flash Player plug-in. If a Flash 9 SWF loads two SWF files with different SWF version numbers from two distinct HTTP requests to the exact same URL (including query string arguments), then Adobe's Flash Player plug-in will try to dereference a null pointer. For browsers where plug-ins run in the same process (e.g., Internet Explorer 6 and 7, Firefox 3, and Safari 3 on Windows
and OS X) the vulnerability causes the entire browser process to crash.

Vulnerable are at least following versions on Windows, OS X and Linux:
- 9.0.45.0
- 9.0.112.0
- 9.0.124.0
- 10.0.12.10

At the moment of writing this there isn't patch available for the vulnerability.

More information:
SecurityFocus BugTraq note
Adobe Flash Player plug-in browser crash (bug reporter's site)

Google Trend Exploited By Hackers

Criminals have once again found a new way to trick net users to load dangerous malware tells security company Webroot in its Threat Advisory. This time Google Trend service is used to reach the target. Google Trend is a service that lists the day's most frequently searched topics.

According to Webroot criminals check some top story of the day using Google Trends and then copy the topic to their fake blogs. Into these blogs they insert links that appear to be pointing to topic related videos. That way criminals can attract users to visit the site and it raises higher in the search engine results. When user tries to watch video behind the link the site tells that to see a video a codec must be installed. This codec is actually malware.

Anything new there? Well, yes and no. The codec trick itself is old one but exploiting Google Trends is a new thing which unfortunately raises amount of users who end up to these malicious sites.

Webroot gives 5 step recommendations to users to prevent this kind of malware attack. Those are:
1. Always have a current version of antispyware, antivirus and firewall product
2. Never download free product or purchase them from unknown Web sites and vendors, or peer to peer networks
3. Download videos and other multimedia files only from known and trusted Web sites or blogs
4. Make sure the computer is up-to-date by always installing the latest Microsoft or Apple security updates and
5. Use a credit card that has sufficient fraud protection when shopping and never use a debit card online.

Thursday, October 2, 2008

Sandbox Security Clients Versus Web Threats

"Many sandbox security vendors claim that their products stop all known and unknown attacks. Even assuming the ability to curtail all known attacks could be proven, it's simply impossible to believe that any piece of software could halt all unknown attacks. Of course, that doesn't prevent the vendors from making empty promises or the malware authors from proving them wrong." writes Roger A. Grimes in his article in PCWorld.

In Grimes' testing of five sandbox security clients -- Authentium's SafeCentral, Check Point's ZoneAlarm ForceField, Prevx, Sandboxie, and SoftSphere Technologies' DefenseWall HIPS -- he exposed all the products to dozens of malicious attacks, both well known and not so well known. Two malware programs, in particular, stretched the various competitors to their breaking points: the Adobe Flash clipboard hijack exploit and the XP Antivirus malware program. None of the tested sandbox clients passed the first meantioned and most failed to accurately clean up from the XP Antivirus. In the end, Grimes' favourite products were Prevx and Sandboxie.

Grimes' review can be read here.

Tuesday, September 30, 2008

Different Way To Tamper Windows Kernel

"Security researchers have discovered one of the most subtle and sophisticated examples of Windows rootkit software known to date," writes The Register.

Worm.Win32.AutoRun.nox, as F-Secure calls it, extends the standard virus writer trick of using software vulnerabilities to infect systems, by including functionality that allows the worm to exploit Windows security bugs to hook into parts of the Windows system that operate below the radar of anti-virus packages.

"Most malware with rootkit functionality will tamper with the Windows kernel and attempt to execute code in kernel mode. Typically, a special driver is used to do this, " writes F-Secure. "AutoRun.nox is different — it uses "GDI Local Elevation of Privilege Vulnerability (CVE-2006-5758)" to do the job. For malware, its rather unique to see such a technique being used." Microsoft patched the vulnerability in April 2007 update (MS07-017).

More detailed description of AutoRun.GM can be read from F-Secure Blog.

Saturday, September 27, 2008

Firefox 3.0.3 released

Firefox 3.0.3 contains the following change:

* Fixed a problem where users were unable to retrieve saved passwords or save new passwords (bug 454708)

Friday, September 26, 2008

Thunderbird 2.0.0.17 Released

Mozilla has released updated version of Thunderbird email client. New version contains patches for two critical and five moderate vulnerabilities.

Critical:
MFSA 2008-46 Heap overflow when canceling newsgroup message
MFSA 2008-37 UTF-8 URL stack buffer overflow

Moderate:
MFSA 2008-44 resource: traversal vulnerabilities
MFSA 2008-43 BOM characters stripped from JavaScript before execution
MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution
MFSA 2008-38 nsXMLDocument::OnChannelRedirect() same-origin violation


Thunderbird 2.0.0.17 Release Notes

Wednesday, September 24, 2008

Mozilla Releases Updates

Mozilla has released a new version of Firefox web browser. Version 3.0.2 fixes bunch of issues including following five vulnerabilities:
-MFSA 2008-44 resource: traversal vulnerabilities
-MFSA 2008-43 BOM characters stripped from JavaScript before execution
-MFSA 2008-42 Crashes with evidence of memory corruption (rv:1.9.0.2/1.8.1.17)
-MFSA 2008-41 Privilege escalation via XPCnativeWrapper pollution
-MFSA 2008-40 Forced mouse drag

Of these -42 and -41 are categorized as critical, -44 and -43 are moderate and -40 low.

Version 2.0.0.17 fixes above mentioned and couple of other security issues for Firefox 2 series users.

Mozilla released also updated version of SeaMonkey (1.1.12). Part of listed five security issues affects Thunderbird too. 2.0.0.17 version should fix these but it's not yet available for downloading at the moment of writing this.


More information on the updates:
Firefox 3.0.2 Release Notes
Firefox 2.0.0.17 Release Notes
SeaMonkey 1.1.12 Release Notes

Monday, September 22, 2008

McAfee Makes A $465 Million Offer Of Secure Computing

Security company McAfee announced on Monday (22-09-08) that it has placed a deal to acquire security company Secure Computing. Deal is worth around US$465 million.

With Secure Computing, McAfee expects to be able to deliver the complete content and data lifecycle management at the network, spanning detection, filtering, encryption, blocking, archiving, reporting and compliance. Also, McAfee hopes to expand its security as a service offering and to sell more products and services to Secure Computing's 22,000 customers worldwide.

The deal is expected to close toward the end of the fourth quarter, McAfee said.

McAfee's press release

Saturday, September 20, 2008

VMware Fixes Vulnerabilities

VMware has fixed critical security vulnerabilities in two of its virtualization products, ESXi and ESX 3.5. The patches fix two buffer overflow bugs that reside in a component known as openwsman. It provides web services management functionality and is enabled by default. The vulnerabilities could be exploited by people without login credentials to the system. However, to exploit the vulnerabilities the attacker has to have access to the service console network. Security best practices provided by VMware recommend that the service console be isolated from the VM network.

More information can be read from the correspondent VMware security advisory.

Tuesday, September 16, 2008

Hackers Attempt To Spread Malware On BusinessWeek Website

Hackers have broken into BusinessWeek's online site and set up an attack scenario in which visitors to a section of the site could have their own computers compromised and their data stolen, tells Graham Cluley from security company Sophos in his Blog.

The hackers used an increasingly common form of attack called SQL injection, in which a small malicious script is inserted into a database that feeds information to the BusinessWeek website. Injected code was pointing to a website behind a Russian domain, which could download malware onto the computers of BusinessWeek.com readers.

At the moment the Russian website is offline. Cluley points out that it’s status could potentially change at any time though.

The amount of SQL injections has increased a lot this year. "As we reported in our recent Security Threat Report, over 16,000 new infected webpages are discovered every single day. That’s one every five seconds - three times faster than the rate we saw during 2007", says Cluley.


Video containing more information on the matter can be seen on Graham Cluley's Blog.

Saturday, September 13, 2008

Fake YouTube Page Generator On Loose

Panda Security writes in its Blog about new virus constructor type malware.

Tool called as Constructor/YFakeCreator allows to create fake YouTube web pages with the objective to deceive users and distribute malware through them. Distributed malware can be of any type like for example worm, Trojan, virus or adware.

YTFakeCreator makes it easy for even unskilled people to set up an attack. It has a configuration menu that lets the would-be attacker select a warning message to be displayed on the fake video page and properties of the video, among other options.

"They've really commercialized malware. There's been an upsurge of sophisticated custom-built Trojans that come with service level agreements and tech support sold in underground forums," Ryan Sherstobitoff, a chief corporate evangelist of Panda Security, said according to CNET News.

More details about YTFakeCreator can be read in Panda's Encyclopedia.

Version 1.28 of Malwarebytes' Anti-Malware Released

Small update contains two changes:
1. (FIXED) Problem with heuristics on Windows 2000.
2. (ADDED) Better malware regeneration prevention on reboot.


New version can be downloaded here

Wednesday, September 10, 2008

WordPress Version 2.6.2 Released

There's been released a new version of WordPress which contains handful of bug fixes and updates for two found vulnerabilities. These vulnerabilities together may provide a way to hijack username.

Due to wide spread of WordPress software it's very likely that vulnerability will be actively exploited. Blogs that allow open user registration should update WordPress as soon as possible.

More information can be read here.

Apple Patches Its Products

Apple has released four bulletins of 18 vulnerabilities in its products. Vulnerabilities affect iPod Touch device, iTunes and QuickTime mediaplayers and their components.

Summary of vulnerable versions:
- Apple iPod Touch prior version v2.1
- Apple iTunes prior version 8.0
- Apple QuickTime prior version 7.5.5
- Bonjour for Windows 1.0.5

Vulnerable versions should be updated by following Apple's instructions (see the links above in this post). iPod Touch -update is available through iTunes -software. Bonjour for Windows 1.0.5 is included in iTunes 8.0 -installation.

GDI+ interface update pack (MS08-052) problematic

Yesterday patched GDI+ interface sets specific challenges for system administrators. Interface is spread together with many Windows components and other Microsoft software, and also together with many 3rd party software installations. With 3rd party software spread interfaces are installed into either System32 directory of Windows or into product's own directory. Both cases bring problems.

If interface is installed into product's own directory must also these versions of interface be updated to protect system from vulnerabilities. If 3rd party software installs interface into System32 directory of Windows later into system installed software product may install vulnerable version of interface over Microsoft's version. If that happens the update must be re-installed.

System administrators should be careful when installing MS08-052 update. Installing Microsoft's update isn't enough to secure the system but all existing gdiplus.dll libraries in the system must be updated to the fixed version.

Monday, September 8, 2008

Google Fixes Chrome Vulnerabilities - Details Not Revealed Yet

Google has begun releasing update to its Chrome web browser to fix some security problems, reports CNET.

The new version, 0.2.149.29, replaces the 0.2.149.27 that was released when Google launched the Chrome beta version last week. Update releasing was started on Friday.

"149.29 is a security update and we released it as fast as we could," said Mark Larson, Google Chrome program manager, in a mailing list posting on Sunday. "We would've liked more time to prepare things, but some of the vulnerabilities were made public without giving us a chance to respond, update, and protect our users first. Thanks for being patient as we work out the kinks in all of our processes."

Google doesn't tell yet what security issues the update fixes. The reason for this is that the company wants to wait until all Chrome users have got the update. To check if an update is available, Chrome users can click the wrench icon in Chrome's upper-right corner, then select "about Google Chrome." That will show both the version number and a message indicating whether an update is available.

Though Google didn't tell what vulnerabilities the 149.29 update fixes it revealed that the update contains a fix to JavaScript. That among others fixes a problem that would crash the entire browser if a person typed "about:%" into the address bar.

Saturday, September 6, 2008

Microsoft Security Update For September 2008

Microsoft will release security update for September 2008 on Tuesday 9th of September 2008. This month's update packet consists of four updates which all are categorized as critical. Affected software are Microsoft Windows, Internet Explorer, .NET Framework, Office, SQL Server and Visual Studio.

New version of Microsoft Windows Malicious Software Removal Tool will be released too.

Details about the update can be read here.

The easist way to get the updates is to use Microsoft automatic update service.

Wednesday, September 3, 2008

Google Chrome Beta Released - Security Flaws Found Already

Google released yesterday beta version of its own web browser, Google Chrome. The more popular Chrome becomes the more it will attract malware authors. Keeping that in mind Google has implemented some security features like sandboxing of each tab, built-in web reputation service and special privacy mode into Chrome.

Despite of that, there's already been found some vulnerabilities of Chrome. The first one was discovered just some hours after the browser release by researcher Aviv Raff. Rishi Narang for one discovered URL Handler Crash vulnerability in Chrome (version 0.2.149.27). Person using nickname "nerex" has released an example script that shows how Chrome can be made to allow files (e.g., executables) to be automatically downloaded to the user's computer without any user prompt.

Monday, September 1, 2008

Watch Out For Possible Gustav Related Scams

SophosLabs warns in its blog of possible scams related to the threat of Hurricane Gustav. Some years ago attackers exploited Hurricane Katrina in order to infect victims with malware.

Over the weekend, posts to the Internet Storm Center diary highlight the number of Gustav-related domains that are being registered (set 1, set 2, set 3, set 4). Though the domains may not be up to bad it's good to be aware of the potential scam sites appearing online in the next few days.

Sunday, August 31, 2008

Updates To VMware Software Released

There has been found eight vulnerabilities in VMware software which among other things might result in denial of service attack or allow an attacker run arbitrary code. Updates fix vulnerabilities in ISAPI extension and in Cairo, FreeType, libpng and bind libraries. One update sets a killbit in VMware's ActiveX controls and one fixes VMware Consolidated Backup (VCB) command-line utilities.

Vulnerable versions:
- VMware ACE 2.0.4 and earlier versions
- VMware ACE 1.0.6 and earlier versions
- VMware Player 2.0.4 and earlier versions
- VMware Player 1.0.7 and earlier versions
- VMware Workstation 6.0.4 and earlier versions
- VMware Workstation 5.5.7 and earlier versions
- VMware Server 1.0.6 and earlier versions
- VMware ESX 3.0.3 without fixes ESX303-200808404-SG, ESX303-200808403-SG and ESX303-200808406-SG
- VMware ESX 3.0.2 without fixes ESX-1005109, ESX-1005113 and ESX-1005114
- VMware ESX 3.0.1 without fixes ESX-1005108, ESX-1005112, ESX-1005111, ESX-1004823 and ESX-1005117


Non-vulnerable versions:
VMware ACE 2.0.5 and 1.0.7
VMware Player 2.0.5 and 1.0.8
VMware Workstation 6.0.5
VMware Workstation 5.5.8
VMware Server 1.0.7
VMware ESX 3.0.3, 3.0.2 and 3.0.1: please see the VMware's Security-announce.

Wednesday, August 27, 2008

Asprox Botnet Punishes Of Incorrectly Filled Forms

SecureWorks reports that Asprox botnet, used specially for phishing banking details, has adopted a "special" way to treat users who fill out for phishing used forms incorrectly. Wrongly filled out form causes a malware attack which tries to exploit web browser's and Windows operational system's vulnerabilities.

This kind of action will be taken if form is filled out with details that doesn't seem to be real or contains words like "phish" or NSFWUYAS (Not Safe For Work Unless You’re a Sailor) language. If system is vulnerable against these exploits it will end up as a part of Asprox botnet.

According to SecureWorks if the form is filled out with details that looks correct system won't be attacked.

Tuesday, August 26, 2008

Microsoft Adds Privacy Tools To IE8

Microsoft is going to bring new privacy tools to IE8. Andy Zeigler, IE Program Manager, shares some details about these tools on Team Blog. In a nutshell, IE8 will contain following features:

* InPrivate™ Browsing lets users control whether or not IE saves their browsing history, cookies, and other data
* Delete Browsing History helps users control their browsing history after they’ve visited websites.
* InPrivate™ Blocking informs users about content that is in a position to observe their browsing history, and allows them to block it.

* InPrivate™ Subscriptions allow users to augment the capability of InPrivate™ Blocking by subscribing to lists of websites to block or allow.

For more specific details please see the IE Team's blog entry.

Saturday, August 23, 2008

Opera 9.52 Released

Opera Software released new version of Opera web browser on last Wednesday (20th of August). Version 9.52 of the Windows version of the software fixes seven vulnerabilities, including a startup crash that creates a means for hackers to inject hostile code on certain systems. There's also a fix for a cross-site scripting (XSS) bug, details of which Opera hasn't released.

XSS flaws, in general, allow hackers to present the content of third party sites under their control in the context of a site they wish to impersonate. The approach is therefore useful in phishing attacks or other similar scams.

Links to advisories about six other fixed vulnerabilities can be read from Release Notes which contains also details about numerous stability and performance improvements made in this latest version of the browser.

New version can be downloaded here.

Wednesday, August 20, 2008

Britney Spears Spam Spreading

Among all present spam there seems to be spreading spam with Britney Spears related title now. Spam message contains a picture with a link to a malicious file named as mov.exe. A bit over 12 hours ago detection rates (Result: 12/36 (33.33%)) weren't too good.

Title of the spam varies. So far I've seen following titles:
Oops I did it again - new photos of Brithey's pussy!
Britney sues vagina for divorce
Britney Spears and Brad Pitt naked video

China Netcom DNS Cache Poisoning

Websense® Security Labs™ ThreatSeeker™ Network has detected that the DNS cache on the default DNS server used by the customers of China Netcom (CNC) has been poisoned. When China Netcom customers mistype and enter an invalid domain name, the poisoned DNS server directs the visitor's browser to a page that contains malicious code.

When users mistype a domain name they are sometimes directed by their ISPs to a placeholder Web site with generic advertisements. In the case of CNC its customers are directed to a web site under the control of an attacker. Malicious sites contain an iframe with malicious code that attempts to exploit RealPlayer, MS06-014, MS Snapshot Viewer and Adobe Flash player vulnerabilities.

Sunday, August 17, 2008

Malware Hijacks Clipboard

The Register writes that recently there's been reported about several cases in which surfers have noticed their clipboard content has been replaced with a link to rogue antispyware program. The rogue link won't go away even after the user copies a new batch of text. The only way to remove it is to reboot the system.

Thus far the attack has been reported by Firefox users running both OS X and Windows. At the moment it's not clear how the attack spreads exactly but the culprit might be Flash using malware.

By using clipboard functionality people behind the attack try to get the user paste the bad url in emails, blog/forum posts or directly into a browser's address bar spreading the link further.

Friday, August 15, 2008

Shadow Botnet Smashed By The Authority Of The Netherlands

The Dutch High Tech Crime Unit has arrested two persons and closed down Shadow botnet which is estimated to be consisted of over 100,000 computers. A 19-year-old Dutch national is accused of running the botnet. Another arrested person is a Brazilian man who tried to rent the botnet. Security company Kaspersky is asked to help close the botnet down.

Eddy Willems, security evangelist with Kaspersky Labs Benelux, who worked closely with the High Tech Crime Unit, believes this case clearly illustrates how the security industry can help law enforcement in the fight against cybercrime.

The Dutch police is asking anyone who finds that they were part of the Shadow botnet to contact them and register a complaint. Kaspersky provides instructions for locating and removing the Shadow bot malware on its web site.

FBI is also reported to have taken part in the case.


Source

New Gpcode Variant Not As Dangerous As Earlier Variants

On Tuesday I blogged about Kaspersky's report of new Gpcode variant. Closer analyzes has shown this be less dangerous than its predecessors. " The claims made by the author about the use of AES-256 and the enormous number of unique keys were a bluff. The author even didn’t use a public key in encryption, so all the information needed to decrypt files is right there in the body of the malicious program", is told in Kaspersky's Blog.

Kaspersky analysis shows that the Trojan uses the 3DES algorithm but the author dug up an off-the-peg Delphi component rather than going to the trouble of creating his own encryption routine. Also, the Trojan's code is quite messy making it look like the author isn't much of a programmer.

Kaspersky calls this new Gpcode variant as Trojan-Ransom.Win32.Gpcode.am. The trojan was spread by another malicious program, P2P-Worm.Win32.Socks.fe.

Thursday, August 14, 2008

Bogus 'msnbc.com - BREAKING NEWS' Alerts

Websense® Security Labs™ ThreatSeeker™ Network has discovered a new replica wave of 'msnbc.com - BREAKING NEWS' alerts that are being sent out via spam emails. Similar to previous attacks related to 'Bogus CNN Custom Alerts', these emails contain links to a legitimate news page, but are designed to encourage users to download a malicious application posing as a video codec.

The malicious payload is only accessed when the user clicks on the ‘breakingnews.msnbc.com’ link, which takes users to a Web page named up.html. This page issues a pop-up encouraging users to download a ‘missing’ video codec, a file called adobe_flash.exe.


Here are some examples of the varied subjects used in this campaign:
msnbc.com - BREAKING NEWS: Arsenal buys Ronaldo from Man Utd
msnbc.com - BREAKING NEWS: Copycat murderer beheads woman on Greyhound bus
msnbc.com - BREAKING NEWS: Too much freedom will destroy America
msnbc.com - BREAKING NEWS: Mary-Kate Olsen responsible for Heath Ledger's death
msnbc.com - BREAKING NEWS: Stupid Asians lose lawsuits against Americans
msnbc.com - BREAKING NEWS: West Nile virus spreads in Europe

Tuesday, August 12, 2008

New Version of Gpcode On Loose

Kaspersky reports in its blog about new variant of Gpcode. This version is currently spread via a botnet which name is withheld for security purposes.

Gpcode leaves a text file named crypted.txt which includes a ransom demand of $10. The file also contains the author's contact details: an email address, an ICQ number and a URL. In addition to encrypting files and leaving the message Gpcode changes the desktop wallpaper to a giant red skull with crossbones on white background (screenshot).

The ransom shouldn't be paid since it encourages the author to produce new variants. Also, the authors' details about used encryption algorithm can't be verified at this point. Kaspersky's analysts are analyzing it to find way to crack the encryption and restore files. Meanwhile, victims of latest Gpcode variant are suggested to attempt to restore their files using methods described here. Some victims have reported that the method does partially restore encrypted files.

Gpcode victims are instructed to contact Kaspersky on stopgpcode at kaspersky dot com and watch the blog space for new updates on the matter.

Monday, August 11, 2008

Microsoft Security Update For August 2008 To Be Released Tomorrow

Microsoft will release its monthly security update for August 2008 tomorrow, Tuesday 8/11/2008. This month's update packet consists of 12 updates of which seven are critical and five important categorized. New version of Microsoft Windows Malicious Software Removal Tool will be released too.

Details about the updates can be read here. The easist way to get the updates is to use Microsoft automatic update service.

Thursday, August 7, 2008

Zlob Enters Search Engine Market

TrendMicro reports in its TrendLabs Malware Blog that people behind ZLOB malware have now entered the multibillion-dollar search engine market.

Over a year ago, last spring, Trend Micro (TM) threat researchers uncovered a network of over 900 rogue DNS (Domain Name System) servers related to the ZLOB Trojan family. Recently TM researchers discovered that this network is now targeting four of the most popular search engines.

In a large scale click fraud scheme, the ZLOB gang appears to hijack search results and to replace sponsored links with DNS “tricks”. Found ZLOB Trojans change the local DNS settings of affected systems to use two of abovemeantioned 900+ rogue DNS servers. These trojans spread by advanced social engineering tricks. One good example of this would be professional-looking web sites that promise internet users access to pornographic movies after installing malware that pose as video codecs.

"Among others, this criminal operation has even set up rogue sites of the UK and Canadian versions of one of the largest search engines. Even searches performed via the installed browser toolbar (provided by the same company) are now being hijacked by ZLOB. Another popular search engine company has been hit even harder — most, if not all, domain names of the search engine that give back search results get resolved to fraudulent Web sites by the rogue DNS servers," is told in the TrendLabs Blog.

The primary objective of ZLOB here appears to be stealing traffic and clicks from search engines, making money along the way. TM has taken steps to get in touch with its security contacts in all four affected search engine companies. However, there isn't much these contacts could do since the DNS hijacking is done locally on ZLOB Trojan infected systems.

Tuesday, August 5, 2008

Malware Spread Through Twitter Profile

Security company Kaspersky reports in its Analyst's Diary about an attack that is targeting both social networking service provider Twitter's users and whole internet community at large. A malicious Twitter profile with a name that is Portuguese for ‘pretty rabbit’, has a photo with malware advertisement of a fake video. Profile contains no other data than the photo with a link to the video making it look obvious that the profile has been created to infect users.

Clicking on the link will open a window that shows the progress of an automatic download of a so-called new version of Adobe Flash which is supposedly required to watch the video. This technique is currently very popular and the file is actually a Trojan downloader that proceeds to download more files onto the infected machine, all of which are disguised as MP3 files. The downloader is labeled as Heur.Downloader and Trojan-Downloader.Win32.Banload.sco by Kaspersky.

The footprints of this particular crime are pure Brazilian, ranging from the Portuguese, to the web servers hosting the malware to the email embedded in the malware which is used for receiving data from infected machines.

This technique does not require any serious programming skills and Google indexes un-protected Twitter profiles, so malicious pages built and marketed with good social engineering tactics end up high in the rankings.

Twitter suffers also from a vulnerability which allows an attacker to make user follow him automatically. Twitter has partially fixed the vulnerability on the 1st of August 2008 but it can still be exploited on Internet Explorer web browser.

Saturday, August 2, 2008

Malware Spreads In Social Networking Services

Security company Kaspersky Lab warns about new worm named as Koobface which uses social networking services, Facebook and MySpace to spread itself. Thus far four different variants of the worm exist.

Koobface makes infected systems part of botnet which clients spread malware links using friends lists of MySpace & Facebook. "The messages and comments include texts such as Paris Hilton Tosses Dwarf On The Street; Examiners Caught Downloading Grades From The Internet; Hello; You must see it!!! LOL. My friend catched you on hidden cam; Is it really celebrity? Funny Moments and many others."

Links in messages guide user to site containing video clip. If the user tries to watch the clip (s)he's been shown a message that asks to get the latest version of Flash Player to be able to watch the clip. Instead of the latest version of Flash Player, a file named as codesetup.exe is downloaded to the victim machine. That file is actually Koobface worm.

“Unfortunately, users are very trusting of messages left by 'friends' on social networking sites. So the likelihood of a user clicking on a link like this is very high. At the beginning of 2008 we predicted that we'd see an increase in cybercriminals exploiting MySpace, Facebook and similar sites, and we're now seeing evidence of this. I'm sure that this is simply the first step, and that virus writers will continue to target these resources with increased intensity”, says Alexander Gostev, Senior Virus Analyst at Kaspersky Lab.

Wednesday, July 30, 2008

Severe Vulnerability In Oracle WebLogic Server

There has been found a critical vulnerability in Oracle WebLogic Server (known previously as BEA WebLogic Server).

With a specifically crafted HTTP POST call an attacker can cause a buffer overflow in WebLogic component (mod_weblogic) made for Apache. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password.

Vulnerability affects all platforms. Servers which use Apache mod_security module are not vulnerable. Vulnerable WebLogic Server and WebLogic Express versions are:
- WebLogic Server 10.0 Maintenance Pack 1 and earlier versions
- WebLogic Server 9.2 Maintenance Pack 3 and earlier versions
- WebLogic Server 9.1 and earlier versions
- WebLogic Server 9.0 and earlier versions
- WebLogic Server 8.1 Service Pack 6 and earlier versions
- WebLogic Server 7.0 Service Pack 7 and earlier versions
- WebLogic Server 6.1 Service Pack 7 and earlier versions


Oracle has promised to provide a fix before its next quarterly released CPU (critical patch update) in October. Until the fix is released Oracle recommends limiting maximum URL length to 4000 bytes. Another way is to enable Apache mod_security module. More information can be read here.

Monday, July 28, 2008

Updates For RealPlayer

RealNetworks has released updated version of its RealPlayer software that fixes a few security vulnerabilities.

Vulnerable are following RealPlayer versions:
- RealPlayer 10
- RealPlayer 10.5 (builds 6.0.12.1040 - 6.0.12.1663, 6.0.12.1698,6.0.12.1741)
- RealPlayer Enterprise
- Mac RealPlayer 10 (10.0.0.305 - 352)
- Mac RealPlayer 10.1 (10.0.0.396 - 10.0.0.503)
- Linux RealPlayer 10


More information and instructions for updating can be read from RealNetworks site

Thursday, July 24, 2008

DoubleClick's Open Redirects Abused By Malware

TrendMicro writes in its blog about malware's abuse of DoubleClick's Open Redirects. The Trend Micro Advanced Threat Research has discovered a number of malicious URLs under the domain of DoubleClick, global Internet advertising company.

All found links are leading to the file msvideoc.exe which causes the affected system to connect to a remote site. Upon connection it downloads a file which Trend Micro detects as TROJ_DLOAD.DI. This file in turn downloads a file detected as TROJ_MUTANT.GC. Following list of DoubleClick links are already blocked.

- hxtp://ad.doubleclick.net/click;h=ADWAJJzSVGmEDCBbJkMiTUfmdIhuADWAJJzS;~ss cs=%3fhttp://www.{BLOCKED}ola.lv/msvideoc.exe
- hxtp://ad.doubleclick.net/click;h=aHPDZwqljHnlNScXoBJgzRzaFppDaHPDZwql;~ss cs=%3fhttp://www.{BLOCKED}ina.com/msvideoc.exe
- hxtp://ad.doubleclick.net/click;h=ahRQJQoWHYpFFYzgAFizZJdQnlgvahRQJQoW;~ss cs=%3fhttp://www.{BLOCKED}otel.eu/msvideoc.exe
- hxtp://ad.doubleclick.net/click;h=aKXFNafnFbXukmAZjmqAhawpjVYYaKXFNafn;~ss cs=%3fhttp://www.{BLOCKED}ola.lv/msvideoc.exe
- hxtp://ad.doubleclick.net/click;h=aMwjNqwdSMZFJUDKSnOUSUwsRiQLaMwjNqwd;~ss cs=%3fhttp://www.{BLOCKED}ina.com/msvideoc.exe
- hxtp://ad.doubleclick.net/click;h=AMZEPQvqcklBUaAiRxzguoHmlydDAMZEPQvq;~ss cs=%3fhttp://www.{BLOCKED}ina.com/msvideoc.exe


This kind of methods make it harder for antispam to identify the links malicious since the redirector is under a legitimate domain. Also, familiar-looking domain at the beginning of the URL makes the link look legitimate by a quick look. However, the ending of the URL shows that its far from legit.

Thursday, July 17, 2008

Vulnerabilities In Mozilla Firefox, SeaMonkey and Thunderbird

There's been found a vulnerability related to CSS object handling in Firefox and SeaMonkey web browsers. By exploiting the vulnerability an attacker could cause a crash and then take an advantage of it by running arbitrary code on the victim's computer. Vulnerability affects only to Thunderbird email software if it's JavaScript support is enabled. By default support is disabled.

Among meantioned vulnerability there was found also another vulnerability in Firefox browsers. That vulnerability is related to the way Firefox handles URIs (Uniform Resource Identifier) entered from command-line. By exploiting the vulnerability an attacker could open multiple into browser while Firefox is not running, access system information and run arbitrary code on the victim's computer.

Vulnerable versions are:
- Mozilla Firefox prior version 3.0.1
- Mozilla Firefox prior version 2.0.0.16
- Mozilla Thunderbird prior version 2.0.0.16
- Mozilla SeaMonkey prior version 1.1.11

As a resolution it's advisable to update vulnerable versions to these versions:
- Mozilla Firefox 3.0.1 and 2.0.0.16
- Mozilla Thunderbird 2.0.0.16
- Mozilla SeaMonkey 1.1.11

Update can be made using automatic update functionality or by installing the latest versions from http://www.mozilla.com and http://www.seamonkey-project.org.

Wednesday, July 16, 2008

Vulnerability In Microsoft Word Application

There's been found a vulnerability in Microsoft Word text editor application. The vulnerability could allow for remote code execution and it's reported to be used in targeted attacks. To exploit the vulnerability an attacker has to lure the user to open specifically crafted Word file.

According to Microsoft Office Word 2002 Service Pack 3 is the only version affected by the vulnerability. As a workaround, until proper fix is released, Microsoft advises to use Microsoft Office Word 2003 Viewer- or MicrosoftOffice Word 2003 Viewer SP3 -application for opening Word files.

More information on the vulnerability:
Microsoft Security Advisory
SANS Internet Storm Center