Wednesday, November 26, 2008

Google's Orkut Being Used To Spread Trojans

Security company Websense warns in an alert about spam disguised as official email from Orkut, the Google-owned social network.

A spoofed personal message in Portuguese, supposedly from an Orkut user looking for love, contains several links that appear to lead to the official Orkut web site. "Clicking on a link actually leads to a malicious executable file, which is a Trojan Downloader named 'imagem.exe'," the Websense alert says. "The malicious file opens the legitimate Orkut network login page, and in the background downloads a password stealing Trojan named 'msn.exe'."

Websense says that the trojans used in this attack are hosted on a compromised labor union web site in southern Brazil.
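The lure works because the visible link text and the real link target disagree, and the target is an executable. The Python script below is added here as an example; it is not part of Websense's alert or of the original post. It pulls every anchor out of a message body and flags links whose visible text names one domain while the href goes to another, or whose target path ends in an executable extension. The message HTML and the host compromised.example are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of a lure message: the visible text claims orkut.com,
# the href points elsewhere and to an executable. Hosts are invented.
SAMPLE_MESSAGE = """
<p>Oi! Vi seu perfil no Orkut e queria te conhecer melhor :)</p>
<p>Veja minha foto: <a href="http://compromised.example/fotos/imagem.exe">www.orkut.com/Profile.aspx?uid=12345</a></p>
<p><a href="http://www.orkut.com/Home.aspx">www.orkut.com/Home.aspx</a></p>
<p><a href="http://www.orkut.com/Login.aspx">Entrar no Orkut</a></p>
"""

EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")
# Visible text that looks like a URL or a bare hostname.
_URLISH = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class AnchorCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_host):
    """Hostname of a URL; bare hostnames get a scheme so urlparse sees them."""
    if "://" not in url_or_host:
        url_or_host = "http://" + url_or_host
    return (urlparse(url_or_host).hostname or "").lower()


def registrable(host):
    """Crude registrable domain: the last two labels (good enough for .com)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def suspicious_links(html):
    """Return [(href, text, [reasons])] for anchors that look like lures."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        reasons = []
        target_host = host_of(href)
        if urlparse(href).path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("target path is an executable")
        if _URLISH.match(text):
            shown_host = host_of(text)
            if shown_host and registrable(shown_host) != registrable(target_host):
                reasons.append(f"text shows {shown_host} but href goes to {target_host}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_MESSAGE):
        print(f"{href!r} shown as {text!r}: {'; '.join(reasons)}")
```

Only the first link is reported, with both reasons; the two links whose text and target agree pass. The registrable-domain check is deliberately crude (last two labels), so country-code second-level domains such as .com.br would need a public-suffix list in real use.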

Amount Of Spam Rising Again

The amount of spam dropped to about one third of normal for a couple of weeks after the criminal operators' upstream connections were cut. Restarting the botnets has been under way since Monday and spam volumes are rising rapidly again. They would be even higher, but the worst botnet is still offline.

The American hosting provider McColo hosted many of the command-and-control servers of the world's biggest botnets. According to security companies, the shutdown of McColo took at least the Srizbi, Asprox and Rustock botnets offline.

Over the past couple of weeks the criminals have moved some of their control operations elsewhere, for example to Russia. They even obtained a backup connection by tricking the internet service provider TeliaSonera into providing connectivity, which they used to transfer data to a new host in Russia. Last Sunday spam volumes fell to a minimum, but a rapid increase began on Monday. According to the security company MessageLabs (now part of Symantec), the increase is due to the Asprox and Rustock botnets coming back online. The Cutwail and Mega-D botnets have also increased their output.

Although spam volume is increasing, it is still under half of the peak of a few weeks ago. Security companies attribute this to the worst botnet, Srizbi, still being offline. MessageLabs says that as much as half of the world's spam is sent through Srizbi. Security researchers have estimated that Srizbi consists of more than 300,000 internet-connected PCs.

Sunday, November 23, 2008

Microsoft's Removal Tool Cleans Fake Security Software

Microsoft added fake security software, which has plagued Windows users all over the world, to the targets of its November Malicious Software Removal Tool (MSRT). The tool appears to be doing its job. Last Wednesday Microsoft released some results on its Malware Protection Center blog: nearly a million PCs were cleaned of fake security software (detected by MSRT as W32/FakeSecSen) between November 11 and November 19.

This is one of the biggest clean-up jobs Microsoft has ever done. In June 2008 MSRT sniffed out 1.2 million PCs infected with a family of password stealers, and in February it scrubbed the Vundo Trojan from about a million machines. Over several months at the end of last year MSRT hit the then-notorious Storm Trojan hard, cleaning it from half a million PCs.


Source

Tuesday, November 18, 2008

Vulnerable Adobe AIR

A vulnerability has been found in Adobe AIR that could allow an attacker who successfully exploits it to execute untrusted JavaScript with elevated privileges. An AIR application must load data from an untrusted source to trigger the vulnerability.

As a resolution Adobe recommends that users of AIR versions below 1.5 update to version 1.5. AIR 1.5 includes a Flash Player update that resolves the critical issues outlined in Flash Player Security Bulletin APSB08-22, as well as the issues covered in Flash Player Security Bulletins APSB08-20 and APSB08-18.


Source

Friday, November 14, 2008

Version 3.2 of Safari Web Browser Fixes Several Vulnerabilities

Apple has fixed a total of 11 vulnerabilities in its Safari web browser. All of them affect Safari for Windows; four also affect Safari for Mac OS X (CVE-2008-3644, CVE-2008-2303, CVE-2008-2317 and CVE-2008-4216).

The update contains fixes to bundled libraries and components (zlib, libxslt, libTIFF and ImageIO) as well as to CoreGraphics, WebCore and WebKit. Several of the patched vulnerabilities can be exploited by luring a user to a specially crafted web site.

The following Safari versions are vulnerable:
- Safari for Mac OS X v10.4.11 prior to version 3.2
- Safari for Mac OS X v10.5.5 prior to version 3.2
- Safari for Windows XP prior to version 3.2
- Safari for Windows Vista prior to version 3.2

Users of a vulnerable Safari can obtain version 3.2 either through the Apple Software Update application or from http://www.apple.com/safari/download

More information on the vulnerabilities:

Security content of Safari 3.2
CVE-2005-2096
CVE-2008-1767
CVE-2008-2303
CVE-2008-2317
CVE-2008-2327
CVE-2008-2332
CVE-2008-3608
CVE-2008-3623
CVE-2008-3642
CVE-2008-3644
CVE-2008-4216

Thursday, November 13, 2008

Vulnerabilities In Mozilla Firefox, SeaMonkey and Thunderbird

Several vulnerabilities have been found in Mozilla products. The Firefox 2 update fixes a total of eleven vulnerabilities. The new Firefox 3 and SeaMonkey versions fix ten vulnerabilities, five of which are critical. Six vulnerabilities were found in Thunderbird, some of them critical.

The vulnerabilities allow escalation of privileges and disclosure of sensitive information, and let a remote attacker cause a denial of service (crash) and possibly execute arbitrary code on the target system.

Mozilla recommends disabling JavaScript until the updates have been installed. The recommendation concerns especially the Thunderbird email client, for which no update is available yet. In Thunderbird, JavaScript is disabled by default.

Vulnerable software:
- Mozilla Firefox prior to version 2.0.0.18
- Mozilla Firefox prior to version 3.0.4
- Mozilla Thunderbird prior to version 2.0.0.18
- Mozilla SeaMonkey prior to version 1.1.13

Solution:
Users are instructed to update to the following versions:
- Mozilla Firefox 2.0.0.18
- Mozilla Firefox 3.0.4
- Mozilla Thunderbird 2.0.0.18 (not yet released)
- Mozilla SeaMonkey 1.1.13

Updates can be installed with the automatic update function of the corresponding product or by installing the new versions from http://www.mozilla.com/ and http://www.seamonkey-project.org/.

More information on vulnerabilities:
- http://www.mozilla.org/security/announce/2008/mfsa2008-47.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-48.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-49.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-50.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-51.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-52.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-53.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-54.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-55.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-56.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-57.html
- http://www.mozilla.org/security/announce/2008/mfsa2008-58.html
- CVE-2008-0017
- CVE-2008-4582
- CVE-2008-5012
- CVE-2008-5013
- CVE-2008-5014
- CVE-2008-5015
- CVE-2008-5016
- CVE-2008-5017
- CVE-2008-5018
- CVE-2008-5019
- CVE-2008-5021
- CVE-2008-5022
- CVE-2008-5023
- CVE-2008-5024

Tuesday, November 11, 2008

Security Update For November 2008 From Microsoft

Microsoft released its monthly security update package today. This month's package contains two updates, one critical and one important.

The critical update fixes several vulnerabilities in Microsoft XML Core Services. The most severe of them could allow remote code execution if a user viewed a specially crafted web page with Internet Explorer. Users whose accounts are configured with fewer user rights on the system are less affected than users who operate with administrative rights.

The important update fixes a vulnerability in Microsoft Server Message Block (SMB). The vulnerability could allow remote code execution on affected systems. Again, users whose accounts are configured with fewer user rights are less affected than users who operate with administrative rights.

A new version of the Microsoft Windows Malicious Software Removal Tool was released as well.

More information about the updates can be read here.

The easiest way to get the updates is Microsoft's automatic update service.

Monday, November 10, 2008

Vulnerabilities In VLC Media Player

Two vulnerabilities have been found in VLC media player. When parsing the header of an invalid CUE image file or an invalid RealText subtitle file, a stack-based buffer overflow can occur. This might allow an attacker to execute arbitrary code in the context of VLC media player. To exploit the vulnerabilities, the victim must be made to open a specially crafted CUE image file or RealText subtitle file.

The vulnerabilities affect VLC media player versions 0.5.0 through 0.9.5. Users of these versions are advised to update to 0.9.6.

VideoLAN's security advisory provides more information on the issue.

Saturday, November 8, 2008

Two Vulnerabilities In VMware Software

Two vulnerabilities that enable privilege escalation have been found in VMware software. The first is in the way VMware emulates CPU hardware in a virtual machine (CVE-2008-4915). The second is in the way the VirtualCenter software handles directories (CVE-2008-4281).

Summary of affected versions:
- VMware Workstation 6.0.5 and earlier versions
- VMware Workstation 5.5.8 and earlier versions
- VMware Player 2.0.5 and earlier versions
- VMware Player 1.0.8 and earlier versions
- VMware ACE 2.0.5 and earlier versions
- VMware ACE 1.0.7 and earlier versions
- VMware Server 1.0.7 and earlier versions
- VMware ESXi 3.5 lacking update ESXe350-200810401-O-UG
- VMware ESX 3.5 lacking update ESX350-200810201-UG
- VMware ESX 3.0.3 lacking update ESX303-200810501-BG
- VMware ESX 3.0.2 lacking update ESX-1006680
- VMware ESX 2.5.5 lacking 'upgrade patch 10'
- VMware ESX 2.5.4 lacking 'upgrade patch 21'

To fix the issues, users of affected versions are instructed to update their products according to VMware's instructions.

Friday, November 7, 2008

Adobe Patches Vulnerabilities In Flash Player

Adobe has released an updated version of its Flash Player that fixes six vulnerabilities:

This update includes a change to the way Flash Player interprets HTTP response headers to prevent a potential cross-site scripting attack. (CVE-2008-4818)

This update introduces a change to mitigate a potential issue that could aid an attacker in executing a DNS rebinding attack. (CVE-2008-4819)

This update introduces stricter interpretation of an ActionScript attribute to prevent a potential HTML injection issue. (CVE-2008-4823)

This update prevents an issue with policy file interpretation that could potentially lead to bypass of a non-root domain policy. (CVE-2008-4822)

This update prevents an issue with the Flash Player interpretation of jar: protocol on Mozilla browsers that could potentially lead to information disclosure. (CVE-2008-4821)

This update prevents a potential Windows-only information disclosure issue in the Flash Player ActiveX control. (CVE-2008-4820)


Affected are Flash Player 9.0.124.0 and earlier. Users of a vulnerable version should update to Flash Player 10.0.12.36. Those who can't move to Flash Player 10 can update to version 9.0.151.0 instead. Both 10.0.12.36 and 9.0.151.0 also contain fixes for the issues reported in Security Advisory APSB08-18.
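Every advisory on this page states its fix as a version boundary, and Flash is the case that trips up naive string comparison: 9.0.124.0 must sort below 9.0.151.0, and two branches (9.0.151.0 and 10.0.12.36) are both fixed. The Python helper below is added here as an example and is not taken from any vendor's tooling. It parses dotted versions numerically and decides, per major-version branch, whether an installed build is at or past the fixed build; the fixed versions in the table are the ones the Safari, Mozilla, VLC and Flash Player entries above give, while the installed versions are made up for the example.

```python
from typing import Dict, Iterable, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'9.0.124.0' -> (9, 0, 124, 0); non-numeric parts are rejected."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def _padded(a: Version, b: Version) -> Tuple[Version, Version]:
    """Pad with zeros so 3.2 and 3.2.0 compare equal and 3.1.2 < 3.2."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def compare(a: str, b: str) -> int:
    """-1, 0 or 1 as a is older than, equal to or newer than b."""
    va, vb = _padded(parse_version(a), parse_version(b))
    return (va > vb) - (va < vb)


def patch_status(installed: str, fixed_versions: Iterable[str]) -> str:
    """Decide 'fixed' or 'vulnerable' given the fixed build of each branch.

    A branch is identified by its major version, which matches how the
    advisories above list fixes (Flash 9.0.151.0 and 10.0.12.36, Firefox
    2.0.0.18 and 3.0.4).
    """
    inst = parse_version(installed)
    fixed = sorted(parse_version(f) for f in fixed_versions)
    if not fixed:
        raise ValueError("no fixed versions given")
    same_branch = [f for f in fixed if f[0] == inst[0]]
    if same_branch:
        # The highest fixed build in the installed branch is the bar to clear.
        a, b = _padded(inst, same_branch[-1])
        return "fixed" if a >= b else "vulnerable"
    # No fix listed for this branch: a newer major than every fixed build is
    # assumed unaffected; an older one has no fix and must change branches.
    a, b = _padded(inst, fixed[-1])
    return "fixed" if a > b else "vulnerable"


# Fixed versions as given by the advisories on this page.
FIXED: Dict[str, List[str]] = {
    "Safari": ["3.2"],
    "Firefox": ["2.0.0.18", "3.0.4"],
    "SeaMonkey": ["1.1.13"],
    "VLC": ["0.9.6"],
    "Flash Player": ["9.0.151.0", "10.0.12.36"],
}

# Installed versions are constructed for the example.
INSTALLED: Dict[str, str] = {
    "Safari": "3.1.2",
    "Firefox": "3.0.3",
    "SeaMonkey": "1.1.13",
    "VLC": "0.9.5",
    "Flash Player": "9.0.124.0",
}


def audit(installed: Dict[str, str], fixed: Dict[str, List[str]] = FIXED) -> Dict[str, str]:
    """Map each product to its patch status."""
    return {name: patch_status(ver, fixed[name]) for name, ver in installed.items()}


if __name__ == "__main__":
    for product, status in audit(INSTALLED).items():
        print(f"{product:13} {INSTALLED[product]:>10}  {status}")
```

The checker treats everything below the fixed build of its branch as vulnerable; it does not model a lower bound such as VLC's 0.5.0, so a build older than the affected range would be reported as vulnerable rather than unaffected.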

More information and instructions for updating can be read here.

More Vulnerabilities In Adobe Acrobat And Reader

On Wednesday I blogged about a vulnerability (CVE-2008-2992) in Adobe Acrobat and Reader 8.1.2. In addition, seven other vulnerabilities have been found that version 8.1.3 fixes (version 9.x users aren't affected).

CVE-2008-2549: Adobe Acrobat Reader 8.1.2 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a malformed PDF document.

CVE-2008-4812: Array index error in Adobe Reader and Acrobat, and the Explorer extension (aka AcroRd32Info), 8.1.2, 8.1.1, and earlier allows remote attackers to execute arbitrary code via a crafted PDF document that triggers an out-of-bounds write, related to parsing of Type 1 fonts.

CVE-2008-4813: Adobe Reader and Acrobat 8.1.2 and earlier allow remote attackers to execute arbitrary code via a crafted PDF document that (1) performs unspecified actions on a Collab object that trigger memory corruption, related to a GetCosObj method; or (2) contains a malformed PDF object that triggers memory corruption during parsing.

CVE-2008-4814: Unspecified vulnerability in a JavaScript method in Adobe Reader and Acrobat 8.1.2 and earlier allows remote attackers to execute arbitrary code via unknown vectors, related to an "input validation issue."

CVE-2008-4815: Untrusted search path vulnerability in Adobe Reader and Acrobat 8.1.2 and earlier on Unix and Linux allows attackers to gain privileges via a Trojan Horse program in an unspecified directory that is associated with an insecure RPATH.

CVE-2008-4816: Unspecified vulnerability in the Download Manager in Adobe Reader 8.1.2 and earlier on Windows allows remote attackers to change Internet Security options on a client machine via unknown vectors.

CVE-2008-4817: The Download Manager in Adobe Acrobat Professional and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a crafted PDF document that calls an AcroJS function with a long string argument, triggering heap corruption.

Users of vulnerable versions are advised to update by following Adobe's instructions.

More information:
- CVE-2008-2549
- CVE-2008-4812
- CVE-2008-4813
- CVE-2008-4814
- CVE-2008-4815
- CVE-2008-4816
- CVE-2008-4817

Wednesday, November 5, 2008

Vulnerability In Adobe Acrobat And Reader Causes Buffer Overflow

A vulnerability has been found in Adobe Acrobat and Reader. By making a user open a specially crafted PDF file, an attacker can trigger a buffer overflow through a flaw in the util.printf() JavaScript function.

Affected software:
Adobe Acrobat 8.1.2 and Reader 8.1.2 are vulnerable. Users of either are advised to upgrade to version 9. If moving to version 9 isn't possible, users should upgrade to version 8.1.3.

Solution:
Update the software according to Adobe's instructions, either by downloading it from Adobe's web site or by using the automatic update tool. The issue can also be worked around by disabling JavaScript in Adobe Reader and Acrobat (Edit > Preferences). Disabling JavaScript also prevents many basic Acrobat and Reader workflows from functioning properly, so updating is the recommended way to solve the issue.
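A printf-style helper that takes a caller-controlled format and expands it into a fixed-size native buffer overflows as soon as the width or precision field exceeds that buffer, which is the bug class behind a util.printf() overflow. The Python code below is added here to illustrate the validation such a formatting layer needs; it is not Adobe's implementation, and the accepted grammar, the width and precision caps, and the buffer size they stand in for are assumptions. Every conversion is checked before any formatting happens, so an oversized width is refused instead of reaching the formatter.

```python
import re

# Conversions the toy helper accepts (assumption: %d %f %s %x %X and %%).
_SPEC = re.compile(
    r"%(?P<flags>[-+ 0#]*)(?P<width>\d*)(?:\.(?P<prec>\d*))?(?P<conv>[dfsxX%])"
)
# Caps standing in for the fixed native buffer the real helper formats into.
MAX_WIDTH = 64
MAX_PRECISION = 32


def validate_format(fmt: str) -> list:
    """Return the conversion characters in fmt, or raise ValueError.

    Rejects unknown conversions (including %n), oversized width or
    precision, and a lone '%' with nothing after it.
    """
    convs = []
    i = 0
    while True:
        i = fmt.find("%", i)
        if i < 0:
            return convs
        m = _SPEC.match(fmt, i)
        if m is None:
            raise ValueError(f"unsupported conversion at offset {i}: {fmt[i:i + 8]!r}")
        width = int(m.group("width") or 0)
        prec = int(m.group("prec") or 0)
        if width > MAX_WIDTH:
            raise ValueError(f"width {width} exceeds {MAX_WIDTH}")
        if prec > MAX_PRECISION:
            raise ValueError(f"precision {prec} exceeds {MAX_PRECISION}")
        if m.group("conv") != "%":
            convs.append(m.group("conv"))
        i = m.end()


_CASTS = {"d": int, "x": int, "X": int, "f": float, "s": str}


def safe_printf(fmt: str, *args) -> str:
    """Format args with fmt only after the format has passed validation."""
    convs = validate_format(fmt)
    if len(convs) != len(args):
        raise ValueError(f"format wants {len(convs)} arguments, got {len(args)}")
    # Coerce each argument to the type its conversion expects; a value that
    # cannot be coerced raises ValueError instead of reaching the formatter.
    values = tuple(_CASTS[c](a) for c, a in zip(convs, args))
    return fmt % values


if __name__ == "__main__":
    print(safe_printf("%5d|%-4s|%.2f|%#x", 42, "ab", 3.14159, 255))
    for bad in ("%45000f", "%.5000f", "%n", "%d %d"):
        try:
            safe_printf(bad, 1.0)
        except ValueError as e:
            print(f"rejected {bad!r}: {e}")
```

The point of the wrapper is the order of operations: the format is parsed and bounded first, and only then handed to the underlying formatter with arguments of the expected types, so no width the caller chooses can decide how much memory the formatter writes.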

More information on the issue:
CoreLabs advisory
Secunia advisory
CVE-2008-2992

Monday, November 3, 2008

Over 300,000 Bank Accounts Compromised By Sinowal

Security company RSA writes in its blog about the Sinowal Trojan (aka Torpig and Mebroot), which may be the worst and most advanced crimeware ever created by fraudsters. Since its appearance in early February 2006, Sinowal has compromised and stolen login credentials for approximately 300,000 online bank accounts as well as a similar number of credit and debit cards. Other information, such as email and FTP accounts for numerous web sites, has also been stolen. In the past six months alone the Trojan has stolen login credentials and information for over 100,000 online bank accounts.

The origin of Sinowal has been the subject of much speculation. Some say it has been operated and hosted by a Russian online gang with past ties to the Russian Business Network (RBN). "Our data confirms the Sinowal Trojan has had strong ties to the RBN in the past, but our research indicates that the current hosting facilities of Sinowal may have changed and are no longer connected to the RBN," RSA writes in the blog. It is certainly interesting that the Trojan has stolen banking account information all over the world, but Russian accounts have been left alone.