Monday, November 30, 2009

Koobface Campaign Using Christmas Theme

December is knocking on the door and Christmas is getting closer. Websense warns about a Koobface malware campaign that uses a Christmas theme to spread malware.

The Koobface Web site offers a video posted by 'SantA'. The usual ruse of requiring a codec to watch the video is used, to encourage the user to install and run a file called setup.exe (SHA1:a2046fc88ab82abec89e150b915ab4b332af924a). This file is currently detected by 16 out of 41 antivirus products according to VirusTotal.

The corresponding threat alert, with sample screenshots, can be read here.

Friday, November 27, 2009

IT Security Predictions for 2010

IBM's X-Force research team has published its top three predictions of threats for 2010:

1) Pirated software:
"Users of pirated software are afraid to download updates, thus are exposed to security risks because their software is entirely unpatched." Also, newer versions of pirated software have malware pre-installed.

2) Social networks:
"Criminal organizations are increasingly sophisticated in how they attack different social networking sites." Not all sites are attacked in the same way. Twitter is being used to spread malicious links, while LinkedIn is being used for highly targeted attacks against high-value individuals.

3) Criminals take to the cloud:
"We have already seen the emergence of “exploits as a service.” In 2010 we will see criminals take to cloud computing to increase their efficiency and effectiveness."

The eWEEK article can be read here.

Tuesday, November 24, 2009

Opera Update Released

Opera Software has released an update for its Opera web browser. Version 10.10 contains fixes for three vulnerabilities: one categorized as "extremely severe", one "highly severe" and one "moderately severe".

Extremely severe:
Passing very long strings through the string to number conversion using JavaScript in Opera may result in heap buffer overflows. This also affects the dtoa routine, and was reported in CVE-2009-0689. In most cases Opera will just freeze or terminate, but in some cases this could lead to a crash which could be used to execute code. To inject code, additional techniques will have to be employed.

Highly severe:
Scripting error messages are normally available only to the page that caused the error. In some cases, the error messages could be passed to other sites as the contents of unrelated variables, and may contain sensitive information. If those sites write the content into the page markup, this could allow cross-site scripting, using code provided by the attacking site. This issue only affects installations that have enabled stack traces for exceptions; these are disabled by default.

Details of the "moderately severe" vulnerability were not released.

Opera users are strongly recommended to update to version 10.10. The new version can be downloaded here.

Changelog of the Windows version

Monday, November 23, 2009

Vulnerability In Internet Explorer

VUPEN Security has reported a vulnerability in the Microsoft Internet Explorer web browser. The vulnerability could be exploited by an attacker to take over a vulnerable system. "This issue is caused due to a memory corruption error in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the "getElementsByTagName()" method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page", states VUPEN in their advisory.

Symantec verifies that the vulnerability affects Internet Explorer versions 6 and 7.

At the moment there is no patch available for the vulnerability. To minimize the chances of being affected by this issue, users of the affected Internet Explorer versions are recommended to disable JavaScript support in the browser until Microsoft releases a patch.

More information:
http://isc.sans.org/diary.html?storyid=7624

EDIT:
Microsoft has released Security Advisory (977981) on the issue.

Friday, November 20, 2009

Maintenance Release For PHP 5.3.x Series Available

The PHP development team has released version 5.3.1 of the 5.3.x series of the PHP scripting language. The new version fixes a large number of bugs, some of which are security related. All PHP 5.3 users are recommended to upgrade to this latest release. For users of the 5.2.x releases there is a migration guide available here.

More details about the 5.3.1 release can be read in the official release announcement.

Tuesday, November 17, 2009

Fake Mailbox Deactivation Notices Spreading

The security company Sophos warns of malware that is being spammed out in fake mailbox deactivation notices.

The contents of the email are as follows:

Subject: your mailbox has been deactivated

Body: We are contacting you in regards to an unusual activity that was identified in your mailbox. As a result, your mailbox has been deactivated. To restore your mailbox, you are required to extract and run the attached mailbox utility.

Best regards, [domain name] technical support.

The utility.zip file attached to the message contains a trojan horse that Sophos detects as Mal/EncPk-LP.

Source

Sunday, November 15, 2009

Microsoft Investigates Reported Issue In SMB Protocol

Microsoft has released a security advisory stating that it is investigating a reported DoS (Denial of Service) vulnerability in the Server Message Block (SMB) protocol. The advisory states that the reported vulnerability cannot be used to take control of the system or to install malicious software on it.

The affected operating systems are Windows 7 (32-bit and 64-bit) and Windows Server 2008 R2 (for x64-based systems and for Itanium-based systems).

More information:
Microsoft Security Advisory (977544)
The Microsoft Security Response Center (MSRC) blog

Thursday, November 12, 2009

Safari 4.0.4 Released

Apple has released version 4.0.4 of its Safari web browser. The new version fixes six vulnerabilities:

*ColorSync
CVE-ID: CVE-2009-2804
Available for: Windows 7, Vista, XP
Impact: Viewing a maliciously crafted image with an embedded color profile may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow exists in the handling of images with an embedded color profile, which may lead to a heap buffer overflow. Opening a maliciously crafted image with an embedded color profile may lead to an unexpected application termination or arbitrary code execution. The issue is addressed by performing additional validation of color profiles. This issue does not affect Mac OS X v10.6 systems. The issue has already been addressed in Security Update 2009-005 for Mac OS X 10.5.8 systems. Credit: Apple.

*libxml
CVE-ID: CVE-2009-2414, CVE-2009-2416
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Windows 7, Vista, XP
Impact: Parsing maliciously crafted XML content may lead to an unexpected application termination
Description: Multiple use-after-free issues exist in libxml2, the most serious of which may lead to an unexpected application termination. This update addresses the issues through improved memory handling. The issues have already been addressed in Mac OS X 10.6.2, and in Security Update 2009-006 for Mac OS X 10.5.8 systems.

*Safari
CVE-ID: CVE-2009-2842
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 and v10.6.2, Mac OS X Server v10.6.1 and v10.6.2, Windows 7, Vista, XP
Impact: Using shortcut menu options within a maliciously crafted website may lead to the disclosure of local information
Description: An issue exists in Safari's handling of navigations initiated via the "Open Image in New Tab", "Open Image in New Window", or "Open Link in New Tab" shortcut menu options. Using these options within a maliciously crafted website could load a local HTML file, leading to the disclosure of sensitive information. The issue is addressed by disabling the listed shortcut menu options when the target of a link is a local file.

*WebKit
CVE-ID: CVE-2009-2816
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 and v10.6.2, Mac OS X Server v10.6.1 and v10.6.2, Windows 7, Vista, XP
Impact: Visiting a maliciously crafted website may result in unexpected actions on other websites
Description: An issue exists in WebKit's implementation of Cross-Origin Resource Sharing. Before allowing a page from one origin to access a resource in another origin, WebKit sends a preflight request to the latter server for access to the resource. WebKit includes custom HTTP headers specified by the requesting page in the preflight request. This can facilitate cross-site request forgery. This issue is addressed by removing custom HTTP headers from preflight requests.
Credit: Apple.
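
The preflight rule this entry describes, modelled as an added example that is not part of the advisory or of WebKit's code; the policy object, header names and origins below are constructed for illustration:

```javascript
// Added example (not WebKit/Apple code): models the CORS preflight rule behind
// CVE-2009-2816. A correct preflight only NAMES custom headers in
// Access-Control-Request-Headers; the buggy variant (leak = true) copies the
// headers themselves into the OPTIONS request, before the server has consented.
// Headers allowed cross-origin without asking (Content-Type value rules omitted).
const SIMPLE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

// Lower-cased, sorted names of request headers that need server consent.
function customHeaderNames(headers) {
  return Object.keys(headers).map((h) => h.toLowerCase()).filter((h) => !SIMPLE_HEADERS.has(h)).sort();
}

// Client side: build the OPTIONS preflight for a cross-origin request.
function buildPreflight(req, origin, leak = false) {
  const custom = customHeaderNames(req.headers);
  const headers = { origin, 'access-control-request-method': req.method };
  if (custom.length) headers['access-control-request-headers'] = custom.join(', ');
  if (leak) { // pre-4.0.4 behaviour described in the advisory; kept only to show the bug
    for (const [name, value] of Object.entries(req.headers)) {
      if (custom.includes(name.toLowerCase())) headers[name.toLowerCase()] = value;
    }
  }
  return { method: 'OPTIONS', url: req.url, headers };
}

// Server side: answer the preflight from an allow-list (hypothetical policy object).
function answerPreflight(preflight, policy) {
  const h = preflight.headers;
  if (!policy.origins.includes(h.origin)) return null; // unknown origin: no CORS headers
  const asked = (h['access-control-request-headers'] || '').split(', ').filter(Boolean);
  return {
    'access-control-allow-origin': h.origin,
    'access-control-allow-methods': policy.methods.join(', '),
    'access-control-allow-headers': asked.filter((n) => policy.headers.includes(n)).join(', '),
  };
}

// Client side: the real request may go out only if every custom header was granted.
function mayProceed(req, response) {
  if (!response) return false;
  const granted = new Set(response['access-control-allow-headers'].split(', ').filter(Boolean));
  return customHeaderNames(req.headers).every((n) => granted.has(n));
}

// Constructed sample: a page on https://app.example calls https://api.example.
const sampleRequest = {
  method: 'POST', url: 'https://api.example/v2/items',
  headers: { 'Content-Type': 'text/plain', 'X-Api-Version': '2' },
};
const samplePolicy = { origins: ['https://app.example'], methods: ['GET', 'POST'], headers: ['x-api-version'] };
```

Compare `buildPreflight(sampleRequest, origin)` with the `leak = true` variant: only the latter sends `X-Api-Version` to the server before it has answered the preflight, which is the behaviour 4.0.4 removed.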

*WebKit
CVE-ID: CVE-2009-3384
Available for: Windows 7, Vista, XP
Impact: Accessing a maliciously crafted FTP server could result in an unexpected application termination, information disclosure, or arbitrary code execution
Description: Multiple vulnerabilities exist in WebKit's handling of FTP directory listings. Accessing a maliciously crafted FTP server may lead to information disclosure, unexpected application termination, or execution of arbitrary code. This update addresses the issues through improved parsing of FTP directory listings. These issues do not affect Safari on Mac OS X systems. Credit to Michal Zalewski of Google Inc. for reporting these issues.

*WebKit
CVE-ID: CVE-2009-2841
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 and v10.6.2, Mac OS X Server v10.6.1 and v10.6.2
Impact: Mail may load remote audio and video content when remote image loading is disabled
Description: When WebKit encounters an HTML 5 Media Element pointing to an external resource, it does not issue a resource load callback to determine if the resource should be loaded. This may result in undesired requests to remote servers. As an example, the sender of an HTML-formatted email message could use this to determine that the message was read. This issue is addressed by generating resource load callbacks when WebKit encounters an HTML 5 Media Element. This issue does not affect Safari on Windows systems.

The new version can be downloaded here.

Tuesday, November 10, 2009

November 2009 Updates From Microsoft

Microsoft has released its monthly security update package. The November 2009 update contains six bulletins, of which three are rated critical and three important.

Critical updates:
MS09-063: Vulnerability in Web Services on Devices API Could Allow Remote Code Execution (973565)
MS09-064: Vulnerability in License Logging Server Could Allow Remote Code Execution (974783)
MS09-065: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947)

Important updates:
MS09-066: Vulnerability in Active Directory Could Allow Denial of Service (973309)
MS09-067: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (972652)
MS09-068: Vulnerability in Microsoft Office Word Could Allow Remote Code Execution (976307)

A new version of the Microsoft Windows Malicious Software Removal Tool was also released.

More information about the update package and its contents can be read here.

For consumers, the easiest way to get the updates is to use the Microsoft Update service.

Monday, November 9, 2009

Google Reader Abused By Koobface

Jonell Baltazar, Advanced Threats Researcher at Trend Micro, writes on the company's blog that the gang behind Koobface is using Google's Google Reader service to spread malicious links on social networking sites such as Facebook, MySpace, and Twitter.

"The Koobface gang used controlled Google Reader accounts to host URLs containing an image that resembles a flash movie. These URLs are spammed through the said social networks. When the user clicks the image or the title of the shared content, it leads to the all too familiar fake YouTube page that hosts the Koobface downloader component", Baltazar writes.

The whole blog post can be read here.

Wednesday, November 4, 2009

Adobe Shockwave Player Updated

A new version of Adobe Shockwave Player has been released. Version 11.5.2.602 fixes critical vulnerabilities which could allow an attacker who successfully exploits them to run malicious code on the affected system.

Adobe recommends that Shockwave Player users on Windows uninstall Shockwave version 11.5.1.601 and earlier from their systems, restart, and install Shockwave version 11.5.2.602.

More information:
Adobe's security bulletin

New Java Update Released

Sun has released an update for the Java SE Runtime Environment (JRE) 6. The JRE allows end users to run Java applications. The latest update can be downloaded from Sun's Java SE Downloads site.

More information about the contents of the update can be read in the Release Notes of Java SE 6 Update 17.

Java users are recommended to update to the latest version available.

Monday, November 2, 2009

In-depth Analysis of Bredolab

David Sancho, Senior Threat Researcher at Trend Micro, has written an interesting in-depth analysis of the Bredolab malware and its connections to the FakeAV and Zeus/Zbot malware families. The report "You Scratch My Back…BREDOLAB’s Sudden Rise in Prominence" can be downloaded here.