Tuesday, December 29, 2009

The Five Essential Security Patches of 2009

To find the most essential security patches of 2009, Computerworld polled a panel of patch and vulnerability experts for the five security fixes everyone should deploy from the last 12 months.

The five essential patches are:
- Microsoft's ATL fixes, July and later (MS09-035)
- Latest Adobe Reader patch (here; at the moment the one from October, but Adobe has promised a new patch in the middle of January)
- Microsoft .NET Framework, October (MS09-061)
- SMBv2, October (MS09-050)
- Conficker patch (MS08-067) from last year, still essential to have installed

Read the whole article here.

Thursday, December 24, 2009

New Winamp Version Released

Nullsoft has released version 5.571 of its popular media player, Winamp. The new version contains new features such as full support for Windows 7. More importantly, it also fixes security vulnerabilities: by exploiting these vulnerabilities in 5.56 and older versions, an attacker may be able to compromise the vulnerable system. The complete version history can be viewed here.

Monday, December 21, 2009

"Real World" 0Day Malware Blocking Test Published

AV-Test GmbH has published a report on its test of how well 12 major security suites protected Internet-connected physical computers against up-to-the-minute threats. The three best-scoring products were Norton Internet Security 2010, Kaspersky Internet Security 2010 and PC Tools Internet Security 2010. More test results can be read here.

Friday, December 18, 2009

Comeback of mp3 Spam

Spammers have decided to dig out of mothballs a trick they used over two years ago. Instead of easily detectable subjects and message contents, just a small mp3 file is attached to the spam message. The mp3 file, a few seconds long, contains a voice promoting Viagra pills and advertising a site address that leads to the infamous Canadian Pharmacy sites.

Some related posts in security vendors' blogs:
http://www.symantec.com/connect/blogs/recycled-mp3-spam-cheap-pills
http://blog.trendmicro.com/mp3-spam-is-back/
http://www.viruslist.com/en/weblog?weblogid=208187948

Wednesday, December 16, 2009

Firefox Updates Available

Mozilla has released new updates for Firefox 3.5.x and the older 3.0.x versions. Version 3.5.6 fixes seven vulnerabilities, of which three are categorized as critical, one as high, two as moderate and one as low. Update 3.0.16, meant for the older 3.0.x series, fixes five vulnerabilities, of which one is categorized as critical, one as high, two as moderate and one as low.

The update can be obtained with Firefox's built-in updater or by downloading it manually.

Download links and related extra information:
Release notes for 3.5.6 version
Release notes for 3.0.16 version

Mozilla recommends that 3.0.x series users switch to the 3.5.x series. Security and stability updates for 3.0.x versions will be released until January 2010.

Tuesday, December 15, 2009

Vulnerability Affecting Adobe Reader And Acrobat

Adobe is currently investigating a vulnerability (CVE-2009-4324) in Adobe Reader and Acrobat 9.2 and earlier versions that is being exploited in the wild. At the time of writing there is no patch available yet. Adobe has promised to update its blog as soon as new information is available. While the fix is being worked on, the issue can be mitigated by disabling JavaScript support in the vulnerable version.

Saturday, December 12, 2009

Fake Microsoft Support Endorsement Used For Selling Rogues

Security company Sunbelt Software describes in its blog post how the new DefenceLab rogue security program uses social engineering, tricking infected users into believing that Microsoft recommends it.

It redirects infected systems to the Microsoft Support portal. Instead of showing the real content, it injects HTML code into the page, making it look like Microsoft is recommending the purchase of the full version of the rogue. Users visiting the Windows Support link referenced by DefenceLab from a clean system get a 404 'page not found' message.

Wednesday, December 9, 2009

Updates For Adobe Flash Player And Adobe AIR

Vulnerabilities categorized as critical have been found in Adobe Flash Player 10.0.32.18 and earlier. The vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe recommends that users of Adobe Flash Player 10.0.32.18 and earlier versions update to Adobe Flash Player 10.0.42.34. Users of Adobe AIR 1.5.2 and earlier versions are recommended to update to Adobe AIR 1.5.3.

More information is available in Adobe's security advisory.

The latest Adobe Flash Player version can be downloaded here and Adobe AIR here.

Tuesday, December 8, 2009

December 2009 Updates From Microsoft

Microsoft has released its December updates. This time there are six updates, of which three are critical and three important.

Critical:
MS09-071: Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution (974318)
MS09-074: Vulnerability in Microsoft Office Project Could Allow Remote Code Execution (967183)
MS09-072: Cumulative Security Update for Internet Explorer (976325)

Important:
MS09-069: Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (974392)
MS09-070: Vulnerabilities in Active Directory Federation Services Could Allow Remote Code Execution (971726)
MS09-073: Vulnerability in WordPad and Office Text Converters Could Allow Remote Code Execution (975539)


A new version of the Microsoft Windows Malicious Software Removal Tool was released too.

More information on the update and its contents can be read here.

For consumers, the easiest way to get the updates is to use the Microsoft Update service.

Friday, December 4, 2009

2009 Q4 Security Threat Summary From F-Secure

F-Secure has released its final threat summary report for 2009. The topics of this latest report are:
- Conficker
- Windows 7
- Social Networking
- SEO Attacks and Rogue Scareware
- iPhone Worms
- Cloud Security

The Data Security Wrap-up 2009 video can be viewed here. The written version of the report is here.

Tuesday, December 1, 2009

Ransomware Locks Internet Access

Zarestel Ferrer, Senior Research Engineer at CA Internet Security, writes in the company's blog about a nasty pest that takes internet access hostage.

CA detects the pest as Win32/RansomSMS.AH. It arrives bundled with software named uFast Software Manager and gets installed without the end user's permission. Once installed, it blocks internet access, and the only way to unlock it is to send an SMS message to a given number to get an activation code. CA has released an activation code generator that can be used to generate a working code and unlock the access.

Screenshots and other information about the pest can be viewed here.

Monday, November 30, 2009

Koobface Campaign Using Christmas Theme

December is knocking on the door and Christmas is getting closer. Websense warns about a Koobface malware campaign that uses a Christmas theme to spread its payload.

The Koobface web site offers a video posted by 'SantA'. The usual ruse of requiring a codec to watch the video is used to encourage the user to install and run a file called setup.exe (SHA1: a2046fc88ab82abec89e150b915ab4b332af924a). This file is currently detected by 16 of 41 antivirus products according to VirusTotal.

The corresponding threat alert with sample screenshots can be read here.

Friday, November 27, 2009

IT Security Predictions for 2010

IBM's X-Force research team has published its top 3 predictions of threats for 2010:

1) Pirated software:
"Users of pirated software are afraid to download updates, thus are exposed to security risks because their software is entirely unpatched." Also, newer versions of pirated software have malware pre-installed.

2) Social networks:
"Criminal organizations are increasingly sophisticated in how they attack different social networking sites." Not all sites are attacked in the same way. Twitter is used to spread malicious links, while LinkedIn is used for highly targeted attacks against high-value individuals.

3) Criminals take to the cloud:
"We have already seen the emergence of “exploits as a service.” In 2010 we will see criminals take to cloud computing to increase their efficiency and effectiveness."

The eWEEK article can be read here.

Tuesday, November 24, 2009

Opera Update Released

Opera Software has released an update for its Opera web browser. Version 10.10 fixes three vulnerabilities, one categorized as "extremely severe", one as "highly severe" and one as "moderately severe".

Extremely severe:
Passing very long strings through the string to number conversion using JavaScript in Opera may result in heap buffer overflows. This also affects the dtoa routine, and was reported in CVE-2009-0689. In most cases Opera will just freeze or terminate, but in some cases this could lead to a crash which could be used to execute code. To inject code, additional techniques will have to be employed.

Highly severe:
Scripting error messages are normally available only to the page that caused the error. In some cases, the error messages could be passed to other sites as the contents of unrelated variables, and may contain sensitive information. If those sites write the content into the page markup, this could allow cross-site scripting, using code provided by the attacking site. This issue only affects installations that have enabled stacktraces for exceptions, these are disabled by default.

Details of the "moderately severe" vulnerability were not released.

Opera users are strongly recommended to update to version 10.10. The new version can be downloaded here.

Changelog of the Windows version

Monday, November 23, 2009

Vulnerability In Internet Explorer

VUPEN Security has reported a vulnerability in the Microsoft Internet Explorer web browser. The vulnerability could be exploited by an attacker to take over a vulnerable system. "This issue is caused due to a memory corruption error in the Microsoft HTML Viewer (mshtml.dll) when retrieving certain CSS/STYLE objects via the "getElementsByTagName()" method, which could allow attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a malicious web page", states VUPEN in its advisory.

Symantec confirms that the vulnerability affects Internet Explorer versions 6 and 7.

At the moment there is no patch available for the vulnerability. To minimize the chances of being affected by this issue, users of the affected Internet Explorer versions are recommended to disable JavaScript support in the browser until Microsoft releases a patch.

More information:
http://isc.sans.org/diary.html?storyid=7624

EDIT:
Microsoft has released Security Advisory 977981 on the issue.

Friday, November 20, 2009

Maintenance Release For PHP 5.3.x Series Available

The PHP development team has released version 5.3.1 of the PHP 5.3.x series. The new version fixes a large number of bugs, some of which are security related. All PHP 5.3 users are recommended to upgrade to this latest release. For 5.2.x users there is a migration guide available here.

More details about 5.3.1 release can be read from the official release announcement.

Tuesday, November 17, 2009

Fake Mailbox Deactivation Notices Spreading

Security company Sophos warns of malware that is being spammed in fake mailbox deactivation notices.

The contents of the email are as follows:

Subject: your mailbox has been deactivated

Body: We are contacting you in regards to an unusual activity that was identified in your mailbox. As a result, your mailbox has been deactivated. To restore your mailbox, you are required to extract and run the attached mailbox utility.

Best regards, [domain name] technical support.


The utility.zip file attached to the message contains a trojan horse that Sophos detects as Mal/EncPk-LP.

Source

Sunday, November 15, 2009

Microsoft Investigates Reported Issue In SMB Protocol

Microsoft has released a security advisory saying that it is investigating a reported DoS (Denial of Service) vulnerability in the Server Message Block (SMB) protocol. The advisory states that the reported vulnerability cannot be used to take control of the system or install malicious software on it.

The affected operating systems are Windows 7 (32-bit & 64-bit) and Windows Server 2008 R2 (for x64-based systems and for Itanium-based systems).

More information:
Microsoft Security Advisory (977544)
The Microsoft Security Response Center (MSRC) blog

Thursday, November 12, 2009

Safari 4.0.4 Released

Apple has released version 4.0.4 of its Safari web browser. The new version fixes six vulnerabilities:


*ColorSync
CVE-ID: CVE-2009-2804
Available for: Windows 7, Vista, XP
Impact: Viewing a maliciously crafted image with an embedded color profile may lead to an unexpected application termination or arbitrary code execution
Description: An integer overflow exists in the handling of images with an embedded color profile, which may lead to a heap buffer overflow. Opening a maliciously crafted image with an embedded color profile may lead to an unexpected application termination or arbitrary code execution. The issue is addressed by performing additional validation of color profiles. This issue does not affect Mac OS X v10.6 systems. The issue has already been addressed in Security Update 2009-005 for Mac OS X 10.5.8 systems. Credit: Apple.

*libxml
CVE-ID: CVE-2009-2414, CVE-2009-2416
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Windows 7, Vista, XP
Impact: Parsing maliciously crafted XML content may lead to an unexpected application termination
Description: Multiple use-after-free issues exist in libxml2, the most serious of which may lead to an unexpected application termination. This update addresses the issues through improved memory handling. The issues have already been addressed in Mac OS X 10.6.2, and in Security Update 2009-006 for Mac OS X 10.5.8 systems.

*Safari
CVE-ID: CVE-2009-2842
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 and v10.6.2, Mac OS X Server v10.6.1 and v10.6.2, Windows 7, Vista, XP
Impact: Using shortcut menu options within a maliciously crafted website may lead to the disclosure of local information
Description: An issue exists in Safari's handling of navigations initiated via the "Open Image in New Tab", "Open Image in New Window", or "Open Link in New Tab" shortcut menu options. Using these options within a maliciously crafted website could load a local HTML file, leading to the disclosure of sensitive information. The issue is addressed by disabling the listed shortcut menu options when the target of a link is a local file.

*WebKit
CVE-ID: CVE-2009-2816
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 and v10.6.2, Mac OS X Server v10.6.1 and v10.6.2, Windows 7, Vista, XP
Impact: Visiting a maliciously crafted website may result in unexpected actions on other websites
Description: An issue exists in WebKit's implementation of Cross-Origin Resource Sharing. Before allowing a page from one origin to access a resource in another origin, WebKit sends a preflight request to the latter server for access to the resource. WebKit includes custom HTTP headers specified by the requesting page in the preflight request. This can facilitate cross-site request forgery. This issue is addressed by removing custom HTTP headers from preflight requests.
Credit: Apple.

*WebKit
CVE-ID: CVE-2009-3384
Available for: Windows 7, Vista, XP
Impact: Accessing a maliciously crafted FTP server could result in an unexpected application termination, information disclosure, or arbitrary code execution
Description: Multiple vulnerabilities exist in WebKit's handling of FTP directory listings. Accessing a maliciously crafted FTP server may lead to information disclosure, unexpected application termination, or execution of arbitrary code. This update addresses the issues through improved parsing of FTP directory listings. These issues do not affect Safari on Mac OS X systems. Credit to Michal Zalewski of Google Inc. for reporting these issues.

*WebKit
CVE-ID: CVE-2009-2841
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.1 and v10.6.2, Mac OS X Server v10.6.1 and v10.6.2
Impact: Mail may load remote audio and video content when remote image loading is disabled
Description: When WebKit encounters an HTML 5 Media Element pointing to an external resource, it does not issue a resource load callback to determine if the resource should be loaded. This may result in undesired requests to remote servers. As an example, the sender of an HTML-formatted email message could use this to determine that the message was read. This issue is addressed by generating resource load callbacks when WebKit encounters an HTML 5 Media Element. This issue does not affect Safari on Windows systems.



The new version can be downloaded here.
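The WebKit CORS item (CVE-2009-2816) turns on one detail of the preflight protocol: the OPTIONS request that precedes a cross-origin request should announce only the names of the custom headers the page wants to send, and the values go out only in the real request, after the target server has allowed them. The following simulation of both sides of that exchange is an added example, not Apple's or WebKit's code; the origin, path, header name and the demo_server allow-list are constructed for the example, and the leak_values flag models the pre-4.0.4 behaviour described in the advisory rather than any real browser API.

```python
"""Constructed simulation of a CORS preflight exchange (added example)."""
from dataclasses import dataclass, field

# Header names CORS treats as "simple"; anything else must be preflighted.
SIMPLE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
# The only headers a preflight itself is supposed to carry.
CORS_PREFLIGHT_HEADERS = {"origin", "access-control-request-method",
                          "access-control-request-headers"}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


def build_preflight(origin, method, path, custom_headers, leak_values=False):
    """Browser side. With leak_values=False only the custom header *names* are
    announced; leak_values=True copies the headers (values included) into the
    preflight, the behaviour the advisory says facilitated CSRF."""
    headers = {
        "Origin": origin,
        "Access-Control-Request-Method": method,
        "Access-Control-Request-Headers": ", ".join(sorted(h.lower() for h in custom_headers)),
    }
    if leak_values:
        headers.update(custom_headers)
    return Request("OPTIONS", path, headers)


def unexpected_preflight_headers(req):
    """Server-side check: report any header on a preflight that is neither a
    CORS negotiation header nor a simple header. A correct browser yields {}."""
    return {h.lower() for h in req.headers
            if h.lower() not in CORS_PREFLIGHT_HEADERS | SIMPLE_HEADERS}


def handle_preflight(req, allowed_origins, allowed_methods, allowed_headers):
    """Server side: answer the preflight from an allow-list. Anything not
    explicitly permitted is refused, and a preflight never has side effects."""
    origin = req.headers.get("Origin")
    method = req.headers.get("Access-Control-Request-Method", "")
    requested = {h.strip().lower() for h in
                 req.headers.get("Access-Control-Request-Headers", "").split(",")
                 if h.strip()}
    if (origin not in allowed_origins or method not in allowed_methods
            or not requested <= {h.lower() for h in allowed_headers}):
        return Response(403)
    return Response(204, {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": method,
        "Access-Control-Allow-Headers": ", ".join(sorted(requested)),
    })


def cross_origin_request(origin, method, path, custom_headers, server, leak_values=False):
    """Drive the full exchange; return the requests that reached the server so
    the caller can inspect exactly what each step transmitted."""
    sent = []
    preflight = build_preflight(origin, method, path, custom_headers, leak_values)
    sent.append(preflight)
    if server(preflight).status == 204:          # allowed: now send the real request
        sent.append(Request(method, path, {"Origin": origin, **custom_headers}))
    return sent


def demo_server(req):
    # Constructed allow-list for the example: one trusted origin, one custom header.
    return handle_preflight(req, {"https://app.example"}, {"POST"}, {"X-Csrf-Token"})


def demo(leak_values=False, origin="https://app.example"):
    return cross_origin_request(origin, "POST", "/api/transfer",
                                {"X-Csrf-Token": "t0k3n"}, demo_server, leak_values)


if __name__ == "__main__":
    for label, exchange in (("fixed", demo()), ("leaky", demo(leak_values=True))):
        print(label, [(r.method, sorted(r.headers)) for r in exchange])
```

Running `demo()` shows the fixed flow: the OPTIONS request names `x-csrf-token` but carries no token, and the token appears only in the POST that follows the 204. With `leak_values=True` the token is already on the preflight, which `unexpected_preflight_headers` flags; a server that logs that condition can spot clients sending more than a preflight should.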

Tuesday, November 10, 2009

November 2009 Updates From Microsoft

Microsoft has released its monthly security update package. The November 2009 update contains six updates, of which three are critical and three important.

Critical updates:
MS09-063: Vulnerability in Web Services on Devices API Could Allow Remote Code Execution (973565)
MS09-064: Vulnerability in License Logging Server Could Allow Remote Code Execution (974783)
MS09-065: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947)


Important updates:
MS09-066: Vulnerability in Active Directory Could Allow Denial of Service (973309)
MS09-067: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (972652)
MS09-068: Vulnerability in Microsoft Office Word Could Allow Remote Code Execution (976307)


A new version of the Microsoft Windows Malicious Software Removal Tool was released too.

More information on the update package and its contents can be read here.

For consumers, the easiest way to get the updates is to use the Microsoft Update service.

Monday, November 9, 2009

Google Reader Abused By Koobface

Jonell Baltazar, Advanced Threats Researcher at Trend Micro, writes in the company's blog that the bad guys behind Koobface are using Google's Google Reader service to spread malicious links on social networking sites such as Facebook, MySpace, and Twitter.

"The Koobface gang used controlled Google Reader accounts to host URLs containing an image that resembles a flash movie. These URL are spammed through the said social networks. When the user clicks the image or the title of the shared content, it leads to the all too familiar fake YouTube page that hosts the Koobface downloader component", Baltazar writes.

The whole blog post can be read here.

Wednesday, November 4, 2009

Adobe Shockwave Player Updated

A new version of Adobe Shockwave Player has been released. Version 11.5.2.602 fixes critical vulnerabilities that could allow an attacker who successfully exploits them to run malicious code on the affected system.

Adobe recommends Shockwave Player users on Windows uninstall Shockwave version 11.5.1.601 and earlier on their systems, restart, and install Shockwave version 11.5.2.602.

More information:
Adobe's security bulletin

New Java Update Released

Sun has released an update for Java SE Runtime Environment (JRE) 6. The JRE allows end users to run Java applications. The latest update can be downloaded from Sun's Java SE Downloads site.

More information about the contents of the update can be read in the Release Notes of Java SE 6 Update 17.

Java users are recommended to update to the latest version available.

Monday, November 2, 2009

In-depth Analysis of Bredolab

David Sancho, Senior Threat Researcher at Trend Micro, has written an interesting in-depth analysis of the Bredolab malware and its connections to the FakeAV and Zeus/Zbot malware families. The report "You Scratch My Back…BREDOLAB's Sudden Rise in Prominence" can be downloaded here.

Thursday, October 29, 2009

Security And Stability Patch For Opera Available

Opera Software has released a patch for its Opera web browser. Version 10.01 fixes a few security issues, the most severe of which could allow execution of arbitrary code.

The changelog of the Windows version can be read here.

Wednesday, October 28, 2009

New Updates For Firefox

Mozilla has released new updates for Firefox 3.5.x and the older 3.0.x versions. Version 3.5.4 fixes 11 vulnerabilities, of which six are categorized as critical, three as moderate and two as low. Update 3.0.15, meant for the older 3.0.x series, fixes ten vulnerabilities, of which five are categorized as critical, three as moderate and two as low.

The update can be obtained with Firefox's built-in updater or by downloading it manually.

Download links and related extra information:
Release notes for 3.5.4 version
Release notes for 3.0.15 version

Mozilla recommends that 3.0.x series users switch to the 3.5.x series. Security and stability updates for 3.0.x versions will be released until January 2010.

Security Updates For VMware Products Available

VMware has released security updates to patch two vulnerabilities in its virtualization products:

*Mishandled exception on page faults (CVE-2009-2267). An improper setting of the exception code on page faults may allow for local privilege escalation on the guest operating system. This vulnerability does not affect the host system.
*Directory Traversal vulnerability (CVE-2009-3733). A directory traversal vulnerability allows for remote retrieval of any file from the host system. In order to send a malicious request, the attacker will need to have access to the network on which the host resides.


Affected versions:
VMware Workstation 6.5.2 and earlier,
VMware Player 2.5.2 and earlier,
VMware ACE 2.5.2 and earlier,
VMware Server 2.0.1 and earlier,
VMware Server 1.0.9 and earlier,
VMware Fusion 2.0.5 and earlier,
VMware ESXi 4.0 without patch ESXi400-200909401-BG,
VMware ESXi 3.5 without patches ESXe350-200910401-I-SG,
ESXe350-200901401-I-SG,
VMware ESX 4.0 without patch ESX400-200909401-BG,
VMware ESX 3.5 without patches ESX350-200910401-SG
ESX350-200901401-SG,
VMware ESX 3.0.3 without patches ESX303-200910401-BG,
ESX303-200812406-BG,
VMware ESX 2.5.5 without Upgrade Patch 15.


Further information, including updating instructions, can be read in VMware's security advisory.

Tuesday, October 27, 2009

Fake Facebook Password Reset Confirmation Email Spreads Trojan

MX Lab warns in its blog about the Bredolab trojan being spread in fake Facebook Password Reset Confirmation email messages.

The body of the message looks like this:

Hey <"receiver here"> ,

Because of the measures taken to provide safety to our clients, your password has been changed.
You can find your new password in attached document.

Thanks,
The Facebook Team


The attached file contains a variant of the trojan. A sample uploaded to VirusTotal was detected as malicious by 14 of 41 scanners.

More details in MX Lab's blog.

Malicious Halloween Surprises

Halloween is once again coming up on Saturday, and malware authors are out taking advantage of the occasion. Tom Kelchner from Sunbelt Software introduces in the company's blog a few "Classic Threats to Watch Out For". Some of them bring malware onto the user's system and others harvest the user's personal and financial data. The list of these unpleasant treats, such as a dancing skeleton bundled with the Storm trojan, can be checked in Sunbelt's blog entry.

Sunday, October 25, 2009

WordPress 2.8.5 Released

A new version of WordPress has been released. It contains bug fixes and also patches a vulnerability that could make a Denial-of-Service attack possible.

More information can be read on the WordPress project blog.

Wednesday, October 21, 2009

Quarterly Security Update Packet From Oracle

Oracle has released updates that contain fixes for 38 different vulnerabilities. The fixes are part of the company's quarterly CPU (Critical Patch Update).

The exact list of the vulnerabilities and instructions on how to apply the fixes can be read in Oracle's Critical Patch Update Advisory.

Oracle plans to release the next Critical Patch Update in January 2010.

Fake Microsoft Alerts Under Conficker Worm Theme

Malware authors are once again spreading their creations through email. Sophos warns in its blog about bogus Microsoft alerts regarding the Conficker worm. The message looks like the one below (other variants may exist):

Subject: Conflicker.B Infection Alert
Attached file: install.zip
Message body:

Dear Microsoft Customer,

Starting 18/10/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please install attached file to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division


The attached file contains malware that Sophos detects as Mal/ZipMal-C and Mal/EncPk-KP.
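The three lures on this page (the fake mailbox deactivation notice, the fake Facebook password reset, and the bogus Conficker alert above) share one shape: an official-sounding account threat, a demand to open an attached archive, and a brand name that does not match the sending domain. The mail triage below is an added example, not code from Sophos, MX Lab or this blog; it parses messages with Python's standard email module and returns the indicators it finds. The sample messages, the recipient domain victim.example, the sender addresses and the BRAND_DOMAINS table are all constructed for the example (a real deployment would maintain its own brand-to-domain table).

```python
"""Rule-based triage for 'open the attached archive' lures (added example)."""
from email import message_from_string
from email.mime.base import MIMEBase
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from email.utils import parseaddr

# Assumption for this example: brands the lures impersonate and the sender
# domains those brands would legitimately use.
BRAND_DOMAINS = {
    "microsoft": {"microsoft.com"},
    "facebook": {"facebook.com", "facebookmail.com"},
}
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z")
ACTION_PHRASES = ("run the attached", "install attached", "attached document",
                  "extract and run", "attached file")
URGENCY_PHRASES = ("has been deactivated", "your network is infected",
                   "password has been changed", "unusual activity")


def attachment_names(msg):
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def body_text(msg):
    """Concatenate the text/plain parts, lower-cased for phrase matching."""
    chunks = [part.get_payload(decode=True).decode("utf-8", "replace")
              for part in msg.walk()
              if part.get_content_type() == "text/plain" and not part.get_filename()]
    return "\n".join(chunks).lower()


def indicators(raw):
    """Return the list of reasons a raw RFC 822 message looks like one of these lures."""
    msg = message_from_string(raw)
    text, subject = body_text(msg), msg.get("Subject", "").lower()
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reasons = []
    if any(n.lower().endswith(ARCHIVE_EXTENSIONS) for n in attachment_names(msg)):
        reasons.append("archive attachment")
    if any(p in text for p in ACTION_PHRASES):
        reasons.append("asks recipient to open attachment")
    if any(p in text or p in subject for p in URGENCY_PHRASES):
        reasons.append("urgency / account-threat wording")
    for brand, domains in BRAND_DOMAINS.items():
        if brand in text and not any(domain == d or domain.endswith("." + d) for d in domains):
            reasons.append(f"claims to be {brand} but sent from {domain or 'unknown'}")
    return reasons


def score(raw, threshold=3):
    """(flagged, reasons): flag when at least `threshold` indicators coincide."""
    reasons = indicators(raw)
    return len(reasons) >= threshold, reasons


def make_message(sender, subject, body, attachment=None):
    """Build a raw message; test data constructed for this example."""
    msg = MIMEMultipart()
    msg["From"], msg["To"], msg["Subject"] = sender, "user@victim.example", subject
    msg.attach(MIMEText(body, "plain"))
    if attachment:
        part = MIMEBase("application", "zip")
        part.set_payload("constructed placeholder, not a real archive")
        part.add_header("Content-Disposition", "attachment", filename=attachment)
        msg.attach(part)
    return msg.as_string()


SAMPLES = {
    "mailbox": make_message("support@victim.example", "your mailbox has been deactivated",
        "We are contacting you in regards to an unusual activity that was identified in your "
        "mailbox. As a result, your mailbox has been deactivated. To restore your mailbox, you "
        "are required to extract and run the attached mailbox utility.", "utility.zip"),
    "facebook": make_message("The Facebook Team <noreply@mail.example>",
        "Facebook Password Reset Confirmation",
        "Because of the measures taken to provide safety to our clients, your password has been "
        "changed. You can find your new password in attached document.\n\nThanks,\nThe Facebook Team",
        "Facebook_Password.zip"),
    "conficker": make_message("Microsoft Windows Agent <agent@win-safety.example>",
        "Conflicker.B Infection Alert",
        "Dear Microsoft Customer, Microsoft has been advised by your Internet provider that your "
        "network is infected. Please install attached file to start the scan.", "install.zip"),
    "benign": make_message("colleague@victim.example", "Lunch on Friday?",
        "Are you free for lunch on Friday? The menu is on the intranet."),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, score(raw))
```

Each rule alone is weak (plenty of legitimate mail carries a zip), so `score` only flags a message when several indicators coincide; the brand check is the one that separates the three lures most cleanly from ordinary mail, because none of them can send from the domain they claim to represent.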

Friday, October 16, 2009

Mozilla Opens Plugin Check Site For Firefox Users

Nowadays most web browsers can be equipped with various handy plugins. There is a catch though: outdated browser plugins, through their vulnerabilities, can put the whole system at risk. Mozilla has promised that its upcoming Firefox 3.6 will have a built-in check for installed plugins. While waiting for that release, Firefox users can visit the Plugin Check site to find out whether any of their plugins is outdated and needs updating.

Mozilla gave a foretaste of this new feature in Firefox 3.5.3 and 3.0.14, which introduced a built-in check for the Adobe Flash Player plugin.

Wednesday, October 14, 2009

Critical Update For Adobe Reader And Acrobat Available

Adobe has released patched versions of its Adobe Reader and Acrobat products. In total, the updates fix 29 vulnerabilities.

The affected versions are Adobe Reader 9.1.3 and Acrobat 9.1.3, Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh and UNIX, and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh.

"Adobe recommends users of Adobe Reader 9.1.3 and Acrobat 9.1.3 and earlier versions update to Adobe Reader 9.2 and Acrobat 9.2. Adobe recommends users of Acrobat 8.1.6 and earlier versions update to Acrobat 8.1.7, and users of Acrobat 7.1.3 and earlier versions update to Acrobat 7.1.4. For Adobe Reader users who cannot update to Adobe Reader 9.2, Adobe has provided the Adobe Reader 8.1.7 and Adobe Reader 7.1.4 updates."

More information about this critical update, with links to the non-vulnerable versions, can be read in the official security advisory.

Tuesday, October 13, 2009

Big Bunch Of Updates For October 2009 From Microsoft

Microsoft has released its monthly security update package. The October 2009 update consists of a total of 13 updates, of which eight are critical and five important.

Critical updates:
MS09-050: Vulnerabilities in SMBv2 Could Allow Remote Code Execution (975517)
MS09-051: Vulnerabilities in Windows Media Runtime Could Allow Remote Code Execution (975682)
MS09-052: Vulnerability in Windows Media Player Could Allow Remote Code Execution (974112)
MS09-054: Cumulative Security Update for Internet Explorer (974455)
MS09-055: Cumulative Security Update of ActiveX Kill Bits (973525)
MS09-060: Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution (973965)
MS09-061: Vulnerabilities in the Microsoft .NET Common Language Runtime Could Allow Remote Code Execution (974378)
MS09-062: Vulnerabilities in GDI+ Could Allow Remote Code Execution (957488)


Important updates:
MS09-053: Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution (975254)
MS09-056: Vulnerabilities in Windows CryptoAPI Could Allow Spoofing (974571)
MS09-057: Vulnerability in Indexing Service Could Allow Remote Code Execution (969059)
MS09-058: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (971486)
MS09-059: Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (975467)



A new version of the Microsoft Windows Malicious Software Removal Tool was released too.

More information on the update and its contents can be read here.

For consumers, the easiest way to get the updates is to use the Microsoft Update service.

Saturday, October 10, 2009

Eight Things About Koobface

Koobface has been one of the hottest names in malware lately. Ryan Flores, Advanced Threats Researcher, has posted a list of eight things about this social-networking pest in the Trend Micro blog.

Ryan Flores, Jonell Baltazar and Joey Costoya have also published an interesting research report on KOOBFACE, named The Heart of KOOBFACE: C&C and Social Network Propagation.

Wednesday, October 7, 2009

SMS Spam In Finland

F-Secure writes in its blog about SMS spam that some Finnish mobile phone users have received. The message contains Finnish text that translates as "Video message, click" with a link to a website (other variants may exist). If opened, the link directs the user to a "Mobile Tube" service. Fine print in Finnish at the bottom of the page says that "the user has accepted a premium rate service, and if he wishes, he can cancel the contract".

"The scam works if the user has a WAP access point enabled, as is per default with most operators. The scammers will get the necessary information for billing just by having the user click a link and visiting the web page."

F-Secure reported a similar scam in its blog in July. However, this is the first time such a scam has appeared in Finnish.

"So whenever you see unexpected links via SMS, just delete the message and do not click them. If you clicked on a link, check if the page has an unsubscribe link. If it does, unsubscribe from the service and then file a complaint to your phone operator if you are billed by the premium service vendor", F-Secure guides.

Tuesday, October 6, 2009

Big Scam Hits Email Accounts

BBC News reports on a big scam that has hit more than 30,000 email accounts. Account details had been posted online in two lists. The first list, of over 10,000 Hotmail account credentials, was reported yesterday, and today there was a report of a second list containing over 20,000 email account credentials. The credentials on this list include Hotmail, Yahoo, AOL and Gmail accounts, and also some from Earthlink and Comcast. It is still unclear whether both lists are related to the same phishing scam.

Email scam related BBC articles:
Phishing attack targets Hotmail
Scam hits more e-mail accounts
Google targeted in e-mail scam

Test Versions of Mozilla's Content Security Policy Out

Mozilla says in its blog that it has completed the first test versions of its new Content Security Policy (CSP) technology and that it will be included in upcoming Firefox versions. The main goal of CSP is to prevent XSS (cross-site scripting) attacks, which have become an important tool for data criminals. In an XSS attack, criminals inject malicious code into a web site; the code makes the browser download content directly from the criminals' servers while the user sees the legitimate site.

The idea of CSP is that website administrators specify which domains the browser should treat as valid sources of script. This prevents Firefox users from loading malicious content even if criminals succeed in injecting XSS into the website. Clickjacking attacks can be prevented in the same way.

Detailed explanation of CSP and how it works can be viewed here.
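As an added illustration of the rule CSP enforces (example code written for this post, not Mozilla's implementation), the Python below parses a policy string and decides whether a given script may load on a page. It uses the source-list syntax that was later standardized as the Content-Security-Policy header; Mozilla's 2009 prototype used an X-Content-Security-Policy header with slightly different syntax, so the policy string, the function names and the sample URLs are assumptions. Port numbers and path matching are deliberately left out.

```python
from urllib.parse import urlsplit

# Constructed example policy (assumption: later standardized CSP syntax, not
# the exact syntax of Mozilla's 2009 prototype).
EXAMPLE_POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com"


def parse_policy(policy: str) -> dict:
    """Split "directive src src; directive src" into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def origin_of(url: str) -> str:
    """scheme://host[:port] in lower case; the unit 'self' is compared on."""
    u = urlsplit(url)
    return f"{u.scheme}://{u.netloc}".lower()


def source_matches(source: str, page_origin: str, url: str) -> bool:
    """Does one source expression allow loading `url` on a page at page_origin?"""
    if source == "'none'":
        return False
    if source == "'self'":
        return origin_of(url) == page_origin
    if source == "*":
        return True
    target = urlsplit(url)
    # A bare host like cdn.example.com has no scheme; prefix // so urlsplit
    # treats it as a network location instead of a path.
    src = urlsplit(source if "://" in source else "//" + source)
    if src.scheme and src.scheme != target.scheme:
        return False
    host = src.hostname or ""
    if host.startswith("*."):
        # Wildcard host-source: any subdomain of example.com.
        return target.hostname is not None and target.hostname.endswith(host[1:])
    return target.hostname == host


def effective_script_sources(policy: str) -> list:
    """script-src if present, otherwise the default-src fallback, as CSP does."""
    directives = parse_policy(policy)
    return directives.get("script-src", directives.get("default-src", []))


def script_allowed(policy: str, page_url: str, script_url: str) -> bool:
    """Decide whether <script src=script_url> may load under `policy`.
    An injected external script from an unlisted host is simply blocked."""
    page_origin = origin_of(page_url)
    return any(source_matches(s, page_origin, script_url)
               for s in effective_script_sources(policy))


def inline_script_allowed(policy: str) -> bool:
    """Inline <script> blocks (the usual XSS payload) load only if the policy
    explicitly opts in with 'unsafe-inline'."""
    return "'unsafe-inline'" in effective_script_sources(policy)


if __name__ == "__main__":
    page = "https://www.example.com/page"
    for url in ("https://www.example.com/app.js",
                "https://cdn.example.com/lib.js",
                "http://evil.example.net/x.js"):
        print(url, "->", "allowed" if script_allowed(EXAMPLE_POLICY, page, url) else "blocked")
    print("inline script ->", "allowed" if inline_script_allowed(EXAMPLE_POLICY) else "blocked")
```

The two points worth noticing are that an injected script is blocked both when it is inline and when it points at a host the administrator never listed, and that 'self' compares the full origin, so a plain-http copy of the page's own host does not match an https page.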

Saturday, October 3, 2009

Report Of Phishing Activity Trends From APWG

The Anti-Phishing Working Group (APWG) has published its Phishing Activity Trends report for the first half of 2009. The report can be read here.

Wednesday, September 30, 2009

Microsoft Security Essentials SEO Poisoning

Microsoft released yesterday its new Security Essentials real-time protection software for home users. Bad guys haven't let the chance slip away.

Websense's alert warns about rogue links that malware authors have managed to place among legitimate results by using Search Engine Optimization (SEO) techniques. Detection rates for Soft_71.exe, one of the malicious files being spread, were pretty low when the file was scanned on VirusTotal some hours ago.

Tuesday, September 29, 2009

Microsoft Security Essentials Is Out

Microsoft has released the public version of their new real-time protection software, Microsoft Security Essentials (MSE). The program is meant mainly for home PCs. "For business customers, Microsoft continues to offer Forefront Client Security, providing centralized, comprehensive management and reporting capabilities", is stated on the press release.

More information and download link for the program can be found on the official site of MSE.

Monday, September 28, 2009

"Inside the Password Stealing Business" Report

Avert Labs has published a research paper called “Inside the Password-Stealing Business: the Who and How of Identity Theft”.

The report uncovers technical details on the capabilities, level of sophistication, and inner workings of the most infamous contemporary password-stealing malware families such as Zbot, Sinowal, and Steam Stealer. It also discusses the prevalence of such malware, its distribution channels, how criminals keep up with the changes banks make to keep transactions secure, and how they exploit today's economic climate.

The report can be found here.

Source

Tuesday, September 22, 2009

Razer Support Site Distributed Malware

"The support website at gaming hardware manufacturer Razer, has been compromised to distribute malware", writes Rik Ferguson from Trend Micro in their blog. According to Ferguson, Razer took their support website down after it was discovered that a large number of the device drivers offered for download on the site were infected with a Trojan. The Trojan delivers the original installer but then goes on to drop a copy of WORM.ASPXOR.AB in the system directory. 7 of 41 scanners at Virustotal flagged the infection.

At the moment of writing this, the Razer Support Downloads page is still under maintenance. The announcement recommends running a virus scan if one has "downloaded and installed drivers or firmware from www.razersupport.com from the 19th of September 2009".

PHP Version 5.2.11 Released

A new version of the PHP 5.2.x branch has been released. The new version fixes over 75 bugs, four of which are security related:
* Fixed certificate validation inside php_openssl_apply_verification_policy. CVE-2009-3291
* Fixed sanity check for the color index in imagecolortransparent(). CVE-2009-3292
* Added missing sanity checks around exif processing. CVE-2009-3293
* Fixed bug #44683 (popen crashes when an invalid mode is passed). CVE-2009-3294


PHP 5.2.x branch users are advised to upgrade their current versions to this latest one.

More information can be read here.

Friday, September 18, 2009

Microsoft Goes After The Malvertising Threat

Microsoft has filed five civil lawsuits, the first of their kind, against a phenomenon known as malvertising, which also hit the New York Times website last weekend. Malvertising is the term used for malicious online advertising.

"The lawsuits allege that individuals using the business names “Soft Solutions,” “Direct Ad,” “qiweroqw.com,” “ITmeter INC.” and “ote2008.info” used malvertisements to distribute malicious software or present deceptive websites that peddled scareware to unsuspecting Internet users. Although we don’t yet know the names of the specific individuals behind these acts, we are filing these cases to help uncover the people responsible and prevent them from continuing their exploits", states Tim Cranton, associate general counsel for Microsoft in a blog post that announced the lawsuits.

These five filings build on other recent actions that Microsoft has taken against click fraud and instant messaging spam.

Wednesday, September 16, 2009

Cyber Security Risks Report From SANS

SANS (SysAdmin, Audit, Network, Security) has published a report about cyber security risks.

The report identifies popular unpatched third-party programs (e.g. Adobe PDF Reader, QuickTime, Adobe Flash) as the biggest client-side risk. On the server side the biggest risk is web applications. Attackers frequently combine the two: a vulnerable web application is used to host a client exploit, which then gives a foothold to pivot and attack inside the victim's network.

Full report can be read here.

Tuesday, September 15, 2009

Trojan Uses Google Groups To Deliver Botnet Commands

Gavin O'Gorman from Symantec writes in the company's blog how cyber criminals are using a trojan, named Trojan.Grups by Symantec, to distribute botnet commands via Google Groups newsgroups. Distributing trojans via newsgroups is not uncommon, but this is the first instance of newsgroup C&C (command and control) usage that Symantec has detected.

A detailed analysis of how the Trojan.Grups trojan works can be read in Symantec's blog here.

Source: TheRegister

Friday, September 11, 2009

Vulnerabilities In QuickTime player

Apple has released a new version of its QuickTime media player. Version 7.6.4 patches four critical vulnerabilities which, when exploited, may lead to an unexpected application termination or arbitrary code execution.

Apple's QuickTime 7.6.4 related security document can be found here.

Users of vulnerable versions are advised to download the latest version available.

Version 3.5.3 of Firefox Released

Mozilla has released version 3.5.3 of its Firefox web browser. The new version contains fixes for four vulnerabilities, three of which are critical and one low. It also fixes several stability issues and brings the Flash version check blogged about earlier.

The update can be obtained using Firefox's built-in updater or by downloading it manually. More details in the Firefox 3.5.3 Release Notes.

Tuesday, September 8, 2009

Security Updates For September 2009 From Microsoft

Microsoft has released its monthly security updates. The September 2009 release consists of five bulletins, all of which patch vulnerabilities in Windows and are categorized as critical:
MS09-045: Vulnerability in JScript Scripting Engine Could Allow Remote Code Execution (971961)
MS09-046: Vulnerability in DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (956844)
MS09-047: Vulnerabilities in Windows Media Format Could Allow Remote Code Execution (973812)
MS09-048: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)
MS09-049: Vulnerability in Wireless LAN AutoConfig Service Could Allow Remote Code Execution (970710)

A new version of the Microsoft Windows Malicious Software Removal Tool was released too.

More information about the update and its contents can be read here.

For consumers the easiest way to get the update is to use the Microsoft Update service.

Saturday, September 5, 2009

Upcoming Firefox Versions Check Flash Version Freshness

Mozilla states in their blog that from the upcoming versions Firefox 3.5.3 and Firefox 3.0.14 onwards, Firefox users will be warned if their version of the Adobe Flash Player plugin is not up to date. This will be a welcome addition, since old Flash versions are often exploited in cyber criminals' attacks. "For now our focus is on the Adobe Flash Player both because of its popularity and because some studies have shown that as many as 80% of users currently have an out of date version", is stated in the blog.

Mozilla plans to work with other plugin vendors to provide similar checks for their products in the future too.

Tuesday, September 1, 2009

Opera 10 Released

Opera Software has released version 10 of its Opera web browser.

Opera Turbo and the other new and updated features are described in the version 10 changelog.

Saturday, August 29, 2009

MessageLabs Intelligence Report: August 2009

MessageLabs has published their Intelligence report that sums up the latest threat trends for August 2009.

Report highlights:
• Spam – 88.5% in August (0.9% decrease since July)
• Viruses – one in 296.6 emails in August contained malware (almost unchanged since July)
• Phishing – one in 341.2 emails comprised a phishing attack (0.01% decrease since July)
• Malicious websites – 3,510 websites blocked per day (2.9% decrease since July)
• Latvian ISP closure dents Cutwail botnet
• Shortened-URL spam runs continue
• Social networking websites get hit by DDoS attacks

The report can be found here.

Wednesday, August 26, 2009

Pink Floyd Worm Spreads In Chinese Social Networking Site

Virus Researcher Boris Lau from SophosLabs writes in their blog about a worm that is spreading on the Chinese social networking website renren.com. The worm, detected as W32/PinkRen-A by Sophos, poses as a Flash file for the “Pink Floyd - Wish You Were Here” video, which tries to execute an external JavaScript file.

"The technique used in this worm exploits a simple XSS hole in the website - with a payload which has a flash component with the AllowScriptAccess=”always” attribute to allow the above “non-malicious” javascript to spread the worm via renren.com’s API", Lau writes.

Initial analysis of the found variant shows that W32/PinkRen-A doesn't seem to do anything other than spread itself across the renren site.

Monday, August 24, 2009

Delphi Compilers Targeted By File Infector

Trend Micro writes in their blog about a new file infector that targets Borland Delphi compilers. The file infector, detected by Trend Micro as PE_INDUC.A, tampers with Borland Delphi compilers installed on targeted systems, causing all files compiled with the compromised compiler to be infected.

So far there is no known payload for this malware except for infecting the compiled files.

Source

Saturday, August 22, 2009

Symantec Lists Top 100 Dirtiest Web Sites

Symantec has released its top 100 list of the dirtiest web sites. 48 percent of those feature adult content. The remaining 52 percent are dedicated to other things, such as deer hunting, catering, figure skating, legal services, and buying electronics. Malware is the most common threat represented on the dirtiest list, followed by security risks and browser exploits.

Complete article here.

Monday, August 17, 2009

New Koobface Variant On Loose

Security company Panda Security warns in their blog of a new wave of the Koobface worm spreading on the social networking site Facebook. Spam messages come with the text "CooooL Video" and a web link. When the link is clicked, the victim is redirected to a Koobface-controlled server that routes to a fake codec site. On the fake codec site the victim is shown a "Flash Player upgrade required" message that tries to make the user open a malicious executable file.

Source

Sunday, August 16, 2009

Jaiku Used For Sending Botnet Commands

Twitter doesn't seem to be the only social service criminals have used for sending commands to botnet clients. Kaspersky Lab's blog reports that a similar, though less popular, service, Jaiku, also had an account named "upd4t3" set up to send commands similar to those the suspended Twitter account used to send.

Jose Nazario tells in an updated post at the Arbor Networks blog that he had also found an "upd4t3" profile on Tumblr. However, that profile had been abandoned for some reason.

Friday, August 14, 2009

Twitter Account Used As Botnet Command Channel

Microblogging service Twitter has been one of the hottest topics for the past couple of weeks due to attacks that sent more traffic towards the service than it could handle. Jose Nazario, manager of security research at Arbor Networks, made the latest addition to Twitter-related news by telling in the company's blog how he noticed the Twitter account "upd4t3" (now suspended) being used to send commands to a botnet of infected computers.

More details in Arbor Networks' blog.

Wednesday, August 12, 2009

Safari 4.0.3 Released

Apple has released version 4.0.3 of its Safari web browser. The new version fixes six vulnerabilities:
-CoreGraphics
CVE-ID: CVE-2009-2468
Available for: Windows XP and Vista
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A heap buffer overflow exists in the drawing of long text strings. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit to Will Drewry of Google Inc for reporting this issue.

-ImageIO
CVE-ID: CVE-2009-2188
Available for: Windows XP and Vista
Impact: Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in the handling of EXIF metadata. Viewing a maliciously crafted image may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

-Safari
CVE-ID: CVE-2009-2196
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows XP and Vista
Impact: A maliciously crafted website may be promoted into Safari's Top Sites view
Description: Safari 4 introduced the Top Sites feature to provide an at-a-glance view of a user's favorite websites. It is possible for a malicious website to promote arbitrary sites into the Top Sites view through automated actions. This could be used to facilitate a phishing attack. This issue is addressed by preventing automated website visits from affecting the Top Sites list. Only websites that the user visits manually can be included in the Top Sites list. As a note, Safari enables fraudulent site detection by default. Since the introduction of the Top Sites feature, fraudulent sites are not displayed in the Top Sites view. Credit to Inferno of SecureThoughts.com for reporting this issue.

-WebKit
CVE-ID: CVE-2009-2195
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows XP and Vista
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A buffer overflow exists in WebKit's parsing of floating point numbers. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking. Credit: Apple.

-WebKit
CVE-ID: CVE-2009-2200
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows XP and Vista
Impact: Visiting a maliciously crafted website and clicking "Go" when viewing a malicious plug-in dialog may lead to the disclosure of sensitive information
Description: WebKit allows the pluginspage attribute of the 'embed' element to reference file URLs. Clicking "Go" in the dialog that appears when an unknown plug-in type is referenced will redirect to the URL listed in the pluginspage attribute. This may allow a remote attacker to launch file URLs in Safari, and lead to the disclosure of sensitive information. This update addresses the issue by restricting the pluginspage URL scheme to http or https. Credit to Alexios Fakos of n.runs AG for reporting this issue.

-WebKit
CVE-ID: CVE-2009-2199
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Mac OS X v10.5.8, Mac OS X Server v10.5.8, Windows XP and Vista
Impact: Look-alike characters in a URL could be used to masquerade a website
Description: The International Domain Name (IDN) support and Unicode fonts embedded in Safari could be used to create a URL which contains look-alike characters. These could be used in a malicious website to direct the user to a spoofed site that visually appears to be a legitimate domain. This update addresses the issue by supplementing WebKit's list of known look-alike characters. Look-alike characters are rendered in Punycode in the address bar. Credit to Chris Weber of Casaba Security, LLC for reporting this issue.



Windows version users can get the latest version from Apple Downloads.
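To make the look-alike problem in the last entry concrete, here is an added Python example (written for this post, not Apple's or WebKit's code) that renders a mixed-script domain as Punycode, which is how the advisory says Safari now shows suspect labels, and flags labels that mix alphabetic scripts. The sample domain is constructed, and the mixed-script heuristic is an assumption: it is simpler than WebKit's list of known look-alike characters and will not catch a look-alike built entirely from one non-Latin script.

```python
import unicodedata

# Constructed sample: "paypal.com" with the first 'a' replaced by CYRILLIC
# SMALL LETTER A (U+0430). Visually identical to the Latin spelling.
CONSTRUCTED_HOMOGRAPH = "p\u0430ypal.com"


def to_punycode(domain: str) -> str:
    """ASCII (xn--) form of an internationalized domain name. Showing this
    form in the address bar is what makes the substitution visible."""
    return domain.encode("idna").decode("ascii")


def script_of(ch: str) -> str:
    """First word of the Unicode character name: LATIN, CYRILLIC, GREEK, ..."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def mixed_scripts(label: str) -> set:
    """Set of alphabetic scripts used in one DNS label; digits and hyphens
    belong to no script and are ignored."""
    return {script_of(c) for c in label if c.isalpha()}


def is_suspicious(domain: str) -> bool:
    """Assumed heuristic: flag a domain if any label mixes alphabetic scripts
    (e.g. Latin with Cyrillic). A single-script non-Latin label, such as a
    genuine Russian domain, passes."""
    return any(len(mixed_scripts(label)) > 1 for label in domain.split("."))


def display_form(domain: str) -> str:
    """What a defender-side URL filter or log normalizer might show: the
    Punycode form when the domain is suspicious, the Unicode form otherwise."""
    return to_punycode(domain) if is_suspicious(domain) else domain


if __name__ == "__main__":
    for d in (CONSTRUCTED_HOMOGRAPH, "paypal.com"):
        print(repr(d), "->", display_form(d), "| suspicious:", is_suspicious(d))
```

Python's idna codec implements the older IDNA 2003 rules, which is enough for this demonstration; a production filter should also apply the IDNA 2008 / UTS #46 mapping and a confusables table rather than the script-name check alone.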

Tuesday, August 11, 2009

Microsoft Updates For August 2009

Microsoft has released security updates for August. The release contains nine bulletins. Five of those are categorized as critical:
- MS09-037: Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908)
- MS09-038: Vulnerabilities in Windows Media File Processing Could Allow Remote Code Execution (971557)
- MS09-039: Vulnerabilities in WINS Could Allow Remote Code Execution (969883)
- MS09-043: Vulnerabilities in Microsoft Office Web Components Could Allow Remote Code Execution (957638)
- MS09-044: Vulnerabilities in Remote Desktop Connection Could Allow Remote Code Execution (970927)

and the other four as important:
- MS09-036: Vulnerability in ASP.NET in Microsoft Windows Could Allow Denial of Service (970957)
- MS09-040: Vulnerability in Message Queuing Could Allow Elevation of Privilege (971032)
- MS09-041: Vulnerability in Workstation Service Could Allow Elevation of Privilege (971657)
- MS09-042: Vulnerability in Telnet Could Allow Remote Code Execution (960859)

A new version of the Microsoft Windows Malicious Software Removal Tool was released too.

More information about the update and its contents can be read here.

For consumers the easiest way to get the update is to use the Microsoft Update service.

Twitter Suspending Malware Affected Accounts

Twitter has released a status message in which they state that they are suspending a number of accounts that have been affected by malware. Users of compromised accounts will be sent instructions on how to restore access.

The reason behind the suspensions appears to be a Koobface variant and hacked accounts in general, states Mashable, which received the following response to its inquiry about the compromised Twitter accounts:
“Unfortunately, it appears to be a number of groups working together; some phished accounts, a sprinkling of hacked accounts — but a large percentage of accounts affected appear to have a Koobface/Win32 variant. We’re attempting to identify the precise variants affecting these folks but have been pushing out notifications to those affected as is.”

Thursday, August 6, 2009

Java SE 6 Update 15 Available

Sun has released an update for the Java SE Runtime Environment (JRE) 6. The JRE allows end users to run Java applications. The latest update can be downloaded from Sun's Java SE Downloads site.

More information about contents of the update can be read from Release Notes of Java SE 6 Update 15.

Java users are advised to update to the latest version available.

Tuesday, August 4, 2009

New Updates For Supported Firefox Versions Available

Mozilla has released new updates for Firefox 3.5.x and the older 3.0.x versions. Version 3.5.2 fixes six vulnerabilities, of which four are categorized as critical, one as moderate and one as low. Update 3.0.13, meant for the older 3.0.x series, fixes three vulnerabilities, of which two are categorized as critical and one as moderate.

The update can be obtained using Firefox's built-in updater or by downloading it manually.

Download links and related extra information:
Release notes for 3.5.2 version
Release notes for 3.0.13 version

Saturday, August 1, 2009

Batch Of Security Updates From Adobe

Adobe has released new security updates for its Flash Player, Shockwave Player and Adobe Acrobat and Reader applications.

Affected Flash Player versions are 9.0.159.0 and 10.0.22.87 and earlier 9.x and 10.x versions. More information can be found here and here.

Affected Shockwave Player versions are 11.5.0.600 and earlier, on Windows only. More information.

Affected Adobe Acrobat and Reader versions are 9.1.2 and earlier 9.x versions. More information.

It's recommended to update affected versions to the latest ones available. Instructions for updating can be found in the links listed above.

Tuesday, July 28, 2009

Two Security Updates From Microsoft

Microsoft has released two out-of-band security bulletins outside their normal monthly patch cycle:
MS09-034: Cumulative Security Update for Internet Explorer (972260)
MS09-035: Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706)

The MS09-034 update is categorized as critical, while MS09-035 is categorized as moderate.

Updated security bulletin summary for July 2009 can be found here.

Thursday, July 23, 2009

Unpatched Vulnerabilities In Adobe Reader, Acrobat And Flash Player

Adobe has published a security advisory regarding a critical unpatched vulnerability in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems, and in the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems.

Adobe expects to provide an update for Flash Player v9 and v10 for Windows, Macintosh, and Linux by July 30, 2009 (the date for Flash Player v9 and v10 for Solaris is still pending). They expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows and Macintosh by July 31, 2009 (the date for Adobe Reader for UNIX is still pending).

While waiting for the update users may mitigate the threat by following the instructions given in the advisory.

Adobe will release updated information in its Adobe Product Security Incident Response Team blog.

Update For Firefox 3.0.x Available

Mozilla has released a new update for the older 3.0.x series of its web browser. Version 3.0.12 fixes six vulnerabilities, of which five are categorized as critical and one as important.

The update can be obtained using Firefox's built-in updater or by downloading it here.

Mozilla continues to support the Firefox 3.0.x series with security and stability updates until January 2010. All users are recommended to upgrade to Firefox 3.5.

Version 3.0.12 Release Notes

Tuesday, July 21, 2009

Malicious Spam Spread Under Swine Flu Theme

Swine flu is one of the biggest discussion topics in the world at the moment, and criminals are taking advantage of this too. F-Secure reports about a malicious file spreading in emails. The file is named Novel H1N1 Flu Situation Update.exe and its icon is made to look like a Word document. When opened, the file creates a few new files, of which the executables contain backdoor functionality, including a keylogger.

Friday, July 17, 2009

Firefox Version 3.5.1 Available

Mozilla has released an update for its Firefox web browser. The new version contains a fix for a vulnerability in the Just-in-time (JIT) JavaScript compiler. The affected version is Firefox 3.5.

The update can be obtained through the browser's built-in updater or from the Firefox download site.

Release notes for Firefox 3.5.1

Wednesday, July 15, 2009

Unpatched Vulnerability In Firefox 3.5

An unpatched vulnerability has been found in Firefox 3.5. The vulnerability exists in the Just-in-time (JIT) JavaScript compiler and can be used to execute malicious code. To exploit it, an attacker has to trick the user into opening a specially crafted web page containing the exploit code.

Mozilla offers two methods to work around the problem until a patch is available:
1) Temporarily disabling the javascript.options.jit.content setting in about:config
2) Windows users can disable the JIT by running Firefox in Safe Mode. This can be done by selecting Mozilla Firefox (Safe Mode) from the Mozilla Firefox folder.

A third method would be to disable JavaScript by default using the NoScript add-on for Firefox.

More information:
http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/
http://isc.sans.org/diary.html?storyid=6796
http://www.h-online.com/security/First-Zero-Day-Exploit-for-Firefox-3-5--/news/113761

Updates For July From Microsoft

Microsoft has released security updates for July. The release contains six bulletins. Three of those are categorized as critical:
- MS09-029: Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution (961371)
- MS09-028: Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution (971633)
- MS09-032: Cumulative Security Update of ActiveX Kill Bits (973346)

and the other three as important:
- MS09-033: Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege (969856)
- MS09-031: Vulnerability in Microsoft ISA Server 2006 Could Cause Elevation of Privilege (970953)
- MS09-030: Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution (969516)

A new version of the Microsoft Windows Malicious Software Removal Tool was released too.

More information about the update and its contents can be read here.

For consumers the easiest way to get the update is to use the Microsoft Update service.

Tuesday, July 14, 2009

Critical Patch Update From Oracle

Oracle has released updates that contain fixes for 30 different security vulnerabilities. The fixes are part of the company's quarterly Critical Patch Update (CPU). Of the fixes, 10 are for Oracle Database, two for Oracle Secure Backup, two for Oracle Application Server, five for Oracle E-Business Suite and Applications, two for Oracle Enterprise Manager, three for PeopleSoft Enterprise and JD Edwards Suite, one for Oracle Siebel Suite and five for the BEA Products Suite.

The exact list of vulnerabilities and instructions on how to apply the fixes can be found in Oracle's Critical Patch Update Advisory.

Oracle plans to release the next Critical Patch Update on 13 October 2009.

Vulnerability In Microsoft Office Web Components

Microsoft is investigating a privately reported vulnerability in Microsoft Office Web Components. If successfully exploited, the vulnerability could give an attacker the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention.

Affected products are:
- Microsoft Office XP Service Pack 3
- Microsoft Office 2003 Service Pack 3
- Microsoft Office XP Web Components Service Pack 3
- Microsoft Office 2003 Web Components Service Pack 3
- Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1
- Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3
- Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3
- Microsoft Internet Security and Acceleration Server 2006
- Internet Security and Acceleration Server 2006 Supportability Update
- Microsoft Internet Security and Acceleration Server 2006 Service Pack 1
- Microsoft Office Small Business Accounting 2006

Customers may prevent the Microsoft Office Web Components from running in Internet Explorer either manually, using the instructions in the Workaround section of the advisory, or automatically, using the solution found in Microsoft Knowledge Base Article 973472.


More information:
Microsoft Security Response Center (MSRC) Blog
Microsoft Security Research & Defense Blog

Thursday, July 9, 2009

Version 4.0.2 For Safari Available

Apple has released version 4.0.2 of its Safari web browser. The new version fixes two vulnerabilities:
* WebKit
CVE-ID: CVE-2009-1724
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack
Description: An issue in WebKit's handling of the parent and top objects may result in a cross-site scripting attack when visiting a maliciously crafted website. This update addresses the issue through improved handling of parent and top objects.

* WebKit
CVE-ID: CVE-2009-1725
Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A memory corruption issue exists in WebKit's handling of numeric character references. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of numeric character references. Credit to Chris Evans for reporting this issue.


Windows version users can get the latest version from Apple Downloads.

Monday, July 6, 2009

Vulnerability In Microsoft DirectShow

A vulnerability has been found in the msvidctl component of Microsoft DirectShow. According to CSIS, the vulnerability is being actively exploited through drive-by attacks using thousands of newly compromised web sites.

There isn't a patch available for the vulnerability yet. As a workaround, the vulnerable msvidctl.dll component can be stopped from running in Internet Explorer by setting a kill bit for it with the following registry fix (it's recommended to always back up the registry before making any modifications):

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400


More information:
Sans
SecurityFocus
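As an added example for the workaround above (written for this post, not Microsoft's tooling), the Python below audits an exported registry file and lists the ActiveX controls whose kill bit is actually set. Bit 0x400 of the "Compatibility Flags" value is the kill bit, which is why the fix writes dword:00000400. The .reg text is a constructed sample: it reuses the msvidctl CLSID from the fix and adds an all-zero placeholder CLSID (not a real control) that carries only an unrelated flag, so the audit has something to reject.

```python
import re

KILL_BIT = 0x400  # "Compatibility Flags" bit that stops IE from loading the control

# Constructed sample in Windows Registry Editor export format. The first key
# is the msvidctl CLSID from the post; the second is a placeholder CLSID.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-000000000000}]
"Compatibility Flags"=dword:00000001
"""

# A key line under ...\ActiveX Compatibility\{GUID}
_KEY_RE = re.compile(
    r"^\[.*\\ActiveX Compatibility\\"
    r"(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})\]\s*$")
# The DWORD value line that follows it
_FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{8})\s*$')


def parse_compat_flags(reg_text: str) -> dict:
    """Map CLSID -> integer Compatibility Flags value from a .reg export.
    Value lines are attributed to the most recent [key] line seen."""
    flags = {}
    current = None
    for line in reg_text.splitlines():
        key = _KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
            continue
        value = _FLAGS_RE.match(line)
        if value and current:
            flags[current] = int(value.group(1), 16)
    return flags


def kill_bit_set(flags_value: int) -> bool:
    """True if the kill bit is among the flags (other bits may also be set)."""
    return bool(flags_value & KILL_BIT)


def killed_clsids(reg_text: str) -> list:
    """Sorted list of CLSIDs in the export whose kill bit is set."""
    return sorted(clsid for clsid, value in parse_compat_flags(reg_text).items()
                  if kill_bit_set(value))


if __name__ == "__main__":
    for clsid, value in parse_compat_flags(SAMPLE_REG_EXPORT).items():
        state = "kill bit SET" if kill_bit_set(value) else "kill bit not set"
        print(f"{clsid}  flags=0x{value:08X}  {state}")
```

The same check can be run against the live registry on Windows by reading the value with the winreg module instead of parsing an export; the bit test in kill_bit_set is what matters, since the flags value may carry other compatibility bits alongside 0x400.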

Saturday, July 4, 2009

Waledac Independence Day Theme Campaign In The Wild

There's a Waledac campaign going on with an Independence Day theme. According to Websense, the malicious email messages use subjects and content related to Independence Day, the Fourth of July and fireworks shows.

The malicious web sites in the current attack also have a July 4 or fireworks theme in the domain name. The sites look like YouTube with a video on them. When the user clicks the video, (s)he is offered an .exe file that would install the latest variant of Waledac.

Source

Thursday, July 2, 2009

Firefox 3.5 Released

Mozilla released version 3.5 of its popular Firefox web browser on Tuesday 30 June. The new version contains lots of improved features, and some new ones are included too. More about the features can be read here.

The new version is available for download here.

Monday, June 29, 2009

Malware Riding on Michael Jackson's Death

The tragic death of Michael Jackson, the "King of Pop", has given bad guys an opportunity to take advantage of the situation. The most recent attacks try to make news-hungry users install an IRC bot with backdoor capability on their systems.

Michael Jackson Malware

Michael Jackson Video Leads to Malware Download

Wednesday, June 24, 2009

New Version of Shockwave Player Available

A new version of Adobe Shockwave Player has been released. Version 11.5.0.600 fixes a critical vulnerability which could allow an attacker to take control of the affected system.

Adobe recommends Shockwave Player users on Windows uninstall Shockwave version 11.5.0.596 and earlier on their systems, restart, and install Shockwave version 11.5.0.600.

More information:
Adobe's security bulletin
Secunia advisory

Vulnerability In Google Chrome

A vulnerability has been found in the Google Chrome web browser:
CVE-2009-2121: Buffer overflow processing HTTP responses
Google Chrome is vulnerable to a buffer overflow in handling certain responses from HTTP servers. A specially crafted response from a server could crash the browser and possibly allow an attacker to run arbitrary code.


The vulnerability is categorized as critical and affects users of Google Chrome versions below 2.0.172.33. Users of vulnerable versions can update browser to patched version with in-built automatic updater or alternatively install new version from Google Chrome homepage.

More info here.

Saturday, June 20, 2009

Security Update For Foxit Reader Available

Foxit Software has released an update to Foxit Reader 3.0 that fixes the following two vulnerabilities:
1. Fixed a problem related to a negative stream offset (in a malicious JPEG2000 stream) which caused reading data from an out-of-bound address. We have added guard code to solve this issue.
2. Fixed a problem related to error handling when decoding a JPEG2000 header: an uncaught fatal error resulted in a subsequent invalid address access. We added error handling code to terminate the decoding process.

Instructions for updating are provided here.
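As an added illustration (my own code, not Foxit's), the two fixes described above correspond to a bounds-checked stream read and to error handling that stops decoding when a read fails. The stream layout, the function names and the 16-byte sample input are constructed for this example and are not taken from Foxit Reader.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a decoder's in-memory JPEG2000 stream. */
typedef struct { const uint8_t *base; size_t len; } stream_t;
/* The reported bug class: memcpy(out, s->base + offset, n) with an offset taken
 * straight from the file, so a negative or oversized offset reads outside the
 * buffer. This version validates the request first; returns 1 on success, 0 if rejected. */
int stream_read_checked(const stream_t *s, long offset, size_t n, uint8_t *out)
{
    if (s == NULL || out == NULL) return 0;
    if (offset < 0) return 0;                    /* negative offset */
    if ((size_t)offset > s->len) return 0;       /* start already past the end */
    if (n > s->len - (size_t)offset) return 0;   /* cannot underflow after the line above */
    memcpy(out, s->base + offset, n);
    return 1;
}

/* Reads a big-endian 32-bit header field via the checked reader. A failed read
 * stops decoding (returns 0) instead of continuing: the second fix's pattern. */
int read_be32_field(const stream_t *s, long offset, uint32_t *value)
{
    uint8_t b[4];
    if (!stream_read_checked(s, offset, sizeof b, b)) return 0;
    *value = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16)
           | ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
    return 1;
}

/* Constructed 16-byte sample: a length field (16), the bytes FF4F FF51 (JPEG2000
 * SOC and SIZ marker codes), then filler. Not a real JPEG2000 file. */
static const uint8_t SAMPLE[16] = { 0x00, 0x00, 0x00, 0x10, 0xFF, 0x4F, 0xFF, 0x51,
                                    1, 2, 3, 4, 5, 6, 7, 8 };
stream_t sample_stream(void) { stream_t s = { SAMPLE, sizeof SAMPLE }; return s; }

/* Wrappers over the sample: 1/0 for a raw read; field value or -1 for a header field. */
int sample_read_ok(long offset, size_t n)
{
    uint8_t out[16]; stream_t s = sample_stream();
    return n <= sizeof out && stream_read_checked(&s, offset, n, out);
}
long long sample_be32(long offset)
{
    uint32_t v; stream_t s = sample_stream();
    return read_be32_field(&s, offset, &v) ? (long long)v : -1;
}

int main(void)
{
    printf("offset -1, 4 bytes: %s\n", sample_read_ok(-1, 4) ? "read" : "rejected");
    printf("offset 13, 4 bytes: %s\n", sample_read_ok(13, 4) ? "read" : "rejected");
    printf("field at 4: 0x%llX\n", (unsigned long long)sample_be32(4));
    return 0;
}
```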

Thursday, June 18, 2009

Nine-Ball Compromises more than 40,000 Legitimate Web Sites

Websense reports on a large mass-injection attack that has so far compromised thousands of web sites. "We have been tracking the Nine-Ball mass compromise since 6/03/2009. To date, over 40,000 legitimate Web sites have been compromised with obfuscated code that leads to a multi-level redirection attack, ending in a series of drive-by exploits that if successful install a trojan downloader on the user's machine", writes Websense.

This is the third time within a short period that a large number of web sites has been compromised. The two earlier mass injections were Gumblar and Beladen.

Friday, June 12, 2009

New Firefox Update Available

Mozilla has released a new version of its Firefox web browser. Version 3.0.11 contains fixes for nine vulnerabilities, of which four are rated critical, one high, two moderate and two low.

The update can be obtained through the browser's built-in updater or from the Firefox download site.

Release Notes for Firefox 3.0.11

Wednesday, June 10, 2009

Updates For Adobe Reader & Acrobat Available

Adobe has released updated versions of Adobe Reader and Acrobat. Versions 9.1.1 and older contain vulnerabilities that would cause the application to crash and could potentially allow an attacker to take control of the affected system.

Adobe has categorized the update as critical and recommends that users of Adobe Reader/Acrobat update their versions to 9.1.2, 8.1.6 or 7.1.3. At the moment, updated versions are available for Windows and Macintosh platforms. Security updates for Adobe Reader on the UNIX platform are expected to be available on June 16, 2009.

More information about the vulnerabilities and update instructions can be found in the corresponding security bulletin.

Updated Version Of Apple Safari Available

Apple has released an updated version of its Safari web browser that fixes multiple vulnerabilities. Some of them allow an attacker to run arbitrary code on the target system.

Affected are Apple Safari versions prior to 4.0 for Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, and Windows XP or Vista.

Users of affected versions should update by getting the updated version here.

More information can be read in the corresponding support document.

Tuesday, June 9, 2009

Microsoft Security Update For June 2009

Microsoft has released its security update package for June. This time the vulnerabilities are fixed with ten separate update packages, of which six are rated critical, three important and one moderate.

A new version of the Microsoft Windows Malicious Software Removal Tool was released too.

More information about the update and its contents can be read here.

For consumers the easiest way to get the update is to use the Microsoft automatic update service.

Friday, June 5, 2009

FTC Shuts Down Web Hosting Firm

The US Federal Trade Commission (FTC) has shut down the web hosting provider Pricewert, which operated at least under the names 3FN and APS Telecom. The FTC states that Pricewert was a criminal ISP that sold services to other cyber criminals. The company hosted botnet servers and also helped in distributing spam, child pornography and rogue antivirus products.

It's not clear yet what effect the shutdown will have. A similar shutdown happened last November when the network provider McColo was taken offline; that time spam volumes decreased a lot. Though 3FN was a major provider for the Cutwail spam botnet, it's possible that the criminals have learnt their lesson and have programmed the botnet to use backup command servers.

More on the subject:
Washington Post article
The Register article
Court documents

Thursday, June 4, 2009

Rogue Software Campaigned In Twitter

PandaLabs writes in its blog about rogue software campaigns that cyber-criminals are running on Twitter. In the attack, criminals use zombie Twitter accounts to post messages containing URL links. Clicking these links starts a series of redirections that finally ends up at malware-serving websites.

Yesterday, all links were posted in messages under the "PhishTube Broadcast" topic. However, a new PandaLabs blog entry states that over the past 24 hours the Twitter-trends-based attack has expanded to several thousand tweets targeting trending topics on Twitter, and the figures keep rising.

Tuesday, June 2, 2009

Security Updates For Apple iTunes And QuickTime

Apple has released new versions of its iTunes and QuickTime products. iTunes 8.2 fixes a vulnerability that could cause an unexpected application termination or execution of arbitrary code if a maliciously crafted website is visited. QuickTime 7.6.2 in turn fixes ten vulnerabilities that could all lead to an unexpected application termination or execution of arbitrary code.

New versions can be downloaded and installed from Apple Downloads.

Sunday, May 31, 2009

The Most Dangerous Search Terms

Security company McAfee has researched the most dangerous search terms, using more than 2,500 popular keywords. The report shows that the chances of ending up on a malicious site are highest with terms like "free music downloads" or "screensaver". The most dangerous search terms varied a lot between countries.

The report can be viewed here.

Friday, May 29, 2009

Vulnerability In DirectShow Component Of DirectX

A vulnerability has been found in the DirectShow component of Microsoft DirectX. The vulnerability is related to the handling of QuickTime media files. By luring a user to open a specially crafted QuickTime media file, an attacker may be able to execute arbitrary code on the target system. According to Microsoft, the vulnerability has been exploited in attacks.

Affected software:
* Windows 2000 SP4, DirectX 7.0, 8.1 and 9.0 versions
* Windows XP SP2 and SP3, DirectX 9.0 version
* Windows Server 2003 SP2, DirectX 9.0 version

Microsoft says that the vulnerability doesn't affect any version of Windows Vista or Windows Server 2008.

More information (including available workarounds) can be read in the corresponding Microsoft Security Advisory.

Thursday, May 28, 2009

MessageLabs Intelligence Report: May 2009

MessageLabs has published its Intelligence Report summing up the latest threat trends for May 2009.

Report highlights:
• Spam – 90.4% in May (an increase of 5.1% since April)
• Viruses – One in 317.8 emails in May contained malware (a decrease of 0.01% since April)
• Phishing – One in 279.0 emails comprised a phishing attack (an increase of 0.11% since April)
• Malicious websites – 1,149 new sites blocked per day (a decrease of 67.7% since April)
• Spammers continue to abuse reputable domains and web-based malware more likely to be found on older domains
• Geographic location determines at what time of day you receive spam
• “Russian” spam squarely rooted in Cutwail botnet

The report can be found here.

Monday, May 25, 2009

Scammers Fool P2P Users With Fake P2P Download Booster

What would be attractive enough to trick heavy P2P users? Of course, a program that makes it possible to download torrents faster than normal. Scammers are taking advantage of that and posting spam messages to torrent forums advertising a Bittorrentbooster program that they say will take download speeds to a totally new level. In truth the program doesn't improve download speeds at all but installs an aggressive advertising program.

Full story here.

Sunday, May 24, 2009

Gumblar Worm Targeting Google Users Spreads Fast

"A computer virus that targets Google users is mutating rapidly, turning it into what some are calling the biggest threat to online security today," writes The Guardian.

The Gumblar worm exploits vulnerabilities in unpatched versions of Adobe PDF Reader and Flash Player. After infecting the system, the worm redirects the victim's Google search results to sites that serve malware or let criminals carry out "phishing" attacks to steal login details.

The worm has been spreading for a while already, but recently its authors changed the attack method so that the malicious code is downloaded from a China-based website. New techniques have also been developed to keep the worm from being detected.

According to security company Sophos, the spread of Gumblar has more than doubled in a week. The worm was responsible for 42% of all cases of malicious code found on websites.

US-CERT has issued a related warning about Gumblar. Security company ScanSafe recommends that people concerned about the security of their own sites visit a third-party site called "Unmask Parasites".

Thursday, May 21, 2009

Possible Vulnerability In Microsoft Internet Information Server (IIS)

Microsoft says that it's investigating reports of a possible vulnerability in Microsoft IIS. "An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests. An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that typically requires authentication."

More information:
http://www.microsoft.com/technet/security/advisory/971492.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1535
http://www.auscert.org.au/render.html?it=11001
http://isc.sans.org/diary.html?storyid=6397
http://www.milw0rm.com/exploits/8704

Friday, May 15, 2009

Rogue Antivirus Program Takes System A Hostage

McAfee writes in its blog about a fake antivirus program, branded as System Security 2009 and detected as FakeAlert-CO, that disables the ability to run any application if the user doesn't pay to activate the rogue. The user is offered two subscription types: a 2-year license for $49.95 or a lifetime support license at a "discount". The rogue product's website is made to look professional in order to make the user more convinced.

Removal of the rogue is tricky since it doesn't offer a remove option and it doesn't appear in the Add/Remove Programs window. Removal has to be done by rebooting the system into safe mode and removing it there.

Wednesday, May 13, 2009

Adobe Reader & Acrobat Updates Available

Adobe has released fixes for two vulnerabilities which were reported a few weeks ago.

Instructions for updating can be found in the corresponding Adobe security bulletin.

Tuesday, May 12, 2009

Security Update Of May 2009 From Microsoft

Microsoft has released an update (MS09-017) that fixes 14 vulnerabilities in Microsoft Office PowerPoint. The update is categorized as critical. By luring a user to open a specially crafted PowerPoint file, an attacker may be able to execute arbitrary code on the target system.

A new version of the Microsoft Windows Malicious Software Removal Tool was released too.

More information about the update can be read here.

For consumers the easiest way to get the update is to use the Microsoft automatic update service.

Saturday, May 9, 2009

PDF Most Used File Type In Targeted Attacks At The Moment

F-Secure has published in its weblog some results on the file types used in targeted attacks.

In 2008 they identified about 1,968 targeted attack files. The most popular file type was DOC (Microsoft Word) with 34.55% of the files; the second most common was PDF (Adobe Acrobat Reader) with a 28.61% share. This year, F-Secure has discovered 663 targeted attack files, and the most common file type has been PDF with 48.87% of the files. DOC is now second with a 39.22% share.

According to F-Secure, the explanation for this is mainly that Adobe Acrobat & Reader have had more vulnerabilities than the Microsoft Office applications. Two vulnerabilities are still waiting for a patch; Adobe expects to have the fixing updates ready by May 12th, 2009.

F-Secure's video about targeted attacks can be watched on YouTube.

Wednesday, May 6, 2009

Adobe Flash Media Server Vulnerability

A potential vulnerability has been found in Adobe Flash Media Server. This RPC (remote procedure call) execution issue could potentially allow an attacker to execute remote procedures within a server-side ActionScript file running on Flash Media Server.

The vulnerability affects Adobe Flash Media Streaming Server 3.5.1, Adobe Flash Media Interactive Server 3.5.1 and earlier.

To resolve the issue, Flash Media Server administrators should install the Flash Media Server 3.5.2 or 3.0.4 update.

The related Adobe security bulletin can be read here.

Tuesday, May 5, 2009

Taking Over The Torpig Botnet - Report

Researchers at the University of California, Santa Barbara have published a report on their ten-day takeover of the Torpig (a.k.a. Sinowal, Anserin) botnet, which took place at the beginning of 2009. Over this period, they observed more than 180 thousand infections and recorded more than 70 GB of data that the bots collected.

The collected data contained, among other things, over 1,200,000 Windows passwords, over 54,000 mailbox account items and nearly 12,000,000 form data items, i.e. the contents of HTML forms submitted via POST requests by the victim's browser.

Even more severe is that Torpig obtained the credentials of over 8,310 accounts at 410 different financial institutions and 1,660 unique credit and debit card numbers.

"Quantifying the value of the financial information stolen by Torpig is an uncertain process because of the characteristics of the underground markets where it may end up being traded. A report by Symantec indicated (loose) ranges of prices for common goods and, in particular, priced credit cards between $0.10–$25 and bank accounts from $10–$1,000. If these figures are accurate, in ten days of activity, the Torpig controllers may have profited anywhere between $83k and $8.3M"

The complete report can be found here.
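As an added check of the quoted bounds (my own arithmetic, not part of the report), multiplying the counts above by the Symantec price ranges reproduces the two figures, and shows that the bank accounts account for almost all of both:

$$
\text{low} = 1{,}660 \times \$0.10 + 8{,}310 \times \$10 = \$166 + \$83{,}100 = \$83{,}266 \approx \$83\text{k}
$$

$$
\text{high} = 1{,}660 \times \$25 + 8{,}310 \times \$1{,}000 = \$41{,}500 + \$8{,}310{,}000 = \$8{,}351{,}500 \approx \$8.3\text{M}
$$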

Monday, May 4, 2009

Time for PDF Reader Change

All these exploits targeting vulnerabilities in Adobe Reader make many of us wonder whether the time is right for a PDF reader change. It certainly is. There are lots of different alternatives available to the popular Adobe Reader. Not only are they more secure, but they are also much smaller in size than the most famous one. I made the decision to switch to a lighter solution a few years ago when Adobe's product seemed to grow larger and larger.

What product am I using then? Well, instead of telling, I'll give a link to a site with a list of free software PDF readers: http://pdfreaders.org/ :-) Not on the list, but still a good alternative, is Foxit Reader from Foxit Software. If you're going to install Foxit Reader, be careful with the options during the install, or you may end up with the Foxit Toolbar installed. To avoid this, uncheck all three boxes on the "Foxit Toolbar powered by Ask.com" screen during the install.

Wednesday, April 29, 2009

Vulnerabilities In Adobe Reader & Adobe Acrobat

Adobe warns about two vulnerabilities in its Adobe Reader and Acrobat products. The vulnerabilities are related to the handling of the getAnnots() and customDictionaryOpen() JavaScript calls. They can be exploited by luring a user to open a specially crafted PDF file; successful exploitation makes it possible to execute arbitrary code on the target system.

Vulnerable versions are:
* Adobe Reader and Acrobat 9.1 and earlier versions (Windows, Unix, Mac)
* Adobe Reader and Acrobat 8.1.4 and earlier versions (Windows, Unix, Mac)
* Adobe Reader and Acrobat 7.1.1 and earlier versions (Windows, Mac)

Currently, there's no update available, nor a schedule for one. Adobe recommends disabling JavaScript support in its products until the update is available and installed.

Disabling can be done by following these steps:
1. Launch Acrobat or Adobe Reader.
2. Select Edit>Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK

Opening PDF documents received or found from dubious sources should be avoided.

More information can be found here.