November 2006 - Posts

New Adobe vulnerability (NEW)

Published: 2006-11-29,
Last Updated: 2006-11-29 18:34:37 UTC by Toby Kohlenberg (Version: 1)

Frank Klein has written to let us know that there are new vulnerabilities in Adobe Acrobat and Acrobat Reader that have the potential for code execution as a result of incorrect argument handling in the ActiveX control for IE. There is no patch currently available and Adobe is offering a mitigation of deleting the control. FrSIRT has provided a kill bit option that you can set that should disable the control.

The vulnerable versions are:
Adobe Standard, Reader & Professional 7.0.0 - 7.0.8

http://www.frsirt.com/english/advisories/2006/4751
http://www.adobe.com/support/security/advisories/apsa06-02.html

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

BuddyProfile used to spread exploits


Alright, back to the doom and gloom! ;)

A little background info - BuddyProfile.com is a site meant to allow you to spiff up your Buddy Profile for AOL Instant Messenger (AIM). It seems to be popular with a youngish teenage audience; it’s in the top 100,000 sites according to Alexa. It’s this particular fact which makes all the drama that follows just that more disturbing.

The basic problem is one we’ve seen before - When users are free to add their own HTML content with minimal restrictions, people will find a way to add objectionable content like malware and adware.
A SiteAdvisor crawl today turned up profiles on BuddyProfile.com that immediately redirect the visitor to an adult site; that site in turn points to a file detected as Exploit-ANIfile, which is being used to install Adware-PestTrap, which then displays “security warnings” to the user.
Just to recap:

  1. Popular site, frequented by a large number of kids
  2. Allows users to add their own HTML content
  3. HTML content is being used on profiles to redirect people browsing this site (presumably said kids) to porn and surreptitiously-installed adware programs

Yuck. Seriously.
I think one of our Site Advisor researchers, Harry Sverdlove, put it best. He likened sites allowing users to embed their own HTML content into profile pages to restaurants letting people bring in their own food to be served to everyone:

“I’ll take the salmonella and the botulism ‘to go’ please.”

Computer Security Research - McAfee Avert Labs Blog.

Backdoor Trojans significant and tangible threat to Windows users - MS Antimalware Team

Published: 2006-11-26,
Last Updated: 2006-11-26 17:04:40 UTC by Patrick Nolan (Version: 1)

Windows Malicious Software Removal Tool: Progress Made, Trends Observed is a paper published in early November by the Microsoft Antimalware Team giving a "perspective of the malware landscape based on the data collected by the MSRT". The tool, by default, "only looks for malware that are currently running or linked to through an auto-start point, such as in the registry".

Anyone with network security monitoring or malware IR responsibilities should consider giving it a read. Some highlights (ymmv) include:

"Backdoor Trojans" .... "are a significant and tangible threat to Windows users."

"Out of the 5.7 million computers cleaned, the MSRT has removed a backdoor Trojan from over 3.5 million (62%) of them." "Bots, a sub-category of backdoor Trojans" ..... "represent a majority of the removals." Rbot, Sdbot, and Gaobot "compose three of the top five slots in terms of total number of removals."

"The increase in Win32/Rbot removals is due to a large number of variants of that malware family being added to the MSRT each release. On average, approximately 2,000 new variants of Win32/Rbot have been added to the tool each month."

Correlations in the paper:

"The largest correlation shown" .... "is between rootkits and backdoor Trojans. In approximately 20% of the cases in which a rootkit was found on a computer, at least one backdoor Trojan was found as well. This emphasizes the trend of a large number of rootkits being distributed or leveraged by backdoor Trojans."  (handler emphasis/bold). "The percentages are also high between P2P worms and backdoor Trojans and IM worms and backdoor Trojans. The high values here are also expected given that many P2P worms and IM worms will often drop bots on the computer when they are run."

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Zero day Warezov
Posted by Mikko @ 09:52 GMT

We've been busy with the latest spam runs of the Warezov family over the last hours.

We've added detection for the following variants, and there are probably more on the way:

  W32/Warezov.HB
  W32/Warezov.HC
  W32/Warezov.HD
  W32/Warezov.HE
  W32/Warezov.HF
  W32/Warezov.HG
  W32/Warezov.HH
  W32/Warezov.HI
  W32/Warezov.HJ


Updated to add: New domain - RXFF - See the list.

F-Secure : News from the Lab - November of 2006.


Reverse Cross-Site Request (RCSR) vulnerability (NEW)

Published: 2006-11-22,
Last Updated: 2006-11-22 14:43:18 UTC by Adrien de Beaupre (Version: 1)

A new vulnerability in Firefox has recently been disclosed. The password saving functionality of Firefox can be exploited to expose saved usernames and passwords to other sites, such as blog sites or any page that accepts user input. The proof of concept page shows the username and password in a Google URL. The researchers are calling it a Reverse Cross-Site Request (RCSR) vulnerability. The advisory appears here. This attack vector appears to also affect Internet Explorer.

Bugzilla link.

Mozilla has apparently been advised of the vulnerability; there is currently no vendor patch. The workaround in this particular case is never to let Firefox save passwords for any web site. The option is under Tools, Options, Security. Here is a link showing how to disable it.

Thanks to our reader Carsten for letting us know.

Cheers,
Adrien de Beaupre

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Time to get patching!!

“Microsoft is aware of public proof of concept code targeting the vulnerability addressed by security update MS06-070. At this time Microsoft has not seen any indications of active exploitation of the vulnerability. Microsoft has activated its emergency response process and is continuing to investigate this public report.

Microsoft continues to recommend that customers apply the November updates as soon as possible with additional urgency and consideration given to the update detailed in MS06-070. Customers can ensure that the updates are being installed by enabling the Automatic Updates feature in Windows or by using their deployment infrastructure in their enterprise or small business.”

********************************************************************

Title: Microsoft Security Advisory Notification

Issued: November 16, 2006

********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (928604)

- Title: Exploit Code Published Affecting the Workstation Service on Windows 2000

- http://www.microsoft.com/technet/security/advisory/928604.mspx

- Revision Note: Advisory published.

********************************************************************

Exploit-CVE2006-5198

This detection covers exploits targeting a WinZip FileView ActiveX Control vulnerability that can result in the execution of arbitrary code.

As this threat utilizes script in order to carry out exploitation, VirusScan's ScriptScan component, or a gateway scanner, is required for the DAT files to offer protection from this threat. Identification is available via other DAT consuming scanners.

For more details on the vulnerability that is exploited by this threat, see:
http://www.winzip.com/wz7245.htm

Exploit-CVE2006-5198.

Bloodhound.Exploit.99
Discovered: November 16, 2006
Updated: November 16, 2006 11:23:20 AM PST
Type: Trojan Horse, Virus, Worm
Systems Affected: Windows 2000, Windows XP
CVE References: CVE-2006-4691


Bloodhound.Exploit.99 is a heuristic detection for the Microsoft Windows Workstation Service Could Allow Remote Code Execution Vulnerability, (as described in Microsoft Security Bulletin MS06-070).

Bloodhound.Exploit.99 - Symantec.com.

Honeypot Mirroring .edu domains under .eu / Active Threat (NEW)

Published: 2006-11-16,
Last Updated: 2006-11-16 20:50:04 UTC by John Bambenek (Version: 1)


The .eu top-level domain is relatively new and still in its build-up phase, and a co-worker noticed something fun.

When ssh'ing to a local server, he typo'd and finished the DNS name as .eu, it connected with an SSH handshake (it was a new server so the key warning wasn't considered a big deal) and took a password. The individual immediately recognized the problem when the password wasn't accepted and we investigated.

It appears any DNS name at ourdomain.eu would resolve to this machine. Not only that, but the machine in question was hosting at least 7 other domains under .eu that would map to an educational institution. For instance, for a "fake" educational institution at ufoo.edu you could search for ufoo.eu and get a response from this machine.

nslookup www.ufoo.edu
response: 111.222.111.222 (good)

nslookup www.ufoo.eu
response: 200.100.200.100 (bad)

nslookup XXX.ufoo.eu (XXX = anything whether or not it exists on the .edu side)
response: 200.100.200.100 (bad)

It appears that this machine will take anything under certain domains and resolve it, whether or not the DNS name actually exists on your end (i.e. a wildcard).

What it appears, for the moment, is that this machine is running a honeypot to capture passwords from people who typo .edu as .eu. However, with a little ingenuity they could turn this enterprise into something truly evil. Right now it is only running a few token services and the webpage appears to be hosting "non-content". There are some who think this is "legit".

With this many .edu's pointing to the same place, to a box with non-content, I'm not buying it. Incidents like this are a good reason to be cautious, particularly when the mitigation is as non-involved as it is.

Mitigation:

Check your .edu to see if it resolves as an .eu (i.e. nslookup www.yourdomain.eu and see what happens).

If you get 212.79.243.140, they are mirroring your .edu.

Filter that IP in both directions and pursue what other avenues your lawyers think necessary (i.e. lock down the .eu equivalent of your domain).
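The manual nslookup check above, automated as an added example (not code from the diary): it resolves www.<domain>.eu plus a few random labels under the same .eu zone, flags wildcard behaviour when every label lands on one address, and flags mirroring when that address is the one the diary reports. The resolver is injectable so the logic runs offline against constructed answers.

```python
"""Check whether a .edu domain's .eu twin is a wildcard mirror.

Added example, not code from the ISC diary. It automates the manual
procedure: resolve www.<domain>.eu plus random labels under the .eu zone.
If every label answers with a single address the zone is a wildcard; if
that address is the one reported in the diary (212.79.243.140) the .edu
is being mirrored.
"""
import random
import socket
import string
import sys
from typing import Callable, Dict, Optional

HONEYPOT_IP = "212.79.243.140"  # address reported in the diary

Resolver = Callable[[str], Optional[str]]


def system_resolve(name: str) -> Optional[str]:
    """Resolve a name with the system resolver; None if it does not exist."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def eu_zone_for(edu_domain: str) -> str:
    """Map 'www.ufoo.edu', 'ufoo.edu' or 'ufoo' to the .eu zone 'ufoo.eu'."""
    labels = edu_domain.lower().rstrip(".").split(".")
    if labels and labels[-1] == "edu":
        labels = labels[:-1]
    if len(labels) > 1 and labels[0] == "www":
        labels = labels[1:]
    return ".".join(labels) + ".eu"


def probe_eu_mirror(edu_domain: str, resolve: Resolver = system_resolve,
                    probes: int = 3, rng=random) -> Dict[str, object]:
    """Resolve www plus `probes` random labels under the .eu zone and classify."""
    zone = eu_zone_for(edu_domain)
    names = ["www." + zone] + [
        "".join(rng.choice(string.ascii_lowercase) for _ in range(12)) + "." + zone
        for _ in range(probes)
    ]
    answers = {name: resolve(name) for name in names}
    addresses = {ip for ip in answers.values() if ip}
    # Wildcard: labels that cannot exist on the .edu side still resolve,
    # and everything lands on the same address.
    wildcard = all(answers.values()) and len(addresses) == 1
    mirrored = wildcard and addresses == {HONEYPOT_IP}
    return {"zone": zone, "answers": answers, "wildcard": wildcard, "mirrored": mirrored}


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.edu"
    result = probe_eu_mirror(domain)
    for name, ip in result["answers"].items():
        print(f"{name:45s} -> {ip or 'NXDOMAIN'}")
    if result["mirrored"]:
        print(f"{result['zone']} is a wildcard pointing at {HONEYPOT_IP}: your .edu is being mirrored")
    elif result["wildcard"]:
        print(f"{result['zone']} is a wildcard zone, but not the reported host")
    else:
        print(f"{result['zone']} shows no wildcard behaviour")
```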

I'm interested in how wide-spread this is, and would like a report if your .edu is affected.

----
John Bambenek
bambenek /at/ gmail [dot] com

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.


Microsoft patches 11 critical vulnerabilities, one worm candidate


This month, Microsoft has patched 13 vulnerabilities. Among them is one that can be used to create a worm targeting Windows 2000 systems. The MS06-070 Workstation Service vulnerability can be remotely exploited without user interaction. On Windows 2000, no authentication is needed when sending traffic to this service. Details on this vulnerability have been published.
The vulnerabilities in the Internet Explorer DirectAnimation.PathControl ActiveX object and in XML Core Services, both exploited in the wild, have been addressed in this month’s patch cycle.
The update of our graphs of last month is found below. The graphs show that Microsoft is continuing the trend of patching a large number of critical vulnerabilities each month.
[Graphs: Critical vulnerabilities addressed by Microsoft; Important vulnerabilities addressed by Microsoft]


Computer Security Research - McAfee Avert Labs Blog.

********************************************************************

Title: Microsoft Security Bulletin Minor Revisions

Issued: November 16, 2006

********************************************************************

Summary

=======

The following bulletins have undergone a minor revision increment.

Please see the appropriate bulletin for more details.

*MS06-020

*MS06-069

*MS06-071

Bulletin Information:

=====================

- http://www.microsoft.com/technet/security/bulletin/ms06-020.mspx

- Reason for revision: Bulletin revised to call out Microsoft Windows XP Professional x64 Edition as affected software.

- Updated: November 15, 2006

- Bulletin Severity Rating: Critical

- Version: 1.1

- http://www.microsoft.com/technet/security/bulletin/ms06-069.mspx

- Reason for revision: Bulletin revised to clarify that this security update installs Flash6.ocx version 6.0.88.0 and removes the version of Flash.ocx it is replacing.

- Updated: November 15, 2006

- Bulletin Severity Rating: Critical

- Version: 1.1

- http://www.microsoft.com/technet/security/bulletin/ms06-071.mspx

- Reason for revision: Executable name for msxml6 has been updated with correct name and log file has been updated with correct KB number. Additional clarification has also been added to clarify which components of the previous Bulletin this update replaces.

- Updated: November 15, 2006

- Bulletin Severity Rating: Critical

- Version: 1.1

********************************************************************


The 2007 Botnet Package - 0-day + Parasite + Google ?


On Sunday November 5th, we blogged about a 0-day exploit discovered in the wild that was targeting a Microsoft XML Core Services vulnerability. McAfee Avert Labs had been tracking and monitoring the payload deployed by this exploit.

W32/Kibik.a was the detection name assigned on Sunday, which was soon included in the McAfee VirusScan DAT release the following week. With rootkit heuristics, behavioral detection and IP blacklists being the talk of the (security) town in recent years, W32/Kibik.a makes an interesting attempt to survive in this competitive matrix of today.

W32/Kibik.a is a parasite that attaches to Windows Explorer (explorer.exe), even covering the backup copies of explorer.exe in the System Restore, service pack installation and Windows Installer folders, making it hard for victims to restore the original system file. On the process list, explorer.exe has its perfectly legitimate presence; on disk, the infected explorer.exe is no different in file size, because W32/Kibik.a attaches to unused segments of the original file. Behavioral detection products looking for rootkit characteristics or autorun registry keys will find nothing, because there isn’t any rootkit or autorun key.

To make it even more difficult for network administrators to track, W32/Kibik.a sends innocent-looking search requests to Google Blogsearch; only the search keywords, unique hexadecimal strings, are unusual. Google Blogsearch, unlike the Google Web Search we are most familiar with, indexes blog entries via the RSS and Atom feeds published by blog authors, which makes blog content searchable much sooner than with Web search. Once indexed, search results can return dynamic data such as URLs to download or commands to execute in a synchronized manner. At the time of writing, W32/Kibik.a’s searches have not yielded any results.

From silent installation via a 0-day exploit, to silent residence and operation, to virtually silent, innocent-looking Google searches, W32/Kibik.a could well be the start of a new trend in scalable remote-controlled malware (a.k.a. botnets) in 2007. It is no wonder that, with its stealthy elements, few security vendors have detected or repaired W32/Kibik.a to date.

McAfee Avert Labs continues to monitor W32/Kibik.a and other malware using these techniques.

Virus Total Results 11.15.2006

Computer Security Research - McAfee Avert Labs Blog.

Critical security vulnerability in WinZip 10 (NEW)

Published: 2006-11-15,
Last Updated: 2006-11-15 09:40:27 UTC by Bojan Zdrnja (Version: 2)

WinZip Computing released a new build of WinZip 10 that fixes a critical security vulnerability in this popular ZIP program.

The vulnerability exists in an ActiveX component that is shipped with WinZip 10 only (so if you are running previous versions of WinZip you are not affected by this vulnerability). This ActiveX component is marked safe for scripting which means that a remote attacker can exploit it if you visit a web page hosting the exploit.

Build 7245 of WinZip 10 is available at http://www.winzip.com/wz7245.htm. If, for some reason, you cannot upgrade, you should disable the affected ActiveX control (WZFILEVIEW.FileViewCtrl.61) – its CLSID is A09AE68F-B14D-43ED-B713-BA413F034904.

UPDATE:

MS06-067 (http://isc.sans.org/diary.php?storyid=1854) actually addresses this vulnerability as well: besides the other things this update does, it also sets the kill bits for vulnerable ActiveX components.

Thanks to Carl for spotting this.
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System



W32/Realor.worm - Infecting Movies for Fun and Profit


After Exploit-WMF and the umpteen image file format exploits that followed, general computer users should understand that a file not bearing the *.EXE extension is not necessarily safe to view. Malware crafted out of document and media file formats is nothing new, nor is it a threat unique to Windows users. Before Word document 0-days made mainstream news headlines, there were text file exploits. More recently there was Exploit-WinAmpPLS playing a spyware note, and today a Microsoft security advisory for five critical Flash Player vulnerabilities; the music plays on.

Today, McAfee Avert Labs discovered W32/Realor.worm in the wild, actively modifying all Real Media (*.rmvb) files in its path. These “infected” media files launch a malicious web page without prompting as the user views them in the Real media player. Such files can be music or videos hosted on a network drive of corporate presentations, a personal media server, a P2P shared folder, et cetera. When was the last time you hesitated before opening a movie file?

As much as the new world of broadband multimedia presents new channels for entertainment and business, it is as attractive a breeding ground for malware as any other popular application. Whether delivered by a worm, built with tools or hand-crafted, media files are a penetration vector hard to resist for profiteering malware authors. McAfee Avert Labs recognises a rising trend in the manipulation of media files to embed or install malware. Heuristic and generic detections such as New Downloader.b and Generic Downloader.bl are only some of the proactive measures that block such attempts. Internet users are advised to be cautious about sharing media files in a publicly writable folder or viewing media files from unknown sources — as you would with unsolicited e-mails and *.EXE files.


Computer Security Research - McAfee Avert Labs Blog.

********************************************************************

Title: Microsoft Security Advisory Notification

Issued: November 14, 2006

********************************************************************

Security Advisories Updated or Released Today
==============================================

* Microsoft Security Advisory (927892)

- Title: Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution

- http://www.microsoft.com/technet/security/advisory/927892.mspx

- Revision Note: Advisory updated to reflect publication of security bulletin.

* Microsoft Security Advisory (925444)

- Title: Vulnerability in the Microsoft DirectAnimation Path ActiveX Control Could Allow Remote Code Execution

- http://www.microsoft.com/technet/security/advisory/925444.mspx

- Revision Note: Advisory updated to reflect publication of security bulletin.

* Microsoft Security Advisory (925143)

- Title: Adobe Security Bulletin: APSB06-11 Flash Player Update to Address Security Vulnerabilities

- http://www.microsoft.com/technet/security/advisory/925143.mspx

- Revision Note: Advisory updated to reflect publication of security bulletin.

********************************************************************

11/14/2006 11:27:12 AM [Latest Secunia Security Advisories]
GLEG has reported a vulnerability in Microsoft Windows, which potentially can be exploited by malicious people to cause a DoS (Denial of Service).

Microsoft Black Tuesday Overview (NEW)

Published: 2006-11-14,
Last Updated: 2006-11-14 19:35:42 UTC by Swa Frantzen (Version: 1)

Overview of the November 2006 Microsoft patches and their status.

Each entry lists: affected component; CVE identifiers; contra indications (with the KB article); known exploits; Microsoft rating; ISC rating(*) for clients / servers.

MS06-066 Netware client services - remote code execution & DoS
  • CVE-2006-4688, CVE-2006-4689
  • Contra indications: No known problems (KB 923980)
  • Known exploits: No known exploits
  • Microsoft rating: Important
  • ISC rating(*): clients Less Urgent / servers Less Urgent

MS06-067 Internet Explorer - remote code execution
  • CVE-2006-4446, CVE-2006-4777, CVE-2006-4687
  • Contra indications: No known problems (KB 922760)
  • Known exploits: Actively exploited according to Microsoft
  • Microsoft rating: Critical
  • ISC rating(*): clients PATCH NOW / servers Important

MS06-068 Microsoft Agent - remote code execution
  • CVE-2006-3445
  • Contra indications: No known problems (KB 920213)
  • Known exploits: No known exploits
  • Microsoft rating: Critical
  • ISC rating(*): clients Critical / servers Less urgent

MS06-069 Adobe flash player - remote code execution
  • CVE-2006-3014, CVE-2006-3311, CVE-2006-3587, CVE-2006-3588, CVE-2006-4640
  • Contra indications: No known problems (KB 923789)
  • Known exploits: No known exploits
  • Microsoft rating: Critical
  • ISC rating(*): clients Critical / servers Less urgent

MS06-070 Workstation service - remote code execution
  • CVE-2006-4691
  • Contra indications: No known problems (KB 924270)
  • Known exploits: No known exploits
  • Microsoft rating: Critical
  • ISC rating(*): clients Critical / servers Critical

MS06-071 XML Core services
  • CVE-2006-5745
  • Contra indications: No known problems (KB 928088)
  • Known exploits: Exploits publicly available
  • Microsoft rating: Critical
  • ISC rating(*): clients PATCH NOW / servers Important

We will update issues on this page as they evolve.
We appreciate updates
US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY

(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of the importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.

--
Swa Frantzen -- Section 66


SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

I had to manually load the URL, but here it is: http://www.microsoft.com/technet/security/bulletin/ms06-nov.mspx

Critical
Bulletin Identifier Microsoft Security Bulletin MS06-067

Bulletin Title

Cumulative Security Update for Internet Explorer (922760)

Executive Summary

This update resolves vulnerabilities in Internet Explorer that could allow remote code execution.

Maximum Severity Rating

Critical

Impact of Vulnerability

Remote Code Execution

Affected Software

Windows, Internet Explorer. For more information, see the Affected Software and Download Locations section.


Bulletin Identifier Microsoft Security Bulletin MS06-068

Bulletin Title

Vulnerability in Microsoft Agent Could Allow Remote Code Execution (920213)

Executive Summary

This update resolves a vulnerability in Microsoft Agent that could allow remote code execution.

Maximum Severity Rating

Critical

Impact of Vulnerability

Remote Code Execution

Affected Software

Windows. For more information, see the Affected Software and Download Locations section.


Bulletin Identifier Microsoft Security Bulletin MS06-069

Bulletin Title

Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution (923789)

Executive Summary

This update resolves vulnerabilities in Macromedia Flash Player, from Adobe, that could allow remote code execution.

Maximum Severity Rating

Critical

Impact of Vulnerability

Remote Code Execution

Affected Software

Windows. For more information, see the Affected Software and Download Locations section.


Bulletin Identifier Microsoft Security Bulletin MS06-070

Bulletin Title

Vulnerability in Workstation Service Could Allow Remote Code Execution (924270)

Executive Summary

This update resolves a vulnerability in Workstation Service that could allow remote code execution.

Maximum Severity Rating

Critical

Impact of Vulnerability

Remote Code Execution

Affected Software

Windows. For more information, see the Affected Software and Download Locations section.


Bulletin Identifier Microsoft Security Bulletin MS06-071

Bulletin Title

Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (928088)

Executive Summary

This update resolves a vulnerability in Microsoft XML Core Services that could allow remote code execution.

Maximum Severity Rating

Critical

Impact of Vulnerability

Remote Code Execution

Affected Software

Windows. For more information, see the Affected Software and Download Locations section.


Important
Bulletin Identifier Microsoft Security Bulletin MS06-066

Bulletin Title

Vulnerabilities in Client Service for NetWare Could Allow Remote Code Execution (923980)

Executive Summary

This update resolves vulnerabilities in the Client Service for NetWare that could allow remote code execution. The Client Service for NetWare is not installed by default on any affected operating system version.

Maximum Severity Rating

Important

Impact of Vulnerability

Remote Code Execution

Affected Software

Windows. For more information, see the Affected Software and Download Locations section.

Microsoft XP SP2 wireless hotfix (NEW)

Published: 2006-11-14,
Last Updated: 2006-11-14 14:00:49 UTC by Swa Frantzen (Version: 1)

Jakob sent in a good find over at Microsoft: http://support.microsoft.com/?kbid=917021. It's a hotfix update to the wireless system of XP SP2 that claims to do a number of useful things:
  • Allows group policy to control WPA2 settings.
  • Allows networks in the preferred network list to be set as broadcast or non-broadcast. Setting all to broadcast prevents the computers from leaking the list of preferred networks when they do not find one in their list.
  • 'parked' wireless cards are given encryption. Parking a card is according to Microsoft: "Wireless Auto Configuration may create a random wireless network name and put the wireless network adapter in infrastructure mode.  In this situation, the wireless adapter is not connected to any wireless network. However, the wireless adapter continues to scan for preferred wireless networks every 60 seconds".
    They go on with: "Some wireless network adapter drivers may interpret this parking operation as a request to connect to a wireless network. Therefore, these drivers may send probe requests in search of a network that has the random name. Because the parking operation passes no security configuration to the driver, the random wireless network might be an open system-authenticated wireless network that uses no encryption. An observer could monitor these probe requests and establish a connection with a parked Windows XP wireless client".
    Now encrypting will surely help, but it does feel funny to let it sit there configured randomly while there is no use for it doing anything.
  • Stop trying to connect to ad-hoc networks in the preferred network list.
Test it well before you deploy it widely, but it does seem a worthwhile hotfix.

See also Microsoft security advisory 917021, it contains more background information.

SWA
--
Swa Frantzen -- Section 66

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Broadcom Wireless Vulnerability

Published: 2006-11-12,
Last Updated: 2006-11-12 01:09:18 UTC by Johannes Ullrich (Version: 2)

The "Month of Kernel Bugs" project released an advisory with details about a bug in Broadcom's Windows driver for its wireless cards. The high/low points:

  • Only affects the wireless driver, not the Broadcom wired cards.
  • The respective file is BCMWL5.SYS Version 3.50.21.10 (this is the version pointed out as vulnerable; others may be vulnerable as well).
  • Only Linksys has published an official update at this time.
  • Other vendors have later versions of this file available as patches. It is not clear whether they fix the problem or not.
  • The problem is triggered by an overly long SSID.
  • The MOKB project published a Metasploit module to ease exploitation of this problem.
So much for now. Expect updates as we learn more.

Go ahead and patch your driver with whatever version they offer. If you get a chance, test the exploit and see if it works against some of the later versions. Of course, take care when doing so. The "known to be fixed" version from Linksys is 4.100.15.5.

Whenever you don't use your wireless network, turn off the wireless card. In particular if you are in a public space (airport, hotel).

Update: also see the ZERT advisory (no patch though, but the advisory explains why).

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

New Monster Phish Bait (NEW)

Published: 2006-11-10,
Last Updated: 2006-11-10 19:26:04 UTC by Tony Carothers (Version: 1)

A reader recently submitted for review a new phish attempt which asks readers to download the "new Monster Job Seeker Tool". The email looks authentic, as the HTML source code pulls images from monster.com and links to other monster.com pages; however, the download does not come from monster.com. The download software link pulls the download from monster-freesoftware.com. Of course, what is downloaded is not something monster.com would approve of.

I have sent a copy of the email to abuse@monster.com for their records as well.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

An Imaginative Phishing Attack on MySpace

A fairly imaginative phishing attack was live on the MySpace.com site for a few hours on the morning of Friday, October 27, 2006. The attack was interesting not so much because of its technical prowess, but because the attackers were imaginative. The attack was initially reported by Netcraft who discovered it when one of their customers encountered the page.

The attackers were able to create a login page located at http://www.myspace.com/login_home_index_html, which solicited the visiting user’s MySpace username and password. When entered, these values would go to a server operated out of France.

How did the attackers manage to pull this off? They tossed the wealth of complex phishing techniques aside and did something that was remarkably simple, and yet, pretty clever. Like millions before them, they just went to MySpace.com and registered an account. When asked what user ID to pick for their account, they simply gave “login_home_index_html” as the login name to use. Now, the page hosted at "http://www.myspace.com/login_home_index_html" automatically became their login page.

I’ve spent a considerable amount of time studying phishing attacks and there are a few which really stand out. This attack is one of them. What makes this attack so remarkable was that the attackers did not have to be familiar with the bevy of tricks one might use to make a site look believable. They didn’t exploit a browser vulnerability, they didn’t hack into a Web server to host the page, and they didn’t compromise the domain name system (DNS). The attackers just exercised their imagination and came up with a very simple phishing site that does the trick. Einstein was definitely on to something when he said “Imagination is more important than knowledge.”

To MySpace’s credit, the site did get taken down within hours after it was first reported. This attack differs somewhat from your typical phishing attack. Here, phishers were hosting a legitimately created page claiming to be a MySpace login page on the MySpace site itself. They could instantly take advantage of the fact that the MySpace name would be displayed prominently on the browser’s address bar. That alone would make the site seem that much more believable. The phishers did not have to go out of their way to achieve the right look and feel – that was just there by default.

MySpace and a number of similar sites rely on their users to provide content. One lesson to be learned is that any user-defined input a site employs has to be appropriately vetted. This vetting especially applies to content that will get reflected back to users somehow. This kind of idea is often seen in cross-site scripting attacks (which I blogged about in the past).

One question to consider is why someone would be interested in gathering the usernames and passwords of MySpace users. There are a couple of reasons. First, some users who surf on MySpace are more likely to let their guard down when looking at their friends’ pages. Consequently, a compromised MySpace page could successfully lead an unsuspecting victim to malicious software like a keystroke logger. Second, users may use the same login ID and password for multiple accounts. Therefore, if an attacker has a user’s MySpace credentials, he or she may be able to use them in other places, like banks or credit card sites.

Overall, this phishing attack caught my attention not because of its technical sophistication, but because the attackers were imaginative. Just as attackers are getting more creative in designing their sites, we must also get more creative in how we detect and defend against them.

Further Reading:
A Washington Post article that articulates why phishers are interested in social networking sites like MySpace: http://www.washingtonpost.com/wp-dyn/content/article/2006/07/15/AR2006071500119.html

A previous blog I wrote on phishing and cross-site scripting: http://www.symantec.com/enterprise/security_response/weblog/2006/07/phishing_and_crosssite_scripti.html

Posted by Zulfikar Ramzan on November 9, 2006 08:00 AM
Symantec Security Response Weblog: An Imaginative Phishing Attack on MySpace.
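The lesson in the Symantec post above, that user-defined input a site employs has to be vetted before it is reflected back, can be made concrete at account registration. The following Python is an added example, not Symantec's or MySpace's code: a username check that rejects names colliding with or imitating site routes (the constructed reserved-word lists stand in for a real site's route table), a profile URL builder that keeps user pages under a fixed prefix so no username can shadow a top-level path, and HTML escaping for the display name when it is rendered.

```python
import html
import re
from urllib.parse import quote

# Constructed policy data for this example; a real site would derive the
# reserved set from its own route table rather than a hand-typed list.
RESERVED_ROUTES = {"login", "logout", "signin", "signup", "register", "index",
                   "home", "account", "settings", "password", "admin", "help"}
PATH_EXTENSIONS = {"html", "htm", "php", "asp", "aspx", "jsp", "cgi"}

# Lower-case letters, digits and underscore, 3 to 32 characters,
# starting with a letter or digit.
USERNAME_RE = re.compile(r"^[a-z0-9][a-z0-9_]{2,31}$")


def vet_username(name):
    """Return (accepted, reason); reason is '' when the name is accepted."""
    lowered = name.lower()
    if not USERNAME_RE.fullmatch(lowered):
        return False, "disallowed characters or length"
    if lowered in RESERVED_ROUTES:
        return False, "collides with a site route"
    tokens = [t for t in lowered.split("_") if t]
    # A file-extension token never belongs in a handle; it only serves to
    # make the name read like a page address.
    if any(t in PATH_EXTENSIONS for t in tokens):
        return False, "contains a file-extension token"
    # One route word ("home_brew") is fine; several strung together
    # ("login_home") read like a site path.
    route_words = sum(1 for t in tokens if t in RESERVED_ROUTES)
    if route_words >= 2:
        return False, "imitates a site URL path"
    return True, ""


def profile_url(name):
    """Profiles live under a fixed prefix, so a username can never occupy
    a top-level path such as /login or /index."""
    return "/profile/" + quote(name, safe="")


def render_display_name(display_name):
    """Escape user-supplied text before reflecting it into HTML."""
    return "<h1>" + html.escape(display_name, quote=True) + "</h1>"


if __name__ == "__main__":
    for candidate in ("login_home_index_html", "login_home", "home_brew", "tom_jones"):
        print(candidate, vet_username(candidate))
    print(profile_url("tom_jones"))
    print(render_display_name('<script>alert(1)</script>'))
```

The prefix in `profile_url` is the structural fix: even if a bad name slips past `vet_username`, it is served at `/profile/<name>`, never at a path that could be mistaken for the site's own login page.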

MySpace in China - When Malware Worlds Collide

It would seem MySpace is looking at the possibility of expanding to China, while at the same time Chinese websites are experiencing a significant amount of traffic in malware comment-spam. It seems to me, unless MySpace gets significantly more involved in making sure the XSS vulnerabilities that were used by previous malware are covered, this could be a recipe for disaster. This is a potentially huge source of revenue for the people at News Corp, but also for adware affiliates and malware distributors.

But really, MySpace isn’t the only one that needs to take note of this. It’s really time for Web 2.0 to have a paradigm shift.
These websites were started by individuals, and intentionally left to be developed and made great by their user base. They’re all highly customizable, letting you include an incredible amount of your own content. On the one hand this is a brilliant idea, and has made the internet a much more compelling “place”. (Or is that “tube”?) On the other hand, no one gave much thought to security as these places were being built up. The news has been liberally littered lately with stories about various user-driven sites being used to distribute malware.

Without this change of direction, it could be that within a couple years these sites may become functionally unusable - they’ll be crushed by the very thing that made them revolutionary.

I, for one, hope this does not come to pass.


Computer Security Research - McAfee Avert Labs Blog.

I got this in my e-mail this morning.

-----Original Message-----
From: msftconn@microsoft.com [mailto:msftconn@microsoft.com]
Sent: November 09, 2006 7:16 PM
To: Mosby, Chris
Subject: Fix for ITMU Setup Error and Close of Pre-Release Product Evaluation


Several customers reported a setup error with the RTM build of ITMU Revision 3.  This error was isolated to running the installation in a TS session that was not the console session.  A fix for this has been incorporated into a new build and has been reposted on the public Microsoft site.  Please download and install this new build immediately to ensure your environment continues to receive new updates as they become available.


At this time, we have closed down the ITMU Revision 3 program on the Connect website.  The ITMUV3TH email alias has also been retired.  If you should encounter any further issues with the product, please leverage your standard methods of support.


Thank you again for your efforts in evaluating and providing feedback on the pre-release version of ITMU Revision 3!


The SMS 2003 ITMU Product Team

I am downloading a new copy of ITMU v3 now, and I will report any differences that I find.