July 2007 - Posts

 

Spam Excel(s)

July 23rd, 2007 by Miray Lozada

Spammers are Excel-ing, literally. Text and image spam as PDF files are now old news as MS Excel enters the spam scene. Last July 22, Trend Micro researchers started noticing email messages that carry ZIP-packed Excel files. When opened, these Excel files stink of pump-and-dump schemes that spam mails are now notorious for. See images below:

Figure: Email (email2.jpg)
Figure: Zip Archive (zip3.jpg)
Figure: Excel File (excel2.jpg)

Using ZIP as a carrier of malicious files is already a known routine of many malware families like WORM_BAGLE and TROJ_YABE. Using ZIP as a carrier in, or as part of, a spam scheme, however, is quite new and may be a social engineering tactic more than anything else. The fact that the email arrives as an Excel file packed in a ZIP may have more to do with an attempt to lend credence to a stock-related email at a time when authorities are seriously running after pump-and-dump spammers. That the spammer chose Excel, an application usually associated with accounting, ergo money, may not be a coincidence either.

Spam Excel(s) now and it is not far off the mark that it Word(s) and PowerPoint(s) in the future…and Photoshop(s) and Outlook(s) and ….

Source: Spam Excel(s) - TrendLabs | Malware Blog - by Trend Micro

 

Funny.zip
Posted by Mikko @ 12:27 GMT


There's a fairly large seeding of Trojan-Downloader.Win32.Agent.brk going on.

Trojan-Downloader.Win32.Agent.brk

The emails that are sent typically contain funny.zip as the attachment.

Email subjects vary but are typically "spammy" in nature:

  Action for pleasure
  Life is good!
  life is beautiful!
  Double energy
  Paradice in your bed
  View this price
  Return sunrise to your life!
  You can be young again!
  Paradice in your bed

We had detection for this particular malware already out before the spamming really began in large scale.

Source: F-Secure : News from the Lab

I already have one of these (if I could just get a damn battery!!), but for the rest of you...

Blog@Newsarama » ‘Beware my power … Green Lantern’s light!’

Monday July 23, 2007, 7:53 am

Make your own Green Lantern ring

Are you itching for your own Green Lantern replica ring, but unwilling to shell out $90 for it? Well, itch no more. The good folks at Instructables provide a step-by-step explanation of how to make a resin-cast Green Lantern ring — including a glow-in-the-dark version.

(Via Neatorama)

 

New Trend in Attacking the Java Runtime Environment?

Attacks targeting vulnerabilities in the Java Runtime Environment are anything but new. Several researchers have previously visited this topic and the results have been some fantastic research. However, in recent weeks the DeepSight Threat Analyst Team has been investigating several Java issues resulting from a notable increase in vulnerabilities reported affecting the Java Runtime Environment and its associated components.

The threat landscape has seen a dramatic increase in attacks targeting client-side vulnerabilities in recent years. Vulnerabilities have been exposed in a variety of applications including media players, Web browsers, ActiveX controls and mail clients, to name just a few. The ubiquitous nature of the Java Runtime Environment makes it a prime candidate for attackers. With this in mind, it is not surprising to see much of the preliminary research into exploitation of environments like the Java Virtual Machine manifest itself both in recently disclosed vulnerabilities and the consequent exploitation of these issues “in the wild.” This research has likely been (or will be) exacerbated by the fact that portions of Java are now open-source.

On January 16, 2007, Sun Microsystems published a vulnerability in the Java Runtime Environment which was submitted to the Zero Day Initiative in December 2006. The issue is a heap-corruption vulnerability which can be triggered when parsing a GIF image with a width attribute of 0 (Sun Java Runtime Environment GIF Images Buffer Overflow Vulnerability). On June 26, 2007, a DeepSight honeypot was compromised by a malicious Web site targeting this vulnerability (among several others). Although several vulnerabilities in the Java Runtime Environment have been disclosed previously, the DeepSight Threat Analyst Team had witnessed very few cases of exploitation of these vulnerabilities in the wild, making this a notable event.

Coincidentally, on July 3, 2007, another heap-corruption flaw related to image parsing in the Java Runtime Environment was disclosed (Sun JDK JPG/BMP Parser Multiple Vulnerabilities). This issue was due to insufficient validation when parsing ICC profiles (a cross-platform way to describe color spaces for displaying images). On July 9, 2007, eEye disclosed a trivially exploitable stack overflow when parsing JNLP files (Sun Java Runtime Environment WebStart JNLP Stack Buffer Overflow Vulnerability). This vulnerability is due to a lack of bounds checking when parsing the codebase parameter. This sudden influx of high-profile JRE vulnerabilities provides some interesting insight into the current state of Java security. These issues suggest a shift (or at least an increase in disclosure) to more contemporary research targeting the Java Runtime Environment.

Perhaps one of the most interesting points regarding vulnerabilities in the Java Runtime Environment is the advantage inadvertently provided for attackers to leverage these vulnerabilities. First and foremost are Java Applets, which provide an excellent delivery vehicle for vulnerabilities affecting the Java Runtime Environment. Applets make it easy for exploits targeting JREs to be delivered via malicious Web sites as “drive-by” attacks. Applets can easily be hidden via an iframe or scaled down in size and placed in an inconspicuous portion of the Web site, making them difficult to notice.

Second, due to the way Java allocates heap-memory, scenarios where the attacker can repeatedly “spray” the heap with a nop sled and associated payload across a large portion of memory can be used to add reliability to an exploit. This technique was initially pioneered by Skylined for use in JavaScript when targeting browser vulnerabilities, but similar techniques have since proven useful inside the JRE as well (see JvmGifVulPoc.java). Additionally, by returning to the heap (particularly in the case of stack-overflow vulnerabilities), an attacker is able to circumvent many of the security mechanisms provided by Windows XP SP2 (DEP and SafeSEH). The ability to reliably bypass these security mechanisms makes the exploitation of these vulnerabilities even more enticing.

The solution for mitigating these types of attacks is the old standard. First and foremost, ensure that Java is kept up to date with the most recently available patches, along with IPS/IDS signatures. Whenever browsing an untrusted Web site, do so with caution and avoid enabling Java, JavaScript or other types of active content whenever they are unnecessary (for Firefox users there is a great extension called NoScript that makes this process very easy).

Research into flaws affecting the Java Runtime Environment is not a new topic; however, the use of these issues in the wild is beginning to become a reality. The effectiveness of attack toolkits like MPack reiterates the dangers associated with client-side vulnerabilities. Due to the intrinsic complexities associated with file format parsers, it is unlikely that these types of bugs will be hunted into extinction anytime soon; a class of vulnerability of which Java appears to be anything but exempt.

Coincidentally, recently we have seen the disclosure of three high-profile vulnerabilities in the Microsoft .Net Framework. Two of these are of particular interest, the Microsoft .Net Framework PE Loader Remote Buffer Overflow Vulnerability and the Microsoft .Net Framework JIT Compiler Remote Buffer Overflow Vulnerability which are very reminiscent of the types of bugs disclosed in the Java Runtime Environment, suggesting that the race to find these types of vulnerabilities in .Net is on.

Posted by Darren Kemp on July 23, 2007 05:00 AM

Source: Symantec Security Response Weblog: New Trend in Attacking the Java Runtime Environment?
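Two of the trigger conditions the post names can be checked directly in content, which is what anyone writing IDS signatures or mail-gateway rules for these bugs would want. The following is an added example, not DeepSight or Sun code: it reads the GIF Logical Screen Descriptor and flags a zero width or height, and it measures the codebase attribute of a JNLP file against a length threshold. The 512-byte limit and all sample inputs are assumptions constructed for illustration; the page does not give the actual lengths involved in the eEye bug.

```python
"""Triage checks for two JRE trigger conditions named in the post above.

Added example, not DeepSight or Sun code. A GIF Logical Screen Descriptor
follows the 6-byte signature: width and height as little-endian uint16s.
A JNLP file is XML whose root <jnlp> element carries the codebase
attribute. The 512-byte limit and all sample inputs are assumptions made
for illustration.
"""
import struct
import xml.etree.ElementTree as ET

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")
JNLP_CODEBASE_LIMIT = 512  # assumed threshold; real codebase URLs are far shorter


def gif_logical_screen(data: bytes):
    """Return (width, height) from the Logical Screen Descriptor, or None
    when the data does not carry a GIF signature or is truncated."""
    if len(data) < 10 or data[:6] not in GIF_SIGNATURES:
        return None
    return struct.unpack_from("<HH", data, 6)


def gif_is_suspicious(data: bytes) -> bool:
    """True when the GIF declares a zero width or height: the condition the
    post gives for the JRE GIF heap-corruption bug."""
    dims = gif_logical_screen(data)
    if dims is None:
        return False
    width, height = dims
    return width == 0 or height == 0


def jnlp_codebase(xml_text: str):
    """Return the codebase attribute of the root <jnlp> element, or None if
    the document is not well-formed XML or its root is not <jnlp>."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag.rsplit("}", 1)[-1] != "jnlp":  # tolerate a default namespace
        return None
    return root.get("codebase")


def jnlp_is_suspicious(xml_text: str, limit: int = JNLP_CODEBASE_LIMIT) -> bool:
    """True when the codebase attribute is longer than the assumed limit."""
    codebase = jnlp_codebase(xml_text)
    return codebase is not None and len(codebase) > limit


# Constructed samples; not real exploit files.
BENIGN_GIF = b"GIF89a" + struct.pack("<HH", 16, 16) + b"\x00\x00\x00"
ZERO_WIDTH_GIF = b"GIF89a" + struct.pack("<HH", 0, 16) + b"\x00\x00\x00"
BENIGN_JNLP = '<jnlp spec="1.0+" codebase="http://example.invalid/app/"><information/></jnlp>'
LONG_JNLP = ('<jnlp spec="1.0+" codebase="http://example.invalid/'
             + "A" * 2000 + '"><information/></jnlp>')

if __name__ == "__main__":
    print("benign gif suspicious:", gif_is_suspicious(BENIGN_GIF))
    print("zero-width gif suspicious:", gif_is_suspicious(ZERO_WIDTH_GIF))
    print("benign jnlp suspicious:", jnlp_is_suspicious(BENIGN_JNLP))
    print("long-codebase jnlp suspicious:", jnlp_is_suspicious(LONG_JNLP))
```

These checks flag inputs that match the stated trigger conditions; they do not confirm exploitability. A zero-width GIF can also simply be a corrupt file, so treat a hit as a reason to quarantine and look closer rather than as proof of an attack.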

This is getting bad; I get several of these a day that slip past my usual spam controls.

Recent change in Stock-Spam Tactics (PDF and excel)

Published: 2007-07-22,
Last Updated: 2007-07-22 19:14:00 UTC
by Kevin Liston (Version: 1)

It started nearly a month ago: a shift from image-based spam to spam containing PDF files.

I'm sure that you've seen these in your mailbox, the shift over to PDF was effective in evading spam-filters.  You have also likely noted their shift in tactics from a simple text message in the PDF over to encoded images in the PDF (to foil pdf2text-like tools, I presume.)

I would have thought that this shift would have had an impact on the efficacy of the scheme.  "Certainly people won't open unsolicited PDF files," I thought.  Based on the number of submissions this past month asking if these were PDF-exploit attempts, I felt that this shift would have had some impact on the success of this type of scheme.

In January, I performed an unscientific experiment monitoring the impact of Pump and Dump schemes on the targeted companies.  My hypothesis was that Pump and Dump schemes have an overall negative impact on the company whose symbol was targeted.  I was unable to prove this hypothesis; the stock price quickly returns to normal three to four weeks after an event (in the population of stocks that I tracked in the first quarter of 2007, that is.)

This morning I did a bit of comparison with symbols identified in the few PDF files that I had left in my mailbox.  Looking at this small sample it seems that these schemes are just as effective in manipulating the stock price as text-only and image-based spam messages.

The consequence of this is that there exists a large population of people with a fair amount of assets in the stock market that willingly open up unsolicited PDF files.  This makes for a concerning scenario when an arbitrary-code-execution vulnerability is identified in popular PDF readers.

A reader submitted a report that they were receiving a large number of spam messages consisting of an Excel file.  Examination of this file showed that it contained a Pump and Dump message.  This could serve as an indicator of another shift in tactics.  The VERY interesting part is that the formatting of this Excel file is extremely similar to the first PDF version reported by Maarten.  This group appears to target the German stock market.  I look forward to US penny-stock schemes employing this technique shortly.  I'm similarly concerned about the number of people who will open unsolicited Excel files too.

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc
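The carrier pattern running through the three items above (a ZIP attachment wrapping an Excel file, funny.zip wrapping a Trojan downloader, and the earlier PDF wave) is something a mail gateway can check without rendering the documents. The following is an added example, not code from Trend Micro, F-Secure or the ISC. It builds a constructed MIME message in memory, opens the ZIP attachment without writing it to disk, and reports any member whose content signature does not match its extension, plus any executable or spam-carrier document type found inside the archive. The magic numbers are the standard ones (OLE2 compound file for legacy .xls/.doc, "%PDF-", "MZ", "PK"); the file names, addresses and message body are constructed for the example.

```python
"""Mail-gateway check for ZIP-packed spam and malware carriers.

Added example, not code from Trend Micro, F-Secure or SANS ISC. Opens a
ZIP attachment in memory and compares each member's extension against its
content signature; the mapping of extensions to signatures and the list
of "carrier" types are assumptions chosen to match the items above.
"""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"  # legacy .xls/.doc/.ppt container
SIGNATURES = (
    ("ole2", OLE2_MAGIC),
    ("pdf", b"%PDF-"),
    ("zip", b"PK\x03\x04"),
    ("pe", b"MZ"),  # Windows executable (.exe/.scr/.pif)
)
EXPECTED = {".xls": "ole2", ".doc": "ole2", ".ppt": "ole2", ".pdf": "pdf",
            ".zip": "zip", ".exe": "pe", ".scr": "pe", ".pif": "pe"}
CARRIER_EXT = {".xls", ".pdf", ".exe", ".scr", ".pif"}  # assumed policy list
MAX_DEPTH = 2  # nested ZIPs are opened at most this deep


def sniff(data: bytes) -> str:
    """Classify content by its leading magic bytes."""
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            return name
    return "unknown"


def ext_of(name: str) -> str:
    dot = name.rfind(".")
    return name[dot:].lower() if dot >= 0 else ""


def classify(name: str, head: bytes, findings: list) -> str:
    """Append mismatch/carrier findings for one file and return its kind."""
    kind, ext = sniff(head), ext_of(name)
    if ext in EXPECTED and EXPECTED[ext] != kind:
        findings.append((name, "type-mismatch", f"{ext} named but {kind} content"))
    if ext in CARRIER_EXT or kind == "pe":
        findings.append((name, "carrier", f"{ext or '(no ext)'} / {kind}"))
    return kind


def inspect_zip(blob: bytes, container: str, depth: int = 1) -> list:
    """Walk a ZIP held in memory; only header bytes of each member are read."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return [(container, "bad-zip", "claims ZIP but does not parse")]
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            member = f"{container}!{info.filename}"
            with zf.open(info) as fh:
                head = fh.read(16)
                kind = classify(member, head, findings)
                if kind == "zip" and depth < MAX_DEPTH:
                    findings.extend(inspect_zip(head + fh.read(), member, depth + 1))
    return findings


def inspect_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and inspect each attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        if classify(name, data[:16], findings) == "zip":
            findings.extend(inspect_zip(data, name))
    return findings


def build_zip(members: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


def build_sample_message() -> bytes:
    """Constructed sample: a ZIP holding an OLE2 'spreadsheet' and an
    executable disguised as a JPEG. Not a real spam sample."""
    zipped = build_zip({"quote.xls": OLE2_MAGIC + b"\x00" * 24,
                        "photo.jpg": b"MZ" + b"\x90" * 30})
    msg = EmailMessage()
    msg["From"] = "tips@example.invalid"
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Hot stock alert"
    msg.set_content("Quote attached.")
    msg.add_attachment(zipped, maintype="application", subtype="zip",
                       filename="alert.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, category, detail in inspect_message(build_sample_message()):
        print(f"{category:14} {name}: {detail}")
```

Reading only the first 16 bytes of each member keeps the check cheap and avoids inflating a large or deliberately hostile archive; the depth limit does the same for nested ZIPs. The mismatch rule is the more useful of the two, since a renamed executable is a far stronger signal than a spreadsheet that really is a spreadsheet.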

 

Security Cost of Social Computing

Friday July 20, 2007 at 8:37 am CST
Posted by Nishad Herath

As recently as five years ago, most of us probably communicated electronically only through either e-mail or phone. If someone wanted to pry into these communications, they had to tap our phones, steal our phone records or hack our e-mail accounts. But today, we voluntarily leave bits and pieces of our personal lives scattered all over the Internet. From elaborate profiles on social networking sites (such as Facebook, which, for example, has experienced a growth explosion in Australia as of late) to innocuous comments on personal blogs of others, we publish our likes and dislikes, our affiliations, political views and even our day to day routine for pretty much the whole world to see. In fact, younger Internet users appear to be leading the way. And it’s not all just play either. We increasingly rely on sites like Seek, monster.com and LinkedIn to advance our careers as well. These days, not only do we seem to leave a part of our digital personality wherever we spend a lot of time online, but we also seem to bundle a much greater part of our lives into this digital personality.

Now, is it too much of a stretch to imagine digital identity thieves and other fraudsters working hard, even as we speak, using the awesome power of modern search engines to put together these various online clues to piece the puzzle that is the digital you? I think not! I believe that this is already happening on a wider scale than any of us would like to believe. We’ve made it easier for anyone to discover who we are and increased their chances to get acquainted with us, no matter where in the world they are. Especially with social networking sites and online dating sites, shady characters could easily work their way into our trust gradually, starting off as a “friend of a friend of a friend” or a potential love interest. From the stories I’ve heard, this seems to be taking place a lot more than I would have considered to be the case.

To compound the issue, online services are becoming extremely complex. With a diverse set of functionalities and the ability to “host applications” or mash-ups, these online platforms are getting as complex as operating systems themselves. What does this all mean? Well, it means that online services are increasingly becoming exposed to various attacks like Cross Site Scripting (XSS) and Cross Site Request Forgery (CSRF), not to mention the oldest trick in the book: social engineering. Unfortunately, traditional anti-virus software, personal firewalls and host-based intrusion prevention products sometimes are not very well suited to address some of these threats at present.

Our online world is changing and it’s changing fast. With the explosion of exciting new possibilities also come a set of unfamiliar risks. So what do we do? Do we curb our enthusiasm and say no to progress? Not at all. Fear is hardly the solution. All we have to do is to be a bit more proactive about our online security. Make sure we educate ourselves on the latest threats. Think twice about what personal information we share online and with whom. If you happen to notice something “fishy” going on, please notify someone who could look into that. While the security industry is moving fast, innovating new technology to provide better protection, you are still the single most important contributor to online security; both yours and ours that is.

Be safe and have a great social computing experience!

Source: Computer Security Research - McAfee Avert Labs Blog

 

The Nduja Job: Into The World Of XSS Worms

Thursday July 19, 2007 at 1:40 pm CST
Posted by Rahul Mohandas

Cross-site scripting (XSS) is a type of vulnerability typically found in web applications which allows code injection by malicious web users into the web pages viewed by other users. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same-origin policy.

One of the older stories of XSS worms dates back to 2002, when there were claims of XSS flaws in Hotmail which could be exploited to broadcast e-mail to all the people in the address book of the infected user. Last year there was a surge in worms targeting websites with XSS flaws, like Samy and Yamanner.

With many popular websites posting XSS cheat sheets online and constantly updating them, hackers can become cognizant of XSS filters and the possible ways of evading them. Adding to the woes are “Javascript XSS Scanners”, automated tools for finding cross-site scripting vulnerabilities in web pages.

XSS worms are becoming more and more sophisticated. Lately there’s been a lot of attention on this POC worm which goes by the name Nduja. The worm spreads by exploiting cross-site scripting vulnerabilities in 4 leading webmail providers.

The life cycle of the Nduja worm is similar to a classic e-mail worm; it is capable of:

  1. Harvesting e-mails present in the Inbox.
  2. Collecting contacts' e-mail addresses from the address book.
  3. Self-propagating to the contacts.

A recent advance in this direction is the creation of a hybrid worm that involves client-side and server-side components. The technique uses XSS tunneling. Portcullis Computer Security has published a whitepaper describing XSS tunneling in detail. A typical attack scenario (also described in the paper) is as follows:

Figure: XSS Tunnel

  1. An attacker infects a website with a persistent or reflected (temporary) XSS attack which calls remote XSS Shell JavaScript.
  2. The victim follows a link or visits the page and executes the JavaScript within that domain.
  3. The victim's browser begins to perform periodic requests to the XSS Shell server and looks for new commands.
  4. When the victim's browser receives a new command, it is processed and the results are returned to the XSS Shell.
  5. The attacker can push new commands to the victim's browser(s) and view the results from the XSS Shell administration interface.

Could this technology transform into an XSS-based botnet? Keep your eyes peeled on this space; we will keep you posted with updates as it happens.

Source: Computer Security Research - McAfee Avert Labs Blog
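Step 3 in the scenario above, the victim's browser polling the XSS Shell server for commands, leaves a trace in proxy logs that a defender can hunt for: many requests from one client to one host at near-constant intervals. The following is an added example, not code from McAfee or Portcullis; it groups requests by client and destination host and scores each pair by the regularity of its inter-request gaps. The log lines are constructed in a simplified format (epoch seconds, client IP, method, URL), and the thresholds are assumptions that would need tuning for a real environment.

```python
"""Periodic-beacon detection over proxy log lines.

Added example, not code from McAfee or Portcullis. Flags (client, host)
pairs whose inter-request intervals are nearly constant, which is what an
XSS Shell polling loop (or any other beacon) looks like from the network.
Log format, thresholds and sample lines are constructed assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev
from urllib.parse import urlsplit

MIN_REQUESTS = 6        # assumed: fewer requests is not yet a pattern
MAX_JITTER = 0.2        # assumed: stdev/mean of gaps at or below this is "regular"
MIN_PERIOD_S = 1.0      # assumed: ignore sub-second bursts (page asset loads)

# Constructed log: one client polling a command host every 5 s alongside
# ordinary browsing, and a second client with too few requests to judge.
SAMPLE_LOG = """\
1000.0 10.0.0.5 GET http://shell.example.invalid/cmd
1001.0 10.0.0.5 GET http://www.example.org/
1001.3 10.0.0.5 GET http://www.example.org/style.css
1001.5 10.0.0.5 GET http://www.example.org/logo.png
1005.0 10.0.0.5 GET http://shell.example.invalid/cmd
1010.0 10.0.0.5 GET http://shell.example.invalid/cmd
1015.0 10.0.0.5 GET http://shell.example.invalid/cmd
1020.0 10.0.0.5 GET http://shell.example.invalid/cmd
1025.0 10.0.0.5 GET http://shell.example.invalid/cmd
1030.0 10.0.0.5 GET http://www.example.org/news
1030.0 10.0.0.5 GET http://shell.example.invalid/cmd
1035.0 10.0.0.5 GET http://shell.example.invalid/cmd
1090.0 10.0.0.5 GET http://www.example.org/about
1100.0 10.0.0.7 GET http://shell.example.invalid/cmd
1105.0 10.0.0.7 GET http://shell.example.invalid/cmd
1200.0 10.0.0.5 GET http://www.example.org/contact
1201.0 10.0.0.5 GET http://www.example.org/contact
"""


def parse_line(line: str):
    """Return (timestamp, client, host) from one simplified log line."""
    ts, client, _method, url = line.split()[:4]
    return float(ts), client, urlsplit(url).netloc


def find_beacons(lines, min_requests=MIN_REQUESTS, max_jitter=MAX_JITTER):
    """Return a list of dicts describing (client, host) pairs that poll."""
    stamps_by_pair = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, client, host = parse_line(line)
        stamps_by_pair[(client, host)].append(ts)

    beacons = []
    for (client, host), stamps in sorted(stamps_by_pair.items()):
        if len(stamps) < max(min_requests, 3):
            continue
        stamps.sort()
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        period = mean(gaps)
        if period < MIN_PERIOD_S:
            continue
        jitter = pstdev(gaps) / period  # coefficient of variation of the gaps
        if jitter <= max_jitter:
            beacons.append({"client": client, "host": host,
                            "requests": len(stamps),
                            "period_s": round(period, 2),
                            "jitter": round(jitter, 3)})
    return beacons


if __name__ == "__main__":
    for beacon in find_beacons(SAMPLE_LOG.splitlines()):
        print(beacon)
```

The coefficient of variation is deliberately simple; it separates a 5-second poll from a human clicking through a site, but legitimate pollers (webmail auto-refresh, feed readers, update checks) produce exactly the same shape and need an allowlist of known hosts before this is useful as an alert.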

 

Web is the way to go?

Published: 2007-07-20,
Last Updated: 2007-07-20 03:03:36 UTC
by Jason Lam (Version: 1)

We have all seen the recent web-related incidents such as Mpack that leverage compromised web sites. These tactics are gaining popularity in malware distribution. Web technologies have been advancing at sonic speed every day; new technologies such as Web 2.0 mashups are getting attention from everybody. If not carefully deployed, these technologies will bite us back.

Some of the traditional (old school) security folks still think, if I patch all the vulnerabilities according to the advisories released by the vendor, I will be safe. As we get more and more 0-day vulns in OSes and related software packages, this practice is not acceptable anymore. On the web application front, it is totally unsafe. If you developed your own web application, no vendor will knock on your door to get the application fixed.

Some people may like to think the custom code they wrote would be hard to mass-exploit (using a worm) and is therefore unlikely to be attacked. The truth is, scanning for vulnerabilities (at least the common ones) is not difficult at all. Take XSS Assistant as an example: it leverages Greasemonkey, an add-on to Firefox, and as you surf you can click a few times and it will tell you whether a site is vulnerable to Cross Site Scripting. Locating the vulnerability may be the easy part, but exploiting it isn't hard either; there are exploitation frameworks like BeEF that can assist in creating damaging exploits. And that's just for XSS; the other web-related vulnerabilities are all getting their share of tools to ease the attack process.

A few persistent people might still think a compromised web site is no big deal, just a web site getting defaced.... Wrong! There is a whole lot more to it than that when a web site gets compromised. Deploying a malware distribution point like Mpack is one possibility, but it could easily cause a serious threat to the overall network security as well. SQL injection, in its more serious form, can easily get binaries and executables onto the database server and start running malicious code; how does running nmap from your database server sound to you? If that is all too theoretical for you, take a look at these reverse shells designed to run on a web server, yielding a command shell back to the attacker. Once the attacker can upload the code or remotely include it into the running web application, they can get a command shell on your web server.

The reverse shell technique is a lot like the traditional infrastructure type of attack, where an initial exploit is used to get a shell back to the attacker. The major change here is that web applications are used as the medium instead of the OS or other software packages. If your application security practice is not as good as that of some of the large software manufacturers, it might be a cause for concern.

Does your current incident handling plan include scenarios of compromised web applications? If not, I suggest you look at it seriously.

If you want to learn more about web attack techniques, SANS offers Web Application Security Workshop, Breaking Web Applications and AJAX and Web Services Security Overview.

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

********************************************************************
Title: Microsoft Security Bulletin Minor Revision
Issued: July 19, 2007
********************************************************************

Summary
=======
The following bulletin has undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS07-040 - Critical

Bulletin Information:
=====================

* MS07-040 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms07-040.mspx
- Reason for Revision: Bulletin Updated: Corrected KB933854 file manifest table for .NET Framework 1.1 on supported versions of Windows Server 2003. The Bulletin has also been updated providing an additional link to the main Bulletin Knowledge Base Article which will document all non-security functionality changes introduced in this .NET Framework security update.
- Originally posted: July 10, 2007
- Updated: July 19, 2007
- Bulletin Severity Rating: Critical
- Version: 1.2

 

Microsoft Patch support not Free?

Published: 2007-07-15,
Last Updated: 2007-07-18 09:43:31 UTC
by Swa Frantzen (Version: 2)

Update: We got the following statement from Microsoft.

We are aware that some customers have expressed confusion about whether Microsoft provides no-charge support for issues related to security updates. Microsoft has provided no-charge support for issues related to security updates and viruses for several years and there has been no change to that policy.

If a customer believes they're experiencing a security or virus related issue they may contact Microsoft directly for support using the country specific numbers provided at support.microsoft.com/security. In North America, customers can call 1-866-PCSAFETY for this support.

To help improve the customer experience, Microsoft has recently made changes to the PC Safety line in order to ensure customers are connected directly to a PC Safety agent, at no charge, when they dial the PC Safety line.

If customers feel that they have been inappropriately charged for a security or virus related issue they should contact: 1-800-Microsoft.

We got reactions to some of our previous stories that some of the patch support relating to the recently released patches was not being offered for free in reality.  We are being assured by our Microsoft contacts that it is indeed intended to be free, and that they are willing to work with us to find out what went wrong.

So if you want to participate in a little study together with Microsoft, let us know what you tried that they (tried to) make you pay for and add in your contact details such as telephone numbers to be shared privately with our Microsoft contacts.

More anonymous reactions can go to the new poll, but we're looking for a few cases that are usable to find out where it goes wrong.

--
Swa Frantzen -- NET2S

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

New Version of FireFox

Published: 2007-07-18,
Last Updated: 2007-07-18 05:46:09 UTC
by Scott Fendley (Version: 1)

Earlier today, Mozilla Firefox 2.0.0.5 was released, which has a number of bug fixes including a couple of privacy-related bugs and a few security-related ones.

Mozilla's forum shows many of the details of these fixes for those that would like to peruse them until the release notes are updated.  You can download the newest version from mozilla.com or through its automated update facility.

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 


Patch your Flash Player and Java Runtime Environment *NOW*
Posted by SGMasood @ 21:59 GMT


Adobe and Sun have released patches today for several critical vulnerabilities that affect their respective Flash Player and Java Runtime Environment. Many of these vulnerabilities can be exploited to execute arbitrary code on victims' computers just by making them access a malicious URL using any application that invokes Flash Player or JRE. In English, this means that you can get hacked just by viewing a webpage that contains malicious Flash or Java content.

Many of the vulnerabilities are cross-platform, and between them, they have most OS-browser combinations covered. You are vulnerable until you install the patches. Read the advisories from the vendors and grab the patches here and here.

There are no reported in-the-wild exploits yet, but we might see some soon, as enough technical information required to build an exploit has been released publicly for at least a few of these vulnerabilities.

F-Secure : News from the Lab

 

Java Run Time Advisory Issued

Published: 2007-07-13,
Last Updated: 2007-07-13 16:44:38 UTC
by Deborah Hale (Version: 1)

According to an article online at ZDNet there is yet another potential problem with Java.

news.zdnet.com/2100-1009_22-6196493.html

Robert Lowe, an analyst at Australia's Computer Emergency Response Team, warned that anyone using the Java Runtime Environment or Java Development Kit is at risk.

www.auscert.org.au/render.html

This flaw may have an impact on PDAs and mobile phones as well as PCs.  Because Java is browser independent, it has the potential to impact many, many devices.  It is recommended that you patch all Java devices as soon as possible.

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc

 

QuickTime Update Equals Update QuickTime
Posted by Sean @ 15:33 GMT


Apple released QuickTime version 7.2 yesterday. The update includes eight important security fixes in which viewing a maliciously crafted H.264 movie / movie / .m4v / SMIL file or visiting a malicious Web site may lead to arbitrary code execution. Apple's Web site has additional details.

The QuickTime update is available from Apple's Software Download for both Mac OS X and Windows. If you have iTunes or Apple Software Update installed, then you can just install iTunes 7.3.1 and QuickTime 7.2 will be included. If you only have QuickTime installed, perhaps on a corporate network, then you'll need to manually download the update.

It's important to update. Why? Because of stuff like MPack.

MPack is a PHP-based malware kit that's sold as if it were commercial software. It includes updates and support, and additional modules can be purchased. It's very successful at the moment.

Figure: MPack Code

The kit uses compromised passwords to hack web servers and to insert an IFrame. If you visit a web page with such an IFrame, MPack's PHP script will be run and it will attempt to infect your computer. The PHP script is structured so that OS and browser versions are identified. The IFrame redirects to other PHP scripts depending on the details. These various scripts are easily updated by MPack's authors. Among the list of exploits it tries is one for QuickTime.

This new update may fix some of the QuickTime flaws known to malware authors. And it may also tip them off to new exploits. Apple's iTunes, and therefore QuickTime, is a very popular application. If everyone updates sooner rather than later it will shorten the window of opportunity for the bad guys. Patch your applications as well as your operating system.

Source: F-Secure : News from the Lab
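The IFrame that MPack inserts into compromised pages, and the scaled-down or iframe-hidden applets described in the Symantec Java item earlier on this page, are both visible in page source even when they are invisible on screen. The following is an added example, not code from F-Secure, Symantec or the MPack kit: it walks an HTML document with the standard-library parser and reports iframe, applet, embed and object tags that are sized to a pixel or two, hidden by style, or positioned off-screen. The sample page, its host names, the class name and the 2-pixel threshold are constructed assumptions.

```python
"""Find plugin/frame tags hidden the way drive-by injections hide them.

Added example, not code from F-Secure, Symantec or MPack. Uses only the
standard-library HTML parser. The size threshold, the style heuristics
and the sample document are constructed assumptions.
"""
import re
from html.parser import HTMLParser

TINY_PX = 2  # assumed: a frame this small (or smaller) is meant to be unseen
PLUGIN_TAGS = {"iframe", "applet", "embed", "object"}


def px(value):
    """Leading integer of a width/height attribute, or None if absent/odd."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class HiddenContentFinder(HTMLParser):
    """Collect plugin/frame tags that are tiny, styled invisible, or off-screen."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in PLUGIN_TAGS:
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        w, h = px(a.get("width")), px(a.get("height"))
        if (w is not None and w <= TINY_PX) or (h is not None and h <= TINY_PX):
            reasons.append(f"tiny size {a.get('width')}x{a.get('height')}")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via style")
        if re.search(r"(?:left|top):-\d+px", style):
            reasons.append("positioned off-screen")
        if reasons:
            self.findings.append({
                "tag": tag,
                "src": a.get("src") or a.get("code") or a.get("data") or "",
                "line": self.getpos()[0],
                "reasons": reasons,
            })


def scan_html(html: str) -> list:
    """Return the list of suspicious tag findings for one HTML document."""
    parser = HiddenContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed page: one legitimate embedded player, then three injected tags.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="http://video.example.org/player" width="400" height="300"></iframe>
<p>Latest news...</p>
<iframe src="http://injected.example.invalid/x/index.php" width="1" height="1" frameborder="0"></iframe>
<applet code="A.class" width="0" height="0" style="display:none"></applet>
<iframe src="http://injected.example.invalid/x/in.php" style="position:absolute; top:-2000px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print(f"line {finding['line']}: <{finding['tag']}> {finding['src']} "
              f"({', '.join(finding['reasons'])})")
```

Style-based hiding applied through a stylesheet class or a wrapping div will slip past this, as will a frame written out by obfuscated JavaScript; for those cases the same checks need to run on the rendered DOM rather than the raw markup. As a first pass over a web root after a suspected compromise, though, a tiny or off-screen iframe pointing at a host the site never references is exactly the artifact to look for.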

********************************************************************
Title: Microsoft Security Bulletin Minor Revisions
Issued: July 12, 2007
********************************************************************

Summary
=======
The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS07-038 - Moderate
* MS07-039 - Critical
* MS07-040 - Critical
* MS07-041 - Important

Bulletin Information:
=====================

* MS07-038 - Moderate

- http://www.microsoft.com/technet/security/bulletin/ms07-038.mspx
- Reason for Revision: Bulletin revised. CVE hyperlink updated to correct CVE id. Workarounds Section updated to correct command line instructions.
- Originally posted: July 10, 2007
- Updated: July 12, 2007
- Bulletin Severity Rating: Moderate
- Version: 1.1

* MS07-039 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms07-039.mspx
- Reason for Revision: Bulletin Revised: Updating bulletin to add FAQ section for ADAM dependencies and why this update was deployed to all 2000 and 2003 systems.
- Originally posted: July 10, 2007
- Updated: July 12, 2007
- Bulletin Severity Rating: Critical
- Version: 1.1

* MS07-040 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms07-040.mspx
- Reason for Revision: Bulletin Updated: Corrected Windows Vista severity rating in the "Affected Software" table to Important. Corrected several instances in the file manifest tables incorrectly referencing a version of Mscordacwks.dll that is not installed on the system. Added an additional FAQ explaining why customers installing .NET Framework 3.0 should update .NET Framework 2.0 on their system. Added an additional FAQ for ASP.NET Web application developers.
- Originally posted: July 10, 2007
- Updated: July 12, 2007
- Bulletin Severity Rating: Critical
- Version: 1.1

* MS07-041 - Important

- http://www.microsoft.com/technet/security/bulletin/ms07-041.mspx
- Reason for Revision: Bulletin Updated: additional clarification has been added explaining that the vulnerability lies in an object IIS 5.1 uses to maintain statistics on hosted applications.
- Originally posted: July 10, 2007
- Updated: July 12, 2007
- Bulletin Severity Rating: Important
- Version: 1.1

********************************************************************
Title: Microsoft Security Bulletin Re-Release
Issued: July 12, 2007
********************************************************************

Summary
=======
The following bulletin has undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS07-036 - Critical

Bulletin Information:
=====================

* MS07-036 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms07-036.mspx
- Reason for Revision: Bulletin updated. Affected Products updated to include Microsoft Office 2004 for Mac. File Manifest information updated for Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007.
- Originally posted: July 10, 2007
- Updated: July 12, 2007
- Bulletin Severity Rating: Critical
- Version: 2.0

 

Symantec Products Real-Time Scanner Notification Window Privilege Escalation

Secunia Advisory:
SA26054

Release Date:
2007-07-12

Critical:

Less critical

Impact:
Privilege escalation

Where:
Local system

Solution Status:
Vendor Patch

Software:
Symantec AntiVirus Corporate Edition 10.x
Symantec AntiVirus Corporate Edition 9.x
Symantec Client Security 2.x
Symantec Client Security 3.x

Description:
A vulnerability has been reported in some Symantec products, which can be exploited by malicious, local users to gain escalated privileges.

The vulnerability is caused due to an error in the Real-Time scanner (RTVScan) component when displaying a notification window containing information on threats found on a system. This can be exploited to execute arbitrary code with SYSTEM privileges.

The vulnerability is reported in the following products and versions:
* Symantec AntiVirus Corporate Edition versions 9.0, 10.0 and 10.1
* Symantec Client Security versions 2.0, 3.0, and 2.1

Solution:
Apply updates.
http://www.symantec.com/enterprise/support/all_products.jsp

Symantec AntiVirus Corporate Edition 9.0:
SAV 9.0.6 MR6 MP1 - build 1100 or later

Symantec AntiVirus Corporate Edition 10.0/10.1:
10.1.4 MR4 MP1 - build 4010 or later

Symantec Client Security 2.0:
SCS 2.0.6 MR6 MP1 - build 1100 or later

Symantec Client Security 3.0/3.1:
SCS 3.1.4 MR4 MP1 - build 4010 or later

Provided and/or discovered by:
The vendor credits Ali Rhabar, Sysdream.

Original Advisory:
Symantec:
http://securityresponse.symantec.com/avcenter/security/Content/2007.07.11c.html

Source: Symantec Products Real-Time Scanner Notification Window Privilege Escalation - Advisories - Secunia

 

Symantec Products Internet Email Auto-Protect Stack Overflow

Secunia Advisory:
SA26036

Release Date:
2007-07-12

Critical:

Not critical

Impact:
DoS

Where:
Local system

Solution Status:
Vendor Patch

Software:
Symantec AntiVirus Corporate Edition 10.x
Symantec AntiVirus Corporate Edition 9.x
Symantec Client Security 2.x
Symantec Client Security 3.x

Description:
A vulnerability has been reported in some Symantec products, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to an error within the Internet Email Auto-Protect feature when scanning outgoing email messages. This can be exploited to cause a stack overflow via an email message containing an overly long (greater than 951 characters) string in the "To:", "From:", or "Subject" fields.

Successful exploitation crashes the Internet E-mail real-time protection service and results in subsequent outgoing SMTP email messages not being scanned.

The vulnerability is reported in the following products:
* Symantec AntiVirus Corporate Edition version 9.x and 10.0
* Symantec Client Security 2.0.x and 3.0.x

Solution:
Apply updates.
https://fileconnect.symantec.com/

Symantec AntiVirus Corporate Edition 9.x:
SAV 9 MR6 (SAV 9.0.6.1000) or later

Symantec AntiVirus Corporate Edition 10.0:
Update to version 10.1 or later

Symantec Client Security 2.0.x:
MR6 (build 1000-31)

Symantec Client Security 3.0.x:
Update to version 3.1 or later

Provided and/or discovered by:
The vendor credits Jordi Corrales.

Original Advisory:
Symantec:
http://securityresponse.symantec.com/avcenter/security/Content/2007.07.11b.html


Source: Symantec Products Internet Email Auto-Protect Stack Overflow - Advisories - Secunia
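A gateway-side check for the condition the advisory above describes, written here as an added example (not Secunia's or Symantec's code): it unfolds RFC 5322 headers and flags any To, From or Subject value longer than 951 characters, which lets an administrator catch such messages before an unpatched scanner crashes and stops scanning outgoing mail. The sample messages, the folding width and the helper names are constructed for the example.

```python
"""Flag outgoing messages whose To/From/Subject header exceeds the
951-character length named in the advisory. Added example, not vendor code."""
import re

HEADER_LIMIT = 951                      # threshold named in the advisory
WATCHED = ("to", "from", "subject")     # header fields named in the advisory


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Return (lower-cased name, unfolded value) pairs from a raw message's header block."""
    text = raw.replace("\r\n", "\n")
    head = text.split("\n\n", 1)[0]                 # headers end at the first blank line
    # RFC 5322 unfolding removes the line break but keeps the whitespace, so a
    # value folded across many short lines is measured at its true length.
    head = re.sub(r"\n(?=[ \t])", "", head)
    pairs = []
    for line in head.split("\n"):
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def oversized_headers(raw: str, limit: int = HEADER_LIMIT) -> list[tuple[str, int]]:
    """List (name, length) for every watched header whose unfolded value exceeds limit."""
    return [(n, len(v)) for n, v in parse_headers(raw) if n in WATCHED and len(v) > limit]


def longest_physical_line(raw: str) -> int:
    """Naive per-line measurement, for contrast: folding hides the real header size."""
    return max(len(line) for line in raw.replace("\r\n", "\n").split("\n"))


def folded_subject(n: int, width: int = 76) -> str:
    """Constructed test input: a Subject of n 'A' characters folded into width-char lines."""
    chunks = ["A" * width for _ in range(n // width)]
    if n % width:
        chunks.append("A" * (n % width))
    return "Subject: " + "\r\n ".join(chunks)


# Constructed sample messages (not from the advisory).
NORMAL_MSG = ("From: alice@example.test\r\nTo: bob@example.test\r\n"
              "Subject: quarterly numbers\r\n\r\nbody\r\n")
LONG_MSG = ("From: alice@example.test\r\nTo: bob@example.test\r\n"
            + folded_subject(1000) + "\r\n\r\nbody\r\n")

if __name__ == "__main__":
    print(oversized_headers(NORMAL_MSG))      # []
    print(oversized_headers(LONG_MSG))        # [('subject', 1013)]
    print(longest_physical_line(LONG_MSG))    # 85: every physical line looks harmless
```

The folded message never has a physical line longer than 85 characters, so a check that measures lines rather than unfolded values would pass it.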

 

Symantec Products SYMTDI.SYS IOCTL Handler Privilege Escalation

Secunia Advisory:
SA26042

Release Date:
2007-07-12

Critical:

Less critical

Impact:
Privilege escalation

Where:
Local system

Solution Status:
Vendor Patch

Software:
Symantec AntiVirus Corporate Edition 10.x
Symantec AntiVirus Corporate Edition 9.x
Symantec Client Security 2.x
Symantec Client Security 3.x
Symantec Norton AntiSpam 2005
Symantec Norton AntiVirus 2005
Symantec Norton AntiVirus 2006
Symantec Norton Internet Security 2005
Symantec Norton Internet Security 2006
Symantec Norton Personal Firewall 2005
Symantec Norton Personal Firewall 2006
Symantec Norton SystemWorks 2005
Symantec Norton SystemWorks 2006

CVE reference:
CVE-2007-3673 (Secunia mirror)

Description:
A vulnerability has been reported in various Symantec products, which can be exploited by malicious, local users to gain escalated privileges.

Insufficient address space verification within the 0x83022323 IOCTL handler in SYMTDI.SYS can be exploited to overwrite arbitrary memory and execute code with kernel privileges via specially crafted IRP parameters passed to the affected IOCTL handler.

The vulnerability is reported in SYMTDI.SYS versions prior to 7.0.0 and affects the following products:

* Norton AntiSpam 2005
* Norton AntiVirus 2005/2006
* Norton Internet Security 2005/2006
* Norton Personal Firewall 2005/2006
* Norton System Works 2005/2006
* Symantec AntiVirus Corporate Edition 9.x
* Symantec AntiVirus Corporate Edition 10.0/10.1
* Symantec Client Security 2.0/3.0/3.1

Solution:
Apply updates or run LiveUpdate. Please see the vendor's advisory for details.

Provided and/or discovered by:
Zohiartze Herce, reported via iDefense Labs.

Original Advisory:
Symantec:
http://securityresponse.symantec.com/avcenter/security/Content/2007.07.11d.html

iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=554

Source: Symantec Products SYMTDI.SYS IOCTL Handler Privilege Escalation - Advisories - Secunia

 

Symantec Products CAB and RAR Archive Handling Vulnerabilities

Secunia Advisory:
SA26053

Release Date:
2007-07-12

Critical:

Highly critical

Impact:
DoS
System access

Where:
From remote

Solution Status:
Vendor Patch

OS:
Symantec Gateway Security 5000 Series 3.x
Symantec Gateway Security 5400 Series 2.x

Software:
Symantec AntiVirus Corporate Edition 10.x
Symantec AntiVirus Corporate Edition 9.x
Symantec AntiVirus Corporate Edition for Linux
Symantec AntiVirus for Macintosh 10.x
Symantec AntiVirus for Network Attached Storage 4.x
Symantec AntiVirus Scan Engine 4.x
Symantec AntiVirus/Filtering for Domino 3.x
Symantec Brightmail AntiSpam 4.x
Symantec Brightmail AntiSpam 5.x
Symantec Brightmail AntiSpam 6.x
Symantec Client Security 2.x
Symantec Client Security 3.x
Symantec Mail Security for Domino 4.x
Symantec Mail Security for Domino 5.x
Symantec Mail Security for Exchange 4.x
Symantec Mail Security for Microsoft Exchange 5.x
Symantec Mail Security for Microsoft Exchange 6.x
Symantec Mail Security for SMTP 5.x
Symantec Norton AntiVirus 2004
Symantec Norton AntiVirus 2005
Symantec Norton AntiVirus 2006
Symantec Norton AntiVirus for Macintosh 10.x
Symantec Norton AntiVirus for Macintosh 9.x
Symantec Norton Internet Security 2004
Symantec Norton Internet Security 2004 Professional
Symantec Norton Internet Security 2005
Symantec Norton Internet Security 2006
Symantec Norton Internet Security for Macintosh 3.x
Symantec Norton Personal Firewall 2006
Symantec Norton SystemWorks 2004
Symantec Norton SystemWorks 2005
Symantec Norton SystemWorks 2006
Symantec Norton SystemWorks for Macintosh 3.x
Symantec Scan Engine 5.x
Symantec Web Security 3.x

Description:
Two vulnerabilities have been reported in various Symantec products, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

1) A boundary error within the Symantec Decomposer component when handling CAB archives can be exploited to execute arbitrary code via a specially crafted CAB archive.

2) An input validation error within the Symantec Decomposer component when handling RAR archives can be exploited to cause an infinite loop.

The vulnerabilities are reported in the following products and versions:
* Symantec Mail Security 8200 (all builds)
* Symantec Mail Security for Microsoft Exchange versions 4.6.3 and prior, 5.0.0.204, and 6.0.0 (all builds)
* Symantec Mail Security for Domino NT versions 4.1.4 and prior and 5.0.0.47 (all builds)
* Symantec AntiVirus/Filtering for Domino MPE(AIX, Linux, Solaris) versions 3.0.12 and prior (all builds)
* Symantec Scan Engine version 5.0.1 and prior (all builds)
* Symantec AntiVirus Scan Engine versions 4.1.8 and prior and 4.3.12 and prior (all builds)
* Symantec AntiVirus Scan Engine for MS ISA versions 4.3.12 and prior (all builds)
* Symantec AntiVirus Scan Engine for MS Sharepoint versions 4.3.12 and prior (all builds)
* Symantec AntiVirus Scan Engine for Messaging versions 4.3.12 and prior (all builds)
* Symantec AntiVirus for Network Attached Storage versions 4.3.12 and prior (all builds)
* Symantec AntiVirus Scan Engine for Clearswift versions 4.3.12 and prior (all builds)
* Symantec AntiVirus Scan Engine for Caching versions 4.3.12 and prior (all builds)
* Symantec Client Security versions 3.0, 3.x, and 2.x (all builds)
* Symantec Web Security versions 3.0.1.76 and prior (all builds)
* Symantec Gateway Security 5000 Series version 3.01 (all builds)
* Symantec Gateway Security 5400 Series version 2.0.1 (all builds)
* Symantec Brightmail AntiSpam versions 6.0.x, 5.5, and 4.x (all builds)
* Symantec AntiVirus Corporate Edition versions 10.1, 10.0, and 9.0 (10.1.5.5000 and prior and 9.0.6.1000 and prior)
* Symantec AntiVirus Corporate Edition for Linux
* Symantec AntiVirus for Macintosh version 10.x (all builds)
* Symantec Web Security for Microsoft ISA 2004 version 5.0 (all builds)
* Symantec Mail Security for SMTP version 5.0.0 (Windows/Linux/Solaris) and 5.0.1 (all builds)
* Norton AntiVirus 2004/2005/2006
* Norton Internet Security 2004/2005/2005.5 AntiSpyware Edition/2006
* Norton SystemWorks 2004/2005/2006
* Norton Personal Firewall 2006
* Norton AntiVirus for Macintosh versions 9.x and 10.x
* Norton Internet Security for Macintosh version 3.x
* Norton SystemWorks for Macintosh version 3.x

Solution:
Apply updates or run LiveUpdate. Please see the vendor's advisory for details.

Provided and/or discovered by:
The vendor credits the Zero Day Initiative.

Original Advisory:
Symantec:
http://securityresponse.symantec.com/avcenter/security/Content/2007.07.11f.html

Source: Symantec Products CAB and RAR Archive Handling Vulnerabilities - Advisories - Secunia

 

Government Servers Hosting Phishing Sites

In recent months, Symantec has detected a number of phishing sites that have been hosted on government URLs. In June alone, phishing sites were identified on government sites from the following countries: Thailand (.go.th), Indonesia (.go.id), Hungary (.gov.hu), Bangladesh (.gov.bd), Argentina (.gov.ar), Sri Lanka (.gov.lk), Ukraine (.gov.ua), China (.gov.cn), Brazil (.gov.br), Bosnia and Herzegovina (.gov.ba), Colombia (.gov.co), and Malaysia (.gov.my).

This might come as a surprise to some people, as governments are thought to have very secure computer systems. However, the quantity of phishing sites hosted on government domains around the world seems to suggest otherwise. These fraudulent sites look like legitimate Web sites and are designed to trick users into divulging personal information such as government-issued identity numbers, bank password, or credit card numbers. Most phishing sites are placed on government Web servers by hackers who have gained access to the server through a backdoor, a vulnerable Web interface, or some other means.

Hosting a phishing Web page on a government site has a number of advantages for a phisher. Government Web sites often receive a high volume of traffic, so their servers can handle the extra traffic generated by a phishing site. This extra traffic might not be noticed immediately, giving the phishing site a longer lifespan before it is detected and shut down. Perhaps most importantly, hosting a phishing site on an actual government URL gives the phishing site a sense of authenticity that’s hard to beat.

Posted by Nick Sullivan on July 12, 2007 05:00 AM

Source: Symantec Security Response Weblog: Government Servers Hosting Phishing Sites

 

Crime dramas in Internet-land

Wednesday July 11, 2007 at 1:53 pm CST
Posted by Allysa Myers

Trackback

Security news lately is starting to sound like an episode of CSI these days. Death, muggings, theft rings, racketeering, rogue phone taps… it’s the juiciest of evening news fodder!!

Today brings three articles pertaining to the real effects of cybercrime and its implications for the future. The first article discusses arrests that have been made due to the TJX and Polo Ralph Lauren data breaches, and why this was such a lucrative target. The second is a detailed account of a rogue wire-tap in a Greek cellphone provider’s network. The third deals with virtual muggings and the possibility of very real racketeering in Second Life.

To me, there are two things that stick out as particularly important messages:

  1. Technology is far outpacing our ability to deal with its implications.
  2. Cybercrime is simply crime and should be treated accordingly.

It’s been said a million times, but it bears repeating: The internet is very much the new “Old West”. We’re in a state of almost total lawlessness, because we have not yet found efficient ways to find and bring criminals to justice. And it’s not just Netizens who’re being harmed by cybercrimes. The victims of the TJX data breach were people who’d visited their brick and mortar stores. So, why is it that security has become such a monumentally complicated issue?

  1. Incredible financial incentive
  2. Lack of knowledge
  3. Lack of data retention
  4. Lack of cooperation

Put simply, the return on investment for cybercrime is enormous. The chance of being harmed in the process of crime is little to none, the time-span before the crime is noticed is longer, and arrests are still reasonably rare.

Both hardware and software change on a rapid basis. Being an expert on even one operating system is a never-ending learning process, and as a result the number of true experts is very few (especially when you consider how many are truly needed). Few governments, corporations or individuals adequately understand or prepare for cybercrime incidents. The “Athens Affair” and TJX incidents illustrate this in living color.

Because it is simply unfeasible to be an expert on more than a narrow range of computing knowledge, it’s of utmost importance for us to cooperate. E.g. Security companies working with ISPs and Law Enforcement, different departments within government bodies, companies or law enforcement agencies working with each other, etc. It’s the knowledge that comes through this cooperation which will be the most vital piece of the puzzle in finally getting cybercrime under control.

For every person reading this blog, here are some questions I put to you:

What is it you are doing, or could be doing, to share information to help end cybercrime? Do your friends and neighbors, your family, your political officials, or your company understand the importance of preparing for or dealing with cybercrime?

Source: Computer Security Research - McAfee Avert Labs Blog

 

U.S. Drug Enforcement Keylogging
Posted by Sean @ 11:29 GMT


http://chkpt.zdnet.com/chkpt/news.pod.daily.link/http://podcast-files.cnet.com/podcast/cnet_podcast071007.mp3

Should police "hack"? We asked this question last February. That post was about Germany's law enforcement and hinged on a legal analysis from the German courts.

Should police hack is still an open question. Do they hack is a different question…

CNET reporter Declan McCullagh has details on a United States Drug Enforcement Administration (DEA) investigation of alleged "ecstasy" makers that utilized keylogger software to gather evidence. This is only the second U.S. case in which McCullagh has found any such activity approved by a judge. You can listen to News.com's July 10th podcast for the full story. Listen to the first five minutes of the podcast.

Source: F-Secure : News from the Lab

 

MS07-040: .NET update trouble

Published: 2007-07-12,
Last Updated: 2007-07-12 12:28:30 UTC
by Swa Frantzen (Version: 1)

It seems there are a number of readers struggling with the MS07-040 patch for the .NET framework on what appears to be mostly clients.

The reports we got so far seem not to lead to any specific thing that happens in many cases, just various things going haywire. We really do appreciate the heads-up warnings we get from our readers, as they allow us to write little warnings like this one.

We'd like to offer two pieces of advice at this time:

  • If you run into trouble, do call Microsoft and open a case; it's the only way to get attention to the problem from those who know best how to fix it. It should be free. In the US, call 1-866-PCSAFETY; check their website for other countries. Support with patches should always be free.
  • Do read through the relevant KB for your specific combination of .NET framework version and OS; some of them were prepared in anticipation of certain problems. They are all linked from KB 931212.

--
Swa Frantzen -- NET2S

Source: SANS Internet Storm Center; Cooperative Network Security Community - Internet Security - isc