myITforum.com, Inc.


Harry Waldron - My IT Forums Blog

Sharing Security Developments, and Best Practices for corporate and home users

April 2008 - Posts

  • Kraken Botnet - Should a Good Worm be used to clean infected PCs?

     

    The e-Week cartoon above is excellent in illustrating the dangers of using a "good worm" to clean up perhaps the top botnet infection in the world.  While DV Labs might be able to accomplish this, there is always the danger that the bad guys could manipulate such a worm, and if something were to go wrong on an individual PC being cleaned there might be unintended consequences, even for a good deed.

    A better idea is for DV Labs to work with MSRC and share the Kraken encryption techniques so that they may be included in a future version of MSRT ... And as previously shared, there is no such thing as a good worm.

    http://dvlabs.tippingpoint.com/blog/2008/04/28/kraken-botnet-infiltration

    QUOTE: We have the ability to provide an 'update' through the existing Kraken protocol that can simply remove the Kraken zombie (again see "Owning Kraken" for a video demonstrating this capability). Is it wrong to do so? Although this discussion is similar to that of writing "good worms" that roam the internet patching vulnerable servers, there is a key difference in that a good worm can't be stopped. Once it has been released it is a self spreading uncontrollable entity. In our specific case however we have the ability to cease at any point. It is simply a one to one relationship.

  • Weak SQL coding techniques result in Huge SQL Injection attacks

    A new major security attack occurred over the weekend, where over one half million web pages became infected with malware agents.

    A major wave of automated SQL Injection attacks is occurring.  These have been designed and coded for the IIS and SQL Server environments.  There are no new vulnerabilities in these products; the attacks are succeeding on sites where security best practices have not been designed into the application (e.g., coding techniques that prevent the injection of malware into the website through a vulnerable SQL statement).

    Due to the increasing number of SQL Injection attacks in the wild, web developers need to ensure they are using the best development practices.  Users should continue to be cautious about the sites they visit and stay up to date on security patches and AV protection.

    Huge SQL Injection attacks infect 500,000 pages
    http://www.f-secure.com/weblog/archives/00001427.html
    http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9080580
    http://hackademix.net/2008/04/26/mass-attack-faq/

    QUOTE: There's another round of mass SQL injections going on which has infected hundreds of thousands of websites. Performing a Google search results in over 510,000 modified pages.  We've received some questions on the platform and operating systems affected by this attack. So far we've only seen websites using Microsoft IIS Web Server and Microsoft SQL Server being hit. Do note that this attack doesn't use vulnerabilities in any of those two applications. What makes this attack possible is poorly written ASP and ASPX (.net) code.

    IIS Blog - SQL Injection Attacks on IIS Web Servers
    http://blogs.iis.net/bills/archive/2008/04/25/sql-injection-attacks-on-iis-web-servers.aspx

    QUOTE: Instead, attackers have crafted an automated attack that can take advantage of SQL injection vulnerabilities in web pages that do not follow security best practices for web application development. While these particular attacks are targeting sites hosted on IIS web servers, SQL injection vulnerabilities may exist on sites hosted on any platform.

    MSRC Blog - Questions about Web Server Attacks
    http://blogs.technet.com/msrc/archive/2008/04/25/questions-about-web-server-attacks.aspx

    QUOTE: The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies. SQL injection attacks enable malicious users to execute commands in an application's database.  To protect against SQL injection attacks the developer of the Web site or application must use industry best practices outlined here.

    BEST PRACTICES - How to protect against SQL Injections
    http://msdn2.microsoft.com/en-us/library/ms998271.aspx

    -- Learn how SQL injection attacks work.
    -- Constrain input to prevent SQL injection.
    -- Use type safe SQL command parameters to prevent SQL injection.
    -- Use a least privileged account to connect to the database.
    -- Learn additional countermeasures to further reduce risk.
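    The following is an added example (it is not code from the blog or from the MSDN article) showing three of the practices above side by side: the weak string-concatenation pattern the mass attacks relied on, the parameterized and input-constrained replacements, and a least-privilege connection for page rendering. The affected sites were ASP/ASPX on SQL Server; sqlite3 is assumed here only so the example runs offline, and the table rows and the crafted input are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for a site's content table. The blog post
# discusses ASP/ASPX sites on SQL Server; sqlite3 is used here only so the
# example runs offline. The injection mechanics and the fix are the same.
ARTICLES = [
    (1, "Welcome", "<p>Hello</p>"),
    (2, "April news", "<p>Patch Tuesday summary</p>"),
]


def make_db():
    """Create an in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", ARTICLES)
    conn.commit()
    return conn


def lookup_vulnerable(conn, article_id):
    """The weak pattern: the request parameter is concatenated into the SQL
    text, so whatever the client sends is parsed as SQL."""
    sql = "SELECT id, title FROM articles WHERE id = " + article_id
    return conn.execute(sql).fetchall()


def lookup_bound(conn, article_id):
    """Parameterized query: the value is bound to a placeholder and is never
    parsed as SQL, so injected operators are compared as a plain string."""
    return conn.execute(
        "SELECT id, title FROM articles WHERE id = ?", (article_id,)
    ).fetchall()


def lookup_constrained(conn, article_id):
    """Constrain input and bind a typed parameter: an article id must be a
    positive integer, and anything else is rejected before any SQL runs."""
    if not article_id.isdigit():
        raise ValueError("article id must be a positive integer")
    return conn.execute(
        "SELECT id, title FROM articles WHERE id = ?", (int(article_id),)
    ).fetchall()


def page_serving_connection():
    """Least privilege for the connection that renders pages: it only needs to
    read. SQLite's query_only pragma stands in for a read-only database account."""
    conn = make_db()
    conn.execute("PRAGMA query_only = 1")
    return conn


def write_is_blocked(conn):
    """Return True if the connection refuses an UPDATE, i.e. an injection that
    reached this connection could not have modified stored page content."""
    try:
        conn.execute("UPDATE articles SET body = body || '<!-- tag -->'")
        return False
    except sqlite3.OperationalError:
        return True


if __name__ == "__main__":
    db = make_db()
    crafted = "1 OR 1=1"  # constructed input: a tautology appended to the id
    print("vulnerable: ", lookup_vulnerable(db, crafted))  # every row
    print("bound:      ", lookup_bound(db, crafted))       # no rows
    try:
        lookup_constrained(db, crafted)
    except ValueError as err:
        print("constrained:", err)                         # rejected
    print("write blocked on read-only connection:",
          write_is_blocked(page_serving_connection()))
```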


    What are SQL Injection attacks?
    http://en.wikipedia.org/wiki/SQL_injection
    http://msdn2.microsoft.com/en-us/library/ms161953.aspx
    http://msdn2.microsoft.com/en-us/library/bb671351.aspx

    QUOTE: SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It is in fact an instance of a more general class of vulnerabilities that can occur whenever one programming or scripting language is embedded inside another.

  • New Phishing Scam - Uses upcoming IRS Stimulus Rebate to trick users

    The most recent Government Computer News newsletter is warning of a new, well-designed IRS phishing scam. This attack appears to be related to the upcoming IRS rebates that are part of the 2008 Government Stimulus Package. While the email looks official and the social engineering is well done, it is important to recognize that the IRS and banks do not use email as a method of contacting individuals. They usually will call or conduct official business by mail only. Please avoid these attacks, as entering your bank account information into the realistic but false website could mean real losses of money to these criminals. It could also take months to clean up activity after an individual's credit or bank account information has been compromised.

    Phishing scam uses IRS rebate line to reel in victims
    http://www.gcn.com/online/vol1_no1/46153-1.html
    http://www.mxlogic.com/itsecurityblog/1/20...us-Payments.cfm
    http://mxlogic.com/itsecurityblog/1/2008/0...shing-Twist.cfm

    QUOTE: The tax filing season is past, the economic stimulus rebate season is upon us, and the phishers are changing their bait. The lure this time is the $600 rebate ($1,200 per household) that the Internal Revenue Service will begin sending to taxpayers in May and a supposed opportunity to speed up the process. E-mails purporting to be from the IRS are arriving in inboxes with instructions to recipients that if they visit the linked Web site and provide bank account and routing numbers their rebate can be deposited directly to the account more quickly. To add an element of urgency, the message includes a deadline — April 24 — for providing information, but that is likely to change.

    Right on cue we are starting to see phishing scams with an economic stimulus payment flavor. As we discussed in one of the IRS phishing scam blog entries we predicted that as the economic stimulus payment distribution got closer (currently scheduled to begin May 2nd based on the last two digits of your Social Security Number) we would start to see more scams around these payments. We are starting to see some of the first iterations of those scams today.



    EXAMPLE OF NEW PHISHING ATTACK:

    TO: ***************
    FROM: service@irs.gov
    SUBJECT: 2008 Economic Stimulus Refund.

    Over 130 million Americans will receive refunds as
    part of President Bush program to jumpstart the economy.

    Our records indicate that you are qualified to receive the
    2008 Economic Stimulus Refund.

    The fastest and easiest way to receive your refund is by
    direct deposit to your checking/savings account.

    Please click on the link and fill out the form and submit
    before April 24th, 2008 to ensure that your refund will be
    processed as soon as possible.

    Submitting your form on April 24th, 2008 or later means that
    your refund will be delayed due to the volume of requests we
    anticipate for the Economic Stimulus Refund.

  • IT Security website - 103 Free Security Utilities featured

    The IT Security website features a good categorized list of free security utilities. Some of these are trial versions, limited versions of the full product, or web based facilities. Even folks on a very tight budget can protect their systems well with many of these free tools.

    IT Security website - 103 Free Security Utilities featured
    http://www.itsecurity.com/features/103-best-free-security-utilities-041608/

    QUOTE: Competition drives prices down, regardless of the industry. With a crowded field of vendors jockeying to be the trusted source of computer security for your home and office, prices for many of the essential elements of your security system have reached zero. Free downloads, free trials, free scans and freeware is everywhere. If you’re willing to go without premium features like phone support, you can have a simple version of powerful software that large companies pay big bucks for.

  • Hackers use XSS flaw to attack Barack Obama's web site

    XSS scripting flaws are a common weakness in many websites.  From a web development standpoint, secure designs and programming techniques are essential.  It is always important to keep IE and all other browsers on the latest version and security patches.  This is especially important as phishing attacks are increasing and may even appear genuine at times.
     
    Hackers use XSS flaw to attack Barack Obama's web site
    http://blogs.pcmag.com/securitywatch/2008/04/a_hack_we_can_believe_in.php
    http://news.netcraft.com/archives/2008/04/21/hacker_redirects_barack_obamas_site_to_hillaryclintoncom.html

    QUOTE: A security weakness in Barack Obama's website has been exploited to redirect visitors to Hillary Clinton's website. Visitors who viewed the Community Blogs section of the site were instead presented with Clinton's website as a result of a cross-site scripting vulnerability.

    The Obama hack used a cross-site scripting flaw in the site to redirect users from Obama's Community Blogs section to HillaryClinton.com. XSS bugs are getting far more attention lately than they had been in the past, perhaps because they are so widespread. And since the answer to them is good programming practices rather than running some security product, they can be difficult to snuff out.

    Good overview of XSS redirect issues
    http://en.wikipedia.org/wiki/Cross-site_scripting

    Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts. An exploited cross-site scripting vulnerability can be used by attackers to bypass access controls such as the same origin policy. Vulnerabilities of this kind have been exploited to craft powerful phishing attacks and browser exploits.

  • Storm Worm - Latest Developments include Blog and Codec based attacks

    The Storm worm attacks continue to change as they use malicious blog or YouTube-like streaming video links in order to trick users.  Everyone should be as cautious with URLs found in an email as they are with attachments.  Clicking on these links can lead to infection, as the malware agent is advanced (e.g., rootkit) and highly polymorphic (i.e., MD5 based signatures change almost hourly).


    Storm Worm - Blog Attacks
    http://www.f-secure.com/weblog/archives/00001415.html

    Storm has once again turned its eye to the blogging community, specifically the Blogspot.com community. Several blogger sites with random or very quirky names have been sporting a love theme, Storm style. These sites appear to have been created solely for Storm's purposes and no legitimate blogger site has of yet been reported as infected.

    Visiting these sites will lead you to another page, while keeping the Blogger menu at the top. Clicking the site's image downloads a file called love.exe while clicking the link will provide withlove.exe.


    Storm Worm - Codec based Video Attacks
    http://blog.trendmicro.com/storm-now-on-video/

    QUOTE: Looks like the Storm gang (or at least the Russian/Ukrainian criminals behind it) is expanding its business.  Is it because of the “arrival” of Kraken, which, following the footsteps of MayDay and Mega-D, is challenging the said gang for the “Biggest Zombie Network” title? Whatever the case, only days after re-professing its love to unsuspecting users via blog pages, the Storm malware is at it again, this time posing as a video codec.

    TrendLabs researchers discovered several sites that offer, what looks like, a YouTube-look-alike streaming video. The infection vector and messaging is actually still the same, that is, users are most likely to access this site via links on specially crafted, love-themed blogs. What is interesting this time is that on the said site, users are required to download the so-called Storm Codec in order to view the said video. Yes, you read that right: the codec is called Storm Codec. Below is a screenshot:

    If the social engineering tactic of using video codecs is familiar, it’s because it is — ZLOB Trojans became infamous because of it, after all (see some detailed analysis here). Thus, the Storm gang’s attempt to venture into the said codec “business” has our researchers speculating whether they are now in cahoots with the ZLOB authors, or that they are trying to take over ZLOB’s niche, much like they did with STRATION when the two first started battling it out late 2006. Or maybe the gang is just trying to reaffirm to their competition that they’re still the one to beat.

  • Adobe Photoshop - Unpatched BMP image vulnerability

    Adobe is working to promptly correct this security issue.  Users should be careful in loading image files into the Photoshop environment (esp. from email, USB devices, or any other untrusted sources).

    Adobe Products BMP Handling Buffer Overflow Vulnerability 
    http://secunia.com/advisories/29838/

    QUOTE: Successful exploitation may allow execution of arbitrary code via a specially crafted BMP file. Reportedly, the vulnerability can also be exploited when a malicious storage device (e.g. USB drives, cameras) is being attached to a vulnerable computer. The vulnerability is reported in Adobe Photoshop Album Starter Edition 3.2 and Adobe After Effects CS3. Other versions may also be affected.

    Solution: Do not process untrusted BMP files using the affected applications. Do not connect untrusted storage devices to the local computer.

    Original Advisory - Adobe:
    http://www.adobe.com/support/security/advisories/apsa08-04.html
    http://archives.neohapsis.com/archives/fulldisclosure/2008-04/0551.html

  • Microsoft IIS Vulnerability - Security Advisory 951306

    The latest versions of the Internet Information Services (IIS) facilities have enjoyed an excellent track record in the area of security.  Recently, a new vulnerability was discovered that could allow user privileges to be manipulated and escalated in an unauthorized manner.
     
    Additional resources are noted below, including a highly technical overview on Token Kidnapping.  Thankfully, the details related to this exposure have been confidentially shared with Microsoft in a responsible manner.  Currently, there are no known exploits related to this vulnerability circulating in the wild. 

    Microsoft Security Advisory (951306)
    Vulnerability in Windows Could Allow Elevation of Privilege

    http://www.microsoft.com/technet/security/advisory/951306.mspx

    QUOTE: Microsoft is investigating new public reports of a vulnerability which could allow elevation of privilege from authenticated user to LocalSystem, affecting Windows XP Professional Service Pack 2 and all supported versions and editions of Windows Server 2003, Windows Vista, and Windows Server 2008. Customers who allow user-provided code to run in an authenticated context, such as within Internet Information Services (IIS) and SQL Server, should review this advisory. Hosting providers may be at increased risk from this elevation of privilege vulnerability.

    Currently, Microsoft is not aware of any attacks attempting to exploit the potential vulnerability. Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through a service pack, our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

    IIS Vulnerability Documented by Microsoft - Includes Workarounds
    http://isc.sans.org/diary.html?storyid=4306

    Token Kidnapping and Impersonation - by Cesar Argeniss
    http://www.argeniss.com/research/TokenKidnapping.pdf

  • Leadership Principles - Avoid Micromanaging Employees

    I enjoyed this article and agree in principle with most of the recommendations. While leaders must manage by walking around and inspecting work, they should also allow team members some space as professionals to do their job well.

    Folks who are constantly watched and critiqued on every move they make will become nervous and less effective in their work. They may withhold from the manager and team the ideas and participation that could make an essential difference on the project.

    Article: If you micromanage, no one wins
    http://blogs.techrepublic.com.com/career/?p=297

    QUOTE: So do you want to break the micromanaging habit? The Dallas Morning News offers this list of tips to avoid micromanaging:

    Part 1 - Methods to change leadership styles

    * Focus on communication and trust.
    * Assign tasks that include clear, specific, and time-bound expectations.
    * Allow employees to figure out how they’ll accomplish the task.
    * Set up status reports that fit the scope of the assignment but aren’t too burdensome.
    * Let employees know that you’re trying to change and give them a safe way to point it out if you slip.

    Part 2 - Be a leader

    Leadership skills bring more value and will increase satisfaction for everyone, including you. Options include:

    * Investing in each employee through coaching, challenging work, and development.
    * Removing barriers to success that your team members face.
    * Expressing a meaningful vision to your employees.

    Below is also an additional related article:

    Article: Can a Micromanager be cured
    http://blogs.techrepublic.com.com/career/?p=196

  • Apple Safari 3.1.1 for Windows - Critical Security Release

    Apple has just released critical security updates for the Windows version of Safari that should be applied promptly for folks using this complementary browser in the Windows environment.

    Apple Safari 3.1.1 for Windows - Critical Security Release
    http://secunia.com/advisories/29846/
    http://support.apple.com/kb/HT1467
    http://www.apple.com/downloads/


    Windows XP or Vista Safari -- CVE-ID: CVE-2007-2398

    Impact: A maliciously crafted website may control the contents of the address bar

    Description: A timing issue in Safari 3.1 allows a web page to change the contents of the address bar without loading the contents of the corresponding page. This could be used to spoof the contents of a legitimate site, allowing user credentials or other information to be gathered. This issue was addressed in Safari Beta 3.0.2, but reintroduced in Safari 3.1. This update addresses the issue by restoring the address bar contents if a request for a new web page is terminated. This issue does not affect Mac OS X systems.
     

    Windows XP or Vista Safari -- CVE-ID: CVE-2008-1024

    Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution

    Description: A memory corruption issue exists in Safari's file downloading. By enticing a user to download a file with a maliciously crafted name, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of file downloads. This issue does not affect Mac OS X systems.

  • Firefox 2.0.0.14 - Security release

    As Firefox is a popular complementary or stand-alone browser, users should apply this fix and stay up-to-date.  Most users will be automatically updated and they should apply this update if prompted.

    Firefox 2.0.0.14 - Security release
    http://www.mozilla.com/en-US/firefox/2.0.0.14/releasenotes/

    Fixed in Firefox 2.0.0.14

    MFSA 2008-20 Crash in JavaScript garbage collector
    http://www.mozilla.org/security/announce/2008/mfsa2008-20.html

    QUOTE: Fixes for security problems in the JavaScript engine described in MFSA 2008-15 (CVE-2008-1237) introduced a stability problem, where some users experienced crashes during JavaScript garbage collection. This is being fixed primarily to address stability concerns. We have no demonstration that this particular crash is exploitable but are issuing this advisory because some crashes of this type have been shown to be exploitable in the past.

  • Passwords - Would you disclose this for a Chocolate Bar?

    The good news in this annual survey is that folks are more aware of the dangers of password disclosure, as the percentage of folks willing to disclose their password has dropped compared to prior years.

    However, I do have a weakness for chocolate.

    People still give passwords for chocolate
    http://sunbeltblog.blogspot.com/2008/04/people-still-give-passwords-for.html

    QUOTE: A survey by Infosecurity Europe of 576 office workers has found that women are far more likely to give away their passwords to total strangers than their male counterparts, with 45% of women versus 10% of men prepared to give away their password to strangers masquerading as market researchers with the lure of a chocolate bar as an incentive for filling in the survey. The survey was actually part of a social engineering exercise to raise awareness about information security. The survey was conducted outside Liverpool Street Station in the City of London.

    This year’s survey results were significantly better than previous years. In 2007 64% of people were prepared to give away their passwords for a chocolate bar, this year it had dropped to just 21% so at last the message is getting through to be more infosecurity savvy.

    Another slightly worrying fact discovered by researchers is that over half of people questioned use the same password for everything (e.g. work, banking, web, etc.)

  • SRI's New Malware Threat Monitoring Site

    This new facility provides tracking of malware developments and is recommended to be added to Favorites or Bookmarks for folks in the security profession.

    Malware Threat Center - General Information
    http://www.msnbc.msn.com/id/24049307/
    http://mtc.sri.com/about_mtc/

    MAIN SITE FOR MONITORING MALWARE DEVELOPMENTS
    http://mtc.sri.com/

    QUOTE: MENLO PARK, CA - SRI International, an independent nonprofit research and development organization, today announced the launch of the Malware Threat Center (http://mtc.sri.com), a website dedicated to fighting malware. SRI's Malware Threat Center posts daily updates of firewall filters, malware-related domain name system (DNS) names, antivirus statistics, intrusion detection system (IDS) signatures, and malware binary data to help network administrators understand current and emerging computer security threats and provide key network defense information that can be configured into security products to help network administrators fend off the latest malware threats.

  • Oracle - April Security Updates 41 patches for their product family

    DBAs and Admins should deploy these patches expediently after lab testing, to ensure the best levels of security and information protection.

    http://isc.sans.org/diary.html?storyid=4283
    http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html

    QUOTE: Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible. This Critical Patch Update contains 41 new security fixes across all products.

    The Critical Patch Update Advisory is the starting point for relevant information. It includes a list of products affected, pointers to obtain the patches, a summary of the security vulnerabilities, and links to other important documents. Supported Products that are not listed in the "Supported Products and Components Affected" Section of the advisory do not require new patches to be applied. Also, it is essential to review the Critical Patch Update supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.

    The Critical Patch Update Advisory is available at any of the following locations:

    Oracle Technology Network

    Oracle, PeopleSoft and JD Edwards products

    The next four Critical Patch Update release dates are:

    July 15, 2008
    October 14, 2008
    January 13, 2009
    April 14, 2009

  • Microsoft April Security Updates - MS08-021 Exploit in-the-wild

    Based on ISC and Symantec's warnings below, it appears that MS08-021 is being actively exploited in the wild.  It is advised that folks apply the April updates as quickly as possible using the Windows Update process.

    Microsoft April Security Updates - MS08-021 Exploit in-the-wild
    http://isc.sans.org/diary.html?storyid=4274
    www.symantec.com/security_response/threatcon/index.jsp

    QUOTE: The ThreatCon is currently at Level 2. The DeepSight honeynet has observed in-the-wild exploit attempts targeting a GDI vulnerability patched by Microsoft on April 8, 2008. The malicious image appears to target the Microsoft Windows GDI Stack Overflow Vulnerability (BID 28570).

    At least three different sites are hosting the images; two different malicious binaries are associated with the attacks. Analysis of the images has shown that although they appear to be malicious, they do not contain enough data in the associated image property to sufficiently trigger the vulnerability.

    We are still investigating as to why this may be the case. Users are advised to apply the MS08-021 patches immediately. These attack attempts highlight the severity of this issue -- it is only a matter of time before new images that successfully trigger the issue are observed in the wild.

  • Kraken - Large sophisticated Botnet discovered

    AV researchers have recently discovered a new botnet that may be as large and as sophisticated as the Storm Worm network.  This new botnet uses some of the following advanced techniques:

    -- encrypted communications (to evade firewall, IDS, and AV detections)
    -- encrypted payloads (to evade AV detections)
    -- polymorphic droppers (malicious web based downloads that constantly change)
    -- multi-threaded spam engine (over 500,000 spam entries observed to be sent from one "zombie" PC owned by this network)
    -- command-and-control server redundancy (when a master server is taken offline by authorities, new master servers are automatically re-hosted)

    There are still many unknowns at this point.  Only 20% of AV vendors are estimated to have coverage at this point, but this is expected to improve as more technical details of this new threat emerge. 

    Kraken - Large sophisticated botnet discovered
    http://www.symantec.com/enterprise/security_response/weblog/2008/04/kracken_to_out_do_storm.html
    http://en.wikipedia.org/wiki/Kraken_botnet
    http://isc.sans.org/diary.html?storyid=4250
    http://www.f-secure.com/weblog/archives/00001418.html
    http://www.darkreading.com/document.asp?doc_id=150292&WT.svl=news1_1
    http://www.theregister.co.uk/2008/04/07/kraken_botnet_menace/
    http://www.theregister.co.uk/2008/04/09/kraken_disagreement/

    QUOTE: There is news that there is a new botnet in town, over twice the size of the Storm Worm in town called Kraken. Researchers from Damballa have discovered and tracked it the last two weeks and I'm guessing from news reports have presented their findings at RSA.

    The so-called Kraken botnet has been spotted in at least 50 Fortune 500 companies and is undetectable in over 80 percent of machines running antivirus software. Kraken appears to be evading detection by a combination of clever obfuscation techniques, including regularly updating its binary code and structuring the code in such a way that hinders any static analysis, says Paul Royal, principal researcher at Damballa.

    "It's easy to trace but slow to get antivirus coverage. It seems to imply [the creators] have a good understanding of how AV tools operate and how to evade them," Royal says.

    Just how Kraken is infecting machines is still unclear, but Royal says the malware seems to appear as an image file to the victim. When the victim tries to view the image, the malware is loaded onto his or her machine. "We know the picture... ends in an .exe, which is not shown" to the user, Royal says.

    Kraken's bots and command and control servers communicate via customized UDP and TCP-based protocols, he says, and the botnet has built-in redundancy features that automatically generate new domain names if a C&C server gets shut down or becomes disabled. "And the actual payload is encrypted," Royal says.

    Kraken is thought to be infecting computers by using social engineering methods similar to those used by Storm. The malicious code is believed to be posing as an image file to the user, although this has yet to be confirmed. At the time of writing, the Trojan is serving up debt consolidation and gambling-related spam linking to Chinese sites.

  • Google App Engine licenced to run web applications in the Google cloud

    Security is always a predominant concern for any Internet or Intranet hosted application.  Corporate developers should carefully research how information, web applications, and users would be protected in this environment.  While security controls are built into the new facility, Google is one of the most attacked sites on the Internet due to its popularity.

    Below are some recent security concerns:   

    1. Google needs to continue improving privacy protection:

    http://arstechnica.com/news.ars/post/20070611-google-named-worst-privacy-offender-in-study.html

    2. Sunbelt continues to note recent issues, as Google is one of the most popular sites on the Internet and it is subject to constant attacks:

    http://sunbeltblog.blogspot.com/2008/04/google-groups-continues-to-be-inundated.html

    3. Google poisoning attacks have taken place, where the cloud has been seeded with malicious web links.  Google has quickly cleaned these up in the past.

    http://redtape.msnbc.com/2007/12/virus-experts-w.html


    -----------------------------------------

    Google’s App Engine lets you run your apps in the Google cloud
    http://blogs.techrepublic.com.com/hiner/?p=654

    QUOTE: Google on Tuesday launched its App Engine, which allows developers to run their Web applications on the search giant’s computing cloud. With Google App Engine, developers can write web applications based on the same building blocks that Google uses, like GFS and Bigtable. Google App Engine packages those building blocks and provides access to scalable infrastructure that we hope will make it easier for developers to scale their applications automatically as they grow. This means they can spend less time dealing with system administration and maintenance, and more time building and improving their applications.

    Google App Engine - Home Page
    http://code.google.com/appengine/

    Google App Engine - New Blog
    http://googleappengine.blogspot.com/2008/04/introducing-google-app-engine-our-new.htm

    Google App Engine - Details including Security controls
    http://code.google.com/appengine/docs/whatisgoogleappengine.html

    QUOTE: SANDBOX SECURITY CONTROLS -- Applications run in a secure environment that provides limited access to the underlying operating system. These limitations allow App Engine to distribute web requests for the application across multiple servers, and start and stop servers to meet traffic demands. The sandbox isolates your application in its own secure, reliable environment that is independent of the hardware, operating system and physical location of the web server. Examples of the limitations of the secure sandbox environment include:

    * An application can only access other computers on the Internet through the provided URL fetch and email services and APIs. Other computers can only connect to the application by making HTTP (or HTTPS) requests on the standard ports.

    * An application cannot write to the file system. An app can read files, but only files uploaded with the application code. The app must use the App Engine datastore for all data that persists between requests.

    * Application code only runs in response to a web request, and must return response data within a few seconds. A request handler cannot spawn a sub-process or execute code after the response has been sent.

  • Microsoft Security Bulletins - April 2008

    Microsoft has released several important monthly updates that improve the security of Windows, IE, and Office.  These should be applied promptly to protect against malicious exploit developments that could surface later. So far, these updates are working well on my two XP based systems at work.

    Microsoft Security Bulletins - April 2008
    http://www.microsoft.com/technet/security/bulletin/ms08-apr.mspx

    Microsoft Security Bulletins - Additional Resources
    ISC provides excellent updates on issues or exploit developments
    http://isc.sans.org/diary.html?storyid=4264
    http://www.f-secure.com/weblog/archives/00001417.html


    MS08-018: Vulnerability in Microsoft Project Could Allow Remote Code Execution (950183)

    Summary: This security update resolves a privately reported vulnerability in Microsoft Office Project that could allow remote code execution if a user opens a specially crafted Project file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    Rating: Critical
    Impact: Remote Code Execution
    Affected Software: Project 2000, 2003
    http://www.microsoft.com/technet/security/Bulletin/MS08-018.mspx


    MS08-021: Vulnerabilities in GDI Could Allow Remote Code Execution (948590)

    Summary: This security update resolves two privately reported vulnerabilities in GDI. Exploitation of either of these vulnerabilities could allow remote code execution if a user opens a specially crafted EMF or WMF image file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Rating: Critical
    Impact: Remote Code Execution
    Affected Software: Microsoft Windows
    http://www.microsoft.com/technet/security/Bulletin/MS08-021.mspx


    MS08-022: Vulnerability in VBScript and JScript Scripting Engines Could Allow Remote Code Execution (944338)

    Summary: This security update resolves a privately reported vulnerability in the VBScript and JScript scripting engines in Windows. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Rating: Critical
    Impact: Remote Code Execution
    Affected Software: Microsoft Windows
    http://www.microsoft.com/technet/security/Bulletin/MS08-022.mspx

     

    MS08-023: Security Update of ActiveX Kill Bits (948881)

    Summary: This security update resolves one privately reported vulnerability for a Microsoft product. This update also includes a kill bit for the Yahoo! Music Jukebox product. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    Rating: Critical
    Impact: Remote Code Execution
    Affected Software: Microsoft Windows, Internet Explorer.
    http://www.microsoft.com/technet/security/Bulletin/MS08-023.mspx


     
    MS08-024: Cumulative Security Update for Internet Explorer (947864)

    Summary: This security update resolves one privately reported vulnerability. The vulnerability could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    Rating: Critical
    Impact: Remote Code Execution
    Affected Software: Microsoft Windows, Internet Explorer. 
    http://www.microsoft.com/technet/security/Bulletin/MS08-024.mspx


    MS08-020: Vulnerability in DNS Client Could Allow Spoofing (945553)

    Summary: This security update resolves a privately reported vulnerability. This spoofing vulnerability exists in Windows DNS clients and could allow an attacker to send specially crafted responses to DNS requests, thereby spoofing or redirecting Internet traffic from legitimate locations.

    Rating: Important
    Impact: Spoofing
    Affected Software: Microsoft Windows.
    http://www.microsoft.com/technet/security/Bulletin/MS08-020.mspx


    MS08-025: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (941693)

    Summary: This security update resolves a privately reported vulnerability in the Windows kernel. A local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts.

    Rating: Important
    Impact: Elevation of Privilege
    Affected Software: Microsoft Windows.
    http://www.microsoft.com/technet/security/Bulletin/MS08-025.mspx


    MS08-019: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (949032)

    Summary: This security update resolves privately reported vulnerabilities in Microsoft Office Visio that could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    Rating: Important
    Impact: Remote Code Execution
    Affected Software: Microsoft Visio
    http://www.microsoft.com/technet/security/Bulletin/MS08-019.mspx

  • Phishing Attacks disguised as Microsoft Security Bulletin releases

    Emails with the subject line of "Critical Patch Released: Microsoft Security Bulletin MS08-64738" should be deleted as malware could be automatically downloaded and silently installed on vulnerable PCs.

    Email Attack Targeting Microsoft's April Security Bulletin Release Cycle
    http://www.us-cert.gov/current/index.html#email_attack_targeting_microsoft_s

    QUOTE: US-CERT has seen reports of an email attack targeting Microsoft's April Security Bulletin release cycle. This attack arrives via email messages with the subject line "Critical Patch Released: Microsoft Security Bulletin MS08-64738." These email messages contain a link to a fraudulent Microsoft Update web site that hosts malicious code or contains an attachment that is embedded with malicious code. Users who follow the link or open the attachment may become infected with a Trojan.

  • Sarbanes-Oxley compliancy - PCAOB Audit Standard 5 resources

    In the Sarbanes-Oxley business forums, some resources were shared that can help companies meet these regulatory requirements in an effective manner.  These links are "must reads" for anyone having to support SOX 404 requirements.

    Sarbanes-Oxley compliancy - PCAOB Audit Standard 5 resources
    http://www.pcaob.org/Rules/Docket_021/2007-05-24_Release_No_2007-005.pdf 
    http://www.sec.gov/rules/interp/2007/33-8810.pdf
    http://en.wikipedia.org/wiki/SOX_404_top-down_risk_assessment 
    http://en.wikipedia.org/wiki/Auditing_Standards_Board 
    http://www.itcinstitute.com/display.aspx?ID=3600 
    http://www.google.com/search?hl=en&q=pcaob+as5 

    QUOTE: In financial auditing of public companies in the United States, SOX 404 top-down risk assessment (TDRA) is a financial risk assessment performed to comply with Section 404 of the Sarbanes-Oxley Act of 2002 (SOX 404). The term is used by the U.S. Public Company Accounting Oversight Board (PCAOB) and the Securities and Exchange Commission (SEC). The TDRA is used to determine the scope and required evidence to support management's testing of its internal controls under SOX404. It is also used by the external auditor to issue a formal opinion on the company's internal controls. However, as a result of the passage of Auditing Standard No. 5, which the SEC has since approved, external auditors are no longer required to provide an opinion on management's assessment of its own internal controls.

  • Microsoft targets Windows 7 for 2010

    Windows 7 is the code name for the operating system that will eventually replace Vista as Microsoft's current version.  Beta versions will most likely emerge in 2009, with the final release most likely sometime in 2010 after extensive internal and public testing.

    Windows 7 In 2010, Microsoft Says
    http://www.informationweek.com/news/windows/operatingsystems/showArticle.jhtml?articleID=207100040

    QUOTE: "We are currently in the planning stages for Windows 7 and development is scoped to three years from Windows Vista consumer" general availability, a Microsoft spokesman said in an e-mail Friday to InformationWeek. Windows Vista was released to consumers in late January 2007. That means Windows 7 would not be released until January 2010, according to Microsoft's statement.

  • Opera 9.27 - Important Security Release

    All users of the Opera browser should move to the latest version.  In most cases they will be prompted to update; version 9.27 fixes two recently discovered security vulnerabilities that are rated as critical.

    Opera 9.27 - Important Security Release
    http://isc.sans.org/diary.html?storyid=4235
    http://www.opera.com/support/search/view/881/
    http://www.opera.com/support/search/view/882/

    Changelog for Opera 9.27 for Windows
    http://www.opera.com/docs/changelogs/windows/927/


    QUOTE: Changes Since Opera 9.26

    * Security - Fixed an issue where newsfeed prompts could cause Opera to execute arbitrary code, as reported by Michal Zalewski. See our advisory.

    * Security - Solved an issue where resized canvas patterns could cause Opera to execute arbitrary code, as reported by Michal Zalewski. See our advisory.

    * Improved keyboard handling of password inputs, as reported by Trystan S.

    * Fixed a BitTorrent transfer stability issue.

    * Resolved stability issues with the Acid 3 test.

    * Additional stability fixes.

    Opera 9.27 - Download site
    http://www.opera.com/download/

  • More IRS Attacks - Dangerous new customized scam steals data

    As tax preparation season is in full swing in the USA, attacks continue to surface.  Sunbelt reports a highly convincing targeted attack that was made on one of their key financial contacts.  The IRS, government agencies, and banks do not use email as a primary method of contact, so when such messages are received please avoid selecting any links or attachments.  When in doubt on any email message, please contact the originating party by phone.

    IRS Phishing Attack - Dangerous new customized scam steals data
    http://sunbeltblog.blogspot.com/2008/04/heads-up-dangerous-new-customized-irs.html

    QUOTE: This afternoon, we got a highly customized email purporting to come from the IRS, which of course, does nothing more than load malware. The email is made out to a key financial contact here at Sunbelt.

    Once clicked, the .scr file downloads several other files and reaches out to several servers including the "Office of the Attorney General - California Department of Justice" - where a PDF file is downloaded from and opened using your default PDF viewer. The entire purpose of this PDF is to make things look official. Otherwise, it’s meaningless, and does not appear to be malicious.

    Then, a number of other URLs are contacted to download malware, and the user is left with a keylogger on their system. It also appears that malware is downloaded from a number of compromised sites.

    The Internet Storm Center team also shares more information:

    Internet Storm Center - More on TAX Day based Attacks
    http://isc.sans.org/diary.html?storyid=4237

    EMAIL FORMAT USED:

    Dear [Name of Executive]

    I am sorry but in order for [Name of Firm] to get a tax refund, all the fields must be completed. Please complete the missing fields on the attached form and re-send it to me.

    nicely adorned with bells & whistles to make it look like it really comes from the IRS.  Another series uses the old "A tax complaint has been filed against you" line, which probably is less likely to get the Execs to click. But who doesn't want a refund ...

  • Internet Explorer - Turning off some services can improve performance and security

    Recently DV Labs sponsored a security contest between laptops using Mac, Vista, and Linux operating systems. Vista did well in these tests, until a new unknown vulnerability in Adobe Flash was discovered.  This vulnerability was disclosed only to Adobe and it is not a current threat.  It will most likely be fixed quickly.

    While this threat is not in the wild, I wanted to better learn how to toggle Flash off and on.  In using other complementary browsers, I've gotten along well without Flash or other plug-ins installed.  Using Internet Explorer (IE8 beta), I decided to turn Flash off, as this was invoked mainly for advertising purposes in about 90% of websites visited. It worked well in blocking Flash animation. 

    The only issue is a warning message which asks: "the website is requesting a service, would you like to install?". If you ignore the message and continue, it disappears quickly.  I'd rather have the message than the Flash presentation sometimes.  Still, when you need Flash restored, it can be toggled back on as noted in the steps below.

    Later, Adobe PDF and Windows Media player were added to the list of disabled services in IE, as I rarely start these in browser mode.  IE performance improved substantially, as all 3 services are complex.  Our family PC is also an older model and these types of service reducing tweaks throughout IE and Windows have helped with throughput.  I'm staying with these settings and will toggle them back on, if there's a good requirement to do so.

    IE Settings - Disable/enable add-in services (e.g., Flash)

    Tools >>> Internet Options >>> Program Tab >>> Manage add-on options button >>> Filters >>> Add-ons that run without requiring permission >>> Select Shockwave Object >>> Click Disable button at bottom

    To re-enable Flash, all you need to do is follow the steps above and select the Enable button in the last step.  If desired, you can also disable Adobe PDF Reader and Windows Media Player from starting within IE.  They will still work properly when started outside of IE.  As the settings work like the Flash process noted above, these services can also be toggled back on if needed.

    CAUTIONARY NOTES IN SETTINGS ABOVE:

    1. Avoid making these changes unless you are familiar with IE settings and understand the technical steps noted above.

    2. Avoid disabling other services, as doing so could affect or break browser functions.

    3. Flash might be used heavily by an email website or forum you post to frequently, in which case the warning message could appear often.

    4. The technical settings were specifically for IE 8 and they should work for IE 7.  I'm not certain if IE 6 supports service disabling in the same manner as described above.  If the technical settings don't match up well, users should avoid making these changes.
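    As an added example (not from the original post) for verifying an add-on's state from the registry rather than the GUI: the script below reports, for one CLSID, whether the machine-wide ActiveX kill bit is set (the same mechanism the MS08-023 bulletin above uses) and what the per-user Manage Add-ons entry holds. The Flash CLSID is Adobe's public registration; the Ext\Settings location and the meaning of its Flags value are assumptions, so that value is reported raw rather than interpreted.

```powershell
# Added example, not part of the original post: audit an ActiveX control's
# IE state from the registry. Read-only; runs as a normal user.

# Shockwave Flash CLSID (Adobe's public registration); swap in any CLSID to audit.
$flashClsid = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'

function Get-IEAddOnState {
    param([Parameter(Mandatory = $true)][string]$Clsid)

    # Machine-wide kill bit: 'Compatibility Flags' with bit 0x400 set blocks the
    # control from loading in IE regardless of the user's add-on choices.
    $killKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $killBit = $false
    if (Test-Path -Path $killKey) {
        $flags = (Get-ItemProperty -Path $killKey).'Compatibility Flags'
        if ($null -ne $flags) { $killBit = [bool]($flags -band 0x400) }
    }

    # Per-user Manage Add-ons entry (assumption: the 'Flags' value under
    # Ext\Settings records the Enable/Disable choice; reported raw here).
    $userKey   = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\$Clsid"
    $userFlags = $null
    if (Test-Path -Path $userKey) {
        $userFlags = (Get-ItemProperty -Path $userKey).Flags
    }

    # Is the control registered on this machine at all?
    $registered = Test-Path -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"

    [pscustomobject]@{
        Clsid          = $Clsid
        Registered     = $registered
        KillBitSet     = $killBit
        UserAddOnFlags = $userFlags
    }
}

Get-IEAddOnState -Clsid $flashClsid | Format-List
```

    A control that is registered, has no kill bit, and no per-user entry is in its default enabled state; re-run after the GUI steps to see the per-user entry appear.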

  • F-Secure expects possibly one million unique viruses in 2008

    Virus, Trojan Horse, and Worm attacks have changed substantially in the past couple of years.  Previously, malware authors seeded "true" viruses that replicated from PC to PC by exploiting unpatched email or system vulnerabilities.  This still occurs; however, most attacks are now massively spammed to trick users into selecting a malicious web link or attachment.

    Most current attacks usually don't spread to other vulnerable PCs from an infected system, although there are still many "true" viruses circulating (e.g., network walkers, USB flash drives, email worms, etc.).  However, botnets using fast-flux servers (i.e., that hide the true malware master servers) are creating highly polymorphic (i.e., rapidly changing) malware threats.  Each attack wave is spammed with a unique MD5 hash, which AV vendors key on in some cases to detect malware (along with pattern matching algorithms).

    Botnets (e.g., Storm Worm) use a master malware "template" approach.  These master blueprints can change hourly on the fast-flux servers to create new variants that AV software may or may not detect. Wave after wave of unique malware can be spammed out which is creating the potential for one million different viruses in 2008.

    In reality, there are only a few thousand active virus families, but some of these families have several thousand variants within them.  Still, each of the million unique MD5 patterns must be handled successfully by the AV vendors.  This new attack style is challenging and explains why only 30% of AV vendors may provide coverage shortly after a new virus wave is massively spammed to the public.     
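    The hash-versus-pattern gap described in the paragraphs above, as an added PowerShell example that is not from the original post or from F-Secure: each "wave" is rebuilt from the same core with fresh padding, so its MD5 is new to a hash list while a byte-pattern rule keyed on the invariant core still matches. The sample bytes, the core string and the wave numbers are all constructed.

```powershell
# Added example, not part of the original post: why a unique MD5 per spam wave
# defeats hash-only detection while a byte-pattern rule still matches.
# Every "sample" below is a constructed, harmless byte string, not real malware.

$md5 = [System.Security.Cryptography.MD5]::Create()

function Get-Md5Hex {
    param([byte[]]$Bytes)
    ($md5.ComputeHash($Bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
}

# The invariant "core" every variant inherits from the master template.
$core = [System.Text.Encoding]::ASCII.GetBytes('CONSTRUCTED-SAMPLE-CORE-ROUTINE')

function New-Variant {
    # Simulates the hourly rebuild: same core, fresh junk padding around it,
    # so each wave ships as a different file and therefore a different MD5.
    param([int]$Wave)
    $rng  = New-Object System.Random($Wave)
    $junk = New-Object byte[] 64
    $rng.NextBytes($junk)
    [byte[]]($junk[0..31] + $core + $junk[32..63])
}

function Find-Bytes {
    # Naive byte-string search; returns the offset of $Needle in $Haystack or -1.
    param([byte[]]$Haystack, [byte[]]$Needle)
    for ($i = 0; $i -le $Haystack.Length - $Needle.Length; $i++) {
        $j = 0
        while ($j -lt $Needle.Length -and $Haystack[$i + $j] -eq $Needle[$j]) { $j++ }
        if ($j -eq $Needle.Length) { return $i }
    }
    return -1
}

# Hash-based detection: the vendor has only captured waves 1 and 2 so far.
$knownHashes = @(1, 2 | ForEach-Object { Get-Md5Hex -Bytes (New-Variant -Wave $_) })

function Test-ByHash {
    param([byte[]]$Sample)
    $knownHashes -contains (Get-Md5Hex -Bytes $Sample)
}

# Pattern-based detection: look for the invariant core anywhere in the sample.
function Test-ByPattern {
    param([byte[]]$Sample)
    (Find-Bytes -Haystack $Sample -Needle $core) -ge 0
}

# Waves 3 to 5 are unknown to the hash list but still carry the same core.
foreach ($wave in 1..5) {
    $s = New-Variant -Wave $wave
    '{0}  wave {1}  hash-match={2,-5}  pattern-match={3}' -f (Get-Md5Hex -Bytes $s), $wave, (Test-ByHash -Sample $s), (Test-ByPattern -Sample $s)
}
```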

    F-Secure expects possibly one million unique viruses in 2008
    http://www.heise-online.co.uk/news/F-Secure-expecting-a-million-viruses-this-year--/110451 

    QUOTE: Finnish antivirus software vendor F-Secure has published its statistics for the first quarter of 2008. The company estimates that a total of a million new viruses will be born this year – 25,000 malicious programs per day have made their way onto the firm's servers.

    This number agrees with other research. Service provider AV-Test last year had already registered viruses at the same daily rate, but from all antivirus vendors and other sources such as honeypots combined. According to AV Test general manager Andreas Marx, in the 13 hours to one o'clock on Tuesday 21,439 unique samples – viruses with a unique MD5 "fingerprint" – had already made their way onto the company's servers.

  • Storm Worm - April Fools version circulating

    Folks should delete these messages and avoid selecting any links, as malware can be automatically and silently installed on vulnerable PCs.

    Storm Worm - April Fools version circulating
    http://isc.sans.org/diary.html?storyid=4222
    http://www.avertlabs.com/research/blog/index.php/2008/03/31/nuwar-isnt-fooling-around/
    http://sunbeltblog.blogspot.com/2008/03/heads-up-storm-worm-using-april-fools.html
    http://blog.trendmicro.com/jokes-on-you/
    http://www.f-secure.com/weblog/archives/00001410.html
    http://asert.arbornetworks.com/2008/03/april-storms-day-campaign/

    Storm QUOTE: Well, it's that time again. April Fools day tomorrow and prime time for those in control of the Storm botnet. Again a varied list of subjects comes with this release:

    All Fools' Day
    Doh! All's Fool.
    Doh! April's Fool.
    Gotcha!
    Gotcha! All Fool!
    Gotcha! April Fool!
    Happy All Fool's Day.
    Happy All Fools Day!
    Happy All Fools!
    Happy April Fool's Day.
    Happy April Fools Day!
    Happy Fools Day!
    I am a Fool for your Love
    Join the Laugh-A-Lot!
    Just You
    One who is sportively imposed upon by others on the first day of April
    Surprise!
    Surprise! The joke's on you.
    Today You Can Officially Act Foolish
    Today's Joke!


    The download is a binary, also with varying names:

    foolsday.exe
    funny.exe
    kickme.exe


    While anti-virus protection was 18% at the time of the sample, this trend will improve as AV vendors respond to this new threat.

    Storm Worm (Poor coverage by AV vendors of 18% at time of sample)
    http://www.virustotal.com/analisis/4d97cff275c54b27495081c150afb4cd
