May 2009 - Posts

I've applied the "Fix it" workaround and so far no issues noted.  This workaround might help corporate and home users until a more permanent patch becomes available.  There is also a second "Fix it" icon to undo (disable) the workaround.

Microsoft DirectShow is Vulnerable
http://www.f-secure.com/weblog/archives/00001692.html

QUOTE: The vulnerability exploits quartz.dll Quicktime parsing. However, you don't have to have QuickTime installed.

Update: Microsoft has published a "Fix It" tool that does the registry changes for you.

Microsoft Direct Show vulnerability (971778) - Fix it Workaround available
http://support.microsoft.com/kb/971778

QUOTE: To implement the workaround that disables QuickTime parsing automatically on a computer that is running Windows 2000, Windows XP or Windows Server 2003, click the Fix this problem link under Enable workaround. To undo the workaround, click the Fix this problem link under Disable workaround. In either scenario, click Run in the File Download dialog box, and follow the steps in the Fix it wizard.

MORE ON VULNERABILITY
http://www.microsoft.com/technet/security/advisory/971778.mspx

Bing it on: Microsoft overhauls search, again
http://www.msnbc.msn.com/id/30983177/

QUOTE: SEATTLE - Microsoft Corp. is rolling out a redesigned search site in the coming days and hopes it will lure more Web surfers than the two most recent incarnations, Live Search and MSN Search. The new site, Bing, adds touches intended to make everyday Web searching a little less haphazard. Bing also tries to make it easier for people to buy things, book travel and find credible health information.

Bing.com - Microsoft's new Search facility coming soon
http://www.bing.com/ComingSoon

In testing Chrome, it offers excellent speed and stability as a basic browser.  Version 2.0 continues to add a few needed features.  Google's design approach is to hide customization details from users.  This includes even browser security updates.  For IT professionals and corporate usage, an "advanced mode" to better customize settings would be beneficial from a security perspective (e.g., turn off vulnerable services like JavaScript or Flash easily as in other browsers).  

First look: Google Chrome 2.0 - Fast but lacking features
http://blogs.zdnet.com/hardware/?p=4404

QUOTE: Google has released Chrome 2.0. The speed-demon browser gets an additional kick of speed, a few more features, and a load of bug fixes. First, let’s look at the speed side of things. Google’s Chrome browser was already fast, but the 2.0 update loads JavaScript-heavy web pages about 30% faster than version 1.0.

Well, for those who like an all-singing, all-dancing browser, Google’s Chrome has always been a poor choice because while the browser packed plenty of power, it was very basic. Chrome 2.0 is no different. Here are some of the most significant newly added features to Chrome 2.0:

-- Ability to delete thumbnails from new tab page
-- Full page zoom
-- Full screen mode (by pressing F11)
-- Autofill for web forms

Google - More information
http://www.google.com/chrome
http://www.google.com/chrome/intl/en/features.html
http://googleblog.blogspot.com/2009/05/put-pedal-to-metal-with-faster-google.html

Service Pack 2 will be released soon as noted below:

Vista SP2 and W/2008 Service Pack 2 will be released soon
http://blogs.pcmag.com/securitywatch/2009/05/vista_and_win2k8_sp2_coming_so.php
http://blogs.technet.com/mu/archive/2009/05/20/get-ready-for-vista-and-win2k8-sp2.aspx

SP2 Key Changes
http://technet.microsoft.com/en-us/library/dd335036.aspx

SP2 FAQ
http://technet.microsoft.com/en-us/library/dd335038.aspx

This is an excellent resource to learn more about MS products or for resolution of issues

Microsoft Blogs - Master Index
http://blogs.technet.com/blogms/pages/directory-of-microsoft-team-blogs.aspx

The ISC has posted some helpful links for IIS and system admins on techniques to locate WebDAV exposure, both locally on the server and remotely across the network.

IIS Administration - How to locally determine if WebDAV is active
http://isc.sans.org/diary.html?storyid=6433
http://support.microsoft.com/kb/328505
http://blogs.technet.com/srd/archive/2009/05/20/answers-to-the-iis-webdav-authentication-bypass-questions.aspx

IIS Administration - Using nmap to remotely locate WebDAV
http://isc.sans.org/diary.html?storyid=6436
http://nmap.org/nsedoc/scripts/http-iis-webdav-vuln.html
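One local check an IIS administrator can run without any extra tooling is to look at the server's own W3C logs for WebDAV traffic. The following is an added example, not code from the ISC diary or the Microsoft KB article linked above: it parses IIS 6 style W3C log lines (the excerpt is constructed, using RFC 5737 documentation addresses) and reports which WebDAV methods were served and to which clients. The column layout, announced by a #Fields: directive, is an assumption based on the IIS default.

```python
"""Detect WebDAV usage in IIS W3C extended log lines.

Added example, not taken from the ISC diary or Microsoft KB article linked
above. The log excerpt is constructed; the column layout assumed is the IIS 6
default W3C format, announced by a #Fields: directive. IIS writes '+' in place
of spaces inside User-Agent values, which keeps one token per field.
"""
from collections import Counter

# HTTP methods that only a WebDAV-enabled server answers meaningfully.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}

# Constructed sample log (RFC 5737 documentation addresses, not real clients).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(User-Agent)
2009-05-20 10:01:02 192.0.2.10 GET /default.htm 200 Mozilla/4.0+(compatible;+MSIE+7.0)
2009-05-20 10:01:05 192.0.2.10 PROPFIND /secure/ 401 Microsoft-WebDAV-MiniRedir/5.1.2600
2009-05-20 10:02:11 198.51.100.7 OPTIONS / 200 DavClnt
2009-05-20 10:02:12 198.51.100.7 PROPFIND /shared/ 207 DavClnt
2009-05-20 10:03:00 203.0.113.5 GET /index.htm 200 Mozilla/5.0+(Windows;+U)
"""


def parse_iis_log(text):
    """Return one dict per data line, keyed by the names in the #Fields: directive."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # directive can recur after an IIS restart
            continue
        if line.startswith("#"):
            continue                       # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line appeared before a #Fields: directive")
        values = line.split()
        if len(values) != len(fields):
            continue                       # malformed or truncated line, skip it
        rows.append(dict(zip(fields, values)))
    return rows


def webdav_activity(rows):
    """Summarise evidence that WebDAV is enabled and being used."""
    methods = Counter()
    clients = set()
    multistatus = 0
    for row in rows:
        method = row.get("cs-method", "").upper()
        if method in WEBDAV_METHODS:
            methods[method] += 1
            clients.add(row.get("c-ip"))
        if row.get("sc-status") == "207":  # 207 Multi-Status is a WebDAV-only response
            multistatus += 1
    return {
        "webdav_requests": sum(methods.values()),
        "methods": dict(methods),
        "clients": sorted(clients),
        "multistatus_responses": multistatus,
    }


if __name__ == "__main__":
    print(webdav_activity(parse_iis_log(SAMPLE_LOG)))
```

Logs record use, not configuration: a WebDAV verb or a 207 response in the log proves the feature is on, but an empty result only means nobody has used it in the period covered, so the KB article's local check remains the authoritative way to confirm it is disabled. OPTIONS is deliberately not counted, since ordinary clients send it too.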

As reflected in the charts, malware continues to grow in volume, sophistication, and in numbers of variants (i.e., polymorphism). Technical safeguards and best practices are always required.

Sunbelt - Growth of Malware Statistics
http://sunbeltblog.blogspot.com/2009/05/growth-of-malware-update.html

Dramatic increase due to numerous variants within malware families
http://sunbeltblog.blogspot.com/2008/01/growth-of-malware.html

The first link below is especially good in providing an FAQ

IIS 5/6 Vulnerability - WebDAV FAQ and Workarounds
http://blogs.technet.com/srd/archive/2009/05/20/answers-to-the-iis-webdav-authentication-bypass-questions.aspx
http://isc.sans.org/diary.html?storyid=6433
http://support.microsoft.com/kb/328505
http://isc.sans.org/diary.html?storyid=6397

More details can be found here:

Microsoft Security Advisory (971492)
http://www.microsoft.com/technet/security/advisory/971492.mspx
http://blogs.technet.com/msrc/archive/2009/05/18/microsoft-security-advisory-971492.aspx

Hopefully, all phone calls associated with the "second notice of your car's factory warranty is expiring" have now been stopped. I'm glad that the FTC was successful in stopping these fraudulent attacks.

FTC shuts down massive robocall scam
http://www.msnbc.msn.com/id/30852785/

QUOTE: We spend so much time worrying about Internet fraud. But it’s easy to forget that many con artists still make their living the old-fashioned way: dialing for dollars. Last week, the Federal Trade Commission shut down one of the biggest and most flagrant telemarketing scams ever. The automated calls (known as robocalls) pitched extended car warranties. They went to phones across the country, including cell phones and home phones on the national Do Not Call Registry. Federal law prohibits such calls.

EXAMPLE OF RECENT ATTACKS
http://msmvps.com/blogs/harrywaldron/archive/2009/01/16/cell-phone-scam-this-is-the-second-notice-that-the-factory-warranty-on-your-vehicle-is-expiring.aspx

Unfortunately, this new JavaScript multi-stage attack is spreading on vulnerable websites.  Sophos notes that it accounted for almost half of all malware infections found at websites.  Be careful with website visitation, Internet searches, and keep AV protection updated.

Gumblar JavaScript Exploit - Major New Threat to websites
http://www.sophos.com/blogs/sophoslabs/v/post/4405
http://www.us-cert.gov/current/index.html#gumblar_malware_attack_circulating
http://news.cnet.com/8301-1009_3-10244529-83.html
http://www.theregister.co.uk/2009/05/19/gumblar_google_poisoning_update/
http://www.internetnews.com/security/article.php/3821151/Gumblar+Biggest+Threat+on+the+Web+Today.htm

QUOTE: US-CERT is aware of public reports of a malware exploit circulating. This is a drive-by-download exploit with multiple stages and is being referred to as Gumblar. The first stage of this exploit attempts to compromise legitimate websites by injecting malicious code into them. Reports indicate that these website infections occur primarily through stolen FTP credentials but may also be compromised through poor configuration settings, vulnerable web applications, etc.

Andrew Martin's Analysis - Excellent detailed writeup
http://www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/

QUOTE: Responsible for 42% of “all malicious infections found on websites” (Sophos) during a 7 day period, Gumblar (JSRedir-R)  has been extremely effective at propagating. Many bloggers have been focusing on the script involved in the attack, not so much on what happens when a client is compromised

F-Secure has announced a new beta AV product for the Mac.  They used to offer this previously in the floppy era. Apple PCs should be protected by some AV product, as there are increased threats circulating in-the-wild.

F-Secure reintroduces Apple AV Protection
http://www.f-secure.com/weblog/archives/00001686.html

QUOTE: But look closely and you'll see that the image above is for Mac Protection.

We used to have a Mac solution back in the days of sneakernets. The updates were distributed via floppies. This new Mac Protection (with antivirus) is part of our Technology Preview program and you can download it from our Beta Programs page. An Intel processor based Mac with OS X version 10.5 (Leopard) is a requirement.

Macs are popular, with consumers… and also with malware authors. There's plenty of Zlob codec trojans that will infect a Mac if given the chance. Mac's popularity is such that we feel it's time once again for our own Mac solution.

Hackers are actively exploring this vulnerability and US-CERT has noted possible attacks for the new IIS vulnerability.  While there is no current patch, there are ways of mitigating this (e.g., disabling WebDAV if no applications use it, greater restrictions on anonymous accounts, etc).

IIS 5/6 vulnerability - Hackers actively exploring possible attacks (971492)
http://www.eweek.com/c/a/Security/Mitigations-for-Microsoft-Server-Software-Vulnerability-as-Hackers-Circle-541660/
http://www.us-cert.gov/current/index.html#microsoft_internet_information_services_iis

Microsoft Security Advisory (971492)
Vulnerability in Internet Information Services Could Allow Elevation of Privilege

http://www.microsoft.com/technet/security/advisory/971492.mspx

QUOTE: Microsoft's Internet Information Services software has a privilege escalation vulnerability that US-CERT says is under attack by hackers. While users wait for a patch, here are ways to mitigate the vulnerability. Exploit code for a vulnerability in Microsoft's Internet Information Services software is circulating around the Web, leaving organizations in search for ways to keep hackers at bay.

According to US-CERT, attacks leveraging the vulnerability are already under way, though Microsoft said in an advisory it was unaware of any exploits. Still, US-CERT urged users waiting for a patch to consider disabling WebDAV.

These rogue AV products are not truly security applications, but designed to trick users into sharing their credit card or PayPal account information with fake "you are infected" pop-up messages.  F-Secure describes how UA strings may be manipulated to provide information on the specific version back to malicious websites.

AntiVirus 2009 - May actually update User Agent information
http://www.f-secure.com/weblog/archives/00001684.html

QUOTE: How big an issue are Rogue antivirus applications? Some rogues modify the browser's user agent. We've seen hundreds of AntivirXP08 string variations. The modified string is possibly used to identify the affiliates responsible for the installation which drives "business" to the rogue's website.

How many infected user agents are out there? Toni examined one of our sinkholes and its April 2009 logs contained 63,000 unique IP addresses using agents that contain AntivirXP08. And that doesn't include other strings we've seen such as "Antimalware2009". It's a small measure of a very large problem.

How to test your UA Information
http://whatsmyuseragent.com/

What is UA Information?
http://whatsmyuseragent.com/WhatsAUserAgent.asp
http://whatsmyuseragent.com/CommonUserAgents.asp
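The sinkhole count F-Secure describes is straightforward to reproduce on your own web or proxy logs, since the rogue's marker survives in the User-Agent header of every request the infected browser sends. The following is an added example and not F-Secure's tooling: it parses Apache combined-format log lines (constructed below) and reports, for each marker string named in the post, the unique client IPs and the number of distinct user agent variants seen. The log format and the sample addresses are assumptions for the demonstration.

```python
"""Flag rogue-AV user agent strings in web server log lines.

Added example, not F-Secure's code. It parses Apache "combined" log lines
(the sample below is constructed, with RFC 5737 addresses) and counts, per
marker string named in the F-Secure post, unique client IPs and distinct
user agent variants, mirroring the sinkhole measurement described there.
"""
import re
from collections import defaultdict

# Marker substrings the F-Secure post reports seeing in modified user agents.
ROGUE_UA_MARKERS = ("AntivirXP08", "Antimalware2009")

# Apache "combined" log format; the user agent is the last quoted field.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: two clients carrying AntivirXP08 (one with an
# extra version token), one carrying Antimalware2009, one clean Firefox
# client, and one malformed line that the parser must skip.
SAMPLE_LINES = [
    '192.0.2.10 - - [12/Apr/2009:08:15:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08)"',
    '192.0.2.10 - - [12/Apr/2009:08:15:09 +0000] "GET /favicon.ico HTTP/1.1" 404 0 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; AntivirXP08)"',
    '198.51.100.7 - - [12/Apr/2009:09:02:44 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; AntivirXP08; 1.5.0.1)"',
    '203.0.113.5 - - [12/Apr/2009:09:10:00 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Antimalware2009)"',
    '203.0.113.9 - - [12/Apr/2009:09:11:30 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1) Firefox/3.0.10"',
    'not a log line at all',
]


def parse_combined(line):
    """Return the named fields of one combined-format line, or None if malformed."""
    match = COMBINED_RE.match(line)
    return match.groupdict() if match else None


def rogue_ua_report(lines, markers=ROGUE_UA_MARKERS):
    """Count unique IPs and UA variants per rogue marker (case-insensitive match)."""
    ips_by_marker = defaultdict(set)
    variants_by_marker = defaultdict(set)
    all_ips = set()
    for line in lines:
        entry = parse_combined(line)
        if entry is None:
            continue                       # skip lines that do not fit the format
        ua_lower = entry["ua"].lower()
        for marker in markers:
            if marker.lower() in ua_lower:
                ips_by_marker[marker].add(entry["ip"])
                variants_by_marker[marker].add(entry["ua"])
                all_ips.add(entry["ip"])
    return {
        "markers": {
            m: {"unique_ips": len(ips_by_marker[m]),
                "variants": len(variants_by_marker[m])}
            for m in markers
        },
        "total_unique_ips": len(all_ips),
    }


if __name__ == "__main__":
    print(rogue_ua_report(SAMPLE_LINES))
```

Counting unique IPs rather than requests is what keeps the figure honest, since one infected machine reloads pages many times; counting variants separately shows the affiliate-tagging F-Secure suspects, where the same family turns up with many different suffixes. On a corporate proxy the same report doubles as an inventory of internal hosts that need cleaning.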

Gaining confidence in yourself in 3 easy steps

IT professionals must also work with people in addition to machines

This article provides some key advice in working with others effectively

Gaining confidence in yourself in 3 easy steps
http://www.knowledgetrain.co.uk/management-development-gaining-confidence-3-easy-steps.php

QUOTE: It is a common misconception that self-confidence is innate. While it is true that some people are naturally self-assured or have had the luck or the upbringing to trust in their own abilities, self-confidence is a craft, and must be learned like any other.

There are three easy steps to teaching yourself self-confidence

1) Know yourself
2) Do your research
3) Reflect

Additional discussion in ALLPM forums
http://www.allpm.com/index.php?name=PNphpBB2&file=viewtopic&t=2871

Always obtain any software product or update from the true website.

Fake Adobe Flash Update closely resembles real site
http://www.f-secure.com/weblog/archives/00001682.html

QUOTE: One of our Web Security Analysts came across a website (118,000 ranking in Alexa) that drives users into installing a fake Adobe Flash Player file. The site prompts a message requesting the user download "a new version of Adobe Flash Player" in order to view a video on the site.  Based on a reverse domain lookup on the malware link, the fake site is hosted in Bulgaria.  Updates to the latest antivirus definitions to detect this threat.
