March 2010 - Posts

Some interesting statistics from a recent survey. 

4.4 percent in China have no AV – that might not be too bad
http://sunbeltblog.blogspot.com/2010/03/44-percent-in-china-have-no-av-that.html
http://www.pcworld.com/businesscenter/article/192994/millions_in_china_have_no_antivirus_software_survey_shows.html

QUOTE: The number for the rest of the world might be 26 percent. There is a story making headlines on the computer security news sources today about estimates that 4.4 percent of Chinese Internet users have no anti-virus software, up from 3.9 percent last year. That’s about 17 million machines. CNNIC said it estimated that 384 million people in China use the Internet

The version matrix in first link below provides a visual illustration that IE8 is safer than IE6 or IE7   

MS10-018: Version Matrix illustrates IE8 is safer than past versions
http://blogs.technet.com/photos/msrcteam/images/3322077/original.aspx

FULL MSRC BLOG ENTRY - MS10-018 Released 
http://blogs.technet.com/msrc/archive/2010/03/30/security-bulletin-ms10-018-released.aspx

QUOTE: MS10-018 is a typical cumulative update for Internet Explorer and was originally going to be released during the normal update cycle on the 13th of April.

 

Microsoft issued an out-of-band special security update for all versions of Internet Explorer.  While the most critical update applies to IE 6 and 7, there are also some critical updates for version 8.  The planned IE cumulative update for April 13, 2010 was released for all users two weeks early.

MS10-018 - Critical Internet Explorer Update
http://www.microsoft.com/technet/security/Bulletin/MS10-018.mspx

MSRC - MS10-018 Detailed analysis
http://blogs.technet.com/msrc/archive/2010/03/30/security-bulletin-ms10-018-released.aspx

QUOTE: MS10-018 is a typical cumulative update for Internet Explorer and was originally going to be released during the normal update cycle on the 13th of April.

SANS - Internet Storm Center analysis
http://isc.sans.org/diary.html?storyid=8533

QUOTE: This update resolves 10 different vulnerabilities in Internet Explorer, of which the most severe impact can be execution of arbitrary code. All versions of IE from 5.01 to 8.0 are affected to varying degrees. Both servers and workstations should be updated. The update replaces MS10-002, and addresses the MS Advisory 981374 vulnerability. Time to patch

 

Apple patched a record number of vulnerabilities in it's latest security release. Mac users should apply these patches promptly to improve their safety.

Apple Mac OSX version 10 - Critical Security update
http://www.computerworld.com/s/article/9174337/Apple_delivers_record_monster_security_update

QUOTE: Apple today patched 92 vulnerabilities, a third of them critical, in a record update to its Leopard and Snow Leopard operating systems. Security Update 2010-002 plugged 92 holes in the client and server editions of Mac OS X 10.5 and Mac OS X 10.6, breaking a record that has stood since March 2008. The update dwarfed any released last year, when Apple's largest patched 67 vulnerabilities.

APPLE SECURITY
http://support.apple.com/kb/HT1222

APPLE SUPPORT DOWNLOADS
http://support.apple.com/downloads/

 

Microsoft will be releasing a special security update tomorrow for versions 6 and 7 of Internet Explorer.  This early release will better protect IE users from current threats circulating in the wild. Please apply these changes as prompted tomorrow to protect your PC.  Better yet, move to IE8  if you use Windows XP or Vista.

Internet Explorer - Out of Band Security Update on March 30, 2010
http://blogs.technet.com/msrc/archive/2010/03/29/internet-explorer-cumulative-update-releasing-out-of-band.aspx

Internet Explorer - Out of Band Security Update Details
http://www.microsoft.com/technet/security/bulletin/ms10-mar.mspx

Key vulnerability patched described in Microsoft Security Advisory 981374
http://www.microsoft.com/technet/security/advisory/981374.mspx

QUOTE: This is an advance notification of an out-of-band security bulletin that Microsoft is intending to release on March 30, 2010. The bulletin is being released to address attacks against customers of Internet Explorer 6 and Internet Explorer 7.  Users of Internet Explorer 8 and Windows 7 are not vulnerable to these attacks.

 

This new attack should be avoided, as there is an embedded EXE inside the RTF based document. Most lawsuits are filed using certified mail
 
 New Email Attack - Copyright Lawsuit filed against you
 http://isc.sans.org/diary.html?storyid=8497
 http://isc.sans.org/diary.html?storyid=8500
 
 QUOTE: An email is being sent out warning the recipient of a "Copyright Lawsuit filed against you." We received a copy here and a number of .EDUs have reported it's receipt. It looks something similar to:
 
 March 24, 2010
 Crosby & Higgins
 350 Broadway, Suite 300
 New York, NY 10013
 

 To Whom It May Concern:
 
 On the link bellow is a copy of the lawsuit that we filed against you in court on March 11, 2010. Currently the Pretrail Conference is scheduled for April 11th, 2010 at 10:30 A.M. in courtroom #36. The case number is 3485934. The reason the lawsuit was filed was due to a completely inadequate response from your company for copyright infrigement that our client Touchstone Advisories Inc is a victim of Copyright infrigement. Touchstone Advisories Inc has proof of multiple Copyright Law violations that they wish to present in court on April 11th, 2010.
 
 Sincerely,
 
 Mark R. Crosby
 Crosby & Higgins LLP

 
 The law-firms named in the email, header, and sending server all appear to be a mish-mash of existing firms. If a user clicks on the link and opens the document it will attempt to download additional payload. Currently only a few AV solutions detect the initial document
 
 Getting the EXE out of the RTF again
 http://isc.sans.org/diary.html?storyid=8506
 
 QUOTE: Since we got some mails from readers who had trouble getting the malware extraction technique to work on yesterday's malicious "copyright lawsuit" sample , here's a quick walk-through again on how to carve an EXE out of a DOC or RTF file.

In recent problem solving for a couple of old Windows 2000 PCs, I discovered that they had not been updated for a considerable period of time.  In manually invoking Windows Update, an error was encountered and the return code was searched on the Internet. The solution that worked for corporate McAfee VSE (versions 7 and 8) was to locate the Windows "SoftwareDistribution" folder and create an exclusion.  McAfee locks up when the data base object is accessed preventing Windows Update. 

To exclude the Software Distribution folder from McAfee VSE scanning:

1. Launch McAfee VSE Console from start menu
2. Select On-Access Scan and double-click (or select properties)
3. Select All Processes
4. Select Detection tab
5. Select Exclusions button
6. Select Add New button
7. Browse for location of Windows "SoftwareDistribution" folder
8. Check also exclude Subfolders
9. Select OK button
10. Select APPLY button
11. Reboot PC so that exclusion changes will properly take place
12. Launch Windows Update manually (and move to Microsoft Update so that Office is also included)

Related Microsoft KB article
http://support.microsoft.com/kb/958048

QUOTE: You receive error code 0xC80001FE when try to connect to the Windows Update Web site or to the Microsoft Update Web site to install updates. This issue may occur if the Windows Update database is corrupted. Or, it may occur if the McAfee antivirus application is configured to scan the %Windir%\SoftwareDistribution directory. When the McAfee antivirus application scans the .edb file, the antivirus application locks the file. Therefore, Windows Update or Microsoft Update cannot access the file.

 

This series of Computerworld articles can be helpful in designing security and efficiences for the WLAN environment

http://blogs.computerworld.com/15816/3_dumb_mistakes_network_admins_make_when_configuring_wlans_part_1

QUOTE: 3. Excessive SSIDs:  Here's the issue with running multiple SSIDs - each radio beacons approximately 10 times per second, per SSID.  Therefore, if you have 5 SSIDs in your environment, you have 50 beacons per second, per radio.  All of these beacons chew into the available free air time, and thereby lower the amount of available bandwidth

http://blogs.computerworld.com/15817/3_dumb_mistakes_network_admins_make_when_configuring_wlans_part_2

QUOTE: 2. "Hiding" the broadcast of the SSID:   SSID stands for Service Set Identifier.  It is the network name that you see when you scan for wireless networks on your computer.  There is an option on most access points to "hide" the SSID so its value is absent from beacon frames.  In basic supplicant software such as the one that comes embedded in Windows, these networks do not show up as available connection options.  Proponents say that disabling the broadcast of the SSID thereby protects the wireless LAN from attack because it adds a layer of defense.

http://blogs.computerworld.com/15818/3_dumb_mistakes_network_admins_make_when_configuring_wlans_part_3

QUOTE:  1. Time slicing wireless intrusion detection:  There are two main ways to conduct wireless intrusion detection - one is through a dedicated sensor and the other is through time slicing.  Access points that use time slicing take a sliver of time when not servicing stations (laptops, etc.) and scan off channel to provide intrusion detection functionality.  One major wireless manufacture defaults to scanning off channel for 50 milliseconds every 15 seconds.  Upon first hearing this statistic, I thought it sounded like a reasonable interval.  However, when I extrapolated this information, I realized that comes out to approximately 4.5 minutes of scanning every 24 hour period.  That's right, less than 5 minutes of scanning per day!  What's the alternative, you ask?  Instead of time slicing, you can use dedicated sensors.  These sensors scan the network 24 hours a day, 7 days a week, 365 days a year. There are two types of dedicated sensors, embedded or overlay sensors. 

The IRS, Census, and many other government agencies do not use email for official contact purposes.  These new threats should be avoided.

New Fake IRS Email Notice Leads to ZBOT
http://blog.trendmicro.com/new-fake-irs-email-notice-leads-to-zbot/

QUOTE: TrendLabs senior advance threat researcher Ivan Macalintal found spammed messages claiming to come from the Internal Revenue Service (IRS). The email message warns recipients of either under-reporting, or not reporting, their incomes in line with the tax season (April). It asks users to click the embedded link to correct the supposed errors. in line with the tax season (April). It asks users to click the embedded link to correct the supposed errors.

Please be careful of malicious email or websites related to the college basketball playoffs.

March Madness Malware Spreading via Search Results
http://www.avertlabs.com/research/blog/index.php/2010/03/17/march-madness-malware-spreading-via-search-results/

QUOTE: This is the time of year when basketball fans go online to fill out their bracket selections. While fans are playing with their brackets, hackers are also playing their own game of spamdexing -– manipulating search results to promote, in this case, malware-infected sites. At the time of this posting, top search results for terms such as ncaa bracket and march madness predictions are already poisoned. Five out of the first ten hot searches on Google Trends, with ncaa+bracket+blank taking second place, are being promoted by a network of legitimate sites that were hacked to serve malware.

 

ECMC has promptly issued notifications, as noted below.  Anyone impacted should watch for any suspicious activities. Information on portable media was stolen which contains name, address, and social security numbers.  However no financial information was compromised.

ECMC Notification to Borrowers of Data Loss
http://www.ecmc.org/details/Announcement.html

Data theft targets 3.3 million with student loans
http://www.msnbc.msn.com/id/36060713/ns/technology_and_science-security/

QUOTE:  ECMC, a guarantor of federal student loans, had a theft occur from its headquarters involving portable media with personally identifiable information. The stolen data contained information on approximately 3.3 million individuals and included names, addresses, dates of birth and social security numbers. No bank account or other financial account information was included in the data. ECMC released this information as soon as it received approval from law enforcement authorities.

 

These testers are top notch in their knowledge of the Windows 7 architecture and it's memory management.  They used fuzzers, which are automated testing tools, to find vulnerable code that might be subject to crashing Windows security layers.

Hacker busts IE8 on Windows 7 in 2 minutes
http://www.computerworld.com/s/article/9174101/Hacker_busts_IE8_on_Windows_7_in_2_minutes
http://blogs.zdnet.com/security/?p=5855

QUOTE: Jumping through a series of anti-exploit roadblocks, Dutch hacker Peter Vreugdenhil pulled off an impressive CanSecWest Pwn2Own victory here, hacking into a fully patched 64-bit Windows 7 machine using a pair of Internet Explorer vulnerabilities. Vreugdenhil, an independent researcher who specializes in finding and exploiting client-side vulnerabilities, used several tricks to bypass ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention), two significant security protections built into the Windows platform.

Nils also sidestepped DEP and ASLR in Windows 7 when he exploited the newest version of Firefox later in the day. Like Vreugdenhil, Nils also was awarded the notebook and $10,000. This was Nils' second Pwn2Own victory; last year he grabbed $15,000 by exploiting not only Firefox, but also Safari and IE8. "As usual, Nils' exploit was very thorough," said TippingPoint's Portnoy, who is the organizer of the Pwn2Own contest.

This release was originally slated for 3/30/2010.

Firefox version 3.6.2 released early to correct critical bug
http://www.mozilla.com/en-US/firefox/3.6.2/releasenotes/
http://www.mozilla.org/security/announce/2010/mfsa2010-08.html

QUOTE: Firefox 3.6.2 fixes the following issues found in previous versions of Firefox 3.6

* Fixed a critical security issue that could potentially allow remote code execution (see bug 552216).
* Fixed several additional security issues.
* Fixed several stability issues.

 

It is important to stay up-to-date with product versions, especially the free upgrades Microsoft provides to it's browser, media player, and other key components.  In fact IE9 is starting to emerge for the Vista and Windows 7 platforms.  Companies that don't stay up to date could be locked into legacy application requirements that could prohibit them from enjoying the best in security and functional capabilities.

IE6 - Ten reasons companies should upgrade to IE8
http://www.eweek.com/c/a/Enterprise-Applications/10-Reasons-Why-Internet-Explorer-6-Needs-to-Be-Laid-to-Rest-302897/

QUOTE: Internet Explorer 6 needs to be laid to rest and forgotten. Here's why:

1. It's brutally ugly - The interface is extremely difficult to maneuver around and the basic design leaves much to be desired. Granted, it was designed at a time when looks didn't mean as much as they do today, but let's be honest, Internet Explorer 6 was never good-looking.

2. It's underpowered - Internet Explorer 6 is extremely underpowered. In fact, it's one of the slowest browsers on the market currently in wide use. Simply put, Internet Explorer 6 lacks the power and functionality to make it relevant today.

3. Security, anyone? - Security is where the major issue with Internet Explorer 6 resides. Unlike so many other versions of the browser, Internet Explorer 6 was overrun with security issues.

4. Reputation matters - After Internet Explorer 6, the company's reputation was diminished as more and more users saw the browser for what it was: a lost cause.

5. Compatibility - Chances are, several of those sites won't work, thanks to the browser's inability to accommodate so many of the Web's new technologies.

6. Google says goodbye - So, when it announced that it would no longer support Internet Explorer 6 in Google Docs or with YouTube, the company sent a clear message: Internet Explorer 6 is dead. When will the rest of the world realize that?

7. The world hates it - the majority of folks can't stand Internet Explorer 6. It makes sense. As mentioned, the browser has been the culprit behind far too many security attacks.

8. Even Microsoft wants to forget about it - Microsoft has suggested on numerous occasions that it wants users to switch from Internet Explorer 6 to a new version of its browser.

9. It moves users to other browsers - Internet Explorer 6 has been a blessing in disguise for Mozilla's Firefox browser, as well as other competitors like Opera and Google Chrome.

10. It's obsolete - Internet Explorer 6 is obsolete. First and foremost, the browser is old. Secondly, it has been improved upon by Internet Explorer 7 and Internet Explorer 8. Worst of all, it can't compete on any level with the competition.

A malicious attack is circulating in email that claims to be a password reset from Facebook. This email should be avoided as Facebook doesn't conduct security changes in this manner.  This attack is designed to compromise your true password and Facebook account.

Facebook - Fake Password Reset email circulating
http://blogs.zdnet.com/security/?p=5787
http://www.facebook.com/security?v=feed&story_fbid=372119944102
http://siblog.mcafee.com/consumer/consumer-threat-alerts/facebook-password-reset-scam-threatens-computers-worldwide/

QUOTE: Facebook Security -- There's another spoofed email going around that claims to be from Facebook and asks you to open an attachment to receive a new password. This email is fake. Delete it from your inbox, and warn your friends. Remember that Facebook will never send you a new password in an attachment. For more information on how to stay safe on Facebook and across the Internet, check out the "Threats" and "Tips" tabs.

More Posts Next page »