June 2010 - Posts

I was prompted this morning to move to Microsoft Security Essentials Version 1.0.1963.0 and encourage all users to do so when prompted. I also pressed the UPDATE NOW button after updating to ensure the latest signatures were pulled in. The MSE icon in the SYSTRAY will turn orange and anytime the icon is not GREEN it indicates you should update or scan your system.  MSE continues to be a great lightweight version for basic protection of all my home systems.

Microsoft Security Essentials - New version available

MSE Support Forums

F-Secure is warning of new targeted attack campaigns using Excel files; Excel versions 2002 through 2007 are potentially vulnerable. Please be careful in handling all unusual or unexpected attachments received by email.

Microsoft Excel - Be careful of new Targeted attacks

QUOTE: But here's a fresh set of attacks done with XLS files instead. This is some sort of personnel list. Like the other examples here, it drops and runs a backdoor when viewed. The exploit in these files targets Excel Pointer Offset Memory Corruption Vulnerability CVE-2009-3129. As you can see, such attack files can look like perfectly normal and credible document files.

CVE-2009-3129 Information

QUOTE: Microsoft Office Excel 2002 SP3, 2003 SP3, and 2007 SP1 and SP2; Office 2004 and 2008 for Mac; Open XML File Format Converter for Mac; Office Excel Viewer 2003 SP3; Office Excel Viewer SP1 and SP2; and Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats SP1 and SP2 allows remote attackers to execute arbitrary code via a spreadsheet with a FEATHEADER record containing an invalid cbHdrData size element that affects a pointer offset, aka "Excel Featheader Record Memory Corruption Vulnerability."
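As an added illustration (not code from F-Secure, Microsoft or this blog), the snippet below models the defect class the CVE text names: a size field read from the file (cbHdrData) is turned into an offset without being bounded by the enclosing record, beside the bounded version a defensive parser should use. The record layout and the sample bytes are constructed simplifications, not the real FEATHEADER format or a real exploit file.

```python
import struct

# Simplified model of a BIFF8 record stream: 2-byte type, 2-byte length, payload.
# The FEATHEADER payload layout used here (12-byte frtHeader, 2-byte isf, one
# reserved byte, 4-byte cbHdrData, then rgbHdrData) is an assumed simplification
# for illustration, not a faithful copy of the Excel file format.
FEATHEADER = 0x0867
HDR_FIXED = 12 + 2 + 1 + 4      # fixed bytes before rgbHdrData
CB_OFFSET = 12 + 2 + 1          # where cbHdrData sits inside the payload


def build_record(rtype, payload):
    return struct.pack("<HH", rtype, len(payload)) + payload


def build_featheader(cb_hdr_data, rgb=b""):
    """Constructed sample: a FEATHEADER whose declared cbHdrData may disagree
    with the bytes actually present, the mismatch the CVE text describes."""
    payload = b"\x00" * 12 + struct.pack("<HB", 0, 0) + struct.pack("<I", cb_hdr_data) + rgb
    return build_record(FEATHEADER, payload)


def unchecked_hdr_end(data, pos):
    """Vulnerable pattern: trusts cbHdrData to compute where rgbHdrData ends.
    A large value yields an offset far outside the record (the 'pointer
    offset' a native parser would then dereference)."""
    body = pos + 4
    cb = struct.unpack_from("<I", data, body + CB_OFFSET)[0]
    return body + HDR_FIXED + cb


def checked_hdr_end(data, pos):
    """Hardened pattern: every size read from the file is bounded against the
    enclosing record before it becomes an offset."""
    if pos + 4 > len(data):
        raise ValueError("truncated record header")
    rtype, rlen = struct.unpack_from("<HH", data, pos)
    body, end = pos + 4, pos + 4 + rlen
    if end > len(data):
        raise ValueError("record length exceeds stream")
    if rtype != FEATHEADER:
        return end
    if rlen < HDR_FIXED:
        raise ValueError("FEATHEADER shorter than its fixed header")
    cb = struct.unpack_from("<I", data, body + CB_OFFSET)[0]
    if cb > rlen - HDR_FIXED:
        raise ValueError("cbHdrData %d exceeds record payload" % cb)
    return body + HDR_FIXED + cb


def rejects(data):
    """True if the hardened parser refuses the stream's first record."""
    try:
        checked_hdr_end(data, 0)
        return False
    except ValueError:
        return True


# Constructed samples: a consistent record and one that lies about its size.
GOOD = build_featheader(4, b"ABCD")
CRAFTED = build_featheader(0x7FFFFFF0, b"ABCD") + b"\x00" * 16
```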

This month a large number of important security updates were provided by Microsoft that should be promptly applied. It may not be widely known, but Microsoft also uses Windows Update to schedule highly important non-security updates on the fourth Tuesday of each month. These should also be applied to ensure critical Windows functions keep working correctly.

June 8, 2010 - Large Patch Tuesday update

June 22, 2010 - Microsoft non-security updates

QUOTE: As a number of readers have reported, Microsoft released a few non-security updates on Tuesday via Windows Update/Automatic Updates.  Most of our readers will recognize that the 4th Tuesday of the month is when Microsoft usually releases non-security updates.  From the results of a couple of computers here in my office, the updates involve the .NET Framework versions 3.x and 2.x.  As with all updates, please remember to test the update in your respective environment prior to wholesale deployment.  More information on the .NET Framework update available at KB982524.

On May 6, 2010, the stock market was suddenly down 998 points, with most of the sell-off occurring within 10 minutes. Out-of-control selling by automated systems most likely led to this event, which the SEC continues to investigate while looking for ways to improve the system.

Stock Market Flash Crash of May 6th

Stock Market Flash Crash of May 6th - COMPLETE TEXT

SEC Preliminary Findings

QUOTE: On the afternoon of May 6, 2010 the Dow Jones Industrial Average (DJIA) dropped approximately 600 points (5.7%), and then quickly recovered. Other Major Market Indexes dropped by similar amounts. We have read numerous articles attempting to explain this event including the SEC report "Preliminary Findings Regarding the Market Events of May 6, 2010" dated May 18, 2010. Our report assumes the reader is familiar with the SEC report.

1. Quote and trade data must be time stamped by the exchanges at the time it is generated.
2. Quote-stuffing should be banned to avoid overloading the system.
3. Add a simple 50 millisecond quote expiration rule.

While I use a corporate Blackberry, the latest version of Apple's iPhone is indeed innovative.  Hopefully, the new iOS4 will provide security improvements to ensure users stay safe while using this advanced technology.

Apple iPhone 4 Home

Apple iPhone 4 Features

* Video calling with FaceTime
* Retina display with 960 by 640 resolution
* HD video recording
* 5-megapixel camera with LED flash
* Dual-mic noise suppression
* Apple A4 processor
* Voice Control

Apple iOS4 - Apple's new Mobile Operating System

QUOTE: OS 4 is a desktop-class OS that’s been reinvented for mobile devices. Because it’s based on the world’s most advanced computer operating system — Mac OS X — performance in iOS 4 is fast and stability is rock-solid. iOS 4 introduces a whole new way of multitasking. Now you can run your favorite third-party apps — and switch between them instantly — without slowing down the performance of the foreground app or draining the battery unnecessarily. This smarter approach to multitasking is available only in iOS 4.

Symantec and MessageLabs continue to warn of malicious email, scams and websites using the 2010 Soccer World Cup theme. Some of these continuing attacks are arriving in my own email, so please be careful:

FIFA World Cup Soccer - Malware based attacks continue

QUOTE: As reported in the June MessageLabs Intelligence Report, MessageLabs Intelligence is seeing a great variety of different threats relating to the upcoming FIFA World Cup. We’ve seen 419-style scams, including emails offering tickets to games; fake accommodation providers; offers of contracts to supply clothing and boots; offers of free mobile phones; scams looking for companies to provide additional electricity/power for the World Cup; and more.  All designed to ultimately obtain the recipient’s personal details, and/or money by means of deception and fraud. 

MessageLabs Intelligence has also seen fake World Cup tickets for sale on well known auction websites, or advertisements offering tickets, that in reality are unlikely to give the buyer access to any games.  Moreover, we’ve seen a huge volume of spam that contains World Cup related content, but is actually not about the World Cup. 

AVERT Labs shares an informative article related to privacy concerns in using social networks:

Social networks and privacy studies from Europe

QUOTE: This week I’ve seen several interesting articles and posts about the effect and consequences of social networking sites within Europe. Here are a few links:

European Parliament
Dagens Nyheter
IDG Sweden

McAfee recognizes the development of social networking as a fundamental business tool as well as a personal tool. What we find particularly interesting are the increased concerns that are being raised lately within Europe.  

Recently, a security researcher and vendor could not reach agreement privately on a new security weakness. Unfortunately, Proof of Concept (POC) exploit code was later published by the researcher, which led to harmful zero day attacks being circulated in-the-wild within a few days.

Fortunately, the area of vulnerability is invoked rarely by users and exploits are not in wide circulation. Anti-virus protection and other workarounds are helpful in mitigating this risk, until the issue is patched.

In reflecting on this incident, it's difficult to see the value in forcing vendors to patch their products within a specific timeline. Individuals who care about security should never give vendors an ultimatum of the form "patch by this date or the POC code will be published to the underground."

Some Limited Benefits of Public Disclosure

* There are a few cases where vendors have known about issues for years. However, the issues go unpatched because they are minor or very difficult to exploit. Some security researchers believe that public disclosure is the only leverage they have to accomplish improved security.

* Public disclosure brings immediate pressure on a vendor to patch a serious issue. Some security researchers are also tuned into the underground and may point out valuable emerging developments. When the vendor does not respond, they feel a need to illustrate the importance with POC code.

* I believe H. D. Moore and Aviv Raff's "Month of Bugs" projects were beneficial in improving security.  For example, they picked a topic like browsers and demonstrated why almost all vendors had weaknesses.  Most items were minor in nature. Their daily bug publications prompted all vendors to commit more money and focus to security.  This type of "wakeup" call led to a better security focus by most vendors.

Disadvantages of Public Disclosure

Yet for the most part, the negatives outweigh positives for public disclosure, as follows:

* Zero Day attacks may be introduced resulting in emergency workarounds and patches by the vendor and anti-virus providers

* Malicious developers can take POCs and ramp them up a few notches. They may even discover something more harmful.

* Some folks don't patch promptly or defend their systems well with up-to-date anti-virus protection. Even after a vendor has patched, innocent users remain vulnerable to attacks that might never have been implemented in the wild had the POCs been kept private.

* Vendors only have a certain number of qualified people working on security patches. Public disclosure and the resulting exploits force them to patch or create workarounds immediately. It may delay work already in progress on patching more mainstream attacks.

* Sixty or ninety days may not be enough time to work changes in, given work in progress and the need for a quality release across the different permutations of hardware and software.

If the security researcher has shared privately and exploits emerge because of a slow response by the vendor, the researcher has done their job. It's the vendor's fault if they fail to respond in a timely fashion. The researcher can even document, in a generic way, that they privately shared an issue, keeping the details private from malicious authors who may harm others with attacks.

Certainly, security researchers want to enhance their reputations, income, and careers. I believe many have an altruistic mission in wanting to protect the public. Many are highly talented professionals and provide valuable protective contributions for society. I encourage them to put their talents to work for the good of society through private responsible disclosure.

At work and home, I use Office 2010 extensively and it's the most well designed and capable version I've used so far.   While many of the components I use extensively like Excel and Word are similar to their Office 2007 counterparts, the User Interface is much more intuitive in the latest version. 

The capability to create pivot tables is greatly improved in Excel 2010, as it's more naturally built into Excel. For building sophisticated spreadsheets, Microsoft also offers an Excel add-in called PowerPivot 2010 that can work with huge databases exceeding even Excel's million-row limit. While I prefer using Access for these types of queries, PowerPivot allows you to stay within the tool to create summary views.

PowerPivot 2010 - Great writeup on the value of processing large external databases

QUOTE: Microsoft’s PowerPivot add-in for its forthcoming Excel 2010 spreadsheet enables users to work with much larger sets of data than is possible with Excel alone.  Microsoft’s PowerPivot is an add-in for the company’s forthcoming Excel 2010 spreadsheet application, which first grabbed my attention by the way it enables users to work with much larger sets of data than is possible with Excel alone. For instance, I used PowerPivot to load and browse through a data set that ran 3.9 million rows—about four times Excel’s existing upper limit—and I had no more trouble scrolling around in the set than I would with a spreadsheet of only several hundred rows.

AVERT Labs shares this key threat to avoid:

Waka Waka FIFA 2010: Targeted PDF attack uses World Cup theme as bait

QUOTE: We have seen instances from recent times where WorldCup themes have been extensively used as bait to lure unsuspecting users into opening malicious attachments. With lots of recently discovered vulnerabilities and wide spread distribution, pdf files appear to be a perfect vector for these kind of attacks. These threats could be delivered as emails or poisoned search engine results leading to malicious pdf’s.

This particular pdf file is directed at certain high profile targets. Upon executing the malicious pdf file on a vulnerable version of Adobe reader/ Acrobat, it drops an innocent pdf file as shown in the figure below to spoof the unsuspecting user.  This malicious pdf file drops and executes a malicious payload detected as BackDoor-ERZ, while the malicious pdf is detected as Exploit-pdf.b with 6022 DATS.

While most individuals aren't protecting mobile devices, there are a few emerging threats, as documented below by the Internet Storm Center.

Thoughts on Malware for Mobile Devices

QUOTE: If you have some creative ways you're protecting your mobile devices, send them in and I'll post them. While 130 people is not a statistically large sample we do have some interesting preliminary results. Of 130 people, only 15 are scanning for malware. Of those 15, 3 (20%) have detected malware. If you extrapolate that percentage out to the entire sample, 23 people who responded who do not scan would be infected with malware.

Apple recently released its latest version of the Safari browser. I downloaded a copy to evaluate for the Windows XP environment. The RSS Reader facility is truly an outstanding feature which will transform lengthy text-based articles into a nicely formatted large-print presentation. The performance is excellent, and hopefully security will continue to improve from prior releases, as over 48 problem areas were fixed in the last release.

Apple Safari 5.0 release

QUOTE: Safari 5 is the latest version of the Apple web browser and among the new features in the browser is a Reader mode that makes it a pleasure to read long articles on the Web. Though Safari is the dominant web browser on the Macintosh (and on Apple mobile devices), it is still very much a minor player on Windows systems. Still, Safari 5 has a few capabilities that make it worth a look for both Mac and Windows users.

Chief among these is the Reader mode. Essentially what this feature does is make it possible to read a multi-page web article in a single scrollable view but it really is much more than that (and much better than simply opening the Print view of an article). And it appears to work with most articles on websites without the sites having to do anything to enable the feature.

When I browsed to a web article, a Reader button appeared on the right hand side of the address bar in Safari 5. By clicking this button I brought up a scrollable window in the middle of the browser screen that displayed the entire article, no matter how many pages the site had broken it up into. The Reader view was very attractive and easy to read, making an article on a webpage look more like something that had been configured for an ebook format. I enjoyed the Reader view so much that if I ran into a long article while using another browser, I fired up Safari and switched over so I could read the article in Reader mode.

Safari 5 also includes several other new features, including the ability to configure the search bar to use Bing, Google or Yahoo for the integrated search features. There are also several new developer tools included. Like Chrome, Safari has expanded its ability to be extended by developers and there are already a good number of extensions available for the browser, though nowhere near the number currently available for Firefox.

Also like Chrome and Firefox, Safari 5 continues the Apple browser’s move to support the forthcoming HTML 5 standard. This version of Safari includes new support for many HTML 5 capabilities, including video improvements such as full screen video and closed captioning.

Safari - RSS Reader Mode is highlight of new release 

Apple launches Safari 5, patches record 48 bugs

Safari 5 Download site
Malware writers use popular news stories or sporting events to lure unsuspecting users. Please avoid potentially harmful email messages or websites related to the World Soccer championship games. As noted in the warning by AVERT, just visiting some sites may expose users to zero-day attacks.

Scammers Go Phishing for World Cup Soccer Fans

QUOTE: If you do receive one of these lottery scams in your inbox, always be very careful. Don’t assume that you are smarter than the spammer. Don’t lull yourself into a false sense of security. Don’t believe that visiting the site just to see what it looks like–with no intention of giving away any information–won’t leave you open to attack. In some cases these phishing sites are just a facade for pages that are also looking to exploit new zero-day vulnerabilities. The best advice in these situations is to follow safe computing practices and delete these emails immediately.

Some of the subject lines that we have seen associated with this scam include:

• ***south africa 2010 fifa world cup lottery promotions***
• ,,,sa 2010 world cup lotto drew;;;;;;;
• claim your fifa world cup football award/ticket
• congratulation! you have won us$1,220,000.00 for soccer world cup 2010 promotional draw
• congratulation!!! for 2010 world cup promotion
• fifa 2010 world cup lottery department
• fifa-mtn world cup team official prize notification
• final notification for south africa fifa 2010 world cup lottery
• south africa 2010 world cup award notification!!!
• south african 2010 fifa world cup lottery award
• south african 2010 world cup bid lottery award
• south african world cup 2010 free lottery draw
• winner – fifa world cup online draw
• world cup bid lottery award
• you have won south africa 2010 world cup lottery
• you have won south africa 2010 world cup lottery computer promotional draw
• your email just won 2010 world cup in south africa & fifa promotion
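As an added example (not code from Symantec or this blog), a small mail-triage heuristic that runs over the subject lines listed above: the pattern the post describes is the sporting theme paired with a lottery or prize lure, so a subject is flagged only when both appear, and a score ranks how many scam markers it carries. The benign subjects are constructed for contrast; the scam subjects are copied from the list on this page.

```python
import re

# Scam subject lines quoted in the Symantec post above (real, from the page)
SCAM_SUBJECTS = [
    "***south africa 2010 fifa world cup lottery promotions***",
    ",,,sa 2010 world cup lotto drew;;;;;;;",
    "claim your fifa world cup football award/ticket",
    "congratulation! you have won us$1,220,000.00 for soccer world cup 2010 promotional draw",
    "fifa 2010 world cup lottery department",
    "winner – fifa world cup online draw",
    "your email just won 2010 world cup in south africa & fifa promotion",
]
# Constructed benign subjects for contrast (not from the page)
BENIGN_SUBJECTS = [
    "World Cup final tonight - anyone watching in the break room?",
    "Re: lottery pool for the charity raffle",
    "Q2 budget review moved to Thursday",
]

THEME = re.compile(r"\b(world\s*cup|fifa|south\s*africa)\b", re.I)
LURE = re.compile(
    r"\b(lottery|lotto|draw|drew|award|prize|winner|won|promotion(?:al|s)?"
    r"|claim|notification|congratulations?)\b", re.I)
MONEY = re.compile(r"(?:us\$|\$|€|£)\s?\d[\d,]*(?:\.\d+)?", re.I)
SHOUT = re.compile(r"!{2,}|\*{2,}|[;,]{3,}")


def score_subject(subject):
    """Return (score, reasons): one point per marker class present, plus one
    for each distinct lure word beyond the first."""
    reasons = []
    if THEME.search(subject):
        reasons.append("world-cup theme")
    lures = {m.group(0).lower() for m in LURE.finditer(subject)}
    if lures:
        reasons.append("lure words: " + ", ".join(sorted(lures)))
    if MONEY.search(subject):
        reasons.append("money amount")
    if SHOUT.search(subject):
        reasons.append("shouting punctuation")
    return len(reasons) + max(0, len(lures) - 1), reasons


def is_world_cup_scam(subject):
    """Theme alone is normal mail; theme plus a prize lure is the scam pattern."""
    return bool(THEME.search(subject)) and bool(LURE.search(subject))


def triage(subjects):
    """Flagged subjects with their scores, highest first."""
    hits = [(s, score_subject(s)[0]) for s in subjects if is_world_cup_scam(s)]
    return sorted(hits, key=lambda h: -h[1])
```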

Sunbelt documents an increase in users who have encountered this new malware agent, which is difficult to remove. Many individuals may be picking it up at P2P and other potentially malicious sites.

Sunbelt Blogs - The Mysterious Tango Toolbar

QUOTE: Two common themes: nobody seems to know where they get it from, and nobody can uninstall it. Out of all the threads posted, there seems to be only one that potentially gives some specifics with regards a possible source. If you don’t want to read his long ramble, here is his post in a nutshell: “Went looking for Limewire, downloaded a version and now I have Tango Toolbar”.

So either he grabbed a cracked version which comes with the toolbar, or he downloaded something from P2P land which came with a few surprises. Regardless of infection route, it took a while to find the file in question because “It’s called Tango Toolbar and there’s a picture of a red hat on it” doesn’t really help much.  This particular toolbar is a mess of broken uninstallers, disclaimers warding off associations with the product and endless people on support forums wondering how it ended up on their computers in the first place.

An excellent site containing practical advice and best practices for families with children. Some items pertinent to security include:

Tips for Parents

Internet Security Software Overview

Common FAQs
