Major Security / Virus Warnings

Discussion in 'Virus Software Updates (Read Only)' started by NICK ADSL UK, Dec 22, 2003.

  1. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

  2. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Hostile takeover of Shareaza

    The distributors of the iMesh P2P client are using a particularly aggressive method to distribute their software. Users of the Shareaza filesharing client have recently been installing a fake client after responding to a message inviting them to download and install an updated version. The problem can be traced back to the Shareaza developers losing control of the original shareaza.com domain from which the software attempts to update.

    The new owner of the domain claims to be providing an updated version of the Shareaza client for download. However, the download does not contain the open-source Shareaza client at all but instead, according to research carried out by Shareaza users, an iMesh or BearShare client with a modified user interface and additional adware in the guise of a toolbar. Because it also offers music tracks and albums for sale, iMesh considers itself a legal P2P network. Nevertheless, there is a silver lining for Shareaza users. The update mechanism could have allowed criminal individuals to install trojans or spyware along with the updates.

    It would seem that the French music industry association La Societe Des Producteurs De Phonogrammes En France (SPPF) forced the previous owner, Jonathan Nilson, to sell the domain. The SPPF had brought an action against Nilson in a Parisian court.

    The Shareaza developers have reacted to the situation by releasing a new version of the software that no longer tries to update from the old domain. The official website has now moved to the SourceForge server farm. Shareaza users should download and install the latest version 2.3.1.0 and uninstall the fake client if necessary.

    http://www.heise-security.co.uk/news/101548
     
  3. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Cyber Security Bulletins for the Week of January 7, 2008
    Published: January 14, 2008

    The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cyber Security Division (NCSD) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

    Review the http://www.us-cert.gov/cas/bulletins/SB08-014.html
     
  4. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    'Tis the Season for Tax Return Scams

    It's that time of the year again, tax season. With every tax season is the latest in tax return phishes.

    See sample received by ISC at http://isc.sans.org/diary.html?storyid=3898
     
  5. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Storm Worm Directing Users to Medical Spam Web Sites
    added January 30, 2008 at 03:20 pm | updated January 30, 2008 at 06:02 pm

    US-CERT is aware of a variant of the Storm Worm that sends unsolicited email messages to users and attempts to evade spam filtering. When a user receives this email message, it will contain a link in the format of:

    http://<IP Address>/<random directory name>

    When visited, the user will be directed to a website containing medical spam information.

    US-CERT urges users and administrators to take the following preventative measures to mitigate the security risks:


    Install anti-virus software, and keep its virus signature files up-to-date.
    Block executable and unknown file types at the email gateway.
    Refer to the Recognizing and Avoiding Email Scams document for more information on avoiding email scams.
    Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.



    Cisco Releases Security Advisories to Address a Vulnerability in the Cisco Wireless Control System
    added January 30, 2008 at 02:23 pm

    Cisco has released Security Advisory cisco-sa-20080130-wcs to address a vulnerability in the Wireless Control System. The vulnerability exists in the Apache Tomcat URI handler and may allow a remote, unauthenticated attacker to execute arbitrary code on an affected system.

    More information and workarounds regarding this vulnerability can be found in the Cisco Security Advisory cisco-sa-20080130-wcs.


    http://www.uscert.gov/current/current_activity.html#new_storm_worm_tactic
     
  6. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Description:
    Some vulnerabilities have been discovered in Yahoo! Music Jukebox, which can be exploited by malicious people to compromise a user's system.

    1) A boundary error in the YMP DataGrid ActiveX control (datagrid.dll) when handling arguments passed to the "AddImage()" and "AddButton()" methods can be exploited to cause a stack-based buffer overflow via an overly long argument.

    2) A boundary error in the Yahoo! Mediagrid ActiveX control (mediagridax.dll) when handling arguments passed to the "AddBitmap()" method can be exploited to cause a stack-based buffer overflow via an overly long argument.

    Successful exploitation allows execution of arbitrary code when a user e.g. visits a malicious website.

    NOTE: Working exploit code is publicly available.

    The vulnerabilities are confirmed in Yahoo! Music Jukebox version 2.2.2.056. Other versions may also be affected.

    Solution:
    Set the kill-bit for the affected ActiveX controls.
    http://secunia.com/advisories/28757/
     
  7. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    12 February 2008, 15:02
    Valentine's Day greetings from storm worm
    Was it just a test run, or do the storm worm botnet's operators have difficulty reading a calendar? Storm-infected computers were sending out Valentine's Day messages a whole month ago - despite the fact that it's actually this Thursday. A number of anti-virus software vendors are now warning of a new wave of storm worm emails promising Valentine's Day greetings, but in fact merely infecting users with new versions of the worm.

    The emails, with subject lines such as Love Rose, Rockin' Valentine or Just You, include links to websites showing one of eight different sloppy Valentine's Day images pointing to a file called valentine.exe. The detection rate for anti-virus software is abysmal - only Kaspersky, Sophos and F-Secure, which contains the Kaspersky engine, detect the current malware version. Since the botnet operators frequently replace the executable, detection rates are, however, highly variable.

    Signature updates from anti-virus software vendors are barely able to keep up, so that some variants remain undetected and can be executed. Solutions with integrated behavioural blockers or additional behaviour based detection programs, such as Norton's AntiBot or Trend Micro's RUBotted, are likely to offer better protection in such cases.

    The usual security tips should help protect against storm worm infection. Don't open unrequested email attachments, never execute files from dubious websites and always keep your anti-virus software up to date.
    http://www.heise-online.co.uk/security/Valentine-s-Day-greetings-from-storm-worm--/news/110099
     
  8. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Critical VMware Security Alert for Windows-Hosted VMware Workstation, VMware Player, and VMware ACE

    Products
    VMware ACE
    VMware Player
    VMware Workstation
    Details

    Summary
    On Windows hosts, if you have configured a VMware host-to-guest shared folder, it is possible for a program running in the guest to gain access to the host's complete file system and create or modify executable files in sensitive locations.

    Workaround
    Until VMware releases a patch to fix this issue, users of affected Windows-hosted VMware products should disable shared folders.

    To disable shared folders in the Global settings:
    1. From the VMware product's menu, choose Edit > Preferences.
    2. In the Workspace tab, under Virtual Machines, deselect the checkbox for Enable all shared folders by default.

    To disable shared folders for the individual virtual machine settings:
    1. From the VMware product's menu, choose VM > Settings.
    2. In the Options tab, select Shared Folders and Disable.

    http://kb.vmware.com/selfservice/mi...nguage=en_US&cmd=displayKC&externalId=1004034
     
  9. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    A week after McAfee Avert Labs found WinCE/InfoJack, we’ve run across more malware in China. This time the malware, running on Symbian Series 60 phones, attempts to extort money from users. SymbOS/Kiazha.A displays a message telling the user to send RMB 50 (approx. $7) to the malware author in order to regain use of the phone.

    http://www.avertlabs.com/research/blog/index.php/2008/03/04/crimeware-goes-mobile/
     
  10. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    ActiveX Control "Console" Property Memory Corruption

    Critical: Highly critical

    Impact: System access
    Where: From remote
    Solution Status: Unpatched

    Software: RealPlayer 11.x
    http://secunia.com/advisories/29315/
     
  11. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Help avoid online tax fraud
    Published: January 15, 2007 | Updated: March 6, 2008


    If you file your taxes over the Internet, it's important to remember some common-sense rules about protecting your privacy and helping to prevent identity theft.

    The information in your return contains everything that an unscrupulous third party needs to steal your identity, file tax returns on your behalf, steal your refund, and more.



    One of the most important things you can do to help protect yourself is to use Internet Explorer 7. For more information, see Keep your identity safer this tax season.
    http://www.microsoft.com/windows/products/winfamily/ie/tax/default.mspx
     
  12. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Adobe is planning to release a security update for Flash Player 9 in April 2008 to strengthen the security of Adobe Flash Player for our customers and end users, and to provide further mitigations for previously disclosed vulnerabilities. The Flash Player security update provides further mitigations for issues listed in the December 2007 Security Bulletin ABSP07-20 for DNS rebinding and cross-domain policy file vulnerabilities, and Security Advisory APSA07-06 for cross-site scripting vulnerabilities in SWFs. Due to the possibility that these security enhancements and changes may impact existing content, Adobe is providing relevant information in advance to allow customers to better prepare for the pending release.

    Customers are advised to review the upcoming Flash Player updates to determine if their content will be impacted, and to begin implementing necessary changes immediately to help ensure a seamless transition. This document provides an overview of the upcoming Flash Player changes, links to TechNotes, and relevant documentation to help you better prepare.

    If any of the following situations apply, you should read this article in detail:

    http://www.adobe.com/devnet/flashplayer/articles/flash_player9_security_update.html
     
  13. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    ********************************************************************
    Title: Microsoft Security Bulletin Revisions
    Issued: March 25, 2008
    ********************************************************************

    Summary
    =======
    The following bulletins have undergone a major revision increment.
    Please see the appropriate bulletin for more details.

    * MS07-040 - Critical

    Bulletin Information:
    =====================

    * MS07-040 - Critical
    - http://www.microsoft.com/technet/security/bulletin/ms07-040.mspx

    - Reason for Revision: Bulletin Updated: Added .NET Framework 1.0
    (KB928367) and .NET Framework 1.1 (KB929729) as affected
    components for Windows Vista Service Pack 1 and Windows
    Server 2008.
    - Originally posted: July 10, 2007
    - Updated: March 25, 2008
    - Bulletin Severity Rating: Critical
    - Version: 2.0
     
  14. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

  15. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Email Attack Targeting Microsoft's April Security Bulletins

    Email Attack Targeting Microsoft's April Security Bulletin Release Cycle

    US-CERT has seen reports of an email attack targeting Microsoft's April Security Bulletin release cycle. This attack arrives via email messages with the subject line "Critical Patch Released: Microsoft Security Bulletin MS08-64738." These email messages contain a link to a fraudulent Microsoft Update web site that hosts malicious code or contains an attachment that is embedded with malicious code. Users who follow the link or open the attachment may become infected with a Trojan.

    US-CERT encourages users to do the following to help mitigate the risks:

    Install anti-virus software and keep its virus signature files up to date.
    Do not follow unsolicited web links received in email messages.
    Verify web sites recommended in email by manually typing their URLs. Do not link directly to web sites recommended in an email.

    Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.
    Follow the guidance provided in the Recognize and avoid fraudulent e-mail to Microsoft customers document from Microsoft
    http://www.us-cert.gov/current/index.html#email_attack_targeting_microsoft_s
     
  16. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Security advisory Potential vulnerability in Photoshop Album Starter Edition 3.2
    Release date: April 21, 2008

    Vulnerability identifier: APSA08-04

    CVE number: CVE-2008-1765

    Platform: Windows

    Affected Software: Photoshop Album Starter Edition 3.2

    Summary
    Adobe is aware of a recently published security issue in Adobe Photoshop Album Starter Edition 3.2 that could potentially cause code execution. An attacker would need to convince a user to open a malicious BMP file to successfully exploit the issue. This issue does not affect Photoshop or Photoshop Elements users who have already applied the updates described in Security Bulletin APSB07-13.

    Details
    An attacker would need to convince a user to open a malicious BMP file in Photoshop Album Starter Edition to successfully exploit the issue. Adobe recommends that customers exercise caution when receiving unsolicited or suspicious BMP files. This issue does not affect Photoshop or Photoshop Elements users who have already applied the updates described in Security Bulletin APSB07-13.

    http://www.adobe.com/support/security/advisories/apsa08-04.html
     
  17. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Apple QuickTime Vulnerability Report
    added April 23, 2008 at 06:33 pm

    US-CERT is aware of a public report of a new vulnerability in Apple QuickTime. The report indicates that if a user opens a specially crafted QuickTime file, an attacker may be able to execute arbitrary code. This vulnerability may have several attack vectors, such as visiting a malicious or compromised website. US-CERT is currently investigating this report and will provide additional details as needed.

    US-CERT encourages users to use caution when opening QuickTime files, and apply the best security practices described in the Securing Your Web Browser document, to help mitigate the risks.

    http://www.us-cert.gov/current/index.html#apple_quicktime_vulnerability
     
  18. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    The sophisticated mass infection that's injecting attack code into hundreds of thousands of reputable web pages is growing and even infiltrated the website of the Department of Homeland Security.

    While so-called SQL injections are nothing new, this latest attack, which we reported earlier, is notable for its ability to infect huge numbers of pages using only a single string of text. At time of writing, Google searches here, here and here showed almost 520,000 pages containing the infection string, though the exact number changes almost constantly. As the screenshot below shows, even the DHS, which is responsible for protecting US infrastructure against cyber attacks, wasn't immune. Other hacked sites include those belonging to the United Nations and the UK Civil Service.
    continued at source
    http://www.theregister.co.uk/2008/04/25/mass_web_attack_grows/
     
  19. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    PayPal XSS Vulnerability Undermines EV SSL Security

    A security researcher in Finland has discovered a cross-site scripting vulnerability on paypal.com that would allow hackers to carry out highly plausible attacks, adding their own content to the site and stealing credentials from users.
    The vulnerability is made worse by the fact that the affected page uses an Extended Validation SSL certificate, which causes the browser's address bar to turn green, assuring visitors that the site – and its content – belongs to PayPal. Two years ago, a similar vulnerability was discovered on a different page of the PayPal site, which also used an SSL certificate

    continued at source

    http://news.netcraft.com/archives/2...vulnerability_undermines_ev_ssl_security.html
     
  20. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Microsoft Security Advisory (953818)
    Blended Threat from Combined Attack Using Apple’s Safari on the Windows Platform
    Published: May 30, 2008 | Updated: June 20, 2008

    Microsoft is investigating new public reports of a blended threat that allows remote code execution on all supported versions of Windows XP and Windows Vista when Apple’s Safari for Windows has been installed. Safari is not installed with Windows XP or Windows Vista by default; it must be installed independently or through the Apple Software Update application. Customers running Safari on Windows should review this advisory.

    At the present time, Microsoft is unaware of any attacks attempting to exploit this blended threat. Upon completion of this investigation, Microsoft will take the appropriate measures to protect our customers. This may include providing a solution through a service pack, the monthly update process, or an out-of-cycle security update, depending on customer needs.

    Apple Support has released a security advisory that addresses the vulnerability in Apple’s Safari 3.1.2 for Windows. Please see Apple security advisory About the security content of Safari 3.1.2 for Windows for more information.

    Mitigating Factors:

    • Customers who have changed the default location where Safari downloads content to the local drive are not affected by this blended threat.

    http://www.microsoft.com/technet/security/advisory/953818.mspx
     
  21. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Adobe released a security update today for Acrobat and Reader 8.1.2. It fixes a vulnerability which allows a remote attacker to execute malicious code. This is likely to appear in a malware-spreading website near you soon, given the track record of the botnet operators. Suggest updating this one as soon as possible.
    http://www.adobe.com/support/security/bulletins/apsb08-15.html
     
  22. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Microsoft Security Advisory (954462)
    Rise in SQL Injection Attacks Exploiting Unverified User Data Input
    Published: June 24, 2008

    Microsoft is aware of a recent escalation in a class of attacks targeting Web sites that use Microsoft ASP and ASP.NET technologies but do not follow best practices for secure Web application development. These SQL injection attacks do not exploit a specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database. When a SQL injection attack succeeds, an attacker can compromise data stored in these databases and possibly execute remote code. Clients browsing to a compromised server could be forwarded unknowingly to malicious sites that may install malware on the client machine.

    Mitigating Factors:

    This vulnerability is not exploitable in Web applications that follow generally accepted best practices for secure Web application development by verifying user data input
    http://www.microsoft.com/technet/security/advisory/954462.mspx
     
    Last edited: Jun 24, 2008
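The mass-injection reports and the Microsoft advisory above both describe attack strings ending up in site databases and then being served to visitors. The following is an added example, not code from Microsoft or from any site mentioned in the thread: a defender-side scan of text columns for `<script src=...>` tags that point at hosts the site does not normally load scripts from. It assumes the injected string takes the form of an external script tag; `sqlite3` stands in for the site's real database, and all table names, rows and host names are constructed.

```python
"""Scan text columns for external <script src=...> tags (added example).

sqlite3 stands in for the site's database; table names, rows and host
names below are constructed for illustration.
"""
import re
import sqlite3
from urllib.parse import urlparse

# Captures the src value of a script tag, quoted or unquoted.
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE
)
# Assumption: the only external host this site legitimately loads scripts from.
ALLOWED_HOSTS = {"static.shop.example"}


def build_sample_db():
    """Create an in-memory database with constructed clean and tampered rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT,
                               description TEXT, price REAL);
        CREATE TABLE news (id INTEGER PRIMARY KEY, title VARCHAR(80), body TEXT);
        """
    )
    injected = "<script src=http://injected.example/b.js></script>"
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?)",
        [
            (1, "Kettle", "Stainless steel kettle.", 19.5),
            (2, "Toaster" + injected, "Two-slice toaster." + injected, 24.0),
            (3, "Mug", 'Mug. <script src="/js/zoom.js"></script>', 4.0),
        ],
    )
    conn.executemany(
        "INSERT INTO news VALUES (?, ?, ?)",
        [
            (1, "Sale",
             'Spring sale <SCRIPT SRC="http://injected.example/b.js"></SCRIPT>'),
            (2, "Widget",
             '<script src="https://static.shop.example/w.js"></script>'),
        ],
    )
    return conn


def text_columns(conn):
    """Yield (table, column) for every character-typed column."""
    tables = [row[0] for row in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name"
    ).fetchall()]
    for table in tables:
        info = conn.execute(f'PRAGMA table_info("{table}")').fetchall()
        for _cid, col, ctype, *_rest in info:
            if "CHAR" in ctype.upper() or "TEXT" in ctype.upper():
                yield table, col


def find_injected_scripts(conn, allowed_hosts):
    """Return (table, column, rowid, host) for each script tag whose src
    names an external host outside allowed_hosts. Relative URLs have no
    host and are treated as same-site."""
    findings = []
    for table, col in text_columns(conn):
        query = f'SELECT rowid, "{col}" FROM "{table}" ORDER BY rowid'
        for rowid, value in conn.execute(query).fetchall():
            for match in SCRIPT_SRC.finditer(value or ""):
                host = urlparse(match.group(1)).hostname
                if host and host not in allowed_hosts:
                    findings.append((table, col, rowid, host))
    return findings


if __name__ == "__main__":
    for finding in find_injected_scripts(build_sample_db(), ALLOWED_HOSTS):
        print(finding)
```

A hit only shows that stored content was tampered with; the entry point still has to be closed by validating input and using parameterized queries, as the advisory says.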
  23. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Mozilla Foundation Security Advisory 2008-21
    Title: Crashes with evidence of memory corruption (rv:1.8.1.15)
    Impact: Critical
    Announced: July 1, 2008
    Reporter: Mozilla developers and community
    Products: Firefox, Thunderbird, SeaMonkey

    Fixed in: Firefox 3.0
    Firefox 2.0.0.15
    SeaMonkey 1.1.10


    Description
    Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances and we presume that with enough effort at least some of these could be exploited to run arbitrary code.

    Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail. Without further investigation we cannot rule out the possibility that for some of these an attacker might be able to prepare memory for exploitation through some means other than JavaScript such as large images.

    Workaround
    Disable JavaScript until a version containing these fixes can be installed.
     
  24. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Attention Virus Warning


     
  25. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Websense® Security Labs(TM) ThreatSeeker(TM) Network has discovered that the Web site of John Sands Greeting Card Company is infected with a mass JavaScript injection that delivers a malicious payload. Multiple pages on the site have been found to contain the said malicious code.

    John Sands is the largest greeting card company in Australasia, helping both Australians and New Zealanders to celebrate with a huge variety of cards and gift wrap items under their brand names such as John Sands, The Ink Group, Momentum Greetings and Creative Stationery. Acquired by American Greetings in 1996, the company was founded in 1837 by John Sands, the son of an English engraver. The company is Australia's second oldest registered company.
    http://securitylabs.websense.com/content/Alerts/3268.aspx
     
  26. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    In the run up to April 1st, McAfee is offering a special build of its stand-alone cleaning tool christened Stinger which will be updated on a daily basis to include any undetected Conficker variants from the wild.

    Please ensure that your copy of Microsoft Windows is patched and security software is fully up to date to ensure that April 1st 2009, is a day like any other day!

    W32/Conficker.worm attacks port 445, Microsoft Directory Service, exploiting MS08-067. MS08-067 is an exploit similar to MS06-040, which we first saw a couple of years ago.

    W32/Conficker.worm attack symptoms:
    - Blocks access to security-related sites
    - User lockouts
    - Traffic on port 445 on non-Directory Service (DS) servers
    - No access to admin shares
    - Autorun.inf files in recycled directory
    http://majorgeeks.com/McAfee_AVERT_Stinger_Conficker__d6157.html
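Two of the symptoms listed above, port 445 traffic to hosts that are not Directory Service servers and Autorun.inf files in recycled directories, can be checked mechanically. The following is an added example, not part of the McAfee notice or the original post: the flow-record format, the file listing, the `DS_SERVERS` set and the fan-out threshold are all constructed assumptions.

```python
"""Detection sketch for two symptoms from the list above (added example).

All input is constructed sample data; DS_SERVERS and FANOUT_THRESHOLD
are assumptions to tune for a real network.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed flow records: "timestamp source destination dest_port".
SAMPLE_FLOWS = """\
2009-03-30T09:00:01 10.0.0.21 10.0.0.5 445
2009-03-30T09:00:02 10.0.0.21 10.0.0.31 445
2009-03-30T09:00:02 10.0.0.21 10.0.0.32 445
2009-03-30T09:00:03 10.0.0.21 10.0.0.33 445
2009-03-30T09:00:03 10.0.0.21 10.0.0.33 445
2009-03-30T09:01:10 10.0.0.22 10.0.0.5 445
2009-03-30T09:01:12 10.0.0.22 10.0.0.40 80
2009-03-30T09:01:15 10.0.0.22 10.0.0.41 445
this line is malformed and must be skipped
"""

# Constructed file listing gathered from fixed and removable drives.
SAMPLE_PATHS = [
    r"E:\autorun.inf",
    r"E:\RECYCLER\S-1-5-21-0000\autorun.inf",
    r"F:\Recycled\AUTORUN.INF",
    r"C:\Users\alice\Documents\report.doc",
]

DS_SERVERS = {"10.0.0.5", "10.0.0.6"}   # hosts expected to receive 445 traffic
FANOUT_THRESHOLD = 3                     # distinct non-DS targets before flagging
RECYCLE_DIRS = {"RECYCLER", "RECYCLED", "$RECYCLE.BIN"}


def parse_flows(text):
    """Yield (timestamp, src, dst, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        ts, src, dst, dport = parts
        yield ts, src, dst, int(dport)


def suspicious_smb_sources(flows, ds_servers, threshold):
    """Map each source to the non-DS hosts it contacted on port 445,
    keeping only sources that reached `threshold` or more distinct hosts."""
    targets = defaultdict(set)
    for _ts, src, dst, dport in flows:
        if dport == 445 and dst not in ds_servers:
            targets[src].add(dst)
    return {
        src: sorted(dsts)
        for src, dsts in targets.items()
        if len(dsts) >= threshold
    }


def autorun_in_recycle_dirs(paths):
    """Return paths whose file name is autorun.inf (any case) and that sit
    under a recycle directory. A root-level autorun.inf is not reported,
    since legitimate installation media carry one."""
    hits = []
    for raw in paths:
        path = PureWindowsPath(raw)
        parents = {part.upper() for part in path.parts[:-1]}
        if path.name.lower() == "autorun.inf" and parents & RECYCLE_DIRS:
            hits.append(raw)
    return hits


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print(suspicious_smb_sources(flows, DS_SERVERS, FANOUT_THRESHOLD))
    print(autorun_in_recycle_dirs(SAMPLE_PATHS))
```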
     
  27. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

  28. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    http://blogs.technet.com/msrc/archive/2009/04/09/conficker-e.aspx
     
  29. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

  30. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    APSB09-07 - Security Updates available for Adobe Reader and Acrobat

    Originally posted: June 9, 2009

    Summary:
    Critical vulnerabilities have been identified in Adobe Reader 9.1.1 and Acrobat 9.1.1 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.

    Adobe recommends users of Adobe Reader 9 and Acrobat 9 and earlier versions update to Adobe Reader 9.1.2 and Acrobat 9.1.2.
    Adobe recommends users of Acrobat 8 update to Acrobat 8.1.6, and users of Acrobat 7 update to Acrobat 7.1.3. For Adobe Reader users who can't update to Adobe Reader 9.1.2, Adobe has provided the Adobe Reader 8.1.6 and Adobe Reader 7.1.3 updates. Updates apply to Windows and Macintosh. Security updates for Adobe Reader on the UNIX platform will be available on June 16, 2009; the Bulletin will be updated to reflect their availability on that date.

    This update incorporates the initial output of code hardening efforts discussed in a May 20 Adobe ASSET (Adobe Secure Software Engineering Team) blog post, as well as externally reported issues.

    http://www.adobe.com/support/security/bulletins/apsb09-07.html
     
  31. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Adobe is aware of reports of a critical vulnerability in Adobe Reader and Acrobat 9.1.3 and earlier (CVE-2009-3459) on Windows, Macintosh and UNIX. There are reports that this issue is being exploited in the wild in limited targeted attacks; the exploit targets Adobe Reader and Acrobat 9.1.3 on Windows.

    Adobe plans to resolve this issue as part of the upcoming Adobe Reader and Acrobat quarterly security update, scheduled for release on October 13. Adobe Reader and Acrobat 9.1.3 customers with DEP enabled on Windows Vista will be protected from this exploit. Disabling JavaScript also mitigates against this specific exploit, although a variant that does not rely on JavaScript could be possible. In the meantime, Adobe is also in contact with Antivirus and Security vendors regarding the issue and recommends users keep their anti-virus definitions up to date.
    (Note: This Security Advisory will be replaced with the final Security Bulletin upon release on October 13, 2009.)

    http://www.adobe.com/support/security/bulletins/apsb09-15.html
     
  32. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Security Updates Available for Adobe Reader and Acrobat

    Release date: October 13, 2009

    Vulnerability identifier: APSB09-15

    CVE number: CVE-2007-0048, CVE-2007-0045, CVE-2009-2564, CVE-2009-2979, CVE-2009-2980, CVE-2009-2981, CVE-2009-2982, CVE-2009-2983, CVE-2009-2984, CVE-2009-2985, CVE-2009-2986, CVE-2009-2987, CVE-2009-2988, CVE-2009-2989, CVE-2009-2990, CVE-2009-2991, CVE-2009-2992, CVE-2009-2993, CVE-2009-2994, CVE-2009-2995, CVE-2009-2996, CVE-2009-2997, CVE-2009-2998, CVE-2009-3431, CVE-2009-3458, CVE-2009-3459, CVE-2009-3460, CVE-2009-3461, CVE-2009-3462

    Platform: All
    http://www.adobe.com/support/security/bulletins/apsb09-15.html
     
  33. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Apple has released Safari 4.0.4 to address multiple vulnerabilities


     
  34. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Apple Releases Mac OS X v10.6.2 and Security Update 2009-006

    http://support.apple.com/kb/HT3937
     
  35. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Adobe Releases Security Updates for Flash Player and AIR
    added December 9, 2009 at 09:03 am

    Adobe has released a security bulletin to address multiple vulnerabilities in Adobe Flash Player 10.0.32.18 and earlier and Adobe AIR 1.5.2 and earlier. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or obtain sensitive information.

    http://www.adobe.com/support/security/bulletins/apsb09-19.html
     
  36. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    The Microsoft Security Response Center (MSRC) : Results of Investigation into Holiday IIS Claim:

    http://blogs.technet.com/msrc/archi...-of-investigation-into-holiday-iis-claim.aspx
     
  37. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Adobe Reader and Acrobat updates scheduled for January 12

    Security Advisory for Adobe Reader and Acrobat
    Release date: January 7, 2010

    Vulnerability identifier: APSB10-02

    Platform: All

    Summary
    Adobe is planning to release an update for Adobe Reader 9.2 and Acrobat 9.2, and Adobe Reader 8.1.7 and Acrobat 8.1.7 for Windows and Macintosh, and Adobe Reader 9.2 for UNIX, to resolve critical security issues. Adobe expects to make this quarterly update available on January 12, 2010.
     
  38. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Oracle Critical Patch Update Advisory - January 2010
    Description
    A Critical Patch Update is a collection of patches for multiple security vulnerabilities. It also includes non-security fixes that are required (because of interdependencies) by those security patches. Critical Patch Updates are cumulative, except as noted below, but each advisory describes only the security fixes added since the previous Critical Patch Update. Thus, prior Critical Patch Update Advisories should be reviewed for information regarding earlier accumulated security fixes. Please refer to:

    Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.

    http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html
     
  39. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

  40. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Add-on security vulnerability announcement
    One malicious add-on and another add-on with a serious security vulnerability were discovered recently on the Mozilla Add-ons site. Both issues have been dealt with, and the details are described below.

    Mozilla Sniffer
    Issue
    An add-on called “Mozilla Sniffer” was uploaded on June 6th to addons.mozilla.org. It was discovered that this add-on contains code that intercepts login data submitted to any website, and sends this data to a remote location. Upon discovery on July 12th, the add-on was disabled and added to the blocklist, which will prompt the add-on to be uninstalled for all current users.


    Impact to users
    If a user installs this add-on and submits a login form with a password field, all form data will be submitted to a remote location. Uninstalling the add-on stops this behavior. Anybody who has installed this add-on should change their passwords as soon as possible.


    Status
    Mozilla Sniffer has been downloaded approximately 1,800 times since its submission and currently reports 334 active daily users. All current users should receive an uninstall notification within a day or so. The site this add-on sends data to seems to be down at the moment, so it is unknown if data is still being collected.

    Mozilla Sniffer was not developed by Mozilla, and it was not reviewed by Mozilla. The add-on was in an experimental state, and all users that installed it should have seen a warning indicating it is unreviewed. Unreviewed add-ons are scanned for known viruses, trojans, and other malware, but some types of malicious behavior can only be detected in a code review.

    http://blog.mozilla.com/addons/2010/07/13/add-on-security-announcement/
     
  41. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

  42. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Security Advisory for Adobe Reader and Acrobat
    Adobe has confirmed it will be releasing out-of-cycle security updates for Adobe Reader and Adobe Acrobat tomorrow, August 19th. The updates will be for Reader 9.3.3 for Windows, Macintosh and UNIX, Acrobat 9.3.3 on Windows and Macintosh, and Reader and Acrobat 8.2.3 on Windows and Macintosh.
    Please note that this update is critical.

    http://www.adobe.com/support/security/bulletins/apsb10-17.html
     
  43. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Insecure Loading of Dynamic Link Libraries in Windows Applic

    Vulnerability Note VU#707943
    Microsoft Windows based applications may insecurely load dynamic libraries
    Overview
    Some applications for Microsoft Windows may use unsafe methods for determining how to load DLLs. As a result, these applications can be forced to load a DLL from an attacker-controlled source rather than a trusted location.
    I. Description
    Dynamically Linked Libraries (DLLs) are executable software components that are incorporated into a program at run-time rather than when the program is compiled and linked. Functions included in these libraries can be loaded in different ways by an application. In the case of run-time dynamic linking, a module uses the LoadLibrary() or LoadLibraryEx() functions to load the DLL at run time. If the location of the DLL to be loaded is not specified (such as specifying a fully qualified path name) by the application, Microsoft Windows defines an order in which directories are searched for the named DLL. By default, this search order contains the current directory of the process.
    If an attacker can cause an affected application to call LoadLibrary() while the application's current directory is set to one controlled by the attacker, that application may run the attacker's code from a specially named DLL also supplied in that directory. This can occur when the affected application opens a normal file typically associated with it from the attacker-controlled directory. The specific name of the DLL that an attacker would need to choose varies depending on the affected application.

    II. Impact
    A remote, unauthenticated attacker with the ability to supply a malicious DLL may be able to execute arbitrary code on a vulnerable system. In the most likely exploit scenario, an attacker could host this malicious DLL on a USB drive or network share. The attacker-supplied code would be run with the privileges of the user of the affected application.

    In some cases of affected applications, an attacker who already has access to a local folder on the system could use this vulnerability in a local application running with elevated privileges to escalate their own privileges on the system.
    http://www.kb.cert.org/vuls/id/707943
     
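The search-order behaviour described in VU#707943 above, modelled as an added Python example that is not part of the original post or of the CERT note. It assumes the documented Windows standard search order with SafeDllSearchMode off and on (the separate system and Windows directories are collapsed into one list), uses `cwd_removed` to stand for the effect of calling SetDllDirectory(""), and runs on a constructed directory layout with made-up file names.

```python
import os
import tempfile

def search_order(app_dir, system_dirs, cwd, path_dirs, safe_mode=True, cwd_removed=False):
    """Directories consulted, in order, for a DLL name given without a path."""
    order = [app_dir]
    if not cwd_removed and not safe_mode:
        order.append(cwd)              # legacy order: current directory right after the app directory
    order += system_dirs
    if not cwd_removed and safe_mode:
        order.append(cwd)              # safe search mode: current directory after the system directories
    return order + path_dirs

def resolve(name, order):
    """Return the label of the directory the DLL would load from, or None if not found."""
    if os.path.isabs(name):            # fully qualified path: no search takes place
        return os.path.basename(os.path.dirname(name)) if os.path.isfile(name) else None
    for d in order:
        if os.path.isfile(os.path.join(d, name)):
            return os.path.basename(d)
    return None

def demo():
    with tempfile.TemporaryDirectory() as root:
        dirs = {n: os.path.join(root, n) for n in ("app", "system32", "share")}
        for d in dirs.values():
            os.mkdir(d)
        # Constructed layout: "share" stands for the untrusted folder holding the opened document.
        for d, f in (("system32", "common.dll"), ("share", "common.dll"), ("share", "optional.dll")):
            open(os.path.join(dirs[d], f), "wb").close()

        def order(**kw):
            return search_order(dirs["app"], [dirs["system32"]], dirs["share"], [], **kw)

        return {
            "legacy_common": resolve("common.dll", order(safe_mode=False)),
            "safe_common": resolve("common.dll", order()),
            "safe_optional": resolve("optional.dll", order()),
            "nocwd_optional": resolve("optional.dll", order(cwd_removed=True)),
            "full_path": resolve(os.path.join(dirs["system32"], "common.dll"), order(safe_mode=False)),
        }

if __name__ == "__main__":
    for case, source in demo().items():
        print(f"{case:15} -> {source}")
```

The `safe_optional` case is the one to note when reviewing an application: moving the current directory later in the order protects only names that exist in a trusted directory, so a bare name that is absent from the system still resolves from the document folder unless the current directory is removed from the search or a full path is used.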
  44. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Security Advisory for Adobe Reader and Acrobat


    Release date: September 8, 2010

    Vulnerability identifier: APSA10-02

    CVE number: CVE-2010-2883

    Platform: All

    Summary
    A critical vulnerability exists in Adobe Reader 9.3.4 and earlier versions for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh. This vulnerability (CVE-2010-2883) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild.

    Adobe is in the process of evaluating the schedule for an update to resolve this vulnerability.

    http://www.adobe.com/support/security/advisories/apsa10-02.html
     
  45. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Fraud alert: "Your Hotmail account will be deleted"
    A new scam email claiming to be from Microsoft asks for personal information to avoid suspension of your Windows Live Hotmail account. Do not reply! This email message is a scam.
    http://click.email.microsoftemail.c...c366e6115fa3eef18170c43994dbbfb012c98fd9da927


    Fraud alert: UPS package scam
    In recent newsletters, we told you about a phishing email message purporting to be from UPS. A reader recently brought another UPS-related scam to our attention.
    http://click.email.microsoftemail.c...390b9ed5fe846af0e9a16892d62ca3e67d97c1caf9cfe


    Worried about ID theft? You're not alone
    A recent study by the National Cyber Security Alliance and the Anti-Phishing Working Group found Americans are as concerned about ID theft as they are about job loss.
    http://click.email.microsoftemail.c...1042eeb327c14a04b1e7e88deafc03f2494b487a8a749


    Microsoft to lead Family Online Safety Institute
    A group manager from Microsoft's Trustworthy Computing group recently assumed the chair of the Family Online Safety Institute (FOSI) board of directors. Learn more about FOSI and its charter to make the Internet safer for families.
    http://click.email.microsoftemail.c...196f6ca7708fc384626443f2733fa8b1f4ef73f08e290


    Operation b49: Microsoft takes on the bots
    In February, Microsoft helped take down the Waledac botnet in an effort known internally as "Operation b49." Now in phase two, Operation b49 can help you clean out your PC if you think it's been infected by a bot.
    http://click.email.microsoftemail.c...bdc2bd57d9e20de8554f4dffca8705af558303ec10e00
     
  46. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

  47. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

  48. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Apple Releases Mac OS X v10.6.5 and Security Update 2010-007

    Apple has released Mac OS X v10.6.5 and Security Update 2010-007 to address multiple vulnerabilities affecting a number of packages. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, obtain sensitive information, conduct cross-site scripting attacks, cause a denial-of-service condition, or bypass security restrictions.

    Systems using PGP WDE should not be updated. Public reports indicate that a compatibility issue exists between PGP WDE and the Mac OS X v10.6.5 update. Applying the Mac OS X v10.6.5 update to a system running PGP WDE will prevent the system from successfully booting. Additional information about this issue can be found in PGP knowledgebase article 2288.
    https://pgp.custhelp.com/app/answers/detail/a_id/2288

    Users and administrators are encouraged to review Apple article HT4435
    http://support.apple.com/kb/HT4435
    and apply any necessary updates. Users and administrators running PGP WDE should delay updating to Mac OS X v10.6.5 until a solution has been identified. PGP WDE users who cannot postpone updating to Mac OS X v10.6.5, or who have previously updated to Mac OS X v10.6.5 and are unable to boot their systems, should refer to PGP knowledgebase article 2288
    https://pgp.custhelp.com/app/answers/detail/a_id/2288
    for instructions on safely applying this update or recovering a system that fails to boot because this update was applied.
     
  49. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Apple has released iOS 4.2 for the iPhone, iPod Touch,

    Apple has released iOS 4.2 for the iPhone, iPod Touch, and iPad to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, initiate a call, cause a denial-of-service condition, gain system privileges, or obtain sensitive information.

    http://support.apple.com/kb/HT4456
     
  50. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Holiday Season Phishing Scams and Malware Campaigns
    added November 18, 2010 at 02:17 pm | updated December 20, 2010 at 09:57 am

     
