Major Security / Virus Warnings

Discussion in 'Virus Software Updates (Read Only)' started by NICK ADSL UK, Dec 22, 2003.

  1. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Microsoft Security Advisory (935423)
    Vulnerability in Windows Animated Cursor Handling
    Published: March 29, 2007

    Microsoft is investigating new public reports of targeted attacks exploiting a vulnerability in the way Microsoft Windows handles animated cursor (.ani) files. In order for this attack to be carried out, a user must either visit a Web site that contains a Web page that is used to exploit the vulnerability or view a specially crafted e-mail message or email attachment sent to them by an attacker.

    As a best practice, users should always exercise extreme caution when opening or viewing unsolicited emails and email attachments from both known and unknown sources. Microsoft has added detection to the Windows Live OneCare safety scanner for up-to-date removal of malicious software that attempts to exploit this vulnerability. Microsoft intends to actively share information with Microsoft Security Response Alliance partners so that their detection can be up to date to detect and remove attacks. Customers in the U.S. and Canada who believe they are affected can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

    Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This will include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

    Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.

    http://www.microsoft.com/technet/security/advisory/935423.mspx
     
  2. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Attention AVG 7.0/7.1 users

    A recent AVG update can cause problems for users still using outdated versions of AVG (version 7.0 or 7.1), or if AVG Free was previously used on the same computer. Symptoms can vary from an incorrect state of some AVG components, to errors during running tests, causing AVG to unexpectedly close. Detailed description of these symptoms and information on how to correctly solve this problem is available at the Support section, topic no. 545.
    - April 10th, 2007 -

    http://www.grisoft.com/doc/faq/us/crp/0?num=545#faq_545
     
  3. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Microsoft Security Advisory (935964)
    Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution.
    Published: April 12, 2007

    Microsoft is investigating new public reports of a limited attack exploiting a vulnerability in the Domain Name System (DNS) Server Service in Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. Microsoft Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not affected as these versions do not contain the vulnerable code.

    Microsoft’s initial investigation reveals that the attempts to exploit this vulnerability could allow an attacker to run code in the security context of the Domain Name System Server Service, which by default runs as Local SYSTEM.

    Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

    Customers who believe they are affected can contact Product Support Services. Contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1-866-PCSAFETY). International customers can use any method found at this location: http://support.microsoft.com/security

    International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

    http://www.microsoft.com/technet/security/advisory/935964.mspx
     
  4. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Microsoft Security Advisory (935964)
    Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution.
    Published: April 12, 2007 | Updated: April 13, 2007


    Microsoft is investigating new public reports of a limited attack exploiting a vulnerability in the Domain Name System (DNS) Server Service in Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. Microsoft Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not affected as these versions do not contain the vulnerable code.

    Microsoft’s initial investigation reveals that the attempts to exploit this vulnerability could allow an attacker to run code in the security context of the Domain Name System Server Service, which by default runs as Local SYSTEM.

    Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

    Customers who believe they are affected can contact Product Support Services. Contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1-866-PCSAFETY). International customers can use any method found at this location: http://support.microsoft.com/security

    International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

    Revisions:


    April 12, 2007: Advisory published.


    April 13, 2007: Advisory updated to include additional details about Windows Small Business Server. Mitigations also updated to include additional information regarding the affected network port range and firewall configuration. Additional details also provided for registry key mitigation values.
     
  5. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    VULNERABILITY ALERT:
    Microsoft Windows DNS Server RPC interface remote code execution vulnerability
    RISK LEVEL: High

    On Friday, April 20, 2007, the CA Security Advisory Team is issuing an alert regarding a high risk level vulnerability threat called Microsoft Windows DNS Server RPC interface remote code execution vulnerability.

    For more information, including our remediation steps, please visit our detail page.
    http://www3.ca.com/securityadvisor/vulninfo/vuln.aspx?id=35234

    This is an update to last week's publication

    Revisions:

    • April 12, 2007: Advisory published.

    • April 13, 2007: Advisory updated to include additional details about Windows Small Business Server. Mitigations also updated to include additional information regarding the affected network port range and firewall configuration. Additional details also provided for registry key mitigation values.

    • April 15, 2007: Advisory “Suggested Actions” section updated to include additional information regarding TCP and UDP port 445 and the 15 character computer name known issue.

    • April 16, 2007: Advisory updated: Ongoing monitoring indicates that we are seeing a new attack that is attempting to exploit this vulnerability.

    • April 19, 2007: Advisory updated: To provide information on Windows Live OneCare malware detection capability and to clarify that the registry key workaround provides protection to all attempts to exploit this vulnerability. Advisory also updated to provide additional data regarding exploitability through port 139.


    http://www.microsoft.com/technet/security/advisory/935964.mspx
     
    Last edited: Apr 20, 2007
  6. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Apple QuickTime Java Handling Unspecified Code Execution



    Secunia Advisory: SA25011
    Release Date: 2007-04-24


    Critical: Highly critical
    Impact: System access
    Where: From remote
    Solution Status: Unpatched


    Software: Apple Quicktime 3.x
    Apple Quicktime 4.x
    Apple Quicktime 5.x
    Apple Quicktime 6.x
    Apple QuickTime 7.x


    Description:
    A vulnerability has been reported in Apple QuickTime, which can be exploited by malicious people to compromise a user's system.

    The vulnerability is caused due to an unspecified error within the Java handling in QuickTime. This can be exploited to execute arbitrary code when a user visits a malicious web site using a Java-enabled browser e.g. Safari or Firefox.

    The vulnerability is reported on a Mac OS X system using Safari and Firefox. Other browsers and platforms may also be affected.

    Solution:
    Disable Java support.

    Do not browse untrusted websites.

    Provided and/or discovered by:
    Dino Dai Zovi

    Original Advisory:
    Matasano:
    http://www.matasano.com/log/812/break...n-quicktime-affects-win32-apple-code/

    http://secunia.com/advisories/25011/
     
  7. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    ----------------------------------------------------------------------
    Adobe Products PNG.8BI PNG File Handling Buffer Overflow

    Secunia Advisory: SA25044
    Release Date: 2007-04-30


    Critical: Highly critical
    Impact: System access
    Where: From remote
    Solution Status: Unpatched


    Software: Adobe Photoshop CS2
    Adobe Photoshop CS3
    Adobe Photoshop Elements 5.x


    Description:
    Marsu has discovered a vulnerability in various Adobe Products, which can be exploited by malicious people to compromise a user's system.

    The vulnerability is caused due to a boundary error within the PNG.8BI Photoshop Format Plugin when handling PNG files. This can be exploited to cause a stack-based buffer overflow via a specially crafted PNG file.

    Successful exploitation allows execution of arbitrary code.

    The vulnerability is confirmed in Adobe Photoshop CS2 and Adobe Photoshop Elements (Editor) version 5.0 for Windows and reportedly affects Adobe Photoshop CS3.

    Solution:
    Do not open untrusted PNG files.

    Provided and/or discovered by:
    Marsu

    Original Advisory:
    http://milw0rm.com/exploits/3812

    http://secunia.com/advisories/25044/
     
  8. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Windows Genuine Advantage Phished; We don't have to pay to "activate" a copy of Windows

    Symantec is warning users of the new trojan horse that phished Microsoft's Windows Genuine Advantage.

    Users should KNOW that activating a copy of Windows is free (online activation or using some toll-free numbers).

    If you ever see Windows asking for credit card information to activate your copy of Windows, DO NOT enter your credit card details. Run a scan using an antivirus or antimalware program. You may be infected with Trojan.Kardphisher!

    More info can be found here
    http://www.symantec.com/enterprise/...g/2007/05/ms_needs_your_credit_card_deta.html
     
    Last edited: Dec 14, 2007
  9. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    "Vulnerability Summary for the Week of April 30, 2007" in forum "Vulnerabilities / Advisories".

    ----------------------------------------------------------------------
    The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week.

    High Vulnerabilities:

    Adobe -- Photoshop
    Adobe -- Photoshop Elements
    Buffer overflow in Adobe Photoshop CS2 and CS3, and Photoshop Elements 5.0, allows user-assisted remote attackers to execute arbitrary code via a crafted .PNG file.

    Cerulean Studios -- Trillian Pro
    Heap-based buffer overflow in the Rendezvous / Extensible Messaging and Presence Protocol (XMPP) component (plugins\rendezvous.dll) for Cerulean Studios Trillian Pro before 3.1.5.1 allows remote attackers to execute arbitrary code via a message that triggers the overflow from expansion that occurs during encoding.

    Cerulean Studios -- Trillian Pro
    Multiple heap-based buffer overflows in the IRC component in Cerulean Studios Trillian Pro before 3.1.5.1 allow remote attackers to corrupt memory and possibly execute arbitrary code via (1) a URL with a long UTF-8 string, which triggers the overflow when the user highlights it, or (2) a font HTML tag with a face attribute containing a long UTF-8 string.

    Microsoft -- Windows 2000
    Microsoft -- Windows Server 2003
    Microsoft -- Windows XP
    Unspecified vulnerability in Microsoft Windows 2000, XP, and Server 2003 allows user-assisted remote attackers to execute arbitrary code via unspecified vectors. NOTE: this information is based upon a vague pre-advisory with no actionable information. However, the advisory is from a reliable source.

    MicroWorld Technologies -- eScan
    The MicroWorld Agent service (MWAGENT.EXE) in MicroWorld Technologies eScan 8.0.671.1, and possibly other versions, allows remote or local attackers to gain privileges and execute arbitrary commands by connecting directly to TCP port 2222.

    Sun -- JRE
    Sun -- SDK
    Sun -- Java Enterprise System
    Sun Java Web Start in JDK and JRE 5.0 Update 10 and earlier, and Java Web Start in SDK and JRE 1.4.2_13 and earlier, allows remote attackers to perform unauthorized actions via an application that grants privileges to itself, related to "Incorrect Use of System Classes" and probably related to support for JNLP files.

    Symantec -- LiveState Recovery
    Symantec -- Ghost
    Symantec -- BackupExec System Recovery
    Symantec -- Norton Save & Recovery
    Buffer overflow in Ghost Service Manager, as used in Symantec Norton Ghost, Norton Save & Recovery, LiveState Recovery, and BackupExec System Recovery before 20070426, allows local users to gain privileges via a long string.

    More at http://www.us-cert.gov/cas/bulletins/SB07-127.html
     
  10. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    "ClamAV OLE2 Parser Denial of Service" in forum "Vulnerabilities / Advisories".

    ----------------------------------------------------------------------
    Affected Software:
    Clam AntiVirus (clamav) 0.x
    ClamWin Free Antivirus 0.x
    ClamXav 1.x

    Description:
    Victor Stinner has reported a vulnerability in ClamAV, which can be exploited by malicious people to cause a DoS (Denial of Service).

    The vulnerability is caused due to an error within the OLE2 parser when handling objects with malformed FAT partitions and large property sizes. This can be exploited to cause a DoS due to storage and CPU resource consumption by scanning a specially crafted OLE2 file.

    Solution: There is no known solution at this time.
    http://secunia.com/advisories/25244/


    ----------------------------------------------------------------------
     
  11. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    "Vulnerability Summary for the Week of May 7, 2007" in forum "Vulnerabilities / Advisories".

    ----------------------------------------------------------------------
    The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week.

    High Vulnerabilities:

    Computer Associates -- eTrust Integrated Threat Management
    Computer Associates -- eTrust PestPatrol
    Computer Associates -- eTrust EZ Antivirus
    Stack-based buffer overflow in the Console Server in CA Anti-Virus for the Enterprise r8, Threat Manager r8, Anti-Spyware for the Enterprise r8, and Protection Suites r3 allows remote attackers to execute arbitrary code via unspecified vectors involving login authentication credentials.

    McAfee -- SecurityCenter Agent
    McAfee -- VirusScan
    McAfee -- SecurityCenter
    Buffer overflow in the IsOldAppInstalled function in the McSubMgr.McSubMgr Subscription Manager ActiveX control (MCSUBMGR.DLL) in McAfee SecurityCenter before 6.0.25 and 7.x before 7.2.147 allows remote attackers to execute arbitrary code via a crafted argument.

    Microsoft -- Exchange Server
    Microsoft Exchange Server 2000 SP3, 2003 SP1 and SP2, and 2007 does not properly decode certain MIME encoded e-mails, which allows remote attackers to execute arbitrary code via a crafted base64-encoded MIME e-mail message.

    Microsoft -- Office
    Microsoft -- Excel
    Microsoft -- Excel Viewer
    Stack-based buffer overflow in Microsoft Excel 2000 SP3, 2002 SP3, 2003 SP2, and 2003 Viewer allows user-assisted remote attackers to execute arbitrary code via a .XLS BIFF file with a malformed Named Graph record, which results in memory corruption.

    Microsoft -- Exchange Server
    Cross-site scripting (XSS) vulnerability in Outlook Web Access (OWA) in Microsoft Exchange Server 2000 SP3, and 2003 SP1 and SP2 allows remote attackers to execute arbitrary scripts, spoof content, or obtain sensitive information via certain UTF-encoded, script-based e-mail attachments, involving an "incorrectly handled UTF character set label".

    Microsoft -- CAPICOM
    Microsoft -- BizTalk Server
    Unspecified vulnerability in the Cryptographic API Component Object Model Certificates ActiveX control (CAPICOM.dll) in Microsoft CAPICOM and BizTalk Server 2004 SP1 and SP2 allows remote attackers to execute arbitrary code via unspecified vectors, aka the "CAPICOM.Certificates Vulnerability."

    Microsoft -- Internet Explorer
    Microsoft Internet Explorer 5.01 SP4 on Windows 2000 SP4; 6 SP1 on Windows 2000 SP4; 6 and 7 on Windows XP SP2, or Windows Server 2003 SP1 or SP2; and possibly 7 on Windows Vista does not properly "instantiate certain COM objects as ActiveX controls", which allows remote attackers to execute arbitrary code via a crafted COM object.

    Microsoft -- Internet Explorer
    Unspecified vulnerability in the CTableCol::OnPropertyChange method in Microsoft Internet Explorer 5.01 SP4 on Windows 2000 SP4; 6 SP1 on Windows 2000 SP4; and 6 on Windows XP SP2, or Windows Server 2003 SP1 or SP2 allows remote attackers to execute arbitrary code by calling deleteCell on a named table row in a named table column, then accessing the column, which causes Internet Explorer to access previously deleted objects, aka the "Uninitialized Memory Corruption Vulnerability."

    Microsoft -- Word
    Microsoft -- Works Suite
    Microsoft Word 2000 SP3, 2002 SP3, 2003 SP2, 2003 Viewer, 2004 for Mac, and Works Suite 2004, 2005, and 2006 does not properly parse certain rich text properties, which allows user-assisted remote attackers to trigger memory corruption and execute arbitrary code, aka the "Word RTF Parsing Vulnerability."

    Nokia -- Intellisync Mobile Suite
    Nokia -- Intellisync Wireless Email Express
    Nokia -- Groupwise Mobile Server
    usrmgr/userList.asp in Nokia Intellisync Mobile Suite 6.4.31.2, 6.6.0.107, and 6.6.2.2, possibly involving Novell Groupwise Mobile Server and Nokia Intellisync Wireless Email Express, allows remote attackers to modify user account details and cause a denial of service (account deactivation) via the userid parameter in an update action.

    Trend Micro -- ServerProtect
    Multiple stack-based buffer overflows in Trend Micro ServerProtect 5.58 before Security Patch 2- Build 1174 allow remote attackers to execute arbitrary code via crafted data to (1) TCP port 5168, which triggers an overflow in the CAgRpcClient::CreateBinding function in the AgRpcCln.dll library in SpntSvc.exe; or (2) TCP port 3628, which triggers an overflow in EarthAgent.exe. NOTE: both issues are reachable via TmRpcSrv.dll.

    More at http://www.us-cert.gov/cas/bulletins/SB07-134.html
    ----------------------------------------------------------------------
     
  12. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Opera Browser Security Release - v9.21 Available, Please upgrade to latest version

    Changes Since Opera 9.20
    User Interface
    New shortcut 'ya' for searching with Yahoo! Answers.
    Scripting
    The onunload event is no longer fired if a new URL is entered manually via the address bar or bookmarks.
    Fixed a bug where User JavaScript on HTTPS would keep prompting to be allowed to run on a page.
    Fixed a crash caused by long object descendant property chains in JavaScript.
    Security
    Fixed a buffer overflow with malformed torrents, as reported by iDefense. See the advisory.
    Miscellaneous
    Stability fix for torrents.
    Windows specific
    Fixed support for the WMP for Firefox plug-in.
    Corrected plug-in paths.
    PAC (Proxy Auto-Config) setting is now read from system.

    http://www.opera.com/download/
     
  13. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

  14. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    "F-Secure Anti-Virus Products Code Execution and DoS Vulnerabilities" in forum "Vulnerabilities / Advisories".

    ----------------------------------------------------------------------
    Multiple vulnerabilities have been identified in various F-Secure Anti-Virus products, which could be exploited by attackers or malware to take complete control of an affected system or cause a denial of service.

    The first issue is caused by a buffer overflow error when processing malformed LHA archives, which could be exploited by attackers to execute arbitrary commands by tricking a system protected by a vulnerable application to scan a malicious file.

    The second vulnerability is caused by an infinite loop when handling malformed archives or packed executables, which could be exploited by attackers to crash a vulnerable application, creating a denial of service condition.

    The third issue is caused due to improper access validation of the address space used by the Real-time Scanning component, which could be exploited by malicious local attackers to obtain elevated privileges via a specially crafted IRP (I/O request packet).

    Affected Products

    F-Secure Anti-Virus for Workstations version 5.44 and prior
    F-Secure Anti-Virus for Windows Servers version 5.52 and prior
    F-Secure Anti-Virus for Citrix Servers version 5.52
    F-Secure Anti-Virus for MIMEsweeper version 5.61 and prior
    F-Secure Anti-Virus Client Security version 6.03 and prior
    F-Secure Anti-Virus for MS Exchange version 6.40 and prior
    F-Secure Internet Gatekeeper version 6.60 and prior
    F-Secure Internet Security 2005
    F-Secure Internet Security 2006
    F-Secure Internet Security 2007
    F-Secure Anti-Virus 2005
    F-Secure Anti-Virus 2006
    F-Secure Anti-Virus 2007
    F-Secure Protection Service for Consumers version 6.40 and prior
    F-Secure Anti-Virus for Linux Servers version 4.65 and prior
    F-Secure Anti-Virus for Linux Gateways version 4.65 and prior
    F-Secure Anti-Virus Linux Client Security 5.30 and prior
    F-Secure Anti-Virus Linux Server Security 5.30 and prior
    F-Secure Internet Gatekeeper for Linux 2.16 and prior

    Solution

    Apply patches:
    http://www.f-secure.com/security/fsc-2007-1.shtml
    http://www.f-secure.com/security/fsc-2007-2.shtml
    http://www.f-secure.com/security/fsc-2007-3.shtml

    References

    http://www.frsirt.com/english/advisories/2007/1985
    http://www.f-secure.com/security/fsc-2007-1.shtml
    http://www.f-secure.com/security/fsc-2007-2.shtml
    http://www.f-secure.com/security/fsc-2007-3.shtml
     
  15. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    "Symantec Product Advisory: SYM07-013" in forum "Vulnerabilities / Advisories".

    ----------------------------------------------------------------------
    SYM07-013 - Multiple Symantec Ghost Solution Suite Vulnerabilities
    Multiple denial of service vulnerabilities have been identified in Symantec Ghost Solution Suite.

    Affected Products: Symantec Ghost Solution Suite 2.0.0 and earlier

    Three remote denial of service vulnerabilities have been identified in Symantec Ghost Solution Suite. All three vulnerabilities affect both the client and server daemons. Each vulnerability is triggered by sending a malformed UDP packet to either the client or server daemon.

    Symantec response
    Symantec has released updates for all supported 2.0.0 versions of Symantec Ghost Solution Suite. These updates are available through LiveUpdate.

    Symantec has released the following downloadable updates for all supported 1.1 versions of Symantec Ghost Solution Suite.

    Download the updates from: http://securityresponse.symantec.com/avcenter/security/Content/2007.06.05b.html
     
  16. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Bogus offer claims forwarding chain letter will glean hundreds of pounds in vouchers

    IT security and control firm Sophos is warning computer users not to be duped by enticing email offers, following the rapid spread of a spoof chain-mail, allegedly sent by UK high street supermarket Marks and Spencer, in conjunction with Persimmon Homes.

    The email promises at least £100 worth of M&S vouchers in return for forwarding the message on to at least eight people, and copying in a legitimate email address at British housebuilding firm Persimmon Homes. However, neither Marks and Spencer nor Persimmon Homes has endorsed the email and both advise recipients to delete it immediately.

    http://www.sophos.com/pressoffice/news/articles/2007/06/markschain.html
     
  17. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    "Yahoo! Messenger Two ActiveX Controls Buffer Overflows" in forum "Vulnerabilities / Advisories".

    ----------------------------------------------------------------------
    Affected Software: Yahoo! Messenger 8.x

    Description: Danny has discovered two vulnerabilities in Yahoo! Messenger, which can be exploited by malicious people to compromise a user's system.

    1) A boundary error within the Yahoo! Webcam Upload (ywcupl.dll) ActiveX control can be exploited to cause a stack-based buffer overflow by assigning an overly long string to the "Server" property and then calling the "Send()" method.

    2) A boundary error within the Yahoo! Webcam Viewer (ywcvwr.dll) ActiveX control can be exploited to cause a stack-based buffer overflow by assigning an overly long string to the "Server" property and then calling the "Receive()" method.

    Successful exploitation of the vulnerabilities allows execution of arbitrary code.

    The vulnerabilities are confirmed in version 8.1.0.249. Other versions may also be affected.

    Solution: Set the kill-bit for the affected ActiveX controls.

    http://secunia.com/advisories/25547/
     
  18. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Fake Adobe Shockwave Player download page!
    This is just a heads up that when you're surfing and a box pops up saying that you need the Adobe Shockwave Player to view something or to play a game, you should always get these updates either direct from here or from the author's website only, as there are many bogus links going around at this time which will download malware instead, so do be careful.
     
  19. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    "Yahoo! Messenger 8.1 Unspecified Remote Buffer Overflow Vulnerability" in forum "Vulnerabilities / Advisories".

    ----------------------------------------------------------------------
    Yahoo! Messenger is prone to an unspecified buffer-overflow vulnerability. The software purportedly fails to perform sufficient bounds-checking of user-supplied input before copying it to an insufficiently sized memory buffer.

    Yahoo! Messenger version 8.1 is reportedly vulnerable to this issue.

    WabiSabiLabi is offering this vulnerability for auction. It was discovered by an unknown researcher.

    http://www.securityfocus.com/bid/24784/info
     
  20. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    "Windows Vista Kernel Unspecified Remote Denial Of Service Vulnerability"

    ----------------------------------------------------------------------
    Microsoft Windows Vista is prone to an unspecified remote denial-of-service vulnerability.

    Attackers may exploit this issue to crash the affected operating system, denying further service to legitimate users. Remote code-execution may be possible, but this has not been confirmed.

    Vulnerable:
    Microsoft Windows Vista x64 Edition 0
    Microsoft Windows Vista December CTP
    Microsoft Windows Vista Ultimate
    Microsoft Windows Vista Home Premium
    Microsoft Windows Vista Home Basic
    Microsoft Windows Vista Enterprise
    Microsoft Windows Vista Business
    Microsoft Windows Vista beta 2
    Microsoft Windows Vista Beta 1
    Microsoft Windows Vista Beta
    Microsoft Windows Vista 0

    http://www.securityfocus.com/bid/24816/info
     
  21. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Adobe Security Bulletins:
    - Flash Player Update available to address security vulnerabilities
    - Photoshop CS2 and CS3 updates available to address security vulnerabilities ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    APSB07-12 - Flash Player Update available to address security vulnerabilities

    Originally posted: July 10, 2007

    Summary:
    Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these potential vulnerabilities. Users are recommended to update to the most current version of Flash Player available for their platform.

    Severity Rating:
    Adobe categorizes this update as critical:
    http://www.adobe.com/support/security/severity_ratings.html

    Adobe recommends that users apply this update to their installations. Learn more:
    http://www.adobe.com/support/security/bulletins/apsb07-12.html
     
  22. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    "Symantec released 5 Security Advisories"

    ----------------------------------------------------------------------
    SYM07-015 - Symantec Backup Exec for Windows Server: RPC Interface Heap Overflow, Denial of Service
    http://securityresponse.symantec.com/avcenter/security/Content/2007.07.11a.html

    SYM07-016 - Symantec Client Security Internet E-mail Auto-Protect Stack Overflow
    http://securityresponse.symantec.com/avcenter/security/Content/2007.07.11b.html

    SYM07-017 - Symantec AntiVirus Corporate Edition Local Elevation of Privilege
    http://securityresponse.symantec.com/avcenter/security/Content/2007.07.11c.html

    SYM07-018 - Symantec SYMTDI.SYS Device Driver Local Elevation of Privilege
    http://securityresponse.symantec.com/avcenter/security/Content/2007.07.11d.html

    SYM07-019 - Symantec AntiVirus Malformed RAR and CAB Compression Type Bypass
    http://securityresponse.symantec.com/avcenter/security/Content/2007.07.11f.html

    Please read the advisories and their response to the issue.
     
  23. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    AVG Anti-Virus "AVG7CORE.SYS" Driver IOCTL Privilege Escalation Vulnerability

    ----------------------------------------------------------------------
    A vulnerability has been identified in AVG Anti-Virus, which could be exploited by local attackers to obtain elevated privileges. This issue is caused due to improper address space validation within the "AVG7CORE.SYS" driver when processing IOCTL 0x5348E004, which could be exploited by malicious users to overwrite arbitrary kernel memory addresses and execute code with elevated privileges.

    Affected Products
    AVG Anti-Virus Free versions 7.x
    AVG Anti-Virus Professional Edition versions 7.x

    Solution
    Upgrade to the latest version:
    http://www.grisoft.com/doc/32/us/crp/0
     
  24. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Internet Explorer OnBeforeUnload Javascript Browser Entrapment Vulnerability

    ----------------------------------------------------------------------
    Affected Software:
    Microsoft Internet Explorer 7.0
    + Microsoft Windows Vista Ultimate
    + Microsoft Windows Vista Home Premium
    + Microsoft Windows Vista Home Basic
    + Microsoft Windows Vista Enterprise
    + Microsoft Windows Vista Business
    + Microsoft Windows Vista 0

    Microsoft Internet Explorer is prone to a vulnerability that allows attackers to trap users at a particular webpage and spoof page transitions.

    Attackers may exploit this via a malicious page to spoof the contents and origin of a page that the victim may trust. This vulnerability may be useful in phishing or other attacks that rely on content spoofing.

    Internet Explorer 7 is vulnerable to this issue; other versions may also be affected.

    http://www.securityfocus.com/archive/1/473702
    http://www.securityfocus.com/bid/24911/discuss
    ----------------------------------------------------------------------
     
  25. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Yahoo! Messenger Address Book Remote Buffer Overflow Vulnerability

    ----------------------------------------------------------------------
    Yahoo! Messenger is prone to a remote buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data.

    Attackers can exploit this issue to execute arbitrary code in the context of the application or to cause denial-of-service conditions.

    Versions 8.1 and prior are vulnerable.

    http://www.securityfocus.com/bid/24926/discuss
    ----------------------------------------------------------------------
     
  26. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Sun Java System Web Server Multiple HTTP Redirect Vulnerabilities

    ----------------------------------------------------------------------
    Sun Java System Web Server Multiple HTTP Redirect Vulnerabilities

    Sun Java System Web Server is prone to multiple HTTP redirect related vulnerabilities. The vulnerabilities include HTTP response splitting, HTTP header injection, and unauthorized access to system resources.

    An attacker may exploit the HTTP response splitting vulnerability to influence or misrepresent how web content is served, cached, or interpreted. This could aid in various attacks that attempt to entice client users into a false sense of trust.

    Attackers typically exploit HTTP header injection issues to inject arbitrary cookie attributes into a session cookie. Since session IDs are usually stored in cookie form, an attacker can inject arbitrary cookie data attributes into a session cookie and this may enable a variety of attacks upon active web sessions.

    Solution:
    The vendor has released service packs and updates to address these issues. Please see the references for more information.


    Sun Java System Web Server 7.0
    Sun Sun Java System Web Server 7.0 Update 1
    http://www.sun.com/download/products.xml?id=467713d6


    Sun Java System Web Server 6.1 SP7
    Sun Sun Java System Web Server 6.1 SP8
    http://www.sun.com/download/products.xml?id=4694392a
     
  27. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Microsoft Windows Explorer JPG File Denial of Service Vulnerability

    ----------------------------------------------------------------------
    Microsoft Windows Explorer JPG File Denial of Service Vulnerability

    Microsoft Windows Explorer is prone to a denial-of-service vulnerability.

    An attacker could exploit this issue to cause Explorer to crash, effectively denying service. Arbitrary code execution may be possible, but this has not been confirmed.

    This issue affects Windows Explorer on Microsoft Windows XP; other operating systems and versions may also be affected.

    http://www.securityfocus.com/bid/25207/info
    ----------------------------------------------------------------------
     
  28. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    BOClean 4.25 Critical Upgrade
    Operating Systems

    * Windows For Workgroups 3.11 (Win32s required)
    * Windows 95, 95A, 95B, 95C (Winsock 2 required)
    * Windows 98, 98SE
    * Windows ME
    * Windows NT4 (SP2+ required)
    * Windows 2000
    * Windows Server 2003
    * Windows XP (any, including 64)
    * Windows Longhorn Server
    * Windows Vista (any, including 64)

    IMPORTANT:

    1. If you already have a copy of any earlier BOClean on your machine, UNINSTALL it first! If you have BOClean running on the tray bar, right click it, select "shut down BOClean". Should you forget to do this the remover will complain and tell you to do so. There is no harm done if the old BOClean were to be left running, however you'll have two BOCleans running and that will waste resources. The two will not interfere with one another, but you only require one.

    BOClean 4.25 Critical Upgrade

    A buffer overflow vulnerability has been discovered by our QA team in Comodo in ALL existing versions of BOClean which can possibly be exploited. Therefore we have brought out this version. Please upgrade your copies to this one if you have not already done so.

    http://www.majorgeeks.com/Comodo_BOClean_Anti-Malware_d5616.html
     
  29. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Zero-day vulnerability in Yahoo Messenger

    ----------------------------------------------------------------------
    Zero-day vulnerability in Yahoo Messenger


    A security vulnerability in Yahoo Messenger allows attackers to inject malicious code into a user's computer. The zero-day vulnerability, reported in McAfee's security blog, can be exploited by attackers using specially crafted invitations to webcam sessions.

    According to McAfee, the vulnerability stems from a heap based buffer overflow and affects Version 8.1.0.413 of the Yahoo Messenger. The company gives no further details. The antivirus vendor has informed Yahoo about the vulnerability. Until an updated version of the Messenger is released, McAfee recommends rejecting webcam invitations from unknown senders. They also advise that, until the update is available, administrators should block outgoing traffic to TCP port 5100 in the firewall through which the Messenger conducts webcam sessions.

    http://www.heise-security.co.uk/news/94443
     
  30. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    MSN Messenger Video Conversation Buffer Overflow Vulnerability

    ----------------------------------------------------------------------
    MSN Messenger Video Conversation Buffer Overflow Vulnerability

    Secunia Advisory: SA26570
    Release Date: 2007-08-28


    Critical: Highly critical
    Impact: System access
    Where: From remote
    Solution Status: Unpatched


    Software: Microsoft MSN Messenger 6.x
    Microsoft MSN Messenger 7.x

    Description:
    wushi has reported a vulnerability in MSN Messenger, which can be exploited by malicious people to compromise a user's system.

    The vulnerability is caused due to an error in the handling of video conversations and can be exploited to cause a heap-based buffer overflow via specially crafted data sent to a user.

    Successful exploitation may allow execution of arbitrary code, but requires that the victim accepts the incoming Web Cam invitation.

    The vulnerability is reported in version 7.x. Other versions may also be affected.

    Solution:
    No fix is available for 7.x versions and prior. Users are encouraged to upgrade to Windows Live Messenger 8.1 or later, which is not affected by the vulnerability.

    Do not accept untrusted Web Cam sessions.



    http://secunia.com/advisories/26570/
    ----------------------------------------------------------------------
     
  31. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Yahoo! battered by second ActiveX vulnerability

    ----------------------------------------------------------------------
    Yahoo! battered by second ActiveX vulnerability

    Upgrade averts code catastrophe
    By John Leyden
    Published Monday 3rd September 2007 09:16 GMT

    Yahoo! users are urged to upgrade their instant messaging software following the discovery of a brace of security vulnerabilities - the second set of serious security flaws involving Yahoo! Messenger in as many weeks.

    The latest security bugs both stem from stack-based buffer overflow flaws in the YVerInfo.dll ActiveX control. Successful exploitation, which is far from straightforward, creates a means for hackers to inject hostile code onto systems running vulnerable versions of Yahoo! Messenger.

    In order to exploit the bugs, hackers would need to establish a malicious web page in the yahoo.com domain, which might be done by methods such as a cross-site scripting vulnerability or by manipulating DNS resolution, security notification firm Secunia reports.

    The vulnerabilities affect versions of Yahoo! Messenger 8.x prior to version 8.1.0.419, released late last week. Users are urged to upgrade.

    More background can be found in security advisories from Yahoo! (here) and iDefense (here), the firm that discovered the bug.

    Last month security researchers identified an even more serious bug - again involving a dodgy ActiveX control - that meant users were exposed to attack providing they accepted a webcam invite from a hacker. ®

    http://www.theregister.com/2007/09/03/yahoo_activex_vuln/
    ----------------------------------------------------------------------
     
  32. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Apple iTunes Music File Buffer Overflow Vulnerability

    ----------------------------------------------------------------------
    Apple iTunes Music File Buffer Overflow Vulnerability

    Secunia Advisory: SA26725
    Release Date: 2007-09-06

    Critical: Highly critical
    Impact: DoS
    System access
    Where: From remote
    Solution Status: Vendor Patch

    Software: iTunes 4.x
    iTunes 5.x
    iTunes 6.x
    iTunes 7.x

    CVE reference: CVE-2007-3752 (Secunia mirror)

    Description:
    A vulnerability has been reported in Apple iTunes, which can be exploited by malicious people to compromise a user's system.

    The vulnerability is caused due to an unspecified boundary error when processing album cover art. This can be exploited to cause a buffer overflow via a specially crafted music file.

    Successful exploitation may allow execution of arbitrary code.

    The vulnerability is reported in versions prior to 7.4.

    Secunia has constructed the Secunia Software Inspector, which you can use to check if your system is vulnerable:
    http://secunia.com/software_inspector/

    Solution:
    Update to version 7.4.

    iTunes 7.4 for Mac:
    http://www.apple.com/support/downloads/itunes74formac.html

    iTunes 7.4 for Windows:
    http://www.apple.com/support/downloads/itunes74forwindows.html

    Provided and/or discovered by:
    The vendor credits David Thiel, iSEC Partners

    Original Advisory:
    http://docs.info.apple.com/article.html?artnum=306404

    http://secunia.com/advisories/26725/
    ----------------------------------------------------------------------
     
  33. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    OpenOffice TIFF File Parser Buffer Overflow Vulnerability

    ----------------------------------------------------------------------
    OpenOffice TIFF File Parser Buffer Overflow Vulnerability

    OpenOffice is prone to a remote heap-based buffer-overflow vulnerability because the application fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.

    Remote attackers may exploit this issue by enticing victims into opening maliciously crafted TIFF files.

    An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial of service.

    http://www.securityfocus.com/bid/25690/info
     
  34. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    After being notified by heise Security, Skype silently fixed a security problem in the handling of special URLs by releasing an updated version 3.5.0.239. Other programs such as Adobe's Acrobat Reader, the Netscape browser, and the Miranda Instant Messenger still launch arbitrary programs when special URLs containing the % character are clicked on. In doing so, they may allow spyware to be installed on the user's system. The developers of Mozilla have at least temporarily remedied a similar problem in Firefox.

    The Mozilla team categorized the vulnerability as critical, released a dedicated security advisory, and provided users with a patched version via the update function. In contrast, Skype just published a minor update and mentioned "bugfix: Links with invalid % encodings were executed" in the Release Notes, which normal users will never see. Skype users are therefore advised to install the latest version by themselves. The procedure is quite simple: simply click on "Help/Check for updates".

    READ MORE HERE:

    http://www.heise-security.co.uk/news/96982
     
  35. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

  36. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Patch available for PageMaker buffer overflow vulnerability
    Release date: October 9, 2007


    Vulnerability identifier: APSB07-15

    CVE number: CVE-2007-5169

    Platform: Windows

    Affected software versions: PageMaker 7.0.1 and PageMaker 7.0.2

    Summary: A critical vulnerability has been identified in Adobe PageMaker 7.0.1 and PageMaker 7.0.2 that could allow an attacker who successfully exploits this vulnerability to take control of the affected system. It is recommended that users update their installations using the instructions provided below.

    Solution: Adobe recommends PageMaker 7.0.1 and PageMaker 7.0.2 users update their installations using the instructions below:

    1. Download the zip file.
    2. Exit PageMaker.
    3. Browse to the PageMaker installation directory (default is \Program Files\Adobe\PageMaker 7.0\).
    4. Expand the zip file and overwrite the existing MAIPM6.dll file in the PageMaker installation directory.
    5. Restart PageMaker.
    http://www.adobe.com/support/security/bulletins/apsb07-15.html
     
  37. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Kaspersky Online Scanner ActiveX Control Format String Vulnerability

    ----------------------------------------------------------------------
    Kaspersky Online Scanner ActiveX Control Format String Vulnerability

    Secunia Advisory: SA27187
    Release Date: 2007-10-11

    Critical: Highly critical
    Impact: System access
    Where: From remote
    Solution Status: Vendor Patch

    Software: Kaspersky Online Scanner 5.x

    CVE reference: CVE-2007-3675 (Secunia Mirror)

    Description:
    A vulnerability has been reported in Kaspersky Online Scanner, which can be exploited by malicious people to compromise a user's system.

    The vulnerability is caused due to a format string error in the kavwebscan.CKAVWebScan ActiveX control (kavwebscan.dll) when processing arguments passed to certain unspecified methods. This can be exploited to execute arbitrary code when a user e.g. visits a malicious website.

    The vulnerability affects versions 5.0.93.1 and prior.

    Solution:
    Update to version 5.0.98.0.
    http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

    Provided and/or discovered by:
    Discovered by Stephen Fewer of Harmony Security and reported via iDefense Labs.

    Original Advisory:
    Kaspersky:
    http://www.kaspersky.com/news?id=207575572

    http://secunia.com/advisories/27187/
    ----------------------------------------------------------------------
     
  38. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Mozilla Firefox Multiple Vulnerabilities

    Secunia Advisory: SA27311
    Release Date: 2007-10-19

    Critical: Highly critical
    Impact: Spoofing
    Manipulation of data
    Exposure of sensitive information
    DoS
    System access
    Where: From remote
    Solution Status: Vendor Patch

    Software: Mozilla Firefox 2.0.x

    CVE reference:
    CVE-2007-1095 (Secunia mirror)
    CVE-2007-2292 (Secunia mirror)
    CVE-2007-4841 (Secunia mirror)
    CVE-2007-5334 (Secunia mirror)
    CVE-2007-5338 (Secunia mirror)
    CVE-2007-5339 (Secunia mirror)
    CVE-2007-5340 (Secunia mirror)

    Description:
    Some vulnerabilities and a weakness have been reported in Mozilla Firefox, which can be exploited by malicious people to disclose sensitive information, conduct phishing attacks, manipulate certain data, and potentially compromise a user's system.

    1) Various errors in the browser engine can be exploited to cause a memory corruption.

    2) Various errors in the Javascript engine can be exploited to cause a memory corruption.

    Successful exploitation of these vulnerabilities may allow execution of arbitrary code.

    3) An error in the handling of onUnload events can be exploited to read and manipulate the document's location of new pages.

    4) Input passed to the user ID when making an HTTP request using Digest Authentication is not properly sanitised before being used in a request. This can be exploited to insert arbitrary HTTP headers into a user's request when a proxy is used.

    5) An error when displaying web pages written in the XUL markup language can be exploited to hide the window's title bar and facilitate phishing attacks.

    6) An error exists in the handling of "smb:" and "sftp:" URI schemes on Linux systems with gnome-vfs support. This can be exploited to read any file owned by the target user via a specially crafted page on the same server.

    Successful exploitation requires that the attacker has write access to a mutually accessible location on the target server and the user is tricked into loading the malicious page.

    7) An unspecified error in the handling of "XPCNativeWrappers" can lead to execution of arbitrary Javascript code with the user's privileges via subsequent access by the browser chrome (e.g. when a user right-clicks to open a context menu).

    This is related to vulnerability #6 in:
    SA26095

    Solution:
    Update to version 2.0.0.8.

    NOTE: Additional fixes have been added to prevent the exploitation of a URI handling vulnerability in Microsoft Windows.

    For more information:
    SA26201

    Provided and/or discovered by:
    The vendor credits:
    1) L. David Baron, Boris Zbarsky, Georgi Guninski, Paul Nickerson, Olli Pettay, Jesse Ruderman, Vladimir Sukhoy, Daniel Veditz, and Martijn Wargers
    2) Igor Bukanov, Eli Friedman, and Jesse Ruderman
    3) Michal Zalewski
    4) Stefano Di Paola
    5) Eli Friedman
    6) Georgi Guninski
    7) moz_bug_r_a4

    Original Advisory:
    Mozilla:
    http://www.mozilla.org/security/announce/2007/mfsa2007-29.html
    http://www.mozilla.org/security/announce/2007/mfsa2007-30.html
    http://www.mozilla.org/security/announce/2007/mfsa2007-31.html
    http://www.mozilla.org/security/announce/2007/mfsa2007-33.html
    http://www.mozilla.org/security/announce/2007/mfsa2007-34.html
    http://www.mozilla.org/security/announce/2007/mfsa2007-35.html
    http://www.mozilla.org/security/announce/2007/mfsa2007-36.html

    Other References:
    SA26095:
    http://secunia.com/advisories/26095/

    http://secunia.com/advisories/27311/
     
  39. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Real Player - Security Release for critical ActiveX vulnerability http://secunia.com/advisories/27248/

    Solution - Apply patch for Real Player 10.5 and 11 beta VIA THE INTERNAL UPDATER
     
    Last edited: Oct 22, 2007
  40. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Security bulletin for vulnerability in Adobe Reader
    Security bulletin
    Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat

    Affected software versions: Adobe Reader 8.1 and earlier, Adobe Reader 7.0.9 and earlier
    Adobe Acrobat Professional, 3D and Standard 8.1 and earlier versions, Adobe Acrobat Professional, Standard, 3D and Elements 7.0.9 and earlier

    Summary: Critical vulnerabilities have been identified in Adobe Reader and Acrobat that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. This issue only affects customers on Windows XP with Internet Explorer 7 installed. A malicious file must be loaded in Adobe Reader or Acrobat by the end user for an attacker to exploit these vulnerabilities. It is recommended that affected users update to Adobe Reader 8.1.1 or Acrobat 8.1.1. This is an update to resolve the issue previously reported in Security Advisory APSA07-04.

    Solution: Adobe strongly recommends upgrading to Adobe Reader 8.1.1 or Acrobat 8.1.1. The Adobe Reader 8.1.1 update files can be manually downloaded and installed from
    http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows

    The Acrobat 8.1.1 update files can be downloaded and installed from
    http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows

    Microsoft may also be providing an update to resolve this issue at a later date. Please refer to Microsoft Security Advisory 943521 for more information.
    http://www.microsoft.com/technet/security/advisory/943521.mspx

    http://www.adobe.com/support/security/bulletins/apsb07-18.html
     
  41. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    QuickTime 7.3 addresses critical security issues

    QuickTime 7.3 for Windows

    About QuickTime 7.3 for Windows
    QuickTime 7.3 addresses critical security issues and delivers:
    - Updated support for creating iPhone-compatible web content
    - Updated JavaScript support in the QuickTime Web Plug-in
    - Numerous bug fixes
    - Support for iTunes

    This release is recommended for all QuickTime 7 users.

    For detailed information on the security content of this update, please visit this website: www.info.apple.com/kbnum/n61798.
     
  42. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Numerous media players affected by vulnerability in audio codec

    That there are multiple critical vulnerabilities in the Free Lossless Audio Codec (FLAC) library has been known since September. However, until now no mention has been made concerning which products use the library and are potentially vulnerable. US-CERT has rectified this omission in an advisory that includes a list of affected products. The list includes Cog, dBpoweramp, Foobar2000, jetAudio, PhatBox and Yahoo products (probably the Yahoo! Music Jukebox). In Winamp, the vulnerability has been fixed since version 5.5, in libFLAC since version 1.2.1.

    Security services provider eEye has released an overview of all 14 known vulnerabilities in libFLAC parsers in a new security advisory. Almost all of these are due to buffer overflows. Many can be exploited to inject and execute code using crafted meta data in FLAC files. As well as the products named, the open source libavcodec audio codec library also uses libFLAC. The bug has not yet been fixed in this library, so that a whole raft of other products is potentially affected by this problem. These include MPlayer, VLC Media Player, GStreamer, ffdshow, xmms and xine.

    Until updates are made available, users should only play FLAC files from trusted sources. To date, however, FLAC files are rarely seen in the wild. US rapper Saul Williams is one of the few artists who does offer a losslessly compressed version of his latest album "The Inevitable Rise and Liberation of NiggyTardust!" in FLAC format as a download
    http://www.heise-security.co.uk/news/99108
     
  43. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

  44. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Microsoft Security Advisory (945713)
    Vulnerability in Web Proxy Auto-Discovery (WPAD) Could Allow Information Disclosure
    Published: December 3, 2007

    Microsoft is investigating new public reports of a vulnerability in the way Windows resolves hostnames that do not include a fully-qualified domain name (FQDN). The technology that the vulnerability affects is Web Proxy Auto-Discovery (WPAD). Microsoft has not received any information to indicate that this vulnerability has been publicly used to attack customers, and Microsoft is not aware of any customer impact at this time. Microsoft is aggressively investigating the public reports. Customers whose domain name begins in a third-level or deeper domain, such as “contoso.co.us”, or for whom the following mitigating factors do not apply, are at risk from this vulnerability.

    Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

    Mitigating Factors:

    • Customers who do not have a primary DNS suffix configured on their system are not affected by this vulnerability. In most cases, home users that are not members of a domain have no primary DNS suffix configured. Connection-specific DNS suffixes may be provided by some Internet Service Providers (ISPs), and these configurations are not affected by this vulnerability.

    • Customers whose DNS domain name is registered as a second-level domain (SLD) below a top-level domain (TLD) are not affected by this vulnerability. Customers whose DNS suffixes reflect this registration would not be affected by this vulnerability. An example of a customer who is not affected is contoso.com or fabrikam.gov, where “contoso” and “fabrikam” are customer registered SLDs under their respective “.com” and “.gov” TLDs.

    • Customers who have specified a proxy server via DHCP server settings or DNS are not affected by this vulnerability.

    • Customers who have a trusted WPAD server in their organization are not affected by this vulnerability. (See the Workaround section for specific steps in creating a WPAD.DAT file on a WPAD server.)

    • Customers who have manually specified a proxy server in Internet Explorer are not at risk from this vulnerability when using Internet Explorer.

    • Customers who have disabled 'Automatically Detect Settings' in Internet Explorer are not at risk from this vulnerability when using Internet Explorer.

    http://www.microsoft.com/technet/security/advisory/945713.mspx
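
The mitigating factors in advisory 945713 above can be turned into a configuration audit. The following is an added example, not part of the original post or the advisory: it assumes Windows appends the primary DNS suffix to "wpad" and then strips the leftmost label until two labels remain, and it uses a small constructed suffix table in place of the full Public Suffix List. All function and parameter names are hypothetical.

```python
from dataclasses import dataclass

# Constructed, deliberately tiny stand-in for the Public Suffix List.
# A real audit should load the complete list instead.
PUBLIC_SUFFIXES = frozenset({"com", "gov", "us", "co.us", "uk", "co.uk"})


def _labels(name):
    """Split a DNS name into lower-case labels, ignoring stray dots."""
    return [part for part in (name or "").lower().strip(".").split(".") if part]


def registrable_domain(dns_suffix):
    """Return the part of dns_suffix the organisation actually registered
    (e.g. 'contoso.co.us'), or None if it cannot be determined."""
    labels = _labels(dns_suffix)
    for i in range(len(labels)):
        # The first hit while scanning left to right is the longest suffix.
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else None
    return None


def wpad_candidates(primary_suffix):
    """Names tried for 'wpad' under the modelled devolution behaviour
    (assumption of this example: stop once two labels remain)."""
    labels = _labels(primary_suffix)
    names = []
    while labels:
        names.append("wpad." + ".".join(labels))
        if len(labels) <= 2:
            break
        labels = labels[1:]
    return names


@dataclass
class WpadAudit:
    candidates: list    # every WPAD name the client may query
    outside_org: list   # names not under the organisation's own domain
    mitigations: list   # advisory mitigating factors that apply
    at_risk: bool


def audit_wpad(primary_suffix, *, auto_detect=True, manual_proxy=False,
               trusted_wpad_or_dhcp_proxy=False):
    """Apply the advisory's mitigating factors to one client configuration."""
    candidates = wpad_candidates(primary_suffix)
    org = registrable_domain(primary_suffix)
    # Conservative: if the registered domain is unknown, flag every name.
    outside = [name for name in candidates
               if org is None or not name.endswith("." + org)]

    mitigations = []
    if not candidates:
        mitigations.append("no primary DNS suffix configured")
    if manual_proxy:
        mitigations.append("proxy manually specified in Internet Explorer")
    if not auto_detect:
        mitigations.append("'Automatically Detect Settings' disabled")
    if trusted_wpad_or_dhcp_proxy:
        mitigations.append("trusted WPAD server or proxy set via DHCP/DNS")

    return WpadAudit(candidates, outside, mitigations,
                     at_risk=bool(outside) and not mitigations)


if __name__ == "__main__":
    # Constructed sample configurations using the advisory's example names.
    for suffix in ("corp.contoso.co.us", "contoso.co.us", "contoso.com", ""):
        result = audit_wpad(suffix)
        print(f"{suffix or '(none)':22} at_risk={result.at_risk} "
              f"outside={result.outside_org}")
```

Any name listed in `outside_org` is one the organisation does not control, which is the condition the advisory describes for third-level or deeper domains.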
     
  45. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

  46. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    “Keep Everything Clear of the Doors”

     
  47. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    Cybercrooks lurk in shadows of big-name websites

     
  48. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

  49. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

    From fellow MVP Harry Waldron


    A new version of the Storm Worm is circulating and it invites folks to visit websites that contain malicious agents that can infect your PC. Always avoid suspicious and unexpected email, and please do not follow any of these links. The Storm Worm is one of the most advanced malware attacks circulating and may be difficult to detect or clean from your system.

    New Storm Worm - New Years Theme
    http://isc.sans.org/diary.html?storyid=3784
    http://www.avertlabs.com/research/blog/index.php/2007/12/25/and-a-happy-nuwar/
    http://www.f-secure.com/weblog/archives/00001350.html
    http://blog.trendmicro.com/holidays-proving-stormy/
    http://holisticinfosec.blogspot.com/2007/12/new-years-storm-deja-vu.html

    QUOTE: This version is a New Years-themed e-card directing victims to a malicious website with malware behind it. The message comes in with a number of subjects and body-text. The one line message bodies are also being used as the subject lines.

    Below are examples of email subject lines seen so far:

    A fresh new year
    As the new year...
    As you embrace another new year
    Blasting new year
    Happy 2008!
    Happy New Year!
    It's the new Year
    Joyous new year
    New Hope and New Beginnings
    New Year Ecard
    New Year Postcard
    Opportunities for the new year
    Wishes for the new year
    Happy New Year to You!
    Happy New Year to <email address>
    Lots of greetings on the new year
    New Year wishes for You

    There is also a Christmas e-card version that started circulating on Christmas Eve:

    New Storm Worm - Christmas Theme
    http://www.f-secure.com/weblog/archives/00001349.html
    http://blog.trendmicro.com/here-comes-storm-again/
    http://www.avertlabs.com/research/blog/index.php/2007/12/24/merry-christmas-nuwar-style/
    http://www.symantec.com/enterprise/security_response/weblog/2007/12/is_thatreally_you_santa.html

    QUOTE: It turns out that the Storm gang was going to do a Christmas Malware run after all, they just decided to start it surprisingly late - on Christmas eve itself! This site contains a new version of the Storm Worm. The IP address of the site changes every second. Don't be naughty and go wandering to that domain. Please do not click on the "Download For Free Now" button as it will get you infected. Merry Christmas, y'all!
     
  50. NICK ADSL UK

    NICK ADSL UK MajorGeeks Forum Administrator Staff Member

