Donna's SecurityFlash

Microsoft Security Advisory 972890 Released

donna — Mon, 06 Jul 2009 17:30:25 GMT

From MSRC Team Blog:

I wanted to let you know that we have just posted Microsoft Security Advisory 972890 that discusses new, limited attacks against a Microsoft Video ActiveX Control affecting Windows XP and Windows Server 2003.

Specifically, we’re aware of a code execution vulnerability within this control that can enable an attacker to run code as the logged-on user if they browse to a malicious site.

We have an investigation into this issue under way as part of our Software Security Incident Response Process (SSIRP) and are working to develop a security update to address the issue.

In the meantime, our investigation has shown that there are no by-design uses for this ActiveX Control within Internet Explorer. Therefore, we’re recommending that all customers go ahead and implement the workaround outlined in the Security Advisory: setting all killbits associated with this particular control. While Windows Vista and Windows Server 2008 customers are not affected by this vulnerability, we are recommending that they also set these killbits as a defense-in-depth measure. Once that killbit is set, any attempt by malicious websites to exploit the vulnerability would not succeed.

http://blogs.technet.com/msrc/archive/2009/07/06/microsoft-security-advisory-972890-released.aspx

Note: The advisory page http://www.microsoft.com/technet/security/advisory/972890.mspx is ~~not available at the time of this writing/blogging~~. Please visit the said URL again afterwards. Edit: Advisory page is now live.

The work-around is to set a killbit for CLSID {0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}
http://msmvps.com/blogs/donna/archive/2009/07/06/microsoft-windows-msvidctl-remote-buffer-overflow-vulnerability-0day.aspx

Computer virus hits weather website

donna — Mon, 06 Jul 2009 17:04:01 GMT

Persons tracking Bermuda's online weather forecast on Friday got more than they bargained for.

Users of weather.bm who attempted to look at radar imagery, instead discovered a virus on the official website of the Bermuda Weather Service. Site manager Logic Communications quickly took down the page and removed the virus. A short time later, the site was fully operational again.

http://www.theroyalgazette.com/siftology.royalgazette/Article/article.jsp?articleId=7d9732f3003000a&sectionId=60

Singapore No. 2 ‘black hat’ target

donna — Mon, 06 Jul 2009 17:02:30 GMT

Singapore has been highlighted as one of the world’s leading targets for black hat Web security attacks, in a new research by network security provider Fortinet.

The unified threat management solutions provider has released its June 2009 Threatscape Report, which found that Singapore was ranked the second highest in the world’s top five regions, after the United States, based on detected Web security exploit attempts.

This new research has found significant growth in Web threat traffic, marked by increased volumes of malware and the highest rate of phishing attacks to date.

http://mis-asia.com/news/articles/singapore-no.-2-black-hat-target-fortinet

Twitter Travails: Pranks and Deleted Account Errors

donna — Mon, 06 Jul 2009 16:59:11 GMT

Twitter's "Trending Topics" is a popular feature that allows you to see what are the most popular subjects being discussed on Twitter in real time. Yesterday, amid popular tweets about Wimbledon, Steve McNair, and Harry Potter, one thing seemed to be on everybody's mind: gorilla penis. Highlighting another crack in Twitter security, hackers flooded onto Twitter yesterday to create fake accounts and drive global discussions toward primate anatomy.

Called Operation Sh**ter, the attack was coordinated via a wiki on insurgen.info with specific instructions on how to carry out the prank. The page has since been taken down, but thanks to Google you can still see a cached version of the wiki. Instructions urged like-minded pranksters to sign up for fake accounts on Twitter, and start posting random (read: nonsense) posts with the hashtag ‘#gorillapenis' included in every message. The 4chan instructions also asked users to register eBaum's World as their location in their user profile -- eBaum's World is a hybrid Website with sections for videos, news, user-created blogs, and games.

The hackers behind the ruse were reportedly from 4chan -- an online bulletin board -- as well as other online hacker haunts. But the best known of these groups is 4chan. Members of that site were also linked to the recent YouTube porn prank, as well as the manipulation of Time Magazine's online poll for the 100 most influential people of 2009. It was also suspected that members of 4chan were behind Anonymous, the group responsible for last year's cyberattacks against the Church of Scientology.

Twitter Deletes Regular User Accounts

On the same day as the primate prank, Twitter itself erred by suspending hundreds to possibly thousands of regular user accounts. How the suspensions happened is unclear, but Twitter officially said it was due to "human error." The strange thing is many of the suspended accounts were not exhibiting any of these irregular behaviors. The only recurring factors were that many of the suspended Twitter accounts had at least several thousand followers, and enough of these accounts were using a third-party Twitter application, called Tweetlater, that Twitter had to publicly state the application was "not to blame for these suspensions nor is it in violation of [Twitter's] Terms." As of this writing, most of the unfairly suspended Twitter accounts have been reinstated.

More in http://www.pcworld.com/article/167889/twitter_travails_pranks_and_deleted_account_errors.html

Microsoft Windows MSVidCtl Remote Buffer Overflow Vulnerability (0day)

donna — Mon, 06 Jul 2009 16:51:54 GMT

Title : Microsoft Windows MSVidCtl Remote Buffer Overflow Vulnerability (0day)
VUPEN ID : VUPEN/ADV-2009-1787
CVE ID : GENERIC-MAP-NOMATCH
CWE ID : CWE-119
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2009-07-06

Technical Description: A vulnerability has been identified in Microsoft Windows, which could be exploited by remote attackers to compromise an affected system. This issue is caused by a buffer overflow error in the ActiveX control for streaming video "MSVidCtl.dll" when reading a file containing overly long data, which could be exploited by remote attackers to execute arbitrary code by tricking a user into visiting a specially crafted web page.

Note: This vulnerability is currently being exploited in the wild.

Affected Products: Microsoft Windows XP, Microsoft Windows Server 2003, Microsoft Windows Vista

Solution:
Set a kill bit for the CLSID {0955AC62-BF2E-4CBA-A2B9-A63F772D46CF}.
VUPEN Security is not aware of any vendor-supplied patch.

Credits: Vulnerability discovered in the wild.

ChangeLog: 2009-07-06 : Initial release

http://www.vupen.com/english/advisories/2009/1787

Dell Driver Download Manager & Slipstream'ed Vista SP2

donna — Sun, 05 Jul 2009 17:37:13 GMT

I have problem with Dell’s Driver Download Manager which Dell released earlier this month (see my Rant on Dell Driver Download Manager on my blog). I’m off to fresh install a slipstream’ed Vista SP2. To do’s after doing that are noted on my other blog.

China Testing Mac Version of Green Dam Web Filter

donna — Fri, 03 Jul 2009 20:31:34 GMT

China's Ministry of Industry and Information Technology says the Green Dam mandate has only been delayed. Publisher Jinhui Computer System Engineering is reportedly testing a version of Green Dam for Apple's Mac computers, which have been exempt. Tests found Green Dam to be vulnerable to malware and ineffective, even blocking images of Garfield.

http://www.newsfactor.com/news/Mac-Version-of-Green-Dam-Expected/story.xhtml?story_id=0030006966ZO&full_skip=1

SMS Remote Code Execution Vulnerability in iPhone

donna — Fri, 03 Jul 2009 20:29:33 GMT

Charlie Miller, a well-known security researcher who specializes in Mac and iPhone security, yesterday revealed information about a new vulnerability in iPhone that allows remote code execution via SMS. Not a lot is known about the vulnerability, which was announced at the SyScan conference in Singapore, except that Charlie is working with Apple to get it fixed as soon as possible.

This is about as bad as it gets as the vulnerability seems to allow unsigned code to run which circumvents a core part of iPhone's security model. It's usually only able to run signed code, i.e. Apps that have been approved by Apple. No user-interaction is required which is unlike current mobile malware.

http://www.f-secure.com/weblog/archives/00001714.html

Comodo removed Ask/IAC SafeSurf Toolbar by replacing it with HopSurf/IAC/Ask Toolbar

donna — Fri, 03 Jul 2009 14:45:46 GMT

So Comodo’s promise to remove SafeSurf Toolbar happened but not to finish their agreement with A$k/IAC. Instead, the new version of Comodo is now bundled with HopSurf Toolbar which is IAC/Ask.com too. The installer become worst because there’s no EULA presented in addition to known method of misleading people by offering unnecessary third party service/component in a SECURITY software. Note that it is a security software that should offer clean installer no?

Screenshots at http://www.calendarofupdates.com/updates/index.php?s=&showtopic=19279&view=findpost&p=83848

Their announcement says:

What's New In 3.10.101801.529?
==============================
NEW! COMODO Secure DNS is introduced as a new free service
NEW! COMODO HopSurf Toolbar - COMODO SafeSurf Toolbar has been discontinued and superseded by COMODO HopSurf Toolbar
NEW! CIS now allows the users to change the URL for the program and virus updates
IMPROVED! CIS now has a better support for Windows Security Center integration in Windows Vista SP1 and later
IMPROVED! AV engine now supports more archives and has better detection capabilities
IMPROVED! Direct disk access false alerts have been reduced
FIXED! Some applications do not run when CIS is installed in Vista 64 bit
FIXED! Antivirus scans excluded folders
FIXED! Firewall does not show some connections under high load
FIXED! Firewall sometimes causes the PC to freeze in windows XP 32
FIXED! cfp.exe crashes when HIPS alerts timeout

http://forums.comodo.com/feedbackcommentsannouncementsnews_cis/comodo_internet_security_310101801529_released-t41954.0.html

That NEW! COMODO Secure DNS is introduced as a new free service is from DNSadvantage.com/Neustar, Inc. and again, this NEW! COMODO HopSurf Toolbar - COMODO SafeSurf Toolbar has been discontinued and superseded by COMODO HopSurf Toolbar means you need to agree with (not included EULA in the installer) the EULA in using Ask Toolbar/IAC/Ask.com service. See HopSurf EULA online: https://accounts.comodo.com/hp/management/eula or http://www.hopsurf.com/license.jsp

Sunbelt partners with StopBadware.org

donna — Wed, 01 Jul 2009 18:35:39 GMT

New partner, new site reports
We’re very pleased to announce that, as of today, Sunbelt Software has joined Google as a data partner, providing updated data about badware websites to our Clearinghouse. (See the press release.) Sunbelt’s research director, Eric Howes, has helped us out for a long time as part of our working group, and it’s great to have the company on board in a more formal way. The new data allow us to extend and deepen our analysis of, and insight into, the badware website landscape.

http://blog.stopbadware.org/2009/06/30/new-partner-new-site-reports
http://www.stopbadware.org/home/pr_06302009
http://www.sunbeltsoftware.com/Press/Releases/?id=291

Kaspersky vs Zango

donna — Wed, 01 Jul 2009 18:31:56 GMT

Kaspersky Lab court ruling sets precedent for the anti-malware industry

Kaspersky Lab, a leading developer of secure content management systems, informs that the 9th U.S. Circuit Court of Appeals has ruled in Kaspersky Lab's favor in claims brought by Zango.

In a precedent-setting case for the Internet security industry, the 9th U.S. Circuit Court of Appeals ruled last week that Kaspersky Lab is entitled to immunity under the safe harbor provision of the Communications Decency Act from a suit claiming that its software interfered with the use of downloadable programs by customers of Zango.

The court ruled that Kaspersky Lab, which classified online media company Zango's software as malware and "protected" users from it accordingly, could not be held liable for any actions it took to manufacture and distribute the technical means to restrict Zango software’s access to others, as Kaspersky Lab deemed it “objectionable material.”

Zango sued Kaspersky Lab to force the company to reclassify Zango's programs as nonthreatening and to prevent Kaspersky Lab's security software from blocking Zango's potentially undesirable programs. In a landmark ruling for the anti-malware industry, the 9th U.S. Circuit Court of Appeals affirmed a lower court ruling that Kaspersky Lab is a provider of an “interactive computer service” as defined in the Communications Decency Act of 1996.

The court decision stated: “Kaspersky contends that Zango's software is adware, and possibly spyware. Spyware, which is often installed on a computer without the user's knowledge or consent, covertly monitors the user's activities and exposes the user to the risk that his or her passwords and confidential information may be stolen… As its software qualifies, Kaspersky is entitled to Good Samaritan immunity.”

The ruling protects a consumer’s choice to determine what information and software is allowed on their computing systems, and protects the ability of anti-malware vendors to identify and label software programs that may be potentially unwanted and harmful to computer users. Kaspersky Lab's software is designed to do just that. Users can adjust the settings to allow certain programs of their choice to come through at all times.

http://www.kaspersky.com/news?id=207575851

Congratulations for your MVP Award, Steven Burn

donna — Wed, 01 Jul 2009 16:03:52 GMT

Our friend Steven Burn is now a Microsoft MVP. He received the award today for Consumer Security category in Microsoft MVP Program.

My Congrats to you Steven!

http://www.calendarofupdates.com/updates/index.php?showtopic=21050

Dell published the Windows 7 upgrade program today

donna — Thu, 25 Jun 2009 23:24:52 GMT

http://en.community.dell.com/blogs/direct2dell/archive/2009/06/25/dell-and-the-windows-7-upgrade-program.aspx

Windows Live Messenger 10th Anniversary—next month

donna — Thu, 25 Jun 2009 23:16:03 GMT

Windows Live Messenger Team blogs the 10th anniversary of Windows Live Messenger –> July 22, 2009

The Countdown to the Windows Live Messenger 10th Anniversary begins

Windows Live Messenger blog

My wish: Happy Advanced Anniversary!

My wishlist: Please release a standalone installer of Windows Live Messenger without the need for people to get it one by one: http://messengergeek.spaces.live.com/blog/cns!E3785B1281BBDA1!1723.entry (Thanks to Microsoft MVP Jonathan Kay for the nice work!)

Pre-order Windows 7: 50% discount

donna — Thu, 25 Jun 2009 23:03:20 GMT

Finally, as a way of saying thank you to our loyal Windows customers, we are excited to introduce a special time limited offer! We will offer people in select markets the opportunity to pre-order Windows 7 at a more than 50% discount. In the US, this will mean you can pre-order Windows 7 Home Premium for USD $49.99 or Windows 7 Professional for USD $99.99. You can take advantage of this special offer online via select retail partners such as Best Buy or Amazon, or the online Microsoft Store (in participating markets).

This program begins tomorrow in the U.S., Canada and Japan. The offer ends July 11th in the U.S. and Canada and on July 5th for Japan or while supplies last. Customers in the UK, France and Germany, can pre-order their copy of Windows 7 starting July 15th and will run until August 14th (or supplies last) to ensure folks don’t miss out on this. Act fast if you want to be the first in line to get Windows 7 at this screaming deal! Note: The special low pre-order price will vary per country.

I missed the above message. Thanks to CoU member, Weasel for noting it!

Software add-in with add-on

donna — Thu, 25 Jun 2009 20:10:38 GMT

Many people are not happy to receive a new PC with many crapplications. What they do is they reformat the new hard-drive to fresh install the system or they will use PC Decrapifier to remove the crapplications.

Many of us are not happy to see installers of software that have add-ons. Those add-ons are either third party or from the same vendor that is not always needed to run or operate the program that you want to install. See the growing number of software with add-ons at Calendar of Updates.

Today, I decided to check for updates for Windows (I have it turn off as I check for updates all the time anyway). What WU offered to me is an optional Office Live add-in with add-on!

People have to deal or watch for some much add-ons and add-ins already :(

Microsoft Security Beta 'Sells Out' Within 24 Hours

donna — Thu, 25 Jun 2009 19:33:46 GMT

The beta version of Microsoft 's security software is a hit. The software giant announced Wednesday on its Web site that it had reached the U.S. limit on downloads for Microsoft Security Essentials -- which was only made available Tuesday.

The general release of the free software is expected this fall.

"Alert!" said a posting on the Web page for the security software. "Thank you for your interest in joining the Microsoft Security Essentials Beta. We are not accepting additional participants at this time. Please check back at a later date for possible additional availability."

Limit Reached Within 24 Hours

The beta became available Tuesday morning and reached the limit for the U.S. and Israel within twenty-four hours. Microsoft had said it would allow 75,000 downloads for users in the U.S., Israel and Brazil.

According to news reports , the limit for the U.S. and Israel was reached at about 5 a.m. PDT Wednesday. The limit of 20,000 downloads for Brazilian users hadn't been reached, meaning 55,000 downloads were reserved for U.S. and Israel.

http://www.data-storage-today.com/news/PC-Security-Beta--Sells-Out--Quickly/story.xhtml?story_id=12100BSDE5OU

A dangerous mix: Twitter auto feeds combined with 140,000 followers

donna — Thu, 25 Jun 2009 19:28:39 GMT

It's a dangerous combination: 140,000 followers and a Twitter account that generates its Tweets from other pages via auto feeds. Unknown attackers have exploited the Twitter account of venture capitalist and former Apple evangelist Guy Kawasaki to spread links to malware. The link in a Tweet allegedly lead to sex videos involving American actress and singer-songwriter Leighton Meester: "Leighton Meester sex tape video free download!"

http://www.h-online.com/security/A-dangerous-mix-Twitter-auto-feeds-combined-with-140-000-followers--/news/113617

Leighton Meester sex tape lure spreads Mac and Windows malware to Twitter users
http://www.sophos.com/blogs/gc/g/2009/06/24/leighton

Microsoft Outlines Revenue Recognition for the Windows 7 Upgrade Option Program

donna — Thu, 25 Jun 2009 18:11:32 GMT

Microsoft Corp. today announced the start of the Windows 7 Upgrade Option program enabling consumers and small businesses to receive Windows 7 when they purchase a qualifying Windows Vista personal computer starting June 26, 2009. Under the program, designated PCs pre-installed with premium versions of Windows Vista will qualify for licenses of the equivalent Windows 7 product.

For more details on Windows 7 pricing and offers please see the company's announcement at www.windowsteamblog.com

http://news.prnewswire.com/DisplayReleaseContent.aspx?ACCT=104&STORY=/www/story/06-25-2009/0005050378&EDATE=

http://www.microsoft.com/Presspass/press/2009/jun09/06-25Windows7UpgradeOptionPR.mspx

http://windowsteamblog.com/blogs/windows7/archive/2009/06/25/announcing-the-windows-7-upgrade-option-program-amp-windows-7-pricing-bring-on-ga.aspx

Check out the New Windows 7 Packaging

Microsoft Hohm

donna — Thu, 25 Jun 2009 18:07:03 GMT

Microsoft Corp. today announced Microsoft Hohm, a new online application that enables consumers to better understand their energy usage, get recommendations and start saving money. Microsoft Hohm uses advanced analytics licensed from the Lawrence Berkeley National Laboratory and the U.S. Department of Energy to provide consumers with personalized energy-saving recommendations. Microsoft Hohm is an easy-to-use tool that helps consumers lower their energy bill and reduce their impact on the environment. The beta application is available at no cost to anyone in the United States with an Internet connection and can be accessed directly by visiting http://www.microsoft-hohm.com

http://www.microsoft.com/presspass/press/2009/jun09/06-24EnergyUsagePR.mspx