Donna's SecurityFlash

Malware SPAM: Congratulations!! You have won todays Macbook Air winner.zip

donna — Sat, 07 Nov 2009 04:40:50 GMT

A malicious attachment in today's malware spam is in the wild. The email message is:

Congratulations!! You have won todays Macbook Air.
Please open attached file and see datails.

70% of malware scanners will detect the file. Once executed, the trojan will try to connect to IP address 78.159.121.41

http://www.calendarofupdates.com/updates/index.php?showtopic=24840

Windows 7 sales exceed Vista sales by 234%

donna — Fri, 06 Nov 2009 15:40:05 GMT

It has been quite amazing to watch the global excitement build around Windows 7, especially during a tough economic climate. It was just a few short weeks ago that we learned about Windows 7 outselling the UK's "own" Harry Potter. In Japan, anxious PC users waited in line to be one of the first to get their hands on Windows 7. And just today, according to the NPD groups' weekly tracking service, Windows 7 software unit sales in the U.S. increased 234% over Windows Vista's first few days of sales. "A combination of factors impacted Windows 7 PC sales at the outset, but the trajectory of overall PC sales is very strong leading into the holiday season," said Stephen Baker at NPD.

http://windowsteamblog.com/blogs/windows7/archive/2009/11/05/windows-7-sales-exceed-vista-sales-by-234.aspx

Windows 7 Boxed Software Sales Surpass Vista Launch, According to NPD

Top-Selling Windows 7 SKUs
1. Windows 7 Home Premium Upgrade
2. Windows 7 Pro Upgrade
3. Windows 7 Home Premium Family Pack 3 User Upgrade

http://www.npd.com/press/releases/press_091105a.html

Now get your Windows 7 theme :)

Revamped: MSN Homepage

donna — Fri, 06 Nov 2009 15:33:54 GMT

New Cleaner, Prettier MSN Homepage Revealed

he new, revamped MSN homepage is now live. Updated on Tuesday, November 3rd, this hugely popular internet portal sees 100 hundred million visitors per month who comes to read news, watch videos, and get other local information like events and weather. Yet despite its popularity, the portal has not seen a major overhaul of its design since 2004.

If you’re not a regular visitor to the site, you’ll still be able to tell at a glance that it’s undergone a number of big changes. Nothing has been left untouched – even the butterfly logo has been revamped!The new site opts for a much cleaner look. Gone is the blue background surrounding the white space, replaced by a completely white background instead.

At the top of the site, there’s a Bing search box, followed by topical links underneath taking you to news, entertainment, sports, money, lifestyle, or “more” subsections. On the main page, the lead stories are promoted by large, attention-grabbing images while other news items appear below as links.

Also different is that the site no longer forces you to sign in and custom your settings in order to get local information. Although customization is still an option, Microsoft found that most users weren’t bothering. So now, the site uses geolocation technology to determine your location by IP address. This allows it to deliver local weather and news to the homepage and to the “local edition” sub-site that’s filled exclusively with area news (see link at top right).

However, if you want to see your Hotmail email or Windows Live updates in the homepage modules that sit towards the bottom of the page, you will need to sign in and authenticate yourself using your Windows Live ID.

One of the more interesting updates is the inclusion of Facebook news feeds and Twitter updates, both of which are located as tabs within the Windows Live module. Using Facebook Connect and Twitter OAuth, you can sign into these sites without having to enter your username and password. These new features allow you to keep up-to-date on your social networks right from the homepage. You can also update your status from the homepage, too.

The new homepage is being rolled out over the coming months, but U.S. users can see a preview of it now at preview.msn.com. By the end of the year, 10% of U.S. users will have been switched over. After the U.S. rollout is complete, international markets will follow.

Screenshots in http://on10.net/blogs/sarahintampa/New-Cleaner-Prettier-MSN-Homepage-Revealed/ or http://www.microsoft.com/presspass/press/2009/nov09/11-03NewHomepagePR.mspx

Good but I'm not interested with Facebook and Twitter OAuth that have dark-side

Google Chrome Two Vulnerabilities

donna — Fri, 06 Nov 2009 15:30:19 GMT

Secunia Advisory: SA37273
Release Date: 2009-11-06
Critical: Moderately critical
Impact:
Exposure of system information
Exposure of sensitive information
System access
Where: From remote
Solution Status: Vendor Patch
Software: Google Chrome 3.x

Some vulnerabilities have been reported in Google Chrome, which potentially can be exploited by malicious people to disclose sensitive information or compromise a user's system.

1) The browser fails to display a warning when a user downloads and opens e.g. SVG, MHT, or XML files. This can be exploited to potentially execute arbitrary JavaScript code in a local context and e.g. disclose the content of local files via a specially crafted web page.
2) An error in the Gears SQL API implementation can be exploited to put SQL metadata into a bad state and cause a memory corruption.

Successful exploitation of this vulnerability may allow execution of arbitrary code, but requires that the user allows the interaction of a malicious website with the Gears plugin.
The vulnerabilities are reported in versions prior to 3.0.195.32.

Solution: Update to version 3.0.195.32.

http://secunia.com/advisories/37273/

Controversial email blocklist SORBS sold

donna — Fri, 06 Nov 2009 15:28:32 GMT

GFI confirms purchase of reputation service

GFI Software has confirmed the purchase of sometimes controversial spam blocklist provider SORBS for a reported $451,000.

Spam and Open Relay Blocking System (SORBS) has maintained a list of email servers suspected of sending or relaying spam since 2002. Inefficiencies in its spam blocklist database removal procedure, a controversial fines policy and the aggressive blacklisting of shared IP addresses have drawn criticism even from those also looking to clamp down on junk mail on the internet.

Citing an impending eviction by its University of Queensland web hosts, Australia-based SORBS publicly contemplated either selling or closing the service back in June. In the event the operation continued running as before until October when it found a white knight in the shape of GFI Security, a US based vendor of web and network security and management tools.

http://www.theregister.co.uk/2009/11/06/sorbs_sold/

Apple Mac OS X "ptrace()" DoS Vulnerability

donna — Fri, 06 Nov 2009 15:28:12 GMT

Secunia Advisory: SA37238
Release Date: 2009-11-06
Critical: Not critical
Impact: DoS
Where: Local system
Vendor Solution Status: Unpatched

A vulnerability has been reported in Mac OS X, which can be exploited by malicious, local users to cause a DoS (Denial of Service). The vulnerability is caused due to a race condition within the "ptrace()" implementation, which can be exploited to cause a kernel panic.

The vulnerability is reported in version 10.5.6, 10.5.7, and 10.6.1. Other versions may also be affected.

Solution: Restrict access to trusted users only.

http://secunia.com/advisories/37238/

House Panel Approves Cyber-security Awareness Act

donna — Fri, 06 Nov 2009 15:14:46 GMT

Legislation would mandate that National Institute of Standards and Technology develop a plan to ensure cyber-security coordination within the U.S. government.

A U.S. House subcommittee approved Nov. 4 the Cybersecurity Coordination and Awareness Act, legislation that would require NIST (National Institute of Standards and Technology) to develop and implement a plan to ensure coordination within the U.S. government with regard to the development of international cybersecurity technical standards.

The bill, approved by the the Committee on Science and Technology’s Subcommittee on Technology and Innovation, would also require NIST to develop and implement a cybersecurity awareness and education program and engage in research and development to improve identity management systems.

"Twenty-two years ago, this Committee paved the way for federal cybersecurity efforts with the Computer Security Act of 1987, which charged NIST with developing technical standards to protect non-classified information on federal computer systems and was the first of 13 major laws related to cybersecurity," Subcommittee Chairman David Wu (D-OR), said in a statement.

http://www.eweek.com/c/a/Security/House-Panel-Approves-Cybersecurity-Awareness-Act-899956/

Botnets Tighten Defenses Year After McColo Shutdown

donna — Fri, 06 Nov 2009 15:12:07 GMT

In the roughly 12 months since the McColo shutdown caused a short but dramatic drop in spam, botnet operators have changed tactics to minimize the impact of authorities shutting down their ISPs. Security researchers discussed how with eWEEK.

In the year since the shutdown of notorious Web hosting firm McColo, spammers are growing strong. In fact, researchers at McAfee reported that spam accounted for 92 percent of e-mail in the second quarter of 2009. Part of this is the result of improvements by botnet operators. Like anyone who is successful what they do, the people controlling the most powerful botnets in cyber-space learn from their mistakes.

"McColo affected a couple of main botnets seriously, notably Srizbi which has never recovered and Rustock which took an immediate hit before recovering over time," explained Bradley Anstis, vice president of technical strategy at M86 Security. "One of the immediate changes was the use of hard coded domains in the malware body instead of IP addresses. Before, domains could be changed to different IP addresses to provide a recovery option on their command and control methods."

"In general," he continued, "they have improved the availability and resilience of their command and control servers and in some ways the McColo take down has driven them more underground and forced them to use more different methods, making it harder to detect. Some examples that have already been seen have been the use of Twitter, Google Groups and Facebook."

More in http://www.eweek.com/c/a/Security/Botnets-Tighten-Defenses-Year-After-McColo-Shutdown-613503/

Gov't warns firms about online robberies

donna — Fri, 06 Nov 2009 14:59:49 GMT

Online criminals have used the Automated Clearing House (ACH) system to facilitate the theft of more than $100 million from small and medium businesses, the FBI warned this week.

The attacks typically use social engineering via e-mail messages to install malicious software on the computers of managers responsible for a business's financial transactions. The Trojan horse then transfers money from the firm's account, when the manager signs onto the business's bank account. The FBI has had reports of firms losing hundreds of thousands to millions of dollars, according to an advisory posted on the FBI's Internet Crime Complaint Center (IC3).

"In most cases, the victims' accounts are held at local community banks and credit unions, some of which use third-party service providers to process ACH transactions," the FBI stated. "The bank account holders are often small- to medium-sized businesses across the United States, in addition to court systems, school districts, and other public institutions."

Data indicates that criminals are quickly ramping up their operations. Last month, the FBI estimated that more than $40 million has recently been stolen from firms, according to the Washington Post. In one example, a Silicon Valley construction firm had $447,000 siphoned from its account in 27 separate transactions in a matter of minutes.

http://www.securityfocus.com/brief/1032

Backdoor in top iPhone games stole user data, suit claims

donna — Fri, 06 Nov 2009 14:56:51 GMT

Storm8's iSpy

A maker of some of the most popular games for the iPhone has been surreptitiously collecting users' cell numbers without their permission, according to a federal lawsuit filed Wednesday.

The complaint claims best-selling games made by Storm8 contained secret code that bypassed safeguards built into the iPhone to prevent the unauthorized snooping of user information. The Redwood City, California, company, which claims its games have been downloaded more than 20 million times, has no need to collect the numbers.

"Nonetheless, Storm8 makes use of the 'backdoor' method to access, collect, and transmit the wireless phone numbers of the iPhones on which its games are installed," states the complaint, which was filed in US District Court in Northern California. "Storm8 does so or has done so in all of its games."

Messages left for Storm8 representatives weren't returned.

http://www.theregister.co.uk/2009/11/06/iphone_games_storm8_lawsuit/

Vulnerability in the BlackBerry Desktop Manager allows remote code execution

donna — Fri, 06 Nov 2009 14:52:33 GMT

Research In Motion (RIM) has tested the following software to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected.

Affected product: BlackBerry Desktop Software version 5.0 and earlier (on all platforms)
Non-Affected Software: BlackBerry® Device Software, BlackBerry® Enterprise Server

This advisory relates to a vulnerability in a Lotus Notes Intellisync DLL that the BlackBerry Desktop Manager may use. This vulnerability may allow a malicious user to perform an attack that leverages social engineering to achieve remote code execution on the computer running the BlackBerry Desktop Manager. If the legitimate (logged in) user clicks a link to a malicious web site (for example, in an email message, in a browser, or an instant message) on the computer that is running the BlackBerry Desktop Manager, a vulnerability in an Intellisync component could allow the malicious user who sent the link or created the malicious web site to execute code on the computer using the privileges of the legitimate user.

Note: The affected Lotus Notes Intellisync DLL is included by default in all BlackBerry Desktop Manager installations. This vulnerability exists whether or not the DLL is used after installation.

Issue Severity: This vulnerability has a Common Vulnerability Scoring System (CVSS) score of 9.3.
Issue Status: Vulnerability confirmed. For more information, see the Resolution section.

Resolution
RIM has issued a software update that resolves this issue in BlackBerry Desktop Software version 5.0.1 and later.
Upgrade the BlackBerry Desktop Software

Note: The minimum BlackBerry Desktop Software version you can install to resolve this issue is 5.0.1.

http://www.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB19701 via http://www.us-cert.gov/current/index.html#blackberry_desktop_manager_vulnerability

Postini Technology to Spread Across Google Apps

donna — Fri, 06 Nov 2009 14:48:38 GMT

The Postini technology that lets Google Apps Premier administrators control their e-mail environments by establishing and enforcing usage policies, rules and parameters will be extended to the other applications of the suite.

That way, Apps Premier administrators will gain tighter control over how employees use not only Gmail but also the other suite components, like the word processing, spreadsheet and presentation applications.

When completed, this extension of the Postini security and management capabilities could go a long way toward calming concerns from CIOs and IT managers about using Web-hosted software like Google Apps.

This could in turn boost Google's attempts to lure large organizations to adopt Apps Premier, which, as the suite's most sophisticated version, contains an increasing number of tools and services that these companies require. Apps Premier is the only fee-based edition of the suite, priced at US$50 per user per year.

http://www.pcworld.com/businesscenter/article/181575/postini_technology_to_spread_across_google_apps.html

Kaspersky: Removable media is a major source of infection

donna — Fri, 06 Nov 2009 14:41:26 GMT

Kaspersky Lab presents its monthly malware statistics

From this month onwards, the data used is gathered from all products that use the Kaspersky Security Network (KSN), i.e. products from both the 2009 and 2010 lines. As a result, the Top Twenties have changed somewhat and the figures in both ratings this month are significantly higher, due to an increased numbers of users participating in KSN.

The first Top Twenty lists malicious programs, adware and potentially unwanted programs that were detected and neutralised when accessed for the first time, i.e. by the on-access scanner.

Net-Worm.Win32.Kido.ir, which made its first appearance last month, has replaced the traditional leader, Kido.ih. This demonstrates once again that infected removable media are a major source of infection.

Still on the subject of removable media, Autorun.dui, which appears regularly in the ratings, has been joined by a very similar program, Autorun.awkp that entered in 9th place. These malicious programs, as the name suggests, automatically run malware on removable devices.

http://www.kaspersky.com/news?id=207575954
http://www.kaspersky.com/news?id=207575955

Websense: Media-servers.net Compromised

donna — Fri, 06 Nov 2009 14:37:47 GMT

Websense Security Labs™ ThreatSeeker™ Network has detected that the site media-servers.net has been compromised and injected with malicious code. The Web site belongs to a high-profile advertiser on the Internet realm. It's important to note that media-servers.net serves advertising content from ad.media-servers.net, and that this site is clean. The injected code is part of an ongoing mass injection campaign that compromised thousands of legitimate Web sites. Websense Security labs have been tracking this campaign for months.

The exploits associated with this attack are:

Microsoft DirectShow CVE-2008-0015
Microsoft Snapshot Viewer CVE-2008-2463
Microsoft Data Access Components (MDAC) CVE-2006-0003
AOL ConvertFile() remote buffer overflow exploit

There is also an autoloading malicious PDF file that holds the next vulnerabilites:

Adobe Reader and Acrobat 8.1.1 buffer overflow CVE-2007-5659
Adobe Acrobat and Reader 8.1.2 buffer overflow CVE-2008-2992

If the user's browser is successfully exploited, a malicious file is downloaded and run in the user's Windows home directory from another collaborated exploit site. The malicious file (SHA1: 6776489a0ed889fbabb317763c7c913fdc782631) has an extremely low AV detection rate at the time the file was checked.

http://securitylabs.websense.com/content/Alerts/3500.aspx

Gumblar malware is active again

donna — Fri, 06 Nov 2009 14:32:00 GMT

Malware hijacks Google searches to infect PCs

ScanSafe researchers are seeing renewed activity regarding Gumblar, a multifunctional piece of malware that spreads by attacking PCs visiting hacked Web pages. Gumblar can steal FTP credentials as well as hijack Google searches, replacing results on infected computers with links to other malicious sites.

When the Gumblar malware was found in March, it looked for instructions on a server at gumblar.cn. That domain was taken offline at the time, but has been reactivated within the last 24 hours, wrote Mary Landesman, a senior security researcher with ScanSafe, on a company blog.

Websites that are infected with Gumblar contain an iframe, which is a way to bring content from one Web site into another. Malware writers usually make those iframes invisible. When a victim visits the site, the iframe will launch a series of exploits hosted on a remote computer to try and hack the visiting machine.

http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?newsid=17487

56pc wireless networks open to hackers

donna — Fri, 06 Nov 2009 14:27:40 GMT

Over half (56pc) of wireless networks in Dublin, Cork and Limerick are vulnerable to attackers, according to the latest wireless vulnerability assessment by Deloitte.

This means that over half of the 6545 networks that were scanned across the three cities are not protected against attacks on their information, exposing sensitive personal or business data to unauthorised users.

The findings of the assessment, which was expanded this year to include Cork and Limerick, has shown that once again the use of wireless encryption to protect wireless networks remains poor. The 56pc of networks found to be vulnerable used either no encryption to protect communications (19pc), or weak encryption which can be trivially broken in a matter of minutes by hackers (36pc).

By analysing those networks that can be identified as either residential or business networks (i.e. excluding public networks), it was found that the incidence of unsecured wireless network drops to 46pc. In addition, further analysis of the business and residential networks reveals that Limerick has the most secure wireless landscape (at 62pc) compared to Dublin and Cork (54pc and 53pc respectively). The survey shows that the level of wireless security in Dublin has remained consistent with last year, when 54pc of connections were also found to be insecure in the capital city.

http://www.businessworld.ie/livenews.htm?a=2506719

Another Firefox browser update

donna — Thu, 05 Nov 2009 23:11:03 GMT

A new build of Firefox v3.5 is available.

Version 3.5.5 fixes several stability issues.

Release note here. Download it Mozilla site or use its built-in updater.

Microsoft Security Bulletin Advance Notification for Nov. 2009

donna — Thu, 05 Nov 2009 22:20:55 GMT

On November 10, 2009, Microsoft is planning to release six (6) security bulletins affecting Windows and Office products.

More info:
http://www.microsoft.com/technet/security/bulletin/ms09-nov.mspx
http://blogs.technet.com/msrc/archive/2009/11/05/november-2009-bulletin-release-advance-notification.aspx

New Facebook malware promises to reveal identities in a users 'Honesty Box'

donna — Thu, 05 Nov 2009 15:14:12 GMT

Warnings have been made about a new Facebook attack that promises to display hidden messages.

An application on the social networking site, named ‘Honesty Box', allows users to send and receive ‘anonymous messages and discover what people really think of you' with all of the users friends and network members allowed to write in it.

Part of the selling point is that the messages are anonymous. The application writers claim that they ‘will never reveal who sent messages on Honesty Box, unless, in our sole judgment, the content of a message violates our Terms of Use and/or Privacy Policy'.

However Christopher Boyd, director of research at FaceTime security labs claimed that a group of individuals are spamming a fake program to the walls of unsuspecting Facebook users, which promises to reveal who left them messages in their Honesty Box.

More in http://www.scmagazineuk.com/New-Facebook-malware-promises-to-reveal-identities-in-a-users-Honesty-Box/article/157102/?

Twitter fanatic glimpses dark side of OAuth

donna — Thu, 05 Nov 2009 15:09:59 GMT

'Secure' authentication can be anything but

A mobile enthusiast and professional internet strategist got a glimpse of OAuth's dark side recently when he received an urgent advisory from Twitter.

The dispatch, generated when Terence Eden tried to log in, said his Twitter account may have been compromised and advised he change his password. After making sure the alert was legitimate, he complied. That should have been the end of it, but it wasn't. It turns out Eden used OAuth to seamlessly pass content between third-party websites and Twitter, and even after he had changed his Twitter password, OAuth continued to allow those websites access to his account.

"Unless you revoke these tokens when you change your password, a malicious user will still have access to your twitter account," said Eden, who tackles customer usability issues for a large telecommunications company. "Twitter doesn't make that wonderfully clear."

In theory, OAuth is supposed to enhance security by eliminating the need to share Twitter login credentials with other sites. The problem is that the tokens the service uses to authenticate users have to be manually reset.

http://www.theregister.co.uk/2009/11/04/oauth_dark_side/