Websense Security Labs™ ThreatSeeker™ Network has detected that the Fox Sports site has been compromised and injected with malicious code. Fox Sports is a division of the Fox Broadcasting Company. It specializes in the latest sports news and world sports updates. Fox Sports has an Alexa ranking of 330.

Alert Details

Posted Wed, Dec 30 2009 7:56 by Don

A distributed denial-of-service (DDoS) attack on a major DNS service provider caused a brief hiccup in online shopping last week at some of the Web's biggest online destinations.

UltraDNS, which counts such giants as Amazon and Wal-Mart among its customers, was DDoS'd after business hours on Dec. 23, according to Amazon Web Services and other reports from victims and news outlets.

Story continues at darkreading.com

Posted Tue, Dec 29 2009 13:07 by Don

Issued: December 21, 2009

Summary

The following bulletin has undergone a minor revision increment.

* MS09-058 - Important

Bulletin Information:

* MS09-058 - Important

- http://www.microsoft.com/technet/security/bulletin/ms09-058.mspx
- Reason for Revision: V1.1 (December 21, 2009): Added a link to
Microsoft Knowledge Base Article 971486 under Known Issues in
the Executive Summary.
- Originally posted: October 13, 2009
- Updated: December 21, 2009
- Bulletin Severity Rating: Important
- Version: 1.1

Chances are you know someone who has been hit by Koobface, one of the first successful social networking worms. But there are many faces to Koobface, and many ways its authors make money from it.

New research from Trend Micro details how Koobface's creators monetize the worm through scareware or fake antivirus, click fraud, information-stealing malware, and online dating services. "Unlike in the past when we always thought of malware as one piece of malware, like Melissa or Lovebug, in today's world Koobface is an ongoing criminal enterprise using hundreds and thousands of pieces of code," says David Perry, global director of education for Trend Micro. "That makes it more difficult to describe to the public at large. It's not just one file."

Continues at darkreading.com

Posted Tue, Dec 22 2009 7:47 by Don

Top Internet security suite products scored high when detecting zero-day attacks during a three-month period, according to new data released today from independent German lab AV-Test, with Symantec and Kaspersky Lab finding 98 and 97.5 percent, respectively.

AV-Test tested 10 zero-day threats during a three-month period on Windows XP SP3 machines running Symantec Norton Internet Security 2010, Kaspersky Internet Security 2010, PC Tools Internet Security 2010, AVG Internet Security 9.0, G Data Internet Security 2010, Panda Internet Security 2010, Avira Premium Security Suite 9.0, McAfee Internet Security 2010, CA Internet Security 2010, F-Secure Internet Security 2010, BitDefender Internet Security 2010, and Trend Micro Internet Security 2010.

AVG caught 92.2 percent of the threats, followed by G Data, 90 percent; Panda, 90 percent; Avira, 87.7 percent; McAfee, 87.2 percent; CA, 86.7 percent; F-Secure, 85.8 percent; BitDefender, 84.3 percent; and Trend Micro, 83.3 percent.

Story continues at darkreading.com

Posted Fri, Dec 18 2009 6:02 by Don

Issued: December 16, 2009

Summary


The following bulletin has undergone a minor revision increment.

* MS09-037 - Critical

Bulletin Information:

* MS09-037 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-037.mspx
- Reason for Revision: V2.1 (December 16, 2009): Added a link to
Microsoft Knowledge Base Article 973908 under Known Issues in
the Executive Summary.
- Originally posted: August 11, 2009
- Updated: December 16, 2009
- Bulletin Severity Rating: Critical
- Version: 2.1

Get it at http://www.mozilla.com/en-US/firefox/all.html

What’s New in Firefox 3.5.6

Firefox 3.5.6 fixes the following issues:

    • Fixed several security issues.
    • Fixed several stability issues.
Posted Wed, Dec 16 2009 8:13 by Don

US-CERT Reports:

Adobe has stated that they are investigating public reports of a vulnerability affecting Adobe Reader and Acrobat. Public reports indicate that exploitation of this vulnerability may occur when a user opens a specially crafted PDF file. Exploitation of this vulnerability may result in arbitrary code execution. Public reports currently indicate active exploitation of this vulnerability.

US-CERT encourages users and administrators to do the following to help mitigate the risks until the vendor is able to provide an update:

  • Review the Adobe blog entry regarding this issue.
  • Use caution when opening PDF files from untrusted sources.
  • Disable JavaScript in Adobe Acrobat and Reader. To do this, click "Edit," then "Preferences" and then "JavaScript," and uncheck "Enable Acrobat JavaScript."

US-CERT will provide additional information as it becomes available.


Posted Tue, Dec 15 2009 18:11 by Don

Online attacks against databases have taken off in the past 18 months, according to data released by IBM’s X-Force security team.

In May 2008, IBM’s customers encountered about 2,500 SQL injection attacks every day. By midsummer 2009, the technology giant’s products were seeing 600,000 database attacks per day on average, said Tom Cross, a security researcher at IBM. The attacks attempt to inject legitimate structured query language (SQL) commands into whichever database software runs a particular Web site.

http://www.securityfocus.com/brief/1048

Posted Tue, Dec 15 2009 8:02 by Don

The FBI warned consumers today about an ongoing threat involving pop-up security messages that appear while they are on the Internet. The messages may contain a virus that could harm your computer, cause costly repairs or, even worse, lead to identity theft. The messages contain scareware, fake or rogue anti-virus software that looks authentic.

Press Release

Posted Tue, Dec 15 2009 7:59 by Don

Issued: December 9, 2009

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS09-073 - Important
* MS09-072 - Critical
* MS09-071 - Critical
* MS09-070 - Important
* MS09-058 - Important
* MS08-037 - Important

Bulletin Information:

* MS09-073 - Important

- http://www.microsoft.com/technet/security/bulletin/ms09-073.mspx
- Reason for Revision: V1.1 (December 9, 2009): Removed a redundant
entry for the Microsoft Office Compatibility Pack from the
non-affected software table. Also corrected several
deployment reference tables to clarify that in some cases,
this update does not require a restart. This is an
informational change only.
- Originally posted: December 8, 2009
- Updated: December 9, 2009
- Bulletin Severity Rating: Important
- Version: 1.1

* MS09-072 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-072.mspx
- Reason for Revision: V1.1 (December 9, 2009): Corrected a
reference to Microsoft Knowledge Base Article 976749 in the
section, Frequently Asked Questions (FAQ) Related to This
Security Update. Also corrected, in the Security Update
Deployment section, the registry key for verification of the
update for Internet Explorer 7 for all supported x64-based
editions of Windows XP.
- Originally posted: December 8, 2009
- Updated: December 9, 2009
- Bulletin Severity Rating: Critical
- Version: 1.1

* MS09-071 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-071.mspx
- Reason for Revision: V1.1 (December 9, 2009): Added an entry to
the Frequently Asked Questions (FAQ) Related to This Security
Update section to explain this revision. This is an
informational change only.
- Originally posted: December 8, 2009
- Updated: December 9, 2009
- Bulletin Severity Rating: Critical
- Version: 1.1

* MS09-070 - Important

- http://www.microsoft.com/technet/security/bulletin/ms09-070.mspx
- Reason for Revision: V1.1 (December 9, 2009): Corrected the SMS
2.0 and SMS 2003 with SUIT entries for Windows Server 2003
x64 Edition Service Pack 2 in the SMS table. This is an
information change only.
- Originally posted: December 8, 2009
- Updated: December 9, 2009
- Bulletin Severity Rating: Important
- Version: 1.1

* MS09-058 - Important

- http://www.microsoft.com/technet/security/bulletin/ms09-058.mspx
- Reason for Revision: V1.1 (December 9, 2009): Added a link to
Microsoft Knowledge Base Article 971486 under Known Issues in
the Executive Summary.
- Originally posted: October 13, 2009
- Updated: December 9, 2009
- Bulletin Severity Rating: Important
- Version: 1.1

* MS08-037 - Important

- http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx
- Reason for Revision: V3.1 (December 9, 2009): Corrected the
registry key verification and removal information in the
reference table for the DNS client on Microsoft Windows 2000
Service Pack 4 (KB951748). This is an informational change only.
- Originally posted: July 8, 2008
- Updated: December 9, 2009
- Bulletin Severity Rating: Important
- Version: 3.1

Issued: December 8, 2009

Summary

The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS08-037 - Important

Bulletin Information:

* MS08-037 - Important

- http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx
- Reason for Revision: V3.0 (December 8, 2009): Updated to
communicate the rerelease of the security update for the DNS
client on Microsoft Windows 2000 Service Pack 4 (KB951748).
Also corrected the bulletin replacement information for this
update. Customers who have previously installed this update
need to reinstall the automatically reoffered update. No
other updates are affected by this rerelease.
- Originally posted: July 8, 2008
- Updated: December 8, 2009
- Bulletin Severity Rating: Important
- Version: 3.0

Issued: December 8, 2009

Security Advisories Updated or Released Today

* Microsoft Security Advisory (977981)
- Title: Vulnerability in Internet Explorer Could
Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/977981.mspx
- Revision Note: V2.0 (December 8, 2009): Advisory updated to
reflect publication of security bulletin.

* Microsoft Security Advisory (974926)
- Title: Credential Relaying Attacks on Integrated
Windows Authentication
- http://www.microsoft.com/technet/security/advisory/974926.mspx
- Revision Note: V1.0 (December 8, 2009): Advisory published.

* Microsoft Security Advisory (973811)
- Title: Extended Protection for Authentication
- http://www.microsoft.com/technet/security/advisory/973811.mspx
- Revision Note: V1.2 (December 8, 2009): Updated the FAQ
with information about three non-security updates relating to
Windows HTTP Services, HTTP Protocol Stack, and Internet
Information Services.

* Microsoft Security Advisory (954157)
- Title: Security Enhancements for the Indeo Codec
- http://www.microsoft.com/technet/security/advisory/954157.mspx
- Revision Note: V1.0 (December 8, 2009): Advisory published.

Language(s): English.
Product(s): Security.
Audience(s): IT Generalist.
Duration: 90 Minutes
Start Date: Wednesday, December 09, 2009 11:00 AM Pacific Time (US & Canada)

Event Overview

Join us for a brief overview of the technical details of the December security bulletins. We intend to address your concerns in this webcast; therefore, most of the webcast is devoted to attendees asking questions about the bulletins and getting answers from Microsoft security experts.

Presenters: Jerry Bryant, Senior Security Program Manager Lead, Microsoft Corporation and Adrian Stone, Senior Security Program Manager Lead, Microsoft Corporation

Register Online

Posted Tue, Dec 8 2009 13:55 by Don

Note: There may be latency issues due to replication. If the page does not display, keep refreshing.

Today Microsoft released the following Security Bulletin(s).

Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.

Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.

Bulletin Summary:

»www.microsoft.com/technet/securi···dec.mspx

Critical (3)

Microsoft Security Bulletin MS09-071
Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution (974318)
»www.microsoft.com/technet/securi···071.mspx

Microsoft Security Bulletin MS09-074
Vulnerability in Microsoft Office Project Could Allow Remote Code Execution (967183)
»www.microsoft.com/technet/securi···074.mspx

Microsoft Security Bulletin MS09-072
Cumulative Security Update for Internet Explorer (976325)
»www.microsoft.com/technet/securi···072.mspx

Important (3)

Microsoft Security Bulletin MS09-069
Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (974392)
»www.microsoft.com/technet/securi···069.mspx

Microsoft Security Bulletin MS09-070
Vulnerabilities in Active Directory Federation Services Could Allow Remote Code Execution (971726)
»www.microsoft.com/technet/securi···070.mspx

Microsoft Security Bulletin MS09-073
Vulnerability in WordPad and Office Text Converters Could Allow Remote Code Execution (975539)
»www.microsoft.com/technet/securi···073.mspx

Please note that Microsoft may release bulletins outside of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation after reading the above listed bulletin, you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.

As always, download the updates only from the vendor's website: visit the Windows Update, Office Update or Microsoft Update websites. You may also get the updates through the Automatic Updates functionality in Windows.

Security Tool
Find out if you are missing important Microsoft product updates by using MBSA.

Release date: December 3, 2009

Vulnerability identifier: APSB09-19

Platform: All Platforms

Summary

Adobe is planning to release an update for Adobe Flash Player 10.0.32.18 and earlier versions, and an update to Adobe AIR 1.5.2 and earlier versions, to resolve critical security issues. Adobe expects to make these updates available on December 8, 2009.

Security Bulletin


Microsoft Security Bulletin Advance Notification issued: December 3, 2009

This is an advance notification of security bulletins that Microsoft is intending to release on December 8, 2009

3 Rated Critical and 3 Rated Important

http://www.microsoft.com/technet/security/bulletin/ms09-dec.mspx

Issued: December 2, 2009

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS09-046 - Critical

Bulletin Information:

* MS09-046 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-046.mspx
- Reason for Revision: V1.2 (December 2, 2009): Added a link to
Microsoft Knowledge Base Article 956844 under Known Issues in
the Executive Summary.
- Originally posted: September 8, 2009
- Updated: December 2, 2009
- Bulletin Severity Rating: Critical
- Version: 1.2

US-CERT reports

US-CERT is aware of public reports of a malware campaign circulating. This campaign is circulating via email messages offering information regarding the H1N1 vaccination. These email messages contain a link to a bogus Centers for Disease Control and Prevention website. Users who click on this link may become infected with malware. Public reports indicate that these email messages are noted as having subject lines such as: "Governmental registration program on the H1N1 vaccination" and "Your personal vaccination profile." Please note that subject lines may change at any time.

US-CERT encourages users to take the following precautions to help mitigate the risks:

  • Install antivirus software, and keep the signature files up to date.
  • Do not follow unsolicited links and do not open unsolicited email messages.
  • Use caution when visiting untrusted websites.
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
  • Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on avoiding social engineering attacks.
Posted Wed, Dec 2 2009 13:38 by Don

Websense Security Labs™ ThreatSeeker™ Network has discovered that the Koobface malware campaign is now using a Christmas theme. Recent developments by Koobface have included use of Google Reader.

The Koobface Web site offers a video posted by 'SantA'. The usual ruse of requiring a codec to watch the video is used, to encourage the user to install and run a file called setup.exe (SHA1:a2046fc88ab82abec89e150b915ab4b332af924a). This file is currently detected by 16 out of 41 antivirus products according to VirusTotal.

On the compromised Facebook page the user is presented with a link to ch[removed]cher.ch which is a compromised site in Switzerland. The user is redirected to one of several Koobface Web sites through a malicious Flash movie file hosted on the compromised site. If the user runs the infected file, the worm will automatically login to their Facebook, Myspace, and several other social networking sites and send messages to all their friends.

Alert Details

Posted Tue, Dec 1 2009 8:58 by Don