Websense Security Labs™ ThreatSeeker™ Network has detected yet another new Waledac campaign theme in the wild. The new variant uses an Independence Day theme as a social engineering mechanism. The United States of America celebrates Independence Day on July 4 each year.

The malicious emails that are sent use subjects and content related to Independence Day, Fourth of July and fireworks shows.

The malicious Web sites in the current attack also have a July 4 or fireworks theme within the domain name. ThreatSeeker has been monitoring the registration of these domains. Should the user click on the video, which is designed to appear to be a YouTube video, an .exe is offered. When downloaded the .exe would install the latest Waledac variant onto the user's machine.

Alert Details

Posted Fri, Jul 3 2009 15:31 by Don | with no comments

Issued: July 1, 2009

Summary

The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS03-011
* MS02-069
* MS02-052
* MS02-013
* MS00-081
* MS00-075
* MS00-059
* MS00-011
* MS99-045
* MS99-031

Bulletin Information:

* MS03-011

- http://www.microsoft.com/technet/security/bulletin/ms03-011.mspx
- Reason for Revision: V2.0 (July 1, 2009): Removed download
information because Microsoft Java Virtual Machine is no
longer available for distribution from Microsoft. For more
information, see Patch availability.
- Originally posted:
- Updated: July 1, 2009
- Bulletin Severity Rating: Critical
- Version: 2.0

* MS02-069

- http://www.microsoft.com/technet/security/bulletin/ms02-069.mspx
- Reason for Revision: V2.0 (July 1, 2009): Removed download
information because Microsoft Java Virtual Machine is no
longer available for distribution from Microsoft. For more
information, see Patch availability.
- Originally posted:
- Updated: July 1, 2009
- Bulletin Severity Rating: Critical
- Version: 2.0

* MS02-052

- http://www.microsoft.com/technet/security/bulletin/ms02-052.mspx
- Reason for Revision: V2.0 (July 1, 2009): Removed download
information because Microsoft Java Virtual Machine is no
longer available for distribution from Microsoft. For more
information, see Patch availability.
- Originally posted:
- Updated: July 1, 2009
- Bulletin Severity Rating: Critical
- Version: 2.0

* MS02-013

- http://www.microsoft.com/technet/security/bulletin/ms02-013.mspx
- Reason for Revision: V3.0 (July 1, 2009): Removed download
information because Microsoft Java Virtual Machine is no
longer available for distribution from Microsoft. For more
information, see Patch availability.
- Originally posted:
- Updated: July 1, 2009
- Bulletin Severity Rating: Critical
- Version: 3.0

* (MS00-081)

- http://www.microsoft.com/technet/security/bulletin/ms00-081.mspx
- Reason for Revision: V2.0 (July 1, 2009): Removed download
information because Microsoft Java Virtual Machine is no
longer available for distribution from Microsoft. For more
information, see Patch availability.
- Originally posted:
- Updated: July 1, 2009
- Bulletin Severity Rating:
- Version: 2.0

* (MS00-075)

- http://www.microsoft.com/technet/security/bulletin/ms00-075.mspx
- Reason for Revision: V2.0 (July 1, 2009): Removed download
information because Microsoft Java Virtual Machine is no
longer available for distribution from Microsoft. For more
information, see Patch availability.
- Originally posted:
- Updated: July 1, 2009
- Bulletin Severity Rating:
- Version: 2.0

* (MS00-059)

- http://www.microsoft.com/technet/security/bulletin/ms00-059.mspx
- Reason for Revision: V2.0 (July 1, 2009): Removed download
information because Microsoft Java Virtual Machine is no
longer available for distribution from Microsoft. For more
information, see Patch availability.
- Originally posted:
- Updated: July 1, 2009
- Bulletin Severity Rating:
- Version: 2.0

* (MS00-011)

- http://www.microsoft.com/technet/security/bulletin/ms00-011.mspx
- Reason for Revision: V3.0 (July 1, 2009): Removed download
information because Microsoft Java Virtual Machine is no
longer available for distribution from Microsoft. For more
information, see Patch Availability.
- Originally posted:
- Updated: July 1, 2009
- Bulletin Severity Rating:
- Version: 3.0

* (MS99-045)

- http://www.microsoft.com/technet/security/bulletin/ms99-045.mspx
- Reason for Revision: V3.0 (July 1, 2009): Removed download
information because Microsoft Java Virtual Machine is no
longer available for distribution from Microsoft. For more
information, see Patch Availability.
- Originally posted:
- Updated: July 1, 2009
- Bulletin Severity Rating:
- Version: 3.0

* (MS99-031)

- http://www.microsoft.com/technet/security/bulletin/ms99-031.mspx
- Reason for Revision: V3.0 (July 1, 2009): Removed download
information because Microsoft Java Virtual Machine is no
longer available for distribution from Microsoft. For more
information, see New Version Availability.
- Originally posted:
- Updated: July 1, 2009
- Bulletin Severity Rating:
- Version: 3.0

What’s New in Firefox 3.5:

Firefox 3.5 makes surfing the Web easier and more enjoyable with exciting new features and platform updates that allow Web developers to create the next generation of Web content. Native support for open video and audio, private browsing, and support for the newest Web technologies will enable richer, more interactive online experiences.

Performance. Firefox 3.5 includes the powerful new TraceMonkey JavaScript engine, which delivers unprecedented performance with today’s complex Web applications. Firefox 3.5 is more than two times faster than Firefox 3 and ten times faster than Firefox 2.

Open Video and Audio. Enjoy video and audio content from within your browser, without the need for plugins. Video is a vital part of the modern Web, whether it’s used to communicate, educate, or entertain. Firefox 3.5 delivers the first native integration of audio and video directly into the browser. Now everyone can easily watch open format Ogg Theora videos.

Web developers can use these technologies to design pages that interact with video content in new and exciting ways, offering richer interactive experiences beyond controlling playback and volume.

Privacy Controls. Firefox 3.5 includes features designed to protect your privacy online and provide greater control over your personal data.

While using the new Private Browsing mode in Firefox 3.5, nothing you encounter on the Web will be stored from that moment on during your browsing session. Unique to Firefox 3.5, the new Forget this Site feature can remove every trace of a site from your browser. If you want to remove all private data or activity from the past few hours, Clear Recent History, another Firefox-only feature, gives you full control over what stays and what goes.

Location Aware Browsing. Location Aware Browsing saves you time by allowing websites to ask you where you are located. If you choose to share your location with a website, it can use that information to find nearby points of interest and return additional, useful data like maps of your area. It’s all optional – Firefox doesn’t share your location without your permission.

http://www.mozilla.com/en-US/press/mozilla-2009-06-30.html

Posted Tue, Jun 30 2009 14:06 by Don | with no comments

Websense Security Labs™ ThreatSeeker™ Network has discovered spam emails offering recipients links to unpublished videos and pictures of singer Michael Jackson. According to news reports Michael Jackson's death was confirmed yesterday.

The spam email appears to offer a link to a YouTube video, but instead sends the recipient to a Trojan Downloader hosted on a compromised Web site. The file offered is called Michael.Jackson.videos.scr (MD5: 664cb28ef710e35dc5b7539eb633abca). This file is located on a legitimate Web site hosted in Australia belonging to a radio broadcasting station. Upon executing the file, a legitimate Web site at http://musica.uol.com.br/ultnot/2009/06/25/michael-jackson.jhtm is opened by the default browser in order to distract the user by presenting a news article for them to read.

In the background, three further information-stealing components are downloaded and installed by the malware. One of the downloaded files is called michael.gif, which has low AV detection rates - see VT results here. The malware then installs a malicious BHO that is registered with this file %windir%\Dynamic.dll and this GUID {FCADDC14-BD46-408A-9842-CDBE1C6D37EB}. Another component is bound to startup at %windir%\system32\kproces.exe. Another malicious file installed by the malware is %windir%\system32\fotos.exe.

Alert Details

Posted Fri, Jun 26 2009 9:27 by Don | with no comments

Summary

A critical vulnerability has been identified in Adobe Shockwave Player 11.5.0.596 and earlier versions. An attacker who successfully exploits this vulnerability could take control of the affected system. Adobe has provided a solution for the reported vulnerability. It is recommended that users update their installations using the instructions provided below.

Affected software versions

Shockwave Player 11.5.0.596 and earlier versions

Solution

Adobe recommends Shockwave Player users on Windows uninstall Shockwave version 11.5.0.596 and earlier on their systems, restart, and install Shockwave version 11.5.0.600, available here: http://get.adobe.com/shockwave/

Adobe security bulletin APSB09-08

Websense Security Labs™ ThreatSeeker™ Network has discovered that the Web site of Fort William Mountain Bike World Cup 2009 has been hijacked by attackers, and redirects users to rogue AV sites if they visit the site through well-known search engines such as Google, Yahoo, and MSN.

This site has been injected by the Nine-Ball malicious code twice this month. Now, the injected code has been cleaned but system control has been lost without the administrator's knowledge. Once the attackers gained system control, they likely made small changes to the configuration of the Web server to redirect any visitors to rogue AV Web sites if arriving at the site via search engines. We would like to remind Web masters that a full examination of the whole system is necessary after removing code injections.
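One way to start the full examination recommended above, added here as an example that is not part of the Websense alert. The alert does not name the Web server or the setting that was changed, so the code assumes Apache mod_rewrite directives (for example in an .htaccess file); the function name, sample configuration and hostnames are constructed placeholders.

```python
from urllib.parse import urlparse

# Search engines named in the alert.
SEARCH_ENGINES = ("google", "yahoo", "msn")

# Constructed sample configuration; the .test/.invalid hostnames are
# placeholders, not indicators taken from the alert.
SAMPLE_HTACCESS = r"""
RewriteEngine On
# legitimate canonical-host rule
RewriteCond %{HTTP_HOST} ^example-race\.test$ [NC]
RewriteRule ^(.*)$ http://www.example-race.test/$1 [R=301,L]

RewriteCond %{HTTP_REFERER} .*google.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.* [NC]
RewriteRule ^(.*)$ http://rogue-av.invalid/scan/ [R=302,L]
"""


def find_referer_redirects(config_text, own_hosts):
    """Report RewriteRules that send search-engine referrals to a foreign host.

    own_hosts is the set of hostnames the site legitimately redirects to.
    """
    own = {h.lower() for h in own_hosts}
    findings = []
    pending = []  # RewriteCond entries that apply to the next RewriteRule
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond" and len(parts) >= 3:
            pending.append((parts[1], parts[2]))  # (test string, pattern)
        elif directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
            # Engines mentioned in Referer conditions guarding this rule.
            engines = sorted({
                engine
                for test, pattern in pending
                if "http_referer" in test.lower()
                for engine in SEARCH_ENGINES
                if engine in pattern.lower()
            })
            host = (urlparse(target).hostname or "").lower()
            # Flag only absolute targets on a host the site does not own.
            if engines and host and host not in own:
                findings.append({
                    "rule_line": lineno,
                    "engines": engines,
                    "target_host": host,
                })
            pending = []  # conditions are consumed by the rule they precede
    return findings


if __name__ == "__main__":
    site_hosts = {"example-race.test", "www.example-race.test"}
    for hit in find_referer_redirects(SAMPLE_HTACCESS, site_hosts):
        print("line %(rule_line)d: referrals from %(engines)s "
              "redirected to %(target_host)s" % hit)
```

A clean result from a check like this covers only one persistence mechanism; server-level configuration, scheduled jobs and account changes still need review, as the alert advises.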

Alert Details

Posted Wed, Jun 24 2009 8:44 by Don | with no comments

SUMMARY

Here is detailed information about the vulnerabilities:

  1. Fixed a problem related to a negative stream offset (in a malicious JPEG2000 stream) which caused data to be read from an out-of-bounds address. We have added guard code to solve this issue.
  2. Fixed a problem related to error handling when decoding the JPEG2000 header: an uncaught fatal error resulted in a subsequent invalid address access. We added error handling code to terminate the decoding process.

http://www.foxitsoftware.com/pdf/reader/security.htm#0602

Posted Wed, Jun 24 2009 4:53 by Don | with no comments

Issued: June 17, 2009

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS09-022 - Critical
* MS09-021 - Critical
* MS09-020 - Important
* MS09-018 - Critical
* MS09-010 - Critical

Bulletin Information:

* MS09-022 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-022.mspx
- Reason for Revision: V1.1 (June 17, 2009): Added "Disable the
Print Spooler service" as workaround for CVE-2009-0230.
- Originally posted: June 9, 2009
- Updated: June 17, 2009
- Bulletin Severity Rating: Critical
- Version: 1.1

* MS09-021 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-021.mspx
- Reason for Revision: V1.1 (June 17, 2009): Added a link to
Microsoft Knowledge Base Article 969462 under Known Issues in
the Executive Summary.
- Originally posted: June 9, 2009
- Updated: June 17, 2009
- Bulletin Severity Rating: Critical
- Version: 1.1

* MS09-020 - Important

- http://www.microsoft.com/technet/security/bulletin/ms09-020.mspx
- Reason for Revision: V1.1 (June 17, 2009): Expanded on the "What
causes the vulnerability?" FAQ entries for CVE-2009-1122 and
CVE-2009-1535. This is an informational change only.
- Originally posted: June 9, 2009
- Updated: June 17, 2009
- Bulletin Severity Rating: Important
- Version: 1.1

* MS09-018 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-018.mspx
- Reason for Revision: V1.1 (June 17, 2009): Listed Microsoft
Windows 2000 Professional Service Pack 4, all supported
editions of Windows Vista, and all supported versions of
Windows Server 2008 for Itanium-based Systems as non-affected
software. Also, clarified which ports are used by the Global
Catalog server in the Block TCP ports workaround for
CVE-2009-1139. This is an informational change only.
- Originally posted: June 9, 2009
- Updated: June 17, 2009
- Bulletin Severity Rating: Critical
- Version: 1.1

* MS09-010 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-010.mspx
- Reason for Revision: V1.3 (June 17, 2009): Corrected bulletin
replacement for the Microsoft Office Converter Pack
(KB960476) update package. This is an informational change
only. Customers who have already successfully installed the
update do not need to reinstall.
- Originally posted: April 14, 2009
- Updated: June 17, 2009
- Bulletin Severity Rating: Critical
- Version: 1.3

Issued: June 17, 2009

Security Advisories Updated or Released Today

* Microsoft Security Advisory (969898)
- Title: Update Rollup for ActiveX Kill Bits
- http://www.microsoft.com/technet/security/advisory/969898.mspx
- Revision Note: V1.1 (June 17, 2009): Added an entry to
Frequently Asked Questions to communicate that for the
purpose of automatic updating, this update does not replace
the Cumulative Security Update of ActiveX Kill Bits (950760)
that is described in Microsoft Security Bulletin MS08-032.

* Microsoft Security Advisory (960715)
- Title: Update Rollup for ActiveX Kill Bits
- http://www.microsoft.com/technet/security/advisory/960715.mspx
- Revision Note: V1.2 (June 17, 2009): Added an entry to
Frequently Asked Questions to communicate that for the
purpose of automatic updating, this update does not replace
the Cumulative Security Update of ActiveX Kill Bits (950760)
that is described in Microsoft Security Bulletin MS08-032.

* Microsoft Security Advisory (956391)
- Title: Update Rollup for ActiveX Kill Bits
- http://www.microsoft.com/technet/security/advisory/956391.mspx
- Revision Note: V1.3 (June 17, 2009): Added an entry to
Frequently Asked Questions to communicate that for the
purpose of automatic updating, this update does not replace
the Cumulative Security Update of ActiveX Kill Bits (950760)
that is described in Microsoft Security Bulletin MS08-032.

Websense Security Labs™ ThreatSeeker™ Network has detected another large mass injection attack in the wild after the Beladen and Gumblar attacks. We are calling this mass compromise Nine-Ball because of the final landing site. We have been tracking the Nine-Ball mass compromise since 6/03/2009. To date, over 40,000 legitimate Web sites have been compromised with obfuscated code that leads to a multi-level redirection attack, ending in a series of drive-by exploits that if successful install a trojan downloader on the user's machine.

Alert Details

Posted Tue, Jun 16 2009 16:13 by Don | with no comments

Fixed in Firefox 3.0.11

MFSA 2009-32 JavaScript chrome privilege escalation
MFSA 2009-31 XUL scripts bypass content-policy checks
MFSA 2009-30 Incorrect principal set for file: resources loaded via location bar
MFSA 2009-29 Arbitrary code execution using event listeners attached to an element whose owner document is null
MFSA 2009-28 Race condition while accessing the private data of a NPObject JS wrapper class object
MFSA 2009-27 SSL tampering via non-200 responses to proxy CONNECT requests
MFSA 2009-26 Arbitrary domain cookie access by local file: resources
MFSA 2009-25 URL spoofing with invalid unicode characters
MFSA 2009-24 Crashes with evidence of memory corruption (rv:1.9.0.11)

Posted Thu, Jun 11 2009 18:16 by Don | with no comments

Issued: June 9, 2009

Security Advisories Updated or Released Today

* Microsoft Security Advisory (971888)
- Title: Update for DNS Devolution
- http://www.microsoft.com/technet/security/advisory/971888.mspx
- Revision Note: Advisory published.


* Microsoft Security Advisory (971492)
- Title: Vulnerability in Internet Information
Services Could Allow Elevation of Privilege
- http://www.microsoft.com/technet/security/advisory/971492.mspx
- Revision Note: V2.0 (June 9, 2009): Advisory updated to
reflect publication of security bulletin.


* Microsoft Security Advisory (969898)
- Title: Update Rollup for ActiveX Kill Bits
- http://www.microsoft.com/technet/security/advisory/969898.mspx
- Revision Note: Advisory published.


* Microsoft Security Advisory (945713)
- Title: Vulnerability in Web Proxy Auto-Discovery
(WPAD) Could Allow Information Disclosure
- http://www.microsoft.com/technet/security/advisory/945713.mspx
- Revision Note: V2.0 (June 9, 2009): Advisory updated to
reflect publication of security bulletin MS09-008 and
Microsoft Security Advisory 971888.

Event Overview

On June 10, 2009, Microsoft releases its monthly security bulletins. Join us for a brief overview of the technical details of the June bulletins. We intend to address your concerns in this webcast; therefore, most of the webcast is devoted to attendees asking questions about the bulletins and getting answers from Microsoft security experts.

Presenters: Adrian Stone, Senior Security Program Manager Lead, Microsoft Corporation and Christopher Budd, Security Response Communications Lead, Microsoft Corporation

Register Online

Posted Tue, Jun 9 2009 14:24 by Don | with no comments

Published: January 11, 2005 | Updated: June 9, 2009

New Additions

We have added detection and cleaning capabilities for the following malicious software:

InternetAntivirus

See the complete list of malicious software cleaned by this tool.

http://www.microsoft.com/security/malwareremove/default.mspx

Posted Tue, Jun 9 2009 14:17 by Don | with no comments

Note: There may be latency issues due to replication. If the page does not display, keep refreshing.

Today Microsoft released the following Security Bulletin(s).

Note: »www.microsoft.com/technet/security and »www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.

Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.

Bulletin Summary:

»www.microsoft.com/technet/securi···jun.mspx

Critical (6)

Microsoft Security Bulletin MS09-018
Vulnerabilities in Active Directory Could Allow Remote Code Execution (971055)
»www.microsoft.com/technet/securi···018.mspx

Microsoft Security Bulletin MS09-022
Vulnerabilities in Windows Print Spooler Could Allow Remote Code Execution (961501)
»www.microsoft.com/technet/securi···022.mspx

Microsoft Security Bulletin MS09-019
Cumulative Security Update for Internet Explorer (969897)
»www.microsoft.com/technet/securi···019.mspx

Microsoft Security Bulletin MS09-027
Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (969514)
»www.microsoft.com/technet/securi···027.mspx

Microsoft Security Bulletin MS09-021
Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (969462)
»www.microsoft.com/technet/securi···021.mspx

Microsoft Security Bulletin MS09-024
Vulnerability in Microsoft Works Converters Could Allow Remote Code Execution (957632)
»www.microsoft.com/technet/securi···024.mspx

Important (3)

Microsoft Security Bulletin MS09-026
Vulnerability in RPC Could Allow Elevation of Privilege (970238)
»www.microsoft.com/technet/securi···026.mspx

Microsoft Security Bulletin MS09-025
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (968537)
»www.microsoft.com/technet/securi···025.mspx

Microsoft Security Bulletin MS09-020
Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483)
»www.microsoft.com/technet/securi···020.mspx

Moderate (1)

Microsoft Security Bulletin MS09-023
Vulnerability in Windows Search Could Allow Information Disclosure (963093)
»www.microsoft.com/technet/securi···023.mspx

Please note that Microsoft may release bulletins outside of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety 1-866-727-2338. International customers should contact their local subsidiary.

As always, download the updates only from the vendor's website: visit the Windows Update, Office Update or Microsoft Update websites. You may also get the updates through the Automatic Updates functionality in Windows.

Security Tool
Find out if you are missing important Microsoft product updates by using MBSA.

Adobe expects to deliver security updates for Adobe Reader and Acrobat versions 7.x, 8.x, and 9.x for Windows and Macintosh on Tuesday, June 9. This is the first quarterly security update for Adobe Reader and Acrobat as described in our May 20 blog post, and incorporates the initial output of code hardening efforts.

Adobe considers this a critical update and recommends users be prepared to apply the update for their product installations. Details of where to download updates will be posted to Adobe’s Security Bulletins and Advisories support page on June 9.

Details regarding security updates for the UNIX platform will be communicated when available.

This posting is provided “AS IS” with no warranties and confers no rights.

http://blogs.adobe.com/psirt/2009/06/adobe_security_bulletin_advanc.html

Microsoft has issued a Security Bulletin Advance Notification for June for bulletins to be released on Tuesday, June 9.  Microsoft will be releasing a total of 10 security bulletins consisting of the following:

6 updates affecting Windows. Two Critical, three Important, and one Moderate.

1 Critical update affecting Internet Explorer.

1 Critical update affecting Word.

1 Critical update affecting Excel.

1 Critical update affecting Office.

http://www.microsoft.com/technet/security/bulletin/ms09-jun.mspx

Apple has released iTunes 8.2 and QuickTime 7.6.2 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users to review Apple articles HT3592 and HT3591 and apply any necessary updates to help mitigate the risks.

http://www.us-cert.gov/current/index.html#apple_releases_itunes_8_2

Posted Tue, Jun 2 2009 11:28 by Don | with no comments

REDMOND, Wash. — May 28, 2009 — Microsoft Corp. today unveiled Bing, a new Decision Engine and consumer brand, providing customers with a first step in moving beyond search to help make faster, more informed decisions. Bing is specifically designed to build on the benefits of today’s search engines but begins to move beyond this experience with a new approach to user experience and intuitive tools to help customers make better decisions, focusing initially on four key vertical areas: making a purchase decision, planning a trip, researching a health condition or finding a local business.

The result of this new approach is an important beginning for a new and more powerful kind of search service, which Microsoft is calling a Decision Engine, designed to empower people to gain insight and knowledge from the Web, moving more quickly to important decisions. The new service, located at http://www.Bing.com, will begin to roll out over the coming days and will be fully deployed worldwide on Wednesday, June 3.

The explosive growth of online content has continued unabated, and Bing was developed as a tool to help people more easily navigate through the information overload that has come to characterize many of today’s search experiences. Results from a custom comScore Inc. study across core search engines show that as many as 30 percent of searches are abandoned without a satisfactory result. The data also showed that approximately two-thirds of the remaining searches required a refinement or requery on the search results page.

“Today, search engines do a decent job of helping people navigate the Web and find information, but they don’t do a very good job of enabling people to use the information they find,” said Steve Ballmer, Microsoft CEO. “When we set out to build Bing, we grounded ourselves in a deep understanding of how people really want to use the Web. Bing is an important first step forward in our long-term effort to deliver innovations in search that enable people to find information quickly and use the information they’ve found to accomplish tasks and make smart decisions.”

Press Release

Posted Fri, May 29 2009 14:08 by Don | with no comments

VMware has released a security advisory to address multiple vulnerabilities in VMware Workstation, Player, ACE, Server, Fusion, ESX, and ESXi. The first of these vulnerabilities is due to an error in the VMware Descheduled Time Accounting driver. Exploitation of this vulnerability may result in denial of service in Windows-based virtual machines. The second vulnerability is due to a known error in the libpng package used by some VMware products. Exploitation of this vulnerability may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review the VMware security advisory and apply any necessary updates to help mitigate the risks.

http://www.us-cert.gov/current/index.html#vmware_releases_security_advisory2
