March 2007 - Posts

Spammers are hijacking legitimate Web sites to disguise their traffic and throw off anti-spam and anti-virus filters.

Security company Sophos, Inc. issued an advisory Thursday morning, warning IT managers and Web masters that spammers have a new trick up their sleeves. Using PHP vulnerabilities, they are hacking into various Web sites and patching their own traffic through them.

Story continues at informationweek.com 

Posted Thu, Mar 29 2007 15:46 by Don | with no comments

Issued: March 29, 2007

Security Advisories Updated or Released Today

 * Microsoft Security Advisory (935423)
  - Title: Vulnerability in Windows Animated Cursor Handling
  - Revision Note: Advisory revised to add additional information
    regarding Outlook 2007 in the Mitigations Section. The
    Workarounds Section also updated to clarify impact and use of
    plain text email on Windows Mail and Outlook Express.   

Support:

Technical support resources can be found at:
http://go.microsoft.com/fwlink/?LinkId=21131

Description:
Sun Microsystems has acknowledged some vulnerabilities in StarOffice, which can be exploited by malicious people to compromise a user's system.

For more information:
SA24588

The vulnerabilities affect StarOffice / StarSuite versions 6, 7, and 8.

Solution:
Do not open untrusted documents.

The vendor is currently working on fixes.

http://secunia.com/advisories/24646/ 

A Los Angeles publisher of online lifestyle and entertainment magazines has inadvertently exposed the personal e-mail addresses and passwords for hundreds of its subscribers, InformationWeek has learned.

The victims are all members of sites operated by Splash Magazines Worldwide, which publishes local versions of its magazines under URLs like NYCSplash.com and LASplash.com.

The list of e-mail addresses and passwords for members' Gmail, Hotmail, Yahoo, and other accounts would turn up in the results of unrelated Google searches Monday if those searches happened to contain at least two keywords that matched the names of Splash members. InformationWeek confirmed that the security hole was still open as of 4 p.m. Monday.

Story continues at informationweek.com 

Posted Tue, Mar 27 2007 9:03 by Don | with no comments

Mozilla's security chief has stepped into the debate about the disclosure of security bugs by saying that software developers are at the mercy of bug hunters.

Mozilla security chief Window Snyder called on security researchers to follow responsible disclosure guidelines, giving vendors a reasonable amount of time to fix bugs before making them public. As things stand, bug hunters have the whip hand, she argued.

http://www.theregister.com/2007/03/26/mozilla_full_disclosure/ 

Posted Mon, Mar 26 2007 9:10 by Don | with no comments

Online players of the video game Omerta have more than the rival gangsters in the computer game to worry about. According to anti-spyware vendor Sunbelt Software, of Clearwater, Fla., cyber-thieves have been spreading spyware disguised as software from Omerta Game Ltd.

Sunbelt Software President Alex Eckelberry warned users to be wary of any software for the game that's not from Omerta. Attackers are trying to trick users into downloading a piece of malware called ProAgent that captures and logs keystrokes on a computer, he said.

http://www.physorg.com/news93873805.html 

Posted Sat, Mar 24 2007 7:13 by Don | with no comments

Researchers at Oxford have built an x86 emulator that runs purely on Java, making it ideal for security researchers who want to analyze and archive viruses, host honeypots and defend themselves against buggy or malicious software without hosing their machines. The JPC also emulates a host of other environments, giving technophiles the ability to play Asteroids and other software that's sat on shelves for years collecting dust.

http://www.theregister.com/2007/03/23/java_emulator/ 

Posted Sat, Mar 24 2007 6:28 by Don | with no comments

Websense Security Labs™ has discovered a new set of the Warezov/Stration malicious code. This new code is currently spreading through the Skype network. Although the code itself is not self-propagating, when it runs, a URL is sent to all users within the user's Contacts List.

This attack appears to be the same as the version mentioned on the F-Secure Blog on Feb 27th,
http://www.f-secure.com/weblog/archives/archive-022007.html#00001126,
but with new URL information and a new version of the malicious code.

Skype users receive a message that says "Check up this," with a URL containing a hyperlink. When users click on the link, they are redirected to a site that is hosting a file named file_01.exe. Users are prompted to run the file (note: there is no vulnerability within Skype). If the user runs the file, several other files are downloaded and run.

http://www.websense.com/securitylabs/alerts/alert.php?AlertID=757 

Posted Thu, Mar 22 2007 15:40 by Don | with no comments

Mozilla Corp. yesterday took the unusual step of patching a single vulnerability in its Firefox browser, but it will resume regular multiple-fix security updates with the next release, which is slated to debut before April 24.

Firefox 2.0.0.3 and Firefox 1.5.0.11 -- Mozilla currently supports two branches of the open-source application -- both fix a single flaw, according to the release notes posted on the company's Web site.

Mozilla said that the patched bug, though rated as a low threat, could be used by attackers to run a rudimentary port scan of systems within the same perimeter as the victimized machine. The attacker, however, would have to craft a malicious Web site and host it on an FTP server and then con users into visiting the page.

ComputerWorld 

Posted Wed, Mar 21 2007 10:04 by Don | with no comments

The little lock icon that appears on a Web browser window frame when a secure connection exists between a browser and a Web server may be lulling users into a false sense of security.

The reality is that secure connections, in which data is encrypted using Secure Sockets Layer (SSL) technology before being transmitted over the Web, are increasingly being used to hide and spread malicious code, according to a report from security vendor Kaspersky Labs.

The issue is certainly not new. Security analysts have long warned about the possibility of hackers exploiting encrypted SSL connections to sneak viruses and other malicious code past firewalls, antivirus software and intrusion detection systems. But what's lending greater urgency to the issue now is the widespread use of SSL communications by banks, retailers, e-commerce sites and e-mail providers on the Internet, said Shane Coursen, a senior technical consultant at Kaspersky.

ComputerWorld 

Posted Tue, Mar 20 2007 5:36 by Don | with no comments

Google doesn't sell ad space on its famously white search page. Nonetheless, Cingular Wireless and Travelocity ads appeared on Google.com last month, without Google's consent, thanks to spyware.

In January, Cingular, Priceline, and Travelocity agreed to pay fines and reform their advertising practices, in accordance with an agreement made with New York State Attorney General Andrew Cuomo to hold advertisers responsible for the behavior of advertising affiliates.

"Advertisers can no longer insulate themselves from liability by turning a blind eye to how their advertisements are delivered, or by placing ads through intermediaries, such as media buyers," Cuomo said in announcing the settlement.

InformationWeek 

Posted Tue, Mar 20 2007 5:33 by Don | with no comments

A security researcher has documented malware that uses a vulnerability in Apple's QuickTime movie player to make a computer download and run a JavaScript. A MySpace account promoting a French music group is exploiting the flaw to siphon information about users visiting the page and send it to a remote server.

The perpetrators pull off the feat by embedding into their page an invisible QuickTime video that uses one JavaScript to download and execute a second JavaScript. It's this second script that acts as the spyware, according to the researcher, Didier Stevens, who documents his findings here.

http://www.theregister.com/2007/03/16/myspace_quicktime_exploit/ 

Posted Sun, Mar 18 2007 4:28 by Don | with no comments

Members of the U.S. House of Representatives' Subcommittee on Commerce, Trade and Consumer Protection today heard a chorus of support from various industry representatives for a proposed new spyware bill.

But that support was tempered with calls for caution by some who fear the bill, without some modifications, could harm Internet advertisers.

The bill, dubbed the Securely Protect Yourself Against Cyber Trespass Act (Spy Act), is sponsored by Rep. Edolphus Towns (D-N.Y.) and would make it unlawful to install software that gathers information, monitors usage, serves up advertisements or modifies browser and other settings on a computer without explicit user consent. Violations would be treated as unfair or deceptive trade practices subject to enforcement action by the U.S. Federal Trade Commission (FTC). The bill also allows fines of up to $3 million for some types of violations.

Computerworld 

Posted Fri, Mar 16 2007 5:07 by Don | with no comments

After a month-long public comment period, the Anti-Spyware Coalition released final working reports of both the Best Practices and Conflict Resolution documents on March 15, 2007.  Both documents are now available from the Documents page.

http://www.antispywarecoalition.org/documents/ 

Posted Thu, Mar 15 2007 17:04 by Don | with no comments

Websense® Security Labs™ has received reports of new malicious Web sites designed to install Trojan horse and password-stealing malicious code. The Web sites are hosted in China and attempt to exploit several Microsoft® vulnerabilities to download and install a Trojan downloader without end-user interaction.

Among the sites is a popular Chinese book store hosted on Myrice. All sites appear to have been compromised.

There are three IFRAMEs that are loaded:

http://www.<removed>.com/aafs.asp
http://www.<removed>.com/a/Ms.html
http://www.<removed>.com/a/index.htm

Upon visiting the sites, users who are not patched for the vulnerabilities from Microsoft will have exploit code run on their machine without user interaction. The file is loaded from http://<removed>.com/author3/70/OpenIe.Exe and is designed to capture keystrokes in order to steal information from the user.

http://www.websense.com/securitylabs/alerts/alert.php?AlertID=752 

Posted Thu, Mar 15 2007 15:10 by Don | with no comments

Websense Security Labs™ has received reports of new, malicious Web sites which are designed to install Trojan horses. The Web sites are hosted in Korea and Hong Kong. The sites attempt to exploit the Microsoft AdoDB / XML HTTP (MS06-014) vulnerability to download and install a Trojan downloader without end-user interaction.

Users receive an email, written in German, requesting that they visit a Web site to verify their order number. Upon visiting the site, the malicious code is automatically downloaded and run, assuming the user is not patched for the Microsoft vulnerability.

http://www.websense.com/securitylabs/alerts/alert.php?AlertID=751 

Posted Thu, Mar 15 2007 15:09 by Don | with no comments

Antivirus specialist Trend Micro on Wednesday said it has acquired HijackThis, a tool used to remove spyware from Windows PCs.

HijackThis is a free tool developed by Dutch student Merijn Bellekom. The tool is mostly used by technical users to pinpoint spyware infections on Windows machines and help remove them. It has been downloaded more than 10 million times, according to Trend Micro.

Continues at news.com.com 

Posted Thu, Mar 15 2007 13:27 by Don | with no comments

In a victory for privacy activists, Google Inc. will start making its records about users' searches anonymous after 18 to 24 months under a policy announced Wednesday.

Until now, the dominant search company has indefinitely retained a log of every search, with identifiers that can associate it with a particular computer. The new policy, to be implemented within the next year, is intended to better protect users' privacy, two executives wrote in a Google Blog entry posted Wednesday.

Computerworld 

Posted Thu, Mar 15 2007 5:35 by Don | with no comments

A vulnerability in the way OpenBSD handles IPv6 data packets exposes systems running the traditionally secure open-source operating system to serious attack.

A memory corruption vulnerability exists in the OpenBSD code that handles IPv6 packets, Core Security Technologies said in an alert published Tuesday. Exploiting the flaw could let an attacker commandeer a vulnerable system, according to Core, which said it discovered the issue and crafted sample exploit code.

Continues at news.com.com 

Posted Thu, Mar 15 2007 5:32 by Don | with no comments

This Friday Trend Micro will open public beta testing for their new TrendProtect browser add-in. TrendProtect integrates with Internet Explorer or Firefox and helps users avoid visiting unsafe sites. Where McAfee's SiteAdvisor has a single rating for an entire site, TrendProtect analyzes individual pages. Like CallingID, it looks at the domain's owner and history to get a reputation score. And like LinkScanner Pro, it analyzes the content of the page to catch any exploits or malicious code. TrendProtect and the newly-acquired HijackThis are both elements of Trend Micro's TrendSecure initiative, which offers free security help and utilities to all.

Story continues at security.ithub.com

Posted Wed, Mar 14 2007 8:22 by Don | with no comments