April 2007 - Posts

Description:
Marsu has discovered a vulnerability in various Adobe Products, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error within the PNG.8BI Photoshop Format Plugin when handling PNG files. This can be exploited to cause a stack-based buffer overflow via a specially crafted PNG file.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in Adobe Photoshop CS2 and Adobe Photoshop Elements (Editor) version 5.0 for Windows and reportedly affects Adobe Photoshop CS3.

Solution:
Do not open untrusted PNG files.

http://secunia.com/advisories/25044/ 

Posted Mon, Apr 30 2007 14:04 by Don | with no comments

Google has removed paid links that advertised seemingly legitimate Web sites but actually tried to install nefarious programs on PCs.

The links were displayed as "sponsored links" after visitors entered specific queries into Google's search service. Clicking the links would ultimately go to a legitimate site, but by way of another site that attempted a "drive-by installation" of password-stealing software. Miscreants placed the links using Google's AdWords service for advertisers.

Continues at news.com.com 

Posted Sat, Apr 28 2007 4:36 by Don | with no comments

Issued: April 27, 2007

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS07-021
  * MS07-012

Bulletin Information:

MS07-021

  - Reason for Revision: Updated File Information Section for Windows
    XP Service Pack 2 and Windows Vista  
  - Originally posted: April 10, 2007
  - Updated: April 26, 2007
  - Bulletin Severity Rating: Critical
  - Version: 1.1
    
MS07-012

  - Reason for Revision: Bulletin Updated: additional clarification
    addresses customers who are developing applications that
    statically link to the redistributed files replaced by the
    Visual Studio update. Microsoft SQL Server 2000 has also been
    added to the "Non-Affected Software" list.
  - Originally posted: February 13, 2007
  - Updated: April 26, 2007
  - Bulletin Severity Rating: Important
  - Version: 1.2
        
Support:

Technical support resources can be found at:
http://go.microsoft.com/fwlink/?LinkId=21131

Description:
A vulnerability and a security issue have been reported in various Symantec products, which can be exploited by malicious, local users to disclose sensitive information, cause a DoS (Denial of Service), and gain escalated privileges.

1) Scheduled backups to remote network shares save login credentials for remote shares in the application directory with insecure permissions (read access for everyone).

2) An unspecified error can be exploited to cause a buffer overflow, which can lead to a DoS or execution of arbitrary code with SYSTEM privileges.

The vulnerability and the security issue are reported in the following products and versions:
* Norton Ghost 10.0 and 10.01
* Norton Ghost for Norton System Works 10.0
* Norton Ghost for Dell 10.0
* Norton Save & Recovery 11.0, 11.01, and 11.01B
* Norton Save & Recovery for Norton System Works 2007 1.01B
* Norton Save & Recovery Sony Euro 1.01
* LiveState Recovery 6.0, 6.01, and 6.02
* BackupExec System Recovery 6.5, 6.52, 6.52A, and 6.53

Solution:
Update to the latest version via LiveUpdate.

http://secunia.com/advisories/25013/ 

Posted Fri, Apr 27 2007 5:15 by Don | with no comments

A $1 billion lawsuit filed today promises to open up a new front in the battle against spam: It targets not just spammers, but -- for the first time -- also those responsible for harvesting e-mail addresses on behalf of spammers.

The lawsuit, filed in the U.S. District Court in Alexandria, Va., is one of the largest of its kind and is being filed on behalf of Project Honey Pot members in over 100 countries. Project Honey Pot is a service provided by Park City, Utah-based anti-spam company Unspam Technologies Inc.

"If you've harvested e-mail addresses or sent spam in the last two years, chances are you're on our radar screen and we're coming after you," a note posted on the Project Honey Pot Web site said today.

ComputerWorld 

 

Posted Thu, Apr 26 2007 17:22 by Don | with no comments

Outspoken author and security guru Bruce Schneier has questioned the very existence of the security industry, suggesting it merely indicates the willingness of other technology companies to ship insecure software and hardware.

Speaking this week at Infosecurity Europe 2007, a leading trade show for the security industry, Schneier said, "the fact this show even exists is a problem. You should not have to come to this show ever."

Story at news.com.com 

Posted Thu, Apr 26 2007 15:39 by Don | with no comments

Versions of Cisco Network Services (CNS) NetFlow Collection Engine (NFC) prior to 6.0 create and use default accounts with identical usernames and passwords. An attacker with knowledge of these accounts can modify the application configuration and, in certain instances, gain user access to the host operating system.

The upgrade to NFC version 6.0 is not a free upgrade. This default password issue does not require a software upgrade and can be changed by a configuration command for all affected customers. The workaround detailed in this document demonstrates how to change the passwords in 5.0.

http://www.cisco.com/warp/public/707/cisco-sa-20070425-nfc.shtml
 

Posted Thu, Apr 26 2007 15:21 by Don | with no comments

Spammers have decided to kill two birds with one spam: The stock-touting e-mail messages regularly sent out by spam-focused bot nets have started to include links to malicious code, according to a report published Wednesday by e-mail security firm MessageLabs.

The criminal groups responsible for the spam appear to believe that recipients of the e-mail may click on a Web link, even if they don't buy the stock touted by the e-mail message. In the past 10 days, MessageLabs has only detected about 3,500 of the messages, so the spammers may be testing the waters to see how often the scam works, said Mark Sunner, chief technology officer for the company.

http://www.securityfocus.com/brief/489 

 

Posted Wed, Apr 25 2007 15:58 by Don | with no comments

Mozilla Corp. yesterday extended support for its 17-month-old Firefox 1.5.0.x browser until mid-May, citing the need to roll out a patch that will automatically update users to the newer 2.0 version before it pulls the support plug.

Even that date looks iffy, however, according to information posted to Mozilla development wikis.

The company had earlier said that yesterday would be the termination date for Firefox 1.5.x support -- meaning it would issue no new security updates after that. But when it released version 1.5.11 last month, Mozilla hinted that the final security fix would not make that deadline.

ComputerWorld 

 

Posted Wed, Apr 25 2007 13:03 by Don | with no comments

Description:
A vulnerability has been reported in Apple QuickTime, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an unspecified error within the Java handling in QuickTime. This can be exploited to execute arbitrary code when a user visits a malicious web site using a Java-enabled browser e.g. Safari or Firefox.

The vulnerability is reported on a Mac OS X system using Safari and Firefox. Other browsers and platforms may also be affected.

http://secunia.com/advisories/25011/ 

Posted Tue, Apr 24 2007 5:23 by Don | with no comments

Apple on Thursday issued a security update for Mac OS X that addresses 25 security flaws in the operating system software.

The security update affects various parts of the operating system, including some third-party components such as the Kerberos authentication technology. The most serious of the vulnerabilities could allow an attacker to gain complete control over an unpatched Mac, Apple said in a security advisory.

Continues at news.com.com 

Posted Fri, Apr 20 2007 6:11 by Don | with no comments

Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution.

Published: April 12, 2007 | Updated: April 19, 2007

Microsoft is investigating new public reports of attacks exploiting a vulnerability in the Domain Name System (DNS) Server Service in Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. Microsoft Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not affected as these versions do not contain the vulnerable code.

Microsoft’s initial investigation reveals that the attempts to exploit this vulnerability could allow an attacker to run code in the security context of the Domain Name System Server Service, which by default runs as Local SYSTEM. Our ongoing monitoring indicates that we are seeing new attacks to exploit the vulnerability by the Win32/Siveras bot family. Windows Live Safety Scanner and Windows Live OneCare can be used to detect currently known malware types that are attempting to exploit the vulnerability. Microsoft continues to strongly urge customers to deploy the registry workaround identified below to comprehensively mitigate all attempts to exploit the vulnerability through the various identified ports and authentication requirements.

Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Customers who believe they are affected can contact Product Support Services. Contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1-866-PCSAFETY). International customers can use any method found at this location: http://support.microsoft.com/security

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

http://www.microsoft.com/technet/security/advisory/935964.mspx 

Keep your computer and wallet safe with these free security apps for every platform. Check out this comprehensive list at IT Security. You're sure to find something to add to your security tool kit.

You'll find applications for:

Spyware
Antivirus
Rootkit
Firewall
Email
Web Utility
Network
Intrusion Detection System
Virtual Private Network
Temporary Files
Wireless
Encryption
Miscellaneous 

Posted Thu, Apr 19 2007 7:34 by Don | with no comments

Complexity in rootkits is growing at a phenomenal rate, allowing malicious software to burrow deep and potentially go undetected inside Microsoft's Windows platform, according to a security report released Wednesday by McAfee.

Rootkits--malicious software that operates in a stealth fashion by hiding its files, processes and registry keys--have grown over the past five years from 27 components to 2,400, according to McAfee's Rootkits Part 2: A Technical Primer (PDF).

Story continues at news.com.com

Posted Thu, Apr 19 2007 4:51 by Don | with no comments

In recent years, US-CERT has received reports of an increased number of phishing sites set up in the wake of tragedies and natural disasters. US-CERT reminds users to remain cautious when receiving unsolicited email that could be a potential phishing attempt.

Phishing emails may appear as requests for donations from a charitable organization asking the users to click on a link that will then take them to a fraudulent web site that appears to be a legitimate charity. The users are then asked to provide personal information that can further expose them to future compromises.

Users are encouraged to take the following measures to protect themselves from this type of phishing attack:

  • Do not follow unsolicited web links received in email messages.
  • Contact your financial institution immediately if you believe your account and/or financial information has been compromised.
  • Verify the legitimacy of the email by contacting the company directly through a trusted contact number.
  • Visit the Anti-Phishing Working Group for more information on known phishing attacks.

For additional information regarding phishing, US-CERT recommends reading the following documents:

  1. Technical Trends in Phishing Attacks
  2. Recognizing and Avoiding Email Scams
  3. Avoiding Social Engineering and Phishing Attacks

Posted Wed, Apr 18 2007 8:54 by Don | with no comments

Finjan Software Inc. today joined the ranks of vendors offering free site security-ranking services by unveiling SecureBrowsing, a plug-in for Internet Explorer and Firefox that warns users of risky Web sites.

The browser plug-in scans each link in the results generated by the search engines from Google Inc., Yahoo Inc. and Microsoft Corp. in real time, then ranks the URLs so users can decide whether to click through. The scans, said Finjan, examine all the dynamic code components of the page and detect potentially malicious code hosted on sites with a behavior-based scanner rather than relying on blacklists.

ComputerWorld 

Posted Tue, Apr 17 2007 16:02 by Don | with no comments

Description:
A vulnerability has been reported in the Wizz RSS News Reader extension for Mozilla Firefox, which can be exploited by malicious people to compromise a vulnerable system.

Certain input is not properly sanitised before being used and can be exploited to e.g. execute arbitrary script code within the "chrome:" context.

Successful exploitation requires that a user is tricked into loading a specially crafted RSS feed.

The vulnerability is reported in versions prior to 2.1.9.

Solution:
Update to version 2.1.9.
https://addons.mozilla.org/en-US/firefox/addon/424

http://secunia.com/advisories/24913/ 

Posted Tue, Apr 17 2007 14:02 by Don | with no comments

A new instant-messaging pest that spreads using the chat feature in Skype has surfaced, security firm F-Secure warned Monday.

The worm, dubbed Pykse.A, is similar to threats that affect instant-messaging applications. A targeted Skype user will receive a chat message with text and a Web link that looks like it goes to a JPEG file on a Web site, F-Secure said on its Web site.

Clicking the link will redirect the user to a malicious file. The file, after executing, will send a malicious link to all online contacts in a Skype user's list and will show a picture of a scantily clad woman, F-Secure said. In addition, it sets the user's Skype status message to "Do Not Disturb," the security firm said.

Story continues at news.com.com 

Posted Tue, Apr 17 2007 11:05 by Don | with no comments

The Internal Revenue Service learned late Friday of a new tax scam on the Internet that lures taxpayers into filing tax information on a site masquerading as a member of the Free File Alliance. The IRS reminded taxpayers the only place to access the Free File program is through the official IRS.gov Web site.

“The final days of the tax season always bring tax scams,” IRS Commissioner Mark W. Everson said. “Make sure you’re really dealing with the IRS. Taxpayers can feel safe using Free File, but the only way to do it is through the secure IRS.gov Web site.”

The latest twist on tax scams involves tax preparation Web sites that inaccurately say they are part of the Free File Alliance, a partnership between 19 tax software companies and the IRS. The IRS is working with the Treasury Inspector General for Tax Administration to look into allegations that the Web sites accepted tax information from taxpayers, changed the taxpayers’ bank account numbers to their own and then filed the return through a legitimate Free File partner.

http://www.irs.gov/newsroom/article/0,,id=169507,00.html 

Posted Mon, Apr 16 2007 5:49 by Don | with no comments

Vulnerability in RPC on Windows DNS Server Could Allow Remote Code Execution.

Published: April 12, 2007 | Updated: April 15, 2007

Microsoft is investigating new public reports of a limited attack exploiting a vulnerability in the Domain Name System (DNS) Server Service in Microsoft Windows 2000 Server Service Pack 4, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. Microsoft Windows 2000 Professional Service Pack 4, Windows XP Service Pack 2, and Windows Vista are not affected as these versions do not contain the vulnerable code.

Microsoft’s initial investigation reveals that the attempts to exploit this vulnerability could allow an attacker to run code in the security context of the Domain Name System Server Service, which by default runs as Local SYSTEM.

Upon completion of this investigation, Microsoft will take appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Customers who believe they are affected can contact Product Support Services. Contact Product Support Services in North America for help with security update issues or viruses at no charge using the PC Safety line (1-866-PCSAFETY). International customers can use any method found at this location: http://support.microsoft.com/security

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

http://www.microsoft.com/technet/security/advisory/935964.mspx
