May 2007 - Posts

In the latest narrowcast attack, security researchers warned today, cybercriminals masquerading as the Internal Revenue Service are counting on the gullibility of business executives.

The e-mail attacks try to dupe recipients into opening the attached file by scaring them with a bogus allegation. "You have received a complaint in regards to your business services," the message begins. "Instructions on how to resolve this complaint as well as a copy of the original complaint are attached to this email."

Other social engineering tricks used by the attackers include the tax agency's logo in the message body, an attached Word document named COMPLAINT.rtf, and the message addressed directly to the recipient.

ComputerWorld 

Posted Thu, May 31 2007 16:19 by Don

Issued: May 31, 2007

Summary

The following bulletin has undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS07-029

Bulletin Information:

* MS07-029

  - http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx
  - Reason for Revision: Bulletin revised. File Information updated
    for Windows Server 2003. Clarification added throughout the
    bulletin for server configurations that may require the
    installation of DNS functionality as a prerequisite for the
    security update installation.  
  - Originally posted: May 8, 2007
  - Updated: May 31, 2007
  - Bulletin Severity Rating: Critical
  - Version: 1.1
        
Support:

Technical support resources can be found at:
http://go.microsoft.com/fwlink/?LinkId=21131

The American Red Cross has learned about a new scam targeting military families. This scam takes the form of false information to military families as described below:

The caller (young-sounding, American accent) calls a military spouse and identifies herself as a representative from the Red Cross. The caller states that the spouse's husband (not identified by name) was hurt while on duty in Iraq and was med-evacuated to a hospital in Germany. The caller stated they couldn't start treatment until paperwork was accomplished, and that in order to start the paperwork they needed the spouse to verify her husband's social security number and date of birth. In this case, the spouse was quick to catch on and she did not provide any information to the caller.

Red Cross Press Release

Posted Thu, May 31 2007 13:48 by Don

Description:
Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to conduct spoofing attacks, bypass certain security restrictions, and potentially compromise a user's system.

1) Errors in the JavaScript engine can be exploited to cause memory corruption and potentially to execute arbitrary code.

2) An error in the "addEventListener" method can be exploited to inject script into another site, circumventing the browser's same-origin policy. This could be used to access or modify sensitive information from the other site.

3) An error in the handling of XUL popups can be exploited to spoof parts of the browser such as the location bar.

Secunia has constructed the Secunia Software Inspector, which you can use to check if your system is vulnerable:
http://secunia.com/software_inspector/

Solution:
Update to version 2.0.0.4 or 1.5.0.12.

Secunia Advisory 

Search giant Google quietly bought up GreenBorder Technologies earlier this month in an acquisition that some company watchers have speculated signals a future security offering.

The deal, which reportedly closed earlier in May, gives Google access to GreenBorder's virtualization technology, which allows Internet browsers to run in a sandboxed environment to prevent malicious code from interacting with a user's PC. The only notice of the deal appeared to be a statement on GreenBorder's support site.

http://www.securityfocus.com/brief/512

Posted Wed, May 30 2007 13:05 by Don

Mozilla Corp. will issue the last security update for its open-source Firefox 1.5 browser today (Wednesday). It will include an automatic update mechanism to give users the option of upgrading to the newer Firefox 2.0.

"The upgrade offer will be enabled within a few weeks," said Mozilla in a blog on its developer center.

The long-anticipated end to Firefox 1.5 support was originally slated for April 24, but last month Mozilla pushed back the drop-dead date, saying it needed more time to craft the auto updater. When Mozilla triggers what it's called "Major Updates," users will be offered an in-place upgrade to Firefox 2.0, which they can decline if they wish. Users can also permanently suppress the upgrade message so it never again appears.

Today's Firefox 1.5.0.12 will be the final security patch for the 18-month-old browser. Also due for delivery is Firefox 2.0.0.4. Both, Mozilla said, are "standard stability and security updates."

Firefox 2.0.0.4 will be posted here, while Firefox 1.5.0.12 will be available from this page of the Mozilla site. A list of the vulnerabilities patched by both updates will be posted sometime after 2.0.0.4 and 1.5.0.12 go live.

ComputerWorld 

Posted Wed, May 30 2007 3:27 by Don

Apple released a security update for Quicktime 7.1.6, further removing a vulnerability first used by a security researcher in April to win $10,000 and a new Macbook in the "PWN 2 0WN" contest at CanSecWest 2007. This security update complements an earlier bug patch for Quicktime 7.1.6 released by Apple on May 1, 2007. The 1.1Mb Windows Quicktime 7.1.6 update affects users of Windows 2000 SP4, and Windows XP SP2. The 1.4 Mb Mac Quicktime 7.1.6 update affects users of Mac OS X v10.3.9 and Mac OS X v10.4.9.

http://news.com.com/8301-10784_3-9723451-7.html 

Posted Wed, May 30 2007 3:20 by Don

A group of Carnegie Mellon University programmers has launched a service called ReCaptcha that can help cut down on spam while letting people digitize books.

The project is a variation of the widely used "Captcha" technique to weed out computer abuse such as e-mailing spam or posting spam on blog comments. Captchas require users to pass little pattern recognition tests, commonly reading distorted or obscured words.

CNet News 

Posted Mon, May 28 2007 2:50 by Don

ESET, the leader in proactive threat protection, today unveiled its new online scanning service. Powered by award-winning ESET NOD32 Antivirus software, ESET Online Scanner is a free Web-based service that enables computer users to perform a comprehensive system scan to check for and clean viruses, spyware, and other malware—without uninstalling their existing antivirus solution. With Online Scanner, non-ESET users can get a “second opinion” on the health status of their computers and determine if their existing malware solution is really performing up to snuff.


“It’s a pleasure for us to offer the public the power of NOD32 in our new Online Scanner service,” said Miroslav Trnka, co-founder and CTO of ESET. “ESET believes in empowering users to make the best AV buying decision, and we’ve offered free 30-day trial licenses for many years that include full product functionality. While it doesn’t replace the trial version, the new Web scanner takes this try-before-you-buy philosophy a step further by allowing users to test our product in real-time without removing their existing protection.”

Announcement

 

Posted Fri, May 25 2007 3:38 by Don

Websense® Security Labs™ has received reports of a new email spam variant similar to an attack launched early this year. The spoofed email purports to be from the Better Business Bureau (BBB). The message claims that a complaint has been filed against the recipient's company. Attached to the message is a Microsoft Word document (Document_for_Case.doc), supposedly containing additional details regarding the complaint. The Word document actually contains a Trojan Downloader that, when opened, attempts to download and install a keylogger. This keylogger uploads stolen data to an IP address in Malaysia.

http://www.websense.com/securitylabs/alerts/alert.php?AlertID=777

Posted Fri, May 25 2007 3:31 by Don

A small survey of blogs that use the popular WordPress blogging software has found that the sites' administrators are not sticklers about patching, which could leave the door open to increasingly common compromises with malicious JavaScript.

The survey, published by security analyst David Kierznowski on Wednesday, found that only one of the 50 surveyed WordPress sites had upgraded to the latest supported versions -- 2.2 and 2.0.10 -- of the open-source package. Nearly half of the sites had not even been upgraded from the unsupported 1.5 branch of the WordPress software.

http://www.securityfocus.com/brief/508

Posted Fri, May 25 2007 3:25 by Don

Description:
Sergio Alvarez has reported a vulnerability in avast!, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an error within the parsing of .CAB files and can be exploited to cause a heap-based buffer overflow via a specially crafted .CAB file.

Successful exploitation may allow execution of arbitrary code.

The vulnerability reportedly affects versions prior to 4.7.766 for servers and 4.7.700 for the Managed Client product.

Solution:
Update to the latest versions.
http://www.avast.com/eng/download.html

Secunia Advisory 

A virus writer with something to prove has written a proof-of-concept OpenOffice document to demonstrate a way to infect Windows, Linux and Mac OS X systems with a single script.

The virus, dubbed BadBunny by antivirus firm Sophos, is a script embedded in an OpenOffice Draw file and performs different actions based on the host's operating system. On Windows, the program drops a file for the instant messaging client mIRC that attempts to spread the virus. On Mac OS X, the program places two Ruby scripts that attempt to propagate the file, and on Linux systems, BadBunny drops scripts written in Python and Perl to copy itself to other systems.

http://www.securityfocus.com/brief/507

Posted Thu, May 24 2007 5:18 by Don

Description:
Ismael Briones has reported two vulnerabilities in Nod32 Antivirus, which potentially can be exploited by malicious users to gain escalated privileges, or by malicious people to compromise a vulnerable system.

The vulnerabilities are caused due to boundary errors when cleaning, deleting, or renaming files detected as malware. These can be exploited to cause stack-based buffer overflows via a specially crafted directory containing malware with an overly long directory or path name.

Successful exploitation may allow execution of arbitrary code.

The vulnerabilities are reported in versions prior to 2.70.37.

Solution:
Update to version 2.70.39.
http://www.eset.com/download/registered_software.php

http://secunia.com/advisories/25375/ 

Posted Wed, May 23 2007 4:44 by Don

Spammers, phishers and other Internet bottom-feeders, be warned.

A key Internet standards body gave preliminary approval on Tuesday to a powerful technology designed to detect and block fake e-mail messages.

It's called DomainKeys Identified Mail, and it promises to give Internet users the best chance so far of staunching the seemingly endless flow of fraudulent junk e-mail.

Story continues at news.com.com 

Posted Wed, May 23 2007 4:42 by Don

Issued: May 22, 2007

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS07-004

Bulletin Information:

* MS07-004

  - http://www.microsoft.com/technet/security/bulletin/ms07-004.mspx
  - Reason for Revision: Bulletin updated to reflect that Windows
    Internet Explorer 7 on Windows Server 2003 Service Pack 2 is
    an affected component, same as Windows Internet Explorer 7 on
    Windows Server 2003 Service Pack 1. The vgx.dll version
    installed with Windows Internet Explorer 7 is a major-version
    higher than vgx.dll included in Windows Server 2003 Service
    Pack 2. Windows Server 2003 Service Pack 2 is not-affected by
    this vulnerability as released. Therefore, customers who
    install Windows Internet Explorer 7 on Windows Server 2003
    Service Pack 2 will also need to apply this security update.  
  - Originally posted: January 9, 2007
  - Updated: May 22, 2007
  - Bulletin Severity Rating: Critical
  - Version: 1.2
        
Support:

Technical support resources can be found at:
http://go.microsoft.com/fwlink/?LinkId=21131

Symantec Corp. (Nasdaq: SYMC) and Huawei Technologies Co., Ltd. (Huawei) today announced that the two companies are forming a joint venture company. The new company will develop and distribute world-leading security and storage appliances to global telecommunications carriers and enterprises.

Businesses around the world are building and maintaining IP networks and IT systems that support a growing number of connections. This requires balancing increasing performance and availability requirements with system security and data integrity. The joint venture will help carriers and enterprises effectively address these challenges by offering security and storage appliances that are easy to implement and maximize value to customers. According to IDC, the global security and storage appliance market is $23 billion today, and the market in China is forecast to exceed $1.1 billion.

News Release 

Posted Tue, May 22 2007 5:23 by Don

Issued: May 21, 2007

Security Advisories Updated or Released Today

 * Microsoft Security Advisory (937696)
  - Title: Release of Microsoft Office Isolated
    Conversion Environment (MOICE) and File Block Functionality
    for Microsoft Office
  - http://www.microsoft.com/technet/security/advisory/937696.mspx
  - Revision Note: Advisory Published: May 21, 2007    

Support:

Technical support resources can be found at:
http://go.microsoft.com/fwlink/?LinkId=21131

A new, stealthier version of a previously known Russian Trojan horse program called Gozi has been circulating on the Net since April 17 and has already stolen personal data from more than 2000 home users worldwide.

The compromised information includes bank and credit card account numbers (including CVV codes), Social Security numbers, and online payment account numbers as well as usernames and passwords. As with its predecessor, the new version of Gozi is programmed to steal information from encrypted SSL streams and send the stolen information to a server based in Russia.

The variant was discovered by Don Jackson, a security researcher with Atlanta-based SecureWorks Inc., who also discovered the original Gozi Trojan back in January.

Story continues at computerworld.com 

Posted Sun, May 20 2007 18:03 by Don

Adware maker Zango Inc. has sued PC Tools Pty Ltd., makers of the popular Spyware Doctor software, in a dispute over the way the antispyware program flags and removes Zango's technology.

Representatives from both Zango and PC Tools confirmed that Zango had filed suit against the antispyware vendor. However, they declined to provide details on the lawsuit except to say that it involved a dispute over the way Spyware Doctor rated Zango's software.

ComputerWorld 

Posted Sat, May 19 2007 9:02 by Don