June 2007 - Posts

Internet Storm Center researchers are warning users that drive-by exploits have been embedded in a few dozen legitimate MySpace pages.

Johannes Ullrich, chief technology officer with the Internet Storm Center, told InformationWeek that the malicious code that's embedded in the Web pages installs the FluxBot, a dangerous new bot. Since the bot doesn't have a central command and instead relies on a complex set of ever-changing networks of proxy servers, Ullrich said it's extremely difficult to shut it down or cleanse it off an infected system.

"It appears that these are compromised accounts," said Ullrich. "Hackers overtook maybe a few dozen pages. MySpace is fixing the issue. ... They reacted very quickly in this case."

InformationWeek 

Posted Friday, June 29, 2007 2:47 AM by Don
Malicious spam posing as fake vulnerability patch leads to Trojan horse infection

Experts at Sophos, a world leader in IT security and control, have warned of a widespread attempt to infect email users by sending them a warning about a bogus Microsoft security patch.

The emails, which have the subject line "Microsoft Security Bulletin MS07-0065", pretend to come from Microsoft, and claim that a zero-day vulnerability has been discovered in the Microsoft Outlook email program. They go on to warn recipients that "more than 100,000 machines" have been exploited via the vulnerability in order to promote medications such as Viagra and Cialis.

Users are encouraged by the email to download a patch which, it is claimed, will fix the problem and prevent them from being attacked by hackers.

However, clicking on the link contained inside the email does not take computer users to Microsoft's website but one of many compromised websites hosting a Trojan horse. Sophos proactively detects the Trojan, without requiring an update, using Behavioral Genotype® Protection as Mal/Behav-112.

http://sophos.com/pressoffice/news/articles/2007/06/bogusmspatch.html 

 

Posted Friday, June 29, 2007 1:43 AM by Don

The Department of Justice (DoJ) is alerting e-mail users about a possible phishing attack using messages that claim to be from the DoJ.

In a news release Thursday, the DoJ said the e-mails may have the subject field or be addressed "Dear Citizen." It also said the messages may refer to a fraudulent U.S. Internal Revenue Service case filed against the recipient, and may contain a DoJ logo in the body of the mail or as an attachment.

The DoJ said the e-mail is a hoax, and asked recipients to neither open the message nor download any attachments that come with it, and delete the message immediately. The department said it would not contact users about such matters via e-mail.

Anyone receiving the e-mail is asked to file a complaint via a DoJ Web site.

ComputerWorld 

 

Posted Friday, June 29, 2007 1:38 AM by Don

Issued: June 26, 2007

Summary

The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS07-022

Bulletin Information:

MS07-022

- Reason for Revision: Updated this bulletin to advise customers
that are running Windows 2000 Service Pack 4 on NEC 98
systems that a revised version of the security update is
available.
- Originally posted: April 10, 2007
- Updated: June 26, 2007
- Bulletin Severity Rating: Important
- Version: 2.0

Description:
Apple has issued a security update for Mac OS X, which fixes two vulnerabilities.

1) An invalid type conversion when rendering frame sets in WebKit can be exploited to corrupt memory and can be exploited to execute arbitrary code when a user visits a malicious website.

2) An input validation error in the processing of headers passed to the "XMLHttpRequest" object in WebCore can be exploited to inject arbitrary HTTP requests.

Solution:
Apply Security Update 2007-006.

http://secunia.com/advisories/25786/

The ASC will host its third Public Workshop June 27, 2007, at Harvard University Law School, in Cambridge, Massachusetts.  The ASC is currently accepting speaker suggestions, and registration for the event is open.  A copy of the agenda is also available.

Posted Saturday, June 23, 2007 3:41 AM by Don

The SANS Internet Storm Center reports a fake Shockwave Player download page.

Quote 

When visited, the web page in question (a game site related to RuneScape) shows a couple of broken icons and all links just point to another web page that conveniently informs the user that his version of Macromedia Flash Player needs to be updated. After this notice, the user is redirected to a web site hosting a complete replica of the Shockwave Player Download Center.

Details: http://isc.sans.org/diary.html?storyid=3024 

Posted Saturday, June 23, 2007 1:51 AM by Don

The Defense Department took as many as 1,500 computers off line because of a cyber attack, Pentagon officials said Thursday.

Few details were released about the attack, which happened Wednesday, but Defense Secretary Robert Gates said the computer systems would be working again soon.

Gates said the Pentagon sees hundreds of attacks a day, and this one had no adverse impact on department operations. Employees whose computers were affected could still use their handheld BlackBerries.

During a press briefing Gates said, "We obviously have redundant systems in place. ... There will be some administrative disruptions and personal inconveniences." He said the Pentagon shut the computers down when a penetration of the system was detected, and the cause is still being investigated.

When asked if his own e-mail account was affected, Gates revealed, "I don't do e-mail. I'm a very low-tech person."

http://www.time.com/time/nation/article/0,8599,1636002,00.html 

 

Posted Friday, June 22, 2007 3:48 AM by Don

Cerulean Studios on Monday released a "highly critical" security update for its Trillian multi-protocol chat software.

Attackers could exploit vulnerabilities in the character encoding for Trillian 3.1.5.1--specifically, the word-wrapping handling of UTF-8, the Unicode Transformation Format used for encoding characters in e-mail, instant messages and Web pages, iDefense Labs warned in its security advisory. The vulnerabilities potentially could affect earlier versions of the Trillian software as well, iDefense said.

Story continues at news.com.com 

 

Posted Wednesday, June 20, 2007 3:02 AM by Don

A group of security professionals, legal experts and educators who helped former Connecticut substitute teacher Julie Amero overturn a conviction on charges of exposing her students to pornographic pop-up ads has formed a permanent organization that aims to educate the courts and legislators about technology, crime and digital forensics.

Taking the name of the person who brought them together, the members of the Julie Group intend to teach lawyers and end users about issues of technology and criminal law, lobby policy makers for fairness in criminal codes and regulations, and bring to light unfair prosecutions. The group will likely again offer their computer-security expertise to prosecutors and defense attorneys in future cases.

http://www.securityfocus.com/news/11471 

Posted Wednesday, June 20, 2007 2:57 AM by Don

A malware distribution and attack kit sold commercially through underground channels on the Internet has compromised hundreds of thousands of systems in the past six months, including an epidemic of infections that hit Italian Web servers this past weekend, according to security and antivirus firms.

Known as Mpack, the kit consists of commercial-grade software components written in the PHP Web programming language and apparently sold by a group of Russian programmers. The software, which comes with a year of support, was first mentioned in an analysis penned by antivirus firm Panda Software. In mid-May, Panda stated that the software had compromised at least 160,000 computers.

http://www.securityfocus.com/brief/529 

 

Posted Tuesday, June 19, 2007 3:26 PM by Don

Trend Micro Incorporated (TSE: 4704), a leader in network antivirus and content security software and services, today announced the accelerating infection over the weekend in Italy of seemingly legitimate web pages loaded with malicious code that could plant a keylogger to steal user passwords, or turn computers into proxy servers for various other attacks. Trend Micro data indicates that tens of thousands of users worldwide have already accessed compromised URLs, oblivious to the threat as a result of their natural web surfing activity. The initial HTML malware takes advantage of a vulnerability in so-called "iFrames" that are commonly used on websites and commonly exploited. Trend Micro researchers believe it was initially probably an automated attack, created from a computer Trojan-making kit.


Posted Tuesday, June 19, 2007 3:03 AM by Don

Online payment service PayPal, a subsidiary of eBay, rolled out on Friday a second factor for authenticating users online -- a key fob that generates a pseudo random security code every 30 seconds.

Following a beta program launched at the RSA Security conference in February, the service is now available for both eBay and PayPal customers, the companies said in a statement. The security token, produced by security-services firm VeriSign, generates a pseudo-random six-digit number every 30 seconds that can be authenticated through VeriSign's Identity Protection service.

http://www.securityfocus.com/brief/528 

 

Posted Tuesday, June 19, 2007 2:23 AM by Don

We invite you to attend a Q&A with the Microsoft Security MVPs. In this chat the MVP experts will answer your questions regarding online safety issues such as phishing, spyware, rootkits as well as server related topics. If you have questions on how to protect your PC, please bring them to this informative chat.

When:   Thursday June 21st
Time:    4pm PST and 7pm EST
Where:  TechNet Chat Room

No password required

Posted Tuesday, June 19, 2007 2:19 AM by Don

Websense® Security Labs™ has received reports of a large scale attack in Europe that is using the MPACK web exploit toolkit.  For more information on MPACK please see the Panda Labs blog here:
http://blogs.pandasoftware.com/blogs/pandalabs/archive/2007/05/11/MPack-uncovered_2100_.aspx.

At the time of this alert our ThreatSeeker technology has discovered more than 10,000 sites that have been compromised and have IFRAMES pointing to the hub infection site.

Assuming users connect to one of the compromised sites and are vulnerable to one of several loaded exploits, a Trojan Horse is downloaded onto their machine which is designed to steal banking and potentially other confidential information through a series of web infection downloads.


 

Posted Monday, June 18, 2007 12:14 PM by Don

RSA Security just finished a study of Wi-Fi in three top financial centers: New York, London and Paris. The security solutions business company found that of the three big money centers, London has the most Wi-Fi, but more importantly, the most secure Wi-Fi.


Posted Sunday, June 17, 2007 4:58 AM by Don

Apple Inc. took just three days to update the beta of its Safari browser for Windows, releasing a new version that patches three vulnerabilities.

Safari 3.0.1 fixed three flaws -- a minority of the bugs found so far by researchers -- in the Windows beta. According to Apple, two of the trio don't affect the Safari 3.0 beta that runs on Mac OS X, but the third can crash the Mac browser.

Story continues at computerworld.com

The FBI announced on Wednesday that an ongoing cybercrime initiative, dubbed Operation Bot Roast, has identified more than a million PCs compromised with bot software and resulted in charges against three people for violations of the Computer Fraud and Abuse Act.

The U.S. Department of Justice, along with its partners at the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University and the Botnet Task Force, aims to disrupt the operations of bot masters, or bot herders, that compromise their victims' machines to use for sending spam or attacking other computers.

http://www.securityfocus.com/brief/525 

Posted Thursday, June 14, 2007 5:03 AM by Don

Issued: June 13, 2007

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS07-034 - Critical
  * MS07-033 - Critical

Bulletin Information:

* MS07-034 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-034.mspx
  - Reason for Revision: Updated the Microsoft Knowledge Base Article
    to reference KB Article 929123 in the Known Issues section. 
  - Originally posted: June 12, 2007
  - Updated: June 13, 2007
  - Bulletin Severity Rating: Critical
  - Version: 1.3
   
* MS07-033 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-033.mspx
  - Reason for Revision: Registry Key Verification corrected for
    Internet Explorer 6 Service Pack 1 on all supported editions
    of Microsoft Windows 2000 Service Pack 4; Removed duplicate
    text in Workarounds for COM Object Instantiation Memory
    Corruption Vulnerability - CVE-2007-0218 and Workarounds for
    Uninitialized Memory Corruption Vulnerability - CVE-2007-1751 
  - Originally posted: June 12, 2007
  - Updated: June 13, 2007
  - Bulletin Severity Rating: Critical
  - Version: 1.2
       
Support:

Technical support resources can be found at:
http://go.microsoft.com/fwlink/?LinkId=21131

June 12, 2007

Today Microsoft released the following Security Bulletin(s).

June Bulletin Summary

Critical

MS07-031 - Vulnerability in the Windows Schannel Security Package Could Allow Remote Code Execution (935840)
MS07-033 - Cumulative Security Update for Internet Explorer (933566)
MS07-034 - Cumulative Security Update for Outlook Express and Windows Mail (929123)
MS07-035 - Vulnerability in Win32 API Could Allow Remote Code Execution (935839)

Important

MS07-030 - Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (927051)

Moderate

MS07-032 - Vulnerability in Windows Vista Could Allow Information Disclosure (931213)

This represents our regularly scheduled monthly bulletin release (second Tuesday of each month). Please note that Microsoft may release bulletins outside of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation after reading the above listed bulletin, you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.
 
