July 2007 - Posts

The Mozilla Foundation released on Monday a fix for two security issues, patching a problem in the way its Firefox browser processes links that call external programs to handle data.

The issue came to light last week, the destination in a circuitous trip of discovery. In early July, three researchers found a way to execute code in Firefox -- and potentially other Windows programs -- by passing the browser a malicious uniform resource identifier (URI) from Internet Explorer. The discovery lit off a firestorm of finger pointing: The Mozilla Foundation argued that IE should validate the URI before passing it along to another program, while Microsoft stated that input validation is the responsibility of the receiving program.

http://www.securityfocus.com/brief/559 
Posted Tue, Jul 31 2007 15:41 by Don

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have warned of a widespread email spam campaign that poses as a screensaver but is really designed to install Trojan horses and rootkits on infected Windows PCs.

The emails, which are being seen in inboxes worldwide, claim that the recipient has been sent a screensaver by a friend and tell the user to open the attachment (called bsaver.zip).

Details ... 

Posted Mon, Jul 30 2007 13:56 by Don

Anti-malware applications and spam filters are now routinely used by nearly all businesses. Yet digital garbage may still be pouring into employees' machines from an unsuspected source: RSS and Atom feeds.

Both feed formats automatically deliver updated news and other types of Web information directly to subscribers' readers and aggregators. But feeds can also be used by hackers to surreptitiously transfer viruses, Trojan horses, worms and various other types of malware. That's because feed suppliers often scoop up content automatically without giving thought to the code's safety. As a result, data — both good and bad — is transferred directly to subscribers' computers.

Continues at itsecurity.com 

Posted Sun, Jul 29 2007 3:59 by Don

Bulk e-mail using attachments in the Portable Document Format (PDF) has begun to decline just a month after it first appeared, and spammers are moving on to Excel files, security firms said this week.

The seemingly short-lived adoption by spammers of PDF attachments began in mid-June, and peaked earlier this month. However, use of the format has started to decline, while an increasing amount of spam e-mail has appeared with Excel attachments. Enterprise security firm BitDefender noted the decrease in PDF spam on July 24 and predicted that the format will cease being a significant vector in the future.

http://www.securityfocus.com/brief/556 
Posted Sun, Jul 29 2007 3:51 by Don

Issued: July 26, 2007

Summary

The following bulletin has undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS07-040 - Critical

Bulletin Information:

* MS07-040 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-040.mspx
  - Reason for Revision: Additional clarification has been added to
    the Bulletin explaining that .NET Framework updates are
    cumulative and may contain non-security updates. The Bulletin
    was also updated to clarify that this update applies to Service
    Pack 3 for .NET Framework 1.0 and Service pack 1 for .NET
    Framework 1.1.
  - Originally posted: July 10, 2007
  - Updated: July 26, 2007
  - Bulletin Severity Rating: Critical
  - Version: 1.3 

On July 26, McAfee will begin offering a new application called Rootkit Detective, designed to detect and remove dangerous rootkit attacks. The software will also help end-users ward off the threats, as well as funnel new intelligence into the company's ongoing research operations.

Following in the footsteps of SiteAdvisor -- the free Web site security program acquired by McAfee in April 2006 that warns users about potentially dangerous sites and search results -- company officials said that the new tool will be offered at no charge from its Web site via download, with benefits for both end-users and its researchers.

Continues at infoworld.com 

Posted Thu, Jul 26 2007 11:33 by Don

The number of infected Web pages has soared nearly six-fold since the first of the year, according to security company Sophos Plc.

Detailed in a just-released threat report, the spike shows just how widespread Web attacks have become, Sophos said today. In June, it detected an average of almost 30,000 newly-infected pages each day; earlier in the year, the tally was as low as only 5,000 new pages daily.

The vast majority of pages serving up malicious content are, in fact, hosted on legitimate Web sites, Sophos also said. About 80% of all Web-based malware is on innocent, albeit compromised, sites.

Continues at computerworld.com 
Posted Wed, Jul 25 2007 13:22 by Don

The Mozilla Foundation acknowledged over the weekend that its own Firefox browser allows links that can send malicious code to external programs, a security issue that the group had previously argued should be fixed by the browser maker.

In early July, three researchers found a way to execute code in Firefox -- and potentially other Windows programs -- by passing it a malicious uniform resource identifier (URI) from Internet Explorer. The discovery lit off a firestorm of finger pointing: The Mozilla Foundation argued that IE should validate the URI before passing it along to another program, while Microsoft stated that input validation is the responsibility of the receiving program.

http://www.securityfocus.com/brief/553 
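The dispute above is about which side must validate the URI; a receiving program cannot rely on the sender either way. The following Python is an added example, not code from Mozilla, Microsoft or the SecurityFocus story, showing a receiving program's own check before it hands a URI to an external handler. The allowed schemes and the handler path /usr/bin/example-handler are assumptions.

```python
import re
from typing import List
from urllib.parse import urlsplit

# Schemes this hypothetical receiving handler is willing to dispatch (assumption).
ALLOWED_SCHEMES = {"http", "https", "mailto"}

# Characters RFC 3986 permits anywhere in a URI: unreserved, gen-delims,
# sub-delims and '%' for percent-encoding. Space, double quote, backslash,
# newline and other control characters are outside this set and are rejected.
_URI_CHARS = re.compile(r"[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]*")
_BAD_PCT = re.compile(r"%(?![0-9A-Fa-f]{2})")


class InvalidURI(ValueError):
    """Raised when a URI handed to this program fails validation."""


def validate_uri(uri: str, max_len: int = 2048) -> str:
    """Return the URI unchanged if it is well formed and uses an allowed scheme.

    The check is performed here, in the receiving program, regardless of
    what the sending program may already have done: the caller is not trusted.
    """
    if len(uri) > max_len:
        raise InvalidURI("URI too long")
    if not _URI_CHARS.fullmatch(uri):
        raise InvalidURI("character outside the RFC 3986 URI character set")
    if _BAD_PCT.search(uri):
        raise InvalidURI("malformed percent-encoding")
    try:
        parts = urlsplit(uri)
    except ValueError as exc:  # e.g. unbalanced IPv6 brackets in the host
        raise InvalidURI(f"unparseable URI: {exc}") from exc
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise InvalidURI(f"scheme not allowed: {parts.scheme!r}")
    if scheme in ("http", "https") and not parts.netloc:
        raise InvalidURI("http(s) URI without a host")
    return uri


def is_acceptable_uri(uri: str) -> bool:
    """Boolean wrapper around validate_uri for callers that only need a verdict."""
    try:
        validate_uri(uri)
    except InvalidURI:
        return False
    return True


def handler_argv(uri: str) -> List[str]:
    """Argument vector for launching the external handler (hypothetical path).

    The command is built as a list, never as a shell string, and the URI is
    placed after '--' so it is delivered as exactly one positional argument
    and can never be interpreted as an option by the handler.
    """
    return ["/usr/bin/example-handler", "--", validate_uri(uri)]
```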
Posted Wed, Jul 25 2007 3:47 by Don

Test the Secunia PSI (BETA) Technology Preview, an upcoming addition to the Secunia Software Inspector series, based on the proven Secunia File Signatures Technology.

The Secunia PSI detects installed software and categorises it as either Insecure, End-of-Life, or Up-To-Date, effectively enabling you to focus your attention on software installations where more secure versions are available from the vendors.

https://psi.secunia.com/

Posted Tue, Jul 24 2007 10:01 by Don

A major flaw in the Apple iPhone's browser opens the device to attack through a malicious wireless access point or Web server, the security firm that discovered the vulnerability announced on Monday.

Because of some poor security choices in the phone's design, an attacker could install code to steal any and all data on the iPhone by exploiting a flaw in Apple's MobileSafari browser, the company, Independent Security Evaluators, said in a general analysis of the issue. An attack could use a link sent through e-mail or by an SMS (short message service) text message, or use an attacker-controlled wireless access point to mount a man-in-the-middle attack that redirects the iPhone's browser to the malicious code.

http://www.securityfocus.com/brief/552 
Posted Mon, Jul 23 2007 13:09 by Don

Issued: July 19, 2007

Summary

The following bulletin has undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS07-040 - Critical

Bulletin Information:

* MS07-040 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-040.mspx
  - Reason for Revision: Bulletin Updated: Corrected KB933854 file
    manifest table for .NET Framework 1.1 on supported versions
    of Windows Server 2003. The Bulletin has also been updated
    providing an additional link to the main Bulletin Knowledge
    Base Article which will document all non-security
    functionality changes introduced in this .NET Framework
    security update. 
  - Originally posted: July 10, 2007
  - Updated: July 19, 2007
  - Bulletin Severity Rating: Critical
  - Version: 1.2

Issued: July 12, 2007

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS07-038 - Moderate
  * MS07-039 - Critical
  * MS07-040 - Critical
  * MS07-041 - Important

Bulletin Information:

* MS07-038 - Moderate

  - http://www.microsoft.com/technet/security/bulletin/ms07-038.mspx
  - Reason for Revision: Bulletin revised. CVE hyperlink updated to
    correct CVE id. Workarounds Section updated to correct
    command line instructions. 
  - Originally posted: July 10, 2007
  - Updated: July 12, 2007
  - Bulletin Severity Rating: Moderate
  - Version: 1.1

* MS07-039 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-039.mspx
  - Reason for Revision: Bulletin Revised: Updating bulletin to add
    FAQ section for ADAM dependencies and why this update was
    deployed to all 2000 and 2003 systems.  
  - Originally posted: July 10, 2007
  - Updated: July 12, 2007
  - Bulletin Severity Rating: Critical
  - Version: 1.1
* MS07-040 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-040.mspx
  - Reason for Revision: Bulletin Updated: Corrected Windows Vista
    severity rating in the "Affected Software" table to
    Important. Corrected several instances in the file manifest
    tables incorrectly referencing a version of Mscordacwks.dll
    that is not installed on the system. Added an additional FAQ
    explaining why customers installing .NET Framework 3.0 should
    update .NET Framework 2.0 on their system. Added an
    additional FAQ for ASP.NET Web application developers. 
  - Originally posted: July 10, 2007
  - Updated: July 12, 2007
  - Bulletin Severity Rating: Critical
  - Version: 1.1

* MS07-041 - Important

  - http://www.microsoft.com/technet/security/bulletin/ms07-041.mspx
  - Reason for Revision: Bulletin Updated: additional clarification
    has been added explaining that the vulnerability lies in an
    object IIS 5.1 uses to maintain statistics on hosted
    applications. 
  - Originally posted: July 10, 2007
  - Updated: July 12, 2007
  - Bulletin Severity Rating: Important
  - Version: 1.1 

Issued: July 12, 2007

Summary

The following bulletin has undergone a major revision increment.
Please see the appropriate bulletin for more details.

  * MS07-036 - Critical

Bulletin Information:

* MS07-036 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-036.mspx
  - Reason for Revision: Bulletin updated. Affected Products updated
    to include Microsoft Office 2004 for Mac. File Manifest
    information updated for Microsoft Office Compatibility Pack
    for Word, Excel, and PowerPoint 2007.
  - Originally posted: July 10, 2007
  - Updated: July 12, 2007
  - Bulletin Severity Rating: Critical
  - Version: 2.0
CastleCops has joined the Anti-Spyware Coalition. "We are pleased to welcome CastleCops as the newest member of the Anti-Spyware Coalition," said Ari Schwartz, deputy director of the Center for Democracy and Technology and coordinator of the ASC. "The strength of the ASC has always been built on the incredible commitment and deep knowledge base of its membership. The extensive experience and expertise of CastleCops and its volunteers will be a vital asset to the ASC moving forward."

http://www.castlecops.com/a6807-CastleCops_joins_the_Anti_Spyware_Coalition.html
Posted Thu, Jul 12 2007 5:36 by Don

Description:
Some vulnerabilities have been reported in Adobe Flash Player, which can be exploited by malicious people to gain knowledge of sensitive information or compromise a user's system.

1) An input validation error can be exploited to execute arbitrary code when a user e.g. visits a malicious website.

The vulnerability affects versions 9.0.45.0 and prior.

2) An error within the interaction of Flash Player and certain browsers can be exploited to leak key presses to a Flash Player applet.

The vulnerability affects versions 7.0.69.0 and prior on Linux and Solaris. It does not affect Flash Player 9.

A bug has also been reported in the validation of the HTTP Referer in versions 8.0.34.0 and prior, which may aid in e.g. CSRF (Cross-Site Request Forgery) attacks.

Secunia has constructed the Secunia Software Inspector, which you can use to check if your system is vulnerable:
http://secunia.com/software_inspector/

Solution:
Update to version 9.0.47.0.

http://secunia.com/advisories/26027/ 

July 10, 2007

Today Microsoft released the following Security Bulletin(s).

July Bulletin Summary

Critical

MS07-036 -  Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (936542)
MS07-039 -  Vulnerability in Windows Active Directory Could Allow Remote Code Execution (926122)
MS07-040 -  Vulnerabilities in .NET Framework Could Allow Remote Code Execution (931212)

Important

MS07-037 -  Vulnerability in Microsoft Office Publisher 2007 Could Allow Remote Code Execution (936548)
MS07-041 -  Vulnerability in Microsoft Internet Information Services Could Allow Remote Code Execution (939373)

Moderate

MS07-038 -  Vulnerability in Windows Vista Firewall Could Allow Information Disclosure (935807)

This represents our regularly scheduled monthly bulletin release (second Tuesday of each month). Please note that Microsoft may release bulletins outside of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation after reading the above listed bulletin, you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.
The average zero-day (0day) bug has a lifespan of 348 days before it is discovered or patched, and some vulnerabilities live on for much longer, according to security vendor Immunity Inc.'s chief executive officer.

Zero-day bugs are vulnerabilities that have not been patched or made public. When discovered and not disclosed, these bugs can be used by hackers and criminals to break into corporate systems to steal or change data. As a result, there is a thriving market for zero-day bugs.

"Huge amounts of money are being offered to zero-day discoverers for their zero-days," said Justine Aitel, Immunity's CEO, speaking in Singapore at the SyScan '07 security conference.

Continues at computerworld.com 

 

Posted Tue, Jul 10 2007 4:10 by Don

Google announced on Monday that the company had signed a definitive agreement to buy Internet messaging security firm Postini for $625 million in cash.

The acquisition would allow Google to offer e-mail and instant-messaging security as well as archiving and encryption services without requiring customers to purchase additional hardware. The offerings fit right into Google's current line-up of hosted applications, such as GMail, Google Calendar and Google Docs & Spreadsheets, Dave Girouard, vice president of Google Enterprise, said in a statement.

http://www.securityfocus.com/brief/543 
Posted Mon, Jul 9 2007 13:24 by Don

Websense® Security Labs(TM) has received reports that a new email campaign is spreading that attempts to lure users into downloading malicious code. It appears as though the same group that was behind the widespread July 4th attacks, which used greeting card lures to spread, is behind this one as well. The July 4th greeting card run had more than 250 sites hosting a variety of malicious code. The websites are using exactly the same JavaScript obfuscation technique and exploit code as the greeting card run.

All emails use URLs that send users to an IP address that will attempt to exploit the users if their browsers are vulnerable. If the browser is not vulnerable the exploit code will not work; however, the page will prompt the user to download a file called patch.exe by displaying the message "If your download does not start in approximately 15 seconds click here to download".

The theme of the new email campaigns is a new patch that is available for users who may have been infected with a recent worm.

Subject lines we have seen so far are:

* Virus Detected!
* Trojan Alert!
* Worm Alert!
* Worm Activity Detected!

Assuming users are running vulnerable browsers, several files will be downloaded and run on their machines and Trojan horses will be installed. As in the July 4th greeting card attacks, there are several versions of the code being uploaded by the attackers in order to thwart detection.

Additional details and information 

Posted Mon, Jul 9 2007 12:07 by Don

It appears that spammers have found a way of automatically creating Hotmail and Yahoo email accounts, having already created more than 15,000 bogus Hotmail accounts, according to security company BitDefender.

Both Microsoft and Yahoo use "captcha" systems to stop email accounts from being automatically generated; accounts aren't created until a new user correctly identifies letters depicted in an image. Captcha systems are designed to ensure that the letters are not easily recognized by machines.

BitDefender says that a new threat, dubbed Trojan.Spammer.HotLan.A, is using automatically generated Yahoo and Hotmail accounts to send out spam email, which suggests that spammers have found a way to overcome Microsoft's and Yahoo's CAPTCHA systems.

Story continues at tech.blorge.com 

Posted Mon, Jul 9 2007 8:22 by Don