December 2007 - Posts

One in five applications installed on Windows PCs are missing security patches, a Copenhagen-based vulnerability tracker has reported.

According to Secunia APS, more than 20% of the applications scanned by its Personal Software Inspector (PSI) utility were open to attack because available fixes for security flaws had not been applied.

"More than 20% of all applications installed on users' PCs have known security flaws, but the users have yet to install the patch provided by the vendor of [the] product," said Jakob Balle, Secunia's development manager, in a post to the company's blog last week.

Story continues at computerworld.com 

 

Posted Sun, Dec 30 2007 6:07 by Don

The ongoing Storm Trojan attack that began Monday has morphed again, security researchers said today, changing the malicious file's name, shifting to new malware hosting servers, and adding a rootkit to cloak the bot code from anti-virus software.

Spam messages attempting to dupe users into installing the bot-making Trojan now include links to happycards2008.com or newyearcards2008.com, different URLs than in the second-wave attack that began Christmas Day. According to analysts at the SANS Institute's Internet Storm Center (ISC) and U.K.-based Prevx Ltd., the name of the file users are asked to download has also changed from Tuesday's "happy2008.exe." The file being shilled today is tagged "happynewyear.exe."

Full Story at computerworld.com 

 

Posted Fri, Dec 28 2007 3:42 by Don

Trojan horse programs dressed up like video decoders, or codecs, have become a popular way to attempt to infect the computers of unwary Web surfers.

Research by antispyware firm Sunbelt Software found that a number of sites hosted by blog service provider Blogger, a subsidiary of Google, contained fake video files that, if clicked on by a visitor, would prompt the victim to download and install a video helper application. In reality, the application is a Trojan horse program designed to infect the victim's PC, CEO Alex Eckelberry stated in the blog post.

http://www.securityfocus.com/brief/650 

 

Posted Fri, Dec 28 2007 3:37 by Don

Just a day after unleashing spam featuring Christmas strippers, the Storm botnet switched gears yesterday and began duping users into infecting their own PCs by bombarding them with messages touting the new year, said security researchers.

According to U.K.-based Prevx Ltd. and Symantec Corp. of Cupertino, Calif., the botnet of Storm Trojan-compromised computers started sending spam with subject headings such as "Happy 2008!" and "Happy New Year!" late on Christmas Day. The messages try to convince recipients to steer for the uhavepostcard.com Web site to download and install a file tagged "happy2008.exe," said researchers at both firms.

However, the file is actually a new variant of the Storm Trojan.

Full Story at computerworld.com 

 

Posted Wed, Dec 26 2007 7:05 by Don

Hewlett-Packard Co. has fixed flaws in a patch-management program bundled with its computers, printers and other hardware that could be used by hackers to "brick" HP or Compaq PCs.

In an alert sent to customers who subscribe to its security warning service, HP said users should run Software Update to patch the flaws disclosed last week by a Polish researcher known only by his alias, "porkythepig." A pair of bugs in the update service's ActiveX control can be used to execute remote code or gain additional access rights, porkythepig said then. He also posted proof-of-concept exploit code that showed how to use one of the vulnerabilities to overwrite and corrupt crucial Windows system files, an attack that would leave any affected PC unbootable.

Full Story at computerworld.com 

 

Posted Mon, Dec 24 2007 13:23 by Don

Google is using its YouTube video site as a forum for explaining its privacy practices to the millions of consumers who use its products every day.

The company launched a Privacy Channel on YouTube about two months ago.

The videos aren't professionally produced; they are made by Google engineers, product managers, and Google public relations representatives using a handheld video camera, according to Victoria Grand, a manager of public affairs, who came up with the idea.

Full Story at news.com 

 

Posted Sun, Dec 23 2007 5:23 by Don

Summary

The following bulletin has undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS07-069 - Critical

Bulletin Information:

* MS07-069 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-069.mspx
  - Reason for Revision: Bulletin revised to reflect a new Security
    Update FAQ entry for a known issue documented in KB946627. 
  - Originally posted: December 11, 2007
  - Updated: December 20, 2007
  - Bulletin Severity Rating: Critical
  - Version: 1.3
 

Google says it has repaired a security issue in its Orkut social networking site that allowed a worm to propagate among at least 400,000 Orkut users.

"Google takes the security of our users very seriously," a company spokesperson said in an e-mail Wednesday evening. "We worked quickly to implement a fix for the issue recently reported in Orkut. We also took steps to help prevent similar problems in the future. Service to Orkut was not disrupted during this time."

Full Story at informationweek.com 

 

Posted Thu, Dec 20 2007 15:31 by Don

Platform: All platforms

Affected software versions: Adobe Flash Player 9.0.48.0 and earlier, 8.0.35.0 and earlier, and 7.0.70.0 and earlier.

Summary

Critical vulnerabilities have been identified in Adobe Flash Player that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these potential vulnerabilities. Users are recommended to update to the most current version of Flash Player available for their platform.

http://www.adobe.com/support/security/bulletins/apsb07-20.html  

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS07-063 - Important
  * MS07-064 - Critical
  * MS07-065 - Important
  * MS07-066 - Important
  * MS07-068 - Critical
  * MS07-069 - Critical

Bulletin Information:


* MS07-063 - Important
http://www.microsoft.com/technet/security/bulletin/ms07-063.mspx
  - Reason for Revision: Bulletin updated to reflect a change to the
    Removal Information text in the Reference Table portion of the
    Security Update Information section.
  - Originally posted: December 11, 2007
  - Updated: December 19, 2007
  - Bulletin Severity Rating: Critical
  - Version: 1.1

   
* MS07-064 - Critical
http://www.microsoft.com/technet/security/bulletin/ms07-064.mspx
  - Reason for Revision: Bulletin updated to reflect a change to the
    Removal Information text in the Windows Vista Reference Table
    portion of the Security Update Information section. Also
    removed the web-based mitigation from vulnerability
    CVE-2007-3901.
  - Originally posted: December 11, 2007
  - Updated: December 19, 2007
  - Bulletin Severity Rating: Critical
  - Version: 1.2

       
* MS07-065 - Important
http://www.microsoft.com/technet/security/bulletin/ms07-065.mspx
  - Reason for Revision: Bulletin updated to combine references to
    Windows 2000 Professional and Windows 2000 Server with a
    reference to Windows 2000 due to both platforms sharing the
    same vulnerability and severity. 
  - Originally posted: December 11, 2007
  - Updated: December 19, 2007
  - Bulletin Severity Rating: Important
  - Version: 1.2
   

* MS07-066 - Important
http://www.microsoft.com/technet/security/bulletin/ms07-066.mspx
  - Reason for Revision: Bulletin updated to reflect a change to
    the Removal Information text in the Reference Table portion
    of the Security Update Information section. 
  - Originally posted: December 11, 2007
  - Updated: December 19, 2007
  - Bulletin Severity Rating: Important
  - Version: 1.2

       
* MS07-068 - Critical
http://www.microsoft.com/technet/security/bulletin/ms07-068.mspx
  - Reason for Revision: Bulletin updated to reflect a change to
    the Removal Information text in the Reference Table portion
    of the Security Update Information section for Windows Vista. 
  - Originally posted: December 11, 2007
  - Updated: December 19, 2007
  - Bulletin Severity Rating: Critical
  - Version: 1.1


* MS07-069 - Critical
http://www.microsoft.com/technet/security/bulletin/ms07-069.mspx
  - Reason for Revision: Bulletin updated to reflect a known issue;
    a change to the Removal Information text in the Windows Vista
    Reference Table in the Security Update Information section;
    and, a change to the File Information text in the Reference Table
    within the Security Update Information section for all affected
    operating systems.
  - Originally posted: December 11, 2007
  - Updated: December 18, 2007
  - Bulletin Severity Rating: Critical
  - Version: 1.2
 

Google Inc. said Tuesday that it is working to fix a bug in its Google Toolbar software that could enable cybercriminals to steal data or install malicious software on systems.

The flaw lies in the mechanism for adding custom buttons to the tool bar, according to a blog posting by security researcher Aviv Raff, who issued the first warning about the problem.

Because the tool bar doesn't perform adequate checks when new buttons are being installed, an attacker could spoof the origin of a button and make it appear to be coming from a legitimate Web site, Raff wrote. He added that the attacker then could download malicious files or launch phishing attacks against users who install the button on their tool bars.

Full Story at computerworld.com 

 

Posted Wed, Dec 19 2007 17:57 by Don

New trojan software has been found picking the pockets of Google and its publishing partners, and potentially exposing Web surfers to more malware.

Bit Defender, a software security company based in Bucharest, Romania, on Tuesday said that it had detected a new trojan (Trojan.Qhost.WU) that replaces Google AdSense text ads with ads from a different, potentially malicious provider.

Full Story at informationweek.com 

 

Posted Wed, Dec 19 2007 10:27 by Don

Apple on Monday released security updates for its Mac OS X and Windows customers that repair vulnerabilities in a number of Mac operating system components, as well as Apple's Safari Web browser and the Flash and Shockwave browser plug-ins.

Mac versions of the Security Update 2007-009 update are available for Mac OS X 10.4.11 and Mac OS X 10.5.1. The Windows version, Safari 3 Beta Update 3.0.4 Security Update, is available for XP and Vista users.

"Several of these issues are rather serious, so we strongly advise installing these updates at your earliest convenience," said Maarten Van Horenbeeck, an Internet Storm Center handler and a security consultant for Verizon Business, in a blog post.

Full story at informationweek.com 

 

Posted Wed, Dec 19 2007 4:23 by Don

Apple Inc. has updated Java for Mac OS X 10.4, aka Tiger, to patch 18 different vulnerabilities, including some fixed as long ago as May by Java's maker, Sun Microsystems Inc.

Apple's newest operating system, dubbed Leopard, does not need to be patched because it includes the updated Java components.

According to the accompanying advisory, Tiger's Java, Java 1.4 and J2SE 5.0 contain flaws that in some cases can lead to what Apple calls "arbitrary code execution," which means that attackers may be able to insert their own malware during an exploit and/or gain complete control of the machine. Apple, unlike rivals such as Microsoft Corp., does not rank or rate its security updates to give users an idea of the severity of the bugs.

Full Story at computerworld.com 

 

Posted Sun, Dec 16 2007 14:30 by Don

Five security vendors--Cisco Systems, Checkpoint, IBM, McAfee, and Symantec--have spent more than $3.7 billion over the past two years acquiring companies and products to support their vision of holistic threat management. This frenzy stems from the spurious notion that your entire infrastructure, your applications, your policies, your processes, and your people can mesh into a unified threat management framework that will ward off intruders, malicious insiders, petulant auditors, and ignorant users.

It's a compelling vision and an ideal goal. It's also impossible.

Full story at informationweek.com 

 

Posted Sat, Dec 15 2007 5:48 by Don

Apple released an update for its QuickTime media software on Thursday, fixing at least three vulnerabilities in the program, including a flaw in the way the software handles streaming content.

The patch, which upgrades the software to version 7.3.1, closes a security hole in the way that the media player handles data from a server using the Real-Time Stream Protocol (RTSP). A Polish security researcher disclosed the flaw in November.

http://www.securityfocus.com/brief/645 

 

Posted Sat, Dec 15 2007 3:03 by Don

Nearly 85 percent of privacy and security professionals believe a reportable breach of personally identifiable information (PII) occurred within their organization in the last year, according to an online survey of 800 such professionals published on Tuesday by accounting firm Deloitte & Touche and the Ponemon Institute.

http://www.securityfocus.com/brief/644 

Posted Fri, Dec 14 2007 2:36 by Don

Websense® Security Labs(TM) has discovered a new email attack that uses a spoofed email claiming to be from the United States Department of Treasury. This is similar to previous attacks claiming to originate from the IRS, Better Business Bureau, and Department of Justice. We have been tracking all of these attacks, and reporting them as they are discovered.

The message claims that a complaint to the Department of Treasury has been filed against the recipient's company. The email informs the reader that a copy of the original complaint has been attached to the email.

The attached "complaint" is a Trojan downloader with some backdoor capabilities. It is a ".pif" file with an MD5 of 9e19d23f27ebf9cfe1b9103066a3019e. It appears, however, that different versions of the Trojan are sent, based on the targeted recipient or company.

Email screenshot available within full alert

Posted Thu, Dec 13 2007 13:13 by Don

AskEraser may remove user search query data from Ask.com's servers, but deleted data may live on, in part at least, on Google's servers. That's because Google delivers the bulk of the ads on Ask.com, based on information provided by Ask.

This week Ask.com launched its new AskEraser program to eliminate users' IP addresses, user IDs, session ID cookies, and the complete text of search queries if users ask for it. In some cases, however, gone from an Ask.com server does not mean gone for good.

Full story at informationweek.com 

 

Posted Thu, Dec 13 2007 8:46 by Don

Issued: December 12, 2007

Summary

The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

  * MS06-078

Bulletin Information:

* MS06-078

 - http://www.microsoft.com/technet/security/bulletin/ms06-078.mspx
 - Reason for Revision: V4.0 (December 12, 2007): Bulletin updated
    to add Microsoft Windows XP Professional x64 Edition Service
    Pack 2 and Microsoft Windows Server 2003 x64 Edition Service
    Pack 2 to the "Affected Software" section for Microsoft
    Windows Media Player 6.4 (KB925398). No action is required on
    systems where the security update has been successfully
    installed.
 - Originally posted: December 12, 2006
 - Updated: December 12, 2007
 - Bulletin Severity Rating: Critical
 - Version: 4.0
 
