January 2008 - Posts

Issued: January 15, 2008

Security Advisories Released Today

 * Microsoft Security Advisory (947563)
  - Title: Vulnerability in Microsoft Excel Could Allow
    Remote Code Execution
  - http://www.microsoft.com/technet/security/advisory/947563.mspx
  - Revision Note: Advisory Published. 

The SANS Institute on Monday released its take on the top ten cyber security threats for 2008. Leading the list is a rise in the number of attacks on Web browsers, a growing amount of botnets, and sophisticated cyber-espionage.

Twelve noted cyber security experts -- Stephen Northcutt, Ed Skoudis, Marc Sachs, Johannes Ullrich, Tom Liston, Eric Cole, Eugene Schultz, Rohit Dhamankar, Amit Yoran, Howard Schmidt, Will Pelgrin, and Alan Paller -- helped compile the list. Released in conjunction with the SANS Security 2008 conference in New Orleans, the list represents a collective assessment of the online attack vectors most likely to cause damage in the year ahead.

Continues at informationweek.com 

 

Posted Tue, Jan 15 2008 8:32 by Don

Thousands of legitimate Web sites are hosting an infection kit that evades detection by attempting to compromise each visitor only once and using a different file name each time, Web security firm Finjan warned on Monday.

The attack, dubbed the "Random JS toolkit" by the security firm, currently uses dozens of hosting servers and more than 10,000 legitimate domains to attempt to exploit the systems of visitors to the sites, the company said in an analysis posted to its Web site.

Full Story at securityfocus.com 

Posted Tue, Jan 15 2008 5:26 by Don

A new Trojan program is targeting unwitting users' bank data by intercepting account information before it is encrypted and sending it to an attacker's central database.

The Trojan, dubbed Trojan.Silentbanker by security software company Symantec, can intercept online banking transactions that normally are well guarded by two-factor authentication procedures. During a banking transaction, Silentbanker will change the user's bank account details over to the attacker's account, all the while mimicking what the user would expect to see from a typical banking transaction. Because users have no idea their account data has been changed, they then unknowingly send money to the attacker's account after entering their second authentication password.

Full Story at computerworld.com 

 

Posted Tue, Jan 15 2008 4:37 by Don

Top Ten Viruses for 2007

According to GRISOFT global security strategist Larry Bridwell, the 10 viruses exhibiting the most staying power in 2007 are:

1. Win32/Virut
2. I-Worm/Stration
3. I-Worm/Nuwar
4. Downloader.Tibs
5. Downloader.Zlob
6. BackDoor.Hupigon
7. PSW.OnlineGames
8. I-Worm/Netsky
9. I-Worm/Mytob
10. Worm/Feebs

Full Story 

 

Posted Mon, Jan 14 2008 8:28 by Don

Even if a Web site displays a seal certifying that it is hackproof, it may not always be immune to security breaches.

A case in point is Geeks.com, which on Jan. 4 began notifying an undisclosed number of customers that their personal and financial data may have been compromised. The online technology retailer, whose formal name is Genica Corp., said in a warning letter that it discovered the system intrusion on Dec. 5.

The compromised information included names, addresses, telephone numbers and Visa credit card numbers, according to a copy of the letter posted on The Consumerist blog.

Full Story at computerworld.com 

Posted Mon, Jan 14 2008 6:25 by Don

Oracle plans to release a Critical Patch Update for its products on Tuesday, January 15. The patch corrects vulnerabilities in multiple Oracle products.

Oracle said on Thursday it plans to release 27 security fixes for its business software, including Oracle Database, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle Enterprise Manager Grid Control, Oracle PeopleSoft Enterprise PeopleTools, and Oracle PeopleSoft Enterprise Human Capital Management.

Full Story at informationweek.com 

 

Posted Fri, Jan 11 2008 14:42 by Don

Issued: January 9, 2008

Summary

The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

  * MS07-042 - Critical

Bulletin Information:

* MS07-042 - Critical

 - http://www.microsoft.com/technet/security/bulletin/ms07-042.mspx
 - Reason for Revision: Bulletin updated: Added Microsoft Word
    Viewer 2003 as an affected product. Also added an Update FAQ
    clarifying the kill bit for Microsoft XML Parser 2.6 and its
    applicability to this security update. 
 - Originally posted: August 14, 2007
 - Updated: January 9, 2008
 - Bulletin Severity Rating: Critical
 - Version: 3.0
 

Issued: January 9, 2008

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS07-064 - Critical
  * MS07-057 - Critical

Bulletin Information:

* MS07-064 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-064.mspx
  - Reason for Revision: Bulletin updated to remove known issues
    notation. This update does not have any known issues. 
  - Originally posted: December 11, 2007
  - Updated: January 9, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.3
   
* MS07-057 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-057.mspx
  - Reason for Revision: Revised to add a known issue. 
  - Originally posted: October 9, 2007
  - Updated: January 9, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.2

In the past month, at least three consumers have reported that photo frames -- small flat-panel displays for displaying digital images -- received over the holidays attempted to install malicious code on their computer systems, according to the Internet Storm Center, a network-threat monitoring group. Each case involved the same product and the same chain of stores, suggesting that the electronic systems were infected at the factory or somewhere during shipping, said Marcus Sachs, who volunteers as the director of the Internet Storm Center.

http://www.securityfocus.com/news/11499 

Posted Wed, Jan 9 2008 13:09 by Don

Security Advisories Updated or Released Today

 * Microsoft Security Advisory (943411)
  - Title: Update to Improve Windows Sidebar Protection
  - http://www.microsoft.com/technet/security/advisory/943411.mspx
  - Revision Note: Advisory Published.

Websense(R) Security Labs(TM) has discovered a new email attack that uses a spoofed email claiming to be from the National Payroll Reporting Consortium (NPRC). This is similar to previous attacks claiming to originate from the IRS, Better Business Bureau, and Department of Justice. We have been tracking all of these attacks, and reporting them as they are discovered.

The message claims that the recipient's company has made numerous misrepresentations regarding worker classification to lower compensation costs. The email asks the recipient to fill in an attached form and fax it to NPRC's fraud department in order to resolve the issue.

The attachment is a Trojan downloader with some backdoor capabilities. It is a malicious Windows executable file with an MD5 of 854e259c7c0ac6fb2a26963a9d77600d.

For additional details and information

Posted Tue, Jan 8 2008 18:15 by Don
January 8, 2008

Today Microsoft released the following Security Bulletin(s). 

Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.

Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.

January Bulletin Summary

Critical

MS08-001 - Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (941644)

Important

MS08-002 - Vulnerability in LSASS Could Allow Local Elevation of Privilege (943485)

This represents our regularly scheduled monthly bulletin release (second Tuesday of each month). Please note that Microsoft may release bulletins outside of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.
 

Visitors to the Consumer Electronics Show in Las Vegas this week might want to forgo freebie flash drives, or at least use them with caution. The SANS Internet Storm Center has published several anecdotal reports indicating that computer peripherals like USB flash drives and consumer electronics products like digital picture frames have been found infested with malware.

Full Story at informationweek.com 

Posted Mon, Jan 7 2008 16:04 by Don

Adobe Flash files created by a number of Web authoring platforms could be co-opted by an online fraudster to conduct a cross-site scripting attack, security researchers stated last week.

A paper authored by Google security researcher Richard Canning found that the Flash files created by at least five Web site authoring systems, including Adobe Dreamweaver and InfoSoft FusionCharts, could be used to bypass anti-phishing measures. By creating a link that passes JavaScript code to the Flash files, an attacker can cause a victim to run malicious code in the security context of a potentially trusted Web server, Canning stated in a summary of his findings.

http://www.securityfocus.com/brief/658 

 

Posted Mon, Jan 7 2008 16:02 by Don

Sears Holdings has taken part of its Managemyhome.com Web site offline following revelations that the site was making customers' purchasing histories publicly available.

Sears disabled the site's "Find your products" section on Friday following criticism from privacy advocates, who said that fraudsters could use information provided by the site to scam Sears customers.

"We take our customers' privacy concerns very seriously. As a result, we have turned off the ability to view a customer's purchase history on Manage My Home until we can implement a validation process that will restrict access by unauthorized third parties," said Sears spokeswoman Kimberly Freely in an e-mail.

Full story at computerworld.com 

 

Posted Sat, Jan 5 2008 1:46 by Don

US-CERT, the U.S. Department of Homeland Security's cybersecurity arm, on Wednesday issued two warnings.

The first notice concerns the public availability of exploit code for RealPlayer 11 build 6.0.14.748. US-CERT said it will provide additional information when available.

The second notice concerns a vulnerability in Flash (.swf) files that may allow a remote, unauthenticated attacker to execute a cross-site scripting (XSS) attack on vulnerable systems. The vulnerability has to do with the way that input is validated when passed to an embedded ActionScript and JavaScript in the Flash file.

Flash authoring tools, said US-CERT, may generate Flash files that are vulnerable.

Full story at informationweek.com 

 

Posted Fri, Jan 4 2008 3:46 by Don

Underscoring the difficulty in keeping up with the pace of malicious code development, two antivirus companies published their latest tally of the menagerie of malicious code against which they have to protect their customers.

On Wednesday, antivirus firm F-Secure announced that the total number of "detections" -- or variants -- of viruses, worms, Trojan horses and other malicious code reached 500,000 in the last week of 2007, counting from 1986. In December, McAfee estimated that its own count of malicious code would surpass 360,000 by the end of the year.

http://www.securityfocus.com/brief/655 

 

Posted Thu, Jan 3 2008 15:24 by Don

Issued: January 3, 2008

This is an advance notification of two security bulletins that
Microsoft is intending to release on January 8, 2008.

This bulletin advance notification will be replaced with the
January bulletin summary on January 8, 2008. For more information
about the bulletin advance notification service, see
http://www.microsoft.com/technet/security/bulletin/ms08-jan.mspx

Microsoft will host a webcast to address customer questions on
these bulletins on Wednesday, January 9, 2008,
at 11:00 AM Pacific Time (US & Canada). Register for the January
Security Bulletin Webcast at
http://www.microsoft.com/technet/security/bulletin/summary.mspx.

Critical Security Bulletins

Microsoft Security Bulletin 1

  - Affected Software:
    - Microsoft Windows 2000 Service Pack 4
    - Windows XP Service Pack 2
    - Windows XP Professional x64 Edition
    - Windows XP Professional x64 Edition Service Pack 2
    - Windows Server 2003 Service Pack 1
    - Windows Server 2003 Service Pack 2
    - Windows Server 2003 x64 Edition
    - Windows Server 2003 x64 Edition Service Pack 2
    - Windows Server 2003 with SP1 for Itanium-based Systems
    - Windows Server 2003 with SP2 for Itanium-based Systems
    - Windows Vista
    - Windows Vista x64 Edition

    - Impact: Remote Code Execution
    - Version Number: 1.0

Important Security Bulletins

Microsoft Security Bulletin 2

  - Affected Software:
    - Microsoft Windows 2000 Service Pack 4
    - Windows XP Service Pack 2
    - Windows XP Professional x64 Edition
    - Windows XP Professional x64 Edition Service Pack 2
    - Windows Server 2003 Service Pack 1
    - Windows Server 2003 Service Pack 2
    - Windows Server 2003 x64 Edition
    - Windows Server 2003 x64 Edition Service Pack 2
    - Windows Server 2003 with SP1 for Itanium-based Systems
    - Windows Server 2003 with SP2 for Itanium-based Systems

    - Impact: Local Elevation of Privilege
    - Version Number: 1.0

Other Information

Microsoft Windows Malicious Software Removal Tool:

Microsoft will release an updated version of the Microsoft Windows
Malicious Software Removal Tool on Windows Update, Microsoft Update,
Windows Server Update Services, and the Download Center.

Note that this tool will not be distributed using
Software Update Services (SUS).

Non-Security, High-Priority Updates on MU, WU, and WSUS:

For this month:

* Microsoft is planning to release five non-security,
  high-priority updates on Microsoft Update (MU) and
  Windows Server Update Services (WSUS).

* Microsoft is planning to release two non-security,
  high-priority updates for Windows on Windows Update (WU) and
  WSUS.

Note that this information pertains only to non-security,
high-priority updates on Microsoft Update, Windows Update,
Windows Server Update Services, and
Software Update Services released on the same day as the Security
Bulletin Summary. Information will not be provided about
non-security updates released on other days.
 

New "ransomware" that locks up a person's PC and demands $35 to return control to its user is on the prowl, a security researcher said this week.

The extortionists tell victims of the Delf.ctk Trojan horse to dial a 900 number, said Alex Eckelberry, CEO of Sunbelt Software Distribution Inc., a Clearwater, Fla.-based security developer. That number can be traced to "passwordtwoenter.com," a payment processor also used by hardcore pornography Web sites to charge for access to their content, added Eckelberry.

Story continues at computerworld.com 

 

Posted Thu, Jan 3 2008 4:52 by Don