DP's Security Bits

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have advised the Apple Macintosh community not to panic following the discovery of another Trojan horse for the Mac OS X platform. Instead, Apple Mac lovers are advised to ensure that they continue to take personal computer security seriously and have a secure defense in place.

The Trojan, named Troj/MacSwp-B (also known as Imunizator), tries to scare Mac users into purchasing unnecessary software by claiming that privacy issues have been discovered on the computer.

Full story at sophos.com 

Flaws that allow cross-site scripting attacks through Adobe Flash files could let attackers compromise online accounts and local networks. Yet, Web publishers have been slow to fix their sites, a security researcher says.

http://www.securityfocus.com/news/11511 

Issued: March 26, 2008

Summary

The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

  * MS07-025

Bulletin Information:

* MS07-025

 - http://www.microsoft.com/technet/security/bulletin/ms07-025.mspx
 - Reason for Revision: V2.0 (March 26, 2008): This Bulletin has
    been revised to add Microsoft Office Compatibility Pack for
    Word, Excel, and PowerPoint 2007 File Formats and Microsoft
    Office Compatibility Pack for Word, Excel, and PowerPoint
    2007 File Formats Service Pack 1 to the Affected Software list. 
 - Originally posted: May 8, 2007
 - Updated: March 26, 2008
 - Bulletin Severity Rating: Critical
 - Version: 2.0

Issued: March 25, 2008

Summary

The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

  * MS07-040 - Critical

Bulletin Information:

* MS07-040 - Critical

 - http://www.microsoft.com/technet/security/bulletin/ms07-040.mspx
 - Reason for Revision: Bulletin Updated: Added .NET Framework 1.0
    (KB928367) and .NET Framework 1.1 (KB929729) as affected
    components for Windows Vista Service Pack 1 and Windows
    Server 2008.  
 - Originally posted: July 10, 2007
 - Updated: March 25, 2008
 - Bulletin Severity Rating: Critical
 - Version: 2.0

On Tuesday, Anti-Malware Test Lab and AV-Comparatives.org announced an alliance toward becoming one of the most respected sources of objective and independent information about antivirus products. Together they intend to create a unique system of integrated tests for determining the effectiveness of commercial antivirus software by the end of 2008.

Andrea Clementi, founder of AV-Comparatives, said in a statement that "the partnership with Anti-Malware Test Lab will allow us to evaluate more aspects of antivirus software and to offer users a more comprehensive independent view of various security products."

Clementi further hinted that if this alliance works out, there may be additional alliances of independent antivirus software-testing labs.

Continues at news.com 

Issued: March 21, 2008

Security Advisories Updated or Released Today

 * Microsoft Security Advisory (950627)
  - Title: Vulnerability in Microsoft Jet Database
    Engine (Jet) Could Allow Remote Code Execution
  - http://www.microsoft.com/technet/security/advisory/950627.mspx
  - Revision Note: Advisory published   
 

Cybercriminals will find ways to reach your confidential information unless your network is securely protected.

With tax season coming down to the wire, most American households are preparing to fire up their web browsers in order to use one of the main online tax preparation software programs in order to begin the dreary, but necessary, task of filing tax documentation for the year.

Filing tax returns is one of the yearly tasks American households must add to their already-busy schedules. Without proper network security, households risk having not only their networks attacked, but also risk losing personal information. Some think that having a basic antivirus solution is enough to prevent intrusions. Others may not even be aware that their computer could be at risk. To help American households prevent identity theft, BitDefender® is offering valuable tips to follow this tax season.

Source: BitDefender 

Pennsylvania took down its online voter registration Wednesday after discovering it failed to protect personal data, and the vulnerability was apparently caused by a programming error.

A Digg user reported earlier this week that Pennsylvania's online voter registration Web site exposed voters' personal information.

"This was discovered after filling out a registration myself," the Digg contributor wrote. "Being a security conscious programmer, I decided to test."

The programmer said that the printable voter application -- which users could fill out online, print out, and mail to election officials -- was not protected by authentication or validation.

Before the site shut down, PDFs containing names, dates of birth, and portions of Social Security numbers of some voters could be accessed through the state's servers.

Full story at informationweek.com 

Facebook plans to roll out new privacy features on Wednesday that will give users more control over who sees the data stored on their profile pages.

The new privacy controls will allow users to choose which of their friends can see information such as their photo albums, mobile phone number or e-mail address. Facebook users will also be able to share information about themselves with a wider group of people, thanks to a new "friends-of-friends" feature that is also expected to be available on Wednesday.

Story continues at computerworld.com 

Issued: March 19, 2008

Summary

The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

  * MS08-014 - Critical

Bulletin Information:

* MS08-014 - Critical

 - http://www.microsoft.com/technet/security/bulletin/ms08-014.mspx
 - Reason for Revision: V3.0 (March 19, 2008): Bulletin updated.
    Added Excel Viewer 2003 Service Pack 3 and Compatibility Pack
    Service Pack 1 to non-affected software. Added FAQ added
    about re-release to fix known issues relating to Excel 2003
    Service Pack 2 or Service Pack 3. Updated the file name of
    the Excel 2003 update executable. 
 - Originally posted: March 11, 2008
 - Updated: March 19, 2008
 - Bulletin Severity Rating: Critical
 - Version: 3.0

Apple Inc. today patched 13 vulnerabilities in Safari with an update that takes the browser to Version 3.1.

The new Safari, which Apple proclaimed is "the world's fastest Web browser for Mac and Windows PCs," fixed 10 flaws afflicting both the Mac and Windows editions, and three that affect Safari for Windows XP and Windows Vista. The majority of the 13 vulnerabilities were cross-site scripting bugs.

Full story at computerworld.com 

The CanSecWest conference announced on Tuesday the format for this year's competition in which security pros can attempt to compromise a laptop computer's operating system to win the laptop and potentially a cash reward.

Dubbed the "PWN2OWN" competition, the contest will give security professionals the opportunity to hack one of three systems: up-to-date versions of Microsoft's Windows Vista, Apple's Mac OS X, and Ubuntu Linux. To win the contest, a person must run code on the laptop using a previously unknown vulnerability in the operating system or a major application, such as a Web browser, a plug-in browser program, an instant messaging client, or an e-mail reader.

http://www.securityfocus.com/brief/705 

Google Apps users now have a more secure way to log on to the online groupware service.

Arcot Systems on Wednesday announced that it was making its A-OK On-Demand authentication service available to Google Apps Premier Edition users to add another layer of security to the logon process.

Typically Google Apps users enter a username and password to get access to the Web-based mail, calendar and groupware software, but with the A-OK product they also use an encrypted file that is stored on their computer to add a second factor of authentication. As with online banking products, if the user tries to log on from a different computer, A-OK will ask predetermined questions, such as "What high school did you attend," before granting the user access to Google Apps.

Story at computerworld.com 

Issued: March 13, 2008

Summary

The following bulletin has undergone a major revision increment.
Please see the bulletin for more detail.

  * MS08-014 - Critical

Bulletin Information:

* MS08-014 - Critical

 - http://www.microsoft.com/technet/security/bulletin/ms08-014.mspx
 - Reason for Revision: FAQ added about known issues relating to
    users of Excel 2003 Service Pack 2 or Service Pack 3 
 - Originally posted: March 11, 2008
 - Updated: March 13, 2008
 - Bulletin Severity Rating: Critical
 - Version: 2.0

Hackers looking to steal passwords used in popular online games have infected more than 10,000 Web pages in recent days.

The Web attack, which appears to be a coordinated effort run out of servers in China, was first noticed by McAfee researchers on Wednesday morning. Within hours, the security company had tracked more than 10,000 Web pages infected on hundreds of Web sites.

Full Story at computerworld.com 

Online fraudsters have continued to expand their efforts this week to inject iframe attacks into the optimized search results of major Web sites.

The attack abuses a common practice among Web sites -- caching search queries -- an activity designed to boost their rankings among major search engines, such as Google, according to security researcher Dancho Danchev. The attackers inject common search terms and an iframe script designed to send victims to other sites hosting malicious code. The search term and iframe redirect get cached in search engines such as Google.

http://www.securityfocus.com/brief/701 

Issued: March 12, 2008

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS08-017 - Critical
  * MS08-016 - Critical
  * MS08-015 - Critical
  * MS08-014 - Critical

Bulletin Information:

* MS08-017 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-017.mspx
  - Reason for Revision: V1.1 (March 12, 2008): Bulletin updated to
    reflect new download link for Microsoft Office Web Components
    2000 for BizTalk Server 2000 and 2002. Also corrected the
    registry key for verifying the update for ISA Server. 
  - Originally posted: March 11, 2008
  - Updated: March 12, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.1
   
* MS08-016 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-016.mspx
  - Reason for Revision: V1.1 (March 12, 2008): Bulletin updated. FAQ
    added to clarify the reason why a non-vulnerable version of
    Office will be offered this update. Also removed MS07-015 as
    a replaced bulletin for Microsoft Office XP Service Pack 3. 
  - Originally posted: March 11, 2008
  - Updated: March 12, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.1
   
* MS08-015 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-015.mspx
  - Reason for Revision: V1.1 (March 12, 2008): Bulletin updated. FAQ
    added to clarify the reason why a non-vulnerable version of
    Office will be offered this update. Also updated the
    vulnerability FAQs and the file information tables for
    Outlook 2000 and Outlook 2003. 
  - Originally posted: March 11, 2008
  - Updated: March 12, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.1
   
* MS08-014 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-014.mspx
  - Reason for Revision: V1.1 (March 12, 2008): Bulletin updated. FAQ
    added to clarify the reason why a non-vulnerable version of
    Office will be offered this update. 
  - Originally posted: March 11, 2008
  - Updated: March 12, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.1

Issued: March 12, 2008

Security Advisories Updated or Released Today

 * Microsoft Security Advisory (947563)
  - Title: Vulnerability in Microsoft Excel Could Allow
    Remote Code Execution
  - http://www.microsoft.com/technet/security/advisory/947563.mspx
  - Revision Note: Advisory updated to reflect the correct
    Excel file formats in the MOICE Workarounds section

A U.S. judge has granted a request by the Federal Trade Commission for a judgment against a company accused of distributing spyware and adware onto people's computers.

A judge in the U.S. District Court for the District of Nevada has ordered Timothy P. Taylor to give up $4,595.36, the money he made from a scheme that tricked consumers into downloading spyware by offering free screensavers and videos on his TeamTaylorMade.com Web site, the FTC said Monday.

Software on Taylor's site included spyware called Media Motor from ERG Ventures that changed consumers' home pages, tracked their Internet activity, altered browser settings, degraded computer performance and disabled antispyware and antivirus software, the FTC said.

Full story at computerworld.com