April 2008 - Posts

Microsoft Security Bulletin Minor Revisions
Issued: April 30, 2008

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS08-016 - Critical
  * MS07-025

Bulletin Information:

* MS08-016 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-016.mspx
  - Reason for Revision: V2.1 (April 30, 2008): Bulletin updated.
    Added a new entry to the Update FAQ describing additional
    security features included in the update for Microsoft Office
    2003 Service Pack 2. 
  - Originally posted: March 11, 2008
  - Updated: April 30, 2008
  - Bulletin Severity Rating: Critical
  - Version: 2.1
   
* MS07-025

  - http://www.microsoft.com/technet/security/bulletin/ms07-025.mspx
  - Reason for Revision: V2.1 (April 30, 2008): This Bulletin has
    been revised to move Microsoft Office Compatibility Pack for
    Word, Excel, and PowerPoint 2007 File Formats Service Pack 1
    from the Affected Software list to the Non-Affected Software
    list.
  - Originally posted: May 8, 2007
  - Updated: April 30, 2008
  - Bulletin Severity Rating: Critical
  - Version: 2.1
 

Attackers are increasingly exploiting common database vulnerabilities to leave behind code on thousands of sites, redirecting visitors to servers that host malicious downloads, security experts warned last week.

The attacks, which apparently started at the beginning of April, attempt to use any field on a Web site that accepts user input to execute commands on the database that stores the site's information. Since most databases use some variant of the structured query language (SQL), the attack is known as SQL injection.

http://www.securityfocus.com/brief/729 


Posted Tue, Apr 29 2008 12:33 by Don
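An added example, not taken from the SecurityFocus brief above, showing at the query level why a form field that accepts user input can end up executing SQL, and why binding the value as a parameter prevents it. It uses an in-memory SQLite table with constructed rows.

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for a site's content table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)",
                     [(1, "Welcome"), (2, "News"), (3, "O'Brien interview")])
    return conn

def lookup_vulnerable(conn, title):
    # The user-supplied value is pasted into the SQL text, so any quote
    # or keyword inside it is parsed as part of the statement.
    sql = "SELECT id FROM articles WHERE title = '%s'" % title
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError:
        return None  # the input broke the statement's syntax

def lookup_safe(conn, title):
    # Placeholder binding: the driver hands the value to the engine
    # separately from the statement text, so it is always treated as data.
    sql = "SELECT id FROM articles WHERE title = ?"
    return [row[0] for row in conn.execute(sql, (title,))]

def demo():
    conn = make_db()
    apostrophe = "O'Brien interview"   # legitimate value containing a quote
    crafted = "x' OR '1'='1"           # constructed input carrying SQL syntax
    return {
        "normal_vuln": lookup_vulnerable(conn, "News"),
        "normal_safe": lookup_safe(conn, "News"),
        "apostrophe_vuln": lookup_vulnerable(conn, apostrophe),  # None: syntax error
        "apostrophe_safe": lookup_safe(conn, apostrophe),        # [3]
        "crafted_vuln": lookup_vulnerable(conn, crafted),        # every row
        "crafted_safe": lookup_safe(conn, crafted),              # [] (no such title)
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The apostrophe case is the tell-tale symptom to look for in application error logs: a legitimate value that merely contains a quote breaks the concatenated query, which means any input reaches the parser as SQL.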

US-CERT is aware of a public report indicating that a phishing scam is circulating. This scam is related to the U.S. Internal Revenue Service economic stimulus rebate and arrives via email messages that appear to be from the IRS. The messages include text that attempts to convince users to follow a link to a website before a deadline to expedite the rebate process. This website requests that the user provide bank account information.

US-CERT encourages users to do the following to help mitigate the risks:

http://www.us-cert.gov/current/index.html#irs_rebate_phishing_scam

Posted Fri, Apr 25 2008 3:17 by Don

Microsoft Security Bulletin Minor Revisions
Issued: April 23, 2008

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS08-024 - Critical
  * MS08-023 - Critical
  * MS08-019 - Important
  * MS07-040 - Critical
  * MS07-015

Bulletin Information:

* MS08-024 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-024.mspx
  - Reason for Revision: V2.1 (April 23, 2008): Bulletin updated:
    Removed erroneous references to Windows XP Professional x64
    Edition Service Pack 3. 
  - Originally posted: April 8, 2008
  - Updated: April 23, 2008
  - Bulletin Severity Rating: Critical
  - Version: 2.1
   
* MS08-023 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-023.mspx
  - Reason for Revision: Corrected the Registry Key Verification for
    all supported x64-based editions of Windows Server 2003 
  - Originally posted: April 8, 2008
  - Updated: April 23, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.2
   
* MS08-019 - Important

  - http://www.microsoft.com/technet/security/bulletin/ms08-019.mspx
  - Reason for Revision: V1.5 (April 23, 2008): Clarified the Update
    FAQ entry about the last revision, dated April 18. That
    change was a detection change only that does not affect the
    files contained in the initial update. 
  - Originally posted: April 8, 2008
  - Updated: April 23, 2008
  - Bulletin Severity Rating: Important
  - Version: 1.5
   
* MS07-040 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-040.mspx
  - Reason for Revision: V3.1 (April 23, 2008): Bulletin updated:
    Removed erroneous references to Windows XP Professional x64
    Edition Service Pack 3. 
  - Originally posted: July 10, 2007
  - Updated: April 23, 2008
  - Bulletin Severity Rating: Critical
  - Version: 3.1
   
* MS07-015

  - http://www.microsoft.com/technet/security/bulletin/ms07-015.mspx
  - Reason for Revision: V1.2 (April 23, 2008) Bulletin updated:
    Microsoft Visio 2002 removed from Microsoft Office XP Service
    Pack 3 section of Affected Software table. Microsoft Visio
    2002 Service Pack 2 is listed separately in the Affected
    Software table. 
  - Originally posted: February 13, 2007
  - Updated: April 23, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.2

Microsoft Security Advisory Notification
Issued: April 23, 2008

Security Advisories Updated or Released Today

* Microsoft Security Advisory (951306)
  - Title: Vulnerability in Windows Could Allow
    Elevation of Privilege
  - http://www.microsoft.com/technet/security/advisory/951306.mspx
  - Revision Note: April 23, 2008: Added clarification to
    impact of workaround for IIS 6.0

* Microsoft Security Advisory (932596)
  - Title: Update to Improve Kernel Patch Protection
  - http://www.microsoft.com/technet/security/advisory/932596.mspx
  - Revision Note: April 23, 2008: Added an FAQ entry about
    known issues in installing the kernel update   

US-CERT is aware of public reports of a vulnerability in Apple QuickTime. By convincing a user to open a specially crafted QuickTime file, an attacker may be able to execute arbitrary code. This vulnerability may have several attack vectors, such as visiting a malicious or compromised website.

US-CERT encourages users to use caution when opening QuickTime files, and apply the best security practices described in the Securing Your Web Browser document, to help mitigate the risks.

US-CERT will provide additional information as it becomes available.

http://www.us-cert.gov/current/index.html#apple_quicktime_vulnerability 

Posted Wed, Apr 23 2008 13:32 by Don

IT security and control firm Sophos has published its latest Security Threat Report, which looks at worldwide cybercrime during the first quarter of 2008. The findings show a dramatic increase in web-based threats compared to 2007 – the first three months of 2008 showed Sophos finding and blocking a new infected webpage every five seconds, compared with one every 14 seconds last year.

http://www.sophos.com/pressoffice/news/articles/2008/04/secrep08q1.html 

Posted Wed, Apr 23 2008 13:30 by Don

AVG Technologies, a leading provider of Internet security software, will tomorrow release AVG Anti-Virus Free 8.0, the latest version of the company’s popular and widely-used free security software, which now incorporates protection against spyware through a new combined anti-virus and anti-spyware engine.

AVG Free provides basic protection against viruses and spyware, together with the safe-searching component of the company’s patent-pending LinkScanner® technology, incorporated into the new AVG Security Toolbar. The Free product does not include the proactive safe-surfing (“drive-by download” protection) of the full LinkScanner module that is included in the commercial AVG products, nor the protection against hackers, keyloggers, spam, phishing attacks, and malicious file downloads that can come through instant messaging and attachments from seemingly friendly sources. The free product also does not include the round-the-clock email support provided with the commercial products.

Press Release 

Posted Wed, Apr 23 2008 5:25 by Don

Microsoft Security Bulletin Revisions
Issued: April 22, 2008

Summary

The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

  * MS08-024 - Critical
  * MS07-040 - Critical

Bulletin Information:

* MS08-024 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-024.mspx
  - Reason for Revision: V2.0 (April 22, 2008): Added Internet
    Explorer 7 for Windows XP Service Pack 3 and Internet
    Explorer 7 for Windows XP x64 Edition Service Pack 3 to
    affected software.
  - Originally posted: April 8, 2008
  - Updated: April 22, 2008
  - Bulletin Severity Rating: Critical
  - Version: 2.0
   
* MS07-040 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-040.mspx
  - Reason for Revision: V3.0 (April 22, 2008): Bulletin updated:
    Added .NET Framework 1.0 (KB928367), .NET Framework 1.1
    (KB928366), and .NET Framework Version 2.0 (KB928365) as
    affected components for Windows XP Service Pack 3 and Windows
    XP Professional x64 Edition Service Pack 3. This is a
    detection update only. There were no changes to the binaries.
  - Originally posted: July 10, 2007
  - Updated: April 22, 2008
  - Bulletin Severity Rating: Critical
  - Version: 3.0

On the eve of the presidential primary in Pennsylvania, an online prankster leveraged a security vulnerability on Sen. Barack Obama's campaign Web site to redirect visitors to Sen. Hillary Rodham Clinton's campaign site.

According to Symantec, someone embedded computer code into a posting on the Obama blog. The content in this case targeted a cross-site scripting (XSS) flaw, an exceedingly common type of vulnerability that can be used to automatically redirect Web browsers viewing the affected page to another site.

http://blog.washingtonpost.com/securityfix/ 

Posted Tue, Apr 22 2008 13:53 by Don

AVG Technologies plans to release a revamped version of its popular, free anti-malware scanner on Thursday.

Version 8.0 of the software will add anti-spyware and safe search features to its core anti-virus engine. Safe surfing features, which warn users about visiting insecure websites at all times rather than only when they search, will remain a paid feature of AVG's full-fat product.

Both the safe search and safe surfing features use Linkscanner technology, acquired by AVG when it bought Exploit Prevention Labs last December.

Larry Bidwell, AVG's global security strategist, explained that as well as keeping a small database of known bad sites Linkscanner looks for pointers to dodgy content, such as links to encrypted JavaScript files often associated with malware downloads, on analysed sites.

The increasing hacker tactic of planting drive-by-downloads on legitimate websites makes such real time analysis techniques more important, he added.

AVG 8.0 comes free of charge to consumers and will be available, initially in English only, from Thursday 24 April. Italian, French, and Spanish versions are also in the works. Previously, the free version of the scanner was only available in English.

http://www.theregister.co.uk/2008/04/22/avg8_free/ 

Posted Tue, Apr 22 2008 11:29 by Don

Criminals changed tactics in the last six months of 2007, dropping malicious e-mail in favor of Web-based attacks, according to data reported to Microsoft Corp. by Windows users.

The company saw the number of Trojan horse downloader programs it removed from Windows machines jump by 300%, according to Jimmy Kuo, principal architect with Microsoft's Malware Protection Center. These programs masquerade as legitimate pieces of software, but once installed they then download malicious software such as spyware or adware onto the victim's computer. They are typically installed via the Web.

Story at computerworld.com 

Posted Tue, Apr 22 2008 11:25 by Don

Description:
A vulnerability has been reported in multiple Adobe products, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error when handling BMP files. This can be exploited to cause a buffer overflow via a BMP file having a malformed header.

http://secunia.com/advisories/29838/ 

Posted Tue, Apr 22 2008 11:23 by Don

PayPal, the electronic payment service owned by eBay Inc., has denied that it plans to tag Apple Inc.'s Safari as "unsafe" and block it from accessing the site.

"We have absolutely no intention of blocking current versions of any browsers, including Apple's Safari, from our website," a company spokeswoman said in an e-mail late Friday.

Story continues at computerworld.com 

Posted Mon, Apr 21 2008 7:20 by Don

Issued: April 18, 2008

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS08-019 - Important

Bulletin Information:

* MS08-019 - Important

  - http://www.microsoft.com/technet/security/bulletin/ms08-019.mspx
  - Reason for Revision: V1.4 (April 17, 2008): Updated FAQ entry
    about known issue relating to a Visio 2007 detection problem. 
  - Originally posted: April 8, 2008
  - Updated: April 18, 2008
  - Bulletin Severity Rating: Important
  - Version: 1.4

PayPal says allowing customers to make financial transactions on unsafe browsers "is equal to a car manufacturer allowing drivers to buy one of their vehicles without seat belts."

PayPal, one of the brands most spoofed in phishing attacks, is working on a plan to block its users from making transactions from Web browsers that don't provide anti-phishing protection.

http://www.eweek.com/c/a/Security/PayPal-Plans-to-Ban-Unsafe-Browsers/ 

Posted Fri, Apr 18 2008 6:55 by Don

Apple has released Safari 3.1.1 to address multiple vulnerabilities in Safari and WebKit. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, conduct cross-site scripting attacks, or spoof the contents of the browser address bar.

US-CERT encourages users to review Apple's About the security content of Safari 3.1.1 document and upgrade to Safari 3.1.1 to help mitigate the risks.

Posted Fri, Apr 18 2008 7:50 by Don

Mozilla has released Firefox 2.0.0.14 to address a vulnerability in the JavaScript engine. This vulnerability is due to memory corruption errors during JavaScript garbage collection. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition. Products that use the Mozilla rendering engine, such as Thunderbird and SeaMonkey, may also be affected.

Posted Fri, Apr 18 2008 7:48 by Don

Issued: April 17, 2008

Security Advisories Updated or Released Today

 * Microsoft Security Advisory (951306)
  - Title: Vulnerability in Windows Could Allow
    Elevation of Privilege
  - http://www.microsoft.com/technet/security/advisory/951306.mspx
  - Revision Note: Advisory published. 

People are getting wiser about their passwords, but not necessarily about their personal information, according to a survey conducted in Europe.

The survey, conducted by conference group Infosecurity Europe, found that only 21 percent of the nearly 600 people queried outside Liverpool Street Station in London gave up their password when offered an incentive -- in this case, a chocolate bar -- down from 64 percent last year. Yet, of the people who declined to give their password, six in ten later identified the type of information -- such as date of birth, pet's name, or anniversary date -- used to create their password.

http://www.securityfocus.com/brief/725 

Posted Thu, Apr 17 2008 15:48 by Don