DP's Security Bits

Websense® Security Labs™ ThreatSeeker™ Network has discovered that malware authors are already using Christmas themes this year as a social engineering tactic, in an effort to gain control over compromised machines. This campaign uses email messages in the form of e-greetings, leading to supposed animated postcards. These actually lead to a Trojan backdoor that has been distributed in previous malicious spam campaigns.

The email messages, spoofed to appear as though they have been sent from postcards.org, display an animated Christmas scene. A URL link within the email leads to a malicious file called postcard.exe hosted on various servers, including those in the .com TLD space.

Once executed, a backdoor is created by the malware author enabling access and control over the resources of the compromised machine. Control is conducted over IRC, communicating with ircserver.*snip*.la. During the install process an image called xmas.jpg is displayed to the user as a distraction technique.

Full Alert

Technology research firm SRI International released a free software tool on Monday to help system administrators detect botnet activity within their network.

The program, called BotHunter, monitors the inside of a network to detect the two-way communications flows that are common between computers compromised by bot software and the command-and-control (C&C) server that is used to send commands to each infected machine. The software keeps tabs on the suspicious requests and responses — which SRI International calls dialogs — and compares them with patterns of known bot software, said Phillip Porras, security program director for SRI International.

http://www.securityfocus.com/brief/861

Issued: November 25, 2008

Summary

The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

  * MS07-005

Bulletin Information:

* MS07-005

 - http://www.microsoft.com/technet/security/bulletin/ms07-005.mspx
 - Reason for Revision: V2.0 (November 25, 2008): Bulletin updated:
    added Windows XP Service Pack 3 as an Affected Product.
    Step-by-Step Interactive Training is not installed on Windows
    by default and therefore this security update should be
    applied to systems running Windows XP Service Pack 3. 
 - Originally posted: February 13, 2007
 - Updated: November 25, 2008
 - Bulletin Severity Rating: Important
 - Version: 2.0

Issued: November 25, 2008

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS07-068 - Critical
  * MS06-078

Bulletin Information:

* MS07-068 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-068.mspx
  - Reason for Revision: V2.3 (November 25, 2008): Bulletin updated
    to correct the filename of wwmasf.dll to wmasf.dll in the
    file information for Windows Media Format 9.5 Runtime for
    Windows Server 2003 x64 Edition. 
  - Originally posted: December 11, 2007
  - Updated: November 25, 2008
  - Bulletin Severity Rating: Critical
  - Version: 2.3
   
* MS06-078

  - http://www.microsoft.com/technet/security/bulletin/ms06-078.mspx
  - Reason for Revision: V6.1 (November 25, 2008): Bulletin updated
    to correct the filename, Wwmvcore.dll, to Wmvcore.dll for
    file information for Windows Media Format 9.5 Series Runtime
    on Windows XP Professional x64 Edition and Windows Server
    2003 x64 Edition. 
  - Originally posted: December 12, 2006
  - Updated: November 25, 2008
  - Bulletin Severity Rating: Critical
  - Version: 6.1

Issued: November 25, 2008

Security Advisories Updated or Released Today

 * Microsoft Security Advisory (953839)
  - Title: Cumulative Security Update of ActiveX Kill Bits
  - http://www.microsoft.com/technet/security/advisory/953839.mspx
  - Revision Note: November 25, 2008: Added an entry to
    Frequently Asked Questions to communicate that users with
    Windows Server 2008 Server Core installation will still be
    offered but do not need to install this update.

Symantec has released a security advisory to address multiple vulnerabilities for Symantec Backup Exec. These vulnerabilities may allow an attacker to gain access to or modify information, cause a denial of service, or potentially execute arbitrary code.

US-CERT encourages users and administrators to review Symantec Security Advisory SYM08-021 and apply any necessary updates to help mitigate the risks.

http://www.us-cert.gov/current/index.html#symantec_releases_security_advisory_for

US-CERT is aware of public reports of an increase in malicious code propagating via USB flash drive devices. Currently, there are two popular methods by which USB flash drives are being infected with malicious code. Please note that these are not the only two methods available.

The first of these methods is referred to as simple file copy. This means that the malicious code initially resides on an infected computer and copies itself to all the storage devices connected to the affected computer. This method requires the user to access the USB flash drive and execute the malicious code.

The second method is referred to as AutoRun.inf modification. This means that the malicious code alters or creates an autorun.inf file on targeted storage devices connected to the affected computer. When an infected USB flash drive is connected to another computer, the malicious code can be automatically executed with no additional user interaction.

US-CERT encourages users to do the following to help mitigate the risks:

http://www.us-cert.gov/current/index.html#malicious_code_spreading_through_usb

To address the growing need for a PC security solution tailored to the demands of emerging markets, smaller PC form factors and rapid increases in the incidence of malware, Microsoft Corp. plans to offer a new consumer security offering focused on core anti-malware protection.

Code-named “Morro,” this streamlined solution will be available in the second half of 2009 and will provide comprehensive protection from malware including viruses, spyware, rootkits and trojans. This new solution, to be offered at no charge to consumers, will be architected for a smaller footprint that will use fewer computing resources, making it ideal for low-bandwidth scenarios or less powerful PCs. As part of Microsoft’s move to focus on this simplified offering, the company also announced today that it will discontinue retail sales of its Windows Live OneCare subscription service effective June 30, 2009.

PressPass

Symantec (Nasdaq: SYMC) today announced that John W. Thompson, chairman and chief executive officer, will retire as CEO at the end of the fiscal year. The board of directors has appointed Enrique T. Salem, Symantec’s chief operating officer, as president and chief executive officer effective April 4, 2009. Following the transition, Thompson, 59, will remain chairman of the board and Salem, 43, will join the board of directors.

Press Release

US-CERT is aware of public reports of a fraudulent email scam circulating via messages that falsely appear to be from the U.S. Federal Reserve. These email messages contain information about a phishing scam and links for users to follow to obtain additional information about the scam. If a user follows the links, they will be redirected to a malicious website where a PDF exploit is used to install malicious code on the affected system.

US-CERT encourages users to do the following to help mitigate the risks:

• Do not follow unsolicited links.
• Use caution when visiting untrusted websites.
• Install antivirus software and keep the virus signatures up to date.
  
• Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

http://www.us-cert.gov/current/index.html#u_s_federal_reserve_phishing

Websense® Security Labs™ ThreatSeeker™ Network has discovered a new malicious social-engineering spam campaign masquerading as official emails sent by Google's Web 2.0 social networking site, Orkut. Orkut is one of the most popular social networking sites in Latin America and the second most visited site in India. The email is spoofed, appearing to be from the domain google.com for this fake notification which advises the user that their account has been subject to investigation and will be terminated within 72 hours unless they click through the hyperlink and follow the necessary instructions

Details ..

Issued: November 12, 2008

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS08-068 - Important
  * MS08-058 - Critical
  * MS08-056 - Moderate

Bulletin Information:

* MS08-068 - Important

  - http://www.microsoft.com/technet/security/bulletin/ms08-068.mspx
  - Reason for Revision: V1.1 (November 12, 2008): Corrected entry in
    the FAQ for SMB Credential Reflection Vulnerability -
    CVE-2008-4037 section to clarify reports of published proof
    of concept code. Microsoft has not received any direct
    reports that this vulnerability had been publicly used to
    attack customers. 
  - Originally posted: November 11, 2008
  - Updated: November 12, 2008
  - Bulletin Severity Rating: Important
  - Version: 1.1
   
* MS08-058 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms08-058.mspx
  - Reason for Revision: V1.2 (November 12, 2008): Corrected a
    registry key verification entry for Internet Explorer 6 for
    all supported x64-based editions of Windows Server 2003. 
  - Originally posted: October 14, 2008
  - Updated: November 12, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.2
   
* MS08-056 - Moderate

  - http://www.microsoft.com/technet/security/bulletin/ms08-056.mspx
  - Reason for Revision: V1.1 (November 12, 2008): Corrected the
    removal information in the section, Security Update
    Deployment, to state that this security update cannot be
    uninstalled.  
  - Originally posted: October 14, 2008
  - Updated: November 12, 2008
  - Bulletin Severity Rating: Moderate
  - Version: 1.1

Issued: November 12, 2008

Security Advisories Updated or Released Today

 * Microsoft Security Advisory (956391)
  - Title: Cumulative Security Update of ActiveX Kill Bits
  - http://www.microsoft.com/technet/security/advisory/956391.mspx
  - Revision Note: November 12, 2008: Removed an incorrect
    reference that Windows Server 2008 Server Core installation
    is affected. Added an entry to Frequently Asked Questions to
    communicate that users with Windows Server 2008 Server Core
    installation will still be offered but do not need to install
    this update.

Apple has released iLife Support 8.3.1 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users to review Apple Article HT3276 and apply any necessary updates to help mitigate the risks.

http://www.us-cert.gov/current/index.html#apple_releases_ilife_support_8

In case you you are not able to run your Windows XP operating system after AVG 8.0 virus definition update (DB: 270.9.0/1777) and you do not have Windows XP installation CD, please proceed as follows in order to resolve this situation

http://www.avg.com/faq.num-1575#faq_1575

A coalition of security-software companies, testing firms and information-technology publications issued on Monday two documents setting out guidelines for testing antivirus scanners and malware defenses.

The recently-formed group, known as the Anti-Malware Testing Standard Organization (AMTSO), published The Fundamental Principles of Testing and Best Practices for Dynamic Testing on its Web site. Among the principles espoused by the organizations are open and transparent testing, the validation of test sample to classify their malicious nature, and verifying the statistic validity of the tests. The testing guidelines stress that any battery of tests must deliver reproducible results, recommends against the use of virtual machines and to define different levels of success.

http://www.securityfocus.com/brief/852

Note: There may be latency issues due to replication, if the page does not display keep refreshing
November 11

Today Microsoft released the following Security Bulletin(s). 

Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.

Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.

November Bulletin Summary

Critical (1)

MS08-069 - Vulnerabilities in Microsoft XML Core Services Could Allow Remote Code Execution (955218)

Important (1)

MS08-068 - Vulnerability in SMB Could Allow Remote Code Execution (957097)

This represents our regularly scheduled monthly bulletin release (second Tuesday of each month). Please note that Microsoft may release bulletins out side of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.

VMware has released Security Advisory VMSA-2008-0018 and has updated Security Advisory VMSA-2008-0016.1 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to conduct directory traversal attacks, operate with escalated privileges, or obtain sensitive information.

US-CERT encourages users and administrators to review VMware Security Advisories VMSA-2008-0018 and VMSA-2008-0016.1 and apply any necessary updates to help mitigate the risks.

http://www.us-cert.gov/current/index.html#vmware_releases_security_advisory_vmsa2

Issued: November 6, 2008

This is an advance notification of security bulletins that
Microsoft is intending to release on November 11, 2008.

The full version of the Microsoft Security Bulletin Advance
Notification for November 2008 can be found at
http://www.microsoft.com/technet/security/bulletin/ms08-nov.mspx.

This bulletin advance notification will be replaced with the
November bulletin summary on November 11, 2008. For more information
about the bulletin advance notification service, see
http://www.microsoft.com/technet/security/Bulletin/advance.mspx.

To receive automatic notifications whenever Microsoft Security
Bulletins are issued, subscribe to Microsoft Technical Security
Notifications on
http://www.microsoft.com/technet/security/bulletin/notify.mspx.

Microsoft will host a webcast to address customer questions on
these bulletins on Wednesday, November 12, 2008,
at 11:00 AM Pacific Time (US & Canada). Register for the November
Security Bulletin Webcast at
http://www.microsoft.com/technet/security/bulletin/summary.mspx.

Microsoft also provides information to help customers prioritize
monthly security updates with any non-security, high-priority
updates that are being released on the same day as the monthly
security updates. Please see the section, Other Information.

This advance notification provides the software subject as the
bulletin identifier, because the official Microsoft Security
Bulletin numbers are not issued until release. The bulletin summary
that replaces this advance notification will have the proper
Microsoft Security Bulletin numbers (in the MSyy-xxx format) as the
bulletin identifier. The security bulletins for this month are as
follows, in order of severity:


Critical Security Bulletins

Windows Bulletin 1

  - Affected Software:
    - Microsoft XML Core Services 3.0 on
      Microsoft Windows 2000 Service Pack 4
    - Microsoft XML Core Services 4.0 when installed on
      Microsoft Windows 2000 Service Pack 4
    - Microsoft XML Core Services 6.0 when installed on
      Microsoft Windows 2000 Service Pack 4
    - Microsoft XML Core Services 3.0 on
      Windows XP Service Pack 2 and
      Windows XP Service Pack 3
    - Microsoft XML Core Services 4.0 when installed on
      Windows XP Service Pack 2 and
      Windows XP Service Pack 3
    - Microsoft XML Core Services 6.0 when installed on
      Windows XP Service Pack 2 and
      Windows XP Service Pack 3
    - Microsoft XML Core Services 3.0 on
      Windows XP Professional x64 Edition and
      Windows XP Professional x64 Edition Service Pack 2
    - Microsoft XML Core Services 4.0 when installed on
      Windows XP Professional x64 Edition and
      Windows XP Professional x64 Edition Service Pack 2
    - Microsoft XML Core Services 6.0 when installed on
      Windows XP Professional x64 Edition and
      Windows XP Professional x64 Edition Service Pack 2
    - Microsoft XML Core Services 3.0 on
      Windows Server 2003 Service Pack 1 and
      Windows Server 2003 Service Pack 2
    - Microsoft XML Core Services 4.0 when installed on
      Windows Server 2003 Service Pack 1 and
      Windows Server 2003 Service Pack 2
    - Microsoft XML Core Services 6.0 when installed on
      Windows Server 2003 Service Pack 1 and
      Windows Server 2003 Service Pack 2
    - Microsoft XML Core Services 3.0 on
      Windows Server 2003 x64 Edition and
      Windows Server 2003 x64 Edition Service Pack 2
    - Microsoft XML Core Services 4.0 when installed on
      Windows Server 2003 x64 Edition and
      Windows Server 2003 x64 Edition Service Pack 2
    - Microsoft XML Core Services 6.0 when installed on
      Windows Server 2003 x64 Edition 1 and
      Windows Server 2003 x64 Edition Service Pack 2
    - Microsoft XML Core Services 3.0 on
      Windows Server 2003 with SP1 for Itanium-based Systems and
      Windows Server 2003 with SP2 for Itanium-based Systems
    - Microsoft XML Core Services 4.0 when installed on
      Windows Server 2003 with SP1 for Itanium-based Systems and
      Windows Server 2003 with SP2 for Itanium-based Systems
    - Microsoft XML Core Services 6.0 when installed on
      Windows Server 2003 with SP1 for Itanium-based Systems and
      Windows Server 2003 with SP2 for Itanium-based Systems
    - Microsoft XML Core Services 3.0 on
      Windows Vista and
      Windows Vista Service Pack 1
    - Microsoft XML Core Services 4.0 when installed on
      Windows Vista and
      Windows Vista Service Pack 1
    - Microsoft XML Core Services 6.0 when installed on
      Windows Vista and
      Windows Vista Service Pack 1
    - Microsoft XML Core Services 3.0 on
      Windows Vista x64 Edition and
      Windows Vista x64 Edition Service Pack 1
    - Microsoft XML Core Services 4.0 when installed on
      Windows Vista x64 Edition and
      Windows Vista x64 Edition Service Pack 1
    - Microsoft XML Core Services 6.0 when installed on
      Windows Vista x64 Edition and
      Windows Vista x64 Edition Service Pack 1
    - Microsoft XML Core Services 3.0 on
      Windows Server 2008 for 32-bit Systems
      (Windows Server 2008 Server Core installation not affected)
    - Microsoft XML Core Services 4.0 when installed on
      Windows Server 2008 for 32-bit Systems
      (Windows Server 2008 Server Core installation not affected)
    - Microsoft XML Core Services 6.0 when installed on
      Windows Server 2008 for 32-bit Systems
      (Windows Server 2008 Server Core installation not affected)
    - Microsoft XML Core Services 3.0 on
      Windows Server 2008 for x64-based Systems
      (Windows Server 2008 Server Core installation not affected)
    - Microsoft XML Core Services 4.0 when installed on
      Windows Server 2008 for x64-based Systems
      (Windows Server 2008 Server Core installation not affected)
    - Microsoft XML Core Services 6.0 when installed on
      Windows Server 2008 for x64-based Systems
      (Windows Server 2008 Server Core installation not affected)
    - Microsoft XML Core Services 3.0 on
      Windows Server 2008 for Itanium-based Systems
    - Microsoft XML Core Services 4.0 when installed on
      Windows Server 2008 for Itanium -based Systems
    - Microsoft XML Core Services 6.0 when installed on
      Windows Server 2008 for Itanium -based Systems
    - Microsoft XML Core Services 5.0 on
      Microsoft Office 2003 Service Pack 3
    - Microsoft XML Core Services 5.0 on
      Microsoft Word Viewer 2003 Service Pack 3
    - Microsoft XML Core Services 5.0 on
      2007 Microsoft Office System and
      2007 Microsoft Office System Service Pack 1
    - Microsoft XML Core Services 5.0 on
      Microsoft Office Compatibility Pack for Word, Excel, and
      PowerPoint 2007 File Formats and
      Microsoft Office Compatibility Pack for Word, Excel, and
      PowerPoint 2007 File Formats Service Pack 1
    - Microsoft XML Core Services 5.0 on
      Microsoft Expression Web and
      Microsoft Expression Web 2
    - Microsoft XML Core Services 5.0 on
      Microsoft Office SharePoint Server 2007 and
      Microsoft Office SharePoint Server 2007 Service Pack 1
      (32-bit editions)
    - Microsoft XML Core Services 5.0 on
      Microsoft Office SharePoint Server 2007 and
      Microsoft Office SharePoint Server 2007 Service Pack 1
      (64-bit editions)
    - Microsoft XML Core Services 5.0 on
      Microsoft Office Groove Server 2007

    - Impact: Remote Code Execution
    - Version Number: 1.0


Important Security Bulletins

Windows Bulletin 2

  - Affected Software:
    - Microsoft Windows 2000 Service Pack 4
    - Windows XP Service Pack 2 and
      Windows XP Service Pack 3
    - Windows XP Professional x64 Edition and
      Windows XP Professional x64 Edition Service Pack 2
    - Windows Server 2003 Service Pack 1 and
      Windows Server 2003 Service Pack 2
    - Windows Server 2003 x64 Edition and
      Windows Server 2003 x64 Edition Service Pack 2
    - Windows Server 2003 with SP1 for Itanium-based Systems and
      Windows Server 2003 with SP2 for Itanium-based Systems
    - Windows Vista and
      Windows Vista Service Pack 1
    - Windows Vista x64 Edition and
      Windows Vista x64 Edition Service Pack 1
    - Windows Server 2008 for 32-bit Systems
      (Windows Server 2008 Server Core installation affected)
    - Windows Server 2008 for x64-based Systems
      (Windows Server 2008 Server Core installation affected)
    - Windows Server 2008 for Itanium-based Systems

    - Impact: Remote Code Execution
    - Version Number: 1.0


Other Information

Microsoft Windows Malicious Software Removal Tool:

Microsoft will release an updated version of the Microsoft Windows
Malicious Software Removal Tool on Windows Update, Microsoft Update,
Windows Server Update Services, and the Download Center.

Non-Security, High-Priority Updates on MU, WU, and WSUS:

For information about non-security releases on Windows Update and Microsoft
update, please see:
* http://support.microsoft.com/kb/894199: Microsoft Knowledge Base
  Article 894199, Description of Software Update Services and
  Windows Server Update Services changes in content for 2008.
  Includes all Windows content.
* http://technet.microsoft.com/en-us/wsus/bb466214.aspx: New,
  Revised, and Released Updates for Microsoft Products Other Than
  Microsoft Windows