January 2009 - Posts

A group of U.S. companies, led by technology giants Microsoft, Hewlett-Packard and eBay, is set to outline recommendations for new federal data-privacy legislation that could make life easier for consumers and lead to a standard federal breach-notification law.

The recommendations, which were developed by a group of industry players called the Consumer Privacy Legislative Forum, are set to be released at an upcoming privacy conference six weeks from now, according to Peter Cullen, Microsoft's chief privacy officer.

Story continues at computerworld

Posted Sat, Jan 31 2009 10:43 by Don

Novell has released updates for GroupWise 7 and 8 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, compromise a GroupWise account, conduct cross-site scripting attacks, or obtain sensitive information.

US-CERT encourages users to review the Novell download page and apply the appropriate patch to help mitigate the risks.

http://www.us-cert.gov/current/index.html#novell_releases_updates_for_groupwise

US-CERT is aware of public reports of malicious code circulating via spam email messages related to Valentine's Day. These messages contain a link to a website that contains several images of hearts and instructs users to choose one image. If users click on one of the images, they will be prompted to download an executable file. Reports indicate that the executable files could be named: youandme.exe, onlyyou.exe, you.exe, and meandyou.exe (please note that these file names may change at any time). If users accept the download, malicious code may be installed onto their systems.

US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:

  • Install antivirus software, and keep virus signatures up to date.
  • Do not follow unsolicited links and do not open unsolicited email messages.
  • Use caution when visiting untrusted websites.
  • Use caution when downloading and installing applications.
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
  • Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

http://www.us-cert.gov/current/index.html#malicious_code_spreading_via_valentine

Posted Thu, Jan 29 2009 14:03 by Don

Issued: January 28, 2009

Summary

The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

  * MS08-074 - Critical

Bulletin Information:

* MS08-074 - Critical

 - http://www.microsoft.com/technet/security/bulletin/ms08-074.mspx
 - Reason for Revision: V2.0 (January 28, 2009): Added a footnote to
    the Affected Software table and two entries to the section,
    Frequently Asked Questions (FAQ) Related to this Security
    Update, pertaining to security updates KB958437 and KB958439
    for supported versions of Microsoft Office Excel 2007. There
    were no changes to the security update binaries or detection.
    Customers with Microsoft Office Excel 2007 or Microsoft
    Office Excel 2007 Service Pack 1 who have already
    successfully installed KB958437 and KB958439 do not need to reinstall.
 - Originally posted: December 9, 2008
 - Updated: January 28, 2009
 - Bulletin Severity Rating: Critical
 - Version: 2.0

Spam trumpeting the power of love is nothing more than an old trick dressed up in new clothes, more evidence that the backers of the Waledec bot Trojan are the same bunch that hammered users last year with Storm, security companies are warning.

Multiple security vendors, including MX Logic Inc., Trend Micro Inc. and Panda Security, have issued alerts about new Valentine-themed spam campaigns that try to dupe users into installing the Waledec bot.

Subject lines for the spam, said Sam Masiello, vice president of information security at MX Logic, are "short and sweet," and include "Me and You," "In Your Arms" and "With all my love." Users who browse to the link embedded in the spam reach a site with a dozen hearts, any one of which will download an executable file when clicked.

Story continues at computerworld.com

Posted Wed, Jan 28 2009 13:53 by Don

Websense Security Labs™ ThreatSeeker™ Network has discovered that a subdomain of the International Electrotechnical Commission (IEC) Web site has been compromised. The IEC is an international standards organization that prepares and publishes International Standards for all electrical, electronic, and related technologies. Member countries include Japan, Australia, U.S.A., central European countries, and numerous others.

Alert Details

Posted Tue, Jan 27 2009 13:11 by Don

Said by F-Secure Weblog:

Downadup infections appear to have peaked during the week.

As time passes, the number of estimated Downadup infections becomes more problematic to calculate as we are monitoring a varying number of domains. Re-infections may also be inflating the count. In any case, today seems better than the day before and we think that growth of Downadup has been curbed. Disinfection of the worm remains a challenge.

So let's look at Thursday's IP count, where are the infected computers?

Our sinkhole logged just over one million unique IP addresses yesterday. This is compared to 350,000 last Friday. Remember, there may be any number of computers sitting behind a single IP address.

China, Russia, and Brazil have the highest IP count. Combined, they account for nearly 41 percent of the total.

Only a bit over 1 percent came from the United States…

Posted Mon, Jan 26 2009 9:12 by Don

Job site Monster.com acknowledged a breach of its user database late Friday, warning that online intruders made off with an unspecified number of job seekers' names, phone numbers, e-mail addresses, log-in names and passwords.

The Web site, run by New York, NY-based Monster Worldwide, gave scant information about the breach, except that the intrusion did not compromise any Social Security numbers or personal financial details, which the company does not generally collect. The breach also affected Monster.com's government client, USAJobs.com, which also posted a notice on Friday.

Story continues at securityfocus.com

Posted Mon, Jan 26 2009 9:08 by Don

Since the time Microsoft released security update MS08-067, we have released information about MS08-067 exploits and specifically about the Conficker worm in our malware encyclopedia and in multiple blog posts for example here. This blog provides a summary of the available information Microsoft has provided on the Conficker worm and the vulnerability it exploits, which Microsoft addressed with MS08-067.

First, we outline the various attack vectors because it’s important for customers to understand that the Conficker worm utilizes a variety of attack vectors to infect machines. Based on this analysis we follow up with guidance for what customers can do to protect themselves. The first and most important piece of guidance is to immediately deploy the security update associated with Microsoft Security Bulletin MS08-067, if you haven’t already. However, because this worm utilizes a number of additional vectors of attack we provide additional information and guidance to help you build a defense in depth approach. Finally, we close with information and pointers to how to clean up your machine using the Microsoft Malicious Software Removal Tool.

Let’s examine again the ways this worm spreads. So far, only two variants of the worm have been discovered in the wild. The first one, Worm:Win32/Conficker.A, was first reported Nov. 21, 2008 and propagates only by exploiting the vulnerability addressed by security update MS08-067. This variant avoids infecting computers that use Ukrainian keyboard layout and that raised the suspicion that the malware developer is located in Ukraine. Worm:Win32/Conficker.B, the second variant, was reported Dec. 29, 2008. This variant uses multiple propagation methods:

http://blogs.technet.com/mmpc/archive/2009/01/22/centralized-information-about-the-conficker-worm.aspx

Posted Fri, Jan 23 2009 6:57 by Don

Issued: January 21, 2009

Summary

The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

  * MS05-022

Bulletin Information:

  * MS05-022 - Critical

 - http://www.microsoft.com/technet/security/bulletin/ms05-022.mspx
 - Reason for Revision: V2.0 (January 21, 2009): Bulletin updated.
   Replaced the download link for MSN Messenger 6.2 with the
   bulletin link to MS07-054. Users may either use the specific
   download link in MS07-054 to upgrade, or log on to MSN Messenger
   service to accept the required upgrade.
 - Originally posted: April 12, 2005
 - Updated: January 21, 2009
 - Bulletin Severity Rating: Critical
 - Version: 2.0

Issued: January 21, 2009

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS08-040 - Important

Bulletin Information:

  * MS08-040 - Important

  - http://www.microsoft.com/technet/security/bulletin/ms08-040.mspx
  - Reason for Revision: V1.7 (January 21, 2009): Listed Microsoft
    SQL Server 2000 Desktop Engine (MSDE 2000) Service Pack 3a, a
    component of Application Center 2000 Service Pack 2, as
    non-affected software.
  - Originally posted: July 8, 2008
  - Updated: January 21, 2009
  - Bulletin Severity Rating: Important
  - Version: 1.7

Heartland Payment Systems, a credit-card and check processor serving 250,000 businesses in the United States, warned on Tuesday that it had found evidence of a network breach that had compromised consumers' credit-card numbers.

Last week, auditors hired by the company found malicious software on its payment network, the firm said in a statement. Visa and Mastercard had tipped off the company to fraudulent card activity related to credit-card transactions processed on Heartland's network.

Heartland "immediately took a number of steps to further secure its systems," the company said. The payment processor also set up a Web site, www.2008breach.com, to act as a communications point with affected customers.

Full story at securityfocus.com

Posted Thu, Jan 22 2009 6:14 by Don

Apple has released QuickTime 7.6, for both Windows and Mac OS X systems, to address multiple vulnerabilities. These vulnerabilities may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users to review Apple Article HT3403 and upgrade to QuickTime 7.6.

http://www.us-cert.gov/current/index.html#apple_releases_quicktime_7_6

Posted Thu, Jan 22 2009 5:21 by Don

Cisco Security Advisory cisco-sa-20090121-csm was released to address a vulnerability that occurs in Cisco Security Manager when it is used in conjunction with Cisco IPS Event Viewer. This vulnerability may allow an unauthenticated, remote attacker to access the MySQL databases or IPS Event Viewer server.

US-CERT encourages users and administrators to review Cisco Security Advisory cisco-sa-20090121-csm and apply any necessary updates or workarounds to help mitigate the risks.

http://www.us-cert.gov/current/index.html#cisco_releases_security_advisory_for6

Posted Thu, Jan 22 2009 5:20 by Don

Google Inc. planned to turn off the anti-phishing service used by Firefox 2.0 on Tuesday, a Mozilla Corp. executive said on Monday.

Although the two most-recent builds of Firefox 2.0, labeled 2.0.0.19 and 2.0.0.20, have omitted the defense, earlier editions of the browser were still able to query Google for a list of sites suspected of hosting identity theft scams. But Google is now shutting down the blacklist, said Mike Beltzner, the director of Firefox.

Story continues at computerworld.com

Posted Wed, Jan 21 2009 8:50 by Don

US-CERT is aware of public reports indicating a widespread infection of the Win32/Conficker/Downadup worm. This worm exploits a previously patched vulnerability addressed in Microsoft Security Bulletin MS08-067. This worm attempts to propagate via multiple methods including removable media.

US-CERT strongly encourages users to review Microsoft Security Bulletin MS08-067 and update unpatched systems as soon as possible.

Additionally, US-CERT recommends that users take the following preventative measures to help mitigate the security risks:

  • Install antivirus software, and keep the virus signatures up to date.
  • Review the Microsoft Malware Protection Center blog entry for details regarding the worm.
  • Review the Using Caution with USB Drives Cyber Security Tip for more information on protecting removable media.

http://www.us-cert.gov/current/index.html#widespread_infection_of_win32_conflicker

Posted Wed, Jan 21 2009 8:48 by Don

Symantec has released a security advisory to address a vulnerability in the Symantec AppStream LaunchObj ActiveX control. By convincing a user to view a specially crafted HTML document, an attacker may be able to execute arbitrary code with the privileges of the user.

US-CERT encourages users to review Vulnerability Note VU#194505 and Symantec Security Advisory SYM09-001, apply the update, and follow the best practices provided in the advisory.

http://www.us-cert.gov/current/index.html#symantec_releases_security_advisory1

AVG Technologies, a global anti-virus and Internet security software provider with over 80 million users in 167 countries, today announced the acquisition of Sana Security, a leading developer in identity theft prevention software. Sana’s forward-looking technology in the industry comes from its behavior-based security software that proactively protects against threats in a similar way to the human immune system. The transaction marks another successful milestone as AVG continues its corporate growth strategy to continually improve Internet security coverage for individuals and small businesses and expand its global footprint. Headquartered in Redwood City, California, Sana also provides AVG with its first offices in Silicon Valley.

Press Release

Posted Sat, Jan 17 2009 3:47 by Don

Research In Motion has released Security Advisories KB17118 and KB17119 to address vulnerabilities in the PDF Distiller of the BlackBerry Attachment Service for BlackBerry Unite and BlackBerry Enterprise Server. The vulnerabilities are due to the improper processing of PDF files within the Distiller component of the BlackBerry Attachment Service. By convincing a user to open a maliciously crafted PDF attachment on a BlackBerry smartphone, an attacker may be able to execute arbitrary code on the system running the BlackBerry Attachment Service.

US-CERT encourages users to review BlackBerry Security Advisories KB17118 and KB17119 and apply the updates or implement the workarounds listed in the documents to help mitigate the risk.

US-CERT will provide additional information as it becomes available.

http://www.us-cert.gov/current/index.html#blackberry_security_advisories

Issued: January 13, 2009

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS08-066 - Important
  * MS08-037 - Important

Bulletin Information:

* MS08-066 - Important

  - http://www.microsoft.com/technet/security/bulletin/ms08-066.mspx
  - Reason for Revision: V1.1 (January 13, 2009): Added an entry to
    the section, Frequently Asked Questions (FAQ) Related to this
    Security Update, explaining this revision as a detection
    change for this security update. The corrected detection
    offers the security update to affected systems that
    previously were not offered this security update. Customers
    who have successfully updated their systems do not need to
    reinstall this update. 
  - Originally posted: October 14, 2008
  - Updated: January 13, 2009
  - Bulletin Severity Rating: Important
  - Version: 1.1
   
* MS08-037 - Important

  - http://www.microsoft.com/technet/security/bulletin/ms08-037.mspx
  - Reason for Revision: V2.3 (January 13, 2009): Added a new entry
    to the Frequently Asked Questions (FAQ) Related to This
    Security Update section to communicate the fix to a detection
    and deployment issue with Windows XP Service Pack 3. There
    were no changes to the binaries or packages for this update.
    Customers who have successfully updated their systems do not
    need to reinstall this update. 
  - Originally posted: July 8, 2008
  - Updated: January 13, 2009
  - Bulletin Severity Rating: Important
  - Version: 2.3
