DP's Security Bits

An investigation into the Conficker worm published last week by security researchers at SRI International highlighted the technical ability of the worm's coders and the danger posed when the program starts checking a greatly expanded list of Internet drop sites come April 1.

In their Conficker C Analysis, three researchers at SRI International found that the latest update to the Conficker worm, which started appearing on compromised systems on March 5, changed more than 80 percent of the B-version of the worm's code. Computer systems infected with the new version version — dubbed Conficker.C and Downadup.C by different security firms — will begin generating a list of 50,000 psuedo-random domain names every day starting April 1 and attempt to download new commands from 500 of those domains.

In addition, the worm program blocks security software, distributes code by creating a peer-to-peer network, and attempts to prevent anyone but the authors from updating its code by authenticating updates using a hash algorithm — known as MD6 — that is only a few months old. The collection of those capabilities worried the researchers.

"In the best case, Conficker may be used as a sustained and profitable platform for massive Internet fraud and theft," wrote Phillip Porras, Hassen Saidi and Vinod Yegneswaran, all of SRI International. "In the worst case, Conficker could be turned into a powerful offensive weapon for performing concerted information warfare attacks that could disrupt, not just countries, but the Internet itself."

http://www.securityfocus.com/brief/935

Fixed in Firefox 3.0.8

MFSA 2009-13 Arbitrary code execution through XUL <tree> element
MFSA 2009-12 XSL Transformation vulnerability

http://www.mozilla.org/security/known-vulnerabilities/firefox30.html#firefox3.0.8

Cisco has released multiple security advisories to address vulnerabilities in IOS Software. These vulnerabilities may allow an attacker to cause a denial-of-service condition, interfere with network traffic, or operate with escalated privileges.

US-CERT encourages users and administrators to review the following Cisco security advisories and apply any necessary workarounds or updates to help mitigate the risks.

• cisco-sa-20090325-udp : Cisco IOS Software Multiple Features Crafted UDP Packet Vulnerability
• cisco-sa-20090325-tcp : Cisco IOS Software Multiple Features Crafted TCP Sequence Vulnerability
• cisco-sa-20090325-ip : Cisco IOS Software Multiple Features IP Sockets Vulnerability
• cisco-sa-20090325-webvpn : Cisco IOS Software WebVPN and SSLVPN Vulnerabilities
• cisco-sa-20090325-mobileip : Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
• cisco-sa-20090325-scp : Cisco IOS Software Secure Copy Privilege Escalation Vulnerability
• cisco-sa-20090325-sip : Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability
• cisco-sa-20090325-ctcp : Cisco IOS cTCP Denial of Service Vulnerability

http://www.us-cert.gov/current/index.html#cisco_releases_multiple_security_advisory

Sun Microsystems has released an alert to address multiple vulnerabilities in the Java System Identity Manager. These vulnerabilities may allow an attacker to execute arbitrary commands, conduct cross-site scripting attacks, modify configuration settings, or obtain sensitive information.

US-CERT encourages users and administrators to review Sun Alert 253567 and apply any necessary patches.

http://www.us-cert.gov/current/index.html#sun_releases_alert_for_java

Effective March 31, 2009, technical support and Definitions File updates for the following products will be discontinued:

Ad-Aware SE Plus
Ad-Aware SE Professional
Ad-Aware SE Enterprise

As Definitions File threat updates for Ad-Aware SE will not be issued after this date, please upgrade to the latest version of Ad-Aware – Ad-Aware Anniversary Edition – in order to stay protected from online threats.

Lavasoft Announcement

Issued: March 18, 2009

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS09-004 - Important
* MS08-040 - Important

Bulletin Information:

* MS09-004 - Important

- http://www.microsoft.com/technet/security/bulletin/ms09-004.mspx
- Reason for Revision: V1.2 (March 18, 2009): Corrected product
instance names from "ADMT" and "ADS" to "MS_ADMT" and
"MicrosoftADS", respectively. These are instance names
referenced in the Security Update Deployment section for the
Microsoft SQL Server 2000 Desktop Engine (WMSDE). This is an
informational change only that does not affect the files
contained in the update. Customers who have successfully
updated their systems do not need to reinstall this update.
- Originally posted: February 10, 2009
- Updated: March 18, 2009
- Bulletin Severity Rating: Important
- Version: 1.2

* MS08-040 - Important

- http://www.microsoft.com/technet/security/bulletin/ms08-040.mspx
- Reason for Revision: V1.9 (March 18, 2009): Corrected product
instance names from "ADMT" and "ADS" to "MS_ADMT" and
"MicrosoftADS", respectively. These are instance names
referenced in the Security Update Deployment section for the
Microsoft SQL Server 2000 Desktop Engine (WMSDE). This is an
informational change only that does not affect the files
contained in the update. Customers who have successfully
updated their systems do not need to reinstall this update.
- Originally posted: July 8, 2008
- Updated: March 18, 2009
- Bulletin Severity Rating: Important
- Version: 1.9

US-CERT is aware of reports of a vulnerability that affects the Autonomy KeyView SDK wp6sr.dll library. This library is used by certain products, including Lotus Notes and Symantec, to support the handling of Word Perfect documents. By convincing a user to open a specially crafted Word Perfect document with an application using the affected Autonomy KeyView SDK library, a remote attacker may be able to execute arbitrary code.

US-CERT encourages users and administrators to do the following to help mitigate the risks:

• IBM Lotus Notes users should review the IBM Flash Alert and implement the listed fixes or workarounds.
• Symantec users should review Symantec Security Advisory SYM09-004 and implement the listed fixes or workarounds.
• Registered Autonomy Users should review the related Autonomy alert (login required).

Full Details

Summary

Critical vulnerabilities have been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that one of these issues is being exploited (CVE-2009-0658).

Adobe recommends users of Adobe Reader and Acrobat 9 update to Adobe Reader 9.1 and Acrobat 9.1. Adobe recommends users of Acrobat 8 update to Acrobat 8.1.4, and users of Acrobat 7 update to Acrobat 7.1.1. For Adobe Reader users who can’t update to Adobe Reader 9.1, Adobe has provided the Adobe Reader 8.1.4 and Adobe Reader 7.1.1 updates.

These updates resolve the issue from Security Advisory APSA09-01 and Security Bulletin APSB09-03. Users who have previously updated to Adobe Reader 9.1 and Acrobat 9.1 for Windows and Macintosh need not take any action. Adobe now plans to make available Adobe Reader 9.1 and Adobe Reader 8.1.4 for Unix by March 24.

Affected software versions

Adobe Reader 9 and earlier versions
Adobe Acrobat 9 Standard, Pro, and Pro Extended and earlier versions

Security Bulletin Full Details

US-CERT is aware of public reports of malicious code circulating via spam email messages related to bogus terror attacks in the recipient's local area. These messages use subject lines implying that a fatal bomb attack has occurred near the recipient and contain a link to "breaking news." Users who click on the link will be taken to a site posing as a Reuters news article that contains a bogus news story about the fatal bomb attack. The systems serving the bogus news story check a visiting user's IP address to obtain a geographical location to insert a nearby placename into the bogus article. The articles also contain links to video content, claiming that the latest Flash Player is required to view the video. If users attempt to update or install the Flash Player from the link provided in the article, their systems may become infected with malicious code.

US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:

• Install antivirus software, and keep the virus signatures up to date.
• Do not follow unsolicited links and do not open unsolicited email messages.
• Use caution when visiting untrusted websites.
• Use caution when downloading and installing applications.
• Obtain software applications and updates directly from the vendor's website.
• Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

http://www.us-cert.gov/current/index.html#waledac_trojan_horse_spam_campaign

Issued: March 11, 2009

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS09-008 - Important

Bulletin Information:

* MS09-008 - Important

- http://www.microsoft.com/technet/security/bulletin/ms09-008.mspx
- Reason for Revision: V1.1 (March 11, 2009): Clarified that
CVE-2009-0093 does not apply to supported editions of Windows
Server 2008. Added a link to Microsoft Knowledge Base Article
962238 under Known Issues in the Executive Summary. Clarified
what systems are primarily at risk for CVE-2009-2033.
Finally, updated a finder acknowledgment for CVE-2009-0233
and CVE-2009-0234.
- Originally posted: March 10, 2009
- Updated: March 11, 2009
- Bulletin Severity Rating: Important
- Version: 1.1

Issued: March 11, 2009

Security Advisories Updated or Released Today

* Microsoft Security Advisory (953839)
- Title: Update Rollup for ActiveX Kill Bits
- http://www.microsoft.com/technet/security/advisory/953839.mspx
- Revision Note: March 11, 2009: Added an entry to Frequently
Asked Questions to communicate that for the purpose of
automatic updating, this update does not replace the
Cumulative Security Update of ActiveX Kill Bits (950760) that
is described in Microsoft Security Bulletin MS08-032.

Summary

A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited.

Adobe recommends users of Adobe Reader and Acrobat 9 update to Adobe Reader 9.1 and Acrobat 9.1. Adobe is planning to make available updates for Adobe Reader 7 and 8, and Acrobat 7 and 8, by March 18. In addition, Adobe plans to make available Adobe Reader 9.1 for Unix by March 25.

Affected software versions

Adobe Reader 9 and earlier versions
Adobe Acrobat 9 Standard, Pro, and Pro Extended and earlier versions

Adobe Security Bulletin

US-CERT is aware of public reports of two new attack vectors for a vulnerability affecting Adobe Reader and Acrobat. This vulnerability is due to a buffer overflow condition that exists in the way Adobe Acrobat Reader handles JBIG2 Streams.

When Adobe Reader is installed on a system, it adds an IFilter that allows applications such as the Windows Indexing Service to index PDF files. If the Windows Indexing Service processes a malicious PDF file stored on the system, the vulnerability can be exploited. Exploitation using this technique can require little to no user interaction.

In addition to adding an IFilter, the Adobe Acrobat and Reader installation process adds a Windows Explorer Shell Extension. If Windows Explorer displays a folder that contains a malicious PDF file, the vulnerability can be exploited. Exploitation using this technique also requires little to no user interaction.

US-CERT encourages users and administrators to incorporate the following workarounds to help mitigate the risks:

• Locate and unregister the Adobe Reader IFilter using: regsvr32 /u AcroRdIF.dll
• Locate and unregister the Adobe Acrobat IFilter using: regsvr32 /u AcroIF.dll
  
• Disable Adobe Acrobat Windows Shell integration to help mitigate the risk. This can be disabled by executing the following command: regsvr32 /u "%CommonProgramFiles%\Adobe\Acrobat\ActiveX\pdfshell.dll"
  

Additional information about the Adobe Reader and Acrobat JBIG2 vulnerability can be found in the Vulnerability Notes Database.

US-CERT will provide additional information as it becomes available.

Issued: March 10, 2009

Summary

The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

  * MS08-052 - Critical

Bulletin Information:

* MS08-052 - Critical

 - http://www.microsoft.com/technet/security/bulletin/ms08-052.mspx
 - Reason for Revision: V4.0 (March 10, 2009): Added entry in the
    Frequently Asked Questions (FAQ) Related to this Security
    Update section to communicate the rerelease of the update
    packages for Windows XP Service Pack 3 and Windows Server
    2003 Service Pack 2 to fix an installation issue. Customers
    who have already successfully installed the original updates
    for Windows XP Service Pack 3 or Windows Server 2003 Service
    Pack 2 do not need to reinstall the new updates. 
 - Originally posted: September 9, 2008
 - Updated: March 10, 2009
 - Bulletin Severity Rating: Critical
 - Version: 4.0

See the Microsoft Security Response Center (MSRC) Blog for a short, five to ten minute overview of the bulletins we have released. These clips will focus on the severity of the issue and the exploitability index ratings we have assigned them in order to help you get a quick understanding of the impact to your environment.

Event Overview

On March, 11, 2009, Microsoft releases its monthly security bulletins. Join us for a brief overview of the technical details of the March bulletins. We intend to address your concerns in this webcast, therefore, most of the webcast is devoted to attendees asking questions about the bulletins and getting answers from Microsoft security experts.

Presenters: Adrian Stone, Senior Security Program Manager Lead, Microsoft Corporation and Steve Adegbite, Senior Security Program Manager Lead, Microsoft Corporation

Register Online

Updated: March 10, 2009

New Additions

We have added detection and cleaning capabilities for the following malicious software:

See the complete list of malicious software cleaned by this tool.

http://www.microsoft.com/security/malwareremove/default.mspx

Note: There may be latency issues due to replication, if the page does not display keep refreshing
March 10

Today Microsoft released the following Security Bulletin(s). 

Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.

Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.

March Bulletin Summary

Critical (1)

MS09-006 -  Vulnerabilities in Windows Kernel Could Allow Remote Code Execution (958690)

Important (2)

MS09-007 -  Vulnerability in SChannel Could Allow Spoofing (960225)
MS09-008 -  Vulnerabilities in DNS and WINS Server Could Allow Spoofing (962238)

This represents our regularly scheduled monthly bulletin release (second Tuesday of each month). Please note that Microsoft may release bulletins out side of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.

The Conficker worm, which checks 250 different domains each day for an update, could become a lot harder to stop, if those responsible for the malicious program can get their latest code to infected computers.

The software module, discovered on Friday and initially dubbed Downadup.C and Conficker.C, causes Conficker-infected computers to search — not 250 — but 50,000 different domains each day for updates. Last month, Microsoft teamed up with security firms and domain registrars to block the 250 new domains that the worms each day. The group, called the Conficker Cabal, will be hard pressed to block infected PCs attempts to update from 50,000 different domains.

http://www.securityfocus.com/brief/923

US-CERT is aware of reports of economic stimulus scams circulating. These scams are being conducted through both email and malicious websites.

Some of the email scam messages request personal information, which can then be used for identity theft. Other email scam messages offer to deposit the stimulus funds directly into users' bank accounts. If users provide their banking information, the attackers may be able to withdraw funds from the users' accounts.

The website scams entice users by claiming that they can help them get money from the stimulus fund. These websites typically request payment for their services. If users provide their credit card information, the attackers running the malicious sites may make unauthorized charges to the card, or charge users more than the agreed upon terms.

US-CERT encourages users to do the following to help mitigate the risks:

• Review the Federal Trade Commission alert about economic stimulus scams.
• Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

http://www.us-cert.gov/current/index.html#economic_stimulus_email_and_website