September 2009 - Posts

Websense Security Labs™ ThreatSeeker Network has detected that Google searches on terms related to Google Wave return results that lead to a rogue antivirus. Google Wave is the much talked-about, latest API hitting the collaboration scene today.

There's a lot of hype about the launch of Google Wave, not only because of the 'new' things it offers but also because Google invited only 100,000 lucky users to test the service. With that said, it's no surprise that users are enticed to this new application. Unfortunately, it's also no surprise that the bad guys are using this hype to manipulate search results.

Alert Details

Posted Wed, Sep 30 2009 16:17 by Don | with no comments

Websense Security Labs™ ThreatSeeker™ Network has discovered that search engine results for information on how to download Microsoft's recently released Security Essentials tool are returning links to Web sites that serve rogue AV.

Malware authors have used Search Engine Optimization (SEO) techniques to mix rogue search results in with legitimate results. For example, one of the rogue links is directly under a MSDN blog entry discussing Microsoft Security Essentials. The rogue redirects are hosted on compromised Web sites, including a Canadian publisher's Web site and the British Travel Health Association.

When a user browses to the compromised Web sites, so long as they have been referred by a search engine, they are redirected to malicious Web sites with domain names such as computer-scanner21 and computervirusscanner31.

An example of one of the payload files shows that AV detection is low. One such file is named Soft_71.exe (SHA1: 4e58a12a9f722be0712517a0475fda60a8e94fdc).
If the user downloads the application, a file with the extension .tif is downloaded into the "program files\TS" directory; the .tif file is then decrypted/decompressed and split into TSC.exe and system.dat.
The payload then executes "tsc.exe -dltest", which apparently connects to a NASA Web site to check Internet connectivity.
Finally, "tsc.exe" is executed with no parameters, and the rogue AV starts (in the background the original file is deleted).

Since yesterday the Websense ThreatSeeker Network has been monitoring SEO poisoning of search terms related to Microsoft Security Essentials. It appears that the malware authors set up a trial run of SEO poisoning techniques, before converting the redirects to deliver rogue applications today.

Alert Details

Posted Wed, Sep 30 2009 14:16 by Don | with no comments

REDMOND, Wash. — Sept. 28, 2009 — Microsoft Security Essentials, Microsoft Corp.’s new no-cost, core anti-malware service that helps protect consumers against viruses, spyware and other malicious software, will be available tomorrow, Tuesday, Sept. 29. Microsoft Security Essentials, independently certified by West Coast Labs, is backed by the company’s global security response team and is built on the same award-winning core security technology found in the company’s security solutions for businesses. It requires no registration, trials or renewals and will be available for download directly from Microsoft at http://www.microsoft.com/security_essentials.

Press Release

Posted Tue, Sep 29 2009 1:11 by Don | with no comments

Issued: September 23, 2009

Security Advisories Updated or Released Today

* Microsoft Security Advisory (975497)
- Title: Vulnerabilities in SMB Could Allow Remote
Code Execution
- http://www.microsoft.com/technet/security/advisory/975497.mspx
- Revision Note: V1.2 (September 23, 2009): Clarified the
FAQ, What is Server Message Block Version 2 (SMBv2)? Also
clarified the impact of the workaround, Disable SMB v2.

Websense® Security Labs™ ThreatSeeker™ Network discovered a new spam campaign that is targeting players of the Monopoly game.

The Monopoly World Championships take place every four years, and Las Vegas is the host city of 2009. Because the Monopoly Regional Championships are going on all over the world and many Monopoly enthusiasts take part, the spammers utilize this chance to play their tricks.

Our email honeypot systems detected over 30 thousand Monopoly spam messages on September 21, 2009 alone. The spam uses a social networking technique to "invite" you to play the online board game. It then provides a link to the fake Monopoly game download site, which in fact downloads a Trojan.

Alert Details

Posted Mon, Sep 21 2009 17:16 by Don | with no comments

Web 2.0 sites that allow user-generated content make up the majority of top distributors of malicious software, stated a report that security firm Websense published this week.

The report, which covers Internet security trends for the first half of 2009, found that a stunning 95 percent of user-generated comments to blogs, chat rooms and message boards are either spam or contain links to malicious programs. In all, the number of malicious sites detected by Websense more than tripled in the last six months, growing almost eight-fold in the last year. The report also found that more than three-quarters of the Web sites hosting some malicious code are legitimate sites that have been compromised.

"The very aspects of Web 2.0 sites that have made them so revolutionary -- the dynamic nature of the content on the sites, the ability for anyone to easily create and post content, and the trust that users have for others in their online networks -- are the same characteristics that radically raise the potential for abuse," the company stated in the report.

The report echoed a recent survey by researchers from TippingPoint and Qualys, who found that legitimate Web sites are failing to patch significant vulnerabilities, leaving themselves open to compromise.

The Websense report found that 61 of the Top 100 Web sites "either hosted malicious content or contained a masked redirect to lure unsuspecting victims from legitimate sites to malicious content."

SecurityFocus

Posted Fri, Sep 18 2009 19:37 by Don | with no comments

Adobe has released security bulletin APSB09-14 to address a vulnerability in RoboHelp Server 8. This vulnerability may allow a remote attacker to execute arbitrary code.

US-CERT encourages users and administrators to review Adobe security bulletin APSB09-14 and apply any necessary updates.

Source: US-CERT

Issued: September 17, 2009

Security Advisories Updated or Released Today

* Microsoft Security Advisory (975497)
- Title: Vulnerabilities in SMB Could Allow Remote
Code Execution
- http://www.microsoft.com/technet/security/advisory/975497.mspx
- Revision Note: V1.1 (September 17, 2009): Clarified the
FAQ, What is SMBv2? Added a link to Microsoft Knowledge Base
Article 975497 to provide an automated Microsoft Fix it
solution for the workaround, Disable SMB v2.

Issued: September 16, 2009

Summary

The following bulletin has undergone a minor revision increment.
Please see the following information for more details.

* MS09-047 - Critical

Bulletin Information:

* MS09-047 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-047.mspx
- Reason for Revision: V1.1 (September 16, 2009): Corrected the
list of bulletins replaced by the update for Windows Media
Format Runtime, under Microsoft Windows 2000, Windows XP, and
Windows Server 2003.
- Originally posted: September 8, 2009
- Updated: September 16, 2009
- Bulletin Severity Rating: Critical
- Version: 1.1

Firefox 3.5.3 is released.

Fixed in Firefox 3.5.3:
MFSA 2009-51 Chrome privilege escalation with FeedWriter
MFSA 2009-50 Location bar spoofing via tall line-height Unicode characters
MFSA 2009-49 TreeColumns dangling pointer vulnerability
MFSA 2009-47 Crashes with evidence of memory corruption (rv:1.9.1.3/1.9.0.14)

Posted Thu, Sep 10 2009 5:37 by Don | with no comments

Issued: September 9, 2009

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS09-049 - Critical
* MS09-045 - Critical

Bulletin Information:

* MS09-049 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-049.mspx
- Reason for Revision: V1.1 (September 9, 2009): Revised the
description for Wireless Frame Parsing Remote Code Execution
Vulnerability (CVE-2009-1132) to clarify exploit conditions.
- Originally posted: September 8, 2009
- Updated: September 9, 2009
- Bulletin Severity Rating: Critical
- Version: 1.1

* MS09-045 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-045.mspx
- Reason for Revision: V1.1 (September 9, 2009): Corrected the
update package file name for JScript 5.6 on all supported
x64-based editions of Windows Server 2003.
- Originally posted: September 8, 2009
- Updated: September 9, 2009
- Bulletin Severity Rating: Critical
- Version: 1.1

Issued: September 9, 2009

Summary

The following bulletin has undergone a major revision increment.
Please see the appropriate bulletin for more details.

* MS09-048 - Critical

Bulletin Information:

* MS09-048 - Critical

- http://www.microsoft.com/technet/security/bulletin/ms09-048.mspx
- Reason for Revision: V2.0 (September 9, 2009): Added Windows XP
Service Pack 2, Windows XP Service Pack 3, and Windows XP
Professional x64 Edition Service Pack 2 to the Affected
Software table. Also added entries to the section, Frequently
Asked Questions (FAQ) Related to This Security Update,
explaining why Microsoft is not releasing updates for the
affected Windows XP editions, and clarifying the scope of the
updates for the denial of service vulnerabilities. There were
no changes to the security updates offered in this bulletin.
- Originally posted: September 8, 2009
- Updated: September 9, 2009
- Bulletin Severity Rating: Critical
- Version: 2.0

Issued: September 8, 2009

Summary

The following bulletin has undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS09-035 - Moderate

Bulletin Information:

* MS09-035 - Moderate

- http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx
- Reason for Revision: V2.3 (September 8, 2009): Added a new entry
to the section, Frequently Asked Questions (FAQ) Related to
This Security Update, to communicate that Microsoft Knowledge
Base Article 969706 has been revised to change the known
issue KB974223 to KB974479, in order to offer a non-security
update to fix the issue.
- Originally posted: July 28, 2009
- Updated: September 8, 2009
- Bulletin Severity Rating: Moderate
- Version: 2.3

Issued: September 8, 2009

Security Advisory Released Today

* Microsoft Security Advisory (975497)
- Title: Vulnerabilities in SMB Could Allow Remote
Code Execution
- http://www.microsoft.com/technet/security/advisory/975497.mspx
- Revision Note: V1.0 (September 8, 2009): Advisory published.

Language(s): English.
Product(s): Security.
Audience(s): IT Generalist.
Duration: 90 Minutes
Start Date:
Wednesday, September 09, 2009 11:00 AM Pacific Time (US & Canada)

Event Overview

On September 9, 2009, Microsoft releases its monthly security bulletins. Join us for a brief overview of the technical details of the September security bulletins. We intend to address your concerns in this webcast, therefore, most of the webcast is devoted to attendees asking questions about the bulletins and getting answers from Microsoft security experts.

Presenters: Jerry Bryant, Senior Security Program Manager Lead, Microsoft Corporation and Adrian Stone, Senior Security Program Manager Lead, Microsoft Corporation

Register Online

Posted Tue, Sep 8 2009 14:15 by Don | with no comments

Note: there may be latency issues due to replication; if the page does not display, keep refreshing.

Today Microsoft released the following Security Bulletin(s).

Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.

Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.

Bulletin Summary:

www.microsoft.com/technet/securi···sep.mspx

Critical (5)

Microsoft Security Bulletin MS09-045
Vulnerability in JScript Scripting Engine Could Allow Remote Code Execution (971961)
www.microsoft.com/technet/securi···045.mspx

Microsoft Security Bulletin MS09-049
Vulnerability in Wireless LAN AutoConfig Service Could Allow Remote Code Execution (970710)
www.microsoft.com/technet/securi···049.mspx

Microsoft Security Bulletin MS09-047
Vulnerabilities in Windows Media Format Could Allow Remote Code Execution (973812)
www.microsoft.com/technet/securi···047.mspx

Microsoft Security Bulletin MS09-048
Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)
www.microsoft.com/technet/securi···048.mspx

Microsoft Security Bulletin MS09-046
Vulnerability in DHTML Editing Component ActiveX Control Could Allow Remote Code Execution (956844)
www.microsoft.com/technet/securi···046.mspx

Please note that Microsoft may release bulletins outside of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation after reading the above listed bulletins, you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.

As always, download the updates only from the vendor's Web site: visit the Windows Update, Office Update or Microsoft Update Web sites. You may also get the updates through the Automatic Updates functionality in Windows.

Security Tool
Find out if you are missing important Microsoft product updates by using MBSA


Websense Security Labs™ ThreatSeeker Network has detected that Google searches on terms related to Labor Day sales return results that lead to rogue antivirus software. Labor Day is one of the biggest holidays observed in the US each year. Retail sales events held during this weekend are some of the most anticipated throughout the country.

When Google is used to search for terms related to Labor Day sales, malicious URLs appear as high as the first result. Upon clicking an affected search-result link, JavaScript code redirects the user to a Web site advising them that their machine is infected with viruses. It then proceeds to offer free (rogue/fake) AV software. AOL and ASK.com are affected in a similar way.
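The referrer-conditional redirect described here, and in the Microsoft Security Essentials alert above, gives a site owner a simple self-check: fetch a page once with no Referer and once with a search-engine Referer, then compare where you land and what you get. The script below is an added example, not Websense's code; `detect_referrer_cloaking`, the `Fetcher` type and the sample referrer URLs are assumptions, and the constructed fake fetcher used for testing stands in for live sites.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed search-engine Referer values; the alerts name Google, AOL and
# ASK.com as the engines whose results were poisoned.
SEARCH_REFERRERS: List[str] = [
    "http://www.google.com/search?q=microsoft+security+essentials",
    "http://search.aol.com/aol/search?q=labor+day+sales",
    "http://www.ask.com/web?q=labor+day+sales",
]
UA = "Mozilla/5.0"  # keep the User-Agent fixed so that only the Referer varies

# A fetcher takes (url, headers) and returns (final URL after redirects, body).
Fetcher = Callable[[str, Dict[str, str]], Tuple[str, bytes]]


def urllib_fetch(url: str, headers: Dict[str, str]) -> Tuple[str, bytes]:
    """Live fetcher for real use; urllib follows HTTP redirects automatically."""
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.geturl(), resp.read()


def detect_referrer_cloaking(url: str, fetch: Fetcher = urllib_fetch) -> dict:
    """Compare a direct visit against visits that claim to arrive from a
    search engine. A compromised page in these campaigns only redirects the
    search-engine visitor, so a differing final URL is a strong signal.
    An injected JavaScript redirect does not change the final URL, so it
    shows up as a differing body; that signal is weaker, because dynamic
    pages also differ, and is reported but not counted as cloaking."""
    base_url, base_body = fetch(url, {"User-Agent": UA})
    base_hash = hashlib.sha256(base_body).hexdigest()
    findings = []
    for ref in SEARCH_REFERRERS:
        final_url, body = fetch(url, {"User-Agent": UA, "Referer": ref})
        if final_url != base_url:
            findings.append({"referer": ref, "signal": "redirect", "to": final_url})
        elif hashlib.sha256(body).hexdigest() != base_hash:
            findings.append({"referer": ref, "signal": "body-differs", "to": final_url})
    redirected = any(f["signal"] == "redirect" for f in findings)
    return {"url": url, "baseline": base_url, "cloaked": redirected, "findings": findings}


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(detect_referrer_cloaking(sys.argv[1]), indent=2))
```

Run it against your own pages from a host that is not already flagged by the campaign; a "body-differs" finding deserves a manual diff of the two responses before it is treated as an infection.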

Alert Details

Posted Sat, Sep 5 2009 5:31 by Don | with no comments

Microsoft Security Bulletins to be issued: September 8, 2009

This is an advance notification of security bulletins that Microsoft is intending to release on September 8, 2009.

Microsoft is planning to release five security bulletins, all rated critical and all affecting Windows.

http://www.microsoft.com/technet/security/Bulletin/ms09-sep.mspx

Issued: September 1, 2009

Security Advisory Released Today

* Microsoft Security Advisory (975191)
- Title: Vulnerability in Internet Information
Services FTP Service Could Allow for Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/975191.mspx
- Revision Note: Advisory published.