July 2012 - Posts

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS11-092 - Critical
* MS12-004 - Critical
* MS12-013 - Critical
* MS12-020 - Critical
* MS12-024 - Critical
* MS12-034 - Critical
* MS12-043 - Critical
* MS12-045 - Critical

Bulletin Information:

* MS11-092 - Critical

- http://technet.microsoft.com/security/bulletin/ms11-092
- Reason for Revision: V1.1 (July 31, 2012): Bulletin revised
to announce a detection change in the Windows Vista packages
for KB2619339 to correct a Windows Update reoffering issue.
This is a detection change only. Customers who have already
successfully updated their systems do not need to take any
action.
- Originally posted: December 13, 2011
- Updated: July 31, 2012
- Bulletin Severity Rating: Critical
- Version: 1.1

* MS12-004 - Critical

- http://technet.microsoft.com/security/bulletin/ms12-004
- Reason for Revision: V1.3 (July 31, 2012): Bulletin revised
to announce a detection change in the Windows Vista packages
for KB2631813 and KB2598479 to correct a Windows Update
reoffering issue. This is a detection change only. Customers
who have already successfully updated their systems do not
need to take any action.
- Originally posted: January 10, 2012
- Updated: July 31, 2012
- Bulletin Severity Rating: Critical
- Version: 1.3

* MS12-013 - Critical

- http://technet.microsoft.com/security/bulletin/ms12-013
- Reason for Revision: V1.1 (July 31, 2012): Bulletin revised
to announce a detection change in the Windows Vista packages
for KB2654428 to correct a Windows Update reoffering issue.
This is a detection change only. Customers who have already
successfully updated their systems do not need to take any
action.
- Originally posted: February 14, 2012
- Updated: July 31, 2012
- Bulletin Severity Rating: Critical
- Version: 1.1

* MS12-020 - Critical

- http://technet.microsoft.com/security/bulletin/ms12-020
- Reason for Revision: V2.1 (July 31, 2012): Bulletin revised
to announce a detection change in the Windows Vista packages
for KB2621440 to correct a Windows Update reoffering issue.
This is a detection change only. Customers who have already
successfully updated their systems do not need to take any
action.
- Originally posted: March 13, 2012
- Updated: July 31, 2012
- Bulletin Severity Rating: Critical
- Version: 2.1

* MS12-024 - Critical

- http://technet.microsoft.com/security/bulletin/ms12-024
- Reason for Revision: V1.1 (July 31, 2012): Bulletin revised
to announce a detection change in the Windows Vista packages
for KB2653956 to correct a Windows Update reoffering issue.
This is a detection change only. Customers who have already
successfully updated their systems do not need to take any
action.
- Originally posted: April 10, 2012
- Updated: July 31, 2012
- Bulletin Severity Rating: Critical
- Version: 1.1

* MS12-034 - Critical

- http://technet.microsoft.com/security/bulletin/ms12-034
- Reason for Revision: V1.4 (July 31, 2012): Bulletin revised
to announce a detection change in the Windows Vista packages
for KB2676562 to correct a Windows Update reoffering issue.
This is a detection change only. Customers who have already
successfully updated their systems do not need to take any
action.
- Originally posted: May 8, 2012
- Updated: July 31, 2012
- Bulletin Severity Rating: Critical
- Version: 1.4

* MS12-043 - Critical

- http://technet.microsoft.com/security/bulletin/ms12-043
- Reason for Revision: V1.1 (July 31, 2012): Bulletin revised
to announce a detection change in the Windows Vista packages
for KB2719985 to correct a Windows Update reoffering issue.
This is a detection change only. Customers who have already
successfully updated their systems do not need to take any
action.
- Originally posted: July 10, 2012
- Updated: July 31, 2012
- Bulletin Severity Rating: Critical
- Version: 1.1

* MS12-045 - Critical

- http://technet.microsoft.com/security/bulletin/ms12-045
- Reason for Revision: V1.1 (July 31, 2012): Bulletin revised
to announce a detection change in the Windows Vista packages
for KB2698365 to correct a Windows Update reoffering issue.
This is a detection change only. Customers who have already
successfully updated their systems do not need to take any
action.
- Originally posted: July 10, 2012
- Updated: July 31, 2012
- Bulletin Severity Rating: Critical
- Version: 1.1

26 Internet Explorer
0 Restricted Sites
0 Firefox

15419 items in database

Posted Mon, Jul 30 2012 16:21 by Don

What is CoreSecure?

The Malwarebytes research team has determined that CoreSecure is a fake anti-malware application. These so-called "rogues" use intentional false positives to convince users that their systems have been compromised. Then they try to sell you their software, claiming it will remove these threats. In extreme cases the false threats are actually the very trojans that advertise or even directly install the rogue. You are strongly advised to follow our removal instructions.

http://forums.malwarebytes.org/index.php?showtopic=113262

Windows Ultra-Antivirus is a rogue anti-spyware program that displays false scan results, fake security warnings, and uses rootkits to prevent you from terminating or deleting the program. When installed it will be configured to start automatically when you login to Windows. Once started it performs a fake scan and then states that numerous files on your computer are infections. When you attempt to use the program to clean these infections, though, it states that you first need to purchase it before it will allow you to do so. As all of the infections are false, please ignore anything this program shows and instead continue with the rest of the removal guide.

http://www.bleepingcomputer.com/virus-removal/remove-windows-ultra-antivirus

2012-07-25
Adware
++ FalcoPickFlip + Win32.InCore ++ Win32.Krdr.g
Malware
++ Fraud.FedexWord + Fraud.PrivacIE
Trojans
+ Bancos + Banload ++ Bublik + Kazy.pdf ++ VisioSthelssss.br + Win32.Gamarue + Win32.Graftor.br ++ Win32.Grum + Win32.Muollo + Win32.OnLineGames.down + Win32.OnLineGames.gen + Win32.ZBot
Total: 2551737 fingerprints in 794659 rules for 6709 products.
http://www.safer-networking.org/en/index.html

Posted Wed, Jul 25 2012 6:08 by Don

What is VaccineForce?

The Malwarebytes research team has determined that VaccineForce is a fake anti-malware application. These so-called "rogues" use intentional false positives to convince users that their systems have been compromised. Then they try to sell you their software, claiming it will remove these threats. In extreme cases the false threats are actually the very trojans that advertise or even directly install the rogue.

http://forums.malwarebytes.org/index.php?showtopic=113106

Windows Active Guard is a computer infection from the Rogue.FakeVimes family of rogue anti-spyware programs. This program is classified as a rogue because it deliberately displays fake security alerts, fake scan results, and does not allow you to use your computer normally until you purchase the program. This family of rogues is promoted using three methods. The first method is through web sites that display an advertisement that pretends to be an online anti-malware scanner. When the advertisement is finished, it will state that your computer is infected and that you should download Windows Active Guard in order to clean your computer. The second method is to install the infection without your knowledge or permission when you visit web sites that have been hacked to display malicious code. This code will attempt to exploit vulnerabilities in Windows, Flash, Shockwave, Java, or Adobe Acrobat so that the malicious code can automatically install the software onto your computer without your permission. The final method is through Trojans that pretend to be a video codec or other software that is required to view an online video.

http://www.bleepingcomputer.com/virus-removal/remove-windows-active-guard

Windows Security System is a rogue anti-spyware program from the Rogue.Contra family. This rogue displays fake scan results and warnings in order to scare you into thinking your computer is infected. This program is installed via two methods. The first method is Trojans that download and install the program on to your computer without your permission. The second are fake online scanners that state your computer is infected and then prompt you to download and install the program.

When installed, the rogue will also create numerous harmless files in your Windows Temp folder that will then be detected as malware when Windows Security System attempts to scan your computer. If you attempt to use the program to remove any of the files it detects as infections, it will state that you need to purchase the program before you can do so. As all of the files it detects as infections are harmless or legitimate Windows files, please disregard the scan results and do not purchase the program.

http://www.bleepingcomputer.com/virus-removal/remove-windows-security-system

Windows Security Renewal is a fake anti-virus program that is part of the Rogue.FakeVimes family of computer infections. This program is classified as a rogue anti-spyware program because it deliberately displays fake security warnings, fake scan results, and makes it so you are unable to use your computer normally. This family of rogue programs is promoted using three methods. The first method is through web sites that display an advertisement that pretends to be an online anti-malware scanner. When the advertisement is finished, it will state that your computer is infected and that you should download Windows Security Renewal in order to clean your computer. The second method is to install the infection without your knowledge or permission when you visit web sites that have been hacked to display malicious code. This code will attempt to exploit vulnerabilities in Windows, Flash, Shockwave, Java, or Adobe Acrobat so that the malicious code can automatically install the software onto your computer without your permission. The final method is through Trojans that pretend to be a video codec or other software that is required to view an online video.

http://www.bleepingcomputer.com/virus-removal/remove-windows-security-renewal

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

* MS12-044 - Critical

Bulletin Information:

* MS12-044 - Critical

- http://technet.microsoft.com/security/bulletin/ms12-044
- Reason for Revision: V1.1 (July 18, 2012): Removed erroneous
update FAQ pertaining to the applicability for this update on
systems running Windows 8 Release Preview and Windows Server
2012 Release Candidate. Windows 8 Release Preview and Windows
Server 2012 Release Candidate are not affected by the
vulnerabilities described in this bulletin.
- Originally posted: July 10, 2012
- Updated: July 18, 2012
- Bulletin Severity Rating: Critical
- Version: 1.1

Windows Home Patron is a computer infection from the Rogue.FakeVimes family of rogue anti-spyware programs. This family of infections is spread by three methods. The first method is hacked web sites that have malicious code inserted on them to infect users who visit them. The second method is through Trojans that pretend to be software required to view an online video. The last method is advertisements that pretend to be online anti-malware scanners that state you are infected and then prompt you to download and install the program.

When installed, Windows Home Patron will be configured to start automatically when you login to Windows. It will also create numerous entries in the Windows Registry that make it so you are unable to launch many of your legitimate security or Windows programs. It does this in order to protect itself from being removed by one of these programs.

Once started, the program will perform a fake scan of your computer and state that there are numerous infections present. If you attempt to remove any of these infections, though, the program will state that you first need to purchase it before it will allow you to do so. As these threats are either non-existent or harmless files, please ignore any of the scan results and instead remove this rogue via the guide below.

http://www.bleepingcomputer.com/virus-removal/remove-windows-home-patron

25 Internet Explorer
0 Restricted Sites
0 Firefox

15393 items in database

Posted Wed, Jul 18 2012 16:38 by Don

2012-07-18
Adware

+ Win32.InCore
Trojans
+ Bancos + Banload ++ Crypt.InfectRansom ++ Fake.MS.BHO ++ Win32.Dapato + Win32.Muollo + Win32.NrgBot.rtk + Win32.OnLineGames.gen + Win32.ZBot
Total: 2550601 fingerprints in 794445 rules for 6698 products.

http://www.safer-networking.org/en/index.html

Posted Wed, Jul 18 2012 5:20 by Don

http://www.mozilla.org/en-US/

Fixed in Firefox 14

MFSA 2012-56 Code execution through javascript: URLs

MFSA 2012-55 feed: URLs with an innerURI inherit security context of page

MFSA 2012-53 Content Security Policy 1.0 implementation errors cause data leakage

MFSA 2012-52 JSDependentString::undepend string conversion results in memory corruption

MFSA 2012-51 X-Frame-Options header ignored when duplicated

MFSA 2012-50 Out of bounds read in QCMS

MFSA 2012-49 Same-compartment Security Wrappers can be bypassed

MFSA 2012-48 use-after-free in nsGlobalWindow::PageHidden

MFSA 2012-47 Improper filtering of javascript in HTML feed-view

MFSA 2012-46 XSS through data: URLs

MFSA 2012-45 Spoofing issue with location

MFSA 2012-44 Gecko memory corruption

MFSA 2012-43 Incorrect URL displayed in addressbar through drag and drop

MFSA 2012-42 Miscellaneous memory safety hazards (rv:14.0/ rv:10.0.6)

What is BestSpeed?

The Malwarebytes research team has determined that BestSpeed is a fake anti-malware application. These so-called "rogues" use intentional false positives to convince users that their systems have been compromised. Then they try to sell you their software, claiming it will remove these threats. In extreme cases the false threats are actually the very trojans that advertise or even directly install the rogue.

http://forums.malwarebytes.org/index.php?showtopic=112641

Windows Virtual Firewall is a rogue anti-spyware program from the Rogue.FakeVimes family of computer infections. Programs from this family are spread via three methods. The first method is hacked web sites that host malicious scripts that attempt to exploit vulnerabilities on your computer to install Windows Virtual Firewall without your permission or knowledge. The second method is through Trojans that pretend to be a codec or software that is required to view an online video. The last method is through advertisements that pretend to be online anti-malware scanners that state your computer is infected and then prompt you to download and install the rogue to remove the detected threats.

While being installed, Windows Virtual Firewall will set itself to start automatically and will create numerous Windows Registry entries that make it so you are unable to launch your normal programs. When you attempt to launch one of your normal security programs, these Registry entries will instead launch the rogue and state that your programs are infected.

Once started, the program will perform a fake scan of your computer and state that there are numerous infections present. If you attempt to remove any of these infections, though, the program will state that you first need to purchase it before it will allow you to do so. As these threats are either non-existent or harmless files, please ignore any of the scan results and instead remove this rogue via the guide below.

http://www.bleepingcomputer.com/virus-removal/remove-windows-virtual-firewall

Windows Premium Defender is a computer infection from the Rogue.FakeVimes family of rogue anti-spyware programs. Programs from this family are spread via three methods. The first method is hacked web sites that host malicious scripts that attempt to exploit vulnerabilities on your computer to install Windows Premium Defender without your permission or knowledge. The second method is through Trojans that pretend to be a codec or software that is required to view an online video. The last method is through advertisements that pretend to be online anti-malware scanners that state your computer is infected and then prompt you to download and install the rogue to remove the detected threats.

While being installed, Windows Premium Defender will set itself to start automatically and will create numerous Windows Registry entries that make it so you are unable to launch your normal programs. When you attempt to launch one of your normal security programs, these Registry entries will instead launch the rogue and state that your programs are infected.

Once started, the program will perform a fake scan of your computer and state that there are numerous infections present. If you attempt to remove any of these infections, though, the program will state that you first need to purchase it before it will allow you to do so. As these threats are either non-existent or harmless files, please ignore any of the scan results and instead remove this rogue via the guide below.

http://www.bleepingcomputer.com/virus-removal/remove-windows-premium-defender

Windows Web Combat is a rogue anti-spyware program from the Rogue.FakeVimes family. This program is classified as a rogue as it displays false information in order to trick you into purchasing the program. This particular variant is spread via three methods. The first method is the use of hacked web sites that exploit visitors' vulnerable programs in order to install the rogue without their permission. The second method uses web sites that display fake online anti-malware scanners that pretend to scan your computer, state that it is infected, and then prompt you to download and install Windows Web Combat in order to clean it. The last method is through the use of Trojans that pretend to be software required to view an online video.

Once the rogue is installed on your computer it will be configured to start automatically when Windows starts. Once started it will perform a fake scan and then state that there are numerous infections present. If you attempt to use the program to remove these infections, though, it will state that you first need to purchase it before it can do so. This is a scam as the scan results are all fake, and in many cases, the infected files do not even exist on your computer. Therefore, please ignore the scan results and do not purchase the program.

http://www.bleepingcomputer.com/virus-removal/remove-windows-web-combat

Windows Virtual Angel is a computer infection from the Rogue.FakeVimes family of rogue anti-spyware programs. This infection is classified as a rogue because it purposely displays false scan results, hijacks your computer so that you are unable to run your normal applications, and displays fake security warnings to scare you into thinking you are infected. This family of infections is spread via three methods. The first method is through web sites that have been hacked to display malicious code that installs the rogue on to your computer without your knowledge or permission. The second method uses online advertisements that pretend to be online anti-malware scanners that state that you are infected and then prompt you to download and install Windows Virtual Angel in order to clean it. The final method is through the use of Trojans that pretend to be software required to view an online video.

Once the rogue is installed on your computer it will be configured to start automatically when Windows starts. Once started it will perform a fake scan and then state that there are numerous infections present. If you attempt to use the program to remove these infections, though, it will state that you first need to purchase it before it can do so. This is a scam as the scan results are all fake, and in many cases, the infected files do not even exist on your computer. Therefore, please ignore the scan results and do not purchase the program.

http://www.bleepingcomputer.com/virus-removal/remove-windows-virtual-angel

File Recovery is a computer infection from the Rogue.FakeHDD family of scareware programs. This family of computer infections pretends to be hard drive diagnostic and repair programs that scan your hard drives for errors and then allow you to fix them. In reality, though, this program is a computer virus that displays false information, hijacks your computer, and hides your files and Windows start menu in order to make you think that your hard drive is failing. This family of computer infections is spread through Trojans that display fake error messages on your computer. When you click on one of these messages it will then launch the File Recovery program in the hopes that you will purchase it.

Once installed, File Recovery will be configured to start automatically when you login to Windows. Once started, it will pretend to perform a Check routine that supposedly examines your hard drive for errors. When it has finished it will present you with a Repair screen that displays a summary of the issues you supposedly have with your computer and hard drives. If you attempt to repair any of these problems using File Recovery, though, it will first state that you need to purchase the program before it will allow you to do so. Some of the hard drive problems that it will display include:

Hard drive boot sector reading error
System blocks were not found
Error 0x00000024 - NTFS_FILE_SYSTEM
Error 0x00000078 - INACCESSIBLE_BOOT_DEVICE
Error 0x0000002E - DATA_BUS_ERROR
Error 0x00000050 - PAGE_FAULT_IN_NONPAGED_AREA
The DRM attribute value is too small before disk scan

As this program is a scam, do not be scared into purchasing the program when you see these alerts.

http://www.bleepingcomputer.com/virus-removal/remove-file-recovery
