Microsoft Office 2003 SP2 released

  Several Microsoft service packs were released for the Office 2003 product family.

Backdoor.Hesive - Uses Microsoft Access Jet Engine Vulnerability

  Please be careful with all email messages containing Microsoft Access attachments. This new exploit capitalizes on an unpatched Microsoft Jet Engine vulnerability that creates a compromise to system security until the Trojan Horse registry settings are corrected. 

This new Microsoft Access based exploit is very rare in the wild.  Still, it could could surprise individuals if another wave of emails were massively spammed.  Microsoft Access data base email attachments are usually thought of as being safe to open by most of us. 

We should always be cautious on ANY attachment type in unexpected email messages. The best practice is to never open attachments regardless of whether they appear safe or not. 

Backdoor.Hesive - Uses Microsoft Access Jet Engine Vulnerability
http://secunia.com/virus_information/21954/hesive/

Backdoor.Hesive is a Trojan horse that opens a back door on the compromised computer and allows a remote attacker unauthorized access. The Trojan may arrive as a Microsoft Access file that exploits the Microsoft Jet Database Engine Malformed Database File Buffer Overflow Vulnerability (described in Bugtraq ID 12960).


Microsoft Jet Database Engine Malformed Database File Buffer Overflow Vulnerability
http://www.securityfocus.com/bid/12960/info

Solution: Currently we are not aware of any vendor-supplied patches for this issue

Allows the remote attacker the ability to perform the following actions:

List active ports
List processes, services, and threads
Download and execute remote files
Upload files
Run a system shell
Modify registry values
End processes
Get system information
Get network information
Post collected data to hostile web site

Suclove.A - New version of LoveLetter virus emerges

  A new virus ressembling the social engineering approach of the Love Letter virus in May 2000 has emerged. This one is easy to block and more of a threat to home users.

InfoWorld - Corporate Spyware Product Evaluations

  F-Secure was the top corporate choice, based on it's real-time effectiveness in stopping a broad range of spyware and adware infections.

InfoWorld - Corporate Spyware Product Evaluations

F-Secure selected as top corporate Spyware product overall

QUOTE:   F-Secure Anti-Virus Client Security has one of the best, most comprehensive security bundles available, although it suffers a bit from a disjointed administration user interface. One of three anti-spyware solutions in this review that includes anti-virus capabilities in the same package, Anti-Virus Client Security’s real-time protection stopped all attempts to infect my test clients. Reporting is browser-based and provides ample predefined templates.  Because of its awesome real-time protection and overall performance, Anti-Virus Client Security 6 received the highest score of the ten products reviewed.

InfoWorld - Corporate Spyware Product Evaluations

  F-Secure was the top corporate choice, based on it's real-time effectiveness in stopping a broad range of spyware and adware infections.

InfoWorld - Corporate Spyware Product Evaluations

F-Secure selected as top corporate Spyware product overall

QUOTE:   F-Secure Anti-Virus Client Security has one of the best, most comprehensive security bundles available, although it suffers a bit from a disjointed administration user interface. One of three anti-spyware solutions in this review that includes anti-virus capabilities in the same package, Anti-Virus Client Security’s real-time protection stopped all attempts to infect my test clients. Reporting is browser-based and provides ample predefined templates.  Because of its awesome real-time protection and overall performance, Anti-Virus Client Security 6 received the highest score of the ten products reviewed.

Opera 8.50 browser - Adbar removed & latest security updates

 Opera 8.50 was recently improved to remove the adbar on the free version.  So far the new version is working well and presents no conflicts with IE 6 SP2 or Mozilla Firefox 1.5. 

Release Note

This release is a recommended security upgrade.

At a Glance

• Advertisement banner removed
• Registration options removed
• Updated end-user license agreement
• Browser JavaScript fixes broken Web sites on the fly

Changes since 8.02

User interface

• Removed advertising banners and all dialogs and menus related to advertising, registration, and license codes.
• Solved issue with Opera reverting explicit user setting to use program as handler rather than plug-in.
• Removed support for branded banners.

Security

• Fixed issue reported in Secunia Advisory 16645: Attachment URLs now used instead of cache URLs for viewing attachments.
• Fixed drag-and-drop vulnerability allowing unintentional file uploads. Issue reported by mikx.de.
• Improved handling of must-revalidate cache directive for HTTPS pages.
• Fixed display issue with cookie comment encoding.

Miscellaneous

• Included Browser JavaScript by default. On first run after install/upgrade, Opera will fetch a fresh browser.js file and start using it.
• Multiple stability fixes.

Download Link for version 8.50:

SANS: Bouncing Malware writeup featuring James Bond theme

The folks at the Internet Storm Center have an interesting series that illustrates the dangerous of advanced spyware threats.  This one is dedicated to the James Bond fans and provides an interesting account of the dangers in using the Internet without proper safeguards or precautions.

Follow the Bouncing Malware IX: eGOLDFINGER

Bagle Virus Spam Attack -- 11 new variants in one day

Earlier this week, the Bagle malware authors used an approach of creating a number of new viruses and spamming them massively in the wild.  Each new wave of infected emails contained a different variation of the virus which was designed to elude detection by AV vendors.  F-Secure set an all-time record will 11 releases in one day 

Excellent Writeup by F-Secure on September 20th

 Email-Worm.Win32.Bagle.cy (aka Bagle.BI)
 Email-Worm.Win32.Bagle.cz
 Email-Worm.Win32.Bagle.da
 Email-Worm.Win32.Bagle.db
 Email-Worm.Win32.Bagle.dc
 Email-Worm.Win32.Bagle.dd
 Email-Worm.Win32.Bagle.de
 Email-Worm.Win32.Bagle.df

Bagle.CI/CJ -- Multiple New Bagle Variants

MS05-039: W32.Iberio new PnP Internet worm

W32.Iberio is a worm with back door capabilities that spreads by exploiting the Microsoft Windows Plug and Play Buffer Overflow Vulnerability -- as described in Microsoft Security Bulletin MS05-039

Bagle.CZ - New variant using CPL extensions

  This new variant was massively spammed via email and while the downloader component doesn't appear to be working, this new variant can deactivate existing AV or FW software installed on the PC.  The CPL extensions are typically found inside of a zipped archieve. This modified variant bypasses detectability in most AV products and users should be cautious in handling email messages.

McAfee information on this massively spammed variant
http://vil.nai.com/vil/content/v_129588.htm

Trend information
http://secunia.com/virus_information/21411/trojbagle.cz/

Sophos information
http://www.sophos.com/virusinfo/analyses/trojdropperbc.html

ISC information
http://isc.sans.org/diary.php?storyid=665

Multiple new variants of this threat were recently mass spammed. Filenames include 1.cpl and price.cpl and may arrive in a ZIP file named newprice.zip , price_09.zip, price some number.zip , etc.  The variants seen thus far are non functional, and deemed a low risk. The first such variant drops a corrupt file (ceeweewe.exe) to the %windir%. The corrupt file is detected as W32/Bagle.dam. Detection will be enhanced in the 4580 DAT release to detect and delete these newly discovered damaged variants. This is a generic detection covering many variants of the W32/Bagle@MM virus when sent in "CPL" format.

Mozilla Firefox - IDN Patch corrects critical vulnerabilities

  One day after public disclosure of the vulnerability, an XPI patch was provided that deactivates IDN processing. This tested out well for me 

Mozilla Firefox - IDN Patch corrects critical vulnerabilities
https://addons.mozilla.org/messages/307259.html

On September 9, the Mozilla team released a configuration change which, as a temporary measure to work around this problem, disables IDN in the browser. IDN functionality will be restored in a future product update. The fix is either a manual configuration change or a small download which will make this configuration change for the user.

I actually prefer using the manual approach as it's easy and expedient to perform, plus you don't have to toggle back on the “allow software to be installed from a website“ (which typically should be set to off as a best practice)

MANUAL APPROACH:

1. You can type "about:config" as a "URL" in the address bar
2. Then key or locate "network:enableIDN"
3. Double click it to disable it (set it to "false")
4. Close and restart browser (you can do another about:config to confirm this is now set as false)

Mozilla Firefox - Critical Security Warning for all versions

   Users should avoid links in unsolicited email messages and untrusted URLs regardless of which browser they use.  Based on past experience, the Mozilla foundation has a priority on security, so I'm certain this will be addressed soon with a new release of Firefox.

Firefox/Deerpark all versions - Critical Security Warning
http://news.zdnet.com/2100-3513_22-5856201.html
http://techrepublic.com.com/2100-1009_11-5856201.html
http://secunia.com/advisories/16764/
http://security-protocols.com/advisory/sp-x17-advisory.txt

Tom Ferris has discovered a vulnerability in Firefox, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially to compromise a user's system. The vulnerability is caused due to an error in the handling of an URL that contains the 0xAD character in its domain name. This can be exploited to cause a heap-based buffer overflow.

Successful exploitation crashes Firefox and may potentially allow code execution but requires that the user is tricked into visiting a malicious web site or open a specially crafted HTML file.  The vulnerability has been confirmed in version 1.0.6, and is reported to affect versions prior to 1.0.6, and version 1.5 Beta 1.

Sept 13, 2005 - Microsoft Security Bulletins Preview

  Here's hoping the bad guys can't reengineer the critical bulletin that's forthcoming in September as we need a break after MS05-039 in August

Kaspersky Labs: Watch for $9.95 charges on your credit cards

  Kaspersky Labs documents a freshly launched fraud attack where the scammers use low monetary values in an attempt to go unnoticed. 

Are you $9.95 out of pocket?  - September 7, 2005 weblog entry
http://www.viruslist.com/en/weblog?calendar=2005-09

QUOTE:  Next to the more or less daily scams mentioned in the previous post, we're seeing a resurgence in another scamming tactic. Over the last couple of weeks more people are reporting charges of $9.95 to their credit cards - for no reason whatsoever. About a year ago we saw a similar trend and now it has been picked up again.

The scammers hope that because the amount of money is so small, the charge will go unnoticed. They're also using names which closely resemble real company names to make the charges look (at first glance) more legitimate. So be sure to check your accounts for odd charges on a regular basis.

MS05-039: Spybot.WOE exploits 4 unpatched MS vulnerabilities

  A new variant of Spybot has emerged which exploits four unpatched Microsoft vulnerabilities which must be patched on all PCs to ensure the best levels of protection.

W32.Spybot.WOE is a worm with back door capabilities that can be used to launch a distributed denial of service attack. The worm spreads by exploiting numerous vulnerabilities, including the Microsoft Windows Plug and Play Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS05-039).

Firewall protection:  The following are TCP ports that should be protected in the firewall for the PC or server:  139, 445, 1427, 4654, 65528, 65529.

Microsoft Security Exploits: Spreads by scanning TCP ports 139 and 445, and exploiting the following vulnerabilities:

• The Microsoft Windows Plug and Play Buffer Overflow Vulnerability (as described in Microsoft Security Bulletin MS05-039).
• The Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability (as described in Microsoft Security Bulletin MS03-026).
• The Microsoft Windows Local Security Authority Service Remote Buffer Overflow(as described in Microsoft Security Bulletin MS04-011).
• The Microsoft Windows ASN.1 Library Bit String Processing Variant Heap Corruption Vulnerability (as described in Microsoft Security Bulletin MS04-007).

Windows XP SP2 - Windows Firewall update available

  Microsoft has released a new update. This update applies to Microsoft Windows XP Service Pack 2 (SP2) or Microsoft Windows Server 2003 Service Pack 1 (SP1). This patch fixes a condition where an exception may not show up in the Windows Firewall GUI, if this exception is created by modifying the registry directly. In order to do this, administrative priveleges are required on the box. The danger in this flaw is that a hacker could open a backdoor that would not be shown in the GUI Firewall ruleset.

Windows XP SP2 - Windows Firewall update available

ISC email Hoax warning: Gas shortage hoax

http://isc.sans.org/diary.php?date=2005-09-02

There is a hoax e-mail making the rounds about a gas shortage. Don't run out and create a shortage. And now, we have reports from one of our readers (thanx, Rikki) who is seeing e-mails about a gas shortage floating around. The facts are, yes, there have been gas stations that have run out of gasoline. That is mostly because people have flocked to them to fill up fearing a shortage (can you say self-fulfilling prophecy?). Yes, some refining capacity in the US has been impacted by the hurricane, but we won't know the impact of that for some time yet. In the meantime, there is gasoline available in the US, and stations are still getting deliveries. Yes, the prices have gone up and conserving would be a good idea, but there is no evidence of an imminent widespread shortage outside of the areas that suffered direct infrastructure damage earlier this week. Remain calm.

Dameware Remote Control - Buffer Overflow & POC warnings from FrSIRT

  Corporate Users of the Dameware remote control facility should patch their systems expediently as a new vulnerability and proof-of-concept code were published at the end of August.

Dameware Remote Control - Buffer Overflow Expoit Warning

Dameware Remote Control - Proof of Concept Exploit (be careful as actual code for the exploit is published here) 

Solution: Upgrade to DameWare Mini Remote Control version 4.9.2.4

QUOTE: A vulnerability was identified in DameWare Mini Remote Control Server, which could be exploited by remote attackers to execute arbitrary commands. This flaw is due to a buffer overflow error in the authentication procedure that does not properly handle an overly long "username" parameter (port 6129), which could be exploited by unauthenticated remote attackers to compromise a vulnerable system.

By default (DameWare Remote Control Server) DWRCS listens on port 6129 TCP. An attacker can construct a specialy crafted packet and exploit this vulnerability. The vulnerability is caused by insecure calls to the lstrcpyA function when checking the username.

Katrina Malware - Trojan-Downloader.JS.Small.bq is at this website

 Be careful with website links in email messages.  It's a best practice to never click on a URL even to opt out of spam unless you are sure it can be trusted.  This breaking news story from an email message spammed to numerous individuals contains a hostile link that will download malware from the website to PCs that visit it. 

Katrina Malware - Trojan-Downloader.JS.Small.bq is at this website

F-Secure - September 1st Weblog identifies this new downloader trojan horse

Subject: Re: Katrina killed as many as 80 people.

Just before daybreak Tuesday, Katrina, now a tropical storm, was 35 miles northeast of Tupelo, Miss., moving north-northeast with  winds of 50 mph. Forecasters at the National Hurricane Center said the amount of rainfall has been adjusted downward Monday.  Mississippi Gov. Haley Barbour said Tuesday that Hurricane Katrina killed as many as 80 people in his state and burst levees in Louisiana flooded New Orleans. Read More

The Read More.. links to “nextermest . com” [DO NOT VISIT THIS SITE as Trojan-Downloader.JS.Small.bq is at this website]. It uses obfuscated javascript to download what looks like a .hta exploit.