Information Security Newsletter
Bulletins posted 5/07/2009
Another Google Chrome Patch for Critical Security Hole
For the second time in two weeks, Google has shipped a new version of its Chrome browser to fix a pair of serious security vulnerabilities.
One of the two flaws carries a “critical” rating because of the risk of code execution with the privileges of the logged-on user.
If you use Google Chrome, check to make sure it has updated itself. Google Chrome usually updates automatically, but it's a good idea to check.
From ZDNet - Ryan Naraine
Microsoft's Patch Tuesday will patch PowerPoint zero-day
Microsoft plans to issue one critical patch during its monthly patch cycle next week, plugging a critical flaw in its PowerPoint presentation program that is being actively targeted by attackers.
The PowerPoint vulnerability was the only bulletin identified in the Security Bulletin Advance Notification issued today by Microsoft.
Details of the flaw surfaced last month and Microsoft acknowledged that the flaw was being exploited by hackers in the wild in targeted, limited attacks. PowerPoint versions affected by the flaw are Office PowerPoint 2000 Service Pack 3, Office PowerPoint 2002 Service Pack 3, and Office PowerPoint 2003 Service Pack 3.
If you don't have Automatic Updates enabled, be sure to download and apply this patch next Tuesday (5/12). In the meantime, be careful opening any PowerPoint files that you can't be sure are legitimate.
From SearchSecurity.com - Robert Westervelt
Bulletins posted 5/06/2009
Adobe PDF vulnerability fix slated for May 12
Adobe said it plans to release an update by May 12 for the recently disclosed Reader and Acrobat vulnerability.
In doing so, Adobe will push out Windows updates for Reader and Acrobat versions 7, 8 and 9 and Macintosh and Unix updates for versions 8 and 9, David Lenoe, Adobe's security program manager, said Friday afternoon in a blog post.
The company also has confirmed a second vulnerability in its Reader for Unix software, which also is slated to be fixed in next week's update, Lenoe said. That bug does not affect Windows or Mac versions, but Adobe is investigating whether it can "reproduce an exploitable scenario."
Proof-of-concept code for both vulnerabilities has been published on the web; however, Adobe is not aware of any live attacks.
As users await the patches, Adobe has suggested they disable JavaScript in Reader and Acrobat, Lenoe said. In addition, the company has contacted leading anti-virus providers so they can build in protection to their products.
This is the second major zero-day PDF flaw to strike the popular viewer this year.
If you are running any of the Adobe products, make sure that you apply this patch as soon as possible. As noted before, the best long-term strategy may be to abandon Adobe products and move to another PDF application.
From SC Magazine - Dan Kaplan
Leaked Copies of Windows 7 RC - As Was the Case with Mac iWork '09 - Contain Trojan
Pirated copies of Windows 7 Release Candidate (RC) on file-sharing sites contain malware, according to users who have downloaded the upgrade.
Windows 7 RC, which Microsoft Corp. will officially launch on May 5, leaked two weeks ago, with copies first appearing on BitTorrent tracking sites on April 24.
Some of the pirated builds include a Trojan horse, numerous users said in message forums and in comments on BitTorrent sites such as Mininova.org.
"Just a warning for anyone downloading the new RC builds of windows 7. Quiet [sic] a lot of the downloads have a trojan inbedded [sic] in the setup EXE," said someone identified as Frank Fontaine on a Neowin.net discussion thread. "The Setup EXE is actually a container, it appears to be a self-extracting EXE. There are 2 files inside, Setup.exe and codec.exe."
Fontaine's antivirus software identified the "codec.exe" file as a generic Trojan.
"Suspicious codec.exe!" reported someone labeled as "UltimateGTR" on Mininova, commenting on one of the 32-bit builds.
Another Mininova commenter, "WuNgUn," identified the malware as the "Falder" Trojan, which downloads fake security software, dubbed "scareware," to PCs and installs a rootkit to hide from legitimate antivirus products.
Microsoft, which has cited potential infection as a reason to steer clear of unauthorized downloads, jumped on the news. "This unfortunately shows that there are those out there who see the significant interest in something such as Windows 7 as an opportunity to try to take advantage of others," said Alex Kochis, director of Microsoft's Genuine Windows anti-piracy technology group, in a post to a company blog on Friday.
Windows 7 RC is not the first leaked software found to harbor attack code. In January 2009, for example, security experts warned that pirated copies of Apple Inc.'s then-new iWork '09 suite contained a Trojan horse that hijacked Macs.
Microsoft will let the general public download Windows 7 RC on Tuesday, but has not said what time it will make the upgrade available. Subscribers to TechNet and the Microsoft Developers Network (MSDN) have been allowed to download the RC since last Thursday.
Remember that anything downloaded from file sharing sites is inherently dangerous. As many as 50% of all files from those types of sites are infected with malware. Pirating is dangerous and illegal.
From PC World - Gregg Keizer
Bulletins posted 5/01/2009
Adobe Reader, Acrobat Hit With Another Zero-Day
A new zero-day vulnerability in Adobe Reader has been disclosed, once again putting the popular PDF reader in possible peril from attackers.
The newly discovered vulnerability affects "all currently supported shipping versions" of the software, meaning Versions 9.1, 8.1.4, 7.1.1, and earlier of Adobe Reader and Acrobat, and on all operating system platforms for the applications, said Adobe's Product Security Incident Response Team (PSIRT) in its blog this afternoon.
The company is also "currently investigating" the exploit that also was posted with the vulnerability disclosure, blogged Adobe's David Leone.
"Adobe plans to provide updates for all affected versions for all platforms (Windows, Macintosh, and Unix) to resolve this issue. We are working on a development schedule for these updates and will post a time line as soon as possible. We are currently not aware of any reports of exploits in the wild for this issue," blogged Leone.
This is the second major zero-day flaw to be exposed in Adobe Reader this year. In February, Adobe reported a buffer overflow bug in Reader and Acrobat. A researcher later demonstrated that a user merely storing -- and not even opening -- a PDF infected via the flaw could trigger an attack.
With Adobe Reader's security woes increasing during the past few months, some security experts are declaring it time for users to change their PDF reader programs to avoid attacks. F-Secure has led the charge, noting that 47 percent of the targeted attacks it has seen so far this year used Adobe Acrobat Reader PDFs -- a twenty-fold increase compared to last year. "Adobe is targeted primarily because they are the big guy," says Patrik Runald, chief security advisor for F-Secure.
F-Secure now advises users to switch over to an alternative PDF reader from the pdfreaders site for open-source PDF readers. The more diverse the PDF reader pool, the better for user security, Runald says.
First of all, make sure you keep Adobe products up to date if you decide to stay with them. Adobe also recommends turning off JavaScript in Adobe products until they post an update. We agree with F-Secure that the best strategy to stay safe is probably to abandon them and go to some other application.
From Dark Reading - Kelly Jackson Higgins
Google Joins Mozilla, Blames IE for Chrome Bug
Google has fixed a bug in its Chrome browser which could allow cross-site scripting and other dangerous policy violations under interesting circumstances: when Chrome is called from Internet Explorer because a link is executed in IE with the "chromehtml" protocol handler.
If you are using Google's Chrome browser, update Chrome to get to the new version 1.0.154.59 as soon as possible.
From eWeek - Larry Seltzer
IRS Phishing Scam Appears Again
Tis the season and the scammers are busy as usual. The latest phishing scam is a fake email with a link to a poisoned IRS site.
The message says:
After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $460.08
Please visit the link to proceed: {{the bad link here}}
A refund can be delayed for a variety of reasons.
We apologize for the any troubles caused, and is very grateful for your cooperation.
Deliberate wrong inputs are criminally pursued and indicated.
Sincerely,
Tricia Banner
Refund Department
Copyright © 2009 Internal Revenue Service All rights reserved.
Be aware of these types of scams and warn vulnerable friends and family.
Facebook neutralizes phishing attack
Facebook said Thursday it has put the brakes on a phishing wave that was trying to dupe members into divulging their login credentials.
During the past two days, phishers sent messages to Facebook users that appeared to come from their "friends." However, the scammers actually had hacked those accounts, giving them the ability to send messages and impersonate the victim.
The emails they sent contained links to two sites -- fbstarter[com] or fbaction[net] -- that were designed to mimic the actual Facebook login screen, company spokesman Barry Schnitt told SCMagazineUS.com on Thursday. The crooks were trying to get recipients to give up their username and password to access Facebook.
Once Facebook learned of the attack, it blocked the scammers' content from being shared on Facebook, and the company changed the passwords on those profiles that had been sending the bogus messages.
"The passwords they've stolen are no longer valid [on Facebook]," Schnitt said. But, he added, the fraudsters may try to use the stolen goods on other websites, where individuals may use the same credentials as they do on Facebook.
Jamie Tomasello, abuse operations manager at message security firm Cloudmark, said the phishing campaign could just as easily have been pushing links to malware-serving websites that were trying to, for example, trick users into downloading a trojan disguised as a plugin to view a video.
"The more users depend on social networking sites as a trusted source of communication, the more fraudsters are going to abuse it," Tomasello told SCMagazineUS.com on Thursday.
Schnitt said users should be on the lookout for similar scams. He reminded users that Facebook rarely logs them out, thus they would not always have to re-enter their login details. In addition, when being queried for username and password, users should look at the address bar to ensure they are at the legitimate site.
Schnitt said he did not know how many people fell victim. Facebook boasts as many as 200 million active users.
If you have a Facebook account, you should understand that these types of scams will keep getting more and more sophisticated and ubiquitous. Facebook is just too large and rich a target to be ignored by scammers. Be suspicious of messages with links to other sites even if they look like they come from a friend.
From SC Magazine - Dan Kaplan
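The address-bar check Schnitt describes, and the poisoned IRS link in the earlier bulletin, can be automated for a mail gateway or a link-checking tool. The following Python is an added example, not code from Facebook, SC Magazine or this newsletter; the allowlist, the brand tokens and the link paths are assumptions, and the two lookalike hostnames are the ones the bulletin names, re-assembled from their defanged form.

```python
import re
from urllib.parse import urlsplit

# Registrable domains of the services named in the bulletins, with the short
# tokens a lookalike host tends to borrow. Assumed allowlist for this example;
# a real deployment would load it from configuration.
LEGITIMATE = {
    "facebook.com": ("facebook", "fb"),
    "irs.gov": ("irs",),
}

def hostname_of(url: str) -> str:
    """Lowercase hostname of url ('' if none). urlsplit().hostname discards
    userinfo, so 'http://www.facebook.com@evil.example/' yields 'evil.example'."""
    if "://" not in url:
        url = "http://" + url          # bare 'host/path' as pasted from mail
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()

def is_legitimate(host: str) -> bool:
    """True only if host is an allowed domain or a true subdomain of one, so
    'evilfacebook.com' and 'facebook.com.example.net' are both rejected."""
    return any(host == d or host.endswith("." + d) for d in LEGITIMATE)

def looks_like_brand(host: str) -> bool:
    """Heuristic: some dot- or dash-separated token of host begins or ends with
    a brand token (fbstarter, fbaction, irs-refund, facebook.com.example.net)."""
    tokens = [t for t in re.split(r"[.-]", host) if t]
    hints = [h for hs in LEGITIMATE.values() for h in hs]
    return any(t.startswith(h) or t.endswith(h) for t in tokens for h in hints)

def check_login_link(url: str) -> str:
    """'legitimate', 'lookalike' (brand token on a foreign host), or 'unrecognized'."""
    host = hostname_of(url)
    if not host:
        return "unrecognized"
    if is_legitimate(host):
        return "legitimate"
    return "lookalike" if looks_like_brand(host) else "unrecognized"

if __name__ == "__main__":
    # Constructed sample links: the two lookalike hosts are the ones the bulletin
    # names (re-assembled from the defanged form); every path is invented.
    for link in ("https://www.facebook.com/login.php",
                 "http://fbstarter.com/login.php",
                 "http://fbaction.net/",
                 "http://www.facebook.com@evil.example/",
                 "http://irs.gov.refund.example/"):
        print(f"{check_login_link(link):12} {link}")
```

Only "legitimate" means the host is facebook.com, irs.gov or a real subdomain; "unrecognized" covers any other host, including the userinfo trick in the fourth sample, and should be treated with the same suspicion as a lookalike.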
A New Twitter Breach Published
A French hacker has posted screenshots backing claims that he breached Twitter's administrative panel, threatening the security and integrity of high-profile accounts and exposing private information to the public, such as the account holder's e-mail address, IP address, mobile phone number in some cases and list of accounts blocked by the user.
The screen shots show internal settings and information for Twitter accounts belonging to U.S President Barack Obama, actor Ashton Kutcher, and singers Lily Allen and Britney Spears. The info reveals that the Obama account has blocked more than 90 users from sending it messages. The screen shots also revealed a list of users who have been blacklisted by Twitter.
Twitter confirmed the intrusion and said that only ten accounts had been compromised and that no information in the accounts had been altered.
Unlike an attack earlier this year when a hacker gained access to a Twitter administrator's account by using a password cracker to guess her log-in credential, the French hacker, who goes by the handle "Hacker Croll," gained access by breaching a Twitter administrator's Yahoo e-mail account, where he found an e-mail from Twitter that disclosed the administrator's Twitter password. To gain access to the Yahoo account, the hacker simply reset the password to the account by answering the secret question. Croll doesn't say what the secret question was.
Unlike the previous Twitter hack attack, Croll didn't send out phony messages from the compromised accounts.
If you use Twitter, you should again understand that these types of scams will keep happening. All of these Web 2.0 applications are becoming the target of choice for scammers. Be careful with your account and make sure you have a strong password. We also recommend restricting your followers to people you have actually met in person.
From Wired Threat Level - Kim Zetter
----------------------------------------
Last Updated: May 07, 2009
Website Contact: David Matthews