Information Security Newsletter

Bulletins posted 8/13/2009

For fourth month in a row, Safari updated.
Apple on Tuesday released Safari 4.0.3 to patch six vulnerabilities.

Three of the flaws – involving issues in CoreGraphics, ImageIO and WebKit – could be exploited to execute arbitrary code, according to an Apple advisory.

Perhaps the most unique bug involves a problem with Safari's new Top Sites feature, which provides an "at-a-glance view" of a user's favorite sites, the advisory said. An attacker might be able to exploit the flaw by adding a malicious site to this list, permitting potential phishing scams. Apple fixed the issue by only permitting websites that a user manually visits to be included in the list.

Andrew Storms, director of security operations at vulnerability management firm nCircle, suggested that, considering the number of security updates from Apple this year, the company may want to consider setting a patching schedule.

Vendors such as Microsoft, Oracle and Adobe already do this.

So far this year, Apple has delivered five Safari updates and three Mac OS X updates, the most recent on Aug. 5. Safari has been patched each month since May. Tuesday's release arrived on the same day that Microsoft distributed nine patches to resolve 19 flaws.

"This release makes the contrast between the security processes of Microsoft and Apple even more stark," Storms said. "Microsoft's release was planned, but Apple's updates seem to arrive at a haphazard pace."

An Apple spokeswoman did not respond to a request for comment.

Users should install the new patch.

From: http://www.scmagazineus.com/ by Dan Kaplan

Bulletins posted 8/11/2009

Microsoft Security Advisory (973811) released.
This month, we released nine security bulletins. Five of those are rated Critical and four have an aggregate severity rating of Important. Of the nine updates, eight affect Windows and the last one affects Office Web Components (OWC). It is also important to note that five of the six critical updates also have an Exploitability Index rating of “1” which means that we could expect there to be consistent, reliable code in the wild seeking to exploit one or more of these vulnerabilities within the first 30 days from release.

Users should run Microsoft Update and install new updates.

From Microsoft

Bulletins posted 8/7/2009

WARNING Hotmail accounts are being hijacked.

If you think your account has been compromised, you should change your password and tell your friends and family to change their passwords.

You will want to change your hotmail password and other passwords, ensure you have the most recent virus definitions, and that your Windows operating system has all the latest patches.

As always, you should be cautious about opening messages that contain links to websites, do not open attachments unless you are sure you know who they are from (if you have any doubt, call them to make sure).

Users should check there sent folder to see if they have mail sent from their account they did not send.

From http://windowslivehelp.com, by Windows Live Hotmail Technical Support

Boobytrapped images pose threat to Mac users, warns Apple.
Users of Mac computers are being advised to install an important security patch, after Apple acknowledged that a serious flaw existed in its Mac OS X operating system that could be exploited by hackers.

In a security advisory posted on its website, the Cupertino-based vendor of iMac and MacBook computers warned that it had discovered that hackers could create specially crafted image files capable of running malicious code without the user's authorisation, such as a worm or Trojan horse.

The affected image file formats include PNG, Canon RAW and OpenEXR.

To circumvent this and other security issues, Apple is recommend that users install Security Update 2009-003 - updating themselves to Mac OS X v10.5.8:

Per Apple users are advised to install the new security patch.

From http://www.sophos.com, by Graham Cluley

A computer attack shut down the social networking site Twitter for about two hours on Thursday morning, causing headaches in the online community and glitches in other Web sites such as Facebook.
A computer attack shut down the social networking site Twitter for about two hours on Thursday morning, causing headaches in the online community and glitches in other Web sites such as Facebook.

Twitter says the shutdown was caused by a "denial of service attack," which likely means a hacker used a herd of infected computers to send bad information to the site and overwhelmed it.

A post to Twitter's blog said its Web site was back online before noon ET, but the site's users still were reporting problems.

"We are continuing to defend against and recover from this attack," the message from the company says.

Facebook and other social networking sites appeared to be affected by Twitter's shut-down, too. Twitter runs applications through those sites and there was speculation that the glitches were related.

"Earlier this morning, we encountered issues within our network that resulted in a short period of degraded site experience for some visitors," said Facebook spokeswoman Kathleen Loughlin.

"No user data was at risk, and the matter is now resolved for the majority of users. We're monitoring the situation to ensure that users continue to have the fast and reliable experience they've come to expect from Facebook," she said.

Twitter's site went down around 9:30 a.m. ET on Thursday and was back online by about 11:30 a.m.

It's unclear who plotted the attack against Twitter and what their motives may have been. Internet attacks sometimes hit Web sites as they become popular. Security experts say financial motives often are behind modern cyber-attacks.

Twitter -- a micro-blogging site where users post 140-character messages to their followers -- has soared in popularity in recent months. According to Comscore, a Web tracking firm, the site had 44 million unique visitors in June.

Thursday's incident highlights the degree to which people depend on online social networks to feel connected to the world.

Some Twitter and Facebook users expressed near-panic that the sites were not working properly. Others reacted with ambivalence.

This is not the first time Twitter has been hit with a cyber-attack. Last month, a hacker broke into the personal Google accounts of Twitter employees, stealing personal information and company financial reports and posting them online.

In an e-mail to CNN.com, Twitter co-founder Biz Stone said that incident is not related to Thursday's security breach.

"There's no indication that this attack is related to any previous activities. We are currently the target of a denial of service attack," Stone said in the e-mail.

"Attacks such as this are malicious efforts orchestrated to disrupt and make unavailable services such as online banks, credit card payment gateways, and in this case, Twitter for intended customers or users. We are defending against this attack now and will continue to update our status blog as we defend and later investigate."

Don DeBolt, director of threat research at CA, a computer security company, said it's too early to tell who or what may be behind the Twitter attack.

But he said denial-of-service attacks target specific Web sites.

"To be effective, [these attacks] need to be focused on a Web site or a series of Web sites," he said. "It's not going to be something where malware (harmful software) is going to be deployed and then randomly attacks Web sites."

John Harrison, a researcher with Web security firm Symantec, said it is very difficult to learn the identity of the attacker, or attackers, as they could be anywhere on Earth and the infected network could span several countries.

Logging on to sites such as Twitter while they are under attack only makes the situation worse because it adds to the overloading of the system, he said.

The U.S. Computer Emergency Readiness Team says it's impossible for Web developers to fully prevent such attacks. But everyday computer users can ensure that their machines aren't used in a coordinated attack like the one seen Thursday.

To protect their computers, consumers should update anti-virus software, create passwords that are difficult to crack and maintain computer firewalls, the agency says.

The U.S. Computer Emergency Readiness Team says for users to protect their computers, consumers should update anti-virus software, create passwords that are difficult to crack and maintain computer firewalls .

From http://www.cnn.com by John D. Sutter

Bulletins posted 8/4/2009

Firefox 3.5.2 and 3.0.13 security updates now available for download
As part of Mozilla’s ongoing stability and security update process, Firefox 3.5.2 and Firefox 3.0.13 are now available for Windows, Mac, and Linux as free downloads:

Firefox 3.5.2 is available at http://firefox.com/

Firefox 3.0.13 is available at http://www.mozilla.com/firefox/all-older.html

We strongly recommend that all Firefox users upgrade to this latest release. If you already have Firefox 3.5 or Firefox 3, you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting “Check for Updates…” from the Help menu.

For a list of changes and more information, please review the Firefox 3.5.2 Release Notes and the Firefox 3.0.13 Release Notes.

Note: All Firefox 3.0.x users are encouraged to upgrade to Firefox 3.5.2 by downloading it from http://firefox.com/ or by selecting “Check for Updates…” from the Help menu..

Users should install the update for FireFox.

From Mozilla

Bulletins posted 7/31/2009

Apple to fix iPhone Security Flaw
Apple is set to release a software patch to address a recently described security flaw in the iPhone, the UK network operator 02 has said.

Experts revealed on Thursday that modified SMS messages could result in iPhones being disconnected from the network or hijacked altogether.

Phones incorporating the Windows Mobile and Google Android operating systems are also vulnerable, they said.

An O2 spokesperson said the patch would be available Saturday through iTunes.

"We will be communicating to customers both through the website and proactively," the spokesperson added.

"We always recommend our customers update their iPhone with the latest software and this is no different."

Access all areas

Charlie Miller and Collin Mulliner told the Black Hat conference in Las Vegas that the hack works by slightly modifying the data - sent by the network and which the user does not see - that arrives as part of a text message.

The system that processes such messages is similar across different operating systems and can, once compromised, gain access across a range of applications including a phone's address book or camera.

The team say that hackers could develop programs to exploit the weakness in as little as two weeks, but told the conference that publicising the means of attack was necessary to ensure the problem was addressed.

"If we don't talk about it, somebody is going to do it silently. The bad guys are going to do it no matter what," Mr Mulliner, an independent security expert, said.

The team wrote software to exploit the weakness, targeting iPhones on four networks in Germany as well as AT&T in the US. However, they believe it would work equally well in any country.

The approach is particularly dangerous because messages are delivered automatically, and users cannot tell that they have received the malicious code.

The problem could be fixed by directly patching the vulnerability in smartphones' operating systems, or the network providers could scan for messages that look to be trying to gain access to phones via the malicious code.

The researchers said they had informed Google of the hack and that the company had already taken steps to address the problem.

The Black Hat gathering, part of a leading series of conferences for information and computer security experts, took place from 25 to 30 July.

Apple were not available to comment on the flaw.

Users should watch for the patch to be available Saturday through iTunes and update their iPhone with the latest software.

From http://news.bbc.co.uk/

Bulletins posted 7/30/2009

Single misplaced '&' caused latest IE exploit
A security hole in Internet Explorer that opened the browser to hackers since early July was caused by a single typo in Microsoft's code.

An errant ampersand ("&") took the blame for the exploit, admitted Microsoft in a blog published Tuesday at its Security Development Lifecycle (SDL) Web site.

Michael Howard, a security program manager at Microsoft, explained in his blog that the typo corrupted the code of an ActiveX control used by the browser. The control was created by Microsoft using an older library of code, which Howard admitted has flaws. Because of those flaws, the typo caused the code to write untrusted data, exposing the browser to the bad guys.

Outside of its regular Patch Tuesday routine, Microsoft issued an emergency fix for IE, which it said would block attempts to exploit the flaw in ActiveX controls.

Users should install the update patch on their computer and not wait for automatic updates.

From http://news.cnet.com, by Lance Whitney

TwitViewer A Possible Phishing Scam
Want to see the last 200 visitors on your Twitter page? Sounds pretty intriguing doesn't it? But as the old saying goes... "If it looks too good to be true, it probably is".

CAUTION: TwitViewer is a possible phishing scam.

A new service, TwitViewer.net (not linking to the site for obvious reasons), has been making the rounds today on Twitter. The service has seen literally thousands of Twitterers enter in their login information to see "whos stalking" them. (The misspelling was intentional)

Do not enter your login information on the TwitViewer website. If you have entered your logon information at TwitViewer website change it immediately.

From http://www.webpronews.com, by Stephen Shankland

New version of Adobe Flash Player is available (Critical update)
Critical vulnerabilities have been identified in the current versions of Adobe Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems. These vulnerabilities could cause the application to crash and could potentially allow an attacker to take control of the affected system.

We expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows, Macintosh and UNIX by July 31, 2009. This bulletin will be updated to reflect their availability on that date. (The update for Adobe Flash Player v9 and v10 for Solaris is still pending.)

Adobe recommends users of Adobe Flash Player 9.x and 10.x and earlier versions update to Adobe Flash Player 9.0.246.0 and 10.0.32.18. Adobe recommends users of Adobe AIR version 1.5.1 and earlier versions update to Adobe AIR 1.5.2.

Users should unistall old versions of Flash Player, install the new version Adobe Flash Player (v10.0.32.18)

From Adobe Support

Bulletins posted 7/23/2009

Rogue anti-spyware/scareware on Twitter
In addition to Trojans and Worms, Twitter seems to also be a good platform for distributing rogue security solutions (aka scareware). The latest example of this is a program called "MalwareRemovalBot" which has been detected as "not-a-virus:FraudTool.Win32.MalwareRomovalBot.e".

The link in the tweets leads to the 'vendor' site - and nearly every link there leads to the download.

The downloaded filename varies - "setup.exe", "setupxv.exe" or "setup-trial.exe". It's a UPX-compressed Windows PE-executable.

Once the program's installed and a scan's been run, the program may report fake spyware infections to scare the user and get him to "register".

The registration website leads to the shopping site where a "special offer" is waiting for the potential customer. A license for a single PC costs as much as the 3 PC license - $39.95 plus two 'extra' technologies for $9.95. The total payment of $59.85 can be made by PayPal or credit-card. Pretty expensive for fake protection.

As they suggest in the article: "Use your common sense, and don't be a twit when you tweet."

From viruslist.com, by Marco

Firefox 3.0.12 patches five critical problems
If you haven't updated your Firefox browser to 3.5 yet and are still on 3.0, Mozilla just released Firefox 3.0.12. This is an update to the open-source browser that fixes five critical security vulnerabilities and fixes a handful of other bugs.

"We strongly recommend that all Firefox 3.0.x users upgrade to this latest release," Mozilla said on its developer blog. "If you already have Firefox 3, you will receive an automated update notification within 24 to 48 hours. This update can also be applied manually by selecting 'Check for Updates...' from the Help menu."

From CNet News, by Stephen Shankland

Security advisory for Adobe Reader, Acrobat and Flash Player
A critical vulnerability exists in the current versions of Flash Player (v9.0.159.0 and v10.0.22.87) for Windows, Macintosh and Linux operating systems, and the authplay.dll component that ships with Adobe Reader and Acrobat v9.x for Windows, Macintosh and UNIX operating systems. This vulnerability (CVE-2009-1862) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild via limited, targeted attacks against Adobe Reader v9 on Windows.

We are in the process of developing a fix for the issue, and expect to provide an update for Flash Player v9 and v10 for Windows, Macintosh, and Linux by July 30, 2009 (the date for Flash Player v9 and v10 for Solaris is still pending). We expect to provide an update for Adobe Reader and Acrobat v9.1.2 for Windows, Macintosh and UNIX by July 31, 2009.

Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat v9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF that contains SWF content. Depending on the product, the authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll or C:\Program Files\Adobe\Acrobat 9.0]\Acrobat\authplay.dll. Windows Vista users should consider enabling UAC (User Access Control) to mitigate the impact of a potential exploit.

Flash Player users should exercise caution in browsing untrusted websites. Adobe is in contact with Antivirus and Security vendors regarding the issue and recommend users keep their anti-virus definitions up to date.

From Adobe Support

Akamai Technologies Security Advisory 2009-0001(Download Manager)
Akamai is announcing an upgrade to its download manager due to a security vulnerability.

Akamai Download Manager is a client software application that helps users download content. It is available as an ActiveX component or Java applet and provides users the ability to pause, resume downloading at a later time, and automatically recover from dropped connections or system crashes.

Akamai has become aware of a security vulnerability within the Akamai Download Manager up to and including version 2.2.3.7 of the ActiveX control. For successful exploitation, this vulnerability requires a user to be convinced to visit a malicious URL put into place by an attacker. This may then lead to an unauthorized download and automatic execution of arbitrary code run within the context of the victim user.

If you use Akamai's Download Manager, we highly recommend you upgrade to the latest version, by visiting Akamai's upgrade web site.

From Donna's SecurityFlash, by Donna Buenaventura

Total eclipse used to bait scareware scam - Ruse targets geographically-confused stargazers
Wednesday's total solar eclipse over India and China has been exploited as a bait for sites punting scareware.

Miscreants are using black hat search engine trickery to point geographically-confused users towards websites peddling rogue antivirus software, as explained in an illustrated advisory by Trend Micro.

A search term associated with the attack "Solar Eclipse 2009 in America" might appear confusing at first, because the century's longest solar eclipse was at no point visible in North America. However, it makes sense when the target market for such scams - relatively affluent, if perhaps slightly naive westerners - is factored into the equation.

Don't be fooled by these types of scams and be sure to warn your vulnerable friends and family.

From The Register, by John Leyden

Bulletins posted 7/21/2009

Spammers Running Wild In Latest MySpace Phishing Attack
In the last 24 hours there has been a sudden surge in the amount of spam being sent and received by MySpace users, suggesting that the site has fallen prey to a security exploit that grants spammers access to accounts. Many users are logging in to find that they’ve commented on their friend’s status updates with spammy messages inviting them to “make $$ this summer”. We’ve reached out to MySpace to ensure that they are aware of the issue.

Some MySpacers are speculating on the site’s forums that the hack is tied to phishing links in status updates, which seems to be in line with the reports we’ve seen of literally hundreds of identical spam status updates to certain band profiles. We’ve learned that this is in fact the case — MySpace users are falling prey to a phishing attack through links in status updates that invite them to enter their login information, which is then used to spam their accounts. MySpace expects to have a fix for this out later today that will remove all of these links.

If you are a MySpace user, be aware of these types of phishing schemes and don't fall prey to them. You should never give out your login credentials online to any untrusted or unknown requests

From TechCrunch, by Jason Kincaid

Hidden-cam video of US sports reporter lures web users to malware infection
IT security and control firm Sophos is warning all internet users to be wary of websites claiming to host a controversial nude video of high-profile ESPN reporter Erin Andrews - hackers are using the hype surrounding the hidden camera tape to distribute malware that will infect both PC and Mac computer systems.

The internet has been abuzz with news that a voyeur had secretly filmed the glamorous US sports reporter through the peephole of her hotel room door. Lawyers working for Andrews said that they will take legal action against anyone distributing the footage, which was taken without her knowledge or consent. However, opportunists and hackers have been quick to set up websites claiming to contain the illicit content, in the hope of driving internet traffic to their websites or infecting innocent victims.

Computer users who visit many of these sites are running the risk of being infected by the OSX/Jahlav-C Trojan horse on Macs, or the Mal/FakeAV-AY Trojan if visiting from a Windows computer. Once a hacker has control of your computer they can steal sensitive information and con unsuspecting computer users into paying for bogus online protection.

As the hype continues to escalate online, Sophos notes that hackers have also taken to posting links to the malicious sites in as many places as possible including as comments on blogs written on the subject. Sophos advises that all computer users should avoid following untrusted links from blog and news story comments.

Be careful not to fall for this scam and inform vulnerable friends and family.

From Sophos

Bulletins posted 7/20/2009

Google addresses its own security bugs in Chrome stable release update
The stable channel for Google's Chrome Web browser (Chrome 2) has not seen a lot of action in recent weeks, perhaps indicating just how stable it has been. But a pair of exploitable defects that Google's engineers rate as "high" and "critical" have prompted the company to issue an automatic update to its deployed Chrome 2 Web browsers, beginning after midnight last night.

Although code running in Chrome is supposed to be tightly sandboxed, as engineers admitted very early this morning, the possibility existed for a maliciously crafted regular expression (RegEx, used in local searches) to generate a heap overflow, creating a situation where arbitrary code could be executed without the need for privilege. That was the "high" problem, which could lead to the ability to trigger the "critical" problem: An already compromised browser could then be maliciously maneuvered into allocating inordinately colossal memory buffers, thus slowing down the computer (denial of service) and possibly crashing the browser along the way.

At present, there's no evidence that working exploits of these conditions were ever tested in the field -- they appear to have been just as much news to folks who try cracking browsers, as to anyone else.

If you use the Google Chrome Internet browser, you should be updated automatically, but we recommend checking to make sure the update has been applied.

From Beta News, by Scott M. Fulton, III

Bulletins posted 7/17/2009

'Sexy View/Sexy Space' Symbian Worm Spreading
A more sophisticated variant of a wily worm is using a Symbian-certified application to infect its victims via text messages, while also demonstrating botnet-like behavior, prompting some researchers to warn that it's a smartphone botnet in the making.

The so-called Sexy View/Sexy Space malware has researchers split over whether to officially call it a botnet. While Trend Micro says it's indeed a smartphone botnet, F-Secure is less convinced. "It's almost a stretch to call it a botnet, or at least a botnet in the sense that we normally think of them," says Patrik Runald, chief security advisor for F-Secure, which reported the first version of the worm to Symbian in February.

While the worm is able to update the SMS template it uses while spreading, it doesn't have other bot features, he says. "When we think of botnets, we think of a malicious program that calls home for further instructions," such as updating malware, attacking a Website, sending email, or installing an application, he says. "Sexy View does one of those features, which is the ability to update the SMS template it uses when spreading...But Sexy View doesn't have any of the other features we normally take for granted in a bot. So although it can be called a botnet, it's a very simple one with very limited, for now at least, functionality."

Jamz Yaneza, threat research manager for Trend Micro, says Sexy View/Sexy Space was actually a bot in its first iteration in February, but it was unable to successfully spread because its host site was taken down. "This mobile worm starts to steal your information, and it monitors the Websites you go to, and when you connect to the network for an update, it will do something else. That's why it has the makings of a bot," Yaneza says.

Trend Micro is investigating the host it's communicating with, he says, which appears to be out of China. Yaneza says the worm has hit more victims, although Trend Micro has no official numbers.

Botnet or not, the attack sends malware posing as a legitimate Symbian phone app with a Trojan Micro. It steals the victim's subscriber, phone, and network information, and transmits that data to a Website. It also spams SMS messages to contacts on the user's phone to continue its spread, according to Trend Micro.

The worm sends an SMS message with a URL, which, when clicked, prompts the user to install the software -- if you click "yes," then you're infected.

Experts say users can protect themselves from this attack by not visiting links they receive in SMS messages, and by installing antivirus software on their smartphones.

From Dark Reading, by Kelly Jackson Higgins

Mozilla has releases an update to v.3.5 of Firefox
The brand new version 3.5 of Mozilla Firefox already has an update addressing security and stability issues.

This fixes the flaw we reported on yesterday that was found and being exploited almost immediately after 3.5 was released. It also addresses more than 20 other bugs according to Mozilla.

If you are using the Firefox browser, we recommend that you update to 3.5.1 as soon as possible.

Bulletins posted 7/16/2009

Zero Day vulnerabilities plague Microsoft
Microsoft products have had two new zero day problems in the last couple of weeks.

The first one has been patched as part of their patch Tuesday bundle of updates that came out this week. There is no patch available for the second one however.

The newest vulnerability is in the Microsoft Office Web Components Spreadsheet ActiveX control (OWC10.dll and OWC11.dll).

Microsoft Office Web Components are ActiveX controls that provide Microsoft Office functionality, such as spreadsheets, tables, and charts. This vulnerability may be exploited if a user visits a maliciously crafted web page.

Successful exploitation may result in an attacker gaining user level privileges. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

OCWC10.dll is installed by default with Microsft Office XP, and both DLLs are installed by default with Microsoft Office 2003. OWC11 is also installed by default with Microsoft ISA Server and Microsoft Office Accounting and Business Contact Manager. OWC11 is an optional install with Microsoft Office 2007.

All users of Microsoft products should ensure that the latest patches have been installed.

To prevent the second vulnerability from affecting you, Microsoft has recommended preventing Office Web Components Library from running in Internet Explorer by issuing the kill bit for the affected classids. Here is their bulletin outlining how to do so.

Newest version of Firefox (3.5) has a new zero day vulnerability
We have new reports of a vulnerability affecting Mozilla Firefox version 3.5. It is due to an error in the way JavaScript is processed.

Exploitation of this vulnerability could allow an attacker to execute arbitrary code on your computer.

We recommend that you disable JavaScript in Firefox until there is a patch available. There is an excellent US CERT web site that can help you with this and other Web Browser security tasks (for most browsers). It's called Securing Your Web Browser and you'll find a link to a section on Mozilla in the contents at the top of the page.

VMWare Releases New Security Advisory
VMware has released security advisory VMSA-2009-0009 to address multiple vulnerabilities involving the udev, sudo, and curl packages of the ESX Service Console. These vulnerabilities may allow an attacker to execute arbitrary requests to an affected intranet server, read or overwrite files, or gain elevated privileges on the affected system.

Additionally, VMware has updated security advisory VMSA-2009-0008.1. This advisory addresses a vulnerability in the krb5 package of the ESX Service Console. Exploitation of this vulnerability may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

If you use VMWare products that are affected by these advisories, we recommend going to the following two VMWare advisory sites and applying the necessary work arounds or patches.VMSA-2009-0009 and VMSA-2009-0008.1

Bulletins posted 7/10/2009

McAfee warns of new Mac malware attack
Researchers at McAfee Avert Labs have warned that a new malware attack for Mac OS X systems has been spotted in the wild.

Known informally as 'Puper', the Trojan disguises itself as a video program for OS X systems called 'MacCinema'.

The attack appears as a disk image which launches an installer application for the fictional MacCinema software. Once the installer completes its task, the user becomes infected with a script file named 'AdobeFlash'.

The malicious script then launches itself every five hours, and attempts to download and launch other malware on the infected system.

Mac users need to remember that even though you're still not as big a target as Windows, the bad guys know you're out there. You still need to use basic good security practices like having an up to date antivirus application and keeping your system up to date with all the latest patches.

And like everyone else, you need to be aware of these scams and avoid downloading anything you're not sure about.

From V3.co.uk, by Shaun Nichols

Wireless Cybercriminals Target Clueless Vacationers

By Steven Kotler

The following story was posted today on FoxNews.com. I found it very informative and timely given that many of you are probably taking summer vacations. Enjoy!

The newest trend in Internet fraud is "vacation hacking," a sinister sort of tourist trap.

Cybercriminals are targeting travelers by creating phony Wi-Fi hot spots in airports, in hotels, and even aboard airliners.

Vacationers on their way to fun in the sun, or already there, think they're using designated Wi-Fi access points. But instead, they're signing on to fraudulent networks and hand-delivering everything on their laptops to the crooks.

"More and more people are traveling with Wi-Fi devices like smartphones and laptops," says Marian Merritt, Internet safety advocate at the computer-security giant Symantec. "Airports and airlines and hotels are responding. They're setting up free Wi-Fi networks to lure in customers. Now they're luring in hackers as well."

In 2008, Silicon Valley-based AirTight Networks, a wireless security company, sent a team of "white-hat" hackers — good guys who try to thwart "black hat" hackers — around the world on an international airport study.

They checked the Wi-Fi networks at 27 airports — 20 in the U.S., five in Asia and two in Europe — and the results were not good.

At John F. Kennedy International Airport in New York, the baggage-handling system was being run on an insecure network. At other airports, ticketing systems were similarly exposed.

And everywhere they looked, they found fake Wi-Fi hot spots set up by hackers phishing for suckers — and there were plenty of suckers to be had.

"We found a lot of people using insecure Wi-Fi," says AirTight investigator Rick Farina, "and people engaged in all sort of dangerous activity — checking their e-mail, doing their banking, buying stock. These are not the kinds of thing you want to be doing on public Wi-Fi."

A lot of the problem may be that people let their guard down when they're on vacation.

"Much of the time, people just log in to the first robust network they see," says AirTight spokeswoman Della Lowe. "When we did our airport study, we found only 3 percent of the people were using secure networks."

And according to their study, even the "secure" networks weren't all too safe.

Eighty percent of the private Wi-Fi networks at airports surveyed by Airtight were secured by the aging Wired Equivalent Privacy (WEP) protocol, which was cracked back in 2001.

Almost as many — 77 percent — of the networks they surveyed were actually private, peer-to-peer networks, meaning they weren't official hotspots. Instead, they were running off someone else's computer.

In response to the rise in vacation hacking, some companies are beginning to tighten up security.

When AirTight's Farina alerted American Airlines to vulnerabilities in its system earlier this year, the airline took action.

"I can't tell you what they did," says Farina, "but their Wi-Fi is safer."

JetBlue also says it has taken appropriate steps.

"Phishing is a risk that exists anywhere there are wireless services available, which is pretty much everywhere these days," says JetBlue spokesman Bryan Baldwin.

"At our Terminal 5 at JFK, where we offer free Wi-Fi, we have measures in place to minimize risks for our customers," he said. "We'd prefer not to go into detail about the specifics of those measures, because the details could be used by clever hackers against the defenses."

A spokesman for the Marriott hotel chain would give only a terse statement:

"When it comes to online security, Marriott has worked diligently to protect our guests."

One thing all security experts agree on: When it comes to hackers, the best defense is a good offense.

To this end, the folks at Symantec have created a list of five simple tips for thwarting most attacks.

— Pay attention to your surroundings. Just because you're on vacation doesn't mean you're not in public. Don't look at important documents when sitting in a waiting area for a plane or a train — wait until you're alone and in private for that.

— Beware of "Evil Twins." Some Wi-Fi networks look legitimate but are actually dummy networks created by criminals. Even if they contain the name of your airport, airline or hotel, they will directly link your computer to the hacker's. If you always use the official access keys provided by the establishment, then you should be safe.

— Always assume Wi-Fi connections are being eavesdropped on. Never enter sensitive data — Social Security numbers, bank account information, etc. — when browsing the Web via a Wi-Fi network.

— Set all Bluetooth devices to "hidden," not to "discoverable." Better yet, if you don't use Bluetooth, just shut off the function altogether.

— Keep your security software current and active. Mobile PCs are just as vulnerable to viruses, worms and Trojan horses as are desktops, so make sure you have the latest protection installed.

"In short," says Merritt, "if you don't feel confident in the system security, then just don't use it."

Original article on FoxNews.com by Steven Kotler

Bulletins posted 7/08/2009

Microsoft warns of hole in Video ActiveX control
Microsoft on Monday warned of a vulnerability in its Video ActiveX Control that could allow an attacker to take control of a PC if the user visits a malicious Web site.

There have been limited attacks exploiting the hole, which affects Windows XP and Windows Server 2003, Microsoft said on its Security Response Center blog.

This is the second DirectShow security hole Microsoft has announced in the past few months. The company has yet to provide a security update for a vulnerability announced in May that involves the way DirectX handles QuickTime files.

Since there are no by-design uses for the ActiveX Control within Internet Explorer, Microsoft is recommending that users implement a workaround outlined in the security advisory. Customers can automatically implement the workaround by following the instructions under "Fix It For Me" in the Knowledge Base article for advisory number 972890 on the Microsoft support site.

We recommend that anyone running Windows XP (or Windows Server 2003) immediately implement the workaround as noted above. Microsoft recommends that you use the workaround even if you are using Vista or Windows Server 2008, just to be safe.

From CNet News, by Elinor Mills

High Crimes Using Low-Tech Attacks
Criminals are resurrecting low-tech attacks to siphon tens of thousands of dollars from unsuspecting victims. According to financial fraud experts, so-called "man-in-the-phone" attacks require little more than a telephone and old-fashioned con artistry.

The scam works like this: The criminal calls a target, claiming to be the fraud department of the target's bank calling to alert the mark to potential unauthorized activity. The recipient of the call is then told to please hold while a fraud specialist is brought on the line. The perpetrator then calls the victim's bank, and bridges the call, while placing his portion of the call on mute.

When the bank's fraud department asks various questions in a bid to authenticate the victim, the criminal records the customer's answers. Depending on the institution, the answers may include the victim's Social Security number or national ID number, a PIN or password, and/or the amount of last deposit or location of the last transaction.

The criminal then calls the bank back (ostensibly reaching a different customer service representative), supplies the personal information needed to access the victim's account, and begins to initiate a series of wire transfers out of that account into another that he controls.

That anecdote comes from Amir Orad, executive vice president at Actimize, a company that provides back-end anti-fraud solutions to banks and financial institutions. Orad said his company first saw this attack against one of its customers in the United Kingdom about six weeks ago. Since then, the company has seen similar attacks against financial institutions in Canada and the United States, giving the perpetrators the information they need to begin transferring tens of thousands of dollars from victims.

Orad said many banks and anti-fraud solutions are keen to focus on high-tech attacks, particularly those involving counterfeit bank Web sites, keystroke logging viruses, and so-called man-in-the-browser attacks, which involve malware capable of modifying the customer's Web transactions as they occur in real time.

"What's unique about this attack is that it's really low-tech," Orad said. "We're always thinking about complicated attacks like man-in-the-browser, but this is one of the simplest and most elegant attacks I've ever seen."

Malcolm Wiley, a spokesman for the U.S. Secret Service, said people who receive an alert about potential fraudulent activity should keep a cool head and take a deep breath before taking any action, regardless of the medium the alert comes in.

"If you receive a call about someone claiming to be from your bank, the smartest thing to do is to hang up, look up the bank's number and call them directly," Wiley said.

From Washington Post Security Fix Blog, by Brian Krebs

Apple Releases Advisory and Update for Safari 4
Apple just released a new security update for Safari 4.0. The newest version is 4.02 and is available on Safari's download site.

If you use Apple's Safari Web browser, we recommend updating it as soon as possible

From Donna's Security Flash, by Donna Buenaventura

Twitter Travails: Pranks and Deleted Account Errors
Twitter's "Trending Topics" is a popular feature that allows you to see what are the most popular subjects being discussed on Twitter in real time. Yesterday, amid popular tweets about Wimbledon, Steve McNair, and Harry Potter, one thing seemed to be on everybody's mind: gorilla p***s. Highlighting another crack in Twitter security, hackers flooded onto Twitter yesterday to create fake accounts and drive global discussions toward primate anatomy.

Called Operation Sh**ter, the attack was coordinated via a wiki on insurgen.info with specific instructions on how to carry out the prank. The page has since been taken down, but thanks to Google you can still see a cached version of the wiki. Instructions urged like-minded pranksters to sign up for fake accounts on Twitter, and start posting random (read: nonsense) posts with the hashtag ‘#gorillap***s' included in every message. The 4chan instructions also asked users to register eBaum's World as their location in their user profile -- eBaum's World is a hybrid Website with sections for videos, news, user-created blogs, and games..

The hackers behind the ruse were reportedly from 4chan -- an online bulletin board -- as well as other online hacker haunts. But the best known of these groups is 4chan. Members of that site were also linked to the recent YouTube porn prank, as well as the manipulation of Time Magazine's online poll for the 100 most influential people of 2009. It was also suspected that members of 4chan were behind Anonymous, the group responsible for last year's cyberattacks against the Church of Scientology.

On the same day as the primate prank, Twitter itself erred by suspending hundreds to possibly thousands of regular user accounts. How the suspensions happened is unclear, but Twitter officially said it was due to "human error." The strange thing is many of the suspended accounts were not exhibiting any of these irregular behaviors. The only recurring factors were that many of the suspended Twitter accounts had at least several thousand followers, and enough of these accounts were using a third-party Twitter application, called Tweetlater, that Twitter had to publicly state the application was "not to blame for these suspensions nor is it in violation of [Twitter's] Terms." As of this writing, most of the unfairly suspended Twitter accounts have been reinstated.

From PC World, by Ian Paul

Bulletins posted 7/02/2009

Mozilla Firefox 3.5 officially released
After a prolonged beta period, Mozilla has officially released its new version of Firefox.

Version 3.5 contains multiple security enhancements, such as improved anti-phishing and malware and privacy protection, according to Mozilla.

One of the privacy features is called “Private Browsing," which lets users browse the internet without Firefox retaining any data about sites and pages that were visited. No pages are added to the list of sites in the “History” menu, the library window's history list, or the browser's “Smart Location Bar” address list.

“We wanted to make sure that our users had control over the information that was being kept by the browser,” Johnathan Nightingale, Mozilla's "human shield," told SCMagazineUS.com Tuesday. "Once the private browsing mode is started, all the work up to that point is unaffected. Firefox is reinitialized, brought up fresh, and nothing you do afterward is ever logged to disk -- no downloads, cookies, no cache – so a record is not there even if power is lost during the session.”

Competing browsers' privacy features, such as Microsoft's IE8 InPrivate, Chrome's Incognito and Safari's private browsing mode, do much the same thing, but Firefox handles the operation automatically and more transparently, Nightingale said.

Another Firefox privacy tool is called “Clear Recent History,” which gives a user even more granular control.

“With this tool, users can clear any given time period of browsing record,” Nightingale said.

For even more control, users can erase any record of a particular website with a featured dubbed “Forget About This Site.” This feature can remove all traces of a particular website without disturbing the rest of the browsing history for other sites, Nightingale said.

Mozilla Firefox 3.5 is available now for Windows, Linux, and Mac OS X operating systems and we recommend updating to this new version.

From SC Magazine, by Chuck Miller

Britney Spears Twitpic account hacked; fake death posted
A vulnerability in a third-party service through which users post photos to their Twitter profiles allowed hackers on Sunday to falsely report that Britney Spears had died.

The attackers, apparently preying on the fact that several notable celebrities died last week, including Michael Jackson, were able to post a message to Spears' Twitter profile that claimed she, too, had passed away.

Twitpic founder Noah Everett, in a blog post Monday, said the attackers used a technique known as brute force to guess the email PINs of about 10 users, which they were able to use to automatically post messages to various Twitter pages. Everett did not address Spears by name in his post.

The latest tweet from the celebrity, posted Sunday afternoon, said: Britney's Twitter was just hacked. The last message is obviously not true. She is fine and dandy spending a quiet day at home relaxing.

Similar messages also were posted to the accounts of Ellen DeGeneres and Miley Cyrus, according to reports.

I want to make it clear that this was not a Twitter issue, but a Twitpic issue, and I take full responsibility for it," Everett wrote, adding that an investigation, in conjunction with internet service providers, is underway to determine the source of the attacks.

One more example of the way Twitter and other social media sites are becoming the newest target for scammers. Be aware.

From SC Magazine, by Dan Kaplan