From the monthly archives:

May 2008

Foxit Reader Critical Vulnerability

by certifiedbug on May 20, 2008

in Security

Secunia Research 20/05/2008

Foxit Reader “util.printf()” Buffer Overflow.

1) Affected Software
* Foxit Reader 2.3 build 2825
NOTE: Other versions may also be affected.

2) Severity
Rating: Highly critical
Impact: From remote
Where: System access

3) Vendor’s Description of Software
“Foxit Reader is a free PDF document viewer and printer, with
incredible small size (only 2.55 M download size), breezing-fast
launch speed and rich feature set. Foxit Reader supports Windows Me/
2000/XP/2003/Vista. Its core function is compatible with PDF Standard
1.7.”.
Product Link:
http://www.foxitsoftware.com/pdf/rd_intro.php

4) Description of Vulnerability
Secunia Research has discovered a vulnerability in Foxit Reader, which
can be exploited by malicious people to compromise a user’s system.
The vulnerability is caused due to a boundary error when parsing
format strings containing a floating point specifier in the
“util.printf()” JavaScript function. This can be exploited to cause a
stack-based buffer overflow via a specially crafted PDF file.
Successful exploitation allows execution of arbitrary code.

5) Solution
The vulnerability is fixed in upcoming version 2.3 build 2912.

6) Time Table
23/04/2008 - Vendor notified.
08/05/2008 - Vendor notified again.
08/05/2008 - Vendor response.
20/05/2008 - Public disclosure.

Victims of bucksbill.com

by certifiedbug on May 19, 2008

in Rogue

Going by the amount of complaints you have less chance of getting a refund from bucksbill.com than winning the lottery.

Spyware Sucks, an anti-spyware blog, warned about the rogue a while back and today posted a disclaimer:

Unfortunately, people are also emailing me directly because they (mistakenly) believe that I and/or this blog are associated with the fraudsters.

I am NOT associated with bucksbill.com

Please, remember that victims of overcharging and unauthorised charges can dispute the charge with their bank or building society and request that the charge be reversed.

Think twice before handing over credit card information on the internet. Do you know anything about the company? A little research could save a lot of grief.

Certainly don’t do it in a panic because some company you have never heard of before pops up saying your computer is infected and buy their product to remove it.

Sure sign of a rogue.

PayPal XSS Vulnerability

by certifiedbug on May 18, 2008

in Security

In an interview with Netcraft, Finnish security researcher Harry Sintonen reported a critical cross-site scripting vulnerability on paypal.com.

Netcraft

The vulnerability is made worse by the fact that the affected page uses an Extended Validation SSL certificate, which causes the browser’s address bar to turn green, assuring visitors that the site – and its content – belongs to PayPal.

Apple’s Safari Carpet Bomb

by certifiedbug on May 15, 2008

in Browser

Nitesh Dhanjani released his research on issues within Apple’s Safari browser today.

Apparently Apple has decided not to fix two of the issues and gave Dhanjani permission to discuss them with the security community.

1. Safari Carpet Bomb. It is possible for a rogue website to litter the user’s Desktop (Windows) or Downloads directory (~/Downloads/ in OSX). This can happen because the Safari browser cannot be configured to obtain the user’s permission before it downloads a resource. Safari downloads the resource without the user’s consent and places it in a default location (unless changed).

The implication of this is obvious: Malware downloaded to the user’s desktop without the user’s consent.

Apple does not feel this is an issue they want to tackle at this time. In my most recent email to Apple, I suggested that they incorporate an option in Safari so the browser can be configured to ask the user before anything is downloaded to the local file system. Apple agreed it was a good suggestion:

…the ability to have a preference to “Ask me before downloading anything” is a good suggestion. We can file that as an enhancement request for the Safari team. Please note that we are not treating this as a security issue, but a further measure to raise the bar against unwanted downloads. This will require a review with the Human Interface team. We want to set your expectations that this could take quite a while, if it ever gets incorporated.

[credit to BK have-it-your-way Rios for suggesting the term "Carpet Bomb" to describe this issue].

2. Sandbox not Applied to Local Resources. This issue is more of a feature set request than a vulnerability. For example, Internet Explorer warns users when a local resource such as an HTML file attempts to invoke client side scripting. I feel this is an important security feature because of user expectations: even the most sophisticated users differentiate between the risk of clicking on an executable they have downloaded (risk perceived to be higher) and clicking on an HTML file they have downloaded (risk perceived to be lower).

Apple’s response was positive:

…we have been investigating the potential for a “safe” mode for local HTML. This is an area that requires a fairly deep investigation to address compatibility issues, and to determine the proper operation. Please understand that when we label this as a security hardening measure, we are not discounting the benefits that this could have.

http://www.dhanjani.com/archives/2008/05/safari_carpet_bomb.html

AntiSpySpider Rogue Security Program

by certifiedbug on May 13, 2008

in Rogue

Along with the dark side pushing cracks, warez and keygens for rogue programs (perhaps to dupe people into thinking the programs have value), there are also many untrustworthy sites offering to remove them. From the frying pan into the fire.

From Bleeping Computer:

This infection attempts to make it difficult to uninstall by disabling the Windows regedit.exe program and the Windows Task Manager. This makes it so you can’t edit your registry with RegEdit or kill processes that may be running with the Task Manager. As part of this fix, I have created a small tool called regallow that will re-enable the use of RegEdit so that this infection can be properly removed.

How to remove AntiSpySpider and sockins32.dll
http://www.bleepingcomputer.com/malware-removal/antispyspider

If you have an infected computer and would feel more comfortable being assisted by a trained malware removal helper, please start a topic at one of the forums. A short but trusted list is in the right-hand column.
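As an added example, not part of the Bleeping Computer write-up or its regallow tool, here is a PowerShell check that reports and clears the Windows policy values a rogue program sets to lock out RegEdit and Task Manager. The key path and the value names DisableRegistryTools and DisableTaskMgr are assumed from the standard Windows policy location; the page itself does not name them.

```powershell
# Added example (not from the Bleeping Computer write-up): detect and restore the
# Windows policy values that rogue programs use to disable RegEdit and Task Manager.
# Assumption: the lockout is done through the well-known DisableRegistryTools and
# DisableTaskMgr DWORDs under Policies\System for the current user or the machine.
$policyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)
$lockoutValues = @('DisableRegistryTools', 'DisableTaskMgr')

function Get-ToolLockouts {
    # Returns one record per policy value that is currently set to a non-zero DWORD.
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        foreach ($name in $lockoutValues) {
            $value = $item.$name
            if ($null -ne $value -and $value -ne 0) {
                [pscustomobject]@{ Key = $key; Name = $name; Value = $value }
            }
        }
    }
}

function Restore-ToolAccess {
    # Removes the lockout values found by Get-ToolLockouts; run elevated for HKLM.
    param([switch]$WhatIf)
    foreach ($hit in Get-ToolLockouts) {
        Write-Host "Lockout found: $($hit.Key)\$($hit.Name) = $($hit.Value)"
        Remove-ItemProperty -Path $hit.Key -Name $hit.Name -WhatIf:$WhatIf
    }
}

# Report first, then clear. Restoring the tools does not remove the infection itself;
# it only lets the removal steps that need RegEdit and Task Manager proceed.
$hits = @(Get-ToolLockouts)
if ($hits.Count -eq 0) {
    Write-Host 'No RegEdit/Task Manager lockout policies are set.'
} else {
    Restore-ToolAccess
}
```

Run Restore-ToolAccess -WhatIf first to see what would be removed; a lockout that reappears after clearing is a sign the rogue's process is still running and re-applying the policy.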

Microsoft May 2008 Monthly Release

by certifiedbug on May 13, 2008

in Microsoft

Summary.

MS08-026 Vulnerabilities in Microsoft Word Could Allow Remote Code Execution

MS08-027 Vulnerability in Microsoft Publisher Could Allow Remote Code Execution

MS08-028 Vulnerability in Microsoft Jet Database Engine Could Allow Remote Code Execution

MS08-029 Vulnerabilities in Microsoft Malware Protection Engine Could Allow Denial of Service

I think it is also worth noting that MS08-026 includes additional security mitigations against attacks as identified in Microsoft Security Advisory 950627. We recommend that customers install the updates provided in both MS08-026 and MS08-028 for the most up to date protection against these types of attacks.

The Microsoft Security Response Center (MSRC)

MS08-026: How to prevent Word from loading RTF files

xpsecuritycenter Rogue Security Program

by certifiedbug on May 9, 2008

in Rogue

xpsecuritycenter has only two pages in Google at the moment, so it may not be regarded as a serious threat, since it was only noticed in the spring of 2008. However, xpsecuritycenter belongs to a family of rogues.

Many people rely on Site Advisor to check whether a domain is good or bad, but Site Advisor is extremely slow to test and rate, which is surprising as the site belongs to Symantec McAfee.

For instance, malwarebell.com was added to Symantec.com’s Rapid Release on April 16, 2008.

Yet at Site Advisor it still isn’t rated as of writing. And what about pandora-software.com, which was given a green rank:

We tested this site and didn’t find any significant problems.

The domain name alone might have been a tip-off.

An experienced reviewer at Site Advisor posted January 2008 that pandora-software.com is a malicious domain.

Bharath’s Security Blog: Saga of IE Defender Family

If you don’t have a HOSTS File other than the default one in Microsoft Windows please consider:
Blocking Unwanted Parasites with a Hosts File

Compromised Firefox Vietnamese language pack

by certifiedbug on May 9, 2008

in Browser

Mozilla Security Blog

The Vietnamese language pack for Firefox 2 contains inserted code to load remote content. This code is the result of a virus infection, but does not contain the virus itself. This usually results in the user seeing unwanted ads, but may be used for more malicious actions.

Everyone who downloaded the most recent Vietnamese language pack since February 18, 2008 got an infected copy. While we cannot determine the exact number of compromised downloads, there have been 16,667 total downloads of the Vietnamese language pack since November 2007, so we anticipate the impact on users to be limited.

Mozilla does virus scans at upload time but the virus scanner did not catch this issue until several months after the upload. We are also adding after-the-fact scans of everything to address this sort of case in the future.

A new language pack will be available shortly. Until then, Vietnamese language pack users should disable this package using the add-ons dialog on the Tools menu.

More information is available in bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=432406

Scheduled May bulletin release day, Tuesday, May 13, 2008

The Microsoft Security Response Center (MSRC)

Preliminary information, subject to change.

As part of our regularly scheduled bulletin release, we’re currently planning to release:

  • Three Microsoft Security Bulletins rated Critical and one that is rated as Moderate. These updates may require a restart and will be detectable using the newly released version of the Microsoft Baseline Security Analyzer.

As we do each month, the Microsoft Windows Malicious Software Removal Tool will be updated.

Finally, we are planning to release high-priority, non-security updates on Windows Update and Windows Server Update Services (WSUS) as well as high-priority, non-security updates on Microsoft Update and Windows Server Update Services (WSUS). For additional information, please see the Other Information section of the Advanced Notification.

As always, we’ll be holding the May edition of the monthly security bulletin webcast on Wednesday, May 14, 2008 at 11 a.m., Pacific Standard Time. We will review this month’s release and take your questions live on-air with answers from our panel of experts. As a friendly reminder, if you can’t make the live webcast, you can listen to it on-demand as well.

You can register for the webcast here:

http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032357221&Culture=en-US

TechNet

Adobe Vulnerabilities

by certifiedbug on May 7, 2008

in Security

Fortinet reports multiple vulnerabilities in the JavaScript API for Adobe Acrobat Professional / Adobe Reader.

Impact: Remote code execution and privilege escalation.
Risk: Critical
Affected Software:
Adobe Acrobat Professional 7.0.9
Adobe Reader 7.0.9

Additional Information:
Two vulnerabilities exist in the Adobe javascript api, which are exploited through a user-supplied callback function:
A memory corruption issue that can be remotely exploited, allowing a remote attacker to execute arbitrary code on the affected system
A privilege escalation issue that allows an attacker to bypass security measures to remotely access restricted functions

Solutions:
Users should apply the update supplied by Adobe to address these issues

http://www.adobe.com/support/security/bulletins/apsb08-13.html

Full Disclosure: Adobe Acrobat Professional Javascript For PDF Security Feature Bypass and Memory Corruption Vulnerabilities
http://seclists.org/fulldisclosure/2008/May/0140.html
