Posts tagged as: Security

MSN Featured Offers, Spam from Canadian Pharmacy

by certifiedbug on November 8, 2008

in Security

This week I have seen a resurgence of the “MSN Featured Offers” scam, this time from Canadian Pharmacy, pushing Viagra and other pharmaceuticals.

Previous Certifiedbug alerts:
Infector Spam ‘Free Update Windows XP,Vista’
Fake IE7 email Spam
Spam posing as MSN Featured Offers

Domain Name: xhtnnfx.cn
Created: 2008-10-28
Expires: 2009-10-28
Whois Server: whois.cnnic.net.cn
IP Location: Latvia - Latvia - Vdhost Ltd

Domain Name: progressconsider.com
ICANN Registrar: 35 TECHNOLOGY CO., LTD
Created: 2008-11-05
Expires: 2009-11-05
Updated: 2008-11-05
Domain servers in listed order:
srv1.reachfarm.com
srv2.reachfarm.com
ZHANGJIE
JIANSHELU263
TS,HB,CN 063002

hxxx://ler.rightachievement.com
Canadian Pharmacy

hxxx://myx.poseindependence.com
Canadian Pharmacy

hxxx://xkx.rightachievement.com/
Canadian Pharmacy

Those are just examples; the links change frequently.

Fake pharmaceuticals on-line, buyer beware
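Both domains above were registered only days before the spam run and for the minimum one-year term. As an added illustration (not the blog's own code), this Python script parses whois snippets in the layout quoted above and flags such freshly registered domains, taking the post date as the observation date; the 30-day threshold and the one-year-term signal are assumed heuristics, not anything the post states.

```python
from datetime import date

# Constructed sample: the two whois snippets quoted in the post, in the same layout.
WHOIS_SNIPPETS = """\
Domain Name: xhtnnfx.cn
Created: 2008-10-28
Expires: 2009-10-28

Domain Name: progressconsider.com
Created: 2008-11-05
Expires: 2009-11-05
"""


def parse_whois(text):
    """Return one dict per 'Domain Name:' record with Created/Expires/Updated parsed as dates."""
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue  # lines without a colon (nameservers, registrant address) are skipped
        key, value = key.strip().lower(), value.strip()
        if key == "domain name":
            current = {"domain": value.lower()}  # whois output mixes case (e.g. DECITU.COM)
            records.append(current)
        elif current is not None and key in ("created", "expires", "updated"):
            current[key] = date.fromisoformat(value)
    return records


def assess(records, seen_on, max_age_days=30):
    """Flag domains created within max_age_days of the observation date.

    one_year_term marks an Expires date one year after Created, the cheapest
    registration term and a common trait of throwaway spam domains (assumed heuristic).
    """
    findings = {}
    for rec in records:
        created = rec.get("created")
        if created is None:
            continue
        age = (seen_on - created).days
        one_year = "expires" in rec and 364 <= (rec["expires"] - created).days <= 366
        if 0 <= age <= max_age_days:
            findings[rec["domain"]] = {"age_days": age, "one_year_term": one_year}
    return findings


if __name__ == "__main__":
    for dom, info in assess(parse_whois(WHOIS_SNIPPETS), date(2008, 11, 8)).items():
        print(f"{dom}: {info['age_days']} days old, one-year term: {info['one_year_term']}")
```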

{ 28 comments }

Scheduled November bulletin release day, Tuesday, Nov. 11, 2008.

The Microsoft Security Response Center (MSRC)

Preliminary information, subject to change.

As part of our regularly scheduled bulletin release, we’re currently planning to release two security bulletins:

  • One Microsoft Security Bulletin affecting Microsoft Windows/Microsoft Office rated as Critical, and one affecting Windows rated as Important. These updates may require a restart and will be detectable using the Microsoft Baseline Security Analyzer.

As we do each month, the Microsoft Windows Malicious Software Removal Tool will be updated.

We are also planning to release high-priority, non-security updates on Windows Update and Windows Server Update Services (WSUS) as well as high-priority, non-security updates on Microsoft Update and Windows Server Update Services (WSUS). For additional information, please see the Other Information section of the Advanced Notification.

The November edition of the monthly security bulletin webcast will be held on Wednesday, Nov. 12, 2008 at 11 a.m., Pacific Standard Time.

Register for the webcast here: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032374642&Culture=en-US

{ 0 comments }

Critical update, version 9.0.151.0 for Flash 9 users unable to update to Flash 10.

In addition to issues previously reported in Security Bulletin APSB08-18, the update addresses several other security vulnerabilities.

http://www.adobe.com/support/security/bulletins/apsb08-20.html

Certifiedbug, October 15, 2008.
Adobe Flash Player update 10.0.12.36

{ 0 comments }

The Microsoft Security Intelligence Report has been released.
Microsoft Malware Protection Center

The Microsoft Security Intelligence Report (SIR) provides an in-depth perspective on the changing threat landscape including software vulnerability disclosures and exploits, malicious software (malware), and potentially unwanted software. Using data derived from hundreds of millions of Windows users, and some of the busiest online services on the Internet, this report also provides a detailed analysis of the threat landscape and the changing face of threats and countermeasures and includes updated data on privacy and breach notifications.

Not surprisingly, a high percentage of users chose to ignore potentially unwanted software (PUPs) they had installed themselves: 90.1% for Bearshare. We see a lot of P2P file sharing programs on infected computers in the forums.

The full report contains 150 pages.
SIR Volume 5 (January through June 2008) and Key Findings Summary
Key Findings Summary 18 pages.
Microsoft Security Intelligence Report volume 5 Executive Summary

{ 0 comments }

Opera v9.62 released to fix vulnerabilities

by certifiedbug on October 30, 2008

in Browser

Advisory 906
Severity: Extremely Severe
Platforms: All desktop versions

When certain parameters are passed to Opera’s History Search, they can cause content not to be correctly sanitized. This can allow scripts to be injected into the History Search results page. Such scripts can then run with elevated privileges and interact with Opera’s configuration, allowing them to execute arbitrary code.

Note: There have been public demonstrations of this issue, which have altered Opera’s setup. Upgrading to 9.62 will not restore these settings. If you have opened any of these demonstrations, you may have to restore your settings manually. Typically, the mailto handler has been changed; it can be restored back to its correct value using Preferences - Advanced - Programs.

http://www.opera.com/support/search/view/906/

Advisory 907
Severity: Highly Severe
Platforms: All desktop versions

The links panel shows links in all frames on the current page, including links with JavaScript URLs. When a page is held in a frame, the script is incorrectly executed on the outermost page, not the page where the URL was located. This can be used to execute scripts in the context of an unrelated frame, which allows cross-site scripting.

http://www.opera.com/support/search/view/907/

Opera 9.62 for Windows: Download

Aviv Raff On .NET A different Opera

{ 0 comments }

Microsoft Security Advisory 958963

by certifiedbug on October 28, 2008

in Microsoft

The Microsoft Security Response Center (MSRC)

It’s been almost five days since we originally released MS08-067, and our tracking shows that security deployments remain strong. We’re also still unaware of any application compatibility issues with this update.

Like we’ve said, we’re continuing to watch the threat environment. Yesterday, we said that our analysis of public exploit code that was available showed it would always result in a denial of service. Today, we’ve identified the public availability of exploit code that now shows code execution for the vulnerability addressed by MS08-067. This exploit code has been shown to result in remote code execution on Windows Server 2003, Windows XP, and Windows 2000 systems. Our investigation has shown that it does not affect customers who have installed the update. We’ve just published Microsoft Security Advisory 958963 to let customers know about this new development.


http://blogs.technet.com/msrc/archive/2008/10/27/microsoft-security-advisory-958963.aspx

Certifiedbug, October 24, 2008.
Microsoft Security Bulletin MS08-067 Critical Update

{ 0 comments }

New EST Domains

by certifiedbug on October 25, 2008

in Security

decitu.com is one of EstDomains' October registrations; checking it out, my browser was redirected to porno-tube-online.com/porn/, obviously an adult content site.

Snippet from my log,
/banners/flash/24368/json_400×600_005.swf 11,524 application/x-shockwave-flash
Host: banners.adultfriendfinder.com.

By the way, if your Adobe Flash is up to date and you think you are protected from SWF exploits, see Sandi's article at Spyware Sucks.
Adobe Flash 10 does NOT stop malvertizement hijacking

A lot of malware victims end up in help forums because they were redirected to a bad site, or intentionally downloaded video codecs so they could watch such content.

The dialog informs you that a codec is needed to view the video; this is where you should stop, before infecting your computer.

The anti-virus program alerted.

Hiding in the background, waiting for an unsuspecting user to download the codec, was a rogue; the link on its own produced an error.

Domain Name: DECITU.COM
ICANN Registrar: ESTDOMAINS, INC.
Created: 2008-10-23
Expires: 2009-10-23
Updated: 2008-10-23
3 other sites hosted on this server.

Certifiedbug October 24, 2008. EstDomains, Inc. PR

From EstDomains’s Press release,

Once again EstDomains, Inc would like to address the interactive community and ask for co-operation to make the Internet clear and safe. Please report infringements that involve the activity of EstDomains, Inc customers to: https://support.estdomains.com.

The support link they provided produced:
"The requested site did not respond to a connection request and the browser has stopped waiting for a reply."
I went directly to their website and clicked the red 'Report Abuse' button; same thing.

The rest of the site loads normally; it is the 'support' page that was kaput at the time of writing.

{ 0 comments }

EstDomains, Inc. PR

by certifiedbug on October 24, 2008

in Security, Windows Vista

To read history see http://certifiedbug.com/blog/tag/estdomains/

October Press releases:
EstDomains, Inc Takes Next Step in Combating Spam and Malware
http://www.prweb.com/releases/2008/10/prweb1504344.htm

EstDomains, Inc Combating Cyber Crime — Thousands Domain Names Suspended
http://www.prweb.com/releases/2008/10/prweb1511704.htm

Edit:
The Spamhaus Project.
SBL68934
89.108.95.135/32 agava.ru
24-Oct-2008 10:41 GMT estdomains.com / esthost.com / Cernel - dirty host/registrar

SBL68935
89.108.73.87/32 agava.ru
24-Oct-2008 09:03 GMT estdomains.com / esthost.com / Cernel - dirty host/registrar

SBL68936
89.108.74.33/32 agava.ru
24-Oct-2008 09:04 GMT estdomains.com / esthost.com / Cernel - dirty host/registrar

SBL68937
83.171.76.96/28 ptt.spb.ru
24-Oct-2008 10:41 GMT estdomains.com / esthost.com / Cernel - dirty host/registrar

http://www.spamhaus.org/sbl/index.lasso

{ 0 comments }

Searching for a product, buyer beware

by certifiedbug on October 23, 2008

in Rogue

Noted by users, ‘official-download.net’ appears to be selling a product that is presented in such a way as to mislead a person searching for the download page for a well known antispyware program.

Domain Tools.
Related Sites: 2008-official.net
Website title: Earth 2009 Secrets


That's how the banner appeared yesterday; today it looked like this.

At the bottom of the page, in pale grey:

This website has no affiliation whatsoever with the owner of this software program, and provides ONLY a link to the software program. If you are a member and need support please contact us and not the software owner. This Software may be obtained freely. New computer users should find our services valuable, and a time saver. If you are an advanced computer user, you probably don't need our services.

The download button took me to secure.signupsecurity.com, and the following steps required one to fill out an email address, contact information, and 1-, 2- or 3-year membership options and features.

No thanks…

Persistent, aren't they...

http://www.mywot.com/en/scorecard/official-download.net

The real thing: Spybot-S&D©® http://www.spybot.info/

{ 0 comments }

Rogue Security Program email scam

by certifiedbug on October 23, 2008

in Rogue

Victims report a rogue named 'Spybot 2009' received in the form of email spam posing as an application upgrade. The scam is playing off the trademark name of the well known antispyware program, Spybot-S&D.

Be warned you may also see websites offering the fake, rogue program Spybot 2009.

Screenshots of the rogue are at a blog on Google's blogspot.com that contains malicious code, which is a separate matter to be addressed. Just visiting the site will infect your computer.

http://www.avira.com/en/threats/section/fulldetails/id_vir/3684/html_infected.webpage.gen.html

Don’t fall for the rogue scam, Spybot - Search & Destroy©® is free for personal use and you can download the program at the official site here: http://www.spybot.info/

The current version of Spybot - Search & Destroy©® is v1.6.

{ 0 comments }