Alerts - 2007-Q4
AplusWebMaster
2007-10-08, 14:55
FYI...
* http://www.adobe.com/support/security/advisories/apsa07-04.html
October 5, 2007 - "...Vulnerability identifier: APSA07-04...
Platform: Windows XP (Vista users are not affected) with Internet Explorer 7 installed
Affected Software Versions:
Adobe Reader 8.1 and earlier versions
Adobe Acrobat Standard, Professional and Elements 8.1 and earlier versions
Adobe Acrobat 3D
Summary:
Adobe is aware of a recently published report of a critical security vulnerability in Adobe Reader and Acrobat.
Solution:
To protect Windows XP systems with Internet Explorer 7 installed from this vulnerability, administrators can disable the mailto: option in Acrobat, Acrobat 3D 8 and Adobe Reader by modifying the application options in the Windows registry*... the Secure Software Engineering team is working with the Adobe Reader Engineering team on an update to versions 8.1 of Adobe Reader and Acrobat that will resolve this issue. A security bulletin will be published on http://www.adobe.com/support/security as soon as that update is available. We expect the update to be available before the end of October. In the meantime, Adobe recommends that Acrobat and Reader customers use caution when receiving unsolicited e-mail communications requesting user action, such as opening attachments or clicking Web links..."
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5020
:fear:
AplusWebMaster
2007-10-10, 19:05
FYI...
- http://www.theinquirer.net/gb/inquirer/news/2007/10/10/linux-kernel
10 October 2007 - "...There will probably be a few more patches as this new kernel sees use in a wider variety of systems - including yours, should you choose to play with it - but it should be fairly stable within a couple of months, at which time you'll begin to see the major Linux distributions start releasing systems based upon it."
Release notes:
- http://kernelnewbies.org/Linux_2_6_23
9 October 2007
:spider:
AplusWebMaster
2007-10-12, 15:43
FYI...
- http://secunia.com/advisories/27223/
Release Date: 2007-10-12
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
...The vulnerabilities are reported in version 5.35. Other versions may also be affected.
Software: Winamp 5.x
Solution: Update to version 5.5.
http://www.winamp.com/player ...
> http://www.winamp.com/player/version-history
:fear:
AplusWebMaster
2007-10-16, 22:51
FYI...
- http://secunia.com/advisories/26619/
Release Date: 2007-10-16
Critical: Moderately critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: IrfanView 3.x, IrfanView 4.x
...The vulnerability is confirmed in version 4.00. Other versions may also be affected.
Solution: Update to version 4.10.
http://www.irfanview.com/main_download_engl.htm
.
AplusWebMaster
2007-10-17, 23:14
FYI...
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=809
October 17, 2007 - "Websense® Security Labs™ has discovered a new Trojan Horse being distributed via spam email in Latin America. The email message is written in Spanish, and includes the subject line: "Espero que te guste"
The email acts as a lure, attempting to get users to click a link and download a greeting card. There are several versions of the spam message, but the main difference is the location where the malicious code is stored. In all versions discovered to date, the file name is always "mexico.exe", and the MD5 is "ce073c460ec25d7e40efe3f717f75c38". In all samples, the file has been stored on compromised websites. If users click on the link and run the code, a browser window to Univision.com opens as a means of hiding what is happening in the background. The malicious code also connects to one or more additional websites to download an additional binary file, "file56.gif". This file is actually a Windows executable. The "file56.gif" binary can come from any of five different compromised sites. The file is downloaded to the Windows system32 directory and given the name "html.txt". The "html.txt" file is then renamed "html.exe" and run. The payload of the code is written in Delphi and packed with RLpack. It disables Task Manager, deletes the host file, and changes some startup options and Start menu options. It also includes an information stealing component..."
(Screenshot available at the URL above.)
.
AplusWebMaster
2007-10-19, 13:45
FYI...
- http://preview.tinyurl.com/36awux
October 19, 2007 (Computerworld) - "Attackers are exploiting a zero-day vulnerability in RealPlayer in order to infect Windows machines running Internet Explorer, Symantec Corp. said late Thursday. The security company issued an alert that rated the threat with its highest possible score. According to a warning issued to customers of its DeepSight threat network, Symantec said an ActiveX control installed by RealNetworks Inc.'s RealPlayer program is flawed. When combined with Microsoft Corp.'s Internet Explorer (IE) browser -- which relies on ActiveX controls to extend its functionality -- the bug can be exploited, and malicious code downloaded to any PC that wanders to a specially-crafted site. Only systems on which both RealPlayer and IE have been installed are vulnerable. Symantec ranked the attack as a "10" on its urgency scale because it has confirmed that attacks are being conducted in the wild; those attacks have resulted in malicious code downloaded to victimized PCs. The only bright spot: "We are not currently aware of widespread exploitation of this issue," the company's warning read... Symantec also referenced a blog* that had posted some information about the RealPlayer vulnerability Wednesday morning..."
* http://www.infosecblog.org/2007/10/nasa-bans-ie.html
October 18, 2007 - "I heard that NASA is telling employees and contractors not to use IE due to malware affecting Internet Explorer and Real Player..."
:fear:
Real has issued a patch:
http://service.real.com/realplayer/security/191007_player/en/
AplusWebMaster
2007-10-23, 18:38
FYI...
- http://isc.sans.org/diary.html?storyid=3531
Last Updated: 2007-10-22 20:58:04 UTC
" http://www.adobe.com/support/security/bulletins/apsb07-18.html
...Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat
Release date: October 22, 2007
Vulnerability identifier: APSB07-18
CVE number: CVE-2007-5020
Platform: Windows XP (Vista users are not affected) with Internet Explorer 7 installed
> Affected software versions: Adobe Reader 8.1 and earlier, Adobe Reader 7.0.9 and earlier
> Adobe Acrobat Professional, 3D and Standard 8.1 and earlier versions, Adobe Acrobat Professional, Standard, 3D and Elements 7.0.9 and earlier"
The Acrobat patch is available here http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
The Reader patch is available here http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows ..."
.
AplusWebMaster
2007-10-23, 18:39
FYI...
- http://secunia.com/advisories/27279/
Release Date: 2007-10-23
Critical: Highly critical
Impact: Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
Software: IBM Lotus Notes 6.x, IBM Lotus Notes 7.x ...
Solution: Update to version 7.0.3 or 8.0.
NOTE: Version 8.0 does not fix the vulnerability in wp6sr.dll.
http://www-306.ibm.com/software/lotus/support/upgradecentral/index.html ...
http://www-1.ibm.com/support/docview.wss?uid=swg21271111
"...Fixed in Lotus Notes 7.0.3 / Proposed for 8.0.1..."
.
AplusWebMaster
2007-10-24, 00:22
FYI...
- http://isc.sans.org/diary.html?storyid=3537
Last Updated: 2007-10-23 20:16:52 UTC - "The vulnerability initially reported here http://isc.sans.org/diary.html?storyid=3406 and confirmed here (with workaround) http://isc.sans.org/diary.html?storyid=3477 and patched here http://isc.sans.org/diary.html?storyid=3531 now appears to have been spotted in the wild. The proof of concept code had been released, and a number of people have reported receiving the PDFs which exploit the vulnerability. Obviously please patch, apply the workarounds, and/or ensure you can detect and block the exploit. File names seen so far are 'BILL.pdf' and 'INVOICE.pdf'."
> http://forums.spybot.info/showpost.php?p=129812&postcount=17
-----------------------------------
PDF Exploit Spam Used to Install Gozi Trojan in New Attack
- http://www.secureworks.com/research/threats/gozipdf/
October 23, 2007 - "...The attachment may instead be represented by an icon used to represent PDF files. These attachments use filenames such as BILL.pdf or INVOICE.pdf, but those filenames, as well as the sender and message content itself, may change. The attached exploit may be detected by some anti-malware vendors as Downloader.PDF, Pidief.A or similar names. The exploit downloads a first-stage downloader EXE file from an RBN (Russian Business Network) server via anonymous FTP and executes it. That downloader installs a variant of the Gozi Trojan which steals data as described in the Threat Analysis posted on the SecureWorks website:
* http://www.secureworks.com/research/threats/gozi/
The latest Gozi variant (Gozi.F) installed by this exploit was detected by 26% of 32 of the largest anti-malware vendors at the time of release..."
:fear::fear:
AplusWebMaster
2007-10-25, 21:39
FYI...
- http://www.websense.com/securitylabs/blog/blog.php?BlogID=152
Oct 25 2007 - "...Most of you have heard by now San Diego and some surrounding Los Angeles areas are suffering from devastating fires. Since our headquarters is in San Diego we have certainly been affected by the fires and several employees were evacuated and some have lost homes. One very amazing thing has been the outpouring of support both locally within the communities, state-wide, and internationally. We have received several offers for people to house folks who have had to relocate and several other offers for help.
Unfortunately, as we saw with Katrina and several other emergencies, there are also criminals who attempt to take advantage of the supporters who are willing to help. Please make sure you are dealing with legitimate organizations and, if possible, contact them on your own. Be very careful of people purporting to be agencies such as the Red Cross asking for donations or requesting you to visit their websites. They may be fraudulent or hosting malicious code designed to steal information such as banking details. For example, many suspicious eBay auctions have appeared requesting donations..."
(Screenshot available at the URL above.)
AplusWebMaster
2007-10-26, 16:28
FYI...
RealPlayer/RealOne/HelixPlayer multiple vulns - update available
- http://secunia.com/advisories/27361/
Release Date: 2007-10-26
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Helix Player 1.x, RealOne Player 1.x, RealOne Player 2.x, RealPlayer 10.x, RealPlayer Enterprise 1.x ...
Solution: Update to the latest versions. Please see the vendor's advisory for details.
http://service.real.com/realplayer/security/10252007_player/en/ ..."
:fear:
AplusWebMaster
2007-10-26, 20:17
FYI...
Malicious PDF files being spammed out in volume
- http://www.f-secure.com/weblog/archives/00001303.html
October 26, 2007 - "A malicious PDF file (report.pdf or debt.2007.pdf or overdraft.2007.10.26.pdf or so) has been massively spammed through email during the last hour and the spam run is still continuing. The PDF is spiced with a CVE-2007-5020 exploit that downloads ms32.exe, which downloads more components. At this point it's not clear yet what the final payload of the malware is, because of missing files in the download chain. We are investigating further... The subjects for the spam messages include:
Your credit report
Your credit points
Your balance report
Personal Financial Statement
Personal Credit Points
Personal Balance Report
Your Credit File
Balance Report
More information in our full description*.
More on the scope of the vulnerability from a ZDNet article**."
* http://www.f-secure.com/v-descs/exploit_w32_adobereader_k.shtml
** http://blogs.zdnet.com/security/?p=614
:fear:
------------------
Adobe rdr patch info: >>> http://forums.spybot.info/showpost.php?p=129812&postcount=17
.
AplusWebMaster
2007-10-30, 12:57
FYI...
Bogus email claims to come from FTC
- http://www.ftc.gov/opa/2007/10/bogus.shtm
October 29, 2007 - "A bogus email is circulating that says it is from the Federal Trade Commission, referencing a “complaint” filed with the FTC against the email’s recipient. The email includes links and an attachment that download a virus. As with any suspicious email, the FTC warns recipients not to click on links within the email and not to open any attachments. The spoof email includes a phony sender’s address, making it appear the email is from “frauddep@ftc.gov” and also spoofs the return-path and reply-to fields to hide the email’s true origin. While the email includes the FTC seal, it has grammatical errors, misspellings, and incorrect syntax. Recipients should forward the email to spam@uce.gov and then delete it. Emails sent to that address are kept in the FTC’s spam database to assist with investigations. Simply opening the email does not appear to cause harm. However, it is likely that anyone who has opened the email’s attachment or clicked on the links has downloaded the virus on their computer, and should run an anti-virus program. The virus appears to install a “key logger” that could potentially grab passwords and account numbers..."
=======================
Malicious Code: World Bank Deception: Trojan Horse
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=812
October 29, 2007 - "Websense® Security Labs™ has discovered a new Trojan horse using real data from the World Bank. As in past targeted attacks, the samples that we have captured appear to be using names and email addresses taken from the contact pages of the legitimate site. In this case, the email body includes the name of a real World Bank employee.
The message reads:
Subject: WorldBank report
Dear Colleagues,
This three-year Country Partnership Strategy (CPS) builds on Bulgaria's considerable achievements over the last eight years .. *snipped for brevity* .. and the surveillance roles played by the International Monetary Fund (IMF) and the EU's Stability and Growth Pact upon Bulgaria's EU accession.
At the following link you'll find our report:
http : // <URL REMOVED> /
Thank you!
Best Regards,
Ivelina Taushanova
Associate Professor of Management Science
<USERNAME REMOVED> @ worldbank . org
http: // WorldBank . org
The link leads to the malicious executable WorldBank_doc_36146.txt.exe, which is displayed with the standard notepad.exe icon. Unless the user has configured Windows to explicitly show the file extension (which most people do not, since it requires changing the default configuration), there is no way to visually tell that this file is actually an executable. When run, the initial executable drops a plain text document with information from a real World Bank document, displayed in IE. Also dropped is a packed Trojan horse (bifrose) whose file name makes it appear to be an MSN Messenger plugin. When this article was created, no anti-virus vendors detected the initial executable as malicious. The initial executable downloaded by the victim does not actually make any outbound connection from the victim's desktop to obtain the two dropped files. Because both dropped files are derived from the initial executable, no suspicious network traffic is generated. The dropped Trojan horse (msnmsgr_plugin.exe) maintains a persistent connection to a host name on the dyndns.org domain..."
(Screenshot available at the URL above.)
=======================================
Malicious Code: Halloween Deception: Info Stealing Trojan
- http://www.websense.com/securitylabs/alerts/alert.php?AlertID=813
October 29, 2007 - "Websense® Security Labs™ has discovered a new Trojan Horse information stealer that is being emailed out as a Halloween Greeting Card in Mexico. To date we have seen four unique sites being spammed out, all with the same binary file. They were in Korea, Brazil, and Russia, and were all up and running at the time of this alert. The file is called "hallowenDay.exe" and has an MD5 of (65cd5a35bc70075f86cb6404f54d67b8). It is also poorly detected by anti-virus signatures. Assuming users access the site and select to run the file, a Trojan Horse is downloaded onto their machine which is designed to steal banking information from users. The file appears to also be packed with a unique custom packer. We expect to see additional email lures and malicious websites on our radar with Halloween night quickly approaching. The email is written in HTML and has a variety of subject lines..."
(Screenshot available at the URL above.)
:fear:
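A small triage check for the two disguises described in the World Bank alert above and in the earlier "mexico.exe" alert (a Windows executable served as "file56.gif"), added here as an example and not code from Websense or from the original posts: it flags a PE "MZ" header hiding under an image or text extension, and a double extension such as .txt.exe that looks like a text file when Windows hides extensions. The extension lists and the sample files are constructed for the demo.

```python
# Added example, not from the original posts. Sample files are constructed
# in a temp directory; nothing is downloaded. Extension lists are assumptions.
import os
import tempfile

# Extensions Windows will run directly (assumed list for this demo).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}
# Extensions users expect to be harmless documents or images.
BENIGN_EXTS = {".gif", ".jpg", ".png", ".txt", ".pdf", ".doc"}

def is_pe_image(path):
    """True if the file starts with the 'MZ' DOS header every Windows PE carries."""
    with open(path, "rb") as f:
        return f.read(2) == b"MZ"

def double_extension(name):
    """Return (inner, outer) for names like 'report.txt.exe', else None."""
    base, outer = os.path.splitext(name.lower())
    _, inner = os.path.splitext(base)
    if outer in EXECUTABLE_EXTS and inner in BENIGN_EXTS:
        return inner, outer
    return None

def triage(path):
    """Return a list of findings for one file; an empty list means nothing matched."""
    findings = []
    name = os.path.basename(path)
    ext = os.path.splitext(name.lower())[1]
    if double_extension(name):
        findings.append("double extension: %s" % name)
    if ext in BENIGN_EXTS and is_pe_image(path):
        findings.append("PE header under non-executable extension: %s" % name)
    return findings

def demo():
    """Write constructed samples to a temp dir, triage each, return {name: findings}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        samples = {
            "file56.gif": b"MZ\x90\x00" + b"\x00" * 60,    # EXE disguised as a GIF
            "real.gif": b"GIF89a" + b"\x00" * 16,           # genuine GIF header
            "WorldBank_doc_36146.txt.exe": b"MZ\x90\x00",   # double extension
            "notes.txt": b"just text",                      # harmless control
        }
        for name, data in samples.items():
            p = os.path.join(d, name)
            with open(p, "wb") as f:
                f.write(data)
            results[name] = triage(p)
    return results

if __name__ == "__main__":
    for name, f in demo().items():
        print(name, "->", f or "clean")
```

Run it over a quarantine or attachment directory by calling triage() on each file; a match is a reason to look closer, not proof of malice.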
AplusWebMaster
2007-10-31, 13:12
FYI...
- http://www.messagelabs.com/resources/press/6418
October 30, 2007 - "...The new data reveals that spammers have introduced MP3 music files into the expanding toolbox of stock spam techniques, with 15 million emails shaping the first spam run. Use of MP3 files is the latest tactic designed to sneak messages past spam filters and ultimately control the value of stock for nefarious reasons. On October 17, MessageLabs intercepted the first copies of an estimated 15 million email spam run which lasted 36 hours and used StormWorm infected computers to disseminate the emails...
Other report highlights:
Web Security: Analysis shows that 45.9 percent of all web based malware intercepted was new in October. MessageLabs identified approximately 1,100 -new- sites per day which harbored malware, an increase of 63 percent compared to September levels. Gambling sites appeared back in the top ten of policy-based filtering triggers and rose to fourth place for large enterprises.
Spam: In October, the global ratio of spam in email traffic from new and unknown bad sources, for which the recipient addresses were deemed valid, was 74.5 percent (1 in 1.34 emails), an increase of 1.0 percent on the previous month.
Viruses: This month, the global ratio of email-borne viruses in email traffic from new and previously unknown bad sources destined for valid recipients, was 1 in 161.5 emails (0.62 percent) in October, a decrease of 1.43 percent since the previous month. This decline is almost certainly linked with the fall in the number of Storm Worm related emails, particularly active in August and September. This takes the email virus rate to the lowest level since April 2007 when virus traffic accounted for 1 in 145.5 emails.
Phishing: October saw a decrease of 0.57 percent in the proportion of phishing attacks with one in 174.0 emails comprised of some form of phishing attack. Viewed as a proportion of all email-borne threats such as viruses and trojans, the number of phishing emails has risen by 36.8 percent to 92.8 percent of the malware threats intercepted in October, the highest level on record...
The full report is available at http://www.messagelabs.com/intelligence.aspx ..."
:fear:
AplusWebMaster
2007-10-31, 13:42
FYI...
Trick or Treat with Stormy Halloween
- http://www.f-secure.com/weblog/archives/00001304.html
October 30, 2007 - "New tactics from the Storm gang can be seen as they celebrate with Halloween... With an unpatched system, visiting the site will trigger an exploit to automatically download and execute a malicious file. The new filename is halloween.exe. We already detect this as Email-Worm.Win32.Zhelatin.LJ. This may be a Trick, and a bad Treat from the Storm gang, so remember to keep your databases updated."
(Screenshot available at the URL above.)
:fear: