Alerts


AplusWebMaster
2006-03-24, 20:57
Easily can happen when a visitor to ANY site enters the "names and e-mail addresses of...friends...". If you really want them to visit the site, just send them the URL yourself in an e-mail:

- http://www.techweb.com/article/printableArticle.jhtml?articleID=183702655&site_section=700028
March 24, 2006
"The Federal Trade Commission on Thursday nailed a spammer with a record-setting $900,000 fine for violating the CAN-SPAM Act. According to a complaint filed by the FTC, JumpStart Technologies of San Francisco, Calif. has spammed consumers since 2002, sending millions of messages disguised as personal e-mails in an attempt to hype its FreeFlixTix Web site. JumpStart, charged the FTC, collected e-mail addresses by offering free movie tickets to consumers in exchange for ratting out the names and e-mail addresses of five or more friends...
The spam scam also misled consumers who took the bait and went to FreeFlixTix, with some of the "free" ticket offers requiring credit card registration that in many cases resulted in charges made to the account. JumpStart's FreeFlixTix site is now offline..."

:(

AplusWebMaster
2007-06-20, 14:12
Notes: As always, follow "Best practice...": Keep systems updated with all current MS patches and update/check 3rd party applications [Test here: http://secunia.com/software_inspector/ ].

Hacks -will- take advantage when users don't.


:spider:

AplusWebMaster
2008-04-08, 22:14
FYI...

Malicious Flash Banner Ad - USATODAY.com
- http://securitylabs.websense.com/content/Alerts/3061.aspx
04.08.2008 - "Websense® Security Labs™ has received reports of a malicious Flash banner ad on USATODAY.com, a prominent news web site. The banner ad leads to the download of various spyware and ransomware, appearing as legit anti-virus scanners to the uninitiated... More details about this malicious binary from Microsoft:
http://www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2fRenos ..."

(Screenshots of banner ad from USATODAY at the Websense URL above.)
----------------------------

Flash Player version 9.0.124.0 released
- http://forums.spybot.info/showpost.php?p=180537&postcount=5
"...Adobe categorizes this as a -critical- update and recommends affected users upgrade to version 9.0.124.0..."

:fear::fear:

AplusWebMaster
2008-04-22, 13:48
FYI...

- http://isc.sans.org/diary.html?storyid=4319
Last Updated: 2008-04-22 00:39:28 UTC - "...“Apocalyptic NEWS Usama Ben Laden” is being SPAMMED out with malicious links in it. This is an attempt to get people to load a version of Zlob. The links... are malicious. DO NOT VISIT THEM. Here is the VirusTotal report on the malware I found there: http://www.virustotal.com/analisis/a914b92b454eff25407a61fa52af9d67 ..."
[Result: 13/32 (40.62%)]

:fear:

AplusWebMaster
2008-04-23, 06:02
FYI...

MySpace - Maximus root kit downloads...
- http://isc.sans.org/diary.html?storyid=4325
Last Updated: 2008-04-22 22:26:50 UTC - "...A reader, GreggS, provided a link to a myspace page with a specific friendid that has JavaScript that pops up a transparent background gif on top of the normal user page. The transparent background gif appears to be an Automatic Update of the Microsoft Malicious Software Removal Tool. This is likely to fool a fair amount of people.
“Clicking anywhere on the page (on large css layer on top) and your browser initiates a download session from an ftp at microsofpsupports .cn and you are asked to download and/or run (no!) the file.
The "Automatic Update" (not "Windows Update") dialog is simply a gif image.
hxxp ://img404.imageshared.cn/img/20048/removaltool6gx87.gif “
This appears to be a new version of Maximus
Virustotal results here:
http://www.virustotal.com/analisis/3a29d07603a0430a74e8aa77bc81e6bb ..."
Result: 10/32 (31.25%)

- http://isc.sans.org/diary.html?storyid=4325
Last Updated: 2008-04-23 17:56:24 UTC ...(Version: 3)
"UPDATE - Thanks to Ned who pointed out that "!Maximus" is the name of the heuristic detection engine for F-Prot (and hence Authentium) rather than the name of the rootkit."

:fear:

AplusWebMaster
2008-04-27, 17:04
FYI...

- http://isc.sans.org/diary.html?storyid=4346
Last Updated: 2008-04-26 18:23:13 UTC - "A new virus was submitted to us today by a friend of ours known as SPAM_Buster. The Spamvertized URL redirects to
hxxp ://www .tera .cartoes1.com/saudlov.scr
This thing had several download stages and to do a complete analysis could take a long time. Ultimately it is some type of spyware/Trojan. I will use VirusTotal and CWSandbox to analyze some of the binaries involved. saudlov.scr: 12/32 “recognized” it. VirusTotal results
http://www.virustotal.com/analisis/021d7c1131b1130f35051d41dfb05370 ...
CWSandbox analysis for saudlov.scr
https://cwsandbox.org/?page=details&id=220785&password=vyagd
Interesting strings in saudlov.scr:
c:\windows\mdword.exe
hxxp ://caixa .nexenservices .com/game/game01.exe
c:\windows\mdword.exe
C:\Arquivos de programas\Internet Explorer\IEXPLORE.EXE
hxxp ://www .terra .com .br/avisolegal/
Looks like it downloads game01.exe and something from
www[dot]terra[dot]com/br/avisolegal/
So I downloaded game01.exe and ran it thru VirusTotal. 1/32 “recognized” it. F-Secure called it "Suspicious:W32/Malware/Gemini"
http://www.virustotal.com/analisis/00e6839634881c4b247c0fa98332ea95 ..."
(Further analysis available at the ISC URL above)

- http://isc.sans.org/diary.html?storyid=4343
Last Updated: 2008-04-26 13:57:49 UTC - "There is something in the air at the moment... my mail box is chock-a-block full of SPAM this week... On Gmail I typically get 5-10 per week, now about 500. On my own mail the anti-SPAM throws away a few hundred per week, this week about 2000..."
(Long list available at the ISC URL above)

:fear::fear:

AplusWebMaster
2008-04-27, 17:25
FYI...

(A weekend mess/uptick of SPAM not helping any - AV's in "catch-up" mode.)

- http://mtc.sri.com/
Most Effective Antivirus Tools Against New Malware Binaries (only "Top 10" shown...)
Sat Apr 26 17:20:29 2008
detects = Antivirus system overall detection rate based on exposure to 1752 malware binaries
Rank  Detects  Missed  Analyzed  Country  Vendor
1st   95%      78      1752      AT       Ikarus Security Software
2nd   92%      133     1752      CZ       Grisoft Inc
3rd   89%      182     1752      DE       Avira
4th   89%      193     1752      RO       BitDefender Inc
5th   88%      208     1752      US       Secure Computing
6th   87%      222     1752      IN       Quick Heal Technologies
7th   83%      284     1752      NO       Norman Inc
8th   82%      309     1752      FI       F-Secure Corporation
9th   82%      310     1752      RU       Kaspersky Lab
10th  80%      334     1752      PL       GNU Open Source..."
-----^^^

More...
- http://mtc.sri.com/live_data/av_rankings/

- http://isc.sans.org/diary.html?storyid=4346
Last Updated: 2008-04-26 18:23:13 UTC

- http://isc.sans.org/diary.html?storyid=4343
Last Updated: 2008-04-26 13:57:49 UTC

- http://www.virus-radar.com/index_c168h_enu.html

:fear::fear:

AplusWebMaster
2008-04-29, 06:18
FYI...

- http://isc.sans.org/diary.html?storyid=4355
Last Updated: 2008-04-29 00:13:50 UTC - "Recently one of our readers, Doug, sent us an ASF file that does something interesting: when you open it in Windows Media Player, it will immediately launch Internet Explorer which will then prompt you to download an executable file. As I don't see this every day, I went to investigate this a bit further. According to Microsoft, the ASF file format (and possibly other formats) allows creation of a script stream. The script stream can use certain, simple, script commands in Windows Media Player. This information is available at http://msdn2.microsoft.com/en-us/library/aa390699(VS.85).aspx

Now, the malicious ASF file we received opened Internet Explorer with the URL pointing to
hxxp ://www.fastmp3player.com/affiliates/772465/1/?embedded=false.
This web site had a further 302 redirect to
hxxp: //www.fastmp3player.com/affiliates/772465/1/PLAY_MP3.exe
(both links are still working), which is some adware and is reasonably detected by 20 out of 32 AV programs on VirusTotal..."

:fear:

AplusWebMaster
2008-04-29, 19:35
FYI...

- http://msmvps.com/blogs/spywaresucks/archive/2008/04/28/1607314.aspx
April 28, 2008 11:52 PM sandi - "The malvertizements discovered on Yahoo are STILL there..."

- http://msmvps.com/blogs/spywaresucks/archive/2008/04/27/1605974.aspx
April 27, 2008 12:21 PM by sandi - "Yahoo aren't listening... And still the problems continue... I wonder how many hits Yahoo gets per day, and how many people are being exposed to fraudware, while these advertisements are allowed to remain online..."

(Screenshots available at the URLs above.)

:fear::fear:

AplusWebMaster
2008-04-30, 14:27
FYI...

- http://isc.sans.org/diary.html?storyid=4361
Last Updated: 2008-04-30 09:27:16 UTC - "Back in November last year we published a diary about Mac DNS changer malware*. The main idea about this was to make Mac users aware that the bad guys are not ignoring this platform any more... the way it was packed showed that the attackers meant real business. All the malware did was change local DNS servers to a couple of servers in a known bad network, and tell the command and control server that a new victim is ready... Only a couple of anti-virus programs detected the original sample (a DMG file). This improved a bit over time, so when I tested the sample again today on VirusTotal, 10 anti-virus programs detected it... it changes the DNS servers and reports to a C&C server. However, one thing I noticed was that the attackers started obfuscating the installation code... it was enough to fool almost *all* anti-virus programs – according to VirusTotal, this new sample was detected by only 2 (!!) AV programs... same network as before, so make sure that you are monitoring any DNS requests going there since they indicate you have infected machines on your network..."
* http://isc.sans.org/diary.html?storyid=3595
Last Updated: 2007-11-02 02:36:39 UTC ...(Version: 2) - "... This is a professional attempt at attacking Mac systems... The second thing that folks at Sunbelt noticed ( http://sunbeltblog.blogspot.com/2007/10/screenshot-of-new-mac-trojan.html ) is that when they sent a sample to VirusTotal there were 0 (zero, nada, nilch) products that detected this..."

(More detail at each URL above)

--------------------------------------
Update...

Windows-malware already exists in some ZLOB variants (fake codecs) that will attempt the DNS client hijack - one reference:
- http://ca.com/us/securityadvisor/pest/pest.aspx?id=453119651
Latest DAT Release 03 13 2008 - "This fake codec is actually a hijacker that will change your DNS settings whether you acquire your IP settings through DHCP or set your IP information manually. This hijacker will attempt to re-route all your DNS queries through 85.255.x.29 or 85.255.x.121 (RBN).... rogue DNS servers..."

-or- SpybotS&D
- http://www.safer-networking.org/en/updatehistory/2007-02-02.html
Win32.DNSChanger
- http://www.safer-networking.org/en/updatehistory/2007-03-14.html
Zlob.DNSChanger

:fear:
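The ISC advice to monitor DNS requests going to the bad network, and the 85.255.x.29 / 85.255.x.121 resolvers named in the CA advisory, turned into a small detector. This is an added example, not code from the thread or from any of the sources it quotes; the flow-log line format and the sample lines are constructed for the example and match no particular product, and the "suspect" tier for the rest of 85.255.0.0/16 is an assumption beyond the two host octets the advisory lists.

```python
import ipaddress
import re

# Rogue resolver pattern quoted from the CA advisory: 85.255.x.29 or 85.255.x.121.
# Anything else inside 85.255.0.0/16 is reported as "suspect" (assumption: the
# advisory only names the two host octets, so the wider net is lower confidence).
ROGUE_NET = ipaddress.ip_network("85.255.0.0/16")
ROGUE_HOST_OCTETS = {29, 121}

# Constructed flow-log format: "YYYY-MM-DD HH:MM:SS src:sport -> dst:dport proto"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>udp|tcp)$"
)


def classify_resolver(ip_str):
    """Return 'rogue' for 85.255.x.29 / 85.255.x.121, 'suspect' for any other
    address in 85.255.0.0/16, and None for everything else or non-IP input."""
    try:
        ip = ipaddress.ip_address(ip_str.strip())
    except ValueError:
        return None
    if ip.version != 4 or ip not in ROGUE_NET:
        return None
    # packed[-1] is the last octet of the IPv4 address.
    return "rogue" if ip.packed[-1] in ROGUE_HOST_OCTETS else "suspect"


def find_dns_hijack_victims(log_lines):
    """Walk flow-log lines and return {internal_src: {resolver_ip: label}} for
    every DNS (dst port 53) conversation with a rogue or suspect resolver.
    Lines that do not match the format are ignored rather than raising."""
    victims = {}
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if m is None or m.group("dport") != "53":
            continue
        label = classify_resolver(m.group("dst"))
        if label is None:
            continue
        victims.setdefault(m.group("src"), {})[m.group("dst")] = label
    return victims


def check_resolver_config(configured_servers):
    """Given the DNS server list a client is configured with (DHCP-supplied or
    static), return [(server, label)] for the ones that match the rogue pattern."""
    findings = []
    for server in configured_servers:
        label = classify_resolver(server)
        if label is not None:
            findings.append((server, label))
    return findings


# Constructed sample traffic: two hosts talking to rogue resolvers, one clean
# host using the internal resolver, one non-DNS flow to a rogue IP, one junk line.
SAMPLE_LOG = [
    "2008-04-30 09:01:02 192.168.1.23:51234 -> 85.255.112.29:53 udp",
    "2008-04-30 09:01:03 192.168.1.23:51235 -> 85.255.112.121:53 udp",
    "2008-04-30 09:01:05 192.168.1.40:40001 -> 192.168.1.1:53 udp",
    "2008-04-30 09:01:06 192.168.1.40:40002 -> 85.255.112.29:443 tcp",
    "2008-04-30 09:01:07 192.168.1.57:33000 -> 85.255.3.7:53 udp",
    "this line is not a flow record",
]

if __name__ == "__main__":
    for src, resolvers in find_dns_hijack_victims(SAMPLE_LOG).items():
        print(f"{src}: {resolvers}")
    print(check_resolver_config(["192.168.1.1", "85.255.112.121"]))
```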

AplusWebMaster
2008-05-02, 12:37
FYI...

PHP multiple vulns - update available
- http://secunia.com/advisories/30048/
Release Date: 2008-05-02
Critical: Moderately critical
Impact: Unknown, Security Bypass, DoS, System access
Where: From remote
Solution Status: Vendor Patch
Software: PHP 5.2.x
...The vulnerabilities are reported in versions prior to 5.2.6.
Solution: Update to version 5.2.6.
http://www.php.net/downloads.php

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2051
5/5/2008
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2050
5/5/2008
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0599
5/5/2008

:fear:

AplusWebMaster
2008-05-07, 20:46
FYI...

- http://www.finjan.com/MCRCblog.aspx?EntryId=1949
May 07, 2008 - "During our ongoing research we came up against one curious site. The site is hacking/security oriented, and is written in Russian (hmm... last time I checked it was in the Netherlands), and not significantly different from many other similar sites. The same "news" section with recent exploits. The same "articles" section with the same "How to get root on server" paper. And the forum with the common "SQL Injection FAQ" thread for newbies. What makes the difference is the "download" section.... I think it's the first time (we've seen) such a comprehensive, well arranged and recently updated collection of trojans, keyloggers, back-door web-shells and, the most interesting for us, attacker toolkits..."
(Screenshots available at the URL above.)
-----------------------------------------------

- http://www.finjan.com/Pressrelease.aspx?id...=1819&lan=3
May 6, 2008 - "Finjan... today announced its discovery of a server controlled by hackers (Crimeserver) containing more than 1.4 Gigabyte of business and personal data stolen from infected PCs. The data consisted of 5,388 unique log files. Both email communications and web-related data were among them. The compromised data came from all around the world and contained information from individuals, businesses, as well as renowned organizations, including healthcare providers. To illustrate the scope; the server contained among others 571 log files from the US, 621 from Germany (DE), 322 from France (FR), 308 from India (IN), 232 from Great Britain (GB), 150 from Spain (ES), 86 from Canada (CA), 58 from Italy (IT), 46 from the Netherlands (NL), and 1,037 from Turkey (TR). Due to the sheer impact, Finjan followed its company guidelines and promptly notified over 40 major international financial institutions located in the US, Europe and India whose customers were compromised as well as various law enforcements around the world.
The report contains examples of compromised data that Finjan found on the Crimeserver, such as:
* Compromised patient data
* Compromised bank customer data
* Business-related email communications
* Captured Outlook accounts containing email communication..."

:fear::fear:

AplusWebMaster
2008-05-08, 13:58
FYI...

Neosploit Updated to Include an Acrobat Exploit
- http://preview.tinyurl.com/6mlnq6
05-05-2008 (Symantec Security Response Blog) - "On about April 18th, Symantec's DeepSight honeypots began capturing a new iteration of the Neosploit exploit toolkit. It appears that the pervasive exploit kit has been updated to take advantage of a circa February 2008 vulnerability in Adobe Acrobat Professional and Reader. What makes this attack vector of particular concern is that it will work reasonably silently through most browsers. If a user is enticed to a hostile Web site (who knows which ones are hostile these days) using the browser of their choice, it is reasonably likely that their computer will become infected provided that they have Acrobat installed on their computer. Although the vulnerability has been patched since early February, I suspect that many users have not applied this patch yet. We highly recommend that if you haven’t done so, go and get the latest patched versions of Adobe Acrobat Reader and Professional from here: http://www.adobe.com/support/security/advisories/apsa08-01.html ..."

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2042
Last revised: 5/8/2008

Security Updates available for Adobe Reader and Acrobat 7 and 8
- http://www.adobe.com/support/security/bulletins/apsb08-13.html
"...Adobe recommends Acrobat 8 users on Windows update to Acrobat 8.1.2...
....Users with Adobe Reader 7.0 through 7.0.9, who cannot upgrade to Reader 8.1.2, should upgrade to Reader 7.1.0..."

Adobe Reader 7.1.0 released
- http://www.adobe.com/support/downloads/detail.jsp?ftpID=3952
5/7/2008 - "The Adobe® Reader® 7.1.0 update addresses a number of customer issues and security vulnerabilities..."

Release notes:
- http://kb.adobe.com/selfservice/viewContent.do?externalId=kb403541&sliceId=1

:fear:

AplusWebMaster
2008-05-10, 03:37
FYI...

- http://securitylabs.websense.com/content/Alerts/3089.aspx
05.09.2008 - "Websense... has detected malicious code hosted on China.com's game site. The malware is a variant of VBS/Redlof and is known to commonly infect files with the extension of "html", "htm", "php", "jsp", "htt", "vbs", and "asp". This malicious download (MD5: e6df57ea75a77112e94036e5138bd063) is placed in a directory that appears to be reserved for game patch downloads. This virus attempts to spread itself by infecting all outbound emails sent by the victim with MS Outlook or Outlook Express. More details on the Microsoft VM ActiveX component vulnerability (MS00-075*)..."
* http://www.microsoft.com/technet/security/bulletin/MS00-075.mspx

(Screenshot available at the Websense URL.)

:fear:

AplusWebMaster
2008-05-13, 00:30
FYI...

- http://preview.tinyurl.com/5zvnrx
May 9, 2008 (Avert Labs blog) - "Some time back we had come across this interesting vulnerability posted by a Chinese researcher in his blog, claiming to have found a zero day vulnerability in PHP 5.2.3. We got a chance to dig a bit deeper into this and were able to reproduce the vulnerability based on the information provided in the blog. After investigation, we found that this vulnerability affects not only version 5.2.3 but also version 5.2.5. It is a heap overflow which can be triggered when a web server with PHP receives a malformed URI request; it can be a simple request like "GET /index.php/aa HTTP/1.1". Successful exploitation of this can result in arbitrary code execution with the privileges of the web server... We highly recommend users to update to the latest version of PHP, 5.2.6, released*. Besides this issue, this patch fixes a host of other security-related issues, some of which we deem critical..."
* http://forums.spybot.info/showpost.php?p=188217&postcount=61

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0599
Last revised: 5/9/2008
CVSS v2 Base score: 10.0 (High)

:fear:

AplusWebMaster
2008-05-16, 19:19
- http://isc.sans.org/diary.html?storyid=4421
Last Updated: 2008-05-15 23:16:38 UTC ...(Version: 3)
- http://www.us-cert.gov/current/#debian_openssl_vulnerability
May 15, 2008
- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0166
Threatcon - Symantec
- http://www.symantec.com/security_response/threatconlearn.jsp
2008-05-16 05:28 - "ThreatCon is currently at Level 2: Elevated.
The ThreatCon is at level 2. Advisories have been released addressing an issue related to weak key generation in Debian and its variants, such as Ubuntu. Using a weak random number generator in the OpenSSL package, the system generates a weak key when installing services such as Secure Shell (SSH) and OpenVPN. To fix this issue, users are advised to apply available updates for the OpenSSL library and to regenerate all cryptographic keys generated previously by the library. Keys generated from GNUPG and GNUTLS packages are reportedly unaffected. Several tools are already available that allow a brute-force attack against the weak keys. H D Moore has released a database of all weak keys generated for a typical encryption key space:
( http://metasploit.com/users/hdm/tools/debian-openssl/ )
A script to brute-force the keys using that database has also been released on milw0rm by M. Mueller:
( http://www.milw0rm.com/exploits/5622 )
These tools could be used to bypass key-based login for shell services such as SSH. Other potential tools could be used to decrypt traffic such as login information or to forge digital signatures.
The Debian advisory addressing the issue provides information on how to tell if your system was using vulnerable keys. The following Debian and Ubuntu advisories are available:
DSA-1571-1 openssl -- predictable random number generator
( http://www.debian.org/security/2008/dsa-1571 )
USN-612-1: OpenSSL vulnerability
( http://www.ubuntu.com/usn/USN-612-1 ) ."
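The check the ThreatCon text above recommends, finding keys on the known-weak list before regenerating them, as a small audit over an authorized_keys file. This is an added example, not code from the thread, from Debian's advisory tools or from the Metasploit/milw0rm tools it mentions; the block-list format (one lowercase hex SHA-1 of the raw key blob per line) and the sample keys are constructed for this example and are not the Debian openssh-blacklist package's format.

```python
import base64
import hashlib


def make_blob(key_type, payload):
    """Constructed helper: build a base64 OpenSSH-style key blob, which is a
    length-prefixed type string followed by the key material. Real RSA blobs
    carry e and n as mpints; here placeholder bytes stand in for them."""
    t = key_type.encode("ascii")
    return base64.b64encode(len(t).to_bytes(4, "big") + t + payload).decode("ascii")


def blob_key_type(raw):
    """Read the type string embedded at the start of a decoded key blob."""
    n = int.from_bytes(raw[:4], "big")
    return raw[4:4 + n].decode("ascii", "replace")


def key_blob_fingerprint(raw):
    """Constructed block-list key: hex SHA-1 over the raw key blob."""
    return hashlib.sha1(raw).hexdigest()


def parse_authorized_keys_line(line):
    """Return (keytype, base64 blob, comment) or None for blank/comment lines.
    An optional leading options field (e.g. command="...",no-pty) is skipped
    by looking for the first token that names a key type."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    fields = line.split()
    for i, f in enumerate(fields):
        if f.startswith("ssh-") or f.startswith("ecdsa-"):
            if i + 1 < len(fields):
                return f, fields[i + 1], " ".join(fields[i + 2:])
            return None
    return None


def audit_authorized_keys(text, blocklist):
    """Return [(line_number, finding, comment)] where finding is 'weak' for a
    fingerprint on the block list, 'unparseable' for a blob that is not valid
    base64, or 'type-mismatch' when the blob's embedded type disagrees with
    the declared one. Clean keys produce no entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parsed = parse_authorized_keys_line(line)
        if parsed is None:
            continue
        keytype, blob, comment = parsed
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            findings.append((lineno, "unparseable", comment))
            continue
        if blob_key_type(raw) != keytype:
            findings.append((lineno, "type-mismatch", comment))
            continue
        if key_blob_fingerprint(raw) in blocklist:
            findings.append((lineno, "weak", comment))
    return findings


# Constructed sample keys and block list (placeholder key material, not real keys).
WEAK_BLOB = make_blob("ssh-rsa", b"\x00\x00\x00\x01\x03\x00\x00\x00\x02\x00\xfe")
GOOD_BLOB = make_blob("ssh-rsa", b"\x00\x00\x00\x03\x01\x00\x01\x00\x00\x00\x02\x00\xc9")
BLOCKLIST = {key_blob_fingerprint(base64.b64decode(WEAK_BLOB))}

SAMPLE_AUTHORIZED_KEYS = f"""# constructed sample authorized_keys
ssh-rsa {GOOD_BLOB} alice@laptop
command="/usr/bin/backup",no-pty ssh-rsa {WEAK_BLOB} backup@etch-box
ssh-rsa not!base64 broken@host
ssh-dss {GOOD_BLOB} mislabeled@host
"""

if __name__ == "__main__":
    for lineno, finding, comment in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, BLOCKLIST):
        print(f"line {lineno}: {finding} ({comment})")
```

A real audit would load the distribution's published weak-key list instead of the constructed one here and should cover host keys, user keys and any certificates or VPN keys produced on the affected systems.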

-----------

AplusWebMaster
2008-05-23, 00:49
FYI...

- http://www.us-cert.gov/current/#cisco_releases_security_advisories2
May 22, 2008 - "Cisco has released three security advisories to address multiple vulnerabilities in Cisco IOS Secure Shell, Service Control Engine, and Voice Portal. These vulnerabilities may allow an attacker to take control of the affected system or cause a denial-of-service condition. US-CERT encourages users to review the following Cisco Security Advisories and apply any necessary updates or workarounds.

* Cisco IOS Secure Shell Denial of Service Vulnerabilities
- http://www.cisco.com/en/US/products/products_security_advisory09186a008099567f.shtml
* Cisco Service Control Engine Denial of Service Vulnerabilities
- http://www.cisco.com/en/US/products/products_security_advisory09186a008099bf65.shtml
* Cisco Voice Portal Privilege Escalation Vulnerability
- http://www.cisco.com/en/US/products/products_security_advisory09186a008099beae.shtml

:fear:

AplusWebMaster
2008-05-23, 01:42
FYI...

- http://sunbeltblog.blogspot.com/2008/05/no-this-is-not-castlecops.html
May 22, 2008 - "No, this is not CastleCops
mezzicodec(dot)net masquerades as the legitimate CastleCops site... The site is mirroring, in near real-time, CastleCops. It seems to be primarily used for SEO purposes and possibly to steal valid user accounts, but could serve malware or exploits. Avoid this site."

- http://sunbeltblog.blogspot.com/2008/05/rash-of-fake-sites-copying-pc-world.html
May 22, 2008 - "As a follow-up to my post earlier today about a fake CastleCops page, there’s more to the story. There are other domains sharing the same IP (207.226.177.250):
pepato org
slim-cash com
spyware-wiper com
Cpaypal com
Crazycounter net
All are copying legitimate sites. Pepato is loading a fake dvdplanet.com page... These domains belong to the "Vladzone" malware gang. A while back, we believe that they were responsible for DDoS attacks against webhelper4u.com (Patrick Jordan, who works for Sunbelt) and spamhuntress.com — and maybe a few others. I would not visit these sites."

(Screenshots available at both Sunbeltblog URLs above.)

:fear::sad::mad::yuck:

AplusWebMaster
2008-05-27, 13:04
FYI...

- http://secunia.com/advisories/30309/
Release Date: 2008-05-22
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: IBM Lotus Sametime 7.x, IBM Lotus Sametime 8.x
...Successful exploitation may allow execution of arbitrary code.
Solution: Update to version 8.0.1 or apply hotfix ICAE-7DPP83 for Lotus Sametime 7.5.1 Cumulative Fix 1 (CF1). Contact IBM support for the patch if Sametime 7.5.1 CF1 is not deployed or if unable to update to 8.0.1.
http://preview.tinyurl.com/5s6mz9
Original Advisory:
IBM: http://www-1.ibm.com/support/docview.wss?uid=swg21303920

- http://www.us-cert.gov/current/#ibm_lotus_sametime_vulnerability
May 22, 2008

- http://isc.sans.org/diary.html?storyid=4460
Last Updated: 2008-05-26 23:54:12 UTC - "Take a look at port 1533*. That's quite an increase in targeted computers reporting via DShield over the past few days..."

* http://isc.sans.org/port.html?port=1533
"...tcp 1533 used by Lotus Sametime for chat and awareness..."

:fear:

AplusWebMaster
2008-05-28, 05:10
Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.

- http://isc.sans.org/diary.html?storyid=4465
Last Updated: 2008-05-27 18:12:46 UTC ...(Version: 2) - "A vulnerability has been reported in Adobe Flash Player versions 9.0.124.0 and older, which is the current version available...
Update1: Symantec has observed that this issue is being actively exploited in the wild and have elevated their ThreatCon*.
Update2: A SecurityFocus article is now live here**."

ThreatCon is currently at Level 2: Elevated
* http://www.symantec.com/security_response/threatconlearn.jsp
"The DeepSight ThreatCon is being raised to Level 2 in response to the discovery of in-the-wild exploitation of an unspecified and unpatched vulnerability affecting Adobe Flash Player. The flaw occurs when processing a malicious SWF file. At the time of writing, details related to this vulnerability are scarce, but Symantec Security Response has been able to trigger the flaw in some scenarios. We're currently investigating the vulnerability to uncover additional details, including the sites used to host the attack... Currently two Chinese sites are known to be hosting exploits for this flaw: wuqing17173 .cn and woai117 .cn. The sites appear to be exploiting the same flaw, but are using different payloads... Network administrators are advised to blacklist these domains to prevent clients from inadvertently being redirected to them. Further analysis into these attacks, specifically the woai117 .cn attack, uncovered another domain involved: dota11 .cn. We have discovered that this site is being actively injected into sites through what are likely SQL injection vulnerabilities. A Google search reports approximately 20,000 web pages (not necessarily distinct servers or domains) injected with a script redirecting users to this malicious site..."

** http://www.securityfocus.com/bid/29386

Malicious swf files?
- http://isc.sans.org/diary.html?storyid=4468
Last Updated: 2008-05-27 18:46:44 UTC ...(Version: 2) - "...potentially malicious site found at hxxp ://www .play0nlnie .com/pcd/topics/ff11us/20080311cPxl31/07.jpg
The JPG file is actually a script... Unknown at this time if these SWF files are related to this vulnerability."

:fear:

AplusWebMaster
2008-05-28, 12:39
FYI...

- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080527
May 27, 2008 - 11:16 PM - "...important that you make sure you have updated your Adobe Flash Player to the latest version* (9.0.124.0 at the time of this writing)... it seems that several websites are now taking advantage of a flaw in the Adobe Flash Player previously covered by CVE-2007-0071**. It appears that Symantec started noticing this activity being exploited in the wild and initially labeled it a 0-day threat as they thought it affected 9.0.124.0. However, they have since posted an update*** potentially changing this view. Both Symantec and the Internet Storm Center have posted information surrounding the vulnerability and some of the websites that are actively exploiting it. It would appear this is in fact fully patched with the latest version and is the same vulnerability described by CVE-2007-0071. We decided to look into this a bit more and see what other websites out there are exploiting this vulnerability and what they attempted to install. It did not take us long to find several other websites beyond those already mentioned. It would appear that this exploit has been pretty widely known within the Chinese community for the past two days or so... Did we mention that you should UPGRADE YOUR FLASH PLAYER (if you haven't already)? It's always a good idea to keep your software up-to-date, but it should surely be a priority to do so now..."

* http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash

** http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0071
Last revised: 4/25/2008 - "...Adobe Flash Player 9.0.115.0 and earlier..."

*** http://www.symantec.com/security_response/threatcon/index.jsp

- http://blogs.adobe.com/psirt/2008/05/potential_flash_player_issue_u_1.html
May 28, 2008 11:09AM - "...This exploit does NOT appear to include a new, unpatched vulnerability as has been reported elsewhere – customers with Flash Player 9.0.124.0 should not be vulnerable to this exploit. We’re still looking in to the exploit files, and will update everyone with further information as we get it, but for now, we strongly encourage everyone to download and install the latest Flash Player update, 9.0.124.0*..."
* http://www.adobe.com/go/getflashplayer

---------------

Retired: Adobe Flash Player SWF File Remote Code Execution Vulnerability
- http://www.securityfocus.com/bid/29386/discuss
Updated: May 28 2008 07:53PM - "...Further research indicates that this vulnerability is the same issue described in BID 28695** (Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability), so this BID is being retired."

** http://www.securityfocus.com/bid/28695/solution
"...The vendor released Flash Player 9.0.124.0 to address this issue..."

AplusWebMaster
2008-05-30, 05:47
FYI...

- http://securitylabs.websense.com/content/Alerts/3096.aspx
05.29.2008 - "Websense... has detected thousands of web sites infected with the recent mass JavaScript injection that exploits a vulnerability in Adobe Flash (CVE-2007-0071*) to deliver its malicious payload... This vulnerability is not a 0-day and users with the latest version of Flash Player (version 9.0.124.0) are safe. However, there are still many on older versions of Flash that are unaware of this mass web infection and are susceptible to this drive-by attack. An update to the latest version of Flash Player is highly recommended**.
Websense ThreatSeeker has been tracking these malicious web sites and has discovered numerous reputable web sites that are now unwilling participants, infecting their very own visitors. These sites are from various industries such as government, education, healthcare, finance, media, and entertainment. This attack also attempts to exploit other popular vulnerabilities such as MDAC, RealPlayer, and various ActiveX controls... drive-by threat... site screenshots from: Microsoft, Dept. of Education (Australia), PBS, Durex, CDC (Centers for Disease Control and Prevention), Discovery Channel, various universities and a Pakistani district government."

* http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0071
Last revised: 4/25/2008 - "...Adobe Flash Player 9.0.115.0 and earlier..."

** http://www.adobe.com/go/getflashplayer

(Screenshots available at the Websense URL above.)

:fear:

AplusWebMaster
2008-06-01, 18:47
FYI...

DHS PDF
- http://www.f-secure.com/weblog/archives/00001449.html
June 1, 2008 - "...The only information we have on this 130kB sample is that it was named f1be1cdea0bcc5a1574a10771cd4e8e8.pdf (after its MD5 hash) and that it was submitted on the 23rd of May. Looks like a Department of Homeland Security form G-325A.
Look again. What's the filename? It's -not- f1be1cdea0bcc5a1574a10771cd4e8e8.pdf. It's 0521.pdf. This is -not- the document we opened. So what happens here? Apparently this PDF has been used in a targeted attack against an unknown target. When this PDF is opened in Acrobat Reader, it uses a known exploit to drop files. Specifically, it creates two files in the TEMP folder: D50E.tmp.exe and 0521.pdf. Then it executes the EXE and launches the clean 0521.pdf file in Adobe Reader in order to fool the user that everything is all right. D50E.tmp.exe is a backdoor that creates lots of new files with innocent-sounding filenames, including:
\windows\system32\avifil16.dll
\windows\system32\avifil64.dll
\windows\system32\drivers\pcictrl.sys
\windows\system32\drivers\Nullbak.dat
\windows\system32\drivers\Beepbak.dat
The SYS component is a -rootkit- that tries to hide all this activity on the infected machine. The backdoor tries to connect to port 80 of a host called nbsstt .3322 .org. Anybody operating this machine would have full access to the infected machine. Well, 3322 .org is one of the well-known Chinese DNS-bouncers that we see a lot in targeted attacks. Does nbsstt mean something? Beats me, but Google will find a user with this nickname posting to several Chinese military-related web forums, such as bbs .cjdby .net. Where does nbsstt .3322 .org point to? IP address 125.116.97.19 is in Zhejiang, China. And it's live right now, answering requests at port 80."

(Screenshots available at the URL above.)

:fear:

AplusWebMaster
2008-06-08, 13:12
FYI...

- http://www.skype.com/security/skype-sb-2008-003.html
Impact: Exploitation of this issue allows an attacker to execute arbitrary code on the targeted victim's machine. An attacker would need to construct a malicious file: URI and send it to the intended victim. Upon clicking the link execution of arbitrary code on the victim's machine will be possible.
Affected software: ...The following Skype clients are vulnerable to this attack:
Skype for Windows: All releases prior to and including 3.8.*.115
Solution: Skype has fixed the vulnerability in version 3.8.0.139
Download:
x86 platform, Microsoft Windows 2000 or Microsoft Windows XP: http://www.skype.com/download/skype/windows/
x86 platform, Linux: http://www.skype.com/download/skype/linux/
PPC and x86 platforms, Mac OS X v10.3.9 or later: http://www.skype.com/download/skype/macosx/
Pocket PC platform, Microsoft Windows Mobile 2003: http://www.skype.com/download/skype/pocketpc/

> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1805
Original release date: 6/6/2008

:fear:

AplusWebMaster
2008-06-24, 12:29
FYI...

Security Update available for Adobe Reader and Acrobat 8.1.2
- http://www.adobe.com/support/security/bulletins/apsb08-15.html
Release date: June 23, 2008
Vulnerability identifier: APSB08-15
CVE number: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2641
Platform: All platforms
Affected software versions:
* Adobe Reader 8.0 through 8.1.2
* Adobe Reader 7.0.9 and earlier
* Adobe Acrobat Professional, 3D and Standard 8.0 through 8.1.2
* Adobe Acrobat Professional, 3D and Standard 7.0.9 and earlier
NOTE: Adobe Reader 7.1.0 and Acrobat 7.1.0 are not vulnerable to this issue. Adobe Reader 9 and Acrobat 9, expected to be available by July 2008, are also not vulnerable to this issue.

Summary:
A critical vulnerability has been identified in Adobe Reader and Acrobat 8.1.2. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe recommends users of Acrobat 8 and Adobe Reader install the 8.1.2 Security Update 1 patch.

Solution:
Acrobat 8 and Adobe Reader: Adobe recommends Adobe Reader 8 users update to Adobe Reader 8.1.2 Security Update 1, available at the links below:
For Windows: http://www.adobe.com/support/downloads/detail.jsp?ftpID=3967
For Macintosh: http://www.adobe.com/support/downloads/detail.jsp?ftpID=3966
Adobe recommends Acrobat 8 users on Windows update to Acrobat 8.1.2 Security Update 1, available here: http://www.adobe.com/support/downloads/detail.jsp?ftpID=3976
Adobe recommends Acrobat 8 users on Macintosh update to Acrobat 8.1.2 Security Update 1, available here: http://www.adobe.com/support/downloads/detail.jsp?ftpID=3977
Adobe recommends Acrobat 3D Version 8 users on Windows update to Acrobat 3D Version 8.1.2 Security Update 1, available here: http://www.adobe.com/support/downloads/detail.jsp?ftpID=3975
Users with Adobe Reader 7.0 through 7.0.9 should upgrade to Adobe Reader 7.1.0: http://www.adobe.com/go/getreader.
Acrobat 7
Adobe recommends Acrobat 7 users on Windows update to Acrobat 7.1.0, available here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
Adobe recommends Acrobat 7 users on Macintosh update to Acrobat 7.1.0, available here: http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh

Severity rating:
Adobe categorizes this as a critical issue and recommends affected users update their installations...
NOTE: there are reports that this issue is being exploited in the wild..."

- http://blog.trendmicro.com/pdf-exploit-causes-bsod/
June 25, 2008 - "...According to the Adobe Security Bulletin on this issue*, the vulnerability exists in Adobe Reader 7.0.9 and earlier versions, 8.0 to 8.1.2, and in Adobe Acrobat 7.0.9 and earlier versions, 8.0 to 8.1.2... As of the most recent testing, TROJ_PIDIEF.AC is observed to download an info-stealer (mostly monitoring and gathering information about running processes, installed programs and system information) and a spammer which connects the compromised PC to a botnet. The common danger faced by users who encounter downloaders: you never really know what you’re going to get. Since malware writers have continuous access to the URL, they can update the downloaded file with different or more damaging payloads..."
* http://www.adobe.com/support/security/bulletins/apsb08-15.html
---

Adobe Reader patch, now you see it, now you don't
- http://news.cnet.com/8301-13554_3-9979638-33.html
June 27, 2008

:fear:

AplusWebMaster
2008-06-27, 12:55
FYI...

- http://blogs.zdnet.com/security/?p=1356
June 26, 2008 - "What happens when the official domain names of the organizations that issue the domain names in general, and provide all the practical guidance on how (to) prevent DNS hijacking, end up having their own domain names hijacked? A wake up call for the Internet community. The official domains of ICANN, the Internet Corporation for Assigned Names and Numbers, and IANA, the Internet Assigned Numbers Authority were hijacked earlier today... NetDevilz left the following message on all of the domains:
“You think that you control the domains but you don’t! Everybody knows wrong. We control the domains including ICANN! Don’t you believe us? haha ... (Lovable Turkish hackers group)”..."
- http://www.zone-h.org/content/view/14973/30/
27 June 2008 - "...Hijacked domains include "icann.com", "icann.net", "iana.com" and "iana-servers.com". We reached the defacers by email but they refused to tell us how they changed the DNS records, however a cross-site scripting or cross-site request forgery vulnerability might have been exploited..."

(Screenshots available at the ZDnet URL above.)

:fear::spider::fear:

AplusWebMaster
2008-07-09, 14:38
FYI...

- http://www.securityfocus.com/news/11526
2008-07-08 - "...The CERT vulnerability note* describing the issue lists more than 90 software developers and network equipment vendors that may be affected by the issue...Internet service providers and companies each received the fix on Tuesday... The goal: To have every major service provider and company apply their software patches in 30 days..."

* U.S.CERT: http://www.kb.cert.org/vuls/id/800113

- http://isc.sans.org/diary.html?storyid=4687
Last Updated: 2008-07-08 23:09:39 UTC ...(Version: 4)

Microsoft MS08-037: http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspx
Internet Software Consortium (BIND): http://www.isc.org/sw/bind/bind-security.php ...

DNSSEC Overview: http://www.dnssec.org
DNSSEC Deployment Initiative: http://www.dnssec-deployment.org
DNSSEC HowTo: http://www.nlnetlabs.nl/dnssec_howto

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1447
7/8/2008
- http://www.us-cert.gov/cas/techalerts/TA08-190B.html
7/8/2008

DNS Checker:
- http://www.doxpara.com/?p=1162
Dan Kaminsky - July 9, 2008

:fear:

AplusWebMaster
2008-07-10, 16:57
FYI...

* http://download.zonealarm.com/bin/free/pressReleases/2008/LossOfInternetAccessIssue.html
Last Revised: 9 July 2008
"Overview: Microsoft Update KB951748 [MS08-037] is known to cause loss of internet access for ZoneAlarm users on Windows XP/2000. Windows Vista users are not affected.
Impact: Sudden loss of internet access
Platforms Affected: ZoneAlarm Free, ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Anti-Spyware, and ZoneAlarm Security Suite ...
Recommended Actions:
Download and install the latest versions which solve the loss of internet access problem here*..."

//

AplusWebMaster
2008-07-16, 15:40
FYI...

Oracle Critical Patch Update Advisory - July 2008
- http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
2008-JUL-15 - Initial release
"...Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible..."

- http://isc.sans.org/diary.html?storyid=4732
Last Updated: 2008-07-15 20:45:56 UTC ...(Version: 2) - "...first time patches for BEA, Hyperion and TimesTen technology are included in the release. If you are running software from these recently-acquired vendors, please be aware..."

- http://www.us-cert.gov/current/#oracle_releases_critical_patch_update3
July 15, 2008 - "Oracle has released their Critical Patch Update for July 2008 to address 45 vulnerabilities across several products. This update contains the following security fixes:
* 11 updates for Oracle Database
* 3 updates for Times Ten In-Memory Database
* 9 updates for Oracle Application Server
* 6 updates for Oracle E-Business Suite and Applications
* 2 updates for Oracle Enterprise Manager
* 7 updates for Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne
* 7 updates for BEA Product Suite ..."

:fear::spider:

AplusWebMaster
2008-07-22, 16:38
RE: http://forums.spybot.info/showpost.php?p=210672&postcount=77

FYI... http://isc.sans.org/diary.html?storyid=4765
Last Updated: 2008-07-22 11:01:30 UTC - "It seems the cat might be out of the bag regarding Dan Kaminsky's upcoming presentation at Blackhat. Since this now means the bad guys have access to it at will - I found the speculations using Google, I'm sure they have done so already, the urgency of patching your recursive DNS servers just increased significantly..."

- http://preview.tinyurl.com/64wtnc
July 21, 2008 (Computerworld)

- http://www.us-cert.gov/current/#dns_implementations_vulnerable_to_cache
updated July 22, 2008 - "...UPDATE: Technical details regarding this vulnerability have been posted to public websites. Attackers could use these details to construct exploit code. Users are encouraged to patch vulnerable systems immediately..."

- http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1447
CVSS v2 Base score: 7.5 (High)

:fear:

AplusWebMaster
2008-07-24, 14:10
FYI...

- http://securitylabs.websense.com/content/Alerts/3139.aspx
07.23.2008 - "...At time of this alert, an exploit targeting this flaw has been added to Metasploit, an open source penetration testing tool that is free and publicly available. The US-CERT advisory also makes the several important “DNS best practices” recommendations. Please reference the advisory for complete details. http://www.kb.cert.org/vuls/id/800113 "

- http://www.microsoft.com/technet/security/Bulletin/MS08-037.mspx
Revisions
• V2.1 (July 23, 2008): Affected Software table revised to add MS06-064, MS07-062, and MS08-001 as bulletins replaced by this update.

//

AplusWebMaster
2008-07-24, 17:42
FYI...

DNS Exploit in the Wild...
- http://isc.sans.org/diary.html?storyid=4765
Last Updated: 2008-07-24 13:15:25 UTC ...(Version: 6) - "... A second module has been released for domains, which replaces the nameservers of the target domain. Unlike the first module which will not replace a cached entry, this exploit will do cache overwrites.
See http://blog.wired.com/27bstroke6/2008/07/dns-exploit-in.html
...Emerging Threats is offering a freely available snort signature* for DNS servers. As always, test before using in critical production environments."

* http://www.emergingthreats.net/content/view/87/1/
24 July 2008

:fear:

AplusWebMaster
2008-07-25, 15:23
FYI...

- http://www.theregister.co.uk/2008/07/25/isps_slow_to_patch/
25 July 2008 - "More than two weeks after security researchers warned of a critical defect in the net's address lookup system, some of the world's biggest internet service providers - including AT&T, BT, Time Warner and Bell Canada - have yet to install a patch inoculating their subscribers against attacks. According to an informal survey of Register readers, 15 ISPs failed the "Check my DNS" test*... Now that attack code exploiting the vulnerability has been leaked into the wild, millions of subscribers are at risk of being silently redirected to impostor sites that try to install malware or steal sensitive information. Comcast and Plusnet were the only two ISPs we found that weren't vulnerable... Subscribers of ISPs that are still vulnerable ought to hardwire an alternate DNS server into their operating system. We're partial to OpenDNS**. They've been vulnerability free... Other ISPs that were reported vulnerable include: Skybroadband, Carphone Warehouse Broadband, Opal Telecom, T-Mobile, Videotron Telecom, Roadrunner, Orange, Enventis Telecom, Earthlink, Griffin Internet and Jazztel. Demon Internet was reported as potentially being vulnerable..."

* http://www.doxpara.com/

** http://opendns.org/

:fear:

AplusWebMaster
2008-07-26, 12:59
FYI...

- http://db.tidbits.com/article/9706
24 Jul 2008 - "...Apple has yet to patch this vulnerability, which affects both Mac OS X and Mac OS X Server. While individual computers that look up DNS are vulnerable, servers are far more at risk due to the nature and scope of the attack. Apple uses the popular Internet Systems Consortium BIND DNS server which was one of the first tools patched, but Apple has yet to include the fixed version in Mac OS X Server, despite being notified of vulnerability details early in the process and being informed of the coordinated patch release date. All users of Mac OS X Server who use it for recursive DNS must immediately switch to an alternative* or risk being compromised and traffic being redirected..."

Apple server alternative:
* https://www.opendns.com/start?device=apple-osx-server

Apple client alternatives:
* OS X Leopard: https://www.opendns.com/start?device=apple-osx-leopard
* OS X Tiger: https://www.opendns.com/start?device=apple-osx-tiger
* OS 9: https://www.opendns.com/start?device=apple-os9

:fear:

AplusWebMaster
2008-07-30, 00:13
FYI...

- http://www.securityfocus.com/brief/783
2008-07-28 - "A group of security researchers demonstrated on Monday one way to use the recent domain-name service (DNS) security issue to compromise computers by redirecting insecure update services to fake servers that install malicious code instead. The attack tool - dubbed Evilgrade by its creators at non-profit Infobyte Security Research - will enable penetration testers to exploit computers using the automated update feature of Sun Microsystems' Java, Winzip, Winamp, Mac OS X, OpenOffice, iTunes, Linkedin Toolbar, DAP, Notepad++, and Speedbit, according to the group*..."
* http://blog.metasploit.com/2008/07/evilgrade-will-destroy-us-all.html

:fear:

AplusWebMaster
2008-07-30, 13:30
FYI...

DNS patches cause problems...
The patches have caused slowdowns in servers running BIND and have crippled some machines running Windows Server
- http://preview.tinyurl.com/65ujxu
July 29, 2008 (Infoworld) - "Patches released earlier this month to quash a critical bug in the DNS (Domain Name System) have slowed servers running BIND (Berkeley Internet Name Domain), the Internet's most popular DNS software, and crippled some systems versions of Windows Server. Paul Vixie, who heads the Internet Systems Consortium (ISC), the group responsible for the BIND software, acknowledged issues with the July 8 fix that was rolled out... Vixie wasn't specific about the extent of the performance problems facing high-volume DNS servers, but said that a second round of patches, due later this week, will remedy port allocation issues and "allow TCP queries and zone transfers while issuing as many outstanding UDP queries as possible." Versions of the second update, which will be designated P2 when they're unveiled, are currently available in beta form for BIND 9.4.3* and BIND 9.5.1**...
ISC wasn't the only vendor involved in first-round DNS patching that has issued a mea culpa. Two weeks ago, Microsoft confirmed that the July 8 DNS update, tagged as MS08-037, was crippling machines running Windows Small Business Server, a suite based on, among other programs, Windows Server 2003... Last Friday, the company unveiled a pair of support documents that spelled out the patch's unintended side effects, but also added Exchange Server 2003 and Internet Security and Acceleration (ISA) Server to the affected list***. A second issue involves every supported version of Windows, ranging from Windows 2000, XP and Vista to Server 2003 and Server 2008.****..."

* http://www.isc.org/sw/bind/view?release=9.4.3b2

** http://www.isc.org/sw/bind/view?release=9.5.1b1

*** http://support.microsoft.com//kb/956189
Last Review: July 25, 2008 - Revision: 1.0

**** http://support.microsoft.com/kb/956188
Last Review: July 25, 2008 - Revision: 1.1

:fear:

AplusWebMaster
2008-08-01, 12:51
FYI...

Apple Security Update 2008-005...
- http://isc.sans.org/diary.html?storyid=4810
Last Updated: 2008-08-01 08:27:35 UTC - "Apple released their patch overnight... Most importantly it contains the workaround for the DNS bug CVE-2008-1447. Also included is an upgrade to PHP 5.2.6 (which was released in source code at http://www.php.net/ on May 1st). Seems we all need to urge Jobs' gang to release patches significantly faster: it's the price to pay to base parts of your system on open source code. Apple Mac OS X users get it through software update. As always it's one big patch, given that little choice, you'll want to PATCH NOW."

- http://support.apple.com/kb/HT2647
August 01, 2008

- http://www.apple.com/support/downloads/
07/31/2008

- http://secunia.com/advisories/31326/
Release Date: 2008-08-01
Critical: Highly critical
Impact: Security Bypass, Spoofing, Privilege escalation, DoS, System access
Where: From remote
Solution Status: Vendor Patch
OS: Apple Macintosh OS X ...
Solution: Apply Security Update 2008-005...

---

- http://isc.sans.org/diary.html?storyid=4810
Last Updated: 2008-08-01 20:06:50 UTC ...(Version: 3) "...UPDATE ...Apple might have fixed some of the more important parts for servers, but is far from done yet as all the clients linked against a DNS client library still need to get the workaround for the protocol weakness..."

---

Web-based DNS Randomness Test
- https://www.dns-oarc.net/oarc/services/dnsentropy

:fear:

AplusWebMaster
2008-08-02, 16:01
FYI...

BIND: -P2 patches are released
- http://isc.sans.org/diary.html?storyid=4816
Last Updated: 2008-08-02 11:12:39 UTC - "As expected, the Internet Systems Consortium released patches today addressing stability and performance issues some of those having significant load on their systems were struggling with.
* BIND 9.5.0-P2: http://www.isc.org/sw/bind/view/?release=9.5.0-P2
* BIND 9.4.2-P2: http://www.isc.org/sw/bind/view/?release=9.4.2-P2
* BIND 9.3.5-P2: http://www.isc.org/sw/bind/view/?release=9.3.5-P2 ..."

:fear:

AplusWebMaster
2008-08-03, 14:01
For the end-user, to recap all this, IMHO, the bottom line is here:

Web-based DNS Randomness Test
- https://www.dns-oarc.net/oarc/services/dnsentropy
Test My DNS

...and if you still have problems, go here and DO IT:
- http://www.opendns.com/


.

AplusWebMaster
2008-08-07, 02:57
FYI...

- http://securitylabs.websense.com/content/Alerts/3151.aspx
08.06.2008 - "Websense... has discovered that a CNET Networks <http://www.cnet.com/about/?tag=ft> site has been compromised. The main page of the CNET Clientside Developer Blog contains malicious JavaScript code that de-obfuscates into an iframe that loads its primary malicious payload from a different host.

The malicious code is observed to exploit a known integer overflow vulnerability in Adobe Flash ( http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0071 ). At the time of this alert, the site is still hosting the malicious code. Visitors who are not patched against this vulnerability will be infected without any user interaction.
Software vulnerable to this attack includes:
- Adobe, Flash Player, 9.0.115.0*, and previous
- Adobe, Flex, 3.0
- Adobe, AIR, 1.0 ..."

(Screenshot available at the Websense URL above.)

* http://www.adobe.com/go/getflashplayer
Current Adobe Flash Player version 9.0.124.0

:fear::spider:

AplusWebMaster
2008-08-20, 00:34
FYI...

- http://securitylabs.websense.com/content/Alerts/3163.aspx
08.19.2008 - "Websense... has detected that the DNS cache on the default DNS server used by the customers of China Netcom (CNC) has been poisoned. When China Netcom customers mistype and enter an invalid domain name, the poisoned DNS server directs the visitor's browser to a page that contains malicious code. China Netcom is among the top ISPs in that country.
When users mistype a domain name, they are sometimes directed by their ISPs to a placeholder Web site with generic advertisements. This is typically an additional revenue source for the ISP. In the case of CNC, customers of this prominent ISP are directed to a Web site under the control of an attacker. These malicious sites contain an iframe with malicious code that attempts to exploit, among other applications and plug-ins, the Microsoft Snapshot Viewer vulnerability... The malicious iframe points to a server in China hosting exploits for RealPlayer, MS06-014, MS Snapshot Viewer and Adobe Flash player..."

(Screenshots available at the URL above.)

:fear::fear:

AplusWebMaster
2008-08-22, 20:04
FYI...

- http://isc.sans.org/diary.html?storyid=4919
Last Updated: 2008-08-22 14:51:00 UTC - "A RedHat list post* acknowledges that last week "some Fedora servers were illegally accessed. The intrusion into the servers was quickly discovered, and the servers were taken offline. Security specialists and administrators have been working since then to analyze the intrusion and the extent of the compromise as well as reinstall Fedora systems".
* https://www.redhat.com/archives/fedora-announce-list/2008-August/msg00012.html

===

- http://isc.sans.org/diary.html?storyid=4921
Last Updated: 2008-08-22 15:45:39 UTC ...(Version: 2) - "...RedHat has released "shell script* which lists the affected packages and can verify that none of them are installed on a system".
* http://www.redhat.com/security/data/openssh-blacklist.html

:fear::fear:

AplusWebMaster
2008-08-27, 03:38
FYI...

- http://isc.sans.org/diary.html?storyid=4937
Last Updated: 2008-08-26 21:52:26 UTC - "...Sources of compromised keys could include the weak key vulnerability in Debian-based systems a few months ago, so if you haven't updated and replaced those keys, you ought to do so now. The biggest defense is to have any keys, especially those used to authenticate to remote machines and certainly internet facing ones, require a passphrase to use. Check your logs, especially if you use SSH key-based auth, to identify accesses from remote machines that have no business accessing you. If you have IPs, that would be good. To detect if you have Phalanx2, look for /etc/khubd.p2/ (access by cd, not ls) or any directory that is called "khubd.p2". /dev/shm/ may contain files from the attack as well. Tripwire, AIDE and friends should also be able to detect filesystem changes."

- http://www.us-cert.gov/current/#ssh_key_based_attacks
August 26, 2008 - "US-CERT is aware of active attacks against linux-based computing infrastructures using compromised SSH keys. The attack appears to initially use stolen SSH keys to gain access to a system, and then uses local kernel exploits to gain root access. Once root access has been obtained, a rootkit known as "phalanx2" is installed.
Phalanx2 appears to be a derivative of an older rootkit named "phalanx". Phalanx2 and the support scripts within the rootkit, are configured to systematically steal SSH keys from the compromised system. These SSH keys are sent to the attackers, who then use them to try to compromise other sites and other systems of interest at the attacked site. Detection of phalanx2 as used in this attack may be performed as follows:
* "ls" does not show a directory "/etc/khubd.p2/", but it can be entered with "cd /etc/khubd.p2".
* "/dev/shm/" may contain files from the attack.
* Any directory named "khubd.p2" is hidden from "ls", but may be entered by using "cd".
* Changes in the configuration of the rootkit might change the attack indicators listed above. Other detection methods may include searching for hidden processes and checking the reference count in "/etc" against the number of directories shown by "ls".

US-CERT encourages administrators to perform the following actions to help mitigate the risks:
* Proactively identify and examine systems where SSH keys are used as part of automated processes. These keys will typically not have passphrases or passwords.
* Encourage users to use the keys with passphrase or passwords to reduce the risk if a key is compromised.
* Review access paths to internet facing systems and ensure that systems are fully patched.

If a compromise is confirmed, US-CERT recommends the following actions:
* Disable key-based SSH authentication on the affected systems, where possible.
* Perform an audit of all SSH keys on the affected systems.
* Notify all key owners of the potential compromise of their keys.
US-CERT will provide additional information as it becomes available."

:fear::mad::fear:
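The two Phalanx2 indicators US-CERT lists above (a directory that "cd" enters but "ls" omits, and an "/etc" reference count that disagrees with the directories a listing shows) as a script. This is an added example, not part of the US-CERT note or the ISC diary; it assumes GNU "stat -c %h" and a filesystem whose directory link count is 2 + the number of subdirectories (ext2/3/4, xfs, tmpfs); btrfs and overlayfs report 1 and get an "unknown" verdict rather than a false alarm.

```shell
#!/bin/sh
# Added example, not part of the US-CERT note or the ISC diary quoted above.
# Two cheap checks for directories hidden from "ls", the Phalanx2 indicator the
# advisory describes: (1) a link-count cross-check of a directory against the
# subdirectories a listing reveals, (2) a "cd works but ls omits it" probe.
# Assumptions: POSIX sh, GNU "stat -c %h", and a filesystem where a directory's
# link count is 2 + its number of subdirectories (ext2/3/4, xfs, tmpfs).
# btrfs and overlayfs report 1 for directories and yield "unknown" instead.

# Pure comparison used by check_hidden_dirs; nlink is the directory's hard-link
# count, visible the number of subdirectories a listing shows.
# Prints ok, hidden or unknown.
compare_counts() {
    nlink=$1
    visible=$2
    if [ "$nlink" -lt 2 ]; then
        echo unknown      # this filesystem does not encode subdirs in nlink
    elif [ $((nlink - 2)) -gt "$visible" ]; then
        echo hidden       # the kernel knows more subdirs than readdir returned
    else
        echo ok
    fi
}

# Count subdirectories (dot-names included, symlinks excluded) that readdir
# reveals; a hooked readdir is exactly what would undercount here.
visible_subdirs() {
    dir=$1
    n=0
    for entry in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        [ -d "$entry" ] && [ ! -L "$entry" ] && n=$((n + 1))
    done
    echo "$n"
}

# Cross-check one directory's link count against the visible subdirectories.
check_hidden_dirs() {
    dir=$1
    nlink=$(stat -c %h "$dir" 2>/dev/null) || { echo unknown; return; }
    compare_counts "$nlink" "$(visible_subdirs "$dir")"
}

# Probe one name the way the advisory suggests: chdir succeeds while the
# listing omits it. Prints hidden, visible or absent.
probe_hidden_dir() {
    parent=$1
    name=$2
    if ( cd "$parent/$name" 2>/dev/null ); then
        if ls -a "$parent" 2>/dev/null | grep -qxF -- "$name"; then
            echo visible
        else
            echo hidden
        fi
    else
        echo absent
    fi
}

# When run directly as phalanx2_check.sh, apply both checks to /etc.
if [ "${0##*/}" = "phalanx2_check.sh" ]; then
    echo "/etc link-count check: $(check_hidden_dirs /etc)"
    echo "/etc/khubd.p2 probe:   $(probe_hidden_dir /etc khubd.p2)"
fi
```

As the advisory notes, a reconfigured rootkit can change these indicators, so treat a "hidden" verdict as a reason to examine the host offline, and an "ok" as nothing more than one indicator absent.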

AplusWebMaster
2008-09-08, 20:02
FYI...

- http://preview.tinyurl.com/5e65le
September 5, 2008 (Computerworld) - "...Symantec urged users* of Norton Internet Security 2008 to first update to Version 15.5, which in turn would allow them to download and install a Firefox 3.0 compatibility update. A separate Firefox 3.0 compatibility patch is available for Norton 360**. Both patches can be obtained by launching Symantec's Live Update feature from within the security applications. This wouldn't be the first time that Symantec's Norton software has created problems for other vendors.."

* http://community.norton.com/norton/board/message?board.id=nis_feedback&thread.id=3365

** http://community.norton.com/norton/board/message?board.id=Norton_360&thread.id=1475

:thud: :sad:

AplusWebMaster
2008-09-12, 18:00
FYI...

Vista 'BSOD' caused by iTunes 8.0
- http://preview.tinyurl.com/4xaol6
September 11, 2008 (Computerworld) - "Apple Inc.'s latest version of iTunes crashes Windows Vista when an iPod or iPhone is connected to the PC, scores of users have reported on Apple's support forum..."


:fear:

AplusWebMaster
2008-09-25, 06:30
FYI...

Cisco - multiple alerts
- http://www.us-cert.gov/current/#cisco_releases_security_alerts
September 24, 2008 - "Cisco has released multiple security alerts to address vulnerabilities in the Unified Communications Manager and IOS. These vulnerabilities may allow a remote unauthenticated attacker to cause a denial-of-service condition, obtain sensitive information, or operate with escalated privileges..."

Direct links available here:
- http://www.cisco.com/en/US/products/products_security_advisories_listing.html
(See those dtd. 24-Sept-2008)

Cisco IOS multiple vulnerabilities
- http://secunia.com/advisories/31990/
Release Date: 2008-09-25
Critical: Moderately critical

ISC analysis
- http://isc.sans.org/diary.html?storyid=5078
Last Updated: 2008-09-26 03:16:41 UTC

:fear:

AplusWebMaster
2008-09-26, 17:42
FYI...

- http://www.us-cert.gov/current/#adobe_pdf_exploit_toolkits_circulating
September 25, 2008 - "US-CERT is aware of public reports* of improved attack toolkits for exploiting vulnerabilities in PDF reader software..."

* http://www.trustedsource.org/blog/153/Rise-Of-The-PDF-Exploits
September 22, 2008 - "...Secure Computing... spotted a new and yet unknown exploit toolkit which exclusively targets Adobe's PDF format. This toolkit is dubbed the "PDF Xploit Pack"... This new toolkit targets only PDFs, no other exploits are used to leverage vulnerabilities. Typical functions like caching the already infected users are deployed by this toolkit on the server-side. Whenever a malicious PDF exploit is successfully delivered, the victim's IP address is remembered for a certain period of time. During this "ban time" the exploit is not delivered to that IP again, which is another burden for incident handling. Other existing toolkits have also been enhanced with PDF exploits lately..."

** http://www.trustedsource.org/blog/118/Recent-Adobe-Reader-vulnerability-exploited-in-the-wild
"...users should make sure to upgrade to Adobe Reader 8.1.2*** as soon as possible..."
*** http://www.adobe.com/support/security/#readerwin

:fear:

AplusWebMaster
2008-10-10, 18:07
FYI...

- http://www.ftc.gov/bcp/edu/pubs/consumer/alerts/alt089.shtm
October 2008 - "If the recent changes in the financial marketplace have you confused, you’re not alone. The financial institution where you did business last week may have a new name today, and your checks and statements may come with a new look tomorrow. A new lender may have acquired your mortgage, and you could be mailing your payments to a new servicer. Procedures for the banking you do online also may have changed. According to the Federal Trade Commission (FTC), the nation’s consumer protection agency, the upheaval in the financial marketplace may spur scam artists to phish for your personal information.
Phishers may send attention-getting emails that look like they’re coming from the financial institution that recently acquired your bank, savings and loan, or mortgage. Their intent is to collect or capture your personal information, like your credit card numbers, bank account information, Social Security number, passwords, or other sensitive information. Their messages may ask you to “update,” “validate,” or “confirm” your account information..."

(More detail at the URL above.)

:fear::fear:

AplusWebMaster
2008-11-07, 18:54
FYI... http://isc.sans.org/diary.html?storyid=5312
Last Updated: 2008-11-07 15:54:09 UTC - "...at the time of writing this article, according to VirusTotal 0 (yes – ZERO) AV products detected this malicious PDF. Very, very bad. The payload is in a JavaScript object embedded in the PDF document... if you haven't patched your Adobe Reader installations – do it ASAP as the attacks are in the wild."
---

Security Update available for Adobe Reader 8 and Acrobat 8
- http://www.adobe.com/support/security/bulletins/apsb08-19.html
Release date: November 4, 2008
Vulnerability identifier: APSB08-19 ...
Platform: All Platforms
Summary:
Critical vulnerabilities have been identified in Adobe Reader and Acrobat 8.1.2 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe Reader 9 and Acrobat 9 are -not- vulnerable to these issues.
Adobe recommends users of Acrobat 8 and Adobe Reader 8 who can’t update to Adobe Reader 9 install the 8.1.3 update to protect themselves from potential vulnerabilities...

Adobe Reader:
> Adobe recommends Adobe Reader users update to Adobe Reader 9, available here:
http://www.adobe.com/go/getreader [AdbeRdr90_en_US.exe]
> Users with Adobe Reader 8.0 through 8.1.2, who can’t update to Adobe Reader 9, should update to Adobe Reader 8.1.3:
http://www.adobe.com/products/acrobat/readstep2_allversions.html [AdbeRdr813_en_US.exe] ..."

- http://secunia.com/advisories/29773
Last Update: 2008-11-05
Critical: Highly critical
Impact: Privilege escalation, System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe Acrobat 3D 8.x, Adobe Acrobat 8 Professional, Adobe Acrobat 8.x, Adobe Reader 8.x
Solution: Upgrade to version 9 or update to version 8.1.3...

:fear::fear:

---
If you were thinking of replacing your Adobe Reader with Foxit, -now- would be the time...

Adobe Reader v9... 33.5MB
- http://www.adobe.com/go/getreader
-OR-
- http://www.foxitsoftware.com/downloads/
Latest version: Foxit Reader 2.3 (.exe) 2.3 Build 3309 - 2.57 MB - 10/14/08

- http://asert.arbornetworks.com/2008/11/pdf-exploit-in-the-wild-and-how-to-decode/
November 7th, 2008 - "...We keep seeing Acrobat get hosed with JS exploits, this won't be the last time."

:wink:

AplusWebMaster
2008-11-11, 23:32
More PDF exploits...

- http://blog.trendmicro.com/adobe-reader-vulnerability-actively-being-exploited/
Nov. 11, 2008 - "Several active exploits targeting a vulnerability in Adobe Reader are now in the wild... Users with unpatched Adobe Reader software may be infected when they unknowingly access a certain remote website or are redirected there from malicious banners and ads. Upon execution, TROJ_PIDIEF.CB could crash Reader and then allow a malicious user to take control of an affected system. This compromises system security and exposes it to more threats as malicious users could easily dump adware and malicious programs..."

:fear::spider:

AplusWebMaster
2008-11-18, 13:26
FYI...

Adobe Reader v9 users w/AIR v1.1 installed
- http://isc.sans.org/diary.html?storyid=5363
Last Updated: 2008-11-17 22:21:15 UTC - "...Adobe has released a bulletin and update to Adobe AIR* that they classify as critical. It fixes some of the same vulnerabilities announced earlier in Flash player. Time to update if you are using AIR..."
* http://www.adobe.com/support/security/bulletins/apsb08-23.html

> http://get.adobe.com/air/
Adobe AIR v1.5 Installer
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5108

- http://secunia.com/advisories/32772/
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch

:fear:

AplusWebMaster
2008-11-19, 21:13
FYI...

How to Protect Your Wi-Fi Network from the WPA Hack
- http://lifehacker.com/5079721/how-to-protect-your-wi+fi-network-from-the-wpa-hack
Nov 7 2008 - "WEP Wi-Fi security has been known as an easy-to-crack security protocol for a while now, which is why it was superseded by the more secure Wi-Fi Protected Access (WPA) standard. But now a PhD candidate studying encryption has found an exploit in the WPA standard that would allow a hacker to "send bogus data to an unsuspecting WiFi client," completely compromising your Wi-Fi security and opening your network to all sorts of hacking. Lucky for you, it's not terribly difficult to protect yourself against the new exploit.
The key: Just log into your router, switch off Temporal Key Integrity Protocol (TKIP) as an encryption mode, and use Advanced Encryption System (AES) only. TKIP is the only protocol that the hack applies to, so switching to AES-only will ensure that your Wi-Fi network is safe again. It's quick and easy, so do yourself a favor and make the adjustment now so you don't run into any problems in the future."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-5230
Last revised: 11/26/2008

:fear:

AplusWebMaster
2008-11-24, 14:24
FYI...

- http://www.viruslist.com/en/weblog?weblogid=208187605
November 21, 2008 - "Some of you might have seen the blogpost* that our colleague Ryan Naraine has put at ZDNET about malware being distributed along with a pack of Lenovo Thinkpad drivers. Here are some more details on that story. Working together with fellow researchers in Microsoft we discovered a URL that pointed to a file on IBM’s ftp site that looked like a false positive, so we sent them a ‘heads up’ message. Careful analysis of the file, which was named ‘q3tsk04us13.exe’ (Lenovo Trust Key Software for WinXP) showed that the file in question did indeed contain a virus named Virus.Win32.Drowor.a. Luckily, the virus was broken and it didn’t work. Naturally, we've notified IBM immediately – and IBM took the file offline... We’d like to salute IBM's prompt response and to thank our friends at MS for their initial analysis."
(Screenshot available at the URL above.)

* http://blogs.zdnet.com/security/?p=2203

:fear:

AplusWebMaster
2008-12-03, 15:08
FYI...

- http://www.theregister.co.uk/2008/12/03/checkfree_hijacked/
3 December 2008 - "Online payment service CheckFree lost control of at least two of its domains on Tuesday in an attack that sent customers to servers run by a notorious crime gang believed to be based in Eastern Europe... Security experts say the 91.203.92.63 IP address has long served as a conduit for online crime. Spamhaus offers this laundry list* of alleged dirty deeds that includes running botnet command channels and various drive-by download sites. According to security researcher Paul Ferguson of anti-virus software provider Trend Micro, the IP address was recently observed handing off booby-trapped PDF files that infected those unfortunate enough to open them... It's unclear how long checkfree .com and mycheckfree .com were redirected to the rogue servers or whether customers have been warned they may have been compromised... It's also unclear how the culprits managed to hijack the domains. While security experts say DNS poisoning wasn't out of the question, the more likely explanation is malicious transfer of the domains through their registrar..."
* http://www.spamhaus.org/sbl/listings.lasso?isp=uatelecom.co.ua

Follow-up...
- http://voices.washingtonpost.com/securityfix/2008/12/hackers_hijacked_large_e-bill.html
December 3, 2008 - "... CheckFree regained control over its site by 5 a.m. on Dec. 2... It appears hackers were able to hijack the company's Web sites by stealing the user name and password needed to make account changes at the Web site of Network Solutions, CheckFree's domain registrar... a spokeswoman for the Herndon, Va., based registrar, said that at around 12:30 a.m. Dec. 2, someone logged in using the company's credentials and changed the address of CheckFree's authoritative domain name system (DNS) servers to point CheckFree site visitors to the Internet address in the Ukraine..."

:fear::mad::fear:

AplusWebMaster
2008-12-05, 08:01
FYI...

- http://isc.sans.org/diary.html?storyid=5434
Last Updated: 2008-12-05 00:29:47 UTC - "Fellow researchers from Symantec posted technical details about an interesting variant of a well known DNSChanger malware. The analysis is available at http://www.symantec.com/security_response/writeup.jsp?docid=2008-120318-5914-99&tabid=1
The DNSChanger malware has been in the wild for quite some time and already drew our attention previously when authors started attacking popular ADSL modems. As the name says, the malware changed DNS server settings, typically to servers in the "popular" 85.255 network. We published several diaries about this malware, the most recent one... is available at http://isc.sans.org/diary.html?storyid=5390 . The evolution went from changing local DNS servers in the operating system (for both Windows and Mac!) to changing DNS server settings in ADSL modems/routers/cable modems. The malware described by Symantec goes a step further – it installs a rogue DHCP server on the network... we can confirm that this malware is in the wild. What does it do? The malware installs a legitimate driver, NDISProt which allows it to send and receive raw Ethernet frames. Once the driver is installed, the malware "simulates" a DHCP server. It starts monitoring network traffic and when it sees a DHCP discover packet it replies with its own DHCP Offer packet. As you can guess, the offered DHCP lease will contain malicious DNS servers... While not too sophisticated, the whole attack is very interesting. First, it's about a race between the rogue DHCP server and the legitimate one. Second, once a machine has been poisoned it is impossible to detect how it actually got poisoned in the first place – you will have to analyze network traffic to see the MAC address of those DHCP Offer packets to find out where the infected machine actually is. As we wrote numerous times before, it's probably wise to at least monitor traffic to 85.255.112.0 – 85.255.127.255, if not block it."
Also see: https://forums.symantec.com/syment/blog/article?blog.id=emerging&thread.id=118
12-04-2008

- http://isc.sans.org/diary.html?storyid=5437
Last Updated: 2008-12-05 00:30:36 UTC - "...a new wave of rogue "Flash Player" updates is making the rounds. This latest version is pretty artfully done - the pages hosting this malware actually do contain a real flash movie that is not malicious and plays in a Youtube-like embedded frame. After the movie has been running for a couple seconds though, a pop-up opens that indicates that a "Flash Player Update is available". It all looks credible enough, like one of those usual auto-update pop-ups, but if you click OK, you get an EXE which isn't really a Flash player update of course. So far, the URLs where the malware is coming from all seem to have in common that port 7777 is used. This is rare enough that trolling through your proxy logs for any of your users going to a URL containing :7777/dt might give you a better indication than your anti-virus, because AV coverage (VirusTotal*) is only slowly improving."
* http://www.virustotal.com/analisis/17fa41ce1d124a653141a7469f9d0e5a

:fear::mad::fear::mad:
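Added example (my own code, not from the ISC diary or this thread) showing how the two hunting tips in the post above can be turned into a quick proxy-log sweep: flag any request whose destination falls in 85.255.112.0/20 (the 85.255.112.0 – 85.255.127.255 range the diary says to watch) and any URL carrying the ":7777/dt" fragment of the rogue "Flash Player update" hosts. The log lines and the "timestamp client dest_ip url" layout are constructed for the example; a real proxy log needs its own field mapping.

```python
import ipaddress
import re

# 85.255.112.0 - 85.255.127.255 from the ISC diary, written as a prefix.
DNSCHANGER_NET = ipaddress.ip_network("85.255.112.0/20")
# URL fragment the diary says the rogue "Flash Player update" hosts had in common.
ROGUE_FLASH = re.compile(r":7777/dt")

# Constructed proxy log: "<timestamp> <client> <dest_ip> <url>" (format assumed here).
SAMPLE_LOG = """\
2008-12-04T10:01:02Z 10.0.0.15 203.0.113.10 http://www.example.com/index.html
2008-12-04T10:01:05Z 10.0.0.22 198.51.100.7 http://198.51.100.7:7777/dt/flash_update.exe
2008-12-04T10:02:11Z 10.0.0.15 85.255.112.45 http://85.255.112.45/
2008-12-04T10:02:40Z 10.0.0.31 85.255.200.1 http://85.255.200.1/
2008-12-04T10:03:01Z malformed line
"""


def parse_line(line):
    """Split one log line into its fields; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, dest, url = parts
    return {"ts": ts, "client": client, "dest": dest, "url": url}


def flag_entry(entry):
    """Return the list of reasons this request deserves a look (empty if none)."""
    reasons = []
    try:
        if ipaddress.ip_address(entry["dest"]) in DNSCHANGER_NET:
            reasons.append("destination in 85.255.112.0/20")
    except ValueError:
        pass  # destination column was a hostname or garbage; skip the range check
    if ROGUE_FLASH.search(entry["url"]):
        reasons.append("URL contains :7777/dt")
    return reasons


def scan_proxy_log(text):
    """Return one record per suspicious request, in log order."""
    hits = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = flag_entry(entry)
        if reasons:
            hits.append({"ts": entry["ts"], "client": entry["client"],
                         "url": entry["url"], "reasons": reasons})
    return hits


def clients_to_triage(text):
    """Distinct internal clients that produced at least one hit."""
    return sorted({h["client"] for h in scan_proxy_log(text)})


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit["ts"], hit["client"], hit["url"], "; ".join(hit["reasons"]))
    print("triage:", clients_to_triage(SAMPLE_LOG))
```

The range check is deliberately separate from the URL check so that either indicator alone raises the line; 85.255.200.1 is outside the /20 and is correctly left alone.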

AplusWebMaster
2008-12-08, 12:44
FYI...

- http://blog.trendmicro.com/most-abused-infection-vector/
Dec. 7, 2008 - "We gathered malware data from January to November 2008 to give us an idea of just how dangerous surfing the Internet is. We analyzed the arrival methods of the top 100 malware infecting the most number of systems for the said period... a majority of the top 100 malware that was most prevalent during this year arrived by surfing malicious or unknown sites. A sad confirmation that despite all awareness campaigns for safe computing, users still tend to victimize themselves out of curiosity."

Coverage: Malware Analyzed by Trend Micro Researchers
Date Range: January 1, 2008 to November 25, 2008

(Charts available at the URL above.)

:fear:

AplusWebMaster
2008-12-09, 13:41
FYI...

- http://www.theregister.co.uk/2008/12/09/stolen_german_bank_accounts_for_sale/
9 December 2008 - "Identity thieves who claim they stole details of 21 million German bank accounts are offering to sell the data on the black market for €12 million (US $15.3 million), a German magazine reported over the weekend. To prove they weren't bluffing, the crooks produced the compact disc containing the names, addresses, phone numbers, birthdays, account numbers, and bank routing numbers of 1.2 million accounts. Two investigative reporters for WirtschaftsWoche* say they obtained the CD during a face-to-face meeting at a hotel in Hamburg with two individuals involved with the theft. The journalists were posing as interested buyers working for a gambling operation. "We took away with us the first delivery, a CD with 1.2 million accounts, that we couldn't imagine," said one of the editors overseeing the investigation. "In the worst case, three out of four German households would have to be afraid that some money could be taken from their checking account without their authorisation, and perhaps even without their realising it," the magazine stated. The information was most likely collected from call center employees, the magazine said. It's Germany's second mega heist of personal information in as many months. In October, T-Mobile admitted losing records belonging to 17 million customers that included their names, addresses, dates of birth, phone numbers, and email addresses..."
* http://preview.tinyurl.com/6drwpg
(Untranslated - in German)

:fear::mad::sad::devil:

AplusWebMaster
2009-01-23, 13:08
FYI...

- http://www.intego.com/news/ism0901.asp
January 22, 2009 - "Intego has discovered a new Trojan horse, OSX.Trojan.iServices.A, which is currently circulating in copies of Apple’s iWork 09 found on BitTorrent trackers and other sites containing links to pirated software. The version of iWork 09, Apple’s productivity suite, is complete and functional, but the installer contains an additional package called iWorkServices.pkg... When installing iWork 09, the iWorkServices package is installed. The installer for the Trojan horse is launched as soon as a user begins the installation of iWork, following the installer’s request of an administrator password... Intego is issuing this alert to warn Mac users not to download iWork 09 installers from sites offering pirated software. (As of 6 am EST, at least 20,000 people have downloaded this installer.) The risk of infection is serious, and users may face extremely serious consequences if their Macs are accessible to malicious users. Intego VirusBarrier X4 and X5 with virus definitions dated January 22, 2009 or later protect against this Trojan horse. Intego recommends that users never download and install software from untrusted sources or questionable web sites..."

- http://voices.washingtonpost.com/securityfix/2009/01/pirated_iwork_software_infects.html
"Update, 11:16 p.m. ET: ...While the attackers may indeed be targeting other sites, dollarcardmarketing .com remains under a fairly consistent DDoS attack as of this writing..."

:fear:

AplusWebMaster
2009-01-31, 15:19
FYI...

Novell releases updates for GroupWise
- http://www.us-cert.gov/current/#novell_releases_updates_for_groupwise
January 30, 2009 - "Novell has released updates for GroupWise 7 and 8 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, compromise a GroupWise account, conduct cross-site scripting attacks, or obtain sensitive information. US-CERT encourages users to review the Novell download page* and apply the appropriate patch to help mitigate the risks."
* http://preview.tinyurl.com/4et673

- http://secunia.com/advisories/33744/
Release Date: 2009-02-02
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, DoS, System access
Where: From remote
Solution Status: Vendor Patch...

:fear:

AplusWebMaster
2009-01-31, 23:08
FYI...

- http://isc.sans.org/diary.html?storyid=5779
Last Updated: 2009-01-31 18:17:26 UTC - "... it appears to be reporting that every site might contain malware (i.e. it shows the "This site may harm your computer" warning with every result)...UPDATE X3: Google's response*..."

Google: This Internet May Harm Your Computer
- http://voices.washingtonpost.com/securityfix/2009/01/google_this_internet_will_harm.html
January 31, 2009 - "A glitch in a computer security program embedded deeply into Google's search engine briefly prevented users of the popular search engine from visiting any Web sites turned up in search results this morning. Instead, Google users were redirected to page that warned: "This site may harm your computer"..."
* http://googleblog.blogspot.com/2009/01/this-site-may-harm-your-computer-on.html
January 31, 2009 - "...the URL of '/' was mistakenly checked in as a value to the file and '/' expands to all URLs. Fortunately, our on-call site reliability team found the problem quickly and reverted the file. Since we push these updates in a staggered and rolling fashion, the errors began appearing between 6:27 a.m. and 6:40 a.m. and began disappearing between 7:10 and 7:25 a.m., so the duration of the problem for any particular user was approximately 40 minutes..."
- http://blog.stopbadware.org/2009/01/31/google-glitch-causes-confusion
January 31, 2009 - "...Users who attempted to click through the results saw the "interstitial" warning page that mentions the possibility of badware and refers people to StopBadware.org for more information. This led to a denial of service of our website, as millions of Google users attempted to visit our site for more information... [Update 2:35] Hopefully this will be the last update, as Google has acknowledged the error, apologized to its customers, and fixed the problem. As many know, we have a strong relationship with Google, which is a sponsor and partner of StopBadware.org. The mistake in Google’s initial statement, indicating that we supply them with badware data, is a common misperception. We appreciate their follow up efforts in clarifying the relationship on their blog and with the media. Despite today’s glitch, we continue to support Google’s effort to proactively warn users of badware sites, and our experience is that they are committed to doing so as accurately and as fairly as possible..."

:spider::lip::red:

AplusWebMaster
2009-02-20, 12:01
FYI...

Acrobat [Reader] 0-Day On the Loose
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219
2009-02-19 - "The Shadowserver Foundation has recently become aware of a very severe vulnerability in Adobe Acrobat affecting versions 8.x and 9 that is currently on the loose in the wild and being actively exploited. We are aware of several different variations of this attack, however, we were provided with a sample last week in which we were permitted to analyze and detail in this post. We want to make it clear that we did not discover this vulnerability and are only posting this information to make sure others are aware and can adequately protect themselves. All of our testing was done on Adobe Acrobat Reader 8.1.0, 8.1.1, 8.1.2, 8.1.3 (latest release of 8), and 9.0.0 (latest release of 9)... We would HIGHLY recommend that you DISABLE JAVASCRIPT in your Adobe Acrobat [Reader] products. You have the choice of small loss in functionality and a crash versus your systems being compromised and all your data being stolen. It should be an easy choice. Disabling JavaScript is easy. This is how it can be done in Acrobat Reader:
Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript ... Adobe has since issued a public advisory* about this issue that has been posted here. They are expecting an update by March 11th, 2009 for Adobe 9 and updates for other versions (8 and 7) to follow soon after..."
* http://www.adobe.com/support/security/advisories/apsa09-01.html
February 19, 2009 - "...Adobe categorizes this as a critical issue..."

- http://blogs.adobe.com/psirt/2009/02/adobe_reader_and_acrobat_issue.html
February 19, 2009 09:18 PM

:fear::mad:

AplusWebMaster
2009-02-20, 18:45
More on this:

- http://preview.tinyurl.com/bp67qy
February 20, 2009 Security Fix - "...In the past I have recommended the free version of Foxit Reader as a faster and more lightweight alternative for viewing PDF files. However, I have not yet been able to verify whether Foxit Reader may be similarly vulnerable...
Update, 10:34 a.m. ET: "Sherry" from Foxit wrote me back to say the company has no information to suggest Foxit is similarly vulnerable: "Currently Foxit Software have not suffered these problems. And we will pay attention to it in the future." Also, Symantec has now posted its writeup on this flaw*, saying it has received reports of targeted attacks against government, large enterprise and financial services organizations..."
* http://preview.tinyurl.com/cajqre
02-20-2009 Symantec Security Response Blog
* http://preview.tinyurl.com/cqs68s
February 12, 2009 Symantec Security Response - "... The Trojan opens a backdoor on the compromised computer. It then contacts the following remote host in order to steal information from the compromised computer: js001 .3322 .org ..."

- http://secunia.com/advisories/33901/
Release Date: 2009-02-20
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched...

:fear::fear:

AplusWebMaster
2009-02-22, 13:27
FYI...

- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090221
21 February 2009 - "...Work Arounds & Windows Group Policy Object (GPO)
As we mentioned the main work around for this is to disable JavaScript. Acrobat will still crash but the exploit should fail. While all platforms are reportedly affected, we should note that we have only seen active exploits for Windows and not Linux or OS X platforms. Once again to disable JavaScript in Acrobat [Reader], take the following steps:
Click: Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript
Elazar Broad also wrote into us the other day and provided a GPO that can be used to disable JavaScript for Adobe Acrobat [Reader]. We have not tested it but you can grab it by clicking here*. Basically these are the keys of interest (from HKEY_CURRENT_USER):
Adobe Acrobat Reader:
Software\Adobe\Acrobat Reader\x.0\JSPrefs
Adobe Acrobat:
Software\Adobe\Adobe Acrobat\x.0\JSPrefs
Setting the DWORD "bEnableJS" to 0 will disable JavaScript...
Details Released
We knew it would not take too long - the details of the vulnerable function and enough information to potentially recreate the exploit have now been published publicly... Expect that a wider set of attackers will now start using this exploit in the near future before the patch is released. In other words... DISABLE JAVASCRIPT and patch as soon as it becomes available!"
* http://www.shadowserver.org/wiki/uploads/Calendar/adobe.txt

- http://www.kb.cert.org/vuls/id/905281
Last Updated: 2009-02-23

:fear:
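Added example (my own, not Shadowserver's GPO or anything from this thread) for checking that the registry change described above actually landed: it reads a `reg export` style dump of HKEY_CURRENT_USER, finds every `Software\Adobe\Acrobat Reader\x.0\JSPrefs` and `Software\Adobe\Adobe Acrobat\x.0\JSPrefs` key, and reports the versions where `bEnableJS` is not 0. A JSPrefs key with no `bEnableJS` value at all is reported as not disabled, on the assumption that the product then falls back to its default (JavaScript on). The dump text below is constructed for the example.

```python
import re

# Key shapes quoted in the Shadowserver post; "x.0" is the product version.
JSPREFS_KEY = re.compile(
    r"^\[HKEY_CURRENT_USER\\Software\\Adobe\\(Acrobat Reader|Adobe Acrobat)\\(\d+\.\d+)\\JSPrefs\]$"
)
# One REG_DWORD line as .reg files write it: "name"=dword:xxxxxxxx
DWORD_VALUE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')

# Constructed .reg export: Reader 8.0 disabled, Reader 9.0 still on,
# Acrobat 8.0 has a JSPrefs key but no bEnableJS value at all.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\8.0\JSPrefs]
"bEnableJS"=dword:00000000

[HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\9.0\JSPrefs]
"bEnableJS"=dword:00000001
"bEnableMenuItems"=dword:00000001

[HKEY_CURRENT_USER\Software\Adobe\Adobe Acrobat\8.0\JSPrefs]
"bConsoleOpen"=dword:00000000
"""


def audit_js_prefs(reg_text):
    """Map (product, version) -> bEnableJS value, or None when the value is absent."""
    results = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = JSPREFS_KEY.match(line)
            current = (m.group(1), m.group(2)) if m else None
            if current is not None:
                results.setdefault(current, None)
            continue
        if current is None:
            continue
        m = DWORD_VALUE.match(line)
        if m and m.group("name") == "bEnableJS":
            results[current] = int(m.group("hex"), 16)
    return results


def javascript_still_enabled(reg_text):
    """(product, version) pairs where Acrobat JavaScript is not switched off."""
    return sorted(k for k, v in audit_js_prefs(reg_text).items() if v != 0)


def remediation_reg(reg_text):
    """Build .reg text that sets bEnableJS=0 for every install still reporting JavaScript on."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for product, version in javascript_still_enabled(reg_text):
        lines.append(f"[HKEY_CURRENT_USER\\Software\\Adobe\\{product}\\{version}\\JSPrefs]")
        lines.append('"bEnableJS"=dword:00000000')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    for product, version in javascript_still_enabled(SAMPLE_REG_EXPORT):
        print(f"JavaScript still enabled: {product} {version}")
    print(remediation_reg(SAMPLE_REG_EXPORT))
```

Run it against `reg export "HKCU\Software\Adobe" adobe.reg` output from a few workstations after the GPO has applied; anything it lists is a machine where the policy did not take effect.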

AplusWebMaster
2009-02-23, 00:08
FYI...

- http://preview.tinyurl.com/cjkx72
February 20, 2009 (Computerworld) - "...nearly one-third of the estimated 200,000 DNS servers worldwide still remain unprotected against the cache-poisoning threat and need to be patched as soon as possible, Kaminsky said, adding that many of them are being attacked on a daily basis. "We are seeing attacks where people are redirecting major sites to places where they shouldn't be going," he said. "It's happening right now." The cache-poisoning flaw was publicly disclosed last July... The flaw could be used by attackers to spoof DNS traffic, potentially enabling them to redirect Web traffic and e-mail messages to systems under their control..."

Web-based DNS Randomness Test
- https://www.dns-oarc.net/oarc/services/dnsentropy
Test My DNS

...and if you are still having problems, try this:
- http://www.opendns.com/

.
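Added example (my own code; it is not the DNS-OARC test and does not reproduce their scoring) of the check the "randomness test" above performs, done offline from your own resolver's outbound queries: collect the UDP source port and transaction ID of each query it sends, then measure whether those values are actually unpredictable. The three sample sets are constructed with a seeded RNG: a resolver that uses one fixed source port, one that increments the port, and one with randomized ports. The 0.8 × log2(n) entropy threshold and the "more than half the steps are +1" rule for sequential ports are simple heuristics chosen for this example.

```python
import math
import random
from collections import Counter


def entropy_bits(values):
    """Shannon entropy of the observed values in bits; log2(len(values)) when all differ."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def sequential_fraction(values):
    """Share of consecutive samples that differ by exactly +1 (an incrementing counter)."""
    if len(values) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(values, values[1:]) if b - a == 1)
    return steps / (len(values) - 1)


def assess_resolver(samples):
    """samples: list of (udp_source_port, transaction_id) from one resolver's outbound queries."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    ideal = math.log2(len(samples))
    report = {
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": round(entropy_bits(ports), 2),
        "txid_entropy_bits": round(entropy_bits(txids), 2),
        "ports_sequential": sequential_fraction(ports) > 0.5,
    }
    weak = (report["port_entropy_bits"] < 0.8 * ideal
            or report["txid_entropy_bits"] < 0.8 * ideal
            or report["ports_sequential"])
    report["verdict"] = "POOR" if weak else "GOOD"
    return report


# Constructed samples, 64 queries each; seeded so the numbers are reproducible.
_rng = random.Random(2008)
FIXED_PORT = [(53, _rng.randrange(65536)) for _ in range(64)]                 # one source port
SEQUENTIAL = [(32768 + i, _rng.randrange(65536)) for i in range(64)]          # port counter
RANDOMIZED = [(_rng.randrange(1024, 65536), _rng.randrange(65536)) for _ in range(64)]  # patched


if __name__ == "__main__":
    for name, data in (("fixed", FIXED_PORT), ("sequential", SEQUENTIAL), ("random", RANDOMIZED)):
        print(name, assess_resolver(data))
```

Feed it real data by capturing port 53 traffic leaving the resolver and recording each query's source port and ID; a fixed or counting source port leaves only the 16-bit transaction ID standing between the cache and a spoofed answer.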

AplusWebMaster
2009-03-03, 14:31
FYI...

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=215600307
March 2, 2009 - "IBM said a recent firmware update could cause the Seagate disk drives on more than two dozen models of its business servers to fail, leading to a situation that could cause customers to lose access to critical corporate data. In a current support bulletin*, the company said the bug affects a range of models in its BladeCenter, xSeries, and System x lines of servers. "After a power cycle, the SATA drive is no longer available and becomes unresponsive," IBM warned. "Data may become inaccessible due to the drive not responding," according to the bulletin, which lists numerous IBM server configurations at risk from the problem. IBM said customers should use the ServeRAID manager or other tools to determine their disk drive model and firmware. IBM said it plans to fix the problem in a firmware update "scheduled for first quarter 2009." The company did not offer further specifics on a release date. The update, when available, will be accessible as a download from IBM's System x support Web site... IBM said the warning applies to server products sold worldwide."
* http://preview.tinyurl.com/c8fy3l
Last modified: 2009-02-18

:fear::sad::fear:

AplusWebMaster
2009-03-09, 15:13
FYI...

Foxit Reader multiple vulns - update available
- http://secunia.com/advisories/34036/2/
Release Date: 2009-03-09
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Foxit Reader 2.x, Foxit Reader 3.x
...This vulnerability is confirmed in version 3.0.2009.1301 and reported in versions 2.3 and 3.0.
Successful exploitation of the vulnerabilities may allow execution of arbitrary code...
Solution: Update to version 3.0 Build 1506 or version 2.3 Build 3902 * ...
Original Advisory: Foxit Software: http://www.foxitsoftware.com/pdf/reader/security.htm
Release Date: Mar. 9, 2009
Stack-based Buffer Overflow in Foxit Reader 3.0
Security Authorization Bypass in Foxit Reader 2.3 and 3.0
JBIG2 Symbol Dictionary Processing in Foxit Reader 2.3 and 3.0...
2009-03-09: Foxit released fixed version 3.0 Build 1506...
Secunia Research: http://secunia.com/secunia_research/2009-11/
CVE reference: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0191

* http://www.foxitsoftware.com/downloads/index.html
Last Updated: 2009-03-09
OS: Windows 2000/XP/2003/Vista

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0191

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0836

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0837

:fear:

AplusWebMaster
2009-03-11, 10:28
FYI...

Security Updates available for Adobe Reader 9 and Acrobat 9
- http://www.adobe.com/support/security/bulletins/apsb09-03.html
Release date: March 10, 2009
Vulnerability identifier: APSB09-03
CVE number: CVE-2009-0658
Platform: All Platforms...
Affected software versions:
Adobe Reader 9 and earlier versions
Adobe Acrobat 9 Standard, Pro, and Pro Extended and earlier versions
Solution: Adobe Reader
Adobe recommends Adobe Reader users update to Adobe Reader 9.1, available here:
- http://get.adobe.com/reader/
Acrobat 9
Adobe recommends Acrobat 9 Standard and Acrobat 9 Pro users on Windows update to Acrobat 9.1, available at the following URLs:
- http://www.adobe.com/support/downloads/detail.jsp?ftpID=4375
- http://www.adobe.com/support/downloads/detail.jsp?ftpID=4382
Adobe recommends Acrobat 9 Pro Extended users on Windows update to Acrobat 9.1, available here:
- http://www.adobe.com/support/downloads/detail.jsp?ftpID=4381
Adobe recommends Acrobat 9 Pro users on Macintosh update to Acrobat 9.1, available here:
- http://www.adobe.com/support/downloads/detail.jsp?ftpID=4374
Severity rating:
Adobe categorizes this as a critical issue and recommends that users apply the update for their product installations...

> http://blogs.adobe.com/psirt/2009/03/_adobe_reader_and_acrobat_91_u.html

:fear:

AplusWebMaster
2009-03-11, 13:45
FYI...

- http://isc.sans.org/diary.html?storyid=6001
Last Updated: 2009-03-11 00:34:49 UTC - "...attackers used ARP spoofing to inject malicious JavaScript into content served off other web sites. The biggest problem with such attacks is that it can be very difficult to analyze them unless you remember to check layer two network traffic. Such attacks are very covert and put in danger all web sites in the same subnet...
ARP spoofing attacks happen on layer two – the Address Resolution Protocol maps IP addresses and MAC addresses, which is what is used to communicate in local subnets... The basic idea of an ARP spoofing attack is for the attacker to spoof IP address <-> MAC address pair of the default gateway. This allows him to intercept (and, if needed modify) all outgoing traffic from that subnet. The attacker can also spoof the IP address <-> MAC address pair of a local server in which case he could monitor incoming traffic, but in this scenario that was not necessary. The spoofing attack consists of the attacker sending ARP packets containing fake data to the target. In normal conditions the target machine will accept this and “believe” whatever the attacker is saying...
A server on a local subnet was compromised and the attacker installed ARP spoofing malware (together with keyloggers and other Trojans) on the machine. The ARP spoofing malware poisoned local subnet so the outgoing traffic was tunneled through it. The same malware then inserted malicious JavaScript into every HTML page served by any server on that subnet. You can see how this is fruitful for the attacker – with one compromised server they can effectively attack hundreds of web sites...
AV detection rates were similarly poor (in the mean time they improved). Particularly nasty was the Winlogon Notify hook package which simply “sniffs” all usernames/passwords of users logging in to the system (so password changes don’t help)..."

(More detail at the ISC URL above.)

> http://en.wikipedia.org/wiki/ARP_spoofing

:fear::fear:
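Added example (my own, not from the ISC diary) of the layer-two check the diary says people forget: walk the ARP replies from a capture, keep the IP-to-MAC mapping you first learn (or a pinned one for the gateway), and alert whenever a later reply contradicts it. Because the diary's attacker was a compromised server on the same subnet, the alert also lists every other IP the offending MAC has answered for, which is how you find the infected box. The replies, addresses and MACs are constructed for the example.

```python
from collections import namedtuple

# One ARP reply as pulled from a capture: time, the IP the sender claims, the MAC it claims it for.
ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac")

# Pinned, known-good mappings (constructed). Pin at least the default gateway,
# since that is the pair the diary's attacker spoofed.
KNOWN_GOOD = {"192.0.2.1": "00:11:22:33:44:55"}

# Constructed sequence: the real gateway answers, a server answers for its own IP,
# then that same server's MAC starts answering for the gateway's IP.
SAMPLE_REPLIES = [
    ArpReply("10:00:00", "192.0.2.1", "00:11:22:33:44:55"),
    ArpReply("10:00:01", "192.0.2.10", "00:AA:BB:CC:DD:EE"),
    ArpReply("10:00:30", "192.0.2.1", "00:11:22:33:44:55"),
    ArpReply("10:01:00", "192.0.2.1", "00:aa:bb:cc:dd:ee"),
    ArpReply("10:01:05", "192.0.2.1", "00:aa:bb:cc:dd:ee"),
]


def detect_arp_spoofing(replies, known_good=KNOWN_GOOD):
    """Return one alert per reply whose MAC contradicts the pinned or first-learned mapping."""
    pinned = {ip: mac.lower() for ip, mac in known_good.items()}
    learned = {}       # ip -> first MAC seen for it, used when nothing is pinned
    mac_claims = {}    # mac -> every IP it has claimed, to locate the spoofing host
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        mac_claims.setdefault(mac, set()).add(r.sender_ip)
        expected = pinned.get(r.sender_ip) or learned.setdefault(r.sender_ip, mac)
        if mac != expected:
            alerts.append({
                "ts": r.ts,
                "ip": r.sender_ip,
                "expected_mac": expected,
                "seen_mac": mac,
                "mac_also_claimed": sorted(mac_claims[mac] - {r.sender_ip}),
            })
    return alerts


def suspect_hosts(alerts):
    """IPs that the spoofing MAC(s) legitimately answered for: the machines to pull off the wire."""
    return sorted({ip for a in alerts for ip in a["mac_also_claimed"]})


if __name__ == "__main__":
    found = detect_arp_spoofing(SAMPLE_REPLIES)
    for a in found:
        print(a["ts"], a["ip"], "expected", a["expected_mac"], "saw", a["seen_mac"],
              "also claimed", a["mac_also_claimed"])
    print("suspect hosts:", suspect_hosts(found))
```

MACs are normalized to lowercase so a capture tool that prints them in uppercase does not produce false alerts, and pinned entries take precedence over learned ones so an attacker who answers first cannot poison the baseline for the gateway.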

AplusWebMaster
2009-03-16, 22:24
FYI...

- http://isc.sans.org/diary.html?storyid=6025
Last Updated: 2009-03-16 19:49:12 UTC - "...new version of rogue DHCP server malware... The malware appears to be similar to Trojan.Flush.M which was found last December. Like back then, after infecting its target, the malware installs a rogue DHCP server. The main goal of the DHCP server is to spread a bad DNS server IP address... summary of the differences:
• The new version sets the DHCP lease time to 1 hour.
• It sets the MAC destination to the broadcast address, rather than the MAC address of the DHCP client.
• It does not specify a DNS Domain Name.
• The options field does not contain an END option followed by PAD options.
• Unlike Trojan.Flush.M, the BootP Broadcast Bit is set.

The malicious DNS servers are 64.86.133.51 and 63.243.173.162.
Recommendation: Monitor connections to DNS servers other than the approved one pushed out by your DHCP server. This should help you spot this kind of malware. Yes, you can block the two IP addresses listed above, but it will likely do little good."

:fear::fear:
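Added example (my own code, not from either ISC diary or Symantec) that ties the 2008-12-05 rogue-DHCP post and this one together: a small parser for Ethernet/IPv4/UDP/DHCP Offer frames that pulls out the fields both diaries say to look at (the offering server's MAC from the Ethernet header, the DNS servers in option 6, lease time, the BootP broadcast bit, the destination MAC, the presence of a domain name and END option) and compares the offered DNS servers against the one your real DHCP server hands out. The two sample frames are built by a helper in the block, so the capture format is the real one but the addresses are constructed; the approved resolver 192.0.2.53 is an assumption, while 64.86.133.51 and 63.243.173.162 are the servers named in the diary above.

```python
import struct
import ipaddress

APPROVED_DNS = {"192.0.2.53"}               # what your real DHCP server hands out (constructed)
DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_DNS, OPT_DOMAIN, OPT_LEASE, OPT_MSGTYPE, OPT_SERVER_ID, OPT_END = 0, 6, 15, 51, 53, 54, 255
DHCPOFFER = 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_offer_frame(server_mac, dst_mac, server_ip, yiaddr, dns_servers, lease, broadcast_bit, domain=None):
    """Construct a complete Ethernet/IPv4/UDP/DHCP Offer frame; only used to make sample input."""
    opts = bytes([OPT_MSGTYPE, 1, DHCPOFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.ip_address(server_ip).packed
    opts += bytes([OPT_LEASE, 4]) + struct.pack("!I", lease)
    dns = b"".join(ipaddress.ip_address(d).packed for d in dns_servers)
    opts += bytes([OPT_DNS, len(dns)]) + dns
    if domain:
        opts += bytes([OPT_DOMAIN, len(domain)]) + domain.encode()
    opts += bytes([OPT_END])
    flags = 0x8000 if broadcast_bit else 0
    bootp = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, flags)    # op=BOOTREPLY, xid, flags
    bootp += b"\0" * 4 + ipaddress.ip_address(yiaddr).packed + b"\0" * 8  # ciaddr, yiaddr, siaddr, giaddr
    bootp += mac_bytes("00:11:22:33:44:55") + b"\0" * 10                  # chaddr: the client's MAC
    bootp += b"\0" * 192                                                  # sname + file
    dhcp = bootp + DHCP_MAGIC + opts
    udp = struct.pack("!HHHH", 67, 68, 8 + len(dhcp), 0) + dhcp            # checksum left 0 for the sample
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.ip_address(server_ip).packed, ipaddress.ip_address(yiaddr).packed) + udp
    return mac_bytes(dst_mac) + mac_bytes(server_mac) + b"\x08\x00" + ip


def parse_dhcp_offer(frame):
    """Return the fields of interest from a DHCP Offer frame, or None if the frame is not one."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        return None
    ip = frame[14:]
    if ip[9] != 17:                                   # protocol must be UDP
        return None
    udp = ip[(ip[0] & 0x0F) * 4:]
    if struct.unpack("!H", udp[:2])[0] != 67:         # DHCP server source port
        return None
    dhcp = udp[8:]
    op, _, _, _, _, _, flags = struct.unpack("!BBBBIHH", dhcp[:12])
    if op != 2 or dhcp[236:240] != DHCP_MAGIC:
        return None
    opts, i, saw_end = {}, 240, False
    while i < len(dhcp):
        code = dhcp[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            saw_end = True
            break
        length = dhcp[i + 1]
        opts[code] = dhcp[i + 2:i + 2 + length]
        i += 2 + length
    if opts.get(OPT_MSGTYPE) != bytes([DHCPOFFER]):
        return None
    raw_dns = opts.get(OPT_DNS, b"")
    return {
        "server_mac": mac_str(frame[6:12]),           # the diary's point: this locates the infected host
        "dst_mac": mac_str(frame[0:6]),
        "broadcast_bit": bool(flags & 0x8000),
        "dns": [str(ipaddress.ip_address(raw_dns[j:j + 4])) for j in range(0, len(raw_dns) // 4 * 4, 4)],
        "lease": struct.unpack("!I", opts[OPT_LEASE])[0] if OPT_LEASE in opts else None,
        "domain": opts[OPT_DOMAIN].decode(errors="replace") if OPT_DOMAIN in opts else None,
        "has_end": saw_end,
    }


def assess_offer(offer, approved=APPROVED_DNS):
    """List which of the diaries' indicators this offer matches; an unapproved DNS server is the one that matters."""
    findings = []
    rogue = [d for d in offer["dns"] if d not in approved]
    if rogue:
        findings.append("unapproved DNS server(s): " + ", ".join(rogue))
    if offer["broadcast_bit"]:
        findings.append("BootP broadcast bit set")
    if offer["dst_mac"] == "ff:ff:ff:ff:ff:ff":
        findings.append("offer addressed to broadcast MAC")
    if offer["lease"] == 3600:
        findings.append("1 hour lease")
    if offer["domain"] is None:
        findings.append("no DNS domain name")
    if not offer["has_end"]:
        findings.append("no END option")
    return findings


LEGIT_OFFER = build_offer_frame("00:50:56:aa:01:02", "00:11:22:33:44:55", "192.0.2.200", "192.0.2.77",
                                ["192.0.2.53"], 86400, False, "corp.example")
ROGUE_OFFER = build_offer_frame("00:de:ad:be:ef:01", "ff:ff:ff:ff:ff:ff", "192.0.2.66", "192.0.2.77",
                                ["64.86.133.51", "63.243.173.162"], 3600, True)

if __name__ == "__main__":
    for frame in (LEGIT_OFFER, ROGUE_OFFER):
        offer = parse_dhcp_offer(frame)
        print(offer["server_mac"], offer["dns"], assess_offer(offer) or "clean")
```

The secondary traits (lease length, broadcast bit, missing domain name) are the fingerprint of this particular variant and will match some legitimate servers too; the check that stays valid against the next variant is the DNS-server comparison, which is exactly the diary's recommendation.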

AplusWebMaster
2009-03-18, 20:31
FYI...

- http://www.us-cert.gov/current/index.html#autonomy_keyview_sdk_vulnerability
March 18, 2009 - "US-CERT is aware of reports of a vulnerability that affects the Autonomy KeyView SDK wp6sr.dll library. This library is used by certain products, including Lotus Notes and Symantec, to support the handling of Word Perfect documents. By convincing a user to open a specially crafted Word Perfect document with an application using the affected Autonomy KeyView SDK library, a remote attacker may be able to execute arbitrary code...
• IBM Lotus Notes users should review the IBM Flash Alert and implement the listed fixes or workarounds.
http://www-01.ibm.com/support/docview.wss?uid=swg21377573
• Symantec users should review Symantec Security Advisory SYM09-004 and implement the listed fixes or workarounds.
http://www.symantec.com/avcenter/security/Content/2009.03.17a.html
• Registered Autonomy Users should review the related Autonomy alert (login required).
https://customers.autonomy.com/support/secure/docs/Updates/Keyview/Filter%20SDK/10.4/kv_update_nti40_10.4.zip.readme.html ..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4564
Last revised: 03/20/2009
CVSS v2 Base Score: 9.3 (HIGH)

:fear:

AplusWebMaster
2009-03-18, 23:14
FYI...

- http://isc.sans.org/diary.html?storyid=6034
Last Updated: 2009-03-18 20:04:58 UTC - "Adobe has released security advisory APSB09-04* for Adobe Reader and Acrobat. The CVE entries related to the vulnerabilities being patched are CVE-2009-0658 and CVE-2009-0927. Current versions are now 9.1, 8.1.4, and 7.11. Updates for both Windows and Macintosh platforms are available..."
* http://www.adobe.com/support/security/bulletins/apsb09-04.html
Release date: March 18, 2009 - "... Users with Adobe Reader 7.0 through 8.1.3, who can’t update to Adobe Reader 9.1, should update to Adobe Reader 8.1.4 or Adobe Reader 7.1.1, available from one of the following links:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh ..."

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0658
Last revised: 03/06/2009

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0927
Last revised: 03/19/2009

- http://www.eset.com/threat-center/blog/?p=805
March 20, 2009 - "...updating re-enables Acrobat JavaScript. While the update presumably (hopefully) fixes the recent vulnerabilities, I’m not sure I’d care to assume that no further vulnerabilities will be found. You might want to consider our earlier advice to disable it..."

:fear:

AplusWebMaster
2009-03-20, 12:06
FYI...

Thunderbird v2.0.0.21 released
- http://www.mozillamessaging.com/en-US/thunderbird/
March 18, 2009

Fixed in Thunderbird 2.0.0.21
- http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html#thunderbird2.0.0.21
MFSA 2009-10 Upgrade PNG library to fix memory safety hazards
MFSA 2009-09 XML data theft via RDFXMLDataSource and cross-domain redirect
MFSA 2009-07 Crashes with evidence of memory corruption (rv:1.9.0.7)
MFSA 2009-01 Crashes with evidence of memory corruption (rv:1.9.0.6)

- http://secunia.com/advisories/33802/2/
Last Update: 2009-03-20
Critical: Highly critical
Impact: Security Bypass, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch ...
Solution: Update to version 2.0.0.21...
CVE reference:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0040
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0352
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0353
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0772
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0774
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0776

:fear:

AplusWebMaster
2009-03-26, 00:31
FYI...

IBM Access Support ActiveX control stack buffer overflow
- http://www.kb.cert.org/vuls/id/340420
Date Last Updated: 2009-03-25 - "... IBM Access Support ActiveX control, which is provided by IbmEgath.dll, contains a stack buffer overflow in the GetXMLValue() method. We have confirmed that version 3.20.284.0 is vulnerable. Other versions may also contain the flaw.
... Impact: By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause Internet Explorer (or the program using the WebBrowser control) to crash.
... Solution: We are currently unaware of a practical solution to this problem. Please consider the following workarounds: Disable the IBM Access Support ActiveX control in Internet Explorer
The vulnerable ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID: {74FFE28D-2378-11D5-990C-006094235084} ..."

- http://secunia.com/advisories/34470/2/
Critical: Highly critical
Solution Status: Unpatched...

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0215
Last revised: 03/25/2009
CVSS v2 Base Score:9.3 (HIGH)...

:fear:

AplusWebMaster
2009-04-04, 02:36
FYI...

- http://isc.sans.org/diary.html?storyid=6121
Last Updated: 2009-04-03 21:35:44 UTC - "We've been keeping an eye on the issues affecting the domain servers of Register.com. Several readers have written to us with concerns over the lack of availability of Register.com's servers, which seem to have been under a DDoS attack. There are also reports that DNS provider NeuStar (UltraDNS) may be under DDoS, too. We don't have any information at the moment about these incidents, beyond what is reported in the following articles:
- http://www.theinquirer.net/inquirer/news/638/1051638/register-com-suffers-dos-attack
- http://www.scmagazineus.com/DDoS-attacks-hit-major-web-services/article/130060/
Register.com issues are causing lots of issues across the web. One reader told us, "We are struggling to keep our websites available. DNS is the problem. We are being told by Register.com that the April 1 issues are affecting them. It sounds like they are being DOS'd and are filtering certain ISPs from querying them." Another reader said, "Register.com's DNS servers have gone offline for the second time in 24 hours. They were down yesterday from about 15:45 - 18:45 and just went down again today at about 14:30 (all times EST)..."

- http://isc.sans.org/diary.html?storyid=6121
Last Updated: 2009-04-04 02:53:13 UTC ...(Version: 2)
"Update: ... We are using all available means to restore services to every one of our customers and halt this criminal attack on our business and our customers’ business. We are working round the clock to make that happen. We are committed to updating you in as timely a manner as possible; please check your inbox or our website for additional updates.
Thank you for your patience.
Larry Kutscher
Chief Executive Officer
Register.com"

:fear::fear:

AplusWebMaster
2009-04-10, 16:28
FYI...

- http://blog.wired.com/27bstroke6/2009/04/cable-sabotage.html
April 09, 2009 | 3:58:39 PM - "Deliberate sabotage is being blamed for a sizable internet and telephone service outage Thursday in Silicon Valley. At 1:30 a.m., someone opened a manhole cover on a railroad right-of-way in San Jose, climbed down and cut four AT&T fiber optic cables. A second AT&T cable, and a Sprint cable, were cut in the same manner two hours later, farther north in San Carlos. Service for Sprint, Verizon and AT&T customers in the southern San Francisco Bay Area has been lost, according to the San Francisco Chronicle*. Police departments have put more units on the street, because nobody can call 9-1-1. A much smaller Comcast outage affecting around 4,500 customers in San Jose began at around 1:00 p.m. Pacific time. Spokesman Andrew Johnson says the company is investigating the cause.
Update: AT&T is offering a $100,000 reward** for information leading to the arrest and conviction of the vandal."

* http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2009/04/09/BAP816VTE6.DTL&tsp=1
April 10, 2009 - "... Ten fiber-optic cables... were cut at four locations in the predawn darkness..."

AT&T Offering $100,000 Reward in Bay Area Network Vandalism
** http://www.att.com/gen/press-room?pid=4800&cdvn=news&newsarticleid=26715
April 9, 2009

:mad::mad::mad:

AplusWebMaster
2009-04-22, 14:50
FYI...

- http://www.pcworld.com/article/163574/ditch_adobe_reader_for_better_security.html
Apr 21, 2009 - "... In 2008, from Jan. 1 through April 16, F-Secure saw PDFs used in 128 dangerous drive-by attacks. This year, during the same time frame, the company has seen 2,305 drive-by's using PDFs. Such attacks go after a vulnerable Reader browser plugin... Poisoned PDFs are also often used as part of a customized, targeted attack, he says, when they're sent to a specifically selected recipient attached to a well-crafted e-mail. Hypponen didn't recommend any particular alternative program, but suggested heading to http://www.pdfreaders.org for a list of free apps. He did point out that at the time of IE 6's security infamy, many switched over to using Firefox. And as that browser gained significant market share, it also drew the hacker's eye..."

Another freeware alternative: Foxit PDF Reader
- http://www.foxitsoftware.com/pdf/reader/download.php

:fear::sad:

AplusWebMaster
2009-04-29, 16:19
FYI...

- http://blogs.adobe.com/psirt/2009/04/update_on_adobe_reader_issue.html
April 28, 2009 - "... All currently supported shipping versions of Adobe Reader and Acrobat (Adobe Reader and Acrobat 9.1, 8.1.4, and 7.1.1 and earlier versions) are vulnerable to this issue. Adobe plans to provide updates for all affected versions for all platforms (Windows, Macintosh and Unix) to resolve this issue. We are working on a development schedule for these updates and will post a timeline as soon as possible. We are currently not aware of any reports of exploits in the wild for this issue. To mitigate the issue disable JavaScript in Adobe Reader and Acrobat using the following instructions below:
1. Launch Acrobat or Adobe Reader.
2. Select Edit >Preferences
3. Select the JavaScript Category
4. Uncheck the ‘Enable Acrobat JavaScript’ option
5. Click OK
... Adobe is also currently investigating the issue posted on SecurityFocus as BID 34740*..."
* http://www.securityfocus.com/bid/34740/info
Updated: Apr 29 2009

- http://isc.sans.org/diary.html?storyid=6286
Last Updated: 2009-04-29 03:22:48 UTC

- http://www.f-secure.com/weblog/archives/00001671.html
April 29, 2009

- http://www.adobe.com/support/security/advisories/apsa09-02.html
May 1, 2009 - "...Adobe expects to make available Windows updates for Adobe Reader versions 9.X, 8.X, and 7.X and Acrobat versions 9.X, 8.X, and 7.X, Macintosh updates for Adobe Reader versions 9.X and 8.X and Acrobat versions 9.X and 8.X, as well as Adobe Reader for Unix versions 9.X and 8.X, by May 12th, 2009..."

CVE numbers:
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1492
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1493

:fear::spider::fear:

AplusWebMaster
2009-05-07, 17:43
FYI...

- http://www.f-secure.com/weblog/archives/00001676.html
May 6, 2009 - "... we decided to take a look at targeted attacks and see which file types were the most popular during 2008 and if that has changed at all during 2009. In 2008 we identified about 1968 targeted attack files. The most popular file type was DOC, i.e. Microsoft Word representing 34.55%... So far in 2009 we have found 663 targeted attack files and the most popular file type is now PDF. Why has it changed? Primarily because there have been more vulnerabilities in Adobe Acrobat Reader than in the Microsoft Office applications... More info about targeted attacks and how they work can be found in our YouTube video*."

(Charts available at the URL above.)

* http://www.youtube.com/watch?v=nFw9ZHy0V3c

:fear:

AplusWebMaster
2009-05-11, 22:36
FYI... http://isc.sans.org/diary.html?storyid=6373

- http://technet.microsoft.com/sysinternals/bb963902.aspx
Autoruns v9.5: This update to Autoruns, a powerful autostart manager, adds display of audio and video codecs, which are gaining popularity as an extension mechanism used by malware to gain automatic execution.
- http://technet.microsoft.com/sysinternals/bb897544.aspx
PsLoglist v2.7: This version of PsLoglist, a command-line event log display utility, now properly displays event log entries for default event log sources on Windows Vista and higher and accepts wildcard matching for event sources.
- http://technet.microsoft.com/sysinternals/bb897553.aspx
PsExec v1.95: This version of PsExec, a utility for executing applications remotely, fixes an issue that prevented the -i (interactive) switch from working on Windows XP systems with a recent hotfix and includes a number of minor bug fixes.

May 08, 2009

:bigthumb:

AplusWebMaster
2009-05-13, 05:44
FYI...

Security Updates available for Adobe Reader and Acrobat
- http://www.adobe.com/support/security/bulletins/apsb09-06.html
May 12, 2009 - "...Adobe recommends users of Adobe Reader 9.1 and Acrobat 9.1 and earlier versions update to Adobe Reader 9.1.1 and Acrobat 9.1.1. Adobe recommends users of Acrobat 8 update to Acrobat 8.1.5, and users of Acrobat 7 update to Acrobat 7.1.2. For Adobe Reader users who can’t update to Adobe Reader 9.1.1, Adobe has provided the Adobe Reader 8.1.5 and Adobe Reader 7.1.2 updates.
Affected software versions: Adobe Reader 9.1 and earlier versions. Adobe Acrobat Standard, Pro, and Pro Extended 9.1 and earlier versions.
Solution
Adobe Reader: Adobe Reader users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
Adobe Reader users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh
Adobe Reader users on UNIX can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Unix
Acrobat: Acrobat Standard, Pro and Pro Extended users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
Acrobat 3D users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows
Acrobat Pro users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh
Severity rating: Adobe categorizes this as a critical update and recommends that users apply the update for their product installations...

Adobe Reader and Acrobat 9.1.1, 8.1.5 and 7.1.2 Release Notes
- http://kb2.adobe.com/cps/490/cpsid_49013.html
May 12, 2009

:fear:

AplusWebMaster
2009-05-14, 23:48
FYI...

- http://googleblog.blogspot.com/2009/05/this-is-your-pilot-speaking-now-about.html
5/14/2009 - "... An error in one of our systems caused us to direct some of our web traffic through Asia, which created a traffic jam. As a result, about 14% of our users experienced slow services or even interruptions. We've been working hard to make our services ultrafast and "always on," so it's especially embarrassing when a glitch like this one happens. We're very sorry that it happened, and you can be sure that we'll be working even harder to make sure that a similar problem won't happen again..."

- http://isc.sans.org/diary.html?storyid=6388
Last Updated: 2009-05-14 22:36:04 UTC ...(Version: -13-)

- http://asert.arbornetworks.com/2009/05/the-great-googlelapse/
May 14th, 2009 at 4:36 pm

:fear::spider::confused:

AplusWebMaster
2009-05-15, 14:48
FYI...

- http://preview.tinyurl.com/rbxxwa
May 14, 2009 PC World - "A new round of website hijacks is attempting to install malicious, Google-focused software on unpatched PCs, according to security company ScanSafe, further cementing the drive-by-download approach as a bad-guy tactic of choice. The attack, dubbed "Gumblar" by ScanSafe*, starts by hijacking legitimate sites and inserting attack code. The more than 1,500 hacked sites, including Tennis.com and Variety.com, don't represent an especially huge number, but it's growing rapidly. Since last week, the attack has grown by 80 percent, according to the company, and has spiked 188 percent since yesterday.
The inserted attack code attempts to identify old, unpatched vulnerabilities on a victim PC that browses a hacked site, and will take advantage of any discovered hole to install malware. These kinds of drive-by-download attacks are sneaky and dangerous, but the good news is that while the actual exploits used vary as time passes, the company says none have yet gone after zero-day holes that don't yet have a fix available. The attack code has largely gone after PDF and Flash flaws discovered in the last year..."
* http://blog.scansafe.com/journal/2009/5/14/gumblar-qa.html

- http://www.theregister.co.uk/2009/05/14/viral_web_infection/
14 May 2009 - "... The exploit code is unique for every website, making it impossible to identify a compromised site until someone has accidentally surfed there. It uses obfuscated Javascript that's burrowed deep into a website's source code to exploit unpatched vulnerabilities in a visitor's Adobe Flash and Reader programs. Victims then join a botnet that manipulates their Google search results... By injecting ads and links into certain searches, infected users see results that are different than they would otherwise be..."

- http://www.darkreading.com/shared/printableArticle.jhtml?articleID=217500218
May 14, 2009 - "... difficult to find and bring down... its source IP addresses have been traced to Latvia and Russia, and its servers are located in the U.K..."

Gumblar .cn exploit
- http://preview.tinyurl.com/r5cplm
07 May 09 (Unmask Parasites blog)

More Facts about the Gumblar attack
- http://preview.tinyurl.com/qg5c8d
15 May 09 (Unmask Parasites blog)

Troj/JSRedir-R attacks
- http://www.sophos.com/blogs/sophoslabs/v/post/4422
May 14, 2009

• http://google.com/safebrowsing/diagnostic?site=gumblar.cn/
"... Malicious software includes 24 scripting exploit(s), 6 trojan(s)... site has hosted malicious software over the past 90 days. It infected 12799 domain(s)..."

:fear::mad:

AplusWebMaster
2009-05-15, 15:33
FYI...

- http://www.cpsc.gov/cpscpub/prerel/prhtml09/09221.html
May 14, 2009 - "... recall of the following consumer product. Consumers should stop using recalled products immediately unless otherwise instructed.
Name of Product: Lithium-Ion batteries used in Hewlett-Packard and Compaq notebook computers
Units: About 70,000
Importer: Hewlett-Packard Co., of Palo Alto, Calif.
Hazard: The recalled lithium-ion batteries can overheat, posing a fire and burn hazard to consumers..."
(HP Pavilion, Compaq Presario, HP, HP Compaq - see link above for specific models)

- http://www.theinquirer.net/inquirer/news/1137353/hp-recalls-lithium-ion-batteries
15 May 2009 - "... Hewlett-Packard is voluntarily recalling about 70,000 lithium-ion batteries that shipped with several models of its HP and Compaq laptops. Nine models of HP Pavilions, nine models of Compaq Presarios, two HP laptop models, and one HP Compaq laptop model sold between August 2007 and March 2008 all shipped with the dodgy battery... HP said that owners of the affected laptop models should pull the battery out of the machine and give it a ring* so it can ship a free replacement."
* http://bpr.hpordercenter.com/hbpr/M14.aspx

:fear::fear:

AplusWebMaster
2009-05-18, 22:52
More...

- http://isc.sans.org/diary.html?storyid=6403
Last Updated: 2009-05-18 17:54:18 UTC - "... Gumblar/JSRedir-R drive-bys. Although this malware has been around for a while, several A/V vendors and some relatively mainstream news outlets have recently reported a large increase in websites injected with JSRedir-R/Gumblar. According to Sophos* this malware accounted for approximately 42% of all infected websites detected in the last week, nearly 6 times its closest rival. Although the infection method is not clear, given the variety of servers and platforms, it is most likely weak login credentials..."
* http://www.sophos.com/blogs/gc/g/2009/05/14/malicious-jsredir-javascript-biggest-malware-threat-web
May 14, 2009

> http://forums.spybot.info/showpost.php?p=312220&postcount=82

AplusWebMaster
2009-05-19, 19:45
FYI...

- http://preview.tinyurl.com/qlr9ba
05-19-2009 Symantec Security Response Blog - "The malicious code Whac-a-Mole game continues. Just as security vendors start detecting the domains and malware associated with the drive-by download attacks coming from the malicious Gumblar domains, the bad guys are changing the game and popping up from Martuz dot cn, which, according to Who.is, is located in the UK with a 95.129.x.x IP Address. The JavaScript appearing on the websites has also become more obfuscated, making the attacks slightly harder for IT managers and Web administrators to detect. The attackers are easily able to change the obfuscation by substituting portions of the domain name with variables instead of spelling out the domain all at once. The updated malicious JavaScript also performs a test to deliver a different payload for users of Google Chrome browsers, since Chrome has a blacklist of suspicious and malicious domains. The drive-by download tries to exploit a number of underlying vulnerabilities, including some for Adobe Acrobat and Adobe Flash. Users should make sure that their systems are running the latest versions of these and other third-party applications to help mitigate the risk of being compromised.
So how is it that so many websites are compromised at one time? Often it is due to SQL injection errors or direct hacking into the back end of the hosting companies, but it appears that this recent problem may be more about compromised FTP passwords that belonged to the people that administer the websites. In any case, it means the bad guys are able to continually change the malicious code until the admin changes the FTP passwords and blocks the trespassing... We expect the domains and malicious JavaScript appearing on the websites to continually change as one mole is whacked, and another pops up..."

- http://isc.sans.org/diary.html?storyid=6403
Last Updated: 2009-05-19 13:02:01 UTC - "... the dropbox for this trojan, gumblar .cn has been offline since last friday, but a successor has come online, martuz .cn..."

- http://blog.scansafe.com/journal/2009/5/19/gumblar-up-another-7-martuzcn-is-down.html
May 19, 2009
- http://blog.scansafe.com/journal/2009/5/18/japans-geno-gumblar.html
- http://blog.scansafe.com/journal/2009/5/18/gumblar-a-botnet-of-compromised-websites.html

- http://www.us-cert.gov/current/index.html#gumblar_malware_attack_circulating
May 18, 2009

:fear::fear:
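The injected-script pattern the Symantec and ISC posts above describe (eval of an unescape()d string, the drop domain split across variables, a separate branch for Chrome user agents) can be hunted for in a web server's own files. The scanner below is an added example for this thread, not code from any of the quoted sources; the sample pages, the indicator weights and the 20-escape threshold are constructed assumptions.

```python
"""Heuristic scanner for injected, obfuscated <script> blocks of the kind the
Gumblar/Martuz posts above describe: eval() of an unescape()d string, a
known drop domain assembled from string fragments, and a browser check that
serves a different payload to Chrome.  Added example for this thread, not
code from any quoted source; the sample pages below are constructed."""
import re
from typing import Dict, List

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
HEX_ESCAPE_RE = re.compile(r"%[0-9a-fA-F]{2}")
LITERAL_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"")
# Drop domains named in the posts above.
KNOWN_BAD_DOMAINS = ("gumblar.cn", "martuz.cn")
MIN_HEX_ESCAPES = 20   # assumption: a legitimate inline script rarely has this many
FLAG_THRESHOLD = 2     # assumption: one strong or two weak indicators


def concatenated_literals(js: str) -> str:
    """Join every string literal in order, so a domain split across
    variables ('gum', 'blar', '.cn') is seen whole."""
    return "".join(a or b for a, b in LITERAL_RE.findall(js))


def score_script(js: str) -> Dict[str, object]:
    """Weight the indicators seen in one <script> body."""
    score = 0
    reasons: List[str] = []
    if "eval(" in js and ("unescape(" in js or "String.fromCharCode(" in js):
        score += 2
        reasons.append("eval of a decoded string")
    hex_count = len(HEX_ESCAPE_RE.findall(js))
    if hex_count >= MIN_HEX_ESCAPES:
        score += 1
        reasons.append(f"{hex_count} %xx escapes")
    joined = concatenated_literals(js)
    for domain in KNOWN_BAD_DOMAINS:
        if domain in js:
            score += 2
            reasons.append(f"{domain} referenced")
        elif domain in joined:
            score += 2
            reasons.append(f"{domain} assembled from string fragments")
    if "navigator.userAgent" in js and "Chrome" in js:
        score += 1
        reasons.append("payload branch on the Chrome user agent")
    return {"score": score, "reasons": reasons, "suspicious": score >= FLAG_THRESHOLD}


def scan_page(html: str) -> List[Dict[str, object]]:
    """Return one finding per suspicious <script> block, with its position."""
    findings = []
    for index, body in enumerate(SCRIPT_RE.findall(html)):
        result = score_script(body)
        if result["suspicious"]:
            findings.append({"script_index": index, **result})
    return findings


def scan_site(pages: Dict[str, str]) -> Dict[str, List[Dict[str, object]]]:
    """Map each page path to its findings, keeping only pages that have any."""
    report = {}
    for path, html in pages.items():
        findings = scan_page(html)
        if findings:
            report[path] = findings
    return report


def percent_encode(text: str) -> str:
    """Encode every character as %xx, the form unescape() decodes
    (used only to build the constructed sample)."""
    return "".join(f"%{ord(ch):02x}" for ch in text)


# Constructed sample site: the encoded payload decodes to a harmless placeholder.
SAMPLE_ENCODED = percent_encode("document.write('constructed placeholder')")
SAMPLE_PAGES = {
    "index.html": (
        "<html><head><script>function init(){"
        "document.getElementById('x').innerText='hi';}</script></head>"
        "<body onload='init()'><div id='x'></div></body></html>"
    ),
    "about.html": (
        "<html><body><p>About us</p>"
        "<script>var a='gum',b='blar',c='.cn';"
        f"eval(unescape('{SAMPLE_ENCODED}'));"
        "if(navigator.userAgent.indexOf('Chrome')>0){}</script></body></html>"
    ),
    "news.php": (
        "<html><body><script>var h='mar'+'tuz'+'.cn';</script></body></html>"
    ),
}

if __name__ == "__main__":
    for path, findings in scan_site(SAMPLE_PAGES).items():
        print(path, findings)
```

A flagged file is a reason to diff the site against a known-good copy and, as the ISC and Symantec posts note, to change the FTP credentials used to administer it.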

AplusWebMaster
2009-05-22, 13:19
FYI...

QuickTime vuln - unpatched
- http://secunia.com/advisories/35091/
Release Date: 2009-05-22
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Software: Apple QuickTime 7.x ...
... The vulnerability is caused due to an error in the processing of "0x77" tags within PICT images, which can be exploited to cause a heap-based buffer overflow when the user opens a specially crafted PICT image or visits a malicious web site...
Solution: Do not browse untrusted web sites. Do not open files from untrusted sources..."

Fix/patch released:
- http://forums.spybot.info/showpost.php?p=315588&postcount=2
2009-06-01

:sad::fear:

AplusWebMaster
2009-05-22, 19:40
FYI...

Gumblar/Martuz/Geno attack
- http://isc.sans.org/diary.html?storyid=6430
Last Updated: 2009-05-21 19:29:48 UTC - "... client side analysis* and writeup of recent gumblar malware attacks..."
* http://preview.tinyurl.com/pc26gr
May 21, 2009 InfoSec from the trenches - "... Once compromised by the Gumblar/Martuz/Geno, victims will have many pieces of malware loaded onto their machines; this malware does the following:
• Steals FTP credentials
• Sends SPAM
• Installs fake anti virus
• Hijacks Google search queries
• Disables security software
The exploits used are for Adobe Acrobat and Adobe Flash Player...
...this is a very large attack encompassing many malicious payloads..."

// http://forums.spybot.info/showpost.php?p=312220&postcount=82

AplusWebMaster
2009-06-05, 08:52
FYI...

- http://www.theregister.co.uk/2009/06/04/3fn_shut_down/
4 June 2009 - "Federal authorities have shut down what they said was the worst US-based web hosting provider after convincing a judge it actively participated in the distribution of child pornography, spam, malware, and other net-based menaces. The US Federal Trade Commission obtained the court order against 3FN.net, a service provider with servers mostly located in San Jose, California that also operated under the name Pricewert. Dated June 2, it commanded all companies providing upstream services to 3FN to immediately pull the plug. The order was issued in secret to prevent the operators from being able to destroy evidence or find new hosts, something FTC attorneys said was necessary given the extreme nature of the data it hosted. "This content includes a witches' brew of child pornography, botnet command and control servers, spyware, viruses, trojans, phishing-related sites, and pornography featuring violence, bestiality, and incest," they wrote in court documents. "In addition to recruiting and willingly distributing this illegal, malicious and harmful content, Pricewert actively colludes with its criminal clientele in several areas, including the maintenance and deployment of networks of compromised computers known as botnets." This week's action is the most significant shutdown since the shuttering in November of McColo, another Northern California-based service provider with ties to online crime... One of the biggest complaints among white hat hackers is the difficulty of shutting down networks that flagrantly violate the law. This week's action is the first time the FTC has used its congressional mandate to protect US consumers to sever a service provider suspected of illegal activity... Court documents are available here*."
* http://www.ftc.gov/os/caselist/0923148/index.shtm

- http://news.cnet.com/8301-1009_3-10257588-83.html
June 4, 2009 - "... In its filings with the district court, the FTC estimates that more than 4,500 malicious software programs are controlled by command-and-control servers hosted by 3FN. This malware includes programs capable of keystroke logging, password and data stealing, programs with hidden backdoor remote control activity, and programs involved in spam distribution. This case was brought to light with the assistance of multiple agencies and people including NASA's Office of Inspector General; the Department of Justice's Computer Crime Division; Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham; the National Center for Missing and Exploited Children; the Shadowserver Foundation; the Spamhaus Project; and Symantec..."

- http://www.informationweek.com/shared/printableArticle.jhtml?articleID=217701956
June 4, 2009 - "... The only entity named in the case is Pricewert. Ethan Arenson, an attorney with the FTC's Bureau of Consumer Protection, said that the individuals behind the company are overseas in Eastern Europe. He declined to comment on a possible extradition effort or coordination with authorities abroad. Whether the individuals doing business as Pricewert will face charges remains an open question. Pricewert is essentially an Oregon shell corporation with some servers in San Jose..."

- http://voices.washingtonpost.com/securityfix/pushdo.htm

- http://asert.arbornetworks.com/2009/06/things-in-3fn/

:bigthumb:

AplusWebMaster
2009-06-10, 13:52
FYI...

Adobe Reader and Acrobat updated
- http://www.adobe.com/support/security/bulletins/apsb09-07.html
June 9, 2009
"Adobe Reader: Adobe Reader users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows .
Adobe Reader users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh .

Acrobat: Acrobat Standard, Pro and Pro Extended users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows .
Acrobat 3D users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows .
Acrobat Pro users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh ...

Critical vulnerabilities have been identified in Adobe Reader 9.1.1 and Acrobat 9.1.1 and earlier versions. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.
Adobe recommends users of Adobe Reader and Acrobat update their product installations to versions 9.1.2, 8.1.6, or 7.1.3 using the instructions above to protect themselves from potential vulnerabilities...
Severity rating: Adobe categorizes this as a critical update and recommends that users apply the update for their product installations..."

- http://secunia.com/advisories/34580/2/
Release Date: 2009-06-10
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Partial Fix ...
Original Advisory: Secunia Research: http://secunia.com/secunia_research/2009-24/
Adobe: http://www.adobe.com/support/security/bulletins/apsb09-07.html

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0198
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0509
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0510
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0511
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0512
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0888
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0889
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1855
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1856
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1857
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1858
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1859
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1861

:fear:

AplusWebMaster
2009-06-10, 20:15
FYI...

- http://blog.trendmicro.com/beware-of-repackaged-hijackthis-downloads/
June 9, 2009 - "HijackThis™ is one of the well-known free utilities of Trend Micro that quickly scans a user’s Windows computer to find settings that may have been changed by spyware, malware, or other unwanted programs. By itself, it does not determine what is good or bad but it lists registry keys and file system locations of the scanned system where unwanted programs potentially could reside. Only experienced users and IT experts with outstanding practice in HijackThis could use the initial text information without the community help. Almost all users of this tool rely on the online evaluation and analysis of the report, provided by several HijackThis communities. A list of some of these communities can be found here*. Edgardo Diaz, Jr., Escalation Engineer in TrendLabs, found a certain executable program (Loaris Trojan Remover) that contained the HijackThis program repackaged using Delphi-based packager InnoSetup. Upon extraction, the user interface (UI) gives the user the option of running HijackThis from an external source. The application really does install HijackThis on the user’s computer. Unlike the real version, however, Loaris’ repackaged version sells its own antivirus solution using HijackThis as a come-on. Users who are really interested in using HijackThis may thus be tricked into buying the antivirus by accepting the end-user license agreement (EULA - see Screenshot at the Trendmicro URL above) that comes with the installer.
>>> Beware, Trend Micro does NOT sell nor intend to sell HijackThis. Trend Micro supports its communities by providing information and updates to registry keys, validity of system or BHO (browser helper object) files. Details and free downloads are available at TrendSecure web site**.
** http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis
This is not the first, not the only and not the last software used in illicit schemes. Users are strongly advised to download software only from the official vendor sites or highly trusted communities."
* http://hjt-data.trendmicro.com/hjt/analyzethis/index.php

:mad:

AplusWebMaster
2009-06-17, 07:39
FYI...

Adobe Reader UNIX update v9.1.2
- http://www.adobe.com/support/security/bulletins/apsb09-07.html
June 16, 2009 - Bulletin updated with link to Adobe Reader UNIX update...
Adobe Reader users on UNIX can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Unix ..."

:fear:

AplusWebMaster
2009-06-18, 15:36
FYI...

Apple iPhone / iPod touch multiple vulns - update available
- http://secunia.com/advisories/35449/2/
Release Date: 2009-06-18
Critical: Highly critical
Impact: Security Bypass, Cross Site Scripting, Exposure of sensitive information, DoS, System access
Where: From remote
Solution Status: Vendor Patch
OS: Apple iPhone, Apple iPod touch
Original Advisory: Apple: http://support.apple.com/kb/HT3639 ...

iPhone OS 3.0 Software Update
> http://www.apple.com/iphone/softwareupdate/

:fear:

AplusWebMaster
2009-06-18, 15:37
FYI...

IrfanView vuln - update available
- http://secunia.com/advisories/35359/2/
Release Date: 2009-06-18
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: IrfanView 4.x ...
Solution: Update to version 4.25.
http://irfanview.com/main_download_engl.htm ...

Also: The current PlugIns version is: 4.25
- http://www.software.com/irfanview-plugin

- http://www.irfanview.net/main_history.htm
Release date: 2009-06-16

:fear::spider:

AplusWebMaster
2009-06-23, 01:59
FYI...

- http://isc.sans.org/diary.html?storyid=6619
Published: 2009-06-21 - "...Upon further investigation it appears that her server had been compromised by exploitation of the vulnerability detailed in PMASA-2009-4**. The attacker uploaded a lot of the same old types of tools such as a misnamed EnergyMech IRC bot, a perl based UDP flooding tool, and an automated tool to attempt phpMyAdmin. It is now past time to update to phpMyAdmin 3.1.3.2* (or higher) and/or to update firewall rules to limit the public Internet from touching this web application...
06/22/2009 22:30 UTC - ...more reports locally about activity which seems to point to phpMyAdmin scanning and exploitation..."

* http://www.phpmyadmin.net/home_page/index.php
phpMyAdmin 3.2.0
File Release Notes and Changelog
- http://sourceforge.net/project/shownotes.php?release_id=690019
Last Update: Jun 15 2009

** http://www.phpmyadmin.net/home_page/security/PMASA-2009-4.php

:fear:

AplusWebMaster
2009-06-23, 15:01
FYI...

Foxit Reader vuln - update available
- http://secunia.com/advisories/35512/2/
Release Date: 2009-06-22
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Foxit Reader JPEG2000/JBIG Decoder Add-On 2.x
Solution: Update to version 2.0 Build 2009.616.
http://www.foxitsoftware.com/downloads/addons/jpg_decoder2.0.20096.html
Original Advisory: US-CERT VU#251793:
http://www.kb.cert.org/vuls/id/251793
"...This issue is addressed in Foxit Reader 3.0 Build 1817 ..."
Foxit Software:
http://www.foxitsoftware.com/pdf/reader/security.htm#0602

- http://www.foxitsoftware.com/downloads/
Foxit Reader 3.0 Build 1817(exe) 3.57MB 06/19/09
JPEG2000/JBIG Decoder 2.0 Build 2009.616(fzip) 169KB 06/19/09

- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0690
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0691

-OR-
From an Admin account >Start Foxit Reader >Help >Check for Updates (select/add) ...Build 1817 ...Install

:fear:

AplusWebMaster
2009-06-24, 07:11
FYI...

Thunderbird v2.0.0.22 released
- http://www.mozillamessaging.com/thunderbird/
June 22, 2009

- http://secunia.com/advisories/35440/2/
Last Update: 2009-06-23
Critical: Highly critical
Impact: Security Bypass, Spoofing, DoS, System access
Where: From remote...
Solution: Update to version 2.0.0.22, which fixes some of the vulnerabilities...

- http://www.mozilla.org/security/known-vulnerabilities/thunderbird20.html#thunderbird2.0.0.22
Fixed in Thunderbird 2.0.0.22
MFSA 2009-33 Crash viewing multipart/alternative message with text/enhanced part
MFSA 2009-32 JavaScript chrome privilege escalation
MFSA 2009-29 Arbitrary code execution using event listeners attached to an element whose owner document is null
MFSA 2009-27 SSL tampering via non-200 responses to proxy CONNECT requests
MFSA 2009-24 Crashes with evidence of memory corruption (rv:1.9.0.11)
MFSA 2009-17 Same-origin violations when Adobe Flash loaded via view-source: scheme
MFSA 2009-14 Crashes with evidence of memory corruption (rv:1.9.0.9)

:fear:

AplusWebMaster
2009-06-24, 07:24
FYI...

Shockwave Player vuln - update v11.5.0.600 available
- http://www.adobe.com/support/security/bulletins/apsb09-08.html
June 23, 2009 - "A critical vulnerability has been identified in Adobe Shockwave Player 11.5.0.596 and earlier versions. This vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected system... To resolve this issue, Shockwave Player users on Windows should -uninstall- Shockwave version 11.5.0.596 and earlier on their systems, restart, and install Shockwave version 11.5.0.600, available here: http://get.adobe.com/shockwave/ . This issue is remotely exploitable..."

- http://voices.washingtonpost.com/securityfix/2009/06/critical_security_fix_for_adob.html
June 25, 2009 - "...Readers should be aware that by default this patch will also try to install Symantec's Norton Security Scan, a clever marketing tool by Symantec that checks to see if you have malware on your system and then prompts you to buy their software to remove any found items. I find the bundling of a serious security update with this otherwise useless tool annoying, and potentially counter-productive... did they borrow the idea from the people pushing rogue anti-virus products (or was it the other way around?) At any rate, if you don't want this extra software, be sure to deselect that option before proceeding with the update."

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1860
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2186

- http://secunia.com/advisories/35544/2/
Release Date: 2009-06-24
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Shockwave Player 11.x ...
Solution: Uninstall versions prior to 11.5.0.600, restart the system, and install version 11.5.0.600:
http://get.adobe.com/shockwave/

- http://www.us-cert.gov/current/#adobe_releases_update_for_shockwave
June 24, 2009

:fear:

AplusWebMaster
2009-07-06, 20:06
FYI...

Koobface worm infections exploding
- http://www.threatpost.com/blogs/koobface-worm-infections-exploding
July 6, 2009 - "In June, we saw an explosive rise in the number of Koobface modifications - the number of variants we detected jumped from 324 at the end of May to nearly 1000 by the end of June. And this weekend brought another flood, bringing us up to 1049 at the time of writing... Koobface spreads via major social networking sites like Facebook and MySpace. It's now spreading via Twitter as well... the pool of potential victims is growing day by day - just take a look at the Alexa stats* for Facebook. So naturally, cybercriminals are going to be targeting these sites more and more often."
* http://www.alexa.com/siteinfo/facebook.com
"... Percent of global Internet users who visit facebook.com:
... 7 day avg: 20.01% ..."

:fear::mad::fear:

AplusWebMaster
2009-07-09, 04:34
FYI...

Hotfix available for potential ColdFusion 8 input sanitization issue
- http://www.adobe.com/support/security/bulletins/apsb09-09.html
July 8, 2009 - "... Adobe recommends affected ColdFusion customers update their installation using the instructions below:
NOTE: ColdFusion 8 customers who have not already done so should first update to ColdFusion 8.0.1*
* http://www.adobe.com/support/coldfusion/downloads_updates.html#cf8 ...
Severity rating: Adobe categorizes this as a critical issue and recommends affected users patch their installations..."
Revisions: July 9, 2009 - Bulletin updated with Acknowledgment and information on ColdFusion 8.0 hotfix
(More detail and links at the first URL above.)

- http://secunia.com/advisories/35747/2/
Release Date: 2009-07-09
Critical: Highly critical
Impact: Exposure of system information, Exposure of sensitive information, System access
Solution: Update to version 8.0.1 and apply hot fix...

- http://blog.trendmicro.com/coldfusion-spurs-another-mass-compromise/
July 8, 2009

:fear:

AplusWebMaster
2009-07-11, 11:49
FYI...

Imageshack - pwned
- http://isc.sans.org/diary.html?storyid=6769
Last Updated: 2009-07-11 03:43:37 UTC - "... Imageshack was attacked by the anti-sec group. This seems to be affecting other sites that draw images from imageshack such as user pages on blogger.com. Details were posted on Full Disclosure by anti-sec*. The "session" they display reminds us of the log file they made public following their attack on SSANZ** last weekend..."

* http://seclists.org/fulldisclosure/2009/Jul/0095.html
11 Jul 2009 05:15:36 +0300

** http://seclists.org/fulldisclosure/2009/Jul/0028.html
04 Jul 2009

:fear::mad:

AplusWebMaster
2009-07-29, 06:43
FYI...

Adobe Shockwave v11.5.1.601 released
- http://www.adobe.com/support/security/bulletins/apsb09-11.html
July 28, 2009 - "...Adobe recommends Shockwave Player users on Windows install Shockwave version 11.5.1.601, available here: http://get.adobe.com/shockwave/ .
Users who are unable to update to version 11.5.1.601 of Shockwave Player should consider installing MS09-034. As a defense-in-depth measure, this Internet Explorer security update helps mitigate known attack vectors within Internet Explorer for those components and controls, such as Shockwave Player, that have been developed with vulnerable versions of ATL as described in Microsoft Security Advisory (973882) and Microsoft Security Bulletin MS09-035... Adobe categorizes this as a critical update and recommends that users apply the update for their product installations..."

Once again ...
- http://voices.washingtonpost.com/securityfix/2009/06/critical_security_fix_for_adob.html
"... by default this patch will also try to install Symantec's Norton Security Scan, a clever marketing tool by Symantec that checks to see if you have malware on your system and then prompts you to buy their software to remove any found items. I find the bundling of a serious security update with this otherwise useless tool annoying, and potentially counter-productive... did they borrow the idea from the people pushing rogue anti-virus products (or was it the other way around?) At any rate, if you don't want this extra software, be sure to deselect that option before proceeding with the update."

- http://secunia.com/advisories/36049/2/
Release Date: 2009-07-29
Critical: Highly critical
Impact: System access, Exposure of sensitive information, Security Bypass
Where: From remote
Solution Status: Vendor Patch
Software: Shockwave Player 10.x, Shockwave Player 11.x, Shockwave Player 8.x, Shockwave Player 9.x
Solution: Update to version 11.5.1.601.
http://get.adobe.com/shockwave/
Original Advisory:
http://www.adobe.com/support/security/bulletins/apsb09-11.html ...

- http://www.us-cert.gov/current/#adobe_releases_shockware_player_11
updated July 31, 2009

Test site: http://www.adobe.com/shockwave/welcome/

:fear:

AplusWebMaster
2009-07-31, 22:36
FYI...

Adobe Reader v9.1.3 - Acrobat v9.1.3 released
- http://www.adobe.com/support/security/advisories/apsa09-03.html
Last Updated: July 31, 2009
"...Adobe Reader
Users who download the full 9.1 installer from http://get.adobe.com/reader/ will be offered the Adobe Reader 9.1.3 patch by the Adobe Updater technology on first launch. Users can also click "Help > Check for Updates" to be sure their installation is fully patched and up-to-date...
Adobe Reader users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows.
... Adobe Reader 9.1.3 update - Multiple Languages | 1.6MB | 7/31/2009 ...
Adobe Reader users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh.
Adobe Reader users on UNIX can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Unix.
Acrobat
Acrobat Standard and Pro users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows.
... Adobe Acrobat 9.1.3 Professional and Standard Update - Multiple Languages 1.6MB | 7/31/2009
Acrobat Pro Extended users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows.
Acrobat Pro users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh.
Severity rating
Adobe categorizes these as critical issues and recommends affected users patch their installations..."

:fear:

AplusWebMaster
2009-08-18, 15:00
FYI...

Adobe ColdFusion / JRun multiple vulns - updates available
- http://secunia.com/advisories/36329/2/
Release Date: 2009-08-18
Critical: Moderately critical
Impact: Security Bypass, Cross Site Scripting, Exposure of system information, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe ColdFusion 8.x, Adobe ColdFusion MX 7.x, Macromedia Jrun 4.x ...
Original Advisory: Adobe:
http://www.adobe.com/support/security/bulletins/apsb09-12.html
"... Adobe categorizes these as critical issues and recommends affected users patch their installations..."

- http://www.us-cert.gov/current/index.html#adobe_releases_hotfixes_for_coldfusion
August 18, 2009

- http://www.adobe.com/support/security/bulletins/apsb09-12.html
August 21, 2009 - Bulletin updated with additional information regarding CVE-2009-1876.

> http://download.macromedia.com/pub/coldfusion/updates/ReadMe_1872_1877.txt
"ColdFusion... hotfix includes fixes for CVE-2009-1872, CVE-2009-1877..."
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1872
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1877

> http://download.macromedia.com/pub/coldfusion/updates/ReadMe_1875.txt
"ColdFusion... hotfix for ColdFusion 7.0.2, ColdFusion 8, ColdFusion 8.0.1..."
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1875

> http://download.macromedia.com/pub/coldfusion/updates/ReadMe_1876.txt
"ColdFusion... fix for CVE-2009-1876..."
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1876

> http://download.macromedia.com/pub/coldfusion/updates/ReadMe_1878.txt
"... hotfix for ColdFusion 7.0.2, ColdFusion 8, ColdFusion 8.0.1.."
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1878

> http://download.macromedia.com/pub/coldfusion/updates/ReadMe_1873_1874.txt
"JRun... fixes for CVE-2009-1873, CVE-2009-1874..."
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1873
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-1874

:fear::fear:

AplusWebMaster
2009-08-26, 16:42
FYI...

Sites pulling sneaky Flash cookie-snoop
- http://www.theregister.co.uk/2009/08/19/flash_cookies/
19 August 2009 - "Many websites are using Flash-based cookies to track users, but often omit to mention this in their privacy policies... Browser-based cookies constitute a well understood and widely deployed technology that poses serious questions about privacy, depending on its usage. What's far less well known is that Adobe Flash software also features cookies that can be used in much the same way as HTTP cookies. Flash cookies can be used for storing the volume level of a Flash video but the technology can also be used as "secondary, redundant unique identifiers that enable advertisers to circumvent user preferences and self-help"... researchers conclude that Flash cookies are more effective at tracking users' visits around websites than traditional HTTP cookies because they operate in the shadows and are infrequently removed. By default Flash cookies have no built-in expiration date. Browser-based actions such as deleting browser histories or switching to private mode does not affect the operation of Flash cookies..."

- https://addons.mozilla.org/firefox/addon/6623
Better privacy - "... Concerning privacy, Flash- and DOM Storage objects are most critical. This addon was made to make users aware of those hidden, never expiring objects and to offer an easy way to get rid of them - since browsers are unable to do that for you. Flash-cookies (Local Shared Objects, LSO) are pieces of information placed on your computer by a Flash plugin. Those Super-Cookies are placed in central system folders and so protected from deletion..."

> http://www.macromedia.com/support/documentation/en/flashplayer/help/settings_manager07.html

:fear:
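The articles above make the point that Flash LSOs sit in a central folder the browser never clears. The script below is an added example (not from The Register, the BetterPrivacy add-on or the poster) that inventories the #SharedObjects tree by site, ranks the busiest writers and purges everything except named domains. The profile locations in candidate_roots() and the on-disk layout <root>/#SharedObjects/<random>/<domain>/... are this example's assumptions; the demo builds a constructed tree in a temporary directory so it runs anywhere.

```python
import os
import tempfile
import time
from pathlib import Path

def candidate_roots():
    """Usual Flash Player profile locations (assumptions of this example)."""
    roots = [Path(os.environ.get("APPDATA", ".")) / "Macromedia" / "Flash Player"]  # Windows
    try:
        home = Path.home()
        roots.append(home / "Library" / "Preferences" / "Macromedia" / "Flash Player")  # macOS
        roots.append(home / ".macromedia" / "Flash_Player")                             # Linux
    except RuntimeError:
        pass  # no resolvable home directory
    return roots

def inventory_lsos(root):
    """List every .sol under <root>/#SharedObjects/<random>/<domain>/...,
    recording the site that wrote it, its size and its age in days."""
    store = Path(root) / "#SharedObjects"
    found = []
    if not store.is_dir():
        return found
    now = time.time()
    for rand_dir in sorted(p for p in store.iterdir() if p.is_dir()):
        for domain_dir in sorted(p for p in rand_dir.iterdir() if p.is_dir()):
            for sol in sorted(domain_dir.rglob("*.sol")):
                st = sol.stat()
                found.append({
                    "domain": domain_dir.name,
                    "rel": str(sol.relative_to(domain_dir)),
                    "full": sol,
                    "bytes": st.st_size,
                    "age_days": (now - st.st_mtime) / 86400.0,
                })
    return found

def domains_by_count(entries):
    """(domain, number of objects) pairs, busiest writers first."""
    counts = {}
    for e in entries:
        counts[e["domain"]] = counts.get(e["domain"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

def purge_lsos(root, keep_domains=()):
    """Delete all LSOs except those written by keep_domains; return count removed."""
    removed = 0
    for e in inventory_lsos(root):
        if e["domain"] in keep_domains:
            continue
        e["full"].unlink()
        removed += 1
    return removed

def build_demo_store(base):
    """Constructed #SharedObjects tree with placeholder .sol files (sample data)."""
    layout = {
        "tracker.example.com": ["uid/visitor.sol", "uid/history.sol"],
        "video.example.net": ["player/volume.sol"],
        "ads.example.org": ["id.sol", "readme.txt"],  # the .txt must be ignored
    }
    for domain, files in layout.items():
        for rel in files:
            p = Path(base) / "#SharedObjects" / "A1B2C3D4" / domain / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(b"\x00\xbf" + b"\x00" * 14)  # placeholder, not a real LSO body
    return base

def run_demo():
    """Build the sample store, inventory it, purge all but one site.
    Returns (objects found, busiest domain, objects removed, domains left)."""
    with tempfile.TemporaryDirectory() as d:
        build_demo_store(d)
        inv = inventory_lsos(d)
        busiest = domains_by_count(inv)[0]
        removed = purge_lsos(d, keep_domains={"video.example.net"})
        left = sorted({e["domain"] for e in inventory_lsos(d)})
    return len(inv), busiest, removed, left

if __name__ == "__main__":
    for root in candidate_roots():
        for dom, n in domains_by_count(inventory_lsos(root)):
            print(f"{n:3d} object(s) from {dom}  [{root}]")
    print(run_demo())
```

Running the inventory on a real profile is the quick way to see which sites have written objects you never knowingly accepted; the Adobe settings manager linked below is the supported way to change the policy going forward.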

AplusWebMaster
2009-08-29, 16:22
FYI...

- http://countermeasures.trendmicro.eu/apache-ssh-key-compromised/
Aug. 28, 2009 - "... Details of the attack/compromise are few at the moment, as this is breaking news. It is worth remembering however that a compromised SSH key led to in-the-wild exploitation of Linux based systems exactly this time last year, for the purposes of installing rootkits. Keep your eye on how this story develops. Apache servers account for around 50% of all web servers in the July 2009 web server survey*."
* http://news.netcraft.com/archives/2009/07/28/july_2009_web_server_survey.html

- https://blogs.apache.org/infra/entry/apache_org_downtime_initial_report
Aug 28, 2009

> http://isc.sans.org/diary.html?storyid=7030
Last Updated: 2009-08-28 14:32:28 UTC ...(Version: 2) - "... compromised due to an SSH key being exposed. The SSH key was used by an account to perform backups. No vulnerabilities in apache or ssh software were used in this attack. When the incident was identified apache cut access to all of their services as a containment measure. Their web sites are now back online..."

> https://blogs.apache.org/infra/entry/apache_org_downtime_report
Sep 02, 2009

:fear::spider::fear:
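The ISC summary above says the key that was exposed belonged to a backup account, and that no software bug was needed. A key used by an unattended job should be pinned to a source address and a forced command, with PTY and forwarding switched off, so a leaked private half buys an attacker one rsync rather than a shell. The audit below is an added example (not Apache's or the poster's code) that parses authorized_keys lines, including quoted option values containing commas, and reports which keys lack those restrictions. The option names are the ones documented in sshd(8); the sample file and the paths in its command= values are constructed for this example.

```python
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")
# Options a key used by an unattended job should carry (sshd(8) authorized_keys format).
REQUIRED = ("from", "command")
LOCKDOWN = ("no-pty", "no-port-forwarding", "no-agent-forwarding", "no-x11-forwarding")

def _split_outside_quotes(text, sep):
    """Split on sep, ignoring separators inside double quotes (backslash escapes honoured)."""
    parts, cur, inq, i = [], [], False, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and inq and i + 1 < len(text):
            cur.append(text[i:i + 2]); i += 2; continue
        if c == '"':
            inq = not inq
        if c == sep and not inq:
            parts.append("".join(cur)); cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts

def _key_start(line):
    """Index where the key type begins, skipping anything inside quoted option values."""
    inq, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and inq:
            i += 2; continue
        if c == '"':
            inq = not inq
        elif not inq and (i == 0 or line[i - 1] == " "):
            for kt in KEY_TYPES:
                if line.startswith(kt + " ", i):
                    return i
        i += 1
    return -1

def parse_line(line):
    """Return {options, type, key, comment} or None for blank/comment/malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    start = _key_start(line)
    if start < 0:
        return None
    fields = line[start:].split(None, 2)
    if len(fields) < 2:
        return None
    options = {}
    for opt in filter(None, _split_outside_quotes(line[:start].strip(), ",")):
        name, eq, value = opt.partition("=")
        options[name.strip().lower()] = value.strip().strip('"') if eq else True
    return {"options": options, "type": fields[0], "key": fields[1],
            "comment": fields[2] if len(fields) > 2 else ""}

def audit(lines):
    """Per key: which least-privilege options are missing."""
    findings = []
    for n, raw in enumerate(lines, 1):
        k = parse_line(raw)
        if k is None:
            continue
        o = k["options"]
        problems = [f"missing {r}=" for r in REQUIRED if r not in o]
        if "restrict" not in o:  # OpenSSH 7.2+ shorthand for the whole no-* set
            problems += [f"missing {f}" for f in LOCKDOWN if f not in o]
        if k["type"] == "ssh-dss":
            problems.append("DSA key (ssh-dss) should be replaced")
        findings.append({"line": n, "comment": k["comment"], "problems": problems})
    return findings

def unrestricted_lines(lines):
    """Line numbers of keys that fail the audit."""
    return [f["line"] for f in audit(lines) if f["problems"]]

# Constructed sample file (not apache.org's). Key material and command paths are illustrative.
SAMPLE = """\
# backup key as often deployed: whoever holds the private half gets a full shell
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAexample1 backup@build-host
# same role, pinned to one source address and one forced command
from="192.0.2.10",command="/usr/local/bin/rrsync -ro /srv/www",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAexample2 backup@locked
restrict,from="192.0.2.0/24",command="/usr/bin/logger -t probe,key3" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIexample3 probe
"""

if __name__ == "__main__":
    for f in audit(SAMPLE.splitlines()):
        print(f"line {f['line']} ({f['comment'] or 'no comment'}): "
              f"{', '.join(f['problems']) or 'ok'}")
```

Run it against ~/.ssh/authorized_keys on each host that accepts automated logins; any line it flags is a key whose compromise would hand over the whole account, which is the failure mode the incident above describes.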

AplusWebMaster
2009-09-03, 14:00
FYI...

Foxit Reader v3.1.1.0901 released
- http://www.foxitsoftware.com/pdf/reader/bugfix.htm
Fixed in Foxit Reader 3.1.1.0901
1. The reported issue of Foxit Reader 3.1.0.0824 crashing when users are viewing certain PDF files has been updated and is no longer a problem.
2. Fixed an issue where Foxit Reader may not be launched in the system without installing Microsoft Visual C++ 2005 Redistributable.

- http://www.foxitsoftware.com/downloads/index.php
Foxit Reader 3.1.1.0901(exe) - 5.05 MB - 09/03/09
-OR-
From an Admin account >Start Foxit Reader >Help >Check for Updates (select/add) ...FoxIt Reader 3.1.1.0901 Upgrade ...Install

:fear:

AplusWebMaster
2009-09-07, 16:08
FYI...

- http://news.cnet.com/8301-1009_3-10345900-83.html
September 5, 2009 - "A worm is circulating that can post malware and spam to some WordPress blogs using outdated versions of the blogging software... The vulnerability allowing the attack was discovered August 11, at which point WordPress encouraged users to upgrade to version 2.8.4... The worm does not affect the current version 2.8.4 and the one prior to it. And it only affects people who host their own WordPress blog. Blogs hosted on WordPress.com are unaffected..."

- http://wordpress.org/development/2009/09/keep-wordpress-secure/
September 5, 2009

WordPress v2.8.4 released
- http://wordpress.org/download/
August 12, 2009 - "The latest stable release of WordPress (Version 2.8.4) is available..."

- http://secunia.com/advisories/36237/2/
Release Date: 2009-08-12

:fear::mad:

AplusWebMaster
2009-10-06, 14:51
FYI...

Hotmail user info leaked...
- http://blog.trendmicro.com/windows-live-hotmail-user-information-leaked/
Oct. 6, 2009

Time to change your hotmail password
- http://isc.sans.org/diary.html?storyid=7276
Last Updated: 2009-10-05 23:33:47 UTC - "... Microsoft has confirmed that thousands of Windows Live accounts have been compromised with their passwords posted online... Some information is posted here*..."
* http://windowslivewire.spaces.live.com/blog/cns!2F7EB29B42641D59!41528.entry?wa=wsignin1.0&sa=363915619
10/5/2009

:fear::fear:

AplusWebMaster
2009-10-06, 21:09
FYI...

Gmail, AOL, Yahoo all hit by webmail phishing scam
- http://www.theregister.co.uk/2009/10/06/gmail_webmail_phish/
6 October 2009 - "Google has confirmed that Gmail has also been targeted by an "industry-wide phishing scheme" which first hit Hotmail accounts. Yahoo! and AOL are also reportedly affected. Hackers used fake websites to gain the login credentials attached to various webmail accounts. The attack emerged after a list of 30,000 purloined usernames and passwords was posted online. These leaked details reportedly referred to Gmail, Comcast and Earthlink accounts. A second list containing webmail addresses and passwords referring to Hotmail, Yahoo, AOL and Gmail also surfaced online. Some of the addresses on this list were old and fake, but at least some were genuine, the BBC reports*. Both lists have been taken offline, so are no longer directly accessible. The search engine giant confirmed that an unspecified number of accounts were compromised, adding that it had reset the passwords of the compromised accounts... The combined incidents serve to further illustrate the importance of password security. Using a different, hard-to-guess password on every site is a very good start in this direction."
* http://news.bbc.co.uk/2/hi/technology/8292928.stm

- http://www.eset.com/threat-center/blog/2009/10/06/webmail-hacks
October 6, 2009 - "... If you receive an email telling you to provide your password it is a phish. That is as simple as it gets. Never give out your password..."

:fear::fear:

AplusWebMaster
2009-10-07, 12:25
FYI...

FBI warns public of fraudulent SPAM email
- http://www.us-cert.gov/current/#federal_bureau_of_investigation_warns
October 6, 2009 - "The Federal Bureau of Investigation (FBI) has released information warning the public about fraudulent email messages purporting to come from the FBI or the Department of Homeland Security. These email messages contain a malicious attachment that claims to provide an intelligence report or bulletin, but in reality attempts to launch malware on the user's system. More information regarding these messages can be found in the Federal Bureau of Investigation's New E-Scams and Warnings web site*. To help protect against this type of attack, US-CERT recommends that users avoid opening attachments contained in unsolicited email messages..."
* http://www.fbi.gov/cyberinvest/escams.htm

:fear:

AplusWebMaster
2009-10-08, 23:51
FYI...

Adobe Reader/Acrobat vuln - unpatched
- http://blogs.adobe.com/psirt/2009/10/adobe_reader_and_acrobat_issue_1.html
October 8, 2009 - "Adobe is aware of reports of a critical vulnerability in Adobe Reader and Acrobat 9.1.3 and earlier (CVE-2009-3459) on Windows, Macintosh and UNIX. There are reports that this issue is being exploited in the wild in limited targeted attacks; the exploit targets Adobe Reader and Acrobat 9.1.3 on Windows. Adobe plans to resolve this issue as part of the upcoming Adobe Reader and Acrobat quarterly security update*, scheduled for release on October 13. Adobe Reader and Acrobat 9.1.3 customers with DEP enabled on Windows Vista will be protected from this exploit. Disabling JavaScript also mitigates against this specific exploit, although a variant that does not rely on JavaScript could be possible. In the meantime, Adobe is also in contact with Antivirus and Security vendors regarding the issue and recommends users keep their anti-virus definitions up to date..."
* http://www.adobe.com/support/security/bulletins/apsb09-15.html

- http://secunia.com/advisories/36983/2/
Release Date: 2009-10-09
Critical: Extremely critical
Impact: System access
Where: From remote
Solution Status: Unpatched...

- http://blog.trendmicro.com/new-adobe-zero-day-exploit/
Oct. 9, 2009 - "... users are recommended to disable JavaScript in Adobe Acrobat/Reader to mitigate the said attack. To do this, they should follow these steps:
1. Run Acrobat or Adobe Reader.
2. Go to Edit > Preferences.
3. Select JavaScript under the Categories tab.
4. Uncheck the “Enable Acrobat JavaScript” option.
5. Click OK..."

:fear:
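Adobe's note above says the in-the-wild exploit for CVE-2009-3459 relies on JavaScript and that disabling it mitigates this exploit but not necessarily a variant. For inbound PDFs, the usual triage step is to look for the names that carry active content before opening the file at all. The scanner below is an added example (not Adobe's, Trend Micro's or the poster's code): it inflates FlateDecode streams so names inside compressed objects are visible, decodes #xx name escapes so /J#61vaScript cannot hide from a plain string search, and counts the action-related names. The sample "PDFs" it scans are constructed, deliberately minimal byte strings, not viewable documents.

```python
import re
import zlib

# PDF name tokens worth a second look. The exploit discussed above relied on
# JavaScript; the remaining names catch actions that do not need it.
SUSPICIOUS_NAMES = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
                    "/EmbeddedFile", "/RichMedia", "/AcroForm")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_FLATE_STREAM = re.compile(
    rb"(/Filter\s*/FlateDecode[^>]*>>\s*stream\r?\n)(.*?)(\r?\nendstream)", re.S)

def normalize_names(data):
    """Decode #xx escapes so an obfuscated /J#61vaScript reads as /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)

def inflate_streams(data):
    """Replace FlateDecode stream bodies with their inflated content so names
    inside compressed objects (e.g. object streams) are visible to the scan."""
    def repl(m):
        try:
            return m.group(1) + zlib.decompress(m.group(2)) + m.group(3)
        except zlib.error:
            return m.group(0)  # leave undecodable streams as they are
    return _FLATE_STREAM.sub(repl, data)

def triage_pdf(data):
    """Count suspicious names in a PDF byte string and decide if it needs analysis."""
    text = normalize_names(inflate_streams(data))
    counts = {}
    for name in SUSPICIOUS_NAMES:
        pat = re.escape(name.encode()) + rb"(?![A-Za-z0-9])"  # whole name only
        n = len(re.findall(pat, text))
        if n:
            counts[name] = n
    has_js = "/JavaScript" in counts or "/JS" in counts
    auto_run = "/OpenAction" in counts or "/AA" in counts  # fires without a click
    payload = has_js or any(k in counts for k in ("/Launch", "/EmbeddedFile", "/RichMedia"))
    return {"names": counts, "javascript": has_js, "auto_run": auto_run,
            "suspicious": payload}

def build_sample_pdf(obfuscated):
    """Constructed, deliberately minimal PDF-like bytes (not a viewable file)."""
    if obfuscated:
        inner = b"<< /S /J#61vaScript /JS (app.alert('x')) >>"
    else:
        inner = b"<< /S /GoTo /D [3 0 R /Fit] >>"
    body = zlib.compress(inner)
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
            b"4 0 obj << /Length " + str(len(body)).encode() +
            b" /Filter /FlateDecode >>\nstream\n" + body + b"\nendstream endobj\n"
            b"%%EOF\n")

if __name__ == "__main__":
    for label, flag in (("obfuscated JS", True), ("benign GoTo", False)):
        print(label, triage_pdf(build_sample_pdf(flag)))
```

A benign document can legitimately carry /OpenAction (jump to a page on open), so the result separates "runs automatically" from "carries a payload"; JavaScript plus an auto-run action is the combination worth pulling aside. Disabling JavaScript in the reader, as Trend Micro's steps describe, blunts the JavaScript case; the scanner's other names are there for the variant Adobe warns about.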

AplusWebMaster
2009-10-14, 00:49
FYI...

Adobe Reader 9.2 and Acrobat 9.2 released
- http://www.adobe.com/support/security/bulletins/apsb09-15.html
October 13, 2009 - "... This update resolves a heap overflow vulnerability that could lead to code execution (CVE-2009-3459*)... Adobe recommends users of Adobe Reader 9.1.3 and Acrobat 9.1.3 and earlier versions update to Adobe Reader 9.2 and Acrobat 9.2. Adobe recommends users of Acrobat 8.1.6 and earlier versions update to Acrobat 8.1.7, and users of Acrobat 7.1.3 and earlier versions update to Acrobat 7.1.4. For Adobe Reader users who cannot update to Adobe Reader 9.2, Adobe has provided the Adobe Reader 8.1.7 and Adobe Reader 7.1.4 updates. Updates apply to all platforms: Windows, Macintosh and UNIX...
Solution:
Adobe Reader
- Adobe Reader users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows
- Adobe Reader users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Macintosh
- Adobe Reader users on UNIX can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Unix
Acrobat
- Acrobat Standard and Pro users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Windows
- Acrobat Pro Extended users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=158&platform=Windows
- Acrobat 3D users on Windows can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=112&platform=Windows
- Acrobat Pro users on Macintosh can find the appropriate update here:
http://www.adobe.com/support/downloads/product.jsp?product=1&platform=Macintosh ..."

* http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3459
Last revised: 10/13/2009
CVSS v2 Base Score: 9.3 (HIGH)

Adobe Plugs 29 Critical Reader, Acrobat Holes
- http://voices.washingtonpost.com/securityfix/2009/10/adobe_plugs_critical_reader_ac.html
October 13, 2009

CVE-2007-0048, CVE-2007-0045, CVE-2009-2564, CVE-2009-2979, CVE-2009-2980, CVE-2009-2981, CVE-2009-2982, CVE-2009-2983, CVE-2009-2984, CVE-2009-2985, CVE-2009-2986, CVE-2009-2987, CVE-2009-2988, CVE-2009-2989, CVE-2009-2990, CVE-2009-2991, CVE-2009-2992, CVE-2009-2993, CVE-2009-2994, CVE-2009-2995, CVE-2009-2996, CVE-2009-2997, CVE-2009-2998, CVE-2009-3431, CVE-2009-3458, CVE-2009-3459, CVE-2009-3460, CVE-2009-3461, CVE-2009-3462

- http://blogs.adobe.com/psirt/2009/10/second_quarterly_security_upda.html
October 13, 2009

:fear:

AplusWebMaster
2009-10-15, 19:34
FYI...

Adobe PDF Reader exploit in the wild
- http://blog.trendmicro.com/asprox-resurfaces-with-a-mass-compromise-in-tow/
Oct. 15, 2009 - "A specially crafted .PDF file, detected by Trend Micro as TROJ_PIDIEF.ASP, was recently found to have infected several Indian, Thai, and New Zealand websites. The Trojan takes advantage of critical vulnerabilities in Adobe Reader 9.1.3 and Acrobat 9.1.3; Adobe Reader 8.1.6 and Acrobat 8.1.6 for Windows, Macintosh, and UNIX; and Adobe Reader 7.1.3 and Acrobat 7.1.3 for Windows and Macintosh. These vulnerabilities can cause the application to crash and can potentially allow an attacker to take control of an affected system. Adobe has thus advised users to patch their systems and download the necessary updates*. The Trojan belongs to an old but notable malware family known as “ASProx,” which plagued the Web last year. It was so notable that it made its way to Trend Micro’s Top 8 in 2008 list. Most ASProx variants, including this most recent one, exhibited the same payload. They first compromised several websites. Visiting the said sites then triggered redirections to various malicious URLs that ultimately led to the download of more malicious files. The recent reemergence of the ASProx code or the cybercriminals behind it may not have brought anything new to the table but it is noteworthy in that this attack seemingly brought the botnet back from the dead after almost a year of inactivity..."
* http://www.adobe.com/support/security/bulletins/apsb09-15.html
October 13, 2009

:fear::fear:

AplusWebMaster
2009-10-18, 14:53
FYI...

Foxit PDF Reader Firefox Plugin Memory Corruption vuln
- http://secunia.com/advisories/37049/2/
Release Date: 2009-10-15
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched * (?)
Software: Foxit Reader 3.x ...
Solution: Do not visit untrusted websites or follow untrusted links.
Disable the Foxit Reader plugin in Firefox.
Original Advisory: http://seclists.org/fulldisclosure/2009/Oct/198
14 Oct 2009 - "It would appear that Foxit reader version 3.1.1.0928 is also vulnerable to this memory corruption flaw. Foxit reader was also vulnerable to the JPEG2000/JBIG2 decoder bug..."
Other References: SA36983: http://secunia.com/advisories/36983/2/

* http://www.foxitsoftware.com/pdf/reader/bugfix.htm
Fixed in Foxit Reader 3.1.2.1013: Fix the memory leak issue where the memory usage will continuously grow while viewing PDF files with Foxit Reader.
- http://www.foxitsoftware.com/downloads/index.php
Foxit Reader 3.1.2.1013(exe) 5.06 MB - 10/13/09

:fear:

AplusWebMaster
2009-10-24, 15:18
FYI..

FoxIt PDF Reader - print rendering problem noted w/v3.1.2.1013
- http://forums.foxitsoftware.com/showpost.php?p=35481&postcount=7
October 21, 2009 - "... with this version when printing a pdf - only part of the document is printed..."

:confused::fear:

AplusWebMaster
2009-10-26, 16:30
FYI...

Guardian Jobs website hacked...
- http://www.sophos.com/blogs/gc/g/2009/10/25/guardian-jobs-website-hacked-personal-data-risk/
October 25, 2009 - "... the UK version of the Guardian Jobs website has been broken into by hackers. The site, which is described as one of the top five job websites in the UK, with some two million users a month, would be a rich data mine for identity thieves who would be rubbing their hands in glee at the prospect of getting their hands on confidential information from innocent people's CVs and job applications. Details of how the hack was committed have not been revealed, but warning emails sent to people who have used the jobs.guardian.co.uk site to make job applications described the attack as "sophisticated and deliberate"... this isn't the first time that online recruitment websites have suffered at the hands of cybercriminals. Earlier this year... the databases of Monster.com and USAJobs.gov were compromised*, and contact and account information was stolen..."
* http://www.sophos.com/blogs/gc/g/2009/01/24/security-alert-monstercom-usajobs-users/

:fear::mad:

AplusWebMaster
2009-10-27, 17:20
See the site - use menu at top of display "Modes > Attacks":

- http://www.akamai.com/html/technology/dataviz1.html
2009.10.27 - 34% above normal ...!

- http://www.akamai.com/html/technology/realtime_web_methodology.html
"Attack Traffic:
Akamai measures attack traffic in real time across the Internet with our diverse network deployments. We collect data on the number of connections that are attempted, the source IP address, the destination IP address and the source and destination ports in real time. The packets captured are generally from automated scanning trojans and worms looking to infect new computers scanning randomly generated IP addresses. The attack traffic depicts the total number of attacks over the last twenty-four hours.
Values are measured in attacks per 24 hours (attacks/24hrs). Regions are displayed as countries or states."
___

- http://www.v3.co.uk/v3/news/2252011/trend-micro-sees-blocked
27 Oct 2009 - "The sheer scale of the cyber security threat to businesses was highlighted again today, after new statistics from security vendor Trend Micro revealed that its Smart Protection Network (SPN) now blocks an average of more than four billion threats a day. SPN is Trend Micro's newest technology designed to fight today's threats as effectively as possible, combining cloud-based reputation technology with behavioural analysis techniques. The system stops many of the threats in the cloud, crucially negating the problems associated with traditional security tools, such as eating up processing power and network bandwidth... SPN has been up and running for 16 months, but saw significant growth between the third quarter of 2008 and the second quarter of 2009, when the number of global user queries jumped 289 per cent to over 29 billion a day. The number of threats blocked over the same period rose 277 per cent to just over four billion, the company said. Threats in this instance include infected files, as well as web destinations reached through the browser and infected PCs trying to connect to a resource on the internet..."

:sad::fear::spider:

AplusWebMaster
2009-11-04, 05:25
FYI...

Adobe Shockwave Player v11.5.2.602 released
- http://www.adobe.com/support/security/bulletins/apsb09-16.html
Release date: November 3, 2009
Affected software versions: Shockwave Player 11.5.1.601 and earlier versions
Solution: Adobe recommends Shockwave Player users install Shockwave Player version 11.5.2.602 available here:
http://get.adobe.com/shockwave/
Severity rating: Adobe categorizes this as a critical update and recommends that users apply the update for their product installations...
CVE number:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3244
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3463
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3464
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3465
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3466
Platform: Windows and Macintosh

Once again, still ...
- http://voices.washingtonpost.com/securityfix/2009/06/critical_security_fix_for_adob.html
"... by default this patch will also try to install Symantec's Norton Security Scan, a clever marketing tool by Symantec that checks to see if you have malware on your system and then prompts you to buy their software to remove any found items. I find the bundling of a serious security update with this otherwise useless tool annoying, and potentially counter-productive... did they borrow the idea from the people pushing rogue anti-virus products (or was it the other way around?) At any rate, if you don't want this extra software, be sure to deselect that option before proceeding with the update."

Test site:
- http://www.adobe.com/shockwave/welcome/

- http://secunia.com/advisories/37214/2/
Release Date: 2009-11-04
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch...
Solution: Update to version 11.5.2.602...

- http://news.techworld.com/security/3205708/adobe-patches-five-critical-shockwave-player-bugs/
"... installed on some 450 million PCs..."

:fear:

AplusWebMaster
2009-11-11, 01:01
FYI...

87% of web apps - "serious vulnerabilities..."
- http://sunbeltblog.blogspot.com/2009/11/3100-vulnerabilities-connected-with-web.html
November 10, 2009 - "If anyone ever needed a great example for the lectures they give friends, relatives or employees about the importance of installing software updates, here it is. Security firm Cenzic* has made public a report documenting 3,100 vulnerabilities that affect the software used on web sites and in browsers! The report included patched and unpatched vulnerabilities. Cenzic, which provides software as a service, said in their report “Web Application Security Trends Report Q1-Q2, 2009” that Cross Site Scripting and SQL Injection vulnerabilities were a factor in half of all web attacks. They said 87 per cent of web applications their researchers looked at "had serious vulnerabilities that could potentially lead to the exposure of sensitive or confidential user information during transactions"..."
* http://www.cenzic.com/resources_reg-not-required_trends/
Q1-Q2 2009
http://www.cenzic.com/downloads/Cenzic_AppSecTrends_Q1-Q2-2009.pdf

:fear::mad:

AplusWebMaster
2009-11-12, 15:40
FYI...

Apple Safari v4.0.4 released
- http://secunia.com/advisories/37346/2/
Release Date: 2009-11-12
Critical: Highly critical
Impact: Security Bypass, Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
Software: Apple Safari 4.x
Solution: Update to version 4.0.4...
Original Advisory:
http://support.apple.com/kb/HT3949

CVE reference: CVE-2009-2414, CVE-2009-2416, CVE-2009-2804, CVE-2009-2816, CVE-2009-2841, CVE-2009-2842, CVE-2009-3384

- http://support.apple.com/downloads/

:fear:

AplusWebMaster
2009-11-18, 17:09
FYI...

Still - "It's a jungle out there...".

2009 - Top Internet Security Trends
- http://www.symantec.com/connect/blogs/breadth-security-issues-2009-stunning
November 17, 2009 - "... Top Internet Security Trends of 2009...
• Malware-Bearing Spam...
• Social Networking Site Attacks Become Commonplace...
• Rogue Security Software...
• Ready-Made Malware...
• Bot Networks Surge...
• Intra- and Cross-Industry Cooperation to Stamp Out Internet Threats...
• Current Events Leveraged More Than Ever...
• Drive-by-Downloads Lead the Way...
• The Return of Spam to Pre-McColo Levels...
• The Rise of Polymorphic Threats...
• An Increase in Reputation Hijacking...
• Data Breaches Continue..."

(Detail available at the URL above.)

:fear::spider:

AplusWebMaster
2009-11-20, 18:30
FYI...

PHP v5.3.1 released
- http://secunia.com/advisories/37412/2/
Release Date: 2009-11-20
Critical: Moderately critical
Impact: Unknown, Security Bypass
Where: From remote
Solution Status: Vendor Patch
Software: PHP 5.3.x ...
Solution: Update to version 5.3.1.
Original Advisory: PHP:
http://www.php.net/releases/5_3_1.php
CVE reference: CVE-2009-3292, CVE-2009-3557, CVE-2009-3558

ChangeLog
- http://www.php.net/ChangeLog-5.php#5.3.1

- http://isc.sans.org/diary.html?storyid=7615
"... With many of the websites on the net relying on PHP and the number of attacks we see, consider upgrading. This release has over 100 bug fixes..."

:fear: