
Thread: Old Alerts

  1. #101
    AplusWebMaster (Adviser Team) - Join Date: Oct 2005, Location: USA, Posts: 6,881

    Flash player exploit in the wild - follow up...

    FYI...

    - http://www.shadowserver.org/wiki/pmw...endar.20080527
    May 27, 2008 - 11:16 PM - "...important that you make sure you have updated your Adobe Flash Player to the latest version* (9.0.124.0 at the time of this writing)... it seems that several websites are now taking advantage of a flaw in the Adobe Flash Player previously covered by CVE-2007-0071**. It appears that Symantec started noticing this activity being exploited in the wild and initially labeled it a 0-day threat as they thought it affected 9.0.124.0. However, they have since posted an update*** potentially changing this view. Both Symantec and the Internet Storm Center have posted information surrounding the vulnerability and some of the websites that are actively exploiting it. It would appear this is in fact fully patched with the latest version and is the same vulnerability described by CVE-2007-0071. We decided to look into this a bit more and see what other websites are out there exploiting this vulnerability and what they attempted to install. It did not take us long to find several other websites beyond those already mentioned. It would appear that this exploit has been pretty widely known within the Chinese community for the past two days or so... Did we mention that you should UPGRADE YOUR FLASH PLAYER (if you haven't already)? It's always a good idea to keep your software up-to-date, but it should surely be a priority to do so now..."

    * http://www.adobe.com/shockwave/downl...ShockwaveFlash

    ** http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0071
    Last revised: 4/25/2008 - "...Adobe Flash Player 9.0.115.0 and earlier..."

    *** http://www.symantec.com/security_res...tcon/index.jsp

    - http://blogs.adobe.com/psirt/2008/05...issue_u_1.html
    May 28, 2008 11:09AM - "...This exploit does NOT appear to include a new, unpatched vulnerability as has been reported elsewhere – customers with Flash Player 9.0.124.0 should not be vulnerable to this exploit. We’re still looking in to the exploit files, and will update everyone with further information as we get it, but for now, we strongly encourage everyone to download and install the latest Flash Player update, 9.0.124.0*..."
    * http://www.adobe.com/go/getflashplayer

    ---------------

    Retired: Adobe Flash Player SWF File Remote Code Execution Vulnerability
    - http://www.securityfocus.com/bid/29386/discuss
    Updated: May 28 2008 07:53PM - "...Further research indicates that this vulnerability is the same issue described in BID 28695** (Adobe Flash Player Multimedia File Remote Buffer Overflow Vulnerability), so this BID is being retired."

    ** http://www.securityfocus.com/bid/28695/solution
    "...The vendor released Flash Player 9.0.124.0 to address this issue..."
    Last edited by AplusWebMaster; 2008-05-29 at 00:22.
    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #102
    AplusWebMaster (Adviser Team)

    Thousands of web sites infected...

    FYI...

    - http://securitylabs.websense.com/con...erts/3096.aspx
    05.29.2008 - "Websense... has detected thousands of web sites infected with the recent mass JavaScript injection that exploits a vulnerability in Adobe Flash (CVE-2007-0071*) to deliver its malicious payload... This vulnerability is not a 0-day and users with the latest version of Flash Player (version 9.0.124.0) are safe. However, there are still many on older versions of Flash that are unaware of this mass web infection and are susceptible to this drive-by attack. An update to the latest version of Flash Player is highly recommended**.
    Websense ThreatSeeker has been tracking these malicious web sites and have discovered numerous reputable web sites that are now unwilling participants, infecting their very own visitors. These sites are from various industries such as government, education, healthcare, finance, media, and entertainment. This attack also attempts to exploit other popular vulnerabilities such as MDAC, RealPlayer, and various ActiveX controls... drive-by threat... site screenshots from: Microsoft, Dept. of Education (Australia), PBS, Durex, CDC (Centers for Disease Control and Prevention), Discovery Channel, various universities and a Pakistani district government."

    * http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0071
    Last revised: 4/25/2008 - "...Adobe Flash Player 9.0.115.0 and earlier..."

    ** http://www.adobe.com/go/getflashplayer

    (Screenshots available at the Websense URL above.)

    Last edited by AplusWebMaster; 2008-05-30 at 18:13.

  3. #103
    AplusWebMaster (Adviser Team)

    DHS PDF

    FYI...

    DHS PDF
    - http://www.f-secure.com/weblog/archives/00001449.html
    June 1, 2008 - "...The only information we have on this 130kB sample is that it was named f1be1cdea0bcc5a1574a10771cd4e8e8.pdf (after its MD5 hash) and that it was submitted on the 23rd of May. 'Looks like a Department of Homeland Security form G-325A.
    Look again. What's the filename? It's -not- f1be1cdea0bcc5a1574a10771cd4e8e8.pdf. It's 0521.pdf. This is -not- the document we opened. So what happens here? Apparently this PDF has been used in a targeted attack against an unknown target. When this PDF is opened in Acrobat Reader, it uses a known exploit to drop files. Specifically, it creates two files in the TEMP folder: D50E.tmp.exe and 0521.pdf. Then it executes the EXE and launches the clean 0521.pdf file to Adobe Reader in order to fool the user that everything is all right. D50E.tmp.exe is a backdoor that creates lots of new files with innocent-sounding filenames, including:
    \windows\system32\avifil16.dll
    \windows\system32\avifil64.dll
    \windows\system32\drivers\pcictrl.sys
    \windows\system32\drivers\Nullbak.dat
    \windows\system32\drivers\Beepbak.dat
    The SYS component is a -rootkit- that tries to hide all this activity on the infected machine. The backdoor tries to connect to port 80 of a host called nbsstt .3322 .org. Anybody operating this machine would have full access to the infected machine. Well, 3322 .org is one of the well-known Chinese DNS-bouncers that we see a lot in targeted attacks. Does nbsstt mean something? Beats me, but Google will find a user with this nickname posting to several Chinese military-related web forums, such as bbs .cjdby .net. Where does nbsstt .3322 .org point to? IP address 125.116.97.19 is in Zhejiang, China. And it's live right now, answering requests at port 80."

    (Screenshots available at the URL above.)

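The indicators in the F-Secure write-up quoted in post #103, turned into a sweep over a file listing and a proxy log. This is an added example, not part of the original post or F-Secure's tooling. The listing, the log format and every sample line are constructed; because the write-up says the SYS component hides the activity, the listing is assumed to come from an offline disk image rather than the live host.

```python
import ntpath

# Indicators taken from the F-Secure write-up quoted in post #103.
TEMP_DROPS = {"d50e.tmp.exe", "0521.pdf"}    # file names created in TEMP
BACKDOOR_PATHS = {p.lower() for p in (
    r"\windows\system32\avifil16.dll",
    r"\windows\system32\avifil64.dll",
    r"\windows\system32\drivers\pcictrl.sys",    # the rootkit component
    r"\windows\system32\drivers\Nullbak.dat",
    r"\windows\system32\drivers\Beepbak.dat",
)}
C2_HOST = "nbsstt .3322 .org".replace(" ", "")   # page writes it defanged
C2_IP = "125.116.97.19"
C2_PORT = 80

# Constructed sample input. Assumed proxy log format:
# '<time> <client> <host> <dest-ip> <port>'
FILE_LISTING = [
    r"C:\WINDOWS\system32\avifil32.dll",         # legitimate Windows DLL
    r"C:\WINDOWS\system32\avifil16.dll",
    r"C:\WINDOWS\system32\drivers\PCICTRL.SYS",
    r"C:\Documents and Settings\alice\Local Settings\Temp\D50E.tmp.exe",
    r"C:\Documents and Settings\alice\My Documents\0521.pdf",
]
PROXY_LOG = [
    "2008-06-01T09:14:02 10.0.0.23 nbsstt.3322.org 125.116.97.19 80",
    "2008-06-01T09:14:05 10.0.0.23 www.example.org 192.0.2.10 80",
    "2008-06-01T09:15:11 10.0.0.40 - 125.116.97.19 80",
    "truncated line",
]

def normalise(path):
    """Lower-case, use backslashes and drop the drive letter."""
    path = path.strip().replace("/", "\\").lower()
    return ntpath.splitdrive(path)[1]

def sweep_files(listing):
    """Return (path, reason) for every listed file matching an indicator."""
    hits = []
    for raw in listing:
        path = normalise(raw)
        if path in BACKDOOR_PATHS:
            hits.append((raw, "backdoor file"))
        elif ntpath.basename(path) in TEMP_DROPS and "\\temp\\" in path:
            hits.append((raw, "dropped in TEMP"))
    return hits

def sweep_proxy(lines):
    """Return log lines showing port-80 traffic to the C2 host or address."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue                              # skip malformed records
        host, ip, port = fields[2].lower().rstrip("."), fields[3], int(fields[4])
        if port == C2_PORT and (host == C2_HOST or ip == C2_IP):
            hits.append(line)
    return hits

if __name__ == "__main__":
    print(sweep_files(FILE_LISTING), sweep_proxy(PROXY_LOG), sep="\n")
```

The copy of 0521.pdf outside TEMP is deliberately not flagged: the write-up describes that file as a clean decoy, so the name alone is weak evidence.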

  4. #104
    AplusWebMaster (Adviser Team)

    Skype vuln - update available

    FYI...

    - http://www.skype.com/security/skype-sb-2008-003.html
    Impact: Exploitation of this issue allows an attacker to execute arbitrary code on the targeted victim's machine. An attacker would need to construct a malicious file: URI and send it to the intended victim. Upon clicking the link execution of arbitrary code on the victim's machine will be possible.
    Affected software: ...The following Skype clients are vulnerable to this attack:
    Skype for Windows: All releases prior to and including 3.8.*.115
    Solution: Skype has fixed the vulnerability in version 3.8.0.139
    Download:
    x86 platform, Microsoft Windows 2000 or Microsoft Windows XP: http://www.skype.com/download/skype/windows/
    x86 platform, Linux: http://www.skype.com/download/skype/linux/
    PPC and x86 platforms, Mac OS X v10.3.9 or later: http://www.skype.com/download/skype/macosx/
    Pocket PC platform, Microsoft Windows Mobile 2003: http://www.skype.com/download/skype/pocketpc/

    > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1805
    Original release date: 6/6/2008


  5. #105
    AplusWebMaster (Adviser Team)

    Adobe Reader updates released

    FYI...

    Security Update available for Adobe Reader and Acrobat 8.1.2
    - http://www.adobe.com/support/securit...apsb08-15.html
    Release date: June 23, 2008
    Vulnerability identifier: APSB08-15
    CVE number: http://cve.mitre.org/cgi-bin/cvename...=CVE-2008-2641
    Platform: All platforms
    Affected software versions:
    * Adobe Reader 8.0 through 8.1.2
    * Adobe Reader 7.0.9 and earlier
    * Adobe Acrobat Professional, 3D and Standard 8.0 through 8.1.2
    * Adobe Acrobat Professional, 3D and Standard 7.0.9 and earlier
    NOTE: Adobe Reader 7.1.0 and Acrobat 7.1.0 are not vulnerable to this issue. Adobe Reader 9 and Acrobat 9, expected to be available by July 2008, are also not vulnerable to this issue.

    Summary:
    A critical vulnerability has been identified in Adobe Reader and Acrobat 8.1.2. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system.
    Adobe recommends users of Acrobat 8 and Adobe Reader install the 8.1.2 Security Update 1 patch.

    Solution:
    Acrobat 8 and Adobe Reader: Adobe recommends Adobe Reader 8 users update to Adobe Reader 8.1.2 Security Update 1, available at the links below:
    For Windows: http://www.adobe.com/support/downloa...jsp?ftpID=3967
    For Macintosh: http://www.adobe.com/support/downloa...jsp?ftpID=3966
    Adobe recommends Acrobat 8 users on Windows update to Acrobat 8.1.2 Security Update 1, available here: http://www.adobe.com/support/downloa...jsp?ftpID=3976
    Adobe recommends Acrobat 8 users on Macintosh update to Acrobat 8.1.2 Security Update 1, available here: http://www.adobe.com/support/downloa...jsp?ftpID=3977
    Adobe recommends Acrobat 3D Version 8 users on Windows update to Acrobat 3D Version 8.1.2 Security Update 1, available here: http://www.adobe.com/support/downloa...jsp?ftpID=3975
    Users with Adobe Reader 7.0 through 7.0.9 should upgrade to Adobe Reader 7.1.0: http://www.adobe.com/go/getreader.
    Acrobat 7
    Adobe recommends Acrobat 7 users on Windows update to Acrobat 7.1.0, available here: http://www.adobe.com/support/downloa...atform=Windows
    Adobe recommends Acrobat 7 users on Macintosh update to Acrobat 7.1.0, available here: http://www.adobe.com/support/downloa...form=Macintosh

    Severity rating:
    Adobe categorizes this as a critical issue and recommends affected users update their installations...
    NOTE: there are reports that this issue is being exploited in the wild..."

    - http://blog.trendmicro.com/pdf-exploit-causes-bsod/
    June 25, 2008 - "...According to the Adobe Security Bulletin on this issue*, the vulnerability exists in Adobe Reader 7.0.9 and earlier versions, 8.0 to 8.1.2, and in Adobe Acrobat 7.0.9 and earlier versions, 8.0 to 8.1.2... As of the most recent testing, TROJ_PIDIEF.AC is observed to download an info-stealer (mostly monitoring and gathering information about running processes, installed programs and system information) and a spammer which connects the compromised PC to a botnet. The common danger faced by users who encounter downloaders: you never really know what you’re going to get. Since malware writers have continuous access to the URL, they can update the downloaded file with different or more damaging payloads..."
    * http://www.adobe.com/support/securit...apsb08-15.html
    ---

    Adobe Reader patch, now you see it, now you don't
    - http://news.cnet.com/8301-13554_3-9979638-33.html
    June 27, 2008

    Last edited by AplusWebMaster; 2008-07-07 at 18:57. Reason: Added additional tip...

  6. #106
    AplusWebMaster (Adviser Team)

    ICANN and IANA domain names hijacked...

    FYI...

    - http://blogs.zdnet.com/security/?p=1356
    June 26, 2008 - "What happens when the official domain names of the organizations that issue the domain names in general, and provide all the practical guidance on how (to) prevent DNS hijacking, end up having their own domain names hijacked? A wake up call for the Internet community. The official domains of ICANN, the Internet Corporation for Assigned Names and Numbers, and IANA, the Internet Assigned Numbers Authority were hijacked earlier today... NetDevilz left the following message on all of the domains:
    “You think that you control the domains but you don’t! Everybody knows wrong. We control the domains including ICANN! Don’t you believe us? haha ... (Lovable Turkish hackers group)”..."
    - http://www.zone-h.org/content/view/14973/30/
    27 June 2008 - "...Hijacked domains include "icann.com", "icann.net", "iana.com" and "iana-servers.com". We reached the defacers by email but they refused to tell us how they changed the DNS records, however a cross-site scripting or cross-site request forgery vulnerability might have been exploited..."

    (Screenshots available at the ZDnet URL above.)


  7. #107
    AplusWebMaster (Adviser Team)

    Multiple vendors - DNS spoofing vuln / updates

    FYI...

    - http://www.securityfocus.com/news/11526
    2008-07-08 - "...The CERT vulnerability note* describing the issue lists more than 90 software developers and network equipment vendors that may be affected by the issue...Internet service providers and companies each received the fix on Tuesday... The goal: To have every major service provider and company apply their software patches in 30 days..."

    * U.S.CERT: http://www.kb.cert.org/vuls/id/800113

    - http://isc.sans.org/diary.html?storyid=4687
    Last Updated: 2008-07-08 23:09:39 UTC ...(Version: 4)

    Microsoft MS08-037: http://www.microsoft.com/technet/sec.../MS08-037.mspx
    Internet Software Consortium (BIND): http://www.isc.org/sw/bind/bind-security.php ...

    DNSSEC Overview: http://www.dnssec.org
    DNSSEC Deployment Initiative: http://www.dnssec-deployment.org
    DNSSEC HowTo: http://www.nlnetlabs.nl/dnssec_howto

    - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1447
    7/8/2008
    - http://www.us-cert.gov/cas/techalerts/TA08-190B.html
    7/8/2008

    DNS Checker:
    - http://www.doxpara.com/?p=1162
    Dan Kaminsky - July 9, 2008

    Last edited by AplusWebMaster; 2008-07-11 at 12:49. Reason: Updated Kaminsky URL...

  8. #108
    AplusWebMaster (Adviser Team)

    MS08-037 - ZoneAlarm users report trouble...

    FYI...

    * http://download.zonealarm.com/bin/fr...cessIssue.html
    Last Revised: 9 July 2008
    "Overview: Microsoft Update KB951748 [MS08-037] is known to cause loss of internet access for ZoneAlarm users on Windows XP/2000. Windows Vista users are not affected.
    Impact: Sudden loss of internet access
    Platforms Affected: ZoneAlarm Free, ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Anti-Spyware, and ZoneAlarm Security Suite ...
    Recommended Actions:
    Download and install the latest versions which solve the loss of internet access problem here*..."


  9. #109
    AplusWebMaster (Adviser Team)

    Oracle critical patch updates - July 2008

    FYI...

    Oracle Critical Patch Update Advisory - July 2008
    - http://www.oracle.com/technology/dep...pujul2008.html
    2008-JUL-15 - Initial release
    "...Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible..."

    - http://isc.sans.org/diary.html?storyid=4732
    Last Updated: 2008-07-15 20:45:56 UTC ...(Version: 2) - "...first time patches for BEA, Hyperion and TimesTen technology are included in the release. If you are running software from these recently-acquired vendors, please be aware..."

    - http://www.us-cert.gov/current/#orac..._patch_update3
    July 15, 2008 - "Oracle has released their Critical Patch Update for July 2008 to address 45 vulnerabilities across several products. This update contains the following security fixes:
    * 11 updates for Oracle Database
    * 3 updates for Times Ten In-Memory Database
    * 9 updates for Oracle Application Server
    * 6 updates for Oracle E-Business Suite and Applications
    * 2 updates for Oracle Enterprise Manager
    * 7 updates for Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne
    * 7 updates for BEA Product Suite ..."


  10. #110
    AplusWebMaster (Adviser Team)

    DNS spoofing vuln / updates

    RE: http://forums.spybot.info/showpost.p...2&postcount=77

    FYI... http://isc.sans.org/diary.html?storyid=4765
    Last Updated: 2008-07-22 11:01:30 UTC - "It seems the cat might be out of the bag regarding Dan Kaminsky's upcoming presentation at Blackhat. Since this now means the bad guys have access to it at will - I found the speculations using Google, I'm sure they have done so already, the urgency of patching your recursive DNS servers just increased significantly..."

    - http://preview.tinyurl.com/64wtnc
    July 21, 2008 (Computerworld)

    - http://www.us-cert.gov/current/#dns_...rable_to_cache
    updated July 22, 2008 - "...UPDATE: Technical details regarding this vulnerability have been posted to public websites. Attackers could use these details to construct exploit code. Users are encouraged to patch vulnerable systems immediately..."

    - http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1447
    CVSS v2 Base score: 7.5 (High)

    Last edited by AplusWebMaster; 2008-07-23 at 05:55. Reason: Added CVE ref...
