
Thread: Old Alerts

  1. #141
    Adviser Team AplusWebMaster's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    6,881

    Google broken... maybe back up now?

    FYI...

    - http://isc.sans.org/diary.html?storyid=5779
    Last Updated: 2009-01-31 18:17:26 UTC - "... it appears to be reporting that every site might contain malware (i.e. it shows the "This site may harm your computer" warning with every result)... UPDATE X3: Google's response*..."

    Google: This Internet May Harm Your Computer
    - http://voices.washingtonpost.com/sec...will_harm.html
    January 31, 2009 - "A glitch in a computer security program embedded deeply into Google's search engine briefly prevented users of the popular search engine from visiting any Web sites turned up in search results this morning. Instead, Google users were redirected to a page that warned: "This site may harm your computer"..."
    * http://googleblog.blogspot.com/2009/...mputer-on.html
    January 31, 2009 - "...the URL of '/' was mistakenly checked in as a value to the file and '/' expands to all URLs. Fortunately, our on-call site reliability team found the problem quickly and reverted the file. Since we push these updates in a staggered and rolling fashion, the errors began appearing between 6:27 a.m. and 6:40 a.m. and began disappearing between 7:10 and 7:25 a.m., so the duration of the problem for any particular user was approximately 40 minutes..."
    - http://blog.stopbadware.org/2009/01/...uses-confusion
    January 31, 2009 - "...Users who attempted to click through the results saw the "interstitial" warning page that mentions the possibility of badware and refers people to StopBadware.org for more information. This led to a denial of service of our website, as millions of Google users attempted to visit our site for more information... [Update 2:35] Hopefully this will be the last update, as Google has acknowledged the error, apologized to its customers, and fixed the problem. As many know, we have a strong relationship with Google, which is a sponsor and partner of StopBadware.org. The mistake in Google’s initial statement, indicating that we supply them with badware data, is a common misperception. We appreciate their follow up efforts in clarifying the relationship on their blog and with the media. Despite today’s glitch, we continue to support Google’s effort to proactively warn users of badware sites, and our experience is that they are committed to doing so as accurately and as fairly as possible..."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  2. #142
    Adviser Team AplusWebMaster's Avatar

    DNS spoofing vuln...

    FYI...

    - http://preview.tinyurl.com/cjkx72
    February 20, 2009 (Computerworld) - "...nearly one-third of the estimated 200,000 DNS servers worldwide still remain unprotected against the cache-poisoning threat and need to be patched as soon as possible, Kaminsky said, adding that many of them are being attacked on a daily basis. "We are seeing attacks where people are redirecting major sites to places where they shouldn't be going," he said. "It's happening right now." The cache-poisoning flaw was publicly disclosed last July... The flaw could be used by attackers to spoof DNS traffic, potentially enabling them to redirect Web traffic and e-mail messages to systems under their control..."

    Web-based DNS Randomness Test
    - https://www.dns-oarc.net/oarc/services/dnsentropy
    Test My DNS

    ...and if you are still having problems, try this:
    - http://www.opendns.com/


  3. #143
    Adviser Team AplusWebMaster's Avatar

    IBM server bug [Seagate/SATA drives] could cause Data Loss

    FYI...

    - http://www.informationweek.com/share...leID=215600307
    March 2, 2009 - "IBM said a recent firmware update could cause the Seagate disk drives on more than two dozen models of its business servers to fail, leading to a situation that could cause customers to lose access to critical corporate data. In a current support bulletin*, the company said the bug affects a range of models in its BladeCenter, xSeries, and System x lines of servers. "After a power cycle, the SATA drive is no longer available and becomes unresponsive," IBM warned. "Data may become inaccessible due to the drive not responding," according to the bulletin, which lists numerous IBM server configurations at risk from the problem. IBM said customers should use the ServeRAID manager or other tools to determine their disk drive model and firmware. IBM said it plans to fix the problem in a firmware update "scheduled for first quarter 2009." The company did not offer further specifics on a release date. The update, when available, will be accessible as a download from IBM's System x support Web site... IBM said the warning applies to server products sold worldwide."
    * http://preview.tinyurl.com/c8fy3l
    Last modified: 2009-02-18


  4. #144
    Adviser Team AplusWebMaster's Avatar

    Massive ARP spoofing attacks on websites

    FYI...

    - http://isc.sans.org/diary.html?storyid=6001
    Last Updated: 2009-03-11 00:34:49 UTC - "...attackers used ARP spoofing to inject malicious JavaScript into content served off other web sites. The biggest problem with such attacks is that it can be very difficult to analyze them unless you remember to check layer two network traffic. Such attacks are very covert and put in danger all web sites in the same subnet...
    ARP spoofing attacks happen on layer two – the Address Resolution Protocol maps IP addresses and MAC addresses, which is what is used to communicate in local subnets... The basic idea of an ARP spoofing attack is for the attacker to spoof IP address <-> MAC address pair of the default gateway. This allows him to intercept (and, if needed modify) all outgoing traffic from that subnet. The attacker can also spoof the IP address <-> MAC address pair of a local server in which case he could monitor incoming traffic, but in this scenario that was not necessary. The spoofing attack consists of the attacker sending ARP packets containing fake data to the target. In normal conditions the target machine will accept this and “believe” whatever the attacker is saying...
    A server on a local subnet was compromised and the attacker installed ARP spoofing malware (together with keyloggers and other Trojans) on the machine. The ARP spoofing malware poisoned local subnet so the outgoing traffic was tunneled through it. The same malware then inserted malicious JavaScript into every HTML page served by any server on that subnet. You can see how this is fruitful for the attacker – with one compromised server they can effectively attack hundreds of web sites...
    AV detection rates were similarly poor (in the mean time they improved). Particularly nasty was the Winlogon Notify hook package which simply “sniffs” all usernames/passwords of users logging in to the system (so password changes don’t help)..."

    (More detail at the ISC URL above.)

    > http://en.wikipedia.org/wiki/ARP_spoofing

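A defender-side check for the layer-two symptom the diary in post #144 describes, added here as an example and not part of the original post or the ISC diary: it decodes ARP packets and alerts when the gateway's IP is claimed by a MAC other than the one pinned out of band. The `ArpWatch` class, the helper names and all addresses are constructed for illustration.

```python
import struct

def parse_arp(body: bytes):
    """Decode a 28-byte Ethernet/IPv4 ARP body; return (oper, sender_mac, sender_ip)."""
    if len(body) < 28:
        raise ValueError("short ARP packet")
    htype, ptype, hlen, plen, oper = struct.unpack_from("!HHBBH", body, 0)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    mac = ":".join(f"{b:02x}" for b in body[8:14])
    ip = ".".join(str(b) for b in body[14:18])
    return oper, mac, ip

class ArpWatch:
    """Track IP -> MAC bindings seen on the wire and report contradictions."""

    def __init__(self, pinned):
        self.pinned = dict(pinned)   # bindings known out of band, e.g. the default gateway
        self.seen = {}               # bindings learned from traffic

    def observe(self, body: bytes):
        """Return an alert string for a suspicious packet, else None."""
        _, mac, ip = parse_arp(body)
        if ip in self.pinned:
            if mac != self.pinned[ip]:
                return f"{ip} claimed by {mac}, pinned to {self.pinned[ip]}"
            return None
        previous = self.seen.get(ip)
        self.seen[ip] = mac
        if previous is not None and previous != mac:
            return f"{ip} moved from {previous} to {mac}"
        return None

def arp_reply(sender_mac: str, sender_ip: str) -> bytes:
    """Build a constructed ARP reply body for testing (not captured traffic)."""
    head = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)
    sha = bytes.fromhex(sender_mac.replace(":", ""))
    spa = bytes(int(part) for part in sender_ip.split("."))
    return head + sha + spa + b"\xff" * 6 + bytes(4)

if __name__ == "__main__":
    watch = ArpWatch({"192.0.2.1": "00:11:22:33:44:55"})   # constructed gateway binding
    for mac, ip in [("00:11:22:33:44:55", "192.0.2.1"),
                    ("02:00:00:00:00:20", "192.0.2.20"),
                    ("02:00:00:00:00:20", "192.0.2.1")]:   # host now claims the gateway IP
        print(ip, mac, "->", watch.observe(arp_reply(mac, ip)))
```

A binding change is not always hostile (NIC replacement and failover pairs also cause it), so the pinned-gateway alert is the high-confidence signal and the "moved" alert is one to triage.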

  5. #145
    Adviser Team AplusWebMaster's Avatar

    New rogue-DHCP server malware

    FYI...

    - http://isc.sans.org/diary.html?storyid=6025
    Last Updated: 2009-03-16 19:49:12 UTC - "...new version of rogue DHCP server malware... The malware appears to be similar to Trojan.Flush.M which was found last December. Like back then, after infecting its target, the malware installs a rogue DHCP server. The main goal of the DHCP server is to spread a bad DNS server IP address... summary of the differences:
    • The new version sets the DHCP lease time to 1 hour.
    • It sets the MAC destination to the broadcast address, rather than the MAC address of the DHCP client.
    • It does not specify a DNS Domain Name.
    • The options field does not contain an END option followed by PAD options.
    • Unlike Trojan.Flush.M, the BootP Broadcast Bit is set.

    The malicious DNS server is 64.86.133.51 and 63.243.173.162.
    Recommendation: Monitor connections to DNS servers other than the approved one pushed out by your DHCP server. This should help you spot this kind of malware. Yes, you can block the two IP addresses listed above, but it will likely do little good."

    Last edited by AplusWebMaster; 2009-03-16 at 21:30.
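One way to apply the recommendation quoted in post #145 at the DHCP layer, added here as an example and not part of the original post or the ISC diary: parse a DHCP offer, flag any DNS server (option 6) that is not on the approved list, and note the weaker traits the diary lists for the new variant. `APPROVED_DNS`, the function names and the sample packets are constructed assumptions; the two rogue DNS addresses are the ones quoted in the post.

```python
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"       # DHCP magic cookie that follows the 236-byte BOOTP header
APPROVED_DNS = {"192.0.2.53"}     # assumption: the resolver your real DHCP server hands out

def parse_dhcp(payload: bytes):
    """Return (broadcast_bit, options) for a BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    (flags,) = struct.unpack_from("!H", payload, 10)
    options, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = END
        if payload[i] == 0:                         # 0 = PAD, a single byte with no length
            i += 1
            continue
        if i + 1 >= len(payload):                   # truncated option header
            break
        length = payload[i + 1]
        options[payload[i]] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return bool(flags & 0x8000), options

def audit_offer(payload: bytes, approved=APPROVED_DNS):
    """Report unapproved DNS servers plus the variant traits listed in the diary."""
    broadcast, opts = parse_dhcp(payload)
    raw = opts.get(6, b"")                          # option 6: DNS servers, 4 bytes each
    servers = [str(ipaddress.IPv4Address(raw[o:o + 4]))
               for o in range(0, len(raw) - len(raw) % 4, 4)]
    traits = []                                     # weak indicators; none is proof alone
    if opts.get(51) == struct.pack("!I", 3600):     # option 51: lease time in seconds
        traits.append("lease time is 1 hour")
    if 15 not in opts:                              # option 15: DNS domain name
        traits.append("no DNS domain name option")
    if broadcast:
        traits.append("BOOTP broadcast bit set")
    return {"unapproved_dns": [s for s in servers if s not in approved],
            "variant_traits": traits}

def build_sample(dns_ips, lease, domain=None, broadcast=False) -> bytes:
    """Build a constructed DHCP OFFER for testing (not captured traffic)."""
    flags = 0x8000 if broadcast else 0
    header = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x1234, 0, flags).ljust(236, b"\x00")
    opts = b"\x35\x01\x02" + b"\x33\x04" + struct.pack("!I", lease)
    opts += bytes([6, 4 * len(dns_ips)])
    opts += b"".join(ipaddress.IPv4Address(a).packed for a in dns_ips)
    if domain:
        opts += bytes([15, len(domain)]) + domain.encode()
    return header + MAGIC + opts + b"\xff"

if __name__ == "__main__":
    rogue = build_sample(["64.86.133.51", "63.243.173.162"], 3600, broadcast=True)
    print(audit_offer(rogue))
```

The `unapproved_dns` list is the actionable result and keeps working when the operators change addresses; the same allow-list comparison applies to outbound port 53 flows on the firewall.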

  6. #146
    Adviser Team AplusWebMaster's Avatar

    Lotus Notes & Symantec advisories - vuln "wp6sr.dll"

    FYI...

    - http://www.us-cert.gov/current/index..._vulnerability
    March 18, 2009 - "US-CERT is aware of reports of a vulnerability that affects the Autonomy KeyView SDK wp6sr.dll library. This library is used by certain products, including Lotus Notes and Symantec, to support the handling of Word Perfect documents. By convincing a user to open a specially crafted Word Perfect document with an application using the affected Autonomy KeyView SDK library, a remote attacker may be able to execute arbitrary code...
    • IBM Lotus Notes users should review the IBM Flash Alert and implement the listed fixes or workarounds.
    http://www-01.ibm.com/support/docvie...id=swg21377573
    • Symantec users should review Symantec Security Advisory SYM09-004 and implement the listed fixes or workarounds.
    http://www.symantec.com/avcenter/sec...09.03.17a.html
    • Registered Autonomy Users should review the related Autonomy alert (login required).
    https://customers.autonomy.com/suppo...ip.readme.html ..."

    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2008-4564
    Last revised: 03/20/2009
    CVSS v2 Base Score: 9.3 (HIGH)

    Last edited by AplusWebMaster; 2009-03-20 at 10:41. Reason: Added CVE ref link...

  7. #147
    Adviser Team AplusWebMaster's Avatar

    Thunderbird v2.0.0.21 released

    FYI...

    Thunderbird v2.0.0.21 released
    - http://www.mozillamessaging.com/en-US/thunderbird/
    March 18, 2009

    Fixed in Thunderbird 2.0.0.21
    - http://www.mozilla.org/security/know...erbird2.0.0.21
    MFSA 2009-10 Upgrade PNG library to fix memory safety hazards
    MFSA 2009-09 XML data theft via RDFXMLDataSource and cross-domain redirect
    MFSA 2009-07 Crashes with evidence of memory corruption (rv:1.9.0.7)
    MFSA 2009-01 Crashes with evidence of memory corruption (rv:1.9.0.6)

    - http://secunia.com/advisories/33802/2/
    Last Update: 2009-03-20
    Critical: Highly critical
    Impact: Security Bypass, Exposure of sensitive information, DoS, System access
    Where: From remote
    Solution Status: Vendor Patch ...
    Solution: Update to version 2.0.0.21...
    CVE reference:
    http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-0040
    http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-0352
    http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-0353
    http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-0772
    http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-0774
    http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-0776


  8. #148
    Adviser Team AplusWebMaster's Avatar

    IBM ActiveX vuln...

    FYI...

    IBM Access Support ActiveX control stack buffer overflow
    - http://www.kb.cert.org/vuls/id/340420
    Date Last Updated: 2009-03-25 - "... IBM Access Support ActiveX control, which is provided by IbmEgath.dll, contains a stack buffer overflow in the GetXMLValue() method. We have confirmed that version 3.20.284.0 is vulnerable. Other versions may also contain the flaw.
    ... Impact: By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause Internet Explorer (or the program using the WebBrowser control) to crash.
    ... Solution: We are currently unaware of a practical solution to this problem. Please consider the following workarounds: Disable the IBM Access Support ActiveX control in Internet Explorer
    The vulnerable ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID: {74FFE28D-2378-11D5-990C-006094235084} ..."

    - http://secunia.com/advisories/34470/2/
    Critical: Highly critical
    Solution Status: Unpatched...

    - http://web.nvd.nist.gov/view/vuln/de...=CVE-2009-0215
    Last revised: 03/25/2009
    CVSS v2 Base Score: 9.3 (HIGH)...


  9. #149
    Adviser Team AplusWebMaster's Avatar

    DNS providers under attack

    FYI...

    - http://isc.sans.org/diary.html?storyid=6121
    Last Updated: 2009-04-03 21:35:44 UTC - "We've been keeping an eye on the issues affecting the domain servers of Register.com. Several readers have written to us with concerns over the lack of availability of Register.com's servers, which seem to have been under a DDoS attack. There are also reports that DNS provider NeuStar (UltraDNS) may be under DDoS, too. We don't have any information at the moment about these incidents, beyond what is reported in the following articles:
    - http://www.theinquirer.net/inquirer/...ers-dos-attack
    - http://www.scmagazineus.com/DDoS-att...rticle/130060/
    Register.com issues are causing lots of issues across the web. One reader told us, "We are struggling to keep our websites available. DNS is the problem. We are being told by Register.com that the April 1 issues are affecting them. It sounds like they are being DOS'd and are filtering certain ISPs from querying them." Another reader said, "Register.com's DNS servers have gone offline for the second time in 24 hours. They were down yesterday from about 15:45 - 18:45 and just went down again today at about 14:30 (all times EST)..."

    - http://isc.sans.org/diary.html?storyid=6121
    Last Updated: 2009-04-04 02:53:13 UTC ...(Version: 2)
    "Update: ... We are using all available means to restore services to every one of our customers and halt this criminal attack on our business and our customers’ business. We are working round the clock to make that happen. We are committed to updating you in as timely manner as possible, please check your inbox or our website for additional updates.
    Thank you for your patience.
    Larry Kutscher
    Chief Executive Officer
    Register.com"

    Last edited by AplusWebMaster; 2009-04-04 at 16:03. Reason: Added update...

  10. #150
    Adviser Team AplusWebMaster's Avatar

    AT&T cables cut - Silicon Valley...

    FYI...

    - http://blog.wired.com/27bstroke6/200...-sabotage.html
    April 09, 2009 | 3:58:39 PM - "Deliberate sabotage is being blamed for a sizable internet and telephone service outage Thursday in Silicon Valley. At 1:30 a.m., someone opened a manhole cover on a railroad right-of-way in San Jose, climbed down and cut four AT&T fiber optic cables. A second AT&T cable, and a Sprint cable, were cut in the same manner two hours later, farther north in San Carlos. Service for Sprint, Verizon and AT&T customers in the southern San Francisco Bay Area has been lost, according to the San Francisco Chronicle*. Police departments have put more units on the street, because nobody can call 9-1-1. A much smaller Comcast outage affecting around 4,500 customers in San Jose began at around 1:00 p.m. Pacific time. Spokesman Andrew Johnson says the company is investigating the cause.
    Update: AT&T is offering a $100,000 reward** for information leading to the arrest and conviction of the vandal."

    * http://www.sfgate.com/cgi-bin/articl...VTE6.DTL&tsp=1
    April 10, 2009 - "... Ten fiber-optic cables... were cut at four locations in the predawn darkness..."

    AT&T Offering $100,000 Reward in Bay Area Network Vandalism
    ** http://www.att.com/gen/press-room?pi...rticleid=26715
    April 9, 2009

    Last edited by AplusWebMaster; 2009-04-10 at 18:31.
