IrfanView vuln - update available
FYI...
- http://secunia.com/advisories/26619/
Release Date: 2007-10-16
Critical: Moderately critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: IrfanView 3.x, IrfanView 4.x
...The vulnerability is confirmed in version 4.00. Other versions may also be affected.
Solution: Update to version 4.10.
http://www.irfanview.com/main_download_engl.htm
.
Malicious Code: ...spammed in Latin America
FYI...
- http://www.websense.com/securitylabs...hp?AlertID=809
October 17, 2007 - "Websense® Security Labs™ has discovered a new Trojan Horse being distributed via spam email in Latin America. The email message is written in Spanish, and includes the subject line: "Espero que te guste"
The email acts as a lure, attempting to get users to click a link and download a greeting card. There are several versions of the spam message, but the main difference is the location where the malicious code is stored. In all versions discovered to date, the file name is always "mexico.exe", and the MD5 is "ce073c460ec25d7e40efe3f717f75c38". In all samples, the file has been stored on compromised websites. If users click on the link and run the code, a browser window to Univision.com opens as a means of hiding what is happening in the background. The malicious code also connects to one or more additional websites to download an additional binary file, "file56.gif". This file is actually a Windows executable. The "file56.gif" binary can come from any of five different compromised sites. The file is downloaded to the Windows system32 directory and given the name "html.txt". The "html.txt" file is then renamed "html.exe" and run. The payload of the code is written in Delphi and packed with RLpack. It disables Task Manager, deletes the host file, and changes some startup options and Start menu options. It also includes an information stealing component..."
(Screenshot available at the URL above.)
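As an added defender-side illustration (not code from Websense or from this thread), the following Python sketch turns the behaviour quoted above into a detection: it flags a host where a "file56.gif" download lands in system32 as "html.txt", is renamed "html.exe" and is then executed, checks whether a "gif" is really a PE by its MZ header, and matches the quoted MD5 of "mexico.exe". The event line format and hostnames are constructed for the example.

```python
import hashlib
import ntpath

# Indicators quoted from the Websense alert above.
LURE_MD5 = "ce073c460ec25d7e40efe3f717f75c38"      # MD5 of "mexico.exe"
STAGE2_NAME = "file56.gif"                          # second-stage download name
DROPPED_TXT, DROPPED_EXE = "html.txt", "html.exe"   # written to system32, then renamed

# Constructed sample host events (not real telemetry), one per line:
# "<host> <action> <arg> [<arg>]". Paths are space-free for the simple parser below.
SAMPLE_EVENTS = """\
hostA download http://site.invalid/cards/file56.gif C:\\Windows\\system32\\html.txt
hostA rename C:\\Windows\\system32\\html.txt C:\\Windows\\system32\\html.exe
hostA exec C:\\Windows\\system32\\html.exe
hostB download http://site.invalid/img/file56.gif C:\\Users\\bob\\file56.gif
hostB exec C:\\Apps\\viewer.exe
"""

def matches_lure(data: bytes) -> bool:
    """True if the bytes are the 'mexico.exe' sample (MD5 used only as an IoC match)."""
    return hashlib.md5(data).hexdigest() == LURE_MD5

def is_pe(data: bytes) -> bool:
    """The alert says file56.gif is really a Windows executable: a PE starts with 'MZ'."""
    return data[:2] == b"MZ"

def _in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()

def _name(path: str) -> str:
    return ntpath.basename(path).lower()

def find_dropper_chain(events: str) -> set:
    """Hosts where download(file56.gif -> system32\\html.txt), rename to html.exe and
    exec of html.exe occurred in that order, as the alert describes."""
    stage = {}  # host -> how far along the chain that host is
    for line in events.splitlines():
        host, action, *args = line.split()
        s = stage.get(host, 0)
        if (s == 0 and action == "download" and len(args) == 2
                and args[0].lower().endswith(STAGE2_NAME)
                and _in_system32(args[1]) and _name(args[1]) == DROPPED_TXT):
            stage[host] = 1
        elif (s == 1 and action == "rename" and len(args) == 2
                and _name(args[0]) == DROPPED_TXT and _name(args[1]) == DROPPED_EXE):
            stage[host] = 2
        elif (s == 2 and action == "exec" and args
                and _in_system32(args[0]) and _name(args[0]) == DROPPED_EXE):
            stage[host] = 3
    return {h for h, s in stage.items() if s == 3}

if __name__ == "__main__":
    print(find_dropper_chain(SAMPLE_EVENTS))  # {'hostA'}
```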
.
RealPlayer 0-day exploit attacks in progress
FYI...
- http://preview.tinyurl.com/36awux
October 19, 2007 (Computerworld) - "Attackers are exploiting a zero-day vulnerability in RealPlayer in order to infect Windows machines running Internet Explorer, Symantec Corp. said late Thursday. The security company issued an alert that rated the threat with its highest possible score. According to a warning issued to customers of its DeepSight threat network, Symantec said an ActiveX control installed by RealNetworks Inc.'s RealPlayer program is flawed. When combined with Microsoft Corp.'s Internet Explorer (IE) browser -- which relies on ActiveX controls to extend its functionality -- the bug can be exploited, and malicious code downloaded to any PC that wanders to a specially-crafted site. Only systems on which both RealPlayer and IE have been installed are vulnerable. Symantec ranked the attack as a "10" on its urgency scale because it has confirmed that attacks are being conducted in the wild; those attacks have resulted in malicious code downloaded to victimized PCs. The only bright spot: "We are not currently aware of widespread exploitation of this issue," the company's warning read... Symantec also referenced a blog* that had posted some information about the RealPlayer vulnerability Wednesday morning..."
* http://www.infosecblog.org/2007/10/nasa-bans-ie.html
October 18, 2007 - "I heard that NASA is telling employees and contractors not to use IE due to malware affecting Internet Explorer and Real Player..."
Adobe Reader/Acrobat v8.1 vuln
FYI...
- http://isc.sans.org/diary.html?storyid=3531
Last Updated: 2007-10-22 20:58:04 UTC
"http://www.adobe.com/support/securit...apsb07-18.html
...Update available for vulnerability in versions 8.1 and earlier of Adobe Reader and Acrobat
Release date: October 22, 2007
Vulnerability identifier: APSB07-18
CVE number: CVE-2007-5020
Platform: Windows XP (Vista users are not affected) with Internet Explorer 7 installed
> Affected software versions: Adobe Reader 8.1 and earlier, Adobe Reader 7.0.9 and earlier
> Adobe Acrobat Professional, 3D and Standard 8.1 and earlier versions, Adobe Acrobat Professional, Standard, 3D and Elements 7.0.9 and earlier"
The acrobat patch is available here http://www.adobe.com/support/downloa...atform=Windows
The reader patch is available here http://www.adobe.com/support/downloa...atform=Windows ..."
.
IBM Lotus Notes multiple vulns - update available
FYI...
- http://secunia.com/advisories/27279/
Release Date: 2007-10-23
Critical: Highly critical
Impact: Exposure of sensitive information, System access
Where: From remote
Solution Status: Vendor Patch
Software: IBM Lotus Notes 6.x, IBM Lotus Notes 7.x ...
Solution: Update to version 7.0.3 or 8.0.
NOTE: Version 8.0 does not fix the vulnerability in wp6sr.dll.
http://www-306.ibm.com/software/lotu...ral/index.html ...
http://www-1.ibm.com/support/docview...id=swg21271111
"...Fixed in Lotus Notes 7.0.3 / Proposed for 8.0.1..."
.
PDF mailto exploit documents in the wild
FYI...
- http://isc.sans.org/diary.html?storyid=3537
Last Updated: 2007-10-23 20:16:52 UTC - "The vulnerability initially reported here http://isc.sans.org/diary.html?storyid=3406 and confirmed here (with workaround) http://isc.sans.org/diary.html?storyid=3477 and patched here http://isc.sans.org/diary.html?storyid=3531 now appears to have been spotted in the wild. The proof of concept code had been released, and a number of people have reported receiving the PDFs which exploit the vulnerability. Obviously please patch, apply the workarounds, and/or ensure you can detect and block the exploit. File names seen so far are 'BILL.pdf' and 'INVOICE.pdf'."
> http://forums.spybot.info/showpost.p...2&postcount=17
-----------------------------------
PDF Exploit Spam Used to Install Gozi Trojan in New Attack
- http://www.secureworks.com/research/threats/gozipdf/
October 23, 2007 - "...The attachment may instead be represented by an icon used to represent PDF files. These attachments use filenames such as BILL.pdf or INVOICE.pdf, but those filenames, as well as the sender and message content itself, may change. The attached exploit may be detected by some anti-malware vendors as Downloader.PDF, Pidief.A or similar names. The exploit downloads a first-stage downloader EXE file from an RBN (Russian Business Network) server via anonymous FTP and executes it. That downloader installs a variant of the Gozi Trojan which steals data as described in the Threat Analysis posted on the SecureWorks website:
* http://www.secureworks.com/research/threats/gozi/
The latest Gozi variant (Gozi.F) installed by this exploit was detected by 26% of 32 of the largest anti-malware vendors at the time of release..."
Southern California Wildfire Scams
FYI...
- http://www.websense.com/securitylabs...php?BlogID=152
Oct 25 2007 - "...Most of you have heard by now San Diego and some surrounding Los Angeles areas are suffering from devastating fires. Since our headquarters is in San Diego we have certainly been affected by the fires, and several employees were evacuated and some have lost homes. One very amazing thing has been the outpouring of support both locally within the communities, state-wide, and internationally. We have received several offers from people to house folks who have had to relocate and several other offers of help.
Unfortunately, as we saw with Katrina and several other emergencies, there are also criminals who attempt to take advantage of the supporters who are willing to help. Please make sure you are dealing with legitimate organizations and, if possible, contact them on your own. Be very careful of people reporting to be agencies such as the Red Cross asking for donations or requesting you to visit their websites. They may be fraudulent or hosting malicious code designed to steal information such as banking details. For example, many suspicious eBay auctions have appeared requesting donations..."
(Screenshot available at the URL above.)
RealPlayer/RealOne/HelixPlayer multiple vulns - update available
FYI...
- http://secunia.com/advisories/27361/
Release Date: 2007-10-26
Critical: Highly critical
Impact: System access
Where: From remote
Solution Status: Vendor Patch
Software: Helix Player 1.x, RealOne Player 1.x, RealOne Player 2.x, RealPlayer 10.x, RealPlayer Enterprise 1.x ...
Solution: Update to the latest versions. Please see the vendor's advisory for details.
http://service.real.com/realplayer/s...007_player/en/ ..."