
Thread: 2006 Alerts - Q1

  #11 AplusWebMaster (Adviser Team, USA, joined Oct 2005, 6,881 posts)

    IE vuln posts copy text to web (!)

    FYI...

    - http://www.theinquirer.net/?article=29856
    23 February 2006
    "A WARNING RECEIVED highlights what appears to be a real Explorer danger that text copied onto the clipboard can be seen on the web. Some people who should, appear to know all about this, while it was news to others we contacted.

    So try this:
    1) Copy any text by ctrl+c
    2) Click the Link:
    http://www.sourcecodesworld.com/special/clipboard.asp
    ("...The best way to solve this problem is to use Firefox...")
    3) You will see the text you copied on the Screen which was accessed by this web page.
    The advice is do not keep sensitive data (like passwords, credit card numbers, PIN etc.) in the clipboard while surfing the web. It is extremely easy to extract the text stored in the clipboard.

    To fix this it is simple, do the following in your browser:
    Tools->Internet Options->Security->Custom Level scroll down to "Scripting"
    Disable "Allow paste operation via script"
    Hit OK and you should be good to go.

    To verify, repeat step 1 & 2 and you will see the link can not see your clipboard.
    Good luck."

    The machine has no brain.
    ......... Use your own.
    Browser check for updates here.
    YOU need to defend against -all- vulnerabilities.
    Hacks only need to find -1- to get in...
    .

  #12 AplusWebMaster (Adviser Team, USA, joined Oct 2005, 6,881 posts)

    Winamp buffer overflow vuln - update available

    FYI...

    - http://isc.sans.org/diary.php?storyid=1149
    Last Updated: 2006-02-25 15:33:14 UTC
    "We have been monitoring a reported flaw with Winamp 5.12 and 5.13. A buffer overflow condition with a playlist containing a long file name can cause the application to crash at best and execute arbitrary code at worst. To date, we are not aware of any POC that uses this vulnerability successfully for malicious purposes. This problem is fixed in Winamp 5.2 so users are advised to update..."

    - http://secunia.com/advisories/18848
    Release Date: 2006-02-16
    Last Update: 2006-02-23
    Critical: Highly critical
    Impact: DoS, System access
    Where: From remote
    Solution Status: Vendor Patch
    Software: Winamp 5.x...
    ...The vulnerability has been reported in versions 5.12 and 5.13. Prior versions may also be affected.
    Solution:
    Update to version 5.2 ..."

    Winamp 5.2 Player Download
    >>> http://www.winamp.com/player/
    Version History
    - http://www.winamp.com/player/version_history.php


  #13 AplusWebMaster (Adviser Team, USA, joined Oct 2005, 6,881 posts)

    Fresh Apple Patches

    FYI...

    Fresh Apple Patches
    - http://isc.sans.org/diary.php?storyid=1160
    Last Updated: 2006-03-02 00:09:47 UTC
    "Apple released a security update called "2006-001". It is claiming to update following components:
    - apache_mod_php
    - automount
    - Bom
    - Directory Services
    - iChat
    - IPSec
    - LaunchServices
    - LibSystem
    - loginwindow
    - Mail
    - rsync
    - Safari
    - Syndication
    For detailed information on this update, we'll refer you to apple's article 303382*. This update is very critical to install on your Mac OS X machines..."

    * http://docs.info.apple.com/article.html?artnum=303382


  #14 AplusWebMaster (Adviser Team, USA, joined Oct 2005, 6,881 posts)

    New IM Worms Delete Files, Hijack PCs

    FYI...

    - http://www.techweb.com/article/print...section=700028
    March 07, 2006
    "An anti-virus vendor warned Tuesday that two new worms spreading on Microsoft's and America Online's instant messaging networks delete files and leave systems open to hijacking. Symantec posted alerts for the "Hotmatom" and "Maniccum" worms, and ranked both as a level "2" threat. The Cupertino, Calif.-based security company uses a 1 through 5 scale to label worms, viruses, and Trojans. Hotmatom, said Symantec, is a Spanish-language worm transmitted over Microsoft's MSN instant messaging network. A message arrives, seemingly from a trusted IM contact, that claims a "very dangerous virus" (virus muy peligroso) has been detected, and offers a link to a free patch. Clicking on the link, however, actually installs the worm. Once on a PC, Hotmatom* deletes files at the root level of the A:/ and C:/ drives, then assigns those deleted filenames to copies of itself. It also appends text to any future Microsoft Hotmail e-mail messages sent by that computer; the text, which can be in either Spanish or English, includes links to the same malicious code. Maniccum**, meanwhile, propagates via both America Online's AIM and MSN's networks, and if installed, opens a backdoor on that PC and tries to disable security programs, including anti-virus and firewall software. The backdoor, which accepts commands from the attacker via IRC, can be used to access files, update the worm, upload more malicious code, send additional AIM and/or MSN messages, and launch denial-of-service (DoS) attacks, said Symantec."

    * http://www.symantec.com/avcenter/ven....hotmatom.html

    ** http://www.symantec.com/avcenter/ven....maniccum.html


  #15 md usa spybot fan (Spybot Advisor Team [Retired], joined Oct 2005, 5,859 posts)

    McAfee AntiVirus Users:

    Unfortunately it appears that McAfee, Inc. may not consider the above threat as serious as one would hope.

    The latest McAfee DAT file (DAT 4712) was just released and it does not appear to include the detection for the "W32/Hotmatom.worm":

    DAT Version: 4712
    DAT Release Date: 03/07/2006
    Threats Detected: 181664
    New Detections: 21
    Enhanced Detections: 100
    According to the following, the detection for the "W32/Hotmatom.worm" is rated "Low" for both Home and Corporate users:

    Virus Profile: W32/Hotmatom.worm
    Risk Assessment
    - Home Users: Low
    - Corporate Users: Low
    Date Discovered: 3/7/2006
    Date Added: 3/7/2006
    Origin: Unknown
    Length: 204,800 bytes
    Type: Virus
    SubType: Worm
    DAT Required: 4713
    Since the latest detection file is "DAT 4712" and "W32/Hotmatom.worm" is not being detected until "DAT 4713" (which would not normally be published until tomorrow) please be careful or restrict your instant messaging activity until McAfee's AntiVirus includes signatures for this threat.

    Getting an answer is one thing, learning is another.


    Microsoft Windows XP Home Edition running on a 2.40GHz Intel® Pentium® 4 Processor with 512 MB of RAM and a 533 MHz System Bus.

  #16 AplusWebMaster (Adviser Team, USA, joined Oct 2005, 6,881 posts)

    New IM Worms Delete Files, Hijack PCs

    Even with all that stuff from Symantec:

    - http://www.sarc.com/
    ...currently, the "ThreatCon Level is 1 - The ThreatCon is being maintained at Level 1. DeepSight TMS is not currently reporting any anomalous or notable activity" (... in spite of the "level '2' threat" on both items named).

    ...so, it makes you wonder whether the right hand knows what the left is doing at times.

    Suffice it to say, use caution with IM while these uglies are out and about at AOL and MSN.



  #17 AplusWebMaster (Adviser Team, USA, joined Oct 2005, 6,881 posts)

    Fraudulent Nokia site hosting Crimeware Keylogger

    FYI...

    - http://www.websensesecuritylabs.com/...hp?AlertID=441
    March 09, 2006
    "Websense® Security Labs™ has received reports of a malicious website, which is hosting a Trojan Horse keylogger. This keylogger is designed to steal end-user information for popular online games. The malicious code's filename is main_n80.scr and was discovered on a site, which appears to be a fraudulent version of the Nokia Taiwan website.
    The site uses a cousin domain name and simply has an image screenshot of the real Nokia Taiwan website. It is hosted in Hong Kong and appears to have been registered with fraudulent information.
    Other Details:
    The main_80.scr file is an SFX self-extracting executable file that contains four files:
    * download.exe
    * winlogin.exe
    * server.exe
    * error.jpg
    When the main_80.scr file is executed, it will use download.exe to copy the extracted files to the system32 dir and execute its version of run32dll.exe. The rundll32.exe file will show error.jpg. Once the user closes the .jpg file, rundll32.exe will execute the rest of the extracted .exe files. These extracted .exe files modify the registry, as detailed below, to ensure that it starts on restart, and check for the existence of the application Lineage.
    * Modifies or creates files and stores in system32 directory
    * Kerne0110.exe is a copy of winlogin.exe
    * Rundll32.exe is a copy of download.exe
    * gg.bat is created
    * _2dll.dll is created
    * microsoftie0110.dll is created
    * msabc.dll is created
    * pKerme123.dll is created
    * RegistryInfo.dll is created
    * Verifies installation of lineage..."

    (Screenshot available at the URL above.)


  #18 AplusWebMaster (Adviser Team, USA, joined Oct 2005, 6,881 posts)

    McAfee/NAI rolls bad pattern

    FYI...

    - http://isc.sans.org/diary.php?storyid=1179
    Last Updated: 2006-03-11 01:29:45 UTC
    "NAI/McAfee today released pattern version 4716 only hours after 4715 had come out. Pattern 4715 triggered false positive virus alerts for "W95/CTX" on a number of files that are part of quite prominent third party products. Good for you if you have your AV configured to "quarantine" bad files and not to delete them outright, this makes restoring the chewed up files after a false positive considerably faster. Nevertheless, things like this can get messy pretty quickly if the AV scanner starts to quarantine vital components of your environment.
    If you weren't affected and/or are using a different AV product, it might still be worthwhile to spend a couple of minutes on the following questions:
    * How would you detect such a "bad pattern" in your environment, and, more importantly, how would you distinguish between "false positive" and "virus outbreak"?
    * Would you have the capability to roll back to the last "known good" pattern if help from the vendor were not forthcoming? Where exactly do these patterns come from? Is the previous pattern version available there as well?"

    -------------------------------------------------
    EDIT/ADD:
    RE: False positives from 4715 DAT file of 3.10.2006:
    - http://vil.nai.com/vil/content/v_138884.htm
    "...Users who have moved detected files to quarantine should restore them to their original location. Windows users who have had files deleted should restore files from backup or use System Restore.
    Virusscan Online users can restore the falsely detected file from the Manage Quarantined Files by clicking on the Restore button as shown..."
    >>> (See URL above for complete info and screenshots.)
    Also see:
    - http://isc.sans.org/diary.php?storyid=1184
    Last Updated: 2006-03-12 18:58:01 UTC

    --------------------------------------------------
    More...
    - http://vil.nai.com/vil/content/v_138884.htm
    W95/CTX ...
    "... Update March 12, 2006 - 15:28 PDT --
    A complete list of files, which are known to trigger this incorrect identification, can be downloaded here*."
    * http://vil.nai.com/images/CTX_file_list.pdf
    EDIT/ADD:
    - http://isc.sans.org/diary.php?compare=1&storyid=1184
    "...Update: 02:43 UTC 2006-03-13 - McAfee has released a list of (supposedly) all the files affected by DAT 4715. It includes some other interesting ones in addition to excel.exe, like setup.exe, uninstall.exe, shutdown.exe, and reg.exe to name just a few, but is clearly incomplete since it doesn't include any of the Oracle binaries that have been reported to be affected by some of our readers..."

    ---------------------------------------------
    FYI... re: http://isc.sans.org/diary.php?compare=1&storyid=1184
    "...McAfee has developed a tool that will restore files that were quarantined by DAT 4715..."

    - http://vil.nai.com/vil/content/v_138884.htm
    "...Update March 13, 2006 - 17:45 PDT --
    Tools for recovering quarantine files due to this incorrect identification can be found here*..."

    McAfee W95/CTX Quarantine File Restore Utility
    * http://vil.nai.com/vil/stinger/ctxundo.asp

    :(
    Last edited by AplusWebMaster; 2006-03-14 at 16:42. Reason: Additional info...

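Worked example for the two ISC questions quoted in #18 (how would you spot a bad pattern, and how would you tell a false positive from an outbreak). This is an added example, not ISC or McAfee code: it runs a triage heuristic over constructed alert lines in an assumed pipe-separated format (timestamp|host|DAT|signature|path|action). The W95/CTX lines mimic the 2006-03-10 event using file names named on the page; the worm entries use a made-up signature name, and the directory markers, thresholds and 30-minute window are assumptions.

```python
"""Bad-pattern triage: is a burst of AV alerts a false positive or an outbreak?

Added example; not ISC or McAfee code. The log format, directory markers and
thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alert lines: timestamp|host|DAT version|signature|path|action.
# The W95/CTX entries mimic the 2006-03-10 event; the worm entries use a made-up name.
SAMPLE_ALERTS = """\
2006-03-10T18:02:11|ws-101|4715|W95/CTX|C:\\Program Files\\Microsoft Office\\OFFICE11\\EXCEL.EXE|quarantine
2006-03-10T18:02:40|ws-102|4715|W95/CTX|C:\\WINDOWS\\system32\\reg.exe|quarantine
2006-03-10T18:03:05|ws-103|4715|W95/CTX|C:\\WINDOWS\\system32\\shutdown.exe|quarantine
2006-03-10T18:03:30|ws-104|4715|W95/CTX|C:\\oracle\\product\\10.2\\bin\\sqlplus.exe|quarantine
2006-03-10T18:04:02|ws-105|4715|W95/CTX|C:\\Program Files\\Adobe\\Reader\\AcroRd32.exe|quarantine
2006-03-10T18:04:50|ws-106|4715|W95/CTX|D:\\installers\\setup.exe|quarantine
2006-03-10T18:05:12|ws-107|4715|W95/CTX|C:\\Program Files\\Foo\\uninstall.exe|quarantine
2006-03-10T20:15:44|ws-201|4715|W32/SampleIM.worm|C:\\Documents and Settings\\bob\\Local Settings\\Temp\\patch.exe|quarantine
2006-03-10T20:16:10|ws-202|4715|W32/SampleIM.worm|C:\\Documents and Settings\\alice\\Local Settings\\Temp\\patch.exe|quarantine
2006-03-10T20:16:55|ws-203|4715|W32/SampleIM.worm|C:\\Documents and Settings\\eve\\Local Settings\\Temp\\patch.exe|quarantine
2006-03-10T20:17:20|ws-204|4715|W32/SampleIM.worm|C:\\Documents and Settings\\dan\\Local Settings\\Temp\\patch.exe|quarantine
"""

# Assumed: where installed software lives on these hosts (lower-case substrings).
INSTALLED_DIR_MARKERS = ("\\program files\\", "\\windows\\", "\\oracle\\")
BURST_WINDOW = timedelta(minutes=30)   # assumed: FP bursts follow a DAT push closely


def parse_alerts(text):
    """Parse the constructed pipe-separated format into dicts."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dat, sig, path, action = line.split("|")
        alerts.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "dat": dat, "sig": sig, "path": path, "action": action})
    return alerts


def triage(alerts, min_hosts=4):
    """Classify each (DAT, signature) pair seen on at least min_hosts hosts.

    False-positive fingerprint: one signature suddenly matches many *different*
    installed binaries under vendor/OS directories, all inside a short window.
    Outbreak fingerprint: the same dropped file name under user-writable paths
    on many hosts.
    """
    groups = defaultdict(list)
    for a in alerts:
        groups[(a["dat"], a["sig"])].append(a)

    results = {}
    for key, hits in groups.items():
        hosts = {h["host"] for h in hits}
        if len(hosts) < min_hosts:
            continue
        names = {h["path"].rsplit("\\", 1)[-1].lower() for h in hits}
        installed = sum(1 for h in hits
                        if any(m in h["path"].lower() for m in INSTALLED_DIR_MARKERS))
        installed_frac = installed / len(hits)
        span = max(h["ts"] for h in hits) - min(h["ts"] for h in hits)

        if len(names) >= 5 and installed_frac >= 0.6 and span <= BURST_WINDOW:
            verdict = "probable-false-positive"
        elif len(names) <= 2 and installed_frac < 0.4:
            verdict = "probable-outbreak"
        else:
            verdict = "review"
        results[key] = {"verdict": verdict, "hosts": len(hosts),
                        "distinct_names": len(names),
                        "installed_fraction": round(installed_frac, 2)}
    return results


def dats_to_roll_back(results):
    """DAT versions implicated in a probable false positive; these are the
    candidates for rolling back to the previous known-good pattern."""
    return sorted({dat for (dat, _sig), r in results.items()
                   if r["verdict"] == "probable-false-positive"})


if __name__ == "__main__":
    verdicts = triage(parse_alerts(SAMPLE_ALERTS))
    for (dat, sig), r in verdicts.items():
        print(dat, sig, r)
    print("roll back:", dats_to_roll_back(verdicts))
```

The discriminator is not the alert count but what gets hit: a pattern that suddenly flags excel.exe, reg.exe and an Oracle binary on seven different hosts within three minutes of a DAT rollout looks like the DAT, whereas the same patch.exe in every user's Temp directory looks like a worm. Anything in between lands in "review" for a human; and the DAT list returned by dats_to_roll_back is only useful if you kept the previous pattern file somewhere you control.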
  #19 AplusWebMaster (Adviser Team, USA, joined Oct 2005, 6,881 posts)

    "Acts of terrorism..." trojan

    FYI...

    - http://isc.sans.org/diary.php?storyid=1181
    Last Updated: 2006-03-11 19:54:39 UTC
    "Don't open zips you get in the mail. Today's gem claims to be video about new acts of terrorism. Attached to the email was a 47KB zip file news.zip. Inside news.zip is news.exe. But its a trojan, of course. Only about half of the av scanners recognized it. Those that did identified it as a trojan downloader of some sort.
    TEXT of the virus message:

    From: BBC World News [mailto:news@info.bbc.com]
    Sent: Fri 3/10/2006 7:24 PM
    To: Smith, Donald
    Subject: New acts of terrorism in New York and London

    Today FBI and SCOTLAND YARD has informed on set of new acts of terrorism in New York and London. On a communique was lost more than two thousand person and about ten thousand have received the wounds which were much of them are in a grave condition.Police and MI5 identified an Al-Qaeda cell that had carried out extensive research and video-recorded reconnaissance missions in preparation for the attack. You can learn the detailed information in the attached file."


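Added example covering the delivery methods in #17 (a .scr self-extractor) and #19 (news.zip wrapping news.exe): a mail-gateway style attachment screen that flags executable attachment types, looks inside a zip's directory without extracting it, and peeks at the first bytes of each member so a PE file renamed to .jpg or .txt is still caught. This is not code from ISC or Websense; the extension policy list is an assumption, the sample attachments are constructed in memory, and the "PE" payload is just an MZ stub, not real malware.

```python
"""Attachment screen: catch executables sent bare or wrapped in a zip.

Added example, not code from ISC or Websense. The extension policy list is an
assumption; the sample attachments below are constructed in memory.
"""
import io
import zipfile

# Assumed policy: attachment types that never belong in inbound mail.
EXEC_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
MZ_MAGIC = b"MZ"                 # DOS/PE header signature
ZIP_MAGIC = b"PK\x03\x04"        # zip local file header


def _ext(name):
    """Lower-case extension of a file name or zip member path ('' if none)."""
    name = name.lower().rsplit("/", 1)[-1]
    return name[name.rfind("."):] if "." in name else ""


def screen_attachment(filename, data):
    """Return the list of reasons to block; an empty list means allowed."""
    reasons = []
    ext = _ext(filename)
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"executable attachment type {ext}")
    elif data[:2] == MZ_MAGIC:
        # Extension says document, bytes say Windows executable.
        reasons.append(f"PE header in file claiming to be {ext or 'no extension'}")

    if data[:4] == ZIP_MAGIC:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    inner_ext = _ext(info.filename)
                    if inner_ext in EXEC_EXTENSIONS:
                        reasons.append(f"zip contains executable {info.filename}")
                    elif info.flag_bits & 0x1:
                        # Encrypted member: cannot inspect, treat as suspect.
                        reasons.append(f"zip contains encrypted member {info.filename}")
                    else:
                        # Read only the first two bytes; never extract to disk.
                        with zf.open(info) as member:
                            if member.read(2) == MZ_MAGIC:
                                reasons.append(
                                    f"zip member {info.filename} is a PE file "
                                    f"despite extension {inner_ext or 'none'}")
        except zipfile.BadZipFile:
            reasons.append("malformed zip")
    return reasons


def build_zip(members):
    """Construct an in-memory zip from {name: bytes} (test data helper)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed stand-in for a PE file: just the MZ signature plus padding.
FAKE_PE = MZ_MAGIC + b"\x90" * 62

if __name__ == "__main__":
    samples = {
        "news.zip": build_zip({"news.exe": FAKE_PE}),   # the #19 lure
        "main_n80.scr": FAKE_PE,                        # the #17 self-extractor
        "photos.zip": build_zip({"photo.jpg": FAKE_PE}),  # renamed executable
        "report.pdf": b"%PDF-1.4\n",
    }
    for name, blob in samples.items():
        print(name, "->", screen_attachment(name, blob) or "allowed")
```

Checking the extension alone would have let the renamed member in photos.zip through; checking the magic bytes alone would miss a .vbs. Doing both, and refusing to make a decision about encrypted members you cannot read, is the minimum a gateway should do before the "don't open zips you get in the mail" advice above has to carry the whole load.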
  #20 AplusWebMaster (Adviser Team, USA, joined Oct 2005, 6,881 posts)

    Apple Mac OS X security patch bundle 2006-002

    Once again...

    Apple Mac OS X security patch bundle 2006-002
    - http://isc.sans.org/diary.php?storyid=1188
    Last Updated: 2006-03-13 23:44:56 UTC
    "Apple released some more security patches today for Mac OS X in a bundle called 2006-002*.
    * CoreTypes: CVE-2006-0400
    Fix for an XSS scripting vulnerability in archives by flagging the documents as unsafe.
    * Mail: CVE-2006-0396
    Fix for a vulnerability allowing arbitrary code execution by clicking on crafted email messages
    * Safari, LaunchServices, CoreTypes: CVE-2006-0397, CVE-2006-0398, CVE-2006-0399
    Additional checks on top of those in the previous update.
    * Various non security rated regression fixes in a.o. apache_mod_php (still based on PHP 4.4.1, not on the latest 4.4.2) and rsync..."

    * http://docs.info.apple.com/article.html?artnum=303453

    ------------------------------------------------

    - http://secunia.com/advisories/19129/
    Release Date: 2006-03-14
    Critical: Extremely critical
    Impact: Security Bypass, System access
    Where: From remote
    Solution Status: Vendor Patch
    OS: Apple Macintosh OS X...
    Description:
    Apple has issued a security update for Mac OS X, which fixes multiple vulnerabilities.
    1) Under certain circumstances, it is possible for JavaScript to bypass the same-origin policy via specially crafted archives.
    2) A boundary error in Mail can be exploited to cause a buffer overflow via a specially crafted email. This allows execution of arbitrary code on a user's system if a specially crafted attachment is double-clicked.
    3) An error in Safari / LaunchServices can cause a malicious application to appear as a safe file type. This may cause a malicious file to be executed automatically when visiting a malicious web site...
    Solution:
    Apply Security Update 2006-002 ( http://docs.info.apple.com/article.html?artnum=303453 ).

    Last edited by AplusWebMaster; 2006-03-14 at 14:25. Reason: Additional info...
