Security Updates
Oct 24 2008

Microsoft is breaking from its standard monthly release of Security Bulletins on the second Tuesday of each month to release MS08-067 out of band. This Critical Security Bulletin addresses a vulnerability in the Server service that could allow remote code execution by an attacker.

Here is how Microsoft describes the problem in the executive summary of the Security Bulletin:

This security update resolves a privately reported vulnerability in the Server service. The vulnerability could allow remote code execution if an affected system received a specially crafted RPC request. On Microsoft Windows 2000, Windows XP, and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. It is possible that this vulnerability could be used in the crafting of a wormable exploit. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.

This security update is rated Critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, and rated Important for all supported editions of Windows Vista and Windows Server 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by correcting the way that the Server service handles RPC requests. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

This flaw affects all versions of Microsoft Windows. Part of the reason for the urgency of the concern, as stated in the Executive Summary above, is that on many versions of Windows the vulnerability can be exploited without interaction or authentication by the user, making it possible for an attacker to develop a worm based on this vulnerability.


Fake 404 Error


Sometimes a user comes across a webpage that is no longer available and sees an error page. A few days ago, F-Secure posted a blog entry about a fake error message that tries to convince the user to download a file in order to view the webpage.

The article includes a screenshot of what the fake error looks like and shows which domain name attempted this trick. FraudTool.Win32.Agent.eh is the name of the file that users would have downloaded if they fell for the trick.

Source: F-Secure

.im Phishing Domains on Facebook


The users of Facebook are facing another phishing campaign according to an article at The Register.

The fraudulent messages attempt to trick users into giving away their login details. The websites associated with the attack use .im domains, including 151.im and 123.im.

Facebook staff are removing the messages and are also helping to restore the compromised accounts.

One reason cybercrooks target these accounts is that many consumers reuse the same password on other sites.

Source: The Register

XSS Flaws on MPAA Websites


The Register reported that cross-site scripting (XSS) flaws were exploited by cheeky crackers to inject listings from The Pirate Bay into the Motion Picture Association of America (MPAA) websites.

The result is that links from the controversial torrent site The Pirate Bay are listed under the MPAA’s recommended list of sites.

Vektor, a member of a group of hackers called Team Elite, notes that the Recording Industry Association of America (RIAA) website is also vulnerable to similar flaws.

Source: The Register

UK2.net Emails – 1-Week Offline


Customers of UK2.net had experienced email downtime since October 31, 2009. Today, the web host said that customers could now send and receive emails normally.

“We apologise to all customers hit by this, we’re moving the emails across as quickly as we can and should be finished by Sunday evening,” said Martin Baker who is the managing director of UK2.

According to Baker, a storage array failure was the cause of the problem.

No emails have been lost and the company will copy them from its current storage network to its new one.

Source: The Register

Default Windows 7 Malware Vulnerability


Posted: 06 Nov 2009 07:52 PM PST

According to a test by Sophos that ran Windows 7 on a clean system, the operating system is still vulnerable to malware out of the box.

Sophos said, “Unfortunately, despite Microsoft’s claims, Windows 7 disappointed just like earlier versions of Windows. The good news is that, of the freshest 10 samples that arrived, 2 would not operate correctly under Windows 7.”

User Account Control (UAC) blocked only one sample.

Chester Wisniewski of Sophos concludes that Windows 7 users still need anti-virus software.

Source: The Tech Herald

Compromised Web Pages


Posted: 01 Oct 2009

Google and other search engines are being tricked into displaying millions of compromised webpages. These webpages attempt to steal critical information from a user’s PC, such as credit card numbers.

One of the attacks uses the phrase “cheap vista for students” and redirects searchers to soft4pcs.com when they visit a compromised site. The search returns more than 19 million results.

Microsoft’s security team is working to remove the links from Bing. The team also added ads-t.ru to its list of malicious sites, since it attempts to serve a file that installs malware.

Source: The Register

New Windows Attack Code Released

A vulnerability in Windows that has been known since September 7 is being taken advantage of now that attack code has been released publicly. The public code merely crashes a computer, but Harmony Security Senior Researcher Stephen Fewer has developed code that lets an attacker run a program on a user’s machine, which is far more dangerous than a crash.

According to Metasploit developer HD Moore, Windows Vista Service Pack 1 and 2, as well as Windows Server 2008 SP1, are the operating systems vulnerable to the exploit.

An Immunity Senior Researcher said that the code only works on Vista.

Source: PC World

Yahoo Mail Password Hole

A security hole that is two years old is being exploited by scammers.

“If the front gate of your castle is your login page to Yahoo Mail, they’ve done a good job of securing it,” said Ryan Barnett of Breach Security, regarding a backdoor that exists because Yahoo fails to carry out a variety of security checks on the pages that follow the Yahoo Mail login page. Barnett told Yahoo about the hole in 2007.

The article also notes that the company has no rules barring weak passwords for its users.

“Yahoo! takes online security very seriously. We are investigating the situation and will take appropriate action,” said a company spokesman.

Source: The Register

MS06-028 Vulnerability on PowerPoint Documents


Sophos has posted a blog entry about malicious documents that exploit the MS06-028 vulnerability. The vulnerability was patched three years ago.

If a user’s machine has been patched, he or she will get a warning saying “Powerpoint was unable to display some of the text, images…” when trying to open the file.

On an unpatched machine, a brief flicker occurs on-screen before the first slide of the presentation appears. Sophos detects the malicious documents as Troj/ExpPPT-G.

Source: Sophos