November 2006 - Posts

Summary

Adobe is aware of a recently published report of potential vulnerabilities in Adobe Reader and Acrobat. These vulnerabilities would cause the application to crash and could potentially allow an attacker to take control of the affected system.

Affected software versions

Adobe Reader 7.0.0 through 7.0.8 and Adobe Acrobat Standard and Professional 7.0.0 through 7.0.8 on the Windows platform when using Internet Explorer. Users of other browsers are not affected.

Adobe Security Advisory 

Security specialist Symantec issued a critical update on Tuesday for its Veritas NetBackup 6.0 PureDisk Remote Office Edition, whose vulnerabilities could allow attackers to gain remote control over a user's system.

Symantec issued the security update to address buffer overflow vulnerabilities found in the HTML-embedded scripting language PHP, which is used in its NetBackup 6.0 software, according to Symantec's security advisory.

CNet 

Those using online phones and instant message services will be prime targets for hackers next year, says one of the world's largest security firms.

MessageLabs today released its security threat predictions for next year, and observed that hackers were developing far more sophisticated methods to get around protection software.

Story 

The European Commission has urged its member states to beef up their efforts to cut spam, spyware and malicious software, after research showed that up to 85 percent of all e-mail received in the European Union is unsolicited.

Research from such organizations as Spamhaus indicates that four-fifths of all spam can be traced to 200 criminal gangs operating internationally. The U.S. remains the single biggest source of spam, accounting for 22 percent of all spam received in the EU, the Commission said. China is the second largest source, accounting for 13 percent. France and South Korea rank joint third at 6 percent.

Computerworld 

Posted Tuesday, November 28, 2006 4:15 AM by Don

A security flaw in Google's search appliances could expose Web sites that use the products to information-stealing phishing attacks, experts warned Monday.

The Google Search Appliance and Google Mini are used by organizations including banks and universities to add search features to Web sites. A flaw in the way the systems handle certain characters makes it possible to craft a Web link that looks like it points to a trusted site, but when clicked serves up content from a third, potentially malicious site.

Story at news.com.com 

Posted Tuesday, November 28, 2006 4:01 AM by Don

Microsoft Corp. has initiated 97 lawsuits throughout Europe and the Middle East during its eight-month investigation into fraudulent Web pages, with another 32 criminal complaints filed in cooperation with local authorities, the company said Wednesday.

All of the cases are against individuals who attempted to capture the login and password details of users by constructing fraudulent Hotmail and MSN.com sign-in pages, said Jean-Christophe Le Toquin, a Microsoft attorney. A total of 253 sites were investigated, he said.

Computerworld

Posted Sunday, November 26, 2006 5:16 PM by Don

Online fraudsters may be ready to put Mac users in their sights.

On Thursday, antivirus firm F-Secure published a brief analysis of a proof-of-concept adware program for the Mac OS X that could theoretically hook into any application to run attacker-specified code. The program, dubbed IAdware by F-Secure, could be silently installed in a user's account without requiring administrator rights.

Securityfocus 

Posted Friday, November 24, 2006 12:35 PM by Don

Symantec Corp. launched the public beta of its new all-in-one consumer security service. Norton 360 combines Symantec’s proven, industry-leading PC security and tuneup technologies with new automated backup and online transaction security capabilities.

WebWire 

VaporStream has released software it claims will not record details of who sent an e-mail message, or who received it, and so provide a new level of privacy for electronic communications.

Such software would mean content could remain private and neither sender nor receiver would be exposed to legal risk from the communication, the company said. It would also be a means of defeating the cover-all aspects of compliance regulations and legal discovery investigations by ensuring private communications remain private.

Computerworld

The study looked at ten browser toolbars: Microsoft Explorer 7, eBay, Google, Netcraft (Mozilla), Netscape, Cloudmark (Mozilla), Earthlink, Geotrust’s TrustWatch, Stanford University’s Spoofguard, and McAfee’s SiteAdvisor.

Even the best of the bunch -- Earthlink, Netcraft, Google, Cloudmark, and Explorer 7 -- detected only 85% of fraudulent websites, a good but far from secure level of effectiveness. The rest scored under the 50% mark, with McAfee’s SiteAdvisor unable to spot any.

Computerworld 

Leading researchers say adware broker Zango continues to employ questionable business practices to distribute its programs, even as the U.S. Federal Trade Commission finalizes a settlement proposed by the company that would ban it from such activity.

In a statement posted on his Web site Nov. 20, independent adware researcher and Harvard-trained attorney Ben Edelman published a list of examples of ways in which he claims Zango is violating the terms it has proposed to the FTC, including the use of misleading EULAs (end user licensing agreements).

eWeek 

Posted Tuesday, November 21, 2006 4:37 AM by Don

Toughened threats have been the hallmark of this year's security scene, a prominent security researcher said Friday.

"They just got tougher this year," said Oliver Friedrichs, the director of Symantec's security response team. "They're harder to detect and harder to remove.

Techweb 

Posted Monday, November 20, 2006 9:01 AM by Don

A security researcher outlines a way to hide malicious code on graphics and network cards to avoid detection and survive a full re-installation of the operating system.

Story 

Posted Monday, November 20, 2006 8:58 AM by Don

Issued: November 16, 2006

Security Advisories Updated or Released Today

 * Microsoft Security Advisory (928604)
  - Title: Exploit Code Published Affecting the
    Workstation Service on Windows 2000
  - Revision Note: Advisory published.    

Support:

Technical support resources can be found at:
http://go.microsoft.com/fwlink/?LinkId=21131

On Tuesday, McAfee Avert Labs discovered W32/Realor.worm in the wild that was actively modifying all Real Media (*.rmvb) files in its path. These “infected” media files launch a malicious webpage without prompting, as they are being viewed by the user in Real media player. These files can be music or videos hosted on a network drive containing corporate presentations, a personal media server, or a P2P shared folder, et cetera. When was the last time you hesitated in opening a movie file?

Introduction

Six years ago, the SANS Institute and the National Infrastructure Protection Center (NIPC) at the FBI released a document summarizing the Ten Most Critical Internet Security Vulnerabilities. Thousands of organizations relied on that list, and on the expanded Top-20 lists that followed in succeeding years, to prioritize their efforts so they could close the most dangerous holes first. The vulnerable services that led to worms like Blaster, Slammer, and Code Red have been on SANS Top20 lists.

http://www.sans.org/top20/ 

Description:
A vulnerability has been reported in WinZip, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to several unspecified insecure methods in the FileView ActiveX control (WZFILEVIEW.FileViewCtrl.61). This can be exploited to execute arbitrary code via a specially crafted web site.

Successful exploitation requires that the user is tricked into visiting a malicious web site.

The vulnerability is reported in WinZip 10.0 versions prior to Build 7245.

Solution:
Update to version 10.0 Build 7245.

Secunia 

Description:
Sergio Alvarez has reported some vulnerabilities in AVG Anti-Virus, which can be exploited by malicious people to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.

1) An integer overflow error when parsing CAB archives can be exploited to cause a heap-based buffer overflow via a specially crafted CAB archive.

2) An unspecified error when parsing RAR archives can be exploited to cause a heap-based buffer overflow via a specially crafted RAR archive.

3) An uninitialized variable error exists within the parsing of CAB archives.

4) A division by zero error when parsing DOC files may in certain cases cause a DoS via a specially crafted DOC file.

5) An unspecified error exists within the parsing of EXE files.

The vulnerabilities are reported in AVG Antivirus software versions prior to 7.1.407.

Solution:
Update to the latest version.

Secunia Advisory 

November 14, 2006

Today Microsoft released the following Security Bulletin(s).

Note: www.microsoft.com/technet/security and www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.

Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.

Bulletin Summary

Critical (5)

MS06-067 - Cumulative Security Update for Internet Explorer (922760)

MS06-068 - Vulnerability in Microsoft Agent Could Allow Remote Code Execution (920213)

MS06-069 - Vulnerabilities in Macromedia Flash Player from Adobe Could Allow Remote Code Execution (923789)

MS06-070 - Vulnerability in Workstation Service Could Allow Remote Code Execution (924270)

MS06-071 - Vulnerability in Microsoft XML Core Services Could Allow Remote Code Execution (928088)

Important (1)

MS06-066 - Vulnerabilities in Client Service for NetWare Could Allow Remote Code Execution (923980)

A U.S. district court has shut down an operation that secretly downloaded multiple malevolent software programs, including spyware, onto millions of computers without consumers’ consent, degrading their computers’ performance, spying on them, and exposing them to a barrage of disruptive advertisements. The Federal Trade Commission has asked the court to order a permanent halt to these deceptive and unfair downloads, and to order the outfit to give up its ill-gotten gains.

http://ftc.gov/opa/2006/11/mediamotor.htm 

Posted Tuesday, November 14, 2006 4:39 AM by Don