February 2007 - Posts

Google Inc. has enhanced the way it notifies webmasters that their sites contain malware, improving on a service the Mountain View, California, company launched in November of last year in a partnership with The Stop Badware Coalition.

Google has begun providing more detailed alerts and sending these notifications to webmasters via e-mail, according to a posting Monday on an official Google blog.

Previously, Google only informed webmasters that their sites had been identified as having malware and made generic suggestions for fixing the problem. Now, the company also points webmasters to specific offending pages from their sites that Google has determined contain malicious components.

Computerworld 

Posted Tuesday, February 27, 2007 3:20 PM by Don | with no comments
Multiple flaws in commonly used technical support tools can open Windows PCs to cyberattack, security experts have warned.

The vulnerable tools are often used by Internet service providers, PC makers and others to provide support functions such as remote assistance, the U.S. Computer Emergency Readiness Team said in an alert published Thursday. The tools, provided by SupportSoft, contain multiple vulnerabilities, it warned.

US-CERT lists nearly 40 companies and other organizations that have shipped the affected software. Some have addressed the problem, while others are still listed as vulnerable or unknown. Those that have yet to fix the SupportSoft issue include IBM and Internet access providers BellSouth, Comcast and Time Warner, it said.

Story continues at news.com.com 

Posted Monday, February 26, 2007 4:31 PM by Don | with no comments

Mozilla Corp. updated Firefox Friday to patch 14 vulnerabilities, three of them critical, but pushed out the new versions without fixing several flaws.

Firefox 2.0.0.2 and Firefox 1.5.0.10, which were originally scheduled for release on Wednesday, were delayed to patch a series of bugs, including some disclosed this month by Polish researcher Michal Zalewski. Two others forwarded to Mozilla developers by Zalewski, however, didn't make it into today's updates.

"Neither of those will make this release," said Daniel Veditz of Mozilla's security team in an e-mail. "It is important that we get the security fixes we have into the hands of our users."

Story continues at computerworld.com 

Posted Friday, February 23, 2007 5:05 PM by Don | with no comments

Websense® Security Labs™ has discovered emails that attempt to lure users into clicking a link in order to "upgrade their system security." The emails, which are spoofed to appear to come from Monster, are written in HTML and claim that Monster's systems have been upgraded and that users need to download a certified utility to continue using Monster. The domain name the emails point to resolves to five different IP addresses. Upon connecting to one of these IP addresses, the code is run, several files are downloaded and installed on the user's machine, and another file is downloaded and installed from a server in Denmark. The files appear to be designed to steal end-user information.

Details 

Issued: February 23, 2007

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS07-010
  * MS06-058

Bulletin Information:

MS07-010

Reason for Revision: Bulletin updated: "Frequently Asked Questions (FAQ) Related to This Security Update" section in "Executive Summary" for WSUS Windows Defender update process.

Originally posted: February 13, 2007
Updated: February 22, 2007
Bulletin Severity Rating: Critical
Version: 1.1

MS06-058

Reason for Revision: Bulletin updated: Further investigation of CVE-2006-3877 revealed that the update as originally released was not effective in removing the vulnerability from affected systems. Microsoft Security Bulletin MS07-015 has been issued to properly address CVE-2006-3877, and customers should apply the updates in that bulletin immediately.

Originally posted: October 10, 2006
Updated: February 21, 2007
Bulletin Severity Rating: Critical
Version: 1.1

Support:

Technical support resources can be found at:
http://go.microsoft.com/fwlink/?LinkId=21131

Websense Security Labs(TM) has received reports of new malicious websites designed to install Trojan Horse bots that allow attackers to compromise end-user banking credentials for more than 50 financial institutions and ecommerce websites.

The websites are hosted in Germany, England, and Estonia, and appear to be using round-robin DNS, resolving to five unique IP addresses that rotate on each lookup. Each site hosts the same exploit code. This code attempts to exploit the Microsoft ADODB / XML HTTP (MS06-014) vulnerability to download and install a Trojan downloader without end-user interaction.

When end-users visit the site, they are directed to one of the five servers. If the end-user machine is vulnerable, a file called "iexplorer.exe" is downloaded and run. The site displays a simple page that says the server is temporarily busy and suggests that the user shut down any firewall and antivirus software. The "iexplorer.exe" file then downloads and installs five additional files from a server in Russia. The filenames are:

IEMod.dll
IEGrabber.dll
IEFaker.dll
CertGrabber.dll
PSGrabber.dll
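The rotating answers described in this alert are easy to surface from a resolver log or a handful of repeated lookups. The script below is an added example, not code from Websense or the original post: it resolves a hostname repeatedly, counts the distinct A records, and also counts how many unrelated /24 prefixes those records span, since several distinct networks behind one landing page is a stronger signal than the rotation alone (large CDNs rotate too, usually within a prefix or two). The resolver is injected so the sample runs offline on constructed data; the hostnames and the RFC 5737 documentation addresses are placeholders, not the real infrastructure. For a live check, pass a wrapper around socket.gethostbyname_ex().

```python
"""Added example (not code from Websense or the original post): spot hostnames
whose A records rotate on every lookup, the round-robin pattern described in
the alert. The resolver is injected so this runs offline on constructed data."""
import ipaddress
from collections import Counter
from itertools import cycle

# Constructed sample: five addresses in three unrelated /24s, standing in for
# the five hosts in Germany, England and Estonia. RFC 5737 documentation
# ranges only, not the real infrastructure.
SAMPLE_POOL = ["192.0.2.10", "192.0.2.11", "198.51.100.5",
               "203.0.113.7", "203.0.113.8"]


def make_rotating_resolver(pool):
    """Simulate a round-robin authoritative server: each call returns the next IP."""
    it = cycle(pool)
    return lambda hostname: next(it)


def make_static_resolver(addr):
    """Simulate a hostname with a single stable A record."""
    return lambda hostname: addr


def observe_answers(hostname, resolve, lookups=20):
    """Resolve `hostname` repeatedly and count how often each answer appears."""
    return Counter(resolve(hostname) for _ in range(lookups))


def classify(hostname, resolve, lookups=20, min_distinct=3):
    """Summarise the answer set and flag rotation across unrelated networks.

    Treat a hit as a lead to pivot on (whois the prefixes, pull the landing
    page from a sandbox), not as a verdict on its own.
    """
    answers = observe_answers(hostname, resolve, lookups)
    prefixes = {str(ipaddress.ip_network(f"{ip}/24", strict=False))
                for ip in answers}
    return {
        "hostname": hostname,
        "distinct": sorted(answers),
        "distinct_24s": len(prefixes),
        "round_robin": len(answers) >= min_distinct,
        "multi_network": len(prefixes) >= 2,
    }


if __name__ == "__main__":
    print(classify("landing.example", make_rotating_resolver(SAMPLE_POOL)))
    print(classify("static.example", make_static_resolver("192.0.2.1")))
```

Twenty lookups is enough to see all five answers when the server strictly rotates; against a server that randomises its answers, raise `lookups` or run the check from a few vantage points over time.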

Websense Alert 

Issued: February 21, 2007

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS07-016
  * MS07-013
  * MS07-012
  * MS07-011
  * MS06-078

Bulletin Information:

MS07-016

Bulletin revised to correct installation verification keys for Windows Internet Explorer 7. Removal information for Windows Server 2003 updated with correct folder  

Originally posted: February 13, 2007
Updated: February 21, 2007
Bulletin Severity Rating: Critical
Version: 1.1
    
MS07-013

Bulletin Updated: additional clarification has been added to the e-mail attack vector. An attacker could also attempt to exploit this vulnerability when a user interacts with a malformed embedded OLE object within a Rich Text e-mail message  

Originally posted: February 13, 2007
Updated: February 21, 2007
Bulletin Severity Rating: Important
Version: 1.1
    
MS07-012

Bulletin Updated: additional clarification has been added to the e-mail attack vector. An attacker could also attempt to exploit this vulnerability when a user interacts with a malformed embedded OLE object within a Rich Text e-mail message  

Originally posted: February 13, 2007
Updated: February 21, 2007
Bulletin Severity Rating: Important
Version: 1.1
    
MS07-011

Bulletin updated: additional clarification has been added to the e-mail attack vector. An attacker could also attempt to exploit this vulnerability when a user interacts with a malformed embedded OLE object within a Rich Text e-mail message.

Originally posted: February 13, 2007
Updated: February 21, 2007
Bulletin Severity Rating: Important
Version: 1.1
    
MS06-078

Bulletin updated to provide additional clarity around known issues customers may experience when they install this security update. See Microsoft Knowledge Base Article 933065: Error message when you install the original version of security update 923689 on Korean Windows 2000, and Microsoft Knowledge Base Article 933066: Error dialog when you install the security update 923689 on Windows XP SP2.

Originally posted: December 12, 2006
Updated: February 21, 2007
Bulletin Severity Rating: Critical
Version: 2.2
        
Support:

Technical support resources can be found at:
http://go.microsoft.com/fwlink/?LinkId=21131

Mozilla Corp. will delay the next security update for Firefox so it can test a fix for a flaw that attackers could use to skirt security restrictions.

The flaw, disclosed Feb. 14 by Polish researcher Michal Zalewski on the Full-Disclosure security mailing list, could let a malicious site manipulate the authentication cookies for other sites' pages. It is present in the most recent version of the open-source browser, 2.0.0.1.

According to Zalewski, the bug might allow hackers to "tamper with the way these [third-party] sites are displayed or how they work."

Computerworld 

A potentially devastating hole in Google Inc.'s prevalent desktop search product could have exposed personal files on users' computers to data thieves. Google fixed the defect within weeks of being informed about it and says it has no evidence the vulnerability was exploited.

The flaw was uncovered late last year by Watchfire Corp., a security-analysis provider. While the vulnerability exists in roughly 80 percent of Web applications, this problem appeared far more extreme "given the sensitive nature of what Google Desktop is doing," said Danny Allan, a researcher at Waltham, Mass.-based Watchfire.

http://www.physorg.com/news91257785.html 

Adware distributor Direct Revenue LLC has agreed to pay $1.5 million to settle charges filed by the U.S. Federal Trade Commission (FTC).

The deal, announced Friday, is the second such agreement struck by the FTC with an adware vendor in the last four months. In November, Zango Inc. -- also known as 180solutions -- agreed to pay $3 million to settle similar allegations.

According to the FTC's charges, Direct Revenue and its affiliates installed adware, including programs that produced pop-up ads, on users' machines without properly disclosing what the software would do. In some cases, Direct Revenue affiliates exploited browser security flaws to install adware. The result, said the FTC, was "unfair and deceptive methods to download adware onto consumers' computers and then obstruct them from removing it."

Computerworld 

Posted Tuesday, February 20, 2007 1:54 PM by Don | with no comments

As of February 18th, 2007, AVG 7.1 Free Edition is no longer supported. If you are still using AVG 7.1 Free Edition, please take action now to remain safe by downloading the new AVG 7.5 Free Edition.

If you haven't changed the default password on your home router, let this recent threat serve as a reminder.

Attackers could change the configuration of home routers using JavaScript code, security researchers at Indiana University and Symantec have discovered. The researchers first published their work in December, but Symantec publicized the findings on Thursday.

The researchers found that it is possible to change the DNS, or Domain Name System, settings of a router if the owner uses a connected PC to view a Web page with the JavaScript code. This DNS change lets the attacker divert all the Net traffic going through the router. For example, if the victim types in "www.mybank.com," the request could be sent to a similar-looking fake page created to steal sensitive data.

Story continues at news.com.com

The Better Business Bureau is warning of a spoofing scam that uses its name and a phony e-mail that urges recipients to click a hyperlink that could download a computer virus.

The BBB system, which has 129 branches, said a company from Kennesaw, Ga., had its computer system hacked Monday night and that the company's computers were generating thousands of counterfeit messages to businesses and consumers, purporting to be a complaint filed with the BBB against the recipient.

The incident was first reported to the BBB branch that serves the Columbus, Ga., area by one of its members, according to the alert. The spoofed e-mails were sent to thousands of businesses in the U.S. and Canada.

Computerworld 

Millions of people hoping for an e-card from their sweetie or loved one on Valentine's Day are ending up with nothing but a Valentine virus instead.

SophosLabs and Secure Computing are warning users about a widespread worm posing as a Valentine's Day greeting that is spreading quickly.

"It's fairly nasty," says Dmitri Alperovitch, a principal research scientist with Secure Computing. "We've been expecting it because around holiday time, criminals try to take advantage of people who might be hoping to get greeting cards or announcements that flowers are coming."

Informationweek

February 13, 2007

Today Microsoft released the following Security Bulletin(s).

February Bulletin Summary

Critical (6)

MS07-008 - Vulnerability in HTML Help ActiveX Control Could Allow Remote Code Execution (928843)
MS07-009 - Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution(927779)
MS07-010 - Vulnerability in Microsoft Malware Protection Engine Could Allow Remote Code Execution (932135)
MS07-014 - Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (929434)
MS07-015 - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (932554)
MS07-016 - Cumulative Security Update for Internet Explorer (928090)

Important (6)

MS07-005 - Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (923723)
MS07-006 - Vulnerability in Windows Shell Could Allow Elevation of Privilege (928255)
MS07-007 - Vulnerability in Windows Image Acquisition Service Could Allow Elevation of Privilege (927802)
MS07-011 - Vulnerability in Microsoft OLE Dialog Could Allow Remote Code Execution (926436)
MS07-012 - Vulnerability in Microsoft MFC Could Allow Remote Code Execution (924667)
MS07-013 - Vulnerability in Microsoft RichEdit Could Allow Remote Code Execution (918118)

This represents our regularly scheduled monthly bulletin release (second Tuesday of each month). Please note that Microsoft may release bulletins outside of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.
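A release summary like the one above is only useful once it is reconciled against what is actually installed on each host. The script below is an added example, not from Microsoft or the original post: it parses the bulletin summary text (copied from the list above) into bulletin, KB number and severity, parses a hotfix list in the shape produced by `wmic qfe get HotFixID` on Windows, and reports the bulletins at or above a chosen severity whose KB is absent. The installed-hotfix list is a constructed sample. One caveat a practitioner needs: Office and Word updates (MS07-014, MS07-015) and the Malware Protection Engine update (MS07-010) are not delivered as OS hotfixes, so their absence from the QFE list is not proof they are missing; check the Office update history and the engine version for those separately.

```python
"""Added example (not from Microsoft or the original post): reconcile the
February 2007 bulletin summary against a host's installed hotfixes."""
import re

# Copied from the bulletin summary above.
BULLETIN_SUMMARY = """\
Critical (6)
MS07-008 - Vulnerability in HTML Help ActiveX Control Could Allow Remote Code Execution (928843)
MS07-009 - Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution(927779)
MS07-010 - Vulnerability in Microsoft Malware Protection Engine Could Allow Remote Code Execution (932135)
MS07-014 - Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (929434)
MS07-015 - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (932554)
MS07-016 - Cumulative Security Update for Internet Explorer (928090)
Important (6)
MS07-005 - Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (923723)
MS07-006 - Vulnerability in Windows Shell Could Allow Elevation of Privilege (928255)
MS07-007 - Vulnerability in Windows Image Acquisition Service Could Allow Elevation of Privilege (927802)
MS07-011 - Vulnerability in Microsoft OLE Dialog Could Allow Remote Code Execution (926436)
MS07-012 - Vulnerability in Microsoft MFC Could Allow Remote Code Execution (924667)
MS07-013 - Vulnerability in Microsoft RichEdit Could Allow Remote Code Execution (918118)
"""

# Constructed sample in the shape of `wmic qfe get HotFixID` output: this host
# has only three of the twelve updates applied.
INSTALLED_SAMPLE = """\
HotFixID
KB928843
KB927779
KB923723
"""

SEVERITY_RE = re.compile(r"^(Critical|Important|Moderate|Low)\s*\(\d+\)\s*$")
BULLETIN_RE = re.compile(r"^(MS\d{2}-\d{3})\s*-\s*(.*?)\s*\((\d+)\)\s*$")
SEVERITY_RANK = {"Low": 0, "Moderate": 1, "Important": 2, "Critical": 3}

# Bulletins whose fix does not show up as an OS hotfix (Office, Word and the
# Malware Protection Engine); absence from the QFE list proves nothing here.
NOT_IN_QFE = {"MS07-010", "MS07-014", "MS07-015"}


def parse_bulletin_summary(text):
    """Turn the summary into records; severity comes from the section header."""
    bulletins, severity = [], None
    for raw in text.splitlines():
        line = raw.strip()
        header = SEVERITY_RE.match(line)
        if header:
            severity = header.group(1)
            continue
        entry = BULLETIN_RE.match(line)
        if entry and severity:
            bulletins.append({"id": entry.group(1), "title": entry.group(2),
                              "kb": "KB" + entry.group(3), "severity": severity})
    return bulletins


def parse_hotfix_ids(text):
    """Extract KB identifiers from hotfix-list output, ignoring the header."""
    return {tok for tok in text.split() if re.fullmatch(r"KB\d+", tok)}


def missing_updates(bulletins, installed, min_severity="Important"):
    """Bulletins at or above `min_severity` whose KB is not installed."""
    floor = SEVERITY_RANK[min_severity]
    return [b for b in bulletins
            if SEVERITY_RANK[b["severity"]] >= floor and b["kb"] not in installed]


def report(bulletins, installed, min_severity="Important"):
    """Split findings into confirmed gaps and ones needing a second source."""
    missing = missing_updates(bulletins, installed, min_severity)
    return {
        "confirmed_missing": [b["id"] for b in missing if b["id"] not in NOT_IN_QFE],
        "verify_elsewhere": [b["id"] for b in missing if b["id"] in NOT_IN_QFE],
    }


if __name__ == "__main__":
    bulletins = parse_bulletin_summary(BULLETIN_SUMMARY)
    installed = parse_hotfix_ids(INSTALLED_SAMPLE)
    print(report(bulletins, installed, "Critical"))
    print(report(bulletins, installed, "Important"))
```

On a real host, feed the output of `wmic qfe get HotFixID` to `parse_hotfix_ids` and keep in mind that a later cumulative update (for example a newer IE cumulative) can supersede one of these KBs, so a mature inventory also maps superseding KBs before declaring a gap.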
 

Description:
Sun has acknowledged some vulnerabilities in Mozilla 1.7 for Sun Solaris, which can be exploited by malicious people to bypass certain security restrictions or potentially compromise a user's system.

For more information:
SA20376
SA23422

The vulnerabilities are reported in Mozilla 1.7 for Sun Solaris 8, 9, and 10 on both the x86 and SPARC platforms. Mozilla 1.4 may also be affected.

Solution:
The vendor recommends disabling JavaScript as a workaround for one of the issues.

Secunia 

The Trojan horse that pumped up spam volumes in January is at it again, researchers said today, and is now spreading over instant messaging and engaging in attacks on rival malware.

Symantec Corp. researchers said that the "Storm Trojan," aka "Peacomm," is now spreading via AOL Instant Messenger (AIM), Google Talk and Yahoo Messenger.

Computerworld 

Posted Monday, February 12, 2007 6:48 PM by Don | with no comments

Michael Barrett, chief information security officer at PayPal, knows exactly why his company is often targeted by phishers: it has 133 million customers moving around a lot of money. He talked about how PayPal is fighting back.

Story continues 

Posted Monday, February 12, 2007 1:54 PM by Don | with no comments

The annual dslreports.com AV poll has been underway since January 29, 2007. After 625 participants and 760 total votes cast thus far, the following received the top five vote counts:

1) AVG
2) NOD32
3) Avast!
4) Norton AV/Symantec AV
5) KAV (Kaspersky)

A couple of notes: some AVs have both freeware and commercial versions, and some have suites. These are not broken out separately; please vote for the AV brand you use and then post which specific version you use and why. If you use an AV that is not listed above, please tell us about it.

Also, there are planned polls to come for Firewalls, Anti-Trojans, and Anti-Spyware.

http://www.dslreports.com/forum/remark,17729406~viewpoll=1

"Computer users should keep a wary eye on any romantic messages received by e-mail, as many of them could contain malicious code," said US security firm PandaLabs after detecting an increase in a worm it dubbed Nurech.A.

The worm hides in e-mails with subjects like: "Together You and I," "Til the End of Time Heart of Mine."

People who open an attached file such as postcard.exe can end up infecting their computers.

Security firm Symantec said it had detected "large-scale spamming" of e-mails including a Trojan horse, a program that contains or installs a malicious program.

Symantec said the malware was a new version of Trojan.Peacomm or the "Storm Trojan."

"With Valentine's Day approaching, this time around the authors are attempting to tug on the heartstrings of unsuspecting users with romantic subject lines such as 'My Heart belongs to you,' said Symantec's Orla Cox.

http://www.physorg.com/news90265851.html 
