September 2007 - Posts

Someone used an eBay Inc. discussion forum on Tuesday to post confidential information about eBay users along with what may be their credit card numbers.

The incident, which was first reported by AuctionBytes.com, a technology news site that focuses on e-commerce, led the e-commerce giant to shut down the forum, which ironically is devoted to the discussion of security issues.

Nichola Sharpe, an eBay spokeswoman, confirmed that on Tuesday morning someone the vendor describes as "a malicious fraudster" posted the names and contact information of 1,200 eBay members on the company's Trust & Safety discussion forum.

Full Story at computerworld.com 

 

Top-level employees of publicly listed companies are being targeted by cybercriminals using malware-infected RTF documents disguised as recruitment letters.

Security company MessageLabs reported that 1,100 e-mails containing malware-infected RTF (rich text file) attachments were recorded over a 16-hour period this month. Four separate waves appeared between September 13 and 14, the company said.

Full Story at news.com 

 

Anti-botnet software company FireEye is diving into the fray in the battle against malicious software by releasing a product that combines a global analysis network with an appliance.

The FireEye Botwall Network and the FireEye Botwall appliances are tied together in what FireEye is offering as software-as-a-service focused on major enterprises and ISPs. The software is designed to detect attacks coming from botnets, as well as give users an image of bots positioned around the world.

Full Story at informationweek.com 

 

Issued: September 19, 2007

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS07-053 - Important
  * MS07-052 - Important
  * MS07-047 - Important

Bulletin Information:

* MS07-053 - Important

  - http://www.microsoft.com/technet/security/bulletin/ms07-053.mspx
  - Reason for Revision: V1.1 (September 19, 2007): Bulletin revised
    to correct table information for the SMS detection and
    deployment summary for this security update. SMS 2003
    Software Update Services (SUS) can detect this security
    update with EST. If a previous version of the Extended
    Security Update Inventory Tool has been installed on SMS, it
    will need to be upgraded with the current version of the tool
    to enable detection of this security update.  
  - Originally posted: September 11, 2007
  - Updated: September 19, 2007
  - Bulletin Severity Rating: Important
  - Version: 1.1
   
* MS07-052 - Important

  - http://www.microsoft.com/technet/security/bulletin/ms07-052.mspx
  - Reason for Revision: Bulletin Updated: The executable filename
    for Visual Studio 2003 Service Pack 1 has been correctly
    updated to VS7.1sp1-KB937059-x86-INTL in the corresponding
    Reference Table under "Security Update Deployment". 
  - Originally posted: September 11, 2007
  - Updated: September 19, 2007
  - Bulletin Severity Rating: Important
  - Version: 1.1
   
* MS07-047 - Important

  - http://www.microsoft.com/technet/security/bulletin/ms07-047.mspx
  - Reason for Revision: V1.2 (September 19, 2007): Bulletin revised
    to correct file information when installing without user
    intervention, installing without restarting, and removal
    information for Windows Media Player 7.1, 9, 10, and 11 on
    supported editions of Windows 2000 Service Pack 4, Windows
    Server 2003 Service Pack 1, Windows Server 2003 Service Pack
    2, Windows XP Service Pack 2 and x64 Editions. 
  - Originally posted: August 14, 2007
  - Updated: September 19, 2007
  - Bulletin Severity Rating: Important
  - Version: 1.2
 

Description

On his blog, Petko D. Petkov reported that QuickTime Media-Link files contain a qtnext attribute that could be used on Windows systems to launch the default browser with arbitrary command-line options. When the default browser is Firefox 2.0.0.6 or earlier, use of the -chrome option allowed a remote attacker to run script commands with the full privileges of the user. This could be used to install malware, steal local data, or otherwise corrupt the victim's computer.

The fix for MFSA 2007-23 was intended to prevent this type of attack but QuickTime calls the browser in an unexpected way that bypasses that fix. To protect Firefox users from this problem we have now eliminated the ability to run arbitrary script from the command-line. Other command-line options remain, however, and QuickTime Media-link files could still be used to annoy users with popup windows and dialogs until this issue is fixed in QuickTime.

This QuickTime issue appears to be the one described by CVE-2006-4965 but the fix Apple applied in QuickTime 7.1.5 does not prevent this version of the problem.

NOTE: Gran Paradiso Alpha 8 does not contain the fix for this vulnerability.

Workaround

Disabling JavaScript in the browser does not protect against this attack; in vulnerable versions scripts passed through the -chrome option would be executed regardless of the JavaScript setting for web content, much as interpreters for languages such as Perl and Python execute scripts passed on the command line. The NoScript add-on, however, has provided protection against this class of attack since the cross-browser vulnerabilities described by MFSA 2007-23 were discovered.

http://www.mozilla.org/security/announce/2007/mfsa2007-28.html 

 

The Web site started the first phase of its "interest targeting" experiment in July, culling likes and dislikes from its users' pages to sell ads in 10 broad categories such as finance, autos, fashion and music.

MySpace advertisers can now get much more than the basic demographic data contained in site registration forms, Peter Levinsohn, who heads Fox Interactive Media, told an investor conference.

The site has more than 3 million users in each category and can place ads based on responses to questions about users' likes and dislikes, favorite movies and music. Data is even extracted from blog entries, where users write at length about their lives.

Targeting ads well can be lucrative for MySpace and its corporate parent, but it can also backfire if users believe their personal expressions are being misused. 

http://www.physorg.com/news109399530.html 

There's no need to warn the anti-spam researchers at the Spamhaus Project about the Storm worm authors' ability to launch massive denial-of-service attacks. They've been fending them off for several months. And they've lived -- or at least stayed online -- to tell the tale.

"It's been a pretty constant battle to stay online," Vincent Hanna, an investigator for the non-profit Spamhaus Project, told InformationWeek. "It's an arms race. They try something. We block it. They try something else. We block it. It goes on and on. Sometimes it's fine and sometimes we spend hours a day on this."

Full Story at informationweek.com 

 

Description:
Some vulnerabilities have been reported in OpenOffice, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerabilities are caused by integer overflows when processing certain tags within TIFF images. This can be exploited to cause heap-based buffer overflows, for example by tricking a user into opening a specially crafted document.

Successful exploitation may allow the execution of arbitrary code.

The vulnerabilities are reported in versions prior to 2.3.

Solution:
Update to version 2.3.

http://secunia.com/advisories/26816/ 

German authorities arrested 10 people last week for computer intrusion and financial crimes following an 18 month investigation into an international phishing group.

The suspects, who ranged in age from 20 to 36 years old, allegedly used a Trojan horse program to infect victims' machines and log their bank activity, racking up hundreds of thousands of euros in profits, according to a Federal Criminal Investigation Office (BKA) press release (in German).

http://www.securityfocus.com/brief/590 

 

Online brokerage TD Ameritrade Holding Corp. announced today that a hacker broke into one of its databases and stole personally identifying information for some of its 6.3 million customers.

An online advisory and letters to account holders disclosed that names, e-mail addresses, phone numbers and home addresses were taken in the data breach. Client assets, along with user IDs, personal identification numbers and passwords, were not stored in the compromised database.

Full Story at informationweek.com 

 

Grisoft’s AVG has recently gained another two awards to add to its ever-growing collection. Firstly, AVG Internet Security Home Edition was awarded ‘Recommended Product’ by the UK review site IT Reviews due to its reliability, regular definitions and the degree of customization available for advanced users, as well as the ease of use for more novice users.

On top of this, AVG Antispyware has been awarded "PC Advisor Recommended" by PC Advisor following its recent review. Factors that contributed to this included not only AVG Antispyware's easy to use and sleek interface, but PC Advisor also noted that on average it detected the largest percentage of threats, with the strongest signature database among the software tested.

September 13, 2007

 

Issued: September 12, 2007

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS07-054 - Important
  * MS07-051 - Critical

Bulletin Information:

* MS07-054 - Important

  - http://www.microsoft.com/technet/security/bulletin/ms07-054.mspx
  - Reason for Revision: Download center links added to Affected
    Software table for upgrading to Windows Live Messenger 8.1 
  - Originally posted: September 11, 2007
  - Updated: September 12, 2007
  - Bulletin Severity Rating: Important
  - Version: 1.1
   
* MS07-051 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-051.mspx
  - Reason for Revision: Bulletin updated to include FAQ as to why
    up-level platforms are not affected by this vulnerability. 
  - Originally posted: September 11, 2007
  - Updated: September 12, 2007
  - Bulletin Severity Rating: Critical
  - Version: 1.1 

An instant-messaging worm has started spreading to PCs running Windows by using Skype to chat up potential victims in an attempt to convince them to download and run the malicious software.

The worm, described in a blog post written by eBay's Skype subsidiary, can converse with victims in at least three different languages: Latvian, Russian, and English. Antivirus firms and eBay have already assigned a plethora of names to the digital pest, including Ramex (Skype), Pykspa (Symantec), Skipi (F-Secure), and Pykse (McAfee and others).

http://www.securityfocus.com/brief/586 

 

September 11, 2007

Today Microsoft released the following Security Bulletin(s).

September Bulletin Summary

Critical

MS07-051 - Vulnerability in Microsoft Agent Could Allow Remote Code Execution (938827)

Important

MS07-052 - Vulnerability in Crystal Reports for Visual Studio Could Allow Remote Code Execution (941522)
MS07-053 - Vulnerability in Windows Services for UNIX Could Allow Elevation of Privilege (939778)
MS07-054 - Vulnerability in MSN Messenger and Windows Live Messenger could allow Remote Code Execution (942099)

This represents our regularly scheduled monthly bulletin release (second Tuesday of each month). Please note that Microsoft may release bulletins outside of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.
 

Pfizer Inc. last week confirmed that the personal data of as many as 34,000 people may have been illegally accessed and downloaded from a company computer system by a former employee.

The compromised information includes names, Social Security numbers, dates of birth, phone numbers, and bank and credit card information of employees, former employees and health care workers, the New York-based drug maker said.

A spokeswoman for Pfizer said the incident, discovered on July 10, occurred sometime late last year.

Full Story at computerworld.com 

Posted Monday, September 10, 2007 8:56 AM by Don | with no comments

Issued: September 6, 2007
Updated: September 7, 2007

This is an advance notification of four security bulletins that
Microsoft is intending to release on September 11, 2007.

Critical Security Bulletins

Microsoft Security Bulletin 1

  - Affected Software:
    - Microsoft Windows 2000 Service Pack 4

    - Impact: Remote Code Execution
    - Version Number: 1.0


Important Security Bulletins

Microsoft Security Bulletin 2

  - Affected Software:
    - Visual Studio .NET 2002 Service Pack 1 (KB937057)
    - Visual Studio .NET 2003 (KB937058)
    - Visual Studio .NET 2003 Service Pack 1 (KB937059)
    - Visual Studio 2005 (KB937060)
    - Visual Studio 2005 Service Pack 1 (KB937061)

    - Impact: Remote Code Execution
    - Version Number: 1.0

Microsoft Security Bulletin 3

  - Affected Software:
    - Windows Services for UNIX 3.0 on Windows 2000 Service Pack 4
    - Windows Services for UNIX 3.5 on Windows 2000 Service Pack 4
    - Windows Services for UNIX 3.0 on Windows XP Service Pack 2
    - Windows Services for UNIX 3.5 on Windows XP Service Pack 2
    - Windows Services for UNIX 3.0 on Windows Server 2003 Service
      Pack 1 and Windows Server 2003 Service Pack 2
    - Windows Services for UNIX 3.5 on Windows Server 2003 Service
      Pack 1 and Windows Server 2003 Service Pack 2
    - Subsystem for UNIX-based Applications on Windows Server 2003
      Service Pack 1 and Windows Server 2003 Service Pack 2
    - Subsystem for UNIX-based Applications on Windows Server 2003
      x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
    - Subsystem for UNIX-based Applications on Windows Vista
    - Subsystem for UNIX-based Applications on Windows Vista x64
      Edition

    - Impact: Elevation of Privilege
    - Version Number: 1.0

Microsoft Security Bulletin 4

  - Affected Software:
    - MSN Messenger 6.2
    - MSN Messenger 7.0
    - MSN Messenger 7.5
    - Windows Live Messenger 8.0

    - Impact: Remote Code Execution
    - Version Number: 1.0


Other Information

Microsoft Windows Malicious Software Removal Tool:

Microsoft will release an updated version of the Microsoft Windows
Malicious Software Removal Tool on Windows Update, Microsoft Update,
Windows Server Update Services, and the Download Center.

Non-Security, High-Priority Updates on MU, WU, and WSUS:

For this month:

* Microsoft is planning to release one non-security,
  high-priority update on Microsoft Update (MU) and
  Windows Server Update Services (WSUS).

* Microsoft is planning to release zero non-security,
  high-priority updates for Windows on Windows Update (WU).

Note that this information pertains only to non-security,
high-priority updates on Microsoft Update, Windows Update, and
Windows Server Update Services, and released on the same day as the
Security Bulletin Summary. Information will not be provided about
non-security updates released on other days.

Revision

September 7, 2007: Bulletin Advance Notification updated. Microsoft
plans to release four security bulletins, and no longer plans to
release Microsoft Security Bulletin 5 affecting Windows and
SharePoint Server, on Tuesday, September 11, 2007.

With the frequency of employee and customer information put at risk because a computer was stolen right out of an office, car, or home, a disk-drive maker decided to try to tackle the problem.

Seagate Technology announced that it's working on a drive for desktop PCs that will use embedded chips to encrypt the information on the drive -- all of the information. Then if the machine is stolen, the thief would have to come up with a password at minimum and two- or three-factor authentication at best.

Full Story at informationweek.com 

 

Posted Friday, September 07, 2007 4:01 AM by Don | with no comments

Issued: September 6, 2007

This is an advance notification of five security bulletins that
Microsoft is intending to release on September 11, 2007.

Critical Security Bulletins

Microsoft Security Bulletin 1

  - Affected Software:
    - Microsoft Windows 2000 Service Pack 4

    - Impact: Remote Code Execution
    - Version Number: 1.0

Important Security Bulletins

Microsoft Security Bulletin 2

  - Affected Software:
    - Visual Studio .NET 2002 Service Pack 1 (KB937057)
    - Visual Studio .NET 2003 (KB937058)
    - Visual Studio .NET 2003 Service Pack 1 (KB937059)
    - Visual Studio 2005 (KB937060)
    - Visual Studio 2005 Service Pack 1 (KB937061)

    - Impact: Remote Code Execution
    - Version Number: 1.0

Microsoft Security Bulletin 3

  - Affected Software:
    - Windows Services for UNIX 3.0 on Windows 2000 Service Pack 4
    - Windows Services for UNIX 3.5 on Windows 2000 Service Pack 4
    - Windows Services for UNIX 3.0 on Windows XP Service Pack 2
    - Windows Services for UNIX 3.5 on Windows XP Service Pack 2
    - Windows Services for UNIX 3.0 on Windows Server 2003 Service
      Pack 1 and Windows Server 2003 Service Pack 2
    - Windows Services for UNIX 3.5 on Windows Server 2003 Service
      Pack 1 and Windows Server 2003 Service Pack 2
    - Subsystem for UNIX-based Applications on Windows Server 2003
      Service Pack 1 and Windows Server 2003 Service Pack 2
    - Subsystem for UNIX-based Applications on Windows Server 2003
      x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
    - Subsystem for UNIX-based Applications on Windows Vista
    - Subsystem for UNIX-based Applications on Windows Vista x64
      Edition

    - Impact: Elevation of Privilege
    - Version Number: 1.0

Microsoft Security Bulletin 4

  - Affected Software:
    - MSN Messenger 6.2
    - MSN Messenger 7.0
    - MSN Messenger 7.5
    - Windows Live Messenger 8.0

    - Impact: Remote Code Execution
    - Version Number: 1.0

Microsoft Security Bulletin 5

  - Affected Software:
    - Microsoft Windows SharePoint Services 3.0 on Windows Server
      2003 Service Pack 1 (KB934525)
    - Microsoft Windows SharePoint Services 3.0 on Windows Server
      2003 Service Pack 2 (KB934525)
    - Microsoft Windows SharePoint Services 3.0 on Windows Server
      2003 x64 Edition (KB934525)
    - Microsoft Windows SharePoint Services 3.0 on Windows Server
      2003 x64 Edition Service Pack 2 (KB934525)
    - Microsoft Office SharePoint Server 2007 (KB937832)

    - Impact: Elevation of Privilege
    - Version Number: 1.0


Other Information

Microsoft Windows Malicious Software Removal Tool:

Microsoft will release an updated version of the Microsoft Windows
Malicious Software Removal Tool on Windows Update, Microsoft Update,
Windows Server Update Services, and the Download Center.

Non-Security, High-Priority Updates on MU, WU, and WSUS:

For this month:

* Microsoft is planning to release one non-security,
  high-priority update on Microsoft Update (MU) and
  Windows Server Update Services (WSUS).

* Microsoft is planning to release zero non-security,
  high-priority updates for Windows on Windows Update (WU).

Note that this information pertains only to non-security,
high-priority updates on Microsoft Update, Windows Update, and
Windows Server Update Services, and released on the same day as the
Security Bulletin Summary. Information will not be provided about
non-security updates released on other days. 

The federal government's cyberdefense arm today warned users of the popular QuickBooks small-business accounting software that they risk losing data and control of their PCs to hackers.

According to two advisories published by the U.S. Computer Emergency Readiness Team (US-CERT), the ActiveX control that enables Intuit Inc.'s QuickBooks Online Edition contains flaws that attackers can exploit simply by getting users to view an HTML e-mail message or visit a malicious Web site.

Story continues at computerworld.com 

 

Zango, an online media company, came up short in its attempt to force an anti-virus company to reclassify its "spyware" tag for the company's adware.

The U.S. District Court for the Western District of Washington ruled in favor of Kaspersky Lab, granting the security company immunity from liability in a suit filed by Zango. According to Kaspersky, Zango sued them to force the company to reclassify Zango's programs as "non-threatening" and to prevent Kaspersky's security software from blocking Zango's programs.

Full Story at informationweek.com 

 
