October 2007 - Posts

The Federal Trade Commission, which has declared war on Internet scams, warned consumers on Monday not to open a bogus e-mail that appears to come from its fraud department because it carries an attachment that can download a virus.

The e-mail says it is from "frauddep@ftc.gov" and has the FTC's government seal.

But it was not issued by the agency and has attachments and links that will download a virus that could steal passwords and account numbers, the agency said.

Full Story at news.com 

 

Websense® Security Labs(TM) has discovered a new Trojan Horse information stealer that is being emailed out as a Halloween Greeting Card in Mexico.

To date we have seen four unique sites being spammed out all with the same binary file. They were in Korea, Brazil, and Russia, and were all up and running at the time of this alert. The file is called "hallowenDay.exe" and has an MD5 of (65cd5a35bc70075f86cb6404f54d67b8). It is also poorly detected by anti-virus signatures.

If users visit the site and choose to run the file, a Trojan Horse designed to steal banking information is installed on their machine. The file also appears to be packed with a unique custom packer.

We expect to see additional email lures and malicious websites on our radar with Halloween night quickly approaching. The email is written in HTML and has a variety of subject lines.

Email screenshot available within full alert.

Details
 

The U.S. remains the world's biggest spammer, according to security firm Sophos, which on Friday released its quarterly report on the world's top spam-offending countries--dubbed the "Dirty Dozen."

The U.S. came in well ahead of its rivals, according to the report, being responsible for 28.4 percent of all spam. South Korea was second (5.2 percent), followed by China (4.9 percent), Russia (4.4 percent) and Brazil (3.7 percent).

Full Story at news.com 

 

Posted Saturday, October 27, 2007 8:54 AM by Don

Security Advisory Updated Today

* Microsoft Security Advisory (943521)
  - Title: URL Handling Vulnerability in Windows XP and
    Windows Server 2003 with Windows Internet Explorer 7 Could
    Allow Remote Code Execution
  - http://www.microsoft.com/technet/security/advisory/943521.mspx
  - Revision Note: Advisory updated to reflect elevated threat level

DirectRevenue, a company that made tens of millions of dollars pushing ads onto compromised computers, closed its doors this week, nearly four months after the Federal Trade Commission levied a $1.5 million fine against the firm.

According to a message posted to its Web site, DirectRevenue and its subsidiary Best Offers "have ceased operations." The company left behind a single page of instructions to allow victims to uninstall its software and an e-mail address that appeared not to be valid. The company gave no reason for its closure.

http://www.securityfocus.com/brief/615 

Posted Thursday, October 25, 2007 1:14 PM by Don

Summary

The following bulletin has undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS06-067

Bulletin Information:

* MS06-067

  - http://www.microsoft.com/technet/security/bulletin/ms06-067.mspx
  - Reason for Revision: Revised to include MS06-065 as a bulletin
    that is replaced by this bulletin. 
  - Originally posted: November 14, 2006
  - Updated: October 24, 2007
  - Bulletin Severity Rating: Critical
  - Version: 1.1
 

Antivirus specialist Symantec has joined a security organization alongside Microsoft, despite having previously come to very public blows with the software giant over its willingness to share security information on Vista.

Symantec and Microsoft announced Tuesday at the RSA Conference Europe 2007 that they will join the Software Assurance Forum for Excellence in Code (SafeCode), a not-for-profit organization aimed at increasing trust around IT. Other members include EMC, SAP and Juniper Networks.

Full Story at news.com 

 

Description:
A vulnerability has been reported in Sun JRE, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an unspecified error within the handling of Java applets. This can be exploited by malicious, untrusted applets to read and write local files, or to execute local applications.

The vulnerability is reported in the following products:
* JDK and JRE 6 Update 2 and earlier
* JDK and JRE 5.0 Update 12 and earlier
* SDK and JRE 1.4.2_15 and earlier
* SDK and JRE 1.3.1_20 and earlier

Solution:
Update to the latest versions or apply patches:

See Secunia Advisory for update links.

Release date: October 22, 2007

Platform: Windows XP (Vista users are not affected) with Internet Explorer 7 installed

Affected Software Versions: Adobe Reader 8.1 and earlier, Adobe Reader 7.0.9 and earlier
Adobe Acrobat Professional, 3D and Standard 8.1 and earlier versions, Adobe Acrobat Professional, Standard, 3D and Elements 7.0.9 and earlier

Summary

Critical vulnerabilities have been identified in Adobe Reader and Acrobat that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. This issue only affects customers on Windows XP with Internet Explorer 7 installed. A malicious file must be loaded in Adobe Reader or Acrobat by the end user for an attacker to exploit these vulnerabilities. It is recommended that affected users update to Adobe Reader 8.1.1 or Acrobat 8.1.1. This is an update to resolve the issue previously reported in Security Advisory APSA07-04.

Solution

Adobe strongly recommends upgrading to Adobe Reader 8.1.1 or Acrobat 8.1.1.

http://www.adobe.com/support/security/bulletins/apsb07-18.html 

Experts at SophosLabs™, Sophos's global network of virus, spyware and spam analysis centers, have intercepted an attempt by spammers to hijack Halloween festivities to grab personal information from innocent internet users.

Sophos has identified a spam email campaign that tries to lure recipients into handing over a wide range of personal information with the promise of a $250 gift card. The email uses a variety of painful puns associated with the spooky celebrations on 31 October.

Details 

 

Posted Sunday, October 21, 2007 3:40 PM by Don

Firefox 2.0.0.8 is out with the following fixes:
Mozilla Foundation Security Advisories
Fixed in Firefox 2.0.0.8

MFSA 2007-36 - URIs with invalid %-encoding mishandled by Windows

MFSA 2007-35 - XPCNativeWrapper pollution using Script object

MFSA 2007-34 - Possible file stealing through sftp protocol

MFSA 2007-33 - XUL pages can hide the window titlebar

MFSA 2007-32 - File input focus stealing vulnerability

MFSA 2007-31 - Browser digest authentication request splitting

MFSA 2007-30 - onUnload Tailgating

MFSA 2007-29 - Crashes with evidence of memory corruption (rv:1.8.1.8)
Release notes and details:
»www.mozilla.org/projects/securit···x2.0.0.8

Posted Friday, October 19, 2007 8:24 AM by Don

Advisory: External news readers and e-mail clients can be used to execute arbitrary code

External news readers and e-mail clients can be used to execute arbitrary code.

Severity: Highly Severe

Affected Versions

All versions of Opera for Desktop prior to Opera 9.24.

Problem Description

If a user has configured Opera to use an external newsgroup client or e-mail application, specially crafted Web pages can cause Opera to run that application incorrectly. In some cases this can lead to execution of arbitrary code.

Opera's Response

Opera Software has released Opera 9.24, where this issue has been fixed.

http://www.opera.com/support/search/view/866/ 

.. and ..

Advisory: Scripts can overwrite functions on pages from other domains

Scripts can overwrite functions on pages from other domains.

Severity: Highly Severe

Affected Versions

All versions of Opera for Desktop prior to Opera 9.24.

Problem Description

When accessing frames from different Web sites, specially crafted scripts can bypass the same-origin policy and overwrite functions from those frames. If scripts on the page then run those functions, this can cause the script of the attacker's choice to run in the context of the target Web site.

Opera's Response

Opera Software has released Opera 9.24, where this issue has been fixed.

http://www.opera.com/support/search/view/867/ 

Issued: October 17, 2007

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS07-055 - Critical
  * MS07-060 - Critical

Bulletin Information:

  
* MS07-055 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-055.mspx
  - Reason for Revision: Bulletin updated to include Windows XP x64
    Edition among non-affected software. 
  - Originally posted: October 9, 2007
  - Updated: October 17, 2007
  - Bulletin Severity Rating: Critical
  - Version: 1.1
       

* MS07-060 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-060.mspx
  - Reason for Revision: Bulletin updated: Vulnerability FAQ updated
    to explain the nature of the update and plans for addressing
    similar stability issues. 
  - Originally posted: October 9, 2007
  - Updated: October 17, 2007
  - Bulletin Severity Rating: Critical
  - Version: 1.2

Websense® Security Labs(TM) has discovered a new Trojan Horse being distributed via spam email in Latin America. The email message is written in Spanish, and includes the subject line:

"Espero que te guste"

The email acts as a lure, attempting to get users to click a link and download a greeting card. There are several versions of the spam message, but the main difference is the location where the malicious code is stored. In all versions discovered to date, the file name is always "mexico.exe", and the MD5 is "ce073c460ec25d7e40efe3f717f75c38". In all samples, the file has been stored on compromised websites.

If users click on the link and run the code, a browser window to Univision.com opens as a means of hiding what is happening in the background. The malicious code also connects to one or more additional websites to download an additional binary file, "file56.gif". This file is actually a Windows executable.

The "file56.gif" binary can come from any of five different compromised sites. The file is downloaded to the Windows system32 directory and given the name "html.txt". The "html.txt" file is then renamed "html.exe" and run.

The payload of the code is written in Delphi and packed with RLpack. It disables Task Manager, deletes the host file, and changes some startup options and Start menu options. It also includes an information stealing component.
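The "file56.gif" stage above is a Windows executable hiding behind an image name, and it is later re-labelled "html.txt" before being renamed to ".exe". As an added example (not part of the Websense alert), the following Python checks a downloaded file's leading bytes against what its extension promises, which catches that masquerade regardless of the name used; the sample buffers are constructed, not real malware.

```python
"""Flag downloaded files whose content does not match their extension."""
import os

# Magic prefixes for the formats we care about. PE files start with the
# DOS "MZ" stub; GIF files start with GIF87a or GIF89a. Plain text has no
# magic, so a .txt that begins with MZ is suspicious on its own.
MAGIC = {
    ".exe": (b"MZ",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def sniff(data: bytes) -> str:
    """Return the extension implied by the leading bytes, or 'unknown'."""
    for ext, prefixes in MAGIC.items():
        if any(data.startswith(p) for p in prefixes):
            return ext
    return "unknown"


def classify(name: str, data: bytes) -> str:
    """Return 'ok', 'mismatch' or 'unknown' for a (filename, content) pair.

    'mismatch' means the bytes belong to a known format other than the one
    the extension claims, i.e. the pattern described in the alert.
    """
    ext = os.path.splitext(name)[1].lower()
    actual = sniff(data)
    if actual == "unknown":
        return "unknown"
    if actual == ext:
        return "ok"
    return "mismatch"


# Constructed samples: a "GIF" that is really a PE header, and a genuine GIF header.
FAKE_GIF = b"MZ\x90\x00" + b"\x00" * 60
REAL_GIF = b"GIF89a\x01\x00\x01\x00\x80\x00\x00"

if __name__ == "__main__":
    samples = (("file56.gif", FAKE_GIF), ("card.gif", REAL_GIF),
               ("html.txt", FAKE_GIF), ("html.exe", FAKE_GIF))
    for fname, blob in samples:
        print(f"{fname}: {classify(fname, blob)}")
```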

HTML email screenshot available in full alert.
 

 

Websense® Security Labs™ has received several reports of a new Web site that is being distributed in spam sent out by those running the Storm attacks. For more details on the Storm attack, see (http://www.websense.com/securitylabs/blog/blog.php?BlogID=141).

This site poses as a new piece of software called "Krackin v1.2" and advertises:

* Easy to install
* Auto-Virus scanning
* Mobile Source Downloading
* IP Blocking to Prevent Tracking
* Unwanted User Blocking

Users with unpatched computers are automatically exploited. Users with patched computers are prompted to download and run a file called "kracking.exe". This file contains the Storm payload code.

Sample email text:

All the new movies music and more. In one place. The Krackin network.
http://<removed

Details .. 

Description:
Secunia Research has discovered a vulnerability in IrfanView, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error when importing palette (*.pal) files. This can be exploited to cause a stack-based buffer overflow by tricking a user into importing a specially crafted palette (*.pal) file.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 4.00. Other versions may also be affected.

Solution:
Update to version 4.10.

Secunia Advisory 

Oracle said on Friday that it plans to release a critical patch update for its enterprise software next week.

The Oracle Critical Patch Update for October 2007 is scheduled for release on Tuesday, October 16. Its 51 security fixes address issues across hundreds of Oracle products.

Oracle rates the severity of vulnerabilities using version 2 of the Common Vulnerability Scoring System. CVSS 2.0 ratings range from 1 to 10. The highest CVSS 2.0 base score of vulnerabilities across all products is 6.8, according to Oracle.

Full Story at informationweek.com 

 

Websense® Security Labs™ has received several reports of a new Web site that is being distributed in spam sent out by those running the Storm attacks. For more details on the Storm attack, see (http://www.websense.com/securitylabs/blog/blog.php?BlogID=141).


This site poses as a free Ecard Web site. No exploit is on the site itself. However, when users click any of the URLs, they are prompted to download and run a file called "SuperLaugh.exe." This file contains the Storm payload code.


Sample email text:

View your Kitty Card now! (URL REMOVED)

Details 

 

Posted Friday, October 12, 2007 6:18 AM by Don

Summary

The following bulletin has undergone a major revision increment.
Please see the bulletin for more detail.

  * MS07-056 - Critical

Bulletin Information:

* MS07-056 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-056.mspx
  - Reason for Revision: Revised to include Windows XP Professional
    x64 Edition in the Affected Software section; Known Issues
    set to none; Corrected missing file information to the
    bulletin text for Outlook Express 6.0 Service Pack 1 on
    Windows 2000 Service pack 4 and Outlook Express 5.5 Service
    Pack 2 on Windows 2000 Service pack 4.
  - Originally posted: October 9, 2007
  - Updated: October 10, 2007
  - Bulletin Severity Rating: Critical
  - Version: 2.0

Spammers are exploiting YouTube's "invite your friends" function to send spam containing a variant of the "Storm worm."

Bradley Anstis, director of product management at security firm Marshal, said that spammers are taking advantage of the YouTube function that lets people invite friends to view videos that they have viewed or posted. The function allows someone to e-mail any address from an account.

Full Story at news.com 

 
