MVP Jubo Security Blog

February 2007 - Posts

NIST releases three new documents

On February 20, NIST (National Institute of Standards and Technology) announced the release of the following final publications:

  • SP 800-45 Version 2, Guidelines on Electronic Mail Security
  • SP 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS)
  • SP 800-97, Establishing Wireless Robust Security Networks: A Guide to IEEE 802.11i

Source: CSD (Computer Security Division)

 

Mozilla released Firefox 2.0.0.2 with 7 security fixes and Vista support

On February 23, Mozilla released version 2.0.0.2 of Firefox. Several security issues were fixed, along with many enhancements and fixes for Windows Vista. The following security issues have been fixed:

  • MFSA 2007-07 Embedded nulls in location.hostname confuse same-domain checks
  • MFSA 2007-06 Mozilla Network Security Services (NSS) SSLv2 buffer overflow
  • MFSA 2007-05 XSS and local file access by opening blocked popups
  • MFSA 2007-04 Spoofing using custom cursor and CSS3 hotspot
  • MFSA 2007-03 Information disclosure through cache collisions
  • MFSA 2007-02 Improvements to help protect against Cross-Site Scripting attacks
  • MFSA 2007-01 Crashes with evidence of memory corruption (rv:1.8.0.10/1.8.1.2)

Two important things before you download and install this new release:

  1. Installing Firefox 2 will overwrite your existing installation of Firefox. You won't lose any of your bookmarks or browsing history, but some of your extensions and other add-ons might not work until updates for them are made available.
  2. When you install Firefox 2 all of your Extensions and Themes will be disabled until Firefox 2 determines that either a) they are compatible with the Firefox 2 release or b) there are newer versions available that are compatible.

For more detailed information see the release notes.

It's strongly recommended that you upgrade to this latest version. You can download your (language) version here.

 

Posted: Feb 24 2007, 09:23 AM by jubo | with no comments
RAT: Remote Access Trojan

Remote Access Trojans (RATs) are malicious software programs that criminals can use to control your computer through your Internet connection.

A RAT can let a criminal view and change your computer's files and functions, monitor and record your activities, and use your computer to attack other computers without your knowledge.

Learn how RATs can get onto your computer, what a RAT can do and, more importantly, how to help keep RATs away in this Microsoft article: RATs: Remote Access Trojans and how to help avoid them.

 

Posted: Feb 22 2007, 10:44 PM by jubo | with no comments
BootMerlin virus

This is a virus written in MS VisualBasic that modifies the C:\Boot.ini file to display a Spanish message at boot time:

 BootMerlin

Upon execution, it can also display a wizard animation "speaking" in Spanish:

W32/BootMerlin can make copies of itself bearing the MS Word icon, in the following location(s):

  • %Windir%\System\csrss.exe
  • %Windir%\System32\dllcache\G-Vulcan-III.exe
  • X:\Recuerda que te quiero.exe
  • X:\LINEAS TELEFONICAS SIJIN VIEJA.exe
  • X:\PODER SALDARRIAGA1.exe
  • X:\SOLICITUD A MI GENERAL.exe
  • X:\SEGURO BTA EQUIPOS.exe
  • X:\CURSO CONSTITUCIONAL.copia.exe

(X: stands for the drive letter(s) used on the infected machine; %Windir% is the Windows folder, e.g. C:\Windows. Note that a legitimate csrss.exe, which is part of the Windows operating system, resides in %Windir%\System32; the copy listed above is dropped in %Windir%\System.)

It installs the following registry key(s) to start at Windows boot up:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ "WinSound" = "%Windir%\System\csrss.exe"

The C:\Boot.ini should be restored manually to the original settings (see removal section).

Method of infection: W32/BootMerlin is a worm that can make copies of itself over mounted network drives. It may infect other systems that use the same network drives.

Removal: This virus can modify C:\boot.ini to display anti-MS Windows messages in Spanish. These messages can be removed using a text editor; for example, a modified entry such as:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="AUN Usas Windows..?"/fastdetect

edit it to become:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="{your original operating system name}" /fastdetect {your original boot up options where applicable}

Do not modify any other parts of the C:\boot.ini file. Also check under My Computer->Properties->Advanced->Startup and Recovery Settings that it points to the default operating system that was originally configured.
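As an added defender-side example (not code from the McAfee entry or from this blog), the following Python audits a boot.ini text for an operating-system entry whose description was changed, rewrites only that entry while keeping the ARC path, and checks a registry Run snapshot and a file inventory against the indicators listed above. The SAMPLE_* inputs, the expected description "Microsoft Windows XP Professional" and all function names are constructed for the example.

```python
import re

# Indicators quoted from the McAfee entry above: the Run value the worm
# installs and the file names it drops (compared case-insensitively).
RUN_VALUE_NAME = "WinSound"
RUN_VALUE_DATA = r"%Windir%\System\csrss.exe"
DROPPED_NAMES = {
    "csrss.exe",  # legitimate only in %Windir%\System32
    "g-vulcan-iii.exe", "recuerda que te quiero.exe",
    "lineas telefonicas sijin vieja.exe", "poder saldarriaga1.exe",
    "solicitud a mi general.exe", "seguro bta equipos.exe",
    "curso constitucional.copia.exe",
}

# One [operating systems] entry:  ARC path="description" options
ENTRY_RE = re.compile(r'^(?P<arc>[^=]+?)\s*=\s*"(?P<desc>[^"]*)"\s*(?P<opts>.*)$')


def repair_boot_ini(text, expected_desc, expected_opts=None):
    """Return (fixed_text, tampered_descriptions).

    Only lines inside [operating systems] are touched, and only when the
    quoted description differs from expected_desc. The ARC path is kept;
    boot options are kept too unless expected_opts is given (constructed
    helper, not a McAfee tool)."""
    out, tampered, in_os = [], [], False
    for line in text.splitlines():
        if line.strip().startswith("["):
            in_os = line.strip().lower() == "[operating systems]"
        m = ENTRY_RE.match(line) if in_os else None
        if m and m["desc"] != expected_desc:
            tampered.append(m["desc"])
            opts = m["opts"] if expected_opts is None else expected_opts
            line = f'{m["arc"]}="{expected_desc}" {opts}'.rstrip()
        out.append(line)
    return "\n".join(out) + "\n", tampered


def check_persistence(run_values, file_paths):
    """Flag the Run value and dropped files described in the entry.
    run_values: {name: data} from HKLM\\...\\CurrentVersion\\Run;
    file_paths: full paths from a file inventory."""
    findings = []
    if run_values.get(RUN_VALUE_NAME, "").lower() == RUN_VALUE_DATA.lower():
        findings.append(f"Run value {RUN_VALUE_NAME} -> {RUN_VALUE_DATA}")
    for path in file_paths:
        folder, _, name = path.lower().rpartition("\\")
        if name not in DROPPED_NAMES:
            continue
        if name == "csrss.exe" and folder.endswith("\\system32"):
            continue  # the genuine Windows csrss.exe
        findings.append(f"dropped file {path}")
    return findings


# Constructed sample data (not taken from a real infected machine).
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="AUN Usas Windows..?"/fastdetect
"""
SAMPLE_RUN = {"WinSound": r"%Windir%\System\csrss.exe",
              "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"}
SAMPLE_FILES = [r"C:\WINDOWS\System32\csrss.exe", r"C:\WINDOWS\System\csrss.exe",
                r"D:\Recuerda que te quiero.exe", r"C:\WINDOWS\notepad.exe"]

if __name__ == "__main__":
    fixed, bad = repair_boot_ini(SAMPLE_BOOT_INI, "Microsoft Windows XP Professional")
    print("tampered descriptions:", bad)
    print(fixed)
    print("\n".join(check_persistence(SAMPLE_RUN, SAMPLE_FILES)))
```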

Source: McAfee Virus Library

 

Microsoft Recognizes Most Valuable Professionals at 2007 MVP Global Summit

REDMOND, Wash. — Feb. 22, 2007 — In the wake of the largest product launch in the company’s history, that of the Windows Vista™ operating system, the 2007 Microsoft® Office system and Exchange Server 2007, Microsoft Corp. will host the 2007 MVP Global Summit. The annual event recognizes the value that Microsoft-designated Most Valuable Professionals (MVPs) around the world provide in helping to make the company’s products successful, while honoring their contributions to the objective exchange of knowledge and their dedication to enriching the technology user experience.

Scheduled for March 12 to 15, the 2007 MVP Global Summit will be held at the Washington State Convention and Trade Center in Seattle and at Microsoft’s headquarters in Redmond, Wash. The event will kick off with a keynote address by Microsoft Chairman Bill Gates. More information can be found at http://mvp.support.microsoft.com/MVPsummit.


Source: Microsoft PressPass.
Related web site: MVP Web site.

 

Posted: Feb 22 2007, 09:48 PM by jubo | with no comments
Cool new tool: Windows Vista Hardware Assessment

A few days ago, Microsoft released a very nice tool that finds computers on a network and determines whether they are ready to run Windows Vista. The good news is that this tool does not require deployment of agent software on the computers being inventoried and assessed. The tool can scan computers on a network that are running an operating system that supports Windows Management Instrumentation (WMI). This includes the following operating systems:

  • Windows Vista
  • Windows XP® Professional (SP2)
  • Windows Server 2003™ or Windows Server 2003 R2
  • Windows 2000 Professional or Windows 2000 Server

Read the documentation first because it also installs, if necessary, the SQL Server 2005 Express edition.

More information at: TechNet and you can download it at: Download Center.

 

Posted: Feb 21 2007, 09:39 PM by jubo | with no comments
SQL Server 2005 SP2 available

SQL Server 2005 SP2 available for download at: Download Center.

  • Supported Operating Systems: Windows 2000 Service Pack 4; Windows Server 2003 Service Pack 1; Windows Vista; Windows XP Service Pack 1

 

Posted: Feb 19 2007, 10:02 PM by jubo | with no comments
"Winfixer" and "Errorsafe" through MSN Messenger banner advertisements

Excellent article by Sandi Hardmeier (MVP). Please read: WARNING: Winfixer and Errorsafe being distributed via MSN Messenger banner advertisements.

 

Posted: Feb 18 2007, 11:27 AM by jubo | with no comments
MBSA 2.1 available

MBSA 2.1 Microsoft Baseline Security Analyzer (MBSA) is an easy-to-use tool designed for the IT professional that helps small- and medium-sized businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance.

In order to ensure compatibility with Windows Vista, MBSA 2.1 Beta 1 is now available. Beta 1 maintains the current MBSA 2.0.x functionality but adds Windows Vista support. More information at: MBSA 2.1 page.

You can download the MBSA 2.1 installer from the Microsoft Download Center.

 

Posted: Feb 16 2007, 11:35 PM by jubo | with no comments
Do McAfee Consumer Products Support Vista? Yes and No!

Even though McAfee says it's Vista ready, it's actually not fully ready. If you look at the "System Requirements" for their 3 in 1 Protection suite, it only says:

Microsoft® Windows 2000 Service Pack 4, Windows XP, Windows VISTA

There are customers who have been able to install previous versions (VS10 and lower) on server OS software, but that was not really supported either. VirusScan version 11 will not even install on server software. By W2K they only mean the W2K Professional version.

Worse still for XP and Vista users, it only supports the 32-bit version and not the 64-bit operating system.

 

At the McAfee Support Forum there have been many complaints about this, but after talking with McAfee people you come to the conclusion that it is easier to change the US Constitution than adding a few characters to the McAfee web site.

So, where to find the correct information? So far I have been able to find one document, very well hidden, at the Technical Support site: Is McAfee compatible with Windows Vista? which says: "Yes, McAfee is compatible with all 32-bit versions of Microsoft Windows Vista."

This information should be up front at the McAfee Consumer site and not in one of the technical articles well hidden with all the others.

 

Conclusion: if you have, or get, an x64 OS then have a look at other antivirus vendors like TrendMicro, NOD32, Panda or Windows Live OneCare. However, the x64-based versions of XP and Vista are not yet supported by OneCare either. See: Installation requirements. But at least they tell you what you should know before installing any product.

 

Posted: Feb 16 2007, 06:36 PM by jubo | with no comments
Microsoft Security Advisory 933052 published

Microsoft is investigating new public reports of very limited, targeted attacks exploiting a Microsoft Word “zero-day” vulnerability in Microsoft Office 2000 and Microsoft Office XP.

In order for this attack to be carried out, a user must first open a malicious Office file attached to an e-mail or otherwise provided to them by an attacker.

More information: TechNet, MSRC Blog and SSIRP.

 

Posted: Feb 15 2007, 09:11 PM by jubo | with no comments
February 2007 Security Releases ISO Image

Since this year you can also get the Microsoft security updates as an ISO-9660 CD image.

These ISO-9660 CD image files contain the security updates for Windows released on Windows Update on February 13th, 2007. These do not contain security updates for other Microsoft products. These CD images are intended for corporate administrators who manage large multinational organizations, who need to download multiple individual language versions of each security update and who do not use an automated solution such as WSUS. Use these images to download multiple updates in all languages at the same time.

These CD images contain the following updates:

Caution: Be sure to check the individual security bulletins at http://www.microsoft.com/technet/security prior to deployment of these updates to ensure that the files have not been updated at a later date.

Source: Download Center


 

Posted: Feb 15 2007, 08:38 PM by jubo | with no comments
Windows Mobile 6

Just a few weeks after I got my own smartphone, the HTC S620, Windows Mobile 6 was released:

With Windows Mobile 6 mobile workers can:

  • Access the company address list and add contacts via Outlook, have mail sent directly by Microsoft Direct Push Technology, and manage multiple e-mail accounts and mail folders - just like Outlook on the PC.
  • View and edit Office attachments and now get access to files on your corporate file shares and Sharepoint sites.
  • Enjoy the advantages of Windows Live, including single sign-on to Windows Live services, Windows Live Messenger, Windows Live Mail, Hotmail, and Windows Live Search.
  • Get increased control, security, and greater interoperability with Exchange Server and other IT infrastructure that helps businesses efficiently deploy, manage and secure Windows Mobile devices.

MVP Jaap van Ekris wrote a very nice review, which is published at: Modern Nomads.

See the Windows Mobile web site.

 

Posted: Feb 14 2007, 09:13 PM by jubo | with no comments
Microsoft Security Bulletin Summary for February, 2007

On February 12th, Microsoft released a number of updates. There are "critical" and "important" updates.

Critical:

  • MS07-008 - Vulnerability in HTML Help ActiveX Control Could Allow Remote Code Execution (928843)
  • MS07-009 - Vulnerability in Microsoft Data Access Components Could Allow Remote Code Execution (927779)
  • MS07-010 - Vulnerability in Microsoft Malware Protection Engine Could Allow Remote Code Execution (932135)
  • MS07-014 - Vulnerabilities in Microsoft Word Could Allow Remote Code Execution (929434)
  • MS07-015 - Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (932554)
  • MS07-016 - Cumulative Security Update for Internet Explorer (928090)

Important:

  • MS07-005 - Vulnerability in Step-by-Step Interactive Training Could Allow Remote Code Execution (923723)
  • MS07-006 - Vulnerability in Windows Shell Could Allow Elevation of Privilege (928255)
  • MS07-007 - Vulnerability in Windows Image Acquisition Service Could Allow Elevation of Privilege (927802)
  • MS07-011 - Vulnerability in Microsoft OLE Dialog Could Allow Remote Code Execution (926436)
  • MS07-012 - Vulnerability in Microsoft MFC Could Allow Remote Code Execution (924667)
  • MS07-013 - Vulnerability in Microsoft RichEdit Could Allow Remote Code Execution (918118)

A more technical version of the Security Bulletin can be found at TechNet and an end-user version is available at Microsoft's Security At Home site.

 

Support:

 

So, if you haven't done the update routine yet then it's time to move your mouse to: Windows Update or Microsoft Update and, for Office products, to: Office Update.

 

In my time zone it's still Valentine's Day so you know the drill... Next month I'll do my usual computer maintenance when I'm on my US Coast-to-Coast Tour. More about that later...

More information at: MSRC Blog.

 

Posted: Feb 14 2007, 08:56 PM by jubo | with no comments
McAfee SiteAdvisor Technology Honored at RSA2007

At RSA2007 McAfee was honored for its SiteAdvisor technology by the U.S. Department of Commerce with its “Recognition of Excellence in Innovation” award.

The award was presented by the Honorable Robert Cresanti, U.S. Under Secretary of Commerce for Technology, for the technology’s innovative approach to making the Internet a safer place to search and surf for consumers.

See: McAfee Avert Labs Blog and Huliq.

Posted: Feb 13 2007, 10:53 PM by jubo | with no comments
Beware of Valentine's Day e-greeting emails!

If you receive emails with variable subjects such as "Together You and I", "Everyone Needs Someone" or "Cyber Love", then delete them immediately. They're usually sent by a female using different names. The attached file that contains the worm is an executable with names such as flash postcard.exe or greeting postcard.exe.

According to Pandalabs, this virus is spreading rapidly and they have named it: Nurech.A. Other malicious codes currently infecting users include Nuwar.D. This worm arrives in messages with subjects like “5 reasons I love you” or “A kiss for you”.

See for more information: "ORANGE VIRUS ALERT: The Nurech.A worm spreads rapidly, infecting hundreds of computers" and "Valentine’s Day: a powerful lure for spreading malware".

Symantec calls it: Trojan.Peacomm, aka "Storm Trojan".

 

I think I'll just stick with AmericanGreetings...

 

Microsoft Security Bulletin Advance Notification for February, 2007

On 13 February 2007 (yes guys, the day before Valentine's Day, so remember to raise your personal security level), Microsoft is planning to release a number of security updates:

  • Five Microsoft Security Bulletins affecting Microsoft Windows.
  • Two Microsoft Security Bulletins affecting Microsoft Office.
  • One Microsoft Security Bulletin affecting Microsoft Windows and Microsoft Visual Studio.
  • One Microsoft Security Bulletin affecting Microsoft Windows and Microsoft Office.
  • One Microsoft Security Bulletin affecting Step-by-Step Interactive Training.
  • One Microsoft Security Bulletin affecting Microsoft Data Access Components.
  • One Microsoft Security Bulletin affecting Windows Live OneCare, Microsoft Antigen, Microsoft Windows Defender, Microsoft Forefront Security for Exchange Server and Microsoft Forefront Security for SharePoint.

Apart from that, there will be a few other non-security updates:

  • Microsoft will release two NON-SECURITY High-Priority Updates for Windows on Windows Update (WU) and Software Update Services (SUS).
  • Microsoft will release eight NON-SECURITY High-Priority Updates on Microsoft Update (MU) and Windows Server Update Services (WSUS).

Source: TechNet.

...and remember, the next day you patch and update your sweetheart's computer...

 

Posted: Feb 10 2007, 05:46 PM by jubo | with no comments
Ask for t-shirts with McAfee logo

This marks the first year that Avert Labs has a direct presence at RSA. We will be running some very cool demos at the McAfee booth and answering questions about our research happenings. Some of the demos include password-stealing trojans, a botnet in action, and the coolest drive-by rootkit installation ever!!! Make sure you stop by booth 1730 and say “Sup Dawgs!”

We also know how hard it can be to try and catch a cab around the Moscone Center, so on Tuesday and Wednesday we will be offering free rides from RSA to any nearby location in San Francisco. Just look for the black Mini Coopers displaying the McAfee logo!


Source: McAfee Avert Labs at RSA.

And if you don't see these lightning black Mini Coopers then I would just ask for a McAfee t-shirt (black) with a red logo!

 

Posted: Feb 07 2007, 01:29 PM by jubo | with no comments
Microsoft Excel “zero-day” exploit

Microsoft has released a Security Advisory regarding Microsoft Excel “zero-day” attacks that use a vulnerability in Microsoft Office 2000, Microsoft Office XP, Microsoft Office 2003, and Microsoft Office 2004 for Mac. The issue is currently being exploited using Excel documents, but it can affect all other Office documents as well.

In order for this attack to be carried out, a user must first open a malicious Office document attached to an email or otherwise provided to them by an attacker. So don't open any Office document in an email from people you don't know, and keep your antivirus protection updated. If you're not sure, you can always do an online scan with the Windows Live OneCare safety scanner.

Source: Microsoft Security Advisory (932553).
See also: Microsoft Security Response Center Security Blog.

 

Posted: Feb 03 2007, 07:57 PM by jubo | with no comments