GeoApps Security Newsletter 2009-09-18

Last change:
22:43 ET 
Fri 18 Sep 09


Happy Friday!

Hope you all got your Windows updates done this week; there are some critical ones. Those still using Windows XP should strongly consider moving on to Windows 7 soon, as one of the critical things fixed in Windows Vista and Windows 7 was NOT fixed in Windows 2000 or Windows XP; Microsoft is claiming they can't fix it. I suspect it's just Microsoft's way of forcing us to spend money with them, but what can you do?

  1. Windows Updates -- problems with XP, 2000
  2. Spyware Updates since last newsletter
  3. Exploits "in the wild" for IIS/FTP flaw
  4. Vista, Server 2008 vulnerable to remote takeover
  5. What to do when scareware strikes
  6. Firefox updated to 3.5.3 or 3.0.14
  7. Windows autoplay behavior updated
  8. Apple updates
  9. Other software updates
  10. Banking Online? Read this
  11. Data transfer by Carrier Pigeon
Links were current as of Fri 18 Sep 2009 19:31 MST
1. Windows Updates -- problems with XP, 2000
  September 8:
  Security Fix - Microsoft Fixes Eight Security Flaws
Microsoft today pushed out software updates to plug at least eight critical security holes in computers powered by its various Windows operating systems. The patches are available through Windows Update or via Automatic Updates. The flaws were addressed in a bundle of five patches, each of which earned Microsoft's most dire "critical" rating, meaning they are serious enough that attackers could break into systems without any help from users. One particularly dangerous flaw covered by this month's patch batch is a problem with the way Windows handles Javascript. While this flaw stems from a faulty component of the Windows operating system, it would most likely be exploitable through Internet Explorer versions 6, 7 and 8, said Wolfgang Kandek, chief technology officer at software security provider Qualys. The flaw resides in every version of Windows except Windows 7. In fact, none of the vulnerabilities patched today affect Windows 7, Kandek said.
See also:
  Microsoft September 2009 Black Tuesday Overview

One thing that concerns me is that MS is NOT fixing, in XP and 2000, part of the TCP/IP flaws it fixed in Vista and Win7. This means that XP is no longer safe to run on the Internet unless you're behind a separate hardware firewall. A discussion of this as it applies to Windows 2000, including Windows 2000 Server, can be read here:
  Microsoft: Patching Windows 2000 'infeasible' - Network World

Microsoft took the unusual step today and skipped patching one of the vulnerabilities addressed in its monthly security update, saying that crafting a fix was "infeasible." The omission leaves users running Windows 2000 Server Service Pack 4 (SP4) vulnerable to attack. ...
Note that Windows 2000 support is in its last year anyway:
Extended Support for Windows 2000 Server will end on July 13, 2010. At this time, Windows 2000 Server will no longer be publicly supported. You will be able to continue using "Self-Help Online Support"
2. Spyware Updates since last newsletter
Some of these are free for home use only, others are free for everyone. Even if your anti-virus provides some anti-spyware, think of the free ones as "suspenders" to your belt.
3. Exploits "in the wild" for IIS/FTP flaw

This will primarily affect business users, but it may also affect people with websites hosted on Microsoft IIS. It won't affect people with websites hosted on Apache, most of which run on Linux or Unix. Anyone running a FTP server on a Microsoft Windows platform should pay close attention to this one:

  Microsoft Security Advisory 975191 Revised

We wrote about the new IIS FTP service vulnerabilities when the exploit code became public in diary 7039 and when Microsoft published their advisory some time afterwards in diary 7063. Not surprisingly Microsoft have revised their security advisory letting us know that there have been reports of incidents where this exploit was used to compromise systems. This might seem counterintuitive as the exploit code was public prior to the advisory coming out. It is more likely that there were few reports, however the exploit was being actively used. There are not all that many IIS servers running FTP on the Internet, in fact there are fewer public FTP servers than in the past. Where this exploit may have been used is attacking internal FTP servers.

Microsoft have also reminded admins that version 7.5 of their FTP service is available for download (although only for Windows Server 2008), and is not vulnerable to these attacks. Hopefully a patch will be out shortly.

4. Vista, Server 2008 vulnerable to remote takeover

If you are running Windows Vista or Server 2008, anyone inside your network perimeter (including fellow Starbucks users when you're on public WiFi) can now take over your computer if you have SMB 2.0 enabled. File sharing works fine without it, so disable SMB2 until this is fixed. Instructions are in the Microsoft KB article referenced below.

  SMB2 remote exploit released

Last week Guy posted a diary (http://isc.sans.org/diary.html?storyid=7093) about a 0-day vulnerability in SMB2 on Windows Vista and Server 2008 operating systems. Back then the exploit only crashed affected systems.

This is already bad enough; however, it just got worse. Yesterday a well known security company added a module for their exploitation product. The module contains the remote exploit for this vulnerability - in other words, any user running this tool can get full access to affected machines.

If the exploit is stable enough, it can _very easily_ be used in a worm, so it can potentially be devastating. So, if you are running a Windows Vista or Server 2008 machine (Windows 7 RTM is not affected, RC *is*), be sure you apply one of workarounds listed by Microsoft (they are not perfect, but they can help), available here: ...

More info here:
  The Microsoft Security Response Center (MSRC) : Microsoft Security Advisory 975497 Released
We've just released Microsoft Security Advisory 975497, which provides information about a new, irresponsibly reported vulnerability in SMB 2.0. Our investigation has shown that Windows Vista, Windows Server 2008 and Windows 7 RC are affected by this vulnerability. Windows 7 RTM, Windows Server 2008 R2, Windows XP and Windows 2000 are not affected by this vulnerability.

The Security Advisory outlines steps that Windows Vista and Windows Server 2008 customers can take to help protect themselves while we work on a security update for this issue.

http://www.microsoft.com/technet/security/advisory/975497.mspx
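To see whether the advisory's SMB2 workaround is actually in place on a Vista or Server 2008 box (and to apply it), here is an added PowerShell script. It is not from the newsletter or from Microsoft; it assumes the registry value the advisory's workaround uses, Smb2 under LanmanServer\Parameters, and an elevated prompt.

```powershell
# Added example (not from the newsletter or Microsoft): audit and optionally
# apply the SMB2 workaround from Microsoft Security Advisory 975497.
# The workaround disables SMB 2.0 on the server side by setting
#   HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\Smb2 = 0
# and restarting the Server service. Run from an elevated PowerShell prompt.
param([switch]$Apply)

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$name = 'Smb2'

function Get-Smb2State {
    # Returns 'Enabled' or 'Disabled'. A missing value means the default,
    # which is SMB2 enabled on Vista / Server 2008.
    $item = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($item -eq $null -or $item.$name -ne 0) { return 'Enabled' }
    return 'Disabled'
}

# e.g. 6.0.6002 for Vista SP2 / Server 2008 SP2 (6.1.7100 is the affected Win7 RC)
$os = (Get-WmiObject Win32_OperatingSystem).Version
Write-Host "OS version: $os"
Write-Host "SMB2 server state: $(Get-Smb2State)"

if ($Apply) {
    if (-not $os.StartsWith('6.0')) {
        Write-Warning 'This script only applies the workaround on Vista / Server 2008 (kernel 6.0).'
        return
    }
    # Create or overwrite the DWORD Smb2 = 0.
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    # The change takes effect only after the Server service restarts.
    Restart-Service -Name LanmanServer -Force
    Write-Host "SMB2 server state now: $(Get-Smb2State)"
    Write-Host 'Once the real fix ships, set Smb2 back to 1 (or delete it) and restart the service.'
}
```

Clients fall back to SMB1 for file sharing while the value is 0, which is why shares keep working; the advisory also suggests blocking TCP 139 and 445 at the firewall for machines that do not need to share files at all.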

5. What To Do When Scareware Strikes

If you were one of the people who got caught by the NYTimes.com advertising hack, you should read below. For background info on this:

  New York Times pwned to serve scareware pop-ups
   Gray Lady gets goosed
   By John Leyden
   Posted 14th September 2009 10:17 GMT

The New York Times was co-opted into pushing fake anti-virus malvertisements after hackers broke into its banner ad feed over the weekend.
  New York Times warns readers of website virus by AFP: Yahoo! Tech
The New York Times warned readers of its website on Monday to beware of a virus masquerading as an advertisement.

The newspaper said some users of NYTimes.com had encountered a pop-up box that warned them about a virus and directed them to go to a site that claims to offer anti-virus software. ...

More stories: http://www.google.com/search?q=nytimes+scareware

Here's some help if you get hit with anything like this:

Security Fix - What To Do When Scareware Strikes
The final paragraph of the above article has some excellent advice:
-Change your browsing habits: Microsoft Windows users can dramatically reduce their chances of having to deal with scareware-laced sites by browsing the Web with Mozilla Firefox, instead of the default Internet Explorer. Put simply, most of these scareware attacks rely on tiny scripts that try to silently redirect your browser to pull code from another site. There are several add-ons available for Firefox -- such as noscript, request policy, and adblock plus -- that block scripts and ads by default, and let you decide which sites should be able to load them.
Here's another good read for home users.
The ultimate guide to scareware protection | Zero Day | ZDNet.com
6. Firefox updated to 3.5.3 or 3.0.14

If you run Firefox, you should upgrade to either 3.5.3 (or 3.0.14 if you're staying on the older 3.0 version). Security patches have been issued. Firefox 3.5.3 now monitors your Flash version for updates automatically, alerting you if it has been updated. Get it here: http://mozilla.com/

Write up of changes here:

Firefox 3.5.3 and 3.0.14 has been released

There are 3 critical security fixes in the 3.5.3 advisory. Mozilla have the details of the fixes contained in their security advisory located here.

There are 3 critical and 1 moderate security fixes in the 3.0.14 advisory. Mozilla have the details of the fixes contained in their security advisory located here.

7. Windows autoplay behavior updated

One of the ways viruses and trojans spread is through "autoplay", a Windows "feature" which has been exploited in many subtle ways. Microsoft changed Autoplay in Windows 7 to make it more secure, and they have now made that change available for XP and Vista users. If you run XP or Vista, these changes will NOT show up in Windows Updates; you'll have to make them manually by following the instructions in the linked pages below.

Windows autoplay behavior updated (improved)

Microsoft has delivered on their promise to backport the improved autoplay behavior in Win7 to older versions of Windows. This is definitely a good thing and I for one am going to be implementing this on every system I have any sort of control over. I'd encourage y'all to do the same. http://support.microsoft.com/kb/971029
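To check what AutoRun is currently allowed to do on an XP or Vista machine, here is an added PowerShell script; it is not from the newsletter or from Microsoft, and it goes a step beyond KB 971029 (which changes the AutoPlay dialog itself) by applying the complementary registry hardening from KB 967715: NoDriveTypeAutoRun = 0xFF and HonorAutorunSetting = 1, the latter being what XP and Server 2003 honor once that update is installed. The policy path and bit layout are the documented ones; the script and its output text are my own.

```powershell
# Added example (not from the newsletter or Microsoft's KB pages): audit the
# AutoRun policy in HKLM and HKCU and optionally disable AutoRun for every
# drive type (KB 967715 hardening). Run from an elevated prompt.
param([switch]$Apply)

$policyKey = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# NoDriveTypeAutoRun is a bitmask: a set bit disables AutoRun for that drive
# type. Bit positions follow the Win32 DRIVE_* constants; 0x80 is "unknown type".
$driveBits = @{ 0x01 = 'Unknown'; 0x02 = 'No root dir'; 0x04 = 'Removable (USB, floppy)';
                0x08 = 'Fixed disk'; 0x10 = 'Network'; 0x20 = 'CD/DVD';
                0x40 = 'RAM disk'; 0x80 = 'Unknown type' }

function Get-AutorunPolicy([string]$hive) {
    # Returns the NoDriveTypeAutoRun value from the given hive, or $null if unset.
    $path = $hive + ':\' + $policyKey
    $p = Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    if ($p -eq $null) { return $null }
    return [int]$p.NoDriveTypeAutoRun
}

function Describe-AutorunMask([int]$mask) {
    # Lists the drive types whose AutoRun is disabled by $mask.
    $disabled = @()
    foreach ($bit in ($driveBits.Keys | Sort-Object)) {
        if (($mask -band $bit) -ne 0) { $disabled += $driveBits[$bit] }
    }
    return $disabled
}

foreach ($hive in 'HKLM', 'HKCU') {
    $mask = Get-AutorunPolicy $hive
    if ($mask -eq $null) {
        Write-Host "$hive : NoDriveTypeAutoRun not set (Windows default 0x91 applies)"
        $mask = 0x91    # default: unknown + network + unknown-type drives only
    } else {
        Write-Host ('{0} : NoDriveTypeAutoRun = 0x{1:X2}' -f $hive, $mask)
    }
    Write-Host ('  AutoRun disabled for: ' + ((Describe-AutorunMask $mask) -join ', '))
}

if ($Apply) {
    $path = 'HKLM:\' + $policyKey
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name NoDriveTypeAutoRun -PropertyType DWord -Value 0xFF -Force | Out-Null
    New-ItemProperty -Path $path -Name HonorAutorunSetting -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host 'AutoRun disabled for all drive types; takes effect at next logon.'
}
```

With the default 0x91 the audit shows AutoRun still allowed on removable and fixed drives, which is exactly the path USB-borne malware uses; after -Apply every type is listed as disabled.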

8. Apple updates

If you run Mac OS X, run Software Update Manager. If you have recently upgraded to Snow Leopard (OS X 10.6), you need to update to 10.6.1 ASAP. See the following pages for more:

Apple fixes Flash snafu in Snow Leopard, patches 33 bugs in Leopard
     Mac users get third and fourth updates this week, but Safari may be next, says researcher
   By Gregg Keizer , Computerworld , 09/11/2009

Less than two weeks after Apple launched Snow Leopard, the company today issued the new operating system's first security update. In a separate upgrade, Apple patched 33 vulnerabilities in 2007's Leopard, and about half as many in the even older Tiger.

Today's updates were the third and fourth from Apple in the last two days. Wednesday, Apple delivered security fixes for the iPhone and iPod Touch, as well as another upgrade for its QuickTime media player.

"It's another sneak attack," said Andrew Storms, director of security operations at nCircle Network Security, referring to the string of updates. "Actually, it's almost what we've come to expect from Apple," he added. Unlike rival OS maker Microsoft, which releases most of its security upgrades on a pre-set monthly schedule, Apple ships its patches whenever they're ready to go out the door. The Snow Leopard 10.6.1 update's security content consisted solely of an upgrade for Adobe's Flash Player, which was bumped to the up-to-date version 10.0.32.18.

9. Other software updates
 

  CCleaner 2.23.999
  3 September 2009

A new Version 2.23.999 of the free CCleaner system cleaning utility has been released. This version improves Opera 10 support, and fixes a 'no disk' exception error along with a 64-bit registry scanning bug.

Use CCleaner Portable, get it here.

  Foxit Reader 3.1
  3 September 2009
The free Foxit PDF Reader has been updated to Version 3.1.1.0901. This is a bug fix release.

Get it here

More info here:
   Foxit Software - Downloads - Foxit Reader 3.0 Build 1506

  QuickTime 7.6.4
  10 September 2009
Apple has released a new Version 7.6.4 of the QuickTime media player. This version improves reliability, security, and compatibility with iTunes 9.

More info here:
  Four Critical Holes in QuickTime Closed

Apple has released QuickTime version 7.6.4 for Mac OS X 10.4.11, Mac OS X 10.5.8, Windows 7, Vista and Windows XP SP3. The update closes four security holes through which an attacker could infect a system. Viewing a crafted file in H.264, MPEG-4 or FlashPix format by, for example, downloading the file through a movie portal, was sufficient for infection.

The update for Mac OS X 10.4.11 and Mac OS X 10.5.8 is 57MB, while the Windows 7, Vista and Windows XP SP3 version is 31MB in size.

  AutoRuns 9.54
   18 September 2009

Microsoft has released AutoRuns 9.54, updating this free startup software identification utility. This version includes several bug fixes and interface improvements, additional 32-bit autostart locations for 64-bit Windows, and reintroduces compatibility with .ARN files created by older versions.

http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

  Process Monitor 2.7
   18 September 2009

Microsoft has updated the free Process Monitor system monitoring utility to Version 2.7. This version adds a new option to the process tree dialog that directs it to show just the timeline for displayed events, has performance improvements in Windows Vista and 7, and has a range of fixes and enhancements.

http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx

  The PC Decrapifier v2.0.3
  16 September 2009

The PC Decrapifier is free for personal use; others may purchase a commercial-use subscription. Windows XP and Vista compatible.

http://www.pcdecrapifier.com/download

  Recuva - Undelete, Unerase, File Recovery
  Version 1.30.435 (3,727kb)

http://www.recuva.com/download
  iTunes 9.0
  10 September 2009
Apple has released a new Version 9.0 of the iTunes software. This version comes with several new features including Genius Mixes and Genius DJ, and improved syncing and sorting functionality.
Get it here
10. Banking Online? Read this

More and more stories of small business who use online banking services losing tens of thousands to hundreds of thousands of dollars are surfacing. If you are a home user, you have 60 days to dispute hacking charges. If you are a business user, you have TWO days to dispute transfers. If I were a small-business owner or accountant doing online banking, I would set up a dedicated computer using a "LiveCD" distribution of Linux for online banking.

If you go to a bank or credit card site and there is a new popup window asking for your account info, be VERY careful.

Here's a video demonstrating just such a new popup. It would fool most of us.

    Live Demo: Banking Trojan on Vimeo

This story documents money stolen from a school district and from a dental office, with links to many more incidents:

Security Fix - Clamping Down on the 'Clampi' Trojan

... SecureWorks' advice comes very close to the tips I gave readers in a related blog post earlier this week. Their advice?

  For Businesses:

    Most major anti-virus engines should be able to detect Clampi variants; however, there is always a delay between a new Trojan release and the detection time. Given the prevalence and seriousness of the Clampi Trojan, it is recommended that businesses adopt a strategy to isolate workstations where banking/financial transactions are carried out from possible Clampi or other data-stealing Trojan infections.

    This may include using a dedicated workstation for accessing financial accounts which is isolated from the rest of the local network and the Internet except for the specific financial sites required to be accessed. Since Trojans can also be spread using removable drives, systems should be hardened against auto run-type threats. Businesses may even consider using an alternative operating system for workstations accessing sensitive or financial accounts.

  For Home Users:

    SecureWorks recommends that home computer users use a computer dedicated only to doing their online banking and bill pay. They should not use that computer to surf the web and send and receive e-mail, since web exploits and malicious e-mail are two of the key malware infection vectors. Further reading: ...
Another story here: Security Fix - Cyber Thieves Steal $447,000 From Wrecking Firm
...

The exact type of malicious software that was used in the attack is unknown (Ferrari said the affected computer's hard drive is currently in possession of the FBI). But Ferma manager Rich Parodi said the company's security software found a banking Trojan horse program on the internal system, which had been hacked by the fraudsters and used to initiate the bogus transfers.

...

Over the past few days, I have interviewed nearly two dozen companies, universities and school districts that have been attacked in the same fashion. While their stories were remarkably similar, each seemed to highlight a different weakness in the modern online commercial banking environment. I will be writing about their experiences in the coming days and weeks, but in the meantime I'd like to offer a few basic security tips for companies that bank online.

11. Data transfer by Carrier Pigeon

And finally, if you have read down this far, here's something you will enjoy:

  Bayou Renaissance Man: When technology lets you down

"I was amazed to read of a South African company that's resorted to an ancient technique for the transfer of modern digital data. A company is to start using a carrier pigeon to transfer data between its offices - because bosses believe it will be quicker than broadband."