General discussion

NEWS - April 28, 2010

McAfee offers security review to compensate companies for bad update

"Will also craft custom packages of products, services and support to appease enterprise customers"

McAfee today announced it would offer business customers affected by last week's flawed update a free one-year subscription to its automated security assessment service.

The company, which has faced a firestorm of criticism for letting the faulty update slip through testing, added that it would throw in other services, products and support packages on a case-by-base basis. "McAfee and McAfee channel partners will be offering a customer commitment package that may contain a combination or selection of services, support and products tailored to each customer situation," the company said on a page dedicated to businesses .

McAfee told its corporate customers it would contact them with details of the compensation program, and urged them to get on the list by connecting with technical support if they had been affected.

Customers are certain to key on the part of today's statement that spells out the free year's subscription to McAfee's security review services. "All affected customers will be offered a free one-year subscription to our automated security health check platform which provides an assessment of the security of an organization or enterprise based on McAfee's best practices," the company said.

Continued here:

Discussion is locked

Reply to: NEWS - April 28, 2010
PLEASE NOTE: Do not post advertisements, offensive materials, profanity, or personal attacks. Please remember to be considerate of other members. If you are new to the CNET Forums, please read our CNET Forums FAQ. All submitted content is subject to our Terms of Use.
Reporting: NEWS - April 28, 2010
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
- Collapse -
S.F. Admin Guilty of Hijacking City Passwords

After a six-month trial, a San Francisco city admin was found guilty Tuesday of a sole felony count of hijacking the city?s computer system.

Terry Childs, 45, was guilty of one count of locking out the city from its FiberWAN network containing city e-mails, payroll, police records, information on jail inmates and more ? virtually an all-access pass to City Hall.

Childs was arrested in July 2008 after refusing to hand over passwords to the Wide Area Network system he was accused of taking control of illegally. A San Francisco jury deliberated a week before reaching a verdict.

Childs? $5 million bail was set five times higher than most murder defendants? because the authorities feared that, if released, he might permanently lock the system and erase records.

The FiberWAN network system is the major backbone of the consolidated city-and-county government?s computing infrastructure, connecting hundreds of different departments and buildings to a central data center, and to each other. The FiberWAN system carries more than 60 percent of the network traffic for San Francisco?s government.

Continued here:

- Collapse -
Infamous Storm Worm Stages a Comeback

The ?Storm Worm,? a strain of malicious software once responsible for blasting out 20 percent of spam sent worldwide before it died an ignominious death roughly 18 months ago, was resurrected this week. Researchers familiar with former strains of the worm say telltale fingerprints in the new version strongly suggest that it was either rebuilt by its original creators or was sold to another criminal malware gang.

The Storm Worm first surfaced in January 2007, disguising itself as videos supposedly depicting the carnage wrought by unusually violent storms that swept through Europe at the time. But as security researchers began delving into the code that powered the worm, they quickly realized they were up against an adversary that was significantly more sophisticated and resilient than any other threat in recent memory.

Storm spread by forcing infected systems to communicate via the same peer-to-peer file sharing systems used by millions of people to share movies and music online. These highly decentralized networks were thought to be appealing to the malware authors because they lacked a single command and control center, a critical piece of infrastructure common to most such large, remotely controlled collections of hacked PCs that were routinely targeted for dismantlement by security researchers.

Continued here:

See Prior Post: The come back of ?Storm Worm?

- Collapse -
A Breeze of Storm

The Honeynet Project Blog:

Today, Steven Adair from Shadowserver imformed us about a new piece of malware that looks like a new version of the infamous Storm Worm. Storm was one of the first serious peer-to-peer botnets, it was sending out spam for more than two years until its decline in late 2008. Mark Schloesser, Tillmann Werner, Georg Wicherski, and I did some work on how to take down Storm back then, so the rumors about a new version caught our interest. Mark, Tillmann, and me started to take the sample apart, and it looks very much like Storm indeed. It even uses the same configuration file, stored under C:\WINDOWS\herjek.config (the same filename as used by the last Storm version), but as the command-and-control channel has been replaced with an HTTP based version, there is no peer list included anymmore. When we looked at it, just contained two lines:


This ID is also stored in the registry under HKLM/SOFTWARE/Microsoft/Windows/ITStorage/Find, together with a mutex name that prevents execution of multiple instances of the malware on one machine. [...]

Just like Storm, this new malware decompresses itself into a heap section and jumps to the unpacked code. We just dumped the heap section to a file and fixed the imports to get an executable we can analyze conveniently.

Continued here:

- Collapse -
Revised patch for Windows 2000 Server claims to finally plug

Microsoft has released a new version of its patch MS10-025, which aims to finally fix the vulnerability in Windows Media Services under Windows 2000 Server. Last week, the company was forced to withdraw the patch when it turned out that it failed to fix a remotely exploitable buffer overflow.

However, there is no easy way for users to test that the patch actually does what it says on the tin ? illustrating the issues examined in the recently reignited discussion on full disclosure. Adherents of full disclosure generally publish demo exploits alongside information on vulnerabilities in order to demonstrate the problem in question. Such exploits allow users to determine whether a vendor patch actually fixes the vulnerability and whether workarounds work as promised.

Continued here:

See: Re-Release Available: Microsoft Security Bulletin MS10-025

- Collapse -
Hackers crack Ubisoft always-online DRM controls

"Game on"

Hackers have overcome Ubisoft's controversial DRM system that relied on constant connection to the internet for games to function.

A crack for Ubisoft?s anti-piracy system published by a group called Skid Row allows gamers to circumvent the controls for games such as Assassin's Creed II. A message from the group on a gamers' forum sets out the group's agenda: allowing legitimate copies of PC games to be played without an internet connection, rather than facilitating piracy. Skid Row cheekily thanks Ubisoft for posing an interesting intellectual challenge.

Thank you Ubisoft, this was quiete a challenge for us, but nothing stops the leading force from doing what we do. Next time focus on the game and not on the DRM. It was probably horrible for all legit users. We just make their lifes easier.
This release is an accomplishment of weeks of investigating, experimenting, testing and lots of hard work. We know that there is a server emulator out in the open, which makes the game playable, but when you look at our cracked content, you will know that it can't be compared to that. Our work does not construct any program deviation or any kind of host file paradox solutions. Install game and copy the cracked content, it's that simple.

Chris Boyd (AKA PaperGhost), a security researcher at Sunbelt Software and a long-time gamer, Told The Register that Ubisoft's controls were fundamentally misconceived.

Continued here:

- Collapse -
The malware exploiting the true nature of PDF /Launch vuln..
The malware exploiting the true nature of PDF /Launch vulnerability has appeared

From the Bkis Blog:

On April 27, 2010, Bkis? Honeypot system has discovered a new wave of attacks exploiting PDF /Launch vulnerability via spam emails. [...]

As analyzed in previous entry (Will there be new viruses exploiting /Launch vulnerability in PDF?), Zeus only takes advantage of an exploit code with limited function available on Metasploit. However, the malware, this time, has exploited the true nature of /Launch vulnerability with a much more sophisticated method. Up to now, Adobe has not patched this vulnerability yet. [...]

This malware has two main characteristics that help exploit /Launch vulnerability more effectively than Zeus when users open the malicious PDF:

1. It does not require tricking users to save the malware to disk-drive.

2. Acrobat Reader?s warning message is faked. [...]

So, we can see that what Zeus has not been able to do is now fulfilled by this new malware, taking advantage of the true nature of /Launch vulnerability.

Continued here:
- Collapse -
PDF Exploit Becomes a Little More Sophisticated

From the TrendLabs Malware Blog:

.PDF files?or their inherent features?have been used by cybercriminals in some of the most noteworthy attacks we have encountered. Modified versions of this file type have been especially notorious these past few months since they are capable of attacking user systems by initially exploiting inherent vulnerabilities found in Adobe Reader and Acrobat. TrendLabs has documented a number of these attacks:

More Adobe Exploits in the Wild
Shanghai Expo Spam Carries Backdoor
Spam Attack Against the U.S. Defense Department Exploits an Adobe Vulnerability

A newly spotted malformed .PDF was found to also attack flaws found in the aforementioned Adobe software products; however, this kind of .PDF contained an object that was embedded within itself using FlateDecode and ASCII85Decode, two common filters used in .PDF files to filter images before compressing them. This object turned out to be an Extensible Markup Language (XML) file bearing a malicious Tagged Image File Format (TIFF) file.

Trend Micro detects the .PDF file as TROJ_PIDIEF.AAL. It can exploit the following vulnerabilities:

Continued here:

- Collapse -
Senators tell Facebook: tighten privacy policy

U.S. lawmakers told Facebook on Tuesday they were concerned about changes in its privacy policy that would allow personal information to be viewed by more than friends, and options on other websites that would allow third parties to save information about Facebook users and friends.

In a letter to Facebook Chief Executive Officer Mark Zuckerberg dated April 27, Senators Charles Schumer, Michael Bennet, Mark Begich and Al Franken objected to changes that made a user's current city, hometown, likes, interests and friends publicly available, where they were previously only seen by friends.

They protested changes that would allow Facebook's third-party advertisers to store users' data for more than 24 hours, and a Facebook "like" button on websites such as, Pandora and ESPN to share the information with Facebook friends.

"We are concerned ... that this feature will now allow certain third-party partners to have access not only to a user's publicly available profile information, but also to the user's friend list and that publicly available information about those friends," the senators' wrote.

Continued here:

- Collapse -
Three critical vulnerabilities in Google Chrome fixed

Google has released version of its Chrome browser for Windows to correct three critical vulnerabilities. The company had fixed seven vulnerabilities in its WebKit-based browser just a week ago.

According to reports, the new problems relate to a bug in the GURL library which allows attackers to circumvent the same origin policy. It's also possible to provoke a memory error using prepared fonts, or when processing HTML5 media data. The vulnerabilities might allow an exploit to inject and execute code.

As part of its Chromium Security Reward programme, Google paid out $1,000 for notification of the vulnerability in the GURL library. The new version is available for Windows 7, Vista and XP. The automatic update mechanism should install the update, alternatively installation can be initiated manually. However, the old version may, for a short period, still be distributed by download servers.

Continued here:

Details in Vulnerabilities & Fixes: Google Chrome Multiple Vulnerabilities

CNET Forums

Forum Info