NEWS - August 21, 2012

Aug 21, 2012 12:09AM PDT
McAfee Antivirus Update Causes Problems for Home and Enterprise Customers

A buggy update released Friday by security vendor McAfee for its consumer and enterprise antivirus products left the computers of its customers unprotected and, in some cases, unable to access the Internet.

The incident affected both home and business users, some of whom were still trying to sort out the problems caused by the updates on Monday and Tuesday, according to messages posted on McAfee's community forums and Facebook page.

The problems were introduced by McAfee updates DAT 6807, released on Friday, and the subsequent DAT 6808, depending on which product was used.

After installing these updates some home users started encountering errors when accessing the McAfee Security Center console, which prevented them from performing any action inside the program. Other users experienced a loss of Internet connection on their computers.

McAfee confirmed these problems on Sunday in a technical document that described two possible solutions, both requiring users to update to a newly released DAT 6809 file.

Continued : http://www.pcworld.com/businesscenter/article/261165/mcafee_antivirus_update_causes_problems_for_home_and_enterprise_customers.html

Also: McAfee Update Causes Errors and Internet Connectivity Loss

Apple Remote Desktop update fixes VNC security problem
Aug 21, 2012 12:56AM PDT

Apple has released version 3.6.1 of its Apple Remote Desktop (ARD) application for remotely managing Mac OS X systems to fix an information disclosure vulnerability. According to Apple, the security update addresses a serious problem when connecting to third-party VNC servers that may result in data not being encrypted when the "Encrypt all network data" setting is enabled. Additionally, when this happens no warning is produced to alert users that their connection may be insecure.

Apple Remote Desktop 3.6.1 addresses this problem by creating an SSH tunnel for the VNC connection when "Encrypt all network data" is set. If this is not possible, ARD will prevent the connection. Versions 3.5.2 up to and including 3.6.0 are affected; ARD 3.5.1 and earlier are not vulnerable. Non-security related changes include better support for systems with more than one display, faster launch speed when long computer lists are present and fixes that improve ARD's overall stability.

Apple Remote Desktop 3.6.1 requires Mac OS X 10.7 Lion or later, and is available to download from the company's Support web site. Alternatively, existing users can install the update using the built-in Software Update mechanisms.

Continued : http://www.h-online.com/security/news/item/Apple-Remote-Desktop-update-fixes-VNC-security-problem-1671129.html

See Vulnerabilities / Fixes: Apple Remote Desktop Information Disclosure Security Issue

R00tbeer Hackers Hit Philips
Aug 21, 2012 12:56AM PDT

"This time, it's the Dutch electronics giant that pays for bad security practices"

Following their AMD blog hack on Sunday, the r00tbeer hacker group has hit a new target - Dutch electronics manufacturer Philips.

The group has stolen and posted online several Philips.com databases containing almost 200,000 email addresses, accompanied by a mix of customer records including names, postal addresses, birthdays, phone numbers and passwords - some of them stored in plain text.

At the time of publication, Philips had not responded to a request for comment.

Out of salt

R00tbeer seems to be a new player on the scene. The group opened a Twitter account on 18 August and had assembled 396 followers at the time of this story being published. Their first target was the user database of thebotnet.com forums, a community with over 96,000 members. After posting the database online on Sunday, r00tbeer promised their next target would be "a large company."

Continued : http://www.techweekeurope.co.uk/news/r00tbeer-hackers-hit-philips-89929

Also:
Philips hacked, plaintext passwords revealed as R00tbeer gang strikes again
r00tbeer strikes again - twice

Microsoft's security software modifies HOSTS file
Aug 21, 2012 12:56AM PDT

Windows 8, set for release on 26 October, automatically deletes entries in the HOSTS file for specific domains. Try, for example, to prevent attempts to access Facebook.com, Twitter.com or ad servers such as ad.doubleclick.net by rerouting them to 127.0.0.1 by adding entries to the HOSTS file and the relevant entries will soon disappear from the HOSTS file as if by magic, leaving nothing but an empty line. The effect does not occur for other domains, such as The H's sister site heise.de, however.

The agent behind this phenomenon turns out to be the Windows Defender security program, which is preinstalled and enabled by default on new installations of Windows. The cause quickly becomes clear on inspecting Defender's history, accessed from the start menu by entering "Defender" and clicking on the history tab. Defender is convinced it's uncovered a potentially malicious modification of the HOSTS file and thus records 'SettingsModifier:Win32/PossibleHostsFileHijack'. Microsoft Security Essentials (MSE) in older versions of Windows also takes care to reset entries for these domains. This is not particularly surprising, since Windows Defender in Windows 8 is essentially just a rebranded version of MSE.

Continued : http://www.h-online.com/security/news/item/Microsoft-s-security-software-modifies-HOSTS-file-1670927.html
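The mechanism Defender is reacting to is the same one ad-blockers and pharming malware both use: a HOSTS entry overrides DNS for a name. What separates the two is where the name is sent. As an added example (not the article's code and not Defender's detection logic), the script below parses a HOSTS file and reports watched names mapped to a loopback or unspecified address separately from watched names mapped to a real remote address. The watch-list and the sample file are constructed, since the page does not give the domain list Defender checks.

```python
"""Triage a HOSTS file for entries that look like hijacks.

Added example; not the article's code and not Windows Defender's logic.
The domain list Defender checks is not given on the page, so WATCHED is a
constructed stand-in, and SAMPLE_HOSTS is a constructed file body.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed watch-list: names whose redirection deserves a look. A real list
# would hold the organisation's own brands, banks, update servers and AV vendors.
WATCHED = {"facebook.com", "twitter.com", "ad.doubleclick.net", "example-bank.com"}

# Addresses that merely black-hole a name (the ad-blocking pattern).
LOCAL_SINKS = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}


@dataclass
class HostsEntry:
    line_no: int
    address: ipaddress.IPv4Address | ipaddress.IPv6Address
    hostnames: list[str]


def parse_hosts(text: str) -> list[HostsEntry]:
    """Parse '<ip> <host> [host ...] [# comment]' lines. Blank lines, comments and
    lines whose first field is not an address are skipped (Windows ignores them too)."""
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append(HostsEntry(n, addr, [h.lower() for h in fields[1:]]))
    return entries


def is_watched(host: str) -> bool:
    """True if host or any parent domain is on the watch-list (www.facebook.com -> facebook.com)."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in WATCHED for i in range(len(labels) - 1))


def classify(entry: HostsEntry) -> str | None:
    """'sinkhole': watched name sent to loopback/unspecified, the entries the article
    shows Defender resetting. 'redirect': watched name sent anywhere else, the pharming
    pattern that actually steals credentials. None: no watched name on the line."""
    if not any(is_watched(h) for h in entry.hostnames):
        return None
    return "sinkhole" if entry.address in LOCAL_SINKS else "redirect"


def find_hijacks(text: str) -> list[tuple[int, str, str, list[str]]]:
    """(line number, kind, address, hostnames) for every watched-name entry."""
    return [(e.line_no, kind, e.address.compressed, e.hostnames)
            for e in parse_hosts(text) if (kind := classify(e))]


# Constructed sample: two ad/social sinkholes and one outright redirect.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       ad.doubleclick.net        # user's ad blocking
0.0.0.0         www.facebook.com facebook.com
198.51.100.23   example-bank.com          # not a sinkhole: pharming
203.0.113.7     heise.de                  # not watched, not reported
"""

if __name__ == "__main__":
    for line_no, kind, addr, names in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {kind:8} {addr} -> {', '.join(names)}")
```

On the sample the two loopback entries come back as "sinkhole" and the bank entry as "redirect"; a signature that resets every watched name, as the article describes, treats both cases alike, while the second kind is the one an analyst needs to chase.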

Crisis for Windows Sneaks onto Virtual Machines
Aug 21, 2012 2:11AM PDT

The Symantec Security Response Blog:

Symantec reported new malware for Mac last month that we called OSX.Crisis. Kaspersky then reported that it arrives on the compromised computer through a JAR file by using social engineering techniques.

The JAR file contains two executable files for both Mac and Windows. It checks the compromised computer's OS and drops the suitable executable file. Both these executable files open a back door on the compromised computer. However, we found two special functions in the Windows version of the threat that Symantec detects as W32.Crisis.

The threat uses three methods to spread itself: one is to copy itself and an autorun.inf file to a removable disk drive, another is to sneak onto a VMware virtual machine, and the final method is to drop modules onto a Windows Mobile device.

[Screenshot: How the Threat Spreads]

The threat searches for a VMware virtual machine image on the compromised computer and, if it finds an image, it mounts the image and then copies itself onto the image by using a VMware Player tool.

Continued : http://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines

INF/Autorun malware is most prevalent malware in July
Aug 21, 2012 2:11AM PDT

ESET has published its statistics on malware in July. The figures are compiled from live data retrieved by ESET systems around the world, and provide an accurate reflection on what malware currently resides on people's computers.

The headline figures are surprising. Worldwide, INF/Autorun malware and Conficker take first and third position respectively. "Somehow INF/Autorun is still top of the pops, in spite of Microsoft's neutering of the Autorun vector," ESET senior research fellow David Harley told Infosecurity. "And even though the Conficker botnet is essentially dormant, there are enough residual infections for our telemetry to keep picking up their presence."

While the eye might be drawn to the headlines, ESET's researchers tend to look lower down. "The most interesting statistics aren't necessarily the big numbers (unless there's a sudden explosion of something)," said Harley. "Because the infected population is so large and our detections are usually very generic, they tend to change fairly slowly. Often the interesting stories are related to comparatively low and often localized infected populations." He singled out "Dorifel/Quervar in the Netherlands", indicating that a new analysis may be published by ESET later today, and "Stuxnet and its siblings in Iran and the Middle East."

Continued : http://www.infosecurity-magazine.com/view/27703/infautorun-malware-is-most-prevalent-malware-in-july-/
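Both the Crisis post above (the worm copies itself plus an autorun.inf to removable drives) and this ESET post (INF/Autorun still tops the detection table) come down to one small file on a USB stick. As an added example, not code from Symantec or ESET, the triage script below parses an autorun.inf the way Windows does (case-insensitive, tolerant of junk lines), lists every directive that would launch something, and separates a legitimate CD installer from the INF/Autorun layout. Both sample files are constructed, SID-like folder name included. Since Microsoft's change to AutoRun that Harley refers to, Windows no longer honours autorun.inf on non-optical removable media, so on a patched host the file is an infection artifact rather than a live vector; the script is for triage of what the stick carries, not a claim that it will run.

```python
"""Triage an autorun.inf pulled from removable media.

Added example; not code from Symantec or ESET. Directive names (open,
shellexecute, shell\\<verb>\\command, icon, label, action) are the standard
AutoRun keys; both sample files are constructed, the SID-like folder name included.
"""
from __future__ import annotations

# Directives that launch something when AutoRun/AutoPlay honours the file.
LAUNCH_KEYS = ("open", "shellexecute")
# Substrings that rarely appear in a legitimate installer's launch target.
SUSPICIOUS_MARKERS = ("recycler", "system volume information", "cmd ", "cmd.exe",
                      "wscript", "cscript", "rundll32", "%temp%")


def parse_ini(text: str) -> dict[str, list[tuple[str, str]]]:
    """Lenient INI parser in the spirit of Windows' own: case-insensitive section and
    key names, duplicates kept in order, lines without '=' ignored (droppers pad the
    file with junk lines that a strict parser would reject)."""
    sections: dict[str, list[tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def is_launch_directive(key: str) -> bool:
    # shell\open\command, shell\explore\command, ... override the Explorer verbs, so a
    # double-click on the drive icon runs the target even when 'open' is absent.
    return key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))


def looks_suspicious(target: str) -> bool:
    t = target.lower()
    if any(m in t for m in SUSPICIOUS_MARKERS):
        return True
    # double extension such as photo.jpg.exe
    stem = t.split("\\")[-1].split(" ")[0]
    return stem.count(".") >= 2 and stem.endswith((".exe", ".scr", ".com", ".pif"))


def triage_autorun(text: str) -> dict:
    """Findings for one autorun.inf body. 'review' means it launches something, as a
    legitimate CD installer does; 'malicious' means a target looks like INF/Autorun."""
    launches = [(k, v) for k, v in parse_ini(text).get("autorun", []) if is_launch_directive(k)]
    suspicious = sorted({v for _, v in launches if looks_suspicious(v)})
    verdict = "malicious" if suspicious else ("review" if launches else "benign")
    return {"launches": launches, "suspicious": suspicious, "verdict": verdict}


# Constructed: what a vendor's install CD carries.
INSTALLER_CD = r"""[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""

# Constructed: the layout INF/Autorun droppers leave on a stick (hidden RECYCLER folder,
# every Explorer verb pointed at the payload, a decoy 'action' text, junk padding).
INFECTED_STICK = r"""[AutoRun]
;constructed sample, not a real dropper
open=RECYCLER\S-1-5-21-0000000000-0000000000-0000000000-1000\update.exe
icon=%SystemRoot%\system32\SHELL32.dll,4
shell\open=Open
shell\open\Command=RECYCLER\S-1-5-21-0000000000-0000000000-0000000000-1000\update.exe
shell\explore\command=RECYCLER\S-1-5-21-0000000000-0000000000-0000000000-1000\update.exe
action=Open folder to view files
jgqzxpadding
"""

if __name__ == "__main__":
    for name, body in (("installer CD", INSTALLER_CD), ("infected stick", INFECTED_STICK)):
        print(name, triage_autorun(body))
```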

Microsoft Warns Users About ChapCrack Tool Availability
Aug 21, 2012 2:12AM PDT

Microsoft is warning customers about the availability of the ChapCrack tool that Moxie Marlinspike built to crack the VPN credentials for systems built on MS-CHAPv2 protocol. The company said that while it's not aware of any active attacks using the tool, customers can protect themselves by implementing PEAP or changing to a more secure VPN tunnel.

Marlinspike unveiled the ChapCrack tool at DEF CON last month, and it's designed to take packet captures from sessions using the MS-CHAPv2 protocol and strip out the user's credentials from the cryptographic handshake in the session. In order to decrypt the user's credentials, Marlinspike submits the packet to CloudCracker, which sends back a packet that he can put back into ChapCrack, which then will crack the password.

In its advisory, Microsoft says that while the ChapCrack tool doesn't take advantage of a security vulnerability per se, it still represents a risk to users.

"An attacker who successfully exploited these cryptographic weaknesses could obtain user credentials. Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource," the company said in its advisory on ChapCrack.

Continued : https://threatpost.com/en_us/blogs/microsoft-warns-users-about-chapcrack-tool-availability-082012

Also: Microsoft Publishes Security Advisory to Address MS-CHAPv2 Exploit
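Microsoft's point that ChapCrack exploits "cryptographic weaknesses" rather than a bug is worth seeing concretely. In MS-CHAPv2 the client's 24-byte response is three single-DES encryptions of one 8-byte challenge, keyed by the 16-byte NT password hash zero-padded to 21 bytes and cut into three 7-byte keys. The third key is two hash bytes plus five zeros, so it falls to 65,536 trials; the first two keys are full 56-bit keys but both encrypt the same block, so one exhaustive DES pass tests both at once. That one 2^56 pass is what ChapCrack ships to CloudCracker, and the output is the NT hash itself, which is why the advisory talks about credentials being re-used rather than a password being guessed. The following is an added example, not ChapCrack and not Microsoft's code: the challenge hashing, padding and key splitting follow RFC 2759, but DES is replaced by an HMAC-SHA256 stand-in so it runs on the standard library, and the NT hash (the published hash of the string "password") and challenges are constructed inputs.

```python
"""Why an MS-CHAPv2 handshake capture yields the NT hash cheaply.

Added example; not Marlinspike's ChapCrack and not Microsoft's code. The NT hash
and challenges below are constructed inputs. DES is replaced by an HMAC-SHA256
stand-in so the example runs on the standard library; the key splitting, padding
and challenge hashing follow RFC 2759.
"""
from __future__ import annotations

import hashlib
import hmac
import itertools


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: bytes) -> bytes:
    """RFC 2759 ChallengeHash(): SHA1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8]."""
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]


def split_keys(nt_hash: bytes) -> tuple[bytes, bytes, bytes]:
    """RFC 2759 ChallengeResponse(): the 16-byte NT hash is zero-padded to 21 bytes and
    cut into three 7-byte DES keys. Key 3 is hash[14:16] plus five zero bytes, so it has
    only 2**16 possible values; keys 1 and 2 are full 56-bit keys."""
    if len(nt_hash) != 16:
        raise ValueError("NT hash must be 16 bytes")
    padded = nt_hash + b"\x00" * 5
    return padded[0:7], padded[7:14], padded[14:21]


def block_encrypt(key7: bytes, block: bytes) -> bytes:
    """STAND-IN (assumption for runnability) for DES(parity-expanded key7, block).
    The real protocol uses single DES here; any keyed 8-byte-output function shows
    the same key-space structure."""
    return hmac.new(key7, block, hashlib.sha256).digest()[:8]


def nt_response(nt_hash: bytes, challenge: bytes) -> bytes:
    """The 24-byte NT-Response the client sends."""
    return b"".join(block_encrypt(k, challenge) for k in split_keys(nt_hash))


def recover_hash_tail(challenge: bytes, response: bytes) -> bytes | None:
    """Attacker step 1: brute-force key 3 from the last 8 response bytes (65,536 trials)."""
    target = response[16:24]
    for hi, lo in itertools.product(range(256), repeat=2):
        tail = bytes((hi, lo))
        if block_encrypt(tail + b"\x00" * 5, challenge) == target:
            return tail
    return None


def recover_nt_hash(challenge: bytes, response: bytes, candidates: list[bytes]) -> bytes | None:
    """Attacker step 2, dictionary form: the two recovered bytes discard most candidate
    hashes for free; survivors are confirmed against the full response. With real DES
    the remaining 14 bytes fall to ONE 2**56 search, because keys 1 and 2 encrypt the
    same plaintext block: each trial key is compared with response[0:8] and response[8:16]
    at once. That single search is the job ChapCrack hands to CloudCracker."""
    tail = recover_hash_tail(challenge, response)
    if tail is None:
        return None
    for h in candidates:
        if h[14:16] == tail and nt_response(h, challenge) == response:
            return h
    return None


# Constructed inputs. NT_HASH is the widely published NT hash of the string "password".
NT_HASH = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
PEER_CHALLENGE = bytes(range(16))
AUTH_CHALLENGE = bytes(range(16, 32))
USERNAME = b"alice"
CANDIDATES = [
    NT_HASH[:14] + b"\xff\xff",       # wrong tail: discarded with no further work
    bytes(14) + NT_HASH[14:16],       # right tail, wrong body: fails the full check
    NT_HASH,
]

if __name__ == "__main__":
    chal = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, USERNAME)
    resp = nt_response(NT_HASH, chal)
    print("recovered hash tail:", recover_hash_tail(chal, resp).hex())
    print("recovered NT hash:  ", recover_nt_hash(chal, resp, CANDIDATES).hex())
```

Nothing here relies on a protocol flaw in the bug sense: the response is computed exactly as specified, and the attacker only needs a passive capture of the handshake. That is also why Microsoft's advice is structural, wrapping MS-CHAPv2 in PEAP so the exchange is inside a TLS tunnel, or moving to a different VPN tunnel type, rather than a patch.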

Nude wallpaper apps infect 1000's of Androids with malware
Aug 21, 2012 10:34AM PDT

Thousands of Android devices are thought to have been infected by a strain of Chinese malware which sends costly SMS messages to earn cash for its creators.

Some reports have claimed that over 500,000 Android devices are infected with the malware, which is detected by Sophos's free Android anti-virus as Andr/SMSZomb-A.

Users are tricked into believing that they are installing GIF wallpaper onto their Android device, and a provocative message is shown suggesting that a secondary app is installed that would allow permanent use of the images. [Screenshot]

Clearly, this threat is only likely to be successful amongst Chinese-speaking Android users. But, of course, there are plenty of them!

If you have configured your Android device to only allow installation of apps from a legitimate Android Marketplace then a warning will be displayed - giving you the opportunity to still avoid infection. [Screenshot: http://sophosnews.files.wordpress.com/2012/08/sms-zombie-2.jpg]

However, if you are comfortable installing apps from unknown sources, and ignore the warning messages, the Trojan horse will request certain permissions: to read and write SMS and MMS messages, internet access, read the phone's state and identity, read system logs, restart other applications, retrieve a list of running applications, etc.

Continued : http://nakedsecurity.sophos.com/2012/08/21/nude-wallpaper-apps-infect-thousands-of-android-devices-with-malware/

Related: Resilient 'SMSZombie' Infects 500,000 Android Users in China
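The permission list in that post is the tell: a wallpaper app has no reason to send or receive SMS, read the phone's identity, read system logs or restart other applications. As an added example (not Sophos's Andr/SMSZomb-A signature), the script below reads an AndroidManifest.xml, maps the declared permissions onto those behaviours, and additionally checks for a broadcast receiver registered for incoming SMS with a very high filter priority, the standard way SMS trojans see and suppress carrier confirmations before the messaging app does. Permission and action names are the standard android.permission.* and android.provider.Telephony constants; both manifests are constructed.

```python
"""Flag AndroidManifest.xml permission sets typical of SMS-fraud trojans.

Added example; not Sophos's Andr/SMSZomb-A signature. Permission names are the
standard android.permission.* constants; both manifests below are constructed.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PRIORITY = f"{{{ANDROID_NS}}}priority"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Groups map to what the post says the trojan asks for; a wallpaper app needs none of them.
INDICATORS = {
    "sms": {"SEND_SMS", "RECEIVE_SMS", "READ_SMS", "WRITE_SMS"},   # send premium SMS, read/delete replies
    "identity": {"READ_PHONE_STATE"},                              # IMEI/IMSI/number for the operator
    "other_apps": {"READ_LOGS", "RESTART_PACKAGES", "GET_TASKS"},  # watch and kill competing apps
}


def permissions(root: ET.Element) -> set[str]:
    """Short permission names (android.permission.SEND_SMS -> SEND_SMS)."""
    return {p.get(A_NAME, "").rsplit(".", 1)[-1] for p in root.iter("uses-permission")}


def sms_receivers(root: ET.Element) -> list[tuple[str, int]]:
    """Receivers registered for SMS_RECEIVED with their filter priority. A very high
    priority lets the app see (and abort) an incoming SMS before the stock messaging
    app does, which is how premium-service confirmations are hidden from the victim."""
    found = []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            actions = {a.get(A_NAME) for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                found.append((receiver.get(A_NAME, "?"), int(flt.get(A_PRIORITY, "0"))))
    return found


def triage_manifest(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    perms = permissions(root)
    hits = {label: sorted(perms & group) for label, group in INDICATORS.items() if perms & group}
    interceptors = [(n, p) for n, p in sms_receivers(root) if p >= 1000]
    if "SEND_SMS" in perms and (len(hits) > 1 or interceptors):
        verdict = "suspect"      # can bill the victim and hide or profile while doing it
    elif hits or interceptors:
        verdict = "review"       # one odd capability; could be a legitimate messaging app
    else:
        verdict = "clean"
    return {"package": root.get("package"), "permissions": sorted(perms),
            "hits": hits, "sms_interceptors": interceptors, "verdict": verdict}


# Constructed: what a wallpaper app actually needs.
WALLPAPER_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.wallpaper">
  <uses-permission android:name="android.permission.SET_WALLPAPER"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>
"""

# Constructed: the permission set described in the post plus a top-priority SMS receiver.
TROJAN_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.gifwallpaper">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_LOGS"/>
  <uses-permission android:name="android.permission.RESTART_PACKAGES"/>
  <uses-permission android:name="android.permission.GET_TASKS"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for m in (WALLPAPER_MANIFEST, TROJAN_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], r["verdict"], r["hits"], r["sms_interceptors"])
```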

Adobe Patches Critical Vulnerabilities In Flash Player
Aug 21, 2012 10:34AM PDT

Adobe on Tuesday released updates that address multiple security vulnerabilities across various versions of Adobe Flash Player running on Windows, Macintosh, Linux, and Android.

The security updates address critical vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system, though Adobe said it is not aware of any exploits in the wild for any of the issues being patched as part of today's release.

Just over a week ago, Adobe issued a set of patches to address more than 20 security issues in Adobe Reader, Shockwave and Flash.

"Adobe just patched Flash on August 14th with APSB12-18 and releasing back to back updates does not bode well," said Andrew Storms, nCircle's director of security operations. "You have to ask yourself why these bug fixes were not included in last week's release. The real head scratcher is timing, what is going on with the planning and release management program at Adobe to warrant this?"

"My interpretation is that last week's release was an out-of-band emergency fix to address a specific vulnerability that was being abused in the wild and that could not be integrated with this bigger release," opined Wolfgang Kandek, CTO of Qualys. "Last week's release effectively pushed out the date for this bigger release, probably due to scheduling and resource conflicts."

Continued : http://www.securityweek.com/adobe-patches-critical-vulnerabilities-flash-player

Also:
Adobe Releases Critical Flash, AIR Update
New Adobe Flash Player Update Fixes 6 Flaws

McAfee response
Aug 22, 2012 11:45AM PDT

On Friday, McAfee issued an update that resulted in disruption of Internet service and McAfee product functionality errors for some customers. We deeply regret any impact this may have had and offer our sincere apologies for any inconvenience and concern that this may have caused you.

Our first priority was and continues to be helping our customers get their PCs running reliably, confidently, and securely. We are continuing to work diligently to help customers get up and running.

Consumers experiencing Internet connectivity issues should reboot their computers in safe mode (in most cases as the computer is booting press and hold the "F8 Key"). Once in safe mode, the consumer should have Internet connectivity. In the browser, they should type http://mvt.mcafee.com, to run the McAfee Virtual Technician. Once the MVT has been run, the consumer may reboot in regular mode and the issue should be resolved.

Alternately, the issue can be resolved by uninstalling the current McAfee software, re-booting the computer, and re-installing the updated McAfee software via the instructions outlined in the Knowledge Base Article published by McAfee Technical Support at http://service.mcafee.com/FAQDocument.aspx?lc=1033&id=TS101446.

Impacted ISP customers may need to log-in to the ISP portal to access and reinstall the current McAfee software.

For users experiencing an error message when they open McAfee console, McAfee recommends running the MVT utility available for download at: mvt.mcafee.com. This tool will automatically update the user and address the error messages they see in McAfee console.

Once this process has been completed, the issues including Internet access should be restored. Please note that this knowledge base article will continue to be updated on an ongoing basis.

Again, we offer our sincere apologies and know that we are working to help our customers.