Multiple Organizations Targeted by Zero-Day Exploit
Posted by Eric Chien
We have received some additional Word documents that exploit an unpatched Microsoft Word vulnerability. These documents are detected as Trojan.Mdropper.X. We believe this is a new vulnerability, making it the fifth currently unpatched Office file format vulnerability. While these documents are being used in a targeted attack consistent with previous cases, we have received different documents that use this same exploit from multiple organizations. Each document has been designed specifically for the targeted organization in both language and content.
The vulnerability could be a slight variation or may be covered by the existing CVEs and we are awaiting confirmation from Microsoft Security Response Center. Nevertheless, no patches appear to be available, so, as always, be careful opening unsolicited Word documents.
Virus emails soar by a factor of 20
Experts warn of 'explosive growth' in cyber-fraud, theft, spam and viruses
Robert Jaques, vnunet.com 31 Jan 2007
Hackers and spammers have "raised their onslaught" with two global email-borne virus attacks launched in December and January.
The attacks were so large that they drove the level of viruses up by a factor of 20 compared with usual activity, according to data from security firm Postini.
The January attack became known as the Storm worm because the original email subject line was '230 dead as storm batters Europe'. At the time of the email, there was a heavy storm occurring in Europe.
Phishing and spam continue to rise
Messaging firms warn of continued rise in phishing and spam mails
Phil Muncaster, IT Week, 31 Jan 2007
MessageLabs has warned that the spam and phishing epidemics could spread, as its latest monthly intelligence report found levels of unsolicited mail continued to rise while viruses dropped in volume.
Chief security analyst at the firm Mark Sunner explained that spam levels have been driven by the activity of more robust botnets that are capable, thanks to Trojans such as SpamThru, of sending out a larger volume of spam.
"Few people realise that spam traffic levels are not linear, they're very spiky, so these botnets are not being used to capacity; all the evidence we have would indicate that we're looking at the thin end of the wedge in terms of volumes," he said.
Vivio Lure Spreading Crimeware
Last Updated: 2007-01-31 15:57:36 UTC
by Deborah Hale (Version: 1)
Websense Security Labs reports that they have discovered another information-stealing malicious code attack that appears to be a coordinated effort of the Russian and Brazilian bad boys. The malware spreads via email: the recipient clicks on a link included in the message, and the linked page attempts to infect the PC by downloading and running a program called stylecss.exe. (If your computer is properly patched the program will not run.) Once the PC is infected, the program is designed to steal banking credentials entered on banking websites.
For more information see the write-up at:
New? Microsoft Word vulnerability used as vector in targeted
Last Updated: 2007-01-31 09:45:21 UTC
by Swa Frantzen (Version: 1)
Symantec is reporting on what might possibly be yet another unpatched vulnerability being exploited by the bad guys out there. It seems to be used in targeted attacks. We're seeking samples, confirmation, CVE name etc. at this point.
Even though it appears there might be little gain in once again trying to convince people not to email office documents, not to open them, etc. some renewed attention might be required.
If five unpatched vulnerabilities is the risk level you need before being allowed to act and start to filter, you might have your "go" at this point. The oldest of the 5 vulnerabilities has been publicly known since December 5th, 2006.
Microsoft Tailors Vista to Meet EU Requirements
Company says new OS was changed after discussion with the European Commission; more revisions to be released in the first service pack.
Paul Meller, IDG News Service
As Windows Vista appeared in computer stores worldwide, Microsoft said today that part of the design of the new operating system is the work of the European Commission.
"Following discussions with the European Commission, Microsoft committed to make a number of changes to the Windows Vista operating system prior to release," the software maker said in a statement, pointing to three functions of the operating system: security, search, and fixed document formats.
Is there a fifth zero-day vulnerability in Microsoft Word?
Eric Chien reported late Tuesday on the Symantec Security Response weblog that the anti-virus firm has received new Word documents containing a zero-day exploit being used in targeted attacks against several organizations.
However, the Cupertino, Calif. firm was trying to determine whether the vulnerability was simply a variation of one of four recently disclosed unpatched Office flaws, three of which were reported in December. Indeed it was, according to a Microsoft spokesman.
"Microsoft's initial investigation shows that this is not a new vulnerability but a duplicate of an already known public issue," the spokesman said, referring to CVE-2006-6456, reported Dec. 10.
A fourth Word bug came to light last week and is being used in limited attacks, according to Microsoft.
Vista pranks possible via voice commands
"PC, root thyself."
It may not be that easy, but users of Windows Vista may have to watch out for malicious audio files.
Prompted by a posting on a security mailing list, security experts investigated and confirmed that a computer running Microsoft's latest operating system, Windows Vista, could have system commands activated by audio files played from a Web site. While Microsoft's implementation of least-privilege settings for users means that most harmful commands would have to somehow bypass Vista's User Account Control, basic commands could still delete documents on a user's PC without requiring a password, according to ZDNet information-technology blogger George Ou.
Solaris 10 ICMP induced panic
Last Updated: 2007-01-31 22:52:57 UTC
by Swa Frantzen (Version: 1)
For those of you who remember the Ping of Death issues, there's a recent twist to the story.
Sun has released patches for Solaris 10. They fix an issue where a single ICMP packet could panic a host. Sun has not made available details of the ICMP packets required to trigger it.
Blocking .exe attachments
Last Updated: 2007-01-31 20:38:08 UTC
by Johannes Ullrich (Version: 1)
"Storm Worm" and a recent rash of simple .exe attachments showed how easy it still is to trick users into clicking on executables that arrive via e-mail. On the other hand: why do users still receive attachments which they are not supposed to click on? In this diary, we are trying to summarize some simple recipes to block attachments with given extensions for different mail transport agents (MTAs). Feel free to submit your own. We will keep adding to and amending the list. The starting point is a quick Google search and consulting with our handlers. Also, we should mention that for some of us, this sort of default allow stance (allow anything not explicitly denied) grates a little. We'd prefer to explicitly whitelist those attachments that must be allowed for business purposes and deny everything else, but for the rest of this story, we'll assume the default allow stance most of us have inherited.
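As an added illustration of the two stances the diary contrasts (it is not one of the diary's MTA recipes), the following Python checks each attachment filename in a message against either a deny list (default allow) or an allow list (default deny). The extension sets, the helper names and the sample message are constructed for this example; only the trailing extension decides, so a double extension such as "Full Story.pdf.EXE" is judged by "exe".

```python
import email
from email.mime.application import MIMEApplication
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# Constructed lists; a site would tune both to its own policy.
DENY_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}   # default-allow stance
ALLOW_EXT = {"pdf", "txt", "csv"}                                    # default-deny stance


def extensions(filename):
    """All dotted suffixes, lowercased: 'Full Story.pdf.EXE' -> ['pdf', 'exe'].
    The last element is the one the OS actually honours."""
    parts = filename.strip().lower().split(".")
    return [p for p in parts[1:] if p]


def attachment_names(raw):
    """Filenames of every MIME part that declares one (Content-Disposition / name=)."""
    msg = email.message_from_string(raw)
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def verdict(raw, default_allow=True):
    """('reject', filename) for the first offending attachment, else ('accept', None)."""
    for name in attachment_names(raw):
        exts = extensions(name)
        if not exts:                       # no extension at all
            if not default_allow:          # whitelist stance: unknown type is rejected
                return ("reject", name)
            continue
        last = exts[-1]
        if default_allow and last in DENY_EXT:
            return ("reject", name)
        if not default_allow and last not in ALLOW_EXT:
            return ("reject", name)
    return ("accept", None)


def build_mail(filename):
    """Constructed sample message carrying one body part and one attachment."""
    msg = MIMEMultipart()
    msg["Subject"] = "230 dead as storm batters Europe"   # subject line from the diary
    msg.attach(MIMEText("See the attached file."))
    att = MIMEApplication(b"\x00" * 8)                    # dummy payload, not an executable
    att.add_header("Content-Disposition", "attachment", filename=filename)
    msg.attach(att)
    return msg.as_string()


if __name__ == "__main__":
    print(verdict(build_mail("Full Story.pdf.EXE")))
    print(verdict(build_mail("report.docx"), default_allow=False))
```

Under the inherited default-allow stance the .EXE is caught only because "exe" is on the deny list; under the whitelist stance anything outside ALLOW_EXT, including a .docx, is rejected without the list needing to anticipate it.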
Watch the Exploit: A Targeted Attack Video
We've been getting a lot of requests from people asking what it looks like when your computer is compromised by one of these very limited targeted attacks that involves any of the recent MS Word zero-day vulnerabilities. A targeted attack begins with an incoming email that has a .DOC file attached; a very common event that happens to almost everyone every day. The email sender looks legitimate (it's spoofed of course!) and the document name is selected to appeal to the recipient. For example, if the targeted user is an accountant, then the document would look like a tax certificate or an invoice. For members of governments, it could appear to be an important communication from a Minister. For finance brokers, a stocks analysis and so on...
In Praise of Phish Fighters
By Brian Krebs | January 31, 2007
"It isn't often that the public is afforded a peek into federal law enforcement efforts to combat "phishing" scams, fraudulent e-mail lures for Web sites created to assume the look of trusted online brands and steal personal information. But February marks the 5th anniversary of CastleCops.com -- an all-volunteer led forum that has morphed from a place where people can diagnose security problems with their PCs into one of the most active phish fighting forums -- and the group is releasing some interesting data to highlight its accomplishments..."