NEWS - October 08, 2010

Microsoft plans colossal Patch Tuesday next week

" 'Daunting' patch day to fix 49 flaws in IE, Windows, Office and SharePoint"

Microsoft today said it will deliver a record 16 security updates next week to patch a whopping 49 vulnerabilities in Windows, Internet Explorer (IE), Office and SharePoint.

Andrew Storms, director of security operations for nCircle Security, called the massive update "daunting, again."

Four of the 16 updates were tagged with Microsoft's "critical" label, the highest threat ranking in its four-step scoring system. Another 10 were marked "important," the second-highest rating, while the remaining pair were labeled as "moderate."

Nine of the updates could be exploited by attackers to inject malicious code into vulnerable PCs, Microsoft said in its usual bare-bones advance notification of the updates scheduled for release Oct. 12. Microsoft often labels remote code executable bugs -- the most dangerous -- as important when the vulnerable components are not switched on by default or when other mitigating factors, such as defensive measures like ASLR and DEP, may protect some users.

Next week's Patch Tuesday is a record on almost every count.

The 16 updates -- Microsoft dubs them "bulletins" -- are a record, beating the count from August 2010 by two. The 49 individual patches easily exceed the single-month record of 34, which was first set in October 2009 and repeated this past June and August.

Also : Microsoft planning record Patch Tuesday

Spam blacklist snafu prompts global gnashing of teeth

"Legit IPs blocked in SORBS cockup"

Many email users around the world have been unable to send messages because of ongoing technical problems with a popular service designed to prevent spam from reaching its intended destination.

The problems at SORBS - short for the Spam and Open Relay Blocking System - began on Wednesday and continued into much of Thursday, said Michelle Sullivan, who founded the real-time blacklisting service in 2002 and sold it to GFI Software last year. As a result, messages sent from a huge number of legitimate mail servers were labeled as junkmail and returned to sender.

The widespread outage caused migraines for sales and support staff around the world, as this ongoing Twitter feed demonstrates.

The snafu was the result of a transition from one SORBS system to another that corrupted a database containing potentially millions of IP addresses, Sullivan told The Register. SORBS admins have responded by temporarily clearing out the entire table of faulty listings under the theory that it's better to let through spam than to block real email. They are in the process of rebuilding the database and populating it to user servers around the world, a process that could take up to 24 hours.

Prior (Related) Post : Controversial email blocklist SORBS sold

Adobe Details Proposed Reader 'Sandbox' Security

If you read enough security vulnerability reports you'll notice some patterns. Often, through some sort of software bug a malicious data file takes control of the program parsing it and uses that program context to do evil things.

Obviously it would be best if no vulnerabilities existed to be exploited, but that's a lot to ask of any large program. Some systemic measures, like ASLR and DEP, attempt to prevent any vulnerabilities from being exploitable, but they often miss things.

Another approach, which Adobe announced in July, was that they would implement a sandbox architecture in Reader for Windows. All the same vulnerabilities affect Acrobat and most of them affect other operating systems, but Reader for Windows was chosen because it's the overwhelming majority of the installed base and therefore the overwhelming majority of the systems attacked. Remove the ability to attack Reader and attackers will look elsewhere.

A new blog entry from Adobe goes into more detail about their sandbox implementation.

Prior (Related) Post : Why a "Sandbox" Makes Adobe Reader More Secure

Bill Would Give Cities, Towns and Schools Same e-Banking

"Bill Would Give Cities, Towns and Schools Same e-Banking Security Guarantees as Consumers"

In response to a series of costly online banking heists perpetrated against towns, cities and school districts, Sen. Charles Schumer (D-NY) has introduced legislation that would extend those entities the same protections afforded to consumers who are victims of e-banking fraud.

Under "Regulation E" of the Electronic Funds Transfer Act (EFTA) consumers are not liable for financial losses due to fraud - including account takeovers due to lost or stolen usernames and passwords - as long as they promptly report the unauthorized activity. However, entities that experience similar fraud with a commercial or business banking account do not enjoy the same protections and often are forced to absorb the losses. Organized cyber thieves, meanwhile, have stolen more than $70 million from small to mid-sized businesses, nonprofits, towns and cities, according to the FBI.

On Sept. 29, computer crooks stole $600,000 from the coastal town of Brigantine, N.J.; seven months earlier, computer crooks stole $100,000 from Egg Harbor Township just 20 miles away. In late December 2009, an organized cyber gang took $3.8 million from the Duanesburg Central School District in Schumer's home state. In that attack, the bank managed to retrieve some of the money, but the district is still missing roughly $500,000.

Also : New Bill Seeks Fraud Reimbursement for Municipalities and Schools

Former FTC Employee Files Complaint Over Google Privacy

A former Federal Trade Commission employee has filed a complaint (pdf) with the agency accusing Google Inc. of not adequately protecting the privacy of consumers' search queries.

The complaint was filed September 6 by Christopher Soghoian, who worked until August as a technologist with the FTC's Division of Privacy and Identity Protection. It calls on the agency to investigate Google and to "compel Google to take proactive steps to protect the privacy of individual users' search terms." The complaint alleges Google shares with third parties users' search queries, including those that contain personal information.

In an emailed statement, Google said its passing of search-query data to third parties "is a standard practice across all search engines" and that "webmasters use this to see what searches bring visitors to their websites." The statement added, "Google does not pass any personal information about the source of the query to the destination website."

Also : Privacy Advocate Asks FTC to Force Google to Change Privacy Practices

At Christopher Soghoian's Blog : My FTC complaint about Google's private search query leakage

London Stock Exchange hit by glitch after Linux launch

"Turquoise big bang suffers networking issues"

The London Stock Exchange experienced a glitch today on its Turquoise service, 24 hours after the high profile relaunch of the dark pool on open source based systems.

The problem was a networking issue, the LSE told Computerworld UK, and stopped trading between 08.15 and 09.15 today.

The exchange has not given more details on the glitch, but said that Turquoise worked successfully for the rest of the day.

The problem came 24 hours after it switched from the Cinnober platform over to Linux and Unix based systems from supplier MillenniumIT, which it acquired last year. It is not known whether the new systems were the direct source of the issue.

10/10/10 internet virus rumour debunked

Rumours have spread across the internet that a computer virus will strike computers at 10:10am on 10 October 2010 (or, if you prefer, 10:10 10/10/10).

It's just the kind of scare that people love to murmur about, and share with their online friends, but I'm afraid it has no basis in fact.

As I explain in The Daily Telegraph today, focusing on particular dates is not the way to keep your computer protected against malware attack.

The truth is that there is malicious software which triggers every day of the year - so worrying about one particular date or time is actually counter-productive, as it implies that you should take less care on other dates.

The reason why the 10th October has received a little more attention is because of the cute quirk of the numbers reading 10/10/10. But even that's not a new idea. For instance, in the run-up to March 3 2003, I had to debunk rumours that the internet would stop working at 03/03/03.

The 10/10/10 rumour, just like the 03/03/03 one, is utter codswallop.

Links Between PE_LICAT and ZeuS Confirmed

Analysis of the PE_LICAT.A file infector has revealed further information on this emerging threat.

We have been able to isolate a copy of the main file infector, which we detect as PE_LICAT.A-O. (A main file infector is a file infector which triggers the process of infecting files, but is not infected itself.) It injects itself into the Explorer.exe process, which has two effects. First, it becomes memory resident. Secondly, any file executed afterwards becomes infected with malicious code and is detected as PE_LICAT.A.

We have looked into the pseudorandom domains that LICAT uses to download files from. Every time PE_LICAT.A is executed it attempts to download files from these domains, trying to do so a maximum of 800 times.

The following top-level domains are used by these created domains:

* biz
* com
* info
* org
* net

Our monitoring indicates that most of these domains have not been registered. A small number have been registered, and although some of the sites these actually lead to are currently inaccessible, some are still alive and active. As a precaution, all related sites have now been classified as malicious and blocked by Trend Micro.

Continued @ TrendLabs Malware Blog
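
A defender's way to use the detail above (a burst of lookups for mostly unregistered names under those five TLDs), as an added example and not Trend Micro's code: this Python script scans constructed DNS resolver log lines and flags any client whose NXDOMAIN answers under .biz/.com/.info/.org/.net cluster within a short window. The log format, window size and threshold are assumptions.

```python
"""Heuristic DGA-burst detector over DNS resolver logs (added example).

The LICAT write-up says the infector tries up to 800 pseudorandom domains
under .biz/.com/.info/.org/.net, most unregistered, so an infected host emits
a burst of NXDOMAIN answers. Log format and thresholds here are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TLDS = {"biz", "com", "info", "org", "net"}
WINDOW = timedelta(minutes=5)
THRESHOLD = 5   # assumed: distinct NXDOMAIN names per client per window

# Constructed sample lines: "<ISO time> <client> <qname> <rcode>"
SAMPLE_LOG = """\
2010-10-08T09:00:01 10.0.0.5 www.example.com NOERROR
2010-10-08T09:00:02 10.0.0.7 qzkpl.biz NXDOMAIN
2010-10-08T09:00:02 10.0.0.7 xrtvmw.info NXDOMAIN
2010-10-08T09:00:03 10.0.0.7 kqwerb.org NXDOMAIN
2010-10-08T09:00:03 10.0.0.7 plmtrx.net NXDOMAIN
2010-10-08T09:00:04 10.0.0.7 zzqwvb.com NXDOMAIN
2010-10-08T09:00:04 10.0.0.7 bxtrqa.biz NXDOMAIN
2010-10-08T09:00:05 10.0.0.5 typo.exmaple.com NXDOMAIN
2010-10-08T09:20:00 10.0.0.9 old.example.org NXDOMAIN
"""

def parse_line(line):
    """Split one log line into (timestamp, client, normalised qname, rcode)."""
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode

def flag_dga_bursts(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {client: peak distinct NXDOMAIN names} for clients over threshold."""
    events = defaultdict(list)  # client -> [(time, qname)]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = parse_line(line)
        # Only failed lookups under the TLDs the write-up lists count.
        if rcode != "NXDOMAIN" or qname.rsplit(".", 1)[-1] not in TLDS:
            continue
        events[client].append((ts, qname))
    flagged = {}
    for client, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):  # sliding window over sorted hits
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = len({q for _, q in hits[start:end + 1]})
            if distinct >= threshold:
                flagged[client] = max(flagged.get(client, 0), distinct)
    return flagged

if __name__ == "__main__":
    print(flag_dga_bursts(SAMPLE_LOG))  # {'10.0.0.7': 6}
```

A single typo'd lookup (10.0.0.5 above) stays below the threshold, which is the point of counting distinct names per window rather than raw NXDOMAIN volume.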

6 big names impersonated to spread malware

Google, Facebook, Twitter, Hi5, Amazon and Hallmark are 6 companies impersonated in the malware campaign this time. This is a new variant of the malware we analyzed.

Taking advantage of these companies' reputations, hackers distribute bogus emails carrying malicious code. Many people fall victim to this kind of phishing because, in fact, these established companies do regularly email their users: companies providing social networking services like Facebook, Twitter or Hi5, e-commerce companies like Amazon or Hallmark, and Google, which often sends recruitment emails to its candidates. Thus, users are easily tricked into opening such emails.

So, this is still "fertile land" for bad guys to spread viruses via spam emails. They keep changing the spam's content with a view to enticing users to open the attached file, which in fact is a virus.

Continued (with screenshots) @ the Bkis Global Task Force Blog

Facebook new groups feature rife with abuse

Facebook's newly announced groups feature may not be the boon for privacy some have predicted. Although only a small percentage of Facebook's users are upgraded to the new features it would appear people are exploring the possibilities in a rather aggressive way.

When the feature is added to your account you will see the image at right. Underneath groups in your left-hand navigation you see a new "Create Group" button. The idea behind this is that you can very quickly create a group like "Family" or "Friends from the pub" and have group chats, share pictures, etc.

The problem of course is that you can create a group with any name you want, and add any friends you want without any confirmation that they wish to be a member of said group. It would seem obvious that this is a terrible idea because when you are added to a group it will post a status update saying you joined it... And it didn't take long before someone used it on Zuck. [Screenshot]

To prove a point someone created a new group called NAMBLA. I won't describe it here, but suffice it to say it is a very offensive group which is frequently made fun of on "The Daily Show" and "South Park". Within a few hours someone had added Michael Arrington without his permission and, it appears, to show Mark the power of the new Facebook, he added Mr. Zuckerberg.

Below you can see an example of the status message from a friend who was added to another unfortunate group.... [Screenshot]

Prior (Related) Post : Facebook: Giving You More Control?

Grocery terminals slurped payment card data

"Two months undetected"

Grocery chain Aldi Inc. has warned customers in 11 states that their payment card data may have been slurped up by point-of-sale terminals that were illegally planted by identity thieves.

The tampered terminals were in use from June 1 to August 31 in an undisclosed number of stores, the company disclosed in a press release (PDF) that appeared on a Friday, a favorite day of the week for releasing bad news. As many as 1,000 Aldi shoppers in Illinois and Indianapolis have already reported fraudulent charges, according to Computerworld.

The breach is noteworthy for the breadth of the affected geography, which spanned from New York state to Georgia to as far west as Illinois. Presumably, those responsible would have had to travel to each store to physically plant the hardware used to siphon personal identification numbers, card numbers and names.

PINs are generally encrypted as they pass from the terminal to the payment processor, so they have to be captured using cameras or keyboard overlays that capture the secret code before it's encrypted.

BitDefender Offers Free Removal Tool for Stuxnet

BitDefender has just released a free removal tool that allows users infected with Win32.Worm.Stuxnet to remove it.

This tool is capable of removing all known variants of Win32.Worm.Stuxnet, as well as the rootkit drivers that are used to conceal critical components of the worm.

Win32.Worm.Stuxnet is a new breed of e-threats that emerged around mid-July. Although it infects all Windows-based systems alike, it primarily targets supervisory control and data acquisition (SCADA) systems which run the Siemens WinCC software.

The worm spreads by taking advantage of a multitude of 0-day exploits in the current versions of Windows. Moreover, it can execute itself from an infected removable medium as soon as the .lnk file on the drive has been read by the operating system.

Successful exploitation of this vulnerability results in the injection of a backdoor, as well as the installation of two rootkits that will conceal both the .lnk files and the accompanying .tmp files.

BitDefender has added generic detection covering all variants of Stuxnet as of July 19, thus protecting its customers since day zero. Computer users that are not running a BitDefender security solution can now eliminate Stuxnet from the infected systems by running the attached removal tool. The tool can be run on both 32- and 64-bit installations and will eliminate both the rootkit drivers and the worm.

Web traffic redirected to China still a mystery

Six months after Web traffic involving popular U.S. sites and e-mail from computers around the globe was re-directed to Chinese servers unnecessarily, Internet watchers are trying to figure out why it happened and how to prevent future mishaps.

In at least two instances since mid-March, large amounts of traffic on the Internet have been routed to China in circumstances still shrouded in mystery, Rodney Joffe, senior technologist at DNS (Domain Name System) registry Neustar, told CNET in an interview this week.

The first situation happened on March 24, when workers at network operation centers in various parts of the world noticed that traffic to popular sites like Facebook, Twitter, YouTube, and about 20 or 30 others was being redirected to servers in China as a result of traffic interception via one of the main DNS root servers. This had the result of giving Web surfers in western countries a glimpse of what Chinese Internet users see when they try to access sites that are blocked - error messages indicating that the sites don't exist or censored Chinese-language versions of the sites. It's unknown how long the situation lasted, according to Joffe.

Gamers are 'fair game' for infected websites

* Monthly "Most Wanted" list points to gaming websites as consumers now spend more time playing games online than checking their email.

* Because gaming is popular, it is a more attractive target for cybercriminals.

* Gamers are particularly vulnerable due to unsafe behavior such as turning off their antivirus protection for greater computer performance.

* AVAST experts say gamers need an antivirus program with a low impact on computer resources and a silent mode for uninterrupted, safe gaming.

Continued with a sampling of this month's most infected gaming-related websites: