Archive: ‘Malware’ Category

The Microsoft Security Response Center (MSRC): Investigating a new win32hlp and Internet Explorer issue

March 1st, 2010


http://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx

Hi everyone,
On Friday 2/26/2010, an issue was posted publicly that could allow an attacker to host a maliciously crafted web page and run arbitrary code if they could convince a user to visit the web page and then get them to press the F1 key in response to a pop-up dialog box. We are not aware of any attacks seeking to exploit this issue at this time and in the current state of our investigation, we have determined that users running Windows 7, Windows Server 2008 R2, Windows Server 2008, and Windows Vista are not affected by this issue.


Security Advisory 979682 Released

January 21st, 2010


Today we released Security Advisory 979682 to address an Elevation of Privilege (EoP) vulnerability in the Windows kernel, affecting all currently supported versions of 32-bit Windows. 64-bit versions of Windows, including Windows Server 2008 R2, are not affected. The advisory provides customers with actionable guidance to help with protections against exploit of this vulnerability.

To exploit this vulnerability, an attacker must already have valid logon credentials and be able to log on to a system locally, meaning they must already have an account on the system. An attacker could then elevate their privileges to the administrative level and run programs of their choice on the system.

To help mitigate exploit of this vulnerability, customers who do not require NT Virtual DOS Mode (NTVDM) or support for 16-bit applications can disable the NTVDM subsystem. Information on this workaround can be found in the Advisory.

We are not currently aware of any active attacks against this vulnerability and believe risk to customers, at this time, is limited. We continue to recommend customers review the mitigations and workarounds detailed in the Security Advisory.

We are also working with our Microsoft Active Protections Program (MAPP) partners to help provide broader protections for customers.

Our teams are continuing to work on an update and we will take appropriate action to protect customers when the update has met the quality bar for broad distribution. That may include releasing the update out-of-band.

The Security Advisory will be updated with any new developments so if you are not already subscribed to our comprehensive alerts, please do so in order to be alerted by email when new information is added.

We will also keep customers apprised of any additional details and updates through the MSRC Blog.

Thanks,

Jerry Bryant

via http://blogs.technet.com/msrc/archive/2010/01/20/security-advisory-979682-released.aspx


Warning IE 0 day exploit

January 15th, 2010

http://siblog.mcafee.com/cto/operation-%E2%80%9Caurora%E2%80%9D-hit-google-others/

http://www.avertlabs.com/research/blog/index.php/2010/01/14/more-details-on-operation-aurora/

http://www.microsoft.com/technet/security/advisory/979352.mspx

I will keep you posted when I hear more.

The best advice at this time is to make sure your antivirus is updated, watch where you surf, and consider an alternative browser or set IE's protection level to high.

However, bear in mind that these have all been targeted attacks against specific companies and institutions, so they are less likely to affect the average user, at least until the skiddies get their hands on the exploit.

If you are still using IE 6 or 7 on any version of Windows, use the Fix it that Microsoft have issued: http://support.microsoft.com/kb/979352

You do not need this fix if you are using Internet Explorer 8 on Windows XP Service Pack 3 (SP3) or on Windows Vista SP1 or later versions (including Windows 7). This is because Internet Explorer 8 opts in to DEP by default on these platforms.


WOW wowmatrix keylogger

November 25th, 2009

I was notified of a Google advert for a fake WoWMatrix site. The original, genuine WoWMatrix is seen by many game players as not completely within the rules of the game.
WoWMatrix is an addon that makes it easier to update and install other tweaks and addons for your game. Obviously, using a fake version that downloads false addons and tweaks and installs them leaves you open to a lot of problems.

The advert on Google looks like a search listing, and it is only apparent on close inspection that it is a sponsored listing or advert.



Microsoft Lottery Spam

November 18th, 2009

We seem to have a new batch of the Microsoft lottery spam emails again.

These have a @live.com email address that at first glance looks like it could be a proper Microsoft or MSN email address (they are, of course, not genuine Microsoft addresses or associated with Microsoft in any way).

DO NOT fall for the scam and try to ring the 070240****** number. It is a premium rate number with a long recorded message on it that will cost you £0.50 per minute.

You won’t get any money from these scammers, but they will get money from you.

I have blanked out the full email address and phone number from the image to save the unwary.



Microsoft Security Advisory 977544 vulnerability affecting SMB Protocol

November 14th, 2009

Microsoft Security Advisory 977544 Released

Today Microsoft released Security Advisory 977544 to provide information, including customer guidance, on a publicly reported Denial-of-Service (DoS) vulnerability affecting Server Messaging Block (SMB) Protocol. This vulnerability, in SMBv1 and SMBv2, affects Windows 7 and Windows Server 2008 R2. Windows Vista, Windows Server 2008, Windows XP, Windows Server 2003 and Windows 2000 are not affected.

It needs to be made clear that this is a DoS vulnerability that is unrelated to Microsoft Security Bulletin MS09-050 which addressed a remote code execution vulnerability in the SMBv2 protocol. This vulnerability would not allow an attacker to take control or install malware on a user’s system, but could cause the affected system to stop responding until manually restarted.

http://blogs.technet.com/msrc/archive/2009/11/13/microsoft-security-advisory-977544-released.aspx


Phishing

November 8th, 2009

I mentioned previously HERE that the criminals doing these phishing attacks are changing tactics to make it harder for the anti-phishing measures to block them.

We are seeing many more phishing attempts using the same technique: sending an HTML page as an attachment to an email and asking you, the victim, to fill in the form.

Many people are falling for this, even more than those who click on a link in an email.


Adobe Shockwave Player Multiple Vulnerabilities

November 6th, 2009

Affected: Adobe Shockwave Player versions 11.x

Description: Adobe Shockwave Player, with over 450 million users, is a multimedia player that allows Adobe Director applications to be published and viewed by a browser that is installed with a Shockwave plug-in.

Multiple vulnerabilities have been reported in Adobe Shockwave Player, which can be triggered by specially crafted Shockwave content. There is an error in the way an invalid index is used. There are also a couple of issues caused by the inappropriate use of an invalid pointer. The last issue is a memory corruption error when processing string lengths.

In all cases, successful exploitation might allow an attacker to execute arbitrary code in the context of the logged-on user.

There is not enough public information about these vulnerabilities.

Status: Vendor confirmed, updates available.

References:

Adobe Security Bulletin (APSB09-16): http://www.adobe.com/support/security/bulletins/apsb09-16.html

Wikipedia article on Adobe Shockwave: http://en.wikipedia.org/wiki/Adobe_Shockwave

Adobe Shockwave product home page: http://www.adobe.com/products/shockwaveplayer/

SecurityFocus BID: http://www.securityfocus.com/bid/36905

Adobe recommends Shockwave Player users install Shockwave Player version 11.5.2.602, available here: http://get.adobe.com/shockwave/
Remember: if you wish to use Shockwave in your browser, you need to install it separately in every browser you use.


More HMRC Phishing and very difficult to block

October 19th, 2009

I am getting concerned at the latest phishing attacks aimed at UK citizens who have to submit tax returns by November.

The anti-phishing sites are unable to block the sites or warn you that you are on a phishing site, because the HTML is a web page opened from your computer and so is NEVER checked.

Even if you press submit, it bounces immediately to the genuine HMRC site, so it isn’t blocked.


How to catch out a scumbag fraudster

October 17th, 2009

S!ri is well known in the anti-malware community for his SmitfraudFix program that removes rogue software, and for his tireless work in tracking down and keeping us all up to date with the ever increasing number of fake AV programs and rogue software.

If it wasn’t so serious for the poor infected victim who falls for the scam, this would be very funny: a lot of website owners push certain anti-malware programs (for high commissions) that tend not to fix what they say they do.

Read the full story of how S!ri got his own back on them and exposed them for the fraudsters they are:

S!Ri.URZ: Secure Shield fake rogue.
