February, 2009:

Adobe Reader / Acrobat Memory Corruption Vulnerability

Summary:

Fortinet’s FortiGuard Global Security Research Team protects against a memory corruption vulnerability in Adobe Reader / Acrobat.

Impact:

Remote code execution.

Risk:

  • Critical

Affected Software:

  • Adobe Reader 9 and earlier versions
  • Adobe Acrobat Standard, Pro, and Pro Extended 9 and earlier versions

Solutions:

Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this memory corruption vulnerability. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat’s lifecycle.

References:

URL: http://www.fortiguardcenter.com/advisory/FGA-2009-09.html

Threatscape Report – February 2009 Edition

The following statistics are compiled from Fortinet’s FortiGate network security appliances and intelligence systems for the period January 21st – February 20th, 2009.

FortiGuard Global Threat Research

Exploits and Intrusion Prevention

Top 10 Exploitations & Regions

Top 10 exploitation attempts detected for this period, ranked by vulnerability traffic. Percentage indicates the portion of activity the vulnerability accounted for out of all attacks reported in this edition. Severity indicates the general risk factor involved with the exploitation of the vulnerability, rated from low to critical. Critical issues are outlined in bold:

Rank  Vulnerability                                    Percentage  Severity
1     Trojan.Storm.Worm.Krackin.Detection              62.7        High
2     MS.IIS.Web.Application.SourceCode.Disclosure     3.0         Medium
3     SSLv3.SessionID.Overflow                         2.2         High
4     MS.DCERPC.NETAPI32.Buffer.Overflow               2.0         Critical
5     MS.Exchange.Mail.Calender.Buffer.Overflow        1.5         High
6     SSH.Client.Buffer.Overflow                       1.2         High
7     MS.SMB.DCERPC.SRVSVC.PathCanonicalize.Overflow   1.2         High
8     MS.IE.HTML.Attribute.Buffer.Overflow             1.1         High
9     MS.Windows.NAT.Helper.DNS.Query.DoS              0.9         High
10    Squid.NTLM.Authentication.Buffer.Overflow        0.5         Critical

Figure 1a: Top 5 regions by detected exploit attempts

New Vulnerability Coverage

There were a total of 117 vulnerabilities added to FortiGuard IPS coverage this period.
Of these added vulnerabilities, 30 were reported to be actively exploited (25.6%).

Figure 1b breaks down added vulnerabilities by severity, coverage and active exploitation in the wild.

For more information, observe the detailed reports for this period at:

Figure 1b: New vulnerability coverage for this edition, categorized by severity

Malware Today

Top 10 Variants

Top 10 malware activity by individual variant. Percentage indicates the portion of activity the malware variant accounted for out of all malware threats reported in this edition. Top 100 shifts indicate positional changes compared to last edition’s Top 100 ranking, with “new” highlighting the malware’s debut in the Top 100. Figure 2 below shows the detected volume for the malware variants listed within the Top 5:

Rank  Malware Variant             Percentage  Top 100 Shift
1     W32/Netsky!similar          9.3         +1
2     W32/Virut.A                 7.8         +1
3     HTML/Iframe_CID!exploit     7.8         +2
4     HTML/Iframe.DN!tr.dldr      6.3
5     Spy/OnLineGames             6.0         -4
6     W32/MyTob.fam@mm            3.5         +5
7     W32/MyTob.BH.fam@mm         2.5
8     W32/PWS.Y!tr                2.2         +29
9     W32/Basine.C!tr.dldr        2.1         +1
10    W32/MyTob.AQ@mm             2.0         -1

URL: http://www.fortiguardcenter.com/reports/roundup_feb_2009.html

Cisco Unified MeetingPlace Stored Cross-Site Scripting Vulnerability

This is the Cisco PSIRT response to an issue discovered and reported to Cisco by the National Australia Bank Security Assurance team regarding a cross-site scripting vulnerability in Cisco Unified MeetingPlace Web Conferencing.

URL: http://www.cisco.com/en/US/products/products_security_response09186a0080a7bc61.html

Microsoft Excel Invalid Object Remote Code Execution Vulnerability

Summary:

Fortinet’s FortiGuard Global Security Research Team protects against an invalid object error in Microsoft Excel.

Impact:

Remote code execution.

Risk:

  • Critical

Affected Software:

  • Microsoft Office Excel 2000 Service Pack 3
  • Microsoft Office Excel 2002 Service Pack 3
  • Microsoft Office Excel 2003 Service Pack 3
  • Microsoft Office Excel 2007 Service Pack 1
  • Microsoft Office Excel Viewer 2003
  • Microsoft Office Excel Viewer 2003 Service Pack 3
  • Microsoft Office Excel Viewer
  • Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1
  • Microsoft Office 2004 for Mac
  • Microsoft Office 2008 for Mac
  • Open XML File Format Converter for Mac

Solutions:

Fortinet customers who subscribe to Fortinet's intrusion prevention (IPS) service should be protected against this invalid object vulnerability. Fortinet's IPS service is one component of FortiGuard Subscription Services, which also offer comprehensive solutions such as antivirus, Web content filtering and antispam capabilities. These services enable protection against threats on both application and network layers. FortiGuard Services are continuously updated by the FortiGuard Global Security Research Team, which enables Fortinet to deliver a combination of multi-layered security intelligence and true zero-day protection from new and emerging threats. These updates are delivered to all FortiGate, FortiMail and FortiClient products. Fortinet strictly follows responsible disclosure guidelines to ensure optimum protection during a threat’s lifecycle.

References:

URL: http://www.fortiguardcenter.com/advisory/FGA-2009-08.html

eWeek Web Site Leads Users to Rogue Anti-Virus (AV) Application

Malicious Web Site / Malicious Code: eWeek Web Site Leads Users to Rogue Anti-Virus (AV) Application

Websense Security Labs™ ThreatSeeker™ Network has discovered that the eWeek.com Web site is serving malicious advertisements (malvertisements) to visitors.

Update 2/24/09 – eWeek has informed us that the problem has been rectified. We have verified that the Web site is now safe.

eWeek.com is the online version of the popular business computing magazine.

When users browse to the home page of eWeek, a malvertisement hosted on the DoubleClick advertisement network performs a redirect to a malicious Web site through a series of iframes. This causes a redirect to one of two files on hxxp://[removed]inside.com/

Either a PDF document containing exploit code is served, or index.php redirects to the rogue ad-server.

With no user interaction, a file named “winratit.exe” (MD5: A12DA1D62B7335CBE6D6EA270247BBC1) is installed in the user’s temporary files folder. Two additional files are dropped onto the user’s machine and are bound to startup. The hosts file is also modified so that if the user tries to browse to popular software download sites to remedy the infected machine, s/he is instead directed to a malicious Web site offering further rogue AV downloads.

The name of the rogue AV application is Anti-Virus-1. If the user chooses to register the rogue AV, a connection is made to hxxp://[removed]-site.info/ which has been set up to collect payment details.

Websense® Security Labs has let eWeek know about the problem and they are working to fix it.

Screenshot of the rogue Anti-Virus application: 

Comprehensive health care security with ISO 27001

Now that the stimulus package has passed, health care information security moves from an objection to a requirement. There is growing acceptance that, like it or not, electronic medical records will play a more important role in health-care service delivery.

URL: http://feedproxy.google.com/~r/SCMagazineHome/~3/_eGjCehg3Zo/

Update for Windows Autorun – 2/24/2009

Microsoft Security Advisory (967940): Update for Windows Autorun – 2/24/2009

Revision Note: Advisory published

Advisory Summary: Microsoft is announcing the availability of an update that corrects a functionality feature that can help customers in keeping their systems protected. The update corrects an issue that prevents the NoDriveTypeAutoRun registry key from functioning as expected.

URL: http://www.microsoft.com/technet/security/advisory/967940.mspx

New Infoblox Tools Raise the Bar on IP Address Management for the Enterprise

Pioneering the next-generation approach to IP address management (IPAM) for the enterprise, Infoblox Inc. today announced availability of several new groundbreaking IP address management tools.

URL: http://feedproxy.google.com/~r/InfobloxNewsFeed/~3/YFo_0mKl8sw/release.cfm

Mass Securities Phishing Scam in China

Phishing Alert: Mass Securities Phishing Scam in China

Websense® Security Labs™ ThreatSeeker™ Network has discovered that numerous newly-registered fake securities Web sites have started to appear in China.

These phishing sites host a large amount of false information about stock and negotiable securities under the names of some of the big securities Web sites, trying to deceive people into paying for the information or registering for their stock analysis service. They then collect personal information such as social insurance number, full name, address, date of birth, mother’s maiden name, and credit card information.

Here are some screen shots of the phishing site:

Websense® Messaging and Websense Web Security customers are protected against this attack.

URL: http://securitylabs.websense.com/content/Alerts/3308.aspx

Who owns the problem?

After interviewing a few folks, including me, last week, Mary E. Shacklett posted a nice piece at Internet Evolution about the difficult issue of how to effectively get malicious websites taken down.

As noted in the article, I’ll be moderating what promises to be a lively and fascinating panel discussion on this topic at the Anti-Spyware Coalition conference in Washington, DC on May 19. Stay tuned for details.

URL: http://blog.stopbadware.org/2009/02/19/who-owns-the-problem

Yxes.A

Fortinet Investigates a New SMS Mobile Worm: Yxes.A

The FortiGuard Global Security Research Team has investigated the case of a new mobile worm resorting to a breakthrough propagation strategy, which leverages SMS messages and Internet access.

This new worm, deemed SymbOS/Yxes.A!worm (also known as “Sexy View”), is targeting mobile devices running SymbianOS S60 3rd Edition (e.g. Nokia 3250), but may run on a wider range of devices, as it has been reported to function on phones operating SymbianOS S60 3rd Edition FP 1 (e.g. Nokia N73). It bears a valid certificate signed by Symbian, and installs as a valid application on factory mobile devices running S60 3rd Edition.

It gathers phone numbers from the infected device’s file system, and repeatedly attempts to send SMS messages to those. The messages feature a malicious Web address (URL); upon “clicking” on the address in the received message, the recipients will download a copy of the worm (provided their phones/subscriptions allow for internet browsing).

Beyond propagating to as many users as possible via the strategy mentioned above, the worm’s aim is to gather intelligence on the infected victim (such as serial number of the phone, subscription number) and post it to a remote server likely controlled by cyber criminals. Whatever the latter may do with such information is unknown as of writing.

It must be noted that due to its propagation strategy relying on the worm copy being hosted on a web server, the worm can mutate easily. According to Guillaume Lovet, senior manager of Fortinet’s Threat Research Team, “As far as our analysis goes, the worm currently does not take commands from the remote servers it contacts. However, since the copies hosted on the malicious servers are controlled by the cyber criminals, they may update them whenever they want, thereby effectively mutating the worm, adding or removing functionality. We’re really at the edge of a mobile botnet here.”

The Yxes mobile worm is reported to be currently spreading in the wild. It is recommended for mobile users to have a valid security solution in place, such as Fortinet’s FortiClient Mobile, to protect against threats. Caution should always be taken when opening attachments and following URLs received through messages (SMS/MMS). In the case of an infection, please contact your service provider.

Update:

Our investigation confirms that the worm executes on Nokia 3250 handsets, but again is likely not limited to this. Once installed, no program icon or related information could be found in the system menu. On launch, the worm executes as the process “EConServer.exe”, which is likely meant to camouflage alongside the existing legitimate system process “EComServer.exe”. The worm will also automatically run every time the device is rebooted / power cycled. Further, it bears a destructive nature and will kill certain processes such as the application manager (AppMgr). The processes it seeks to terminate are: AppMgr, TaskSpy, Y-Tasks, ActiveFile and TaskMan.

Fortinet’s FortiGuard Global Security Research Team protects against additional variants of SymbOS/Yxes.A, namely B, C, and D. Subscribers to Fortinet’s FortiClient Mobile should be protected against these variants.

Action:

  • Fortinet’s FortiGuard Antivirus Definitions protecting against Yxes have been available since February 8, 2009
  • Fortinet’s FortiGuard Global Security Research Team collaborates with carriers to provide additional protection against mobile threats
  • Symbian’s SDN has been notified
  • Registrars of domains hosting copies of the worm have been notified

URL: http://www.fortiguardcenter.com/advisory/FGA-2009-07.html

Security threat to your company?

Web 2.0: Security threat to your company?

Web 2.0 tools can boost employee morale and increase productivity, but there’s resistance from top executive suites through middle managers and IT departments.

URL: http://feedproxy.google.com/~r/SCMagazineHome/~3/ww5a0oryN1k/

CanSecWest 2009 Speakers and Dojo courses (Mar 14-20)

Posted by Dragos Ruiu on Feb 15

Final Speaker Lineup for CanSecWest 2009 (March 18-20):
===============================================

The Smart-Phones Nightmare – Sergio ‘shadown’ Alvarez

Getting into the SMRAM: SMM Reloaded – Loïc Duflot

Network design for effective HTTP traffic filtering – Jeff "rfp"

URL: http://seclists.org/honeypots/2009/q1/0017.html

Honeyd Scripts IP Information Script

Posted by Joshua Gimer on Feb 14

I forgot to include the IP Information script that is linked to in the
database search output page.

Here it is, just make sure to read the README and place the contents
of the tarball in the same directory as the other scripts.

URL: http://seclists.org/honeypots/2009/q1/0016.html

Stock Yards Bank & Trust

CASE STUDY: Stock Yards Bank & Trust

A biometric solution helps Stock Yards Bank & Trust manage passwords and aids in compliance efforts.

URL: http://feedproxy.google.com/~r/SCMagazineHome/~3/I2PVSs4tjKE/