Adware.com Alert Archive


2009-09-11

Critical Security Patches

On 8 September 2009 Microsoft released five security updates to close newly disclosed critical vulnerabilities. The affected software ships with most Windows operating systems, including Windows 2000, XP, Vista, Server 2003, and Server 2008.

The vulnerabilities allow your computer to be infected with malware when you simply visit a malicious web site, open a crafted media file, or are reachable over the network (wired or wireless) without proper firewall protection.

Security update 971961 closes a vulnerability in the JScript scripting engine that allows an attacker to take complete control of an affected system when the user views a specially crafted web page.

Security update 970710 closes a vulnerability in the Wireless LAN AutoConfig service that allows remote code execution if a computer with a wireless network interface enabled receives specially crafted wireless frames. The attacker needs no network credentials, only to be within radio range.

Security update 973812 closes vulnerabilities in Windows Media Format that allow remote code execution if a user opens a specially crafted media file.

Security update 967723 closes vulnerabilities in Windows TCP/IP processing that allow remote code execution if an attacker sends specially crafted TCP/IP packets over the network to a computer with a listening service. Firewall best practices and standard default firewall configurations help protect networks from these attacks, but a computer that accepts inbound connections without a firewall needs the patch.

Security update 956844 closes a vulnerability in the DHTML Editing Component ActiveX control that allows remote code execution when you visit a specially crafted web page.
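A quick way to confirm that these updates are actually present on a machine, as an added example that is not part of the Microsoft bulletins: the PowerShell script below reads the installed-hotfix list Windows keeps (the same data "wmic qfe" and systeminfo report) and compares it with the five knowledge-base numbers above. The bulletin numbers in the table are Microsoft's; the script, its table and its output format are ours. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the Microsoft bulletins). Reads the installed-hotfix
# list and reports which of the five September 2009 updates are present.
# Run in an elevated PowerShell prompt on the machine being checked.
$required = @{
    'KB971961' = 'JScript scripting engine (MS09-045)'
    'KB956844' = 'DHTML Editing Component ActiveX control (MS09-046)'
    'KB973812' = 'Windows Media Format (MS09-047)'
    'KB967723' = 'Windows TCP/IP (MS09-048)'
    'KB970710' = 'Wireless LAN AutoConfig service (MS09-049)'
}

function Get-MissingUpdates([string[]]$KbList) {
    # Win32_QuickFixEngineering is the same data "wmic qfe" and systeminfo show.
    $installed = Get-WmiObject -Class Win32_QuickFixEngineering |
        ForEach-Object { $_.HotFixID.ToUpper() }
    $KbList | Where-Object { $installed -notcontains $_.ToUpper() }
}

$os = (Get-WmiObject -Class Win32_OperatingSystem).Caption
Write-Host "Checking $os"
$missing = @(Get-MissingUpdates ([string[]]$required.Keys))
foreach ($kb in ($required.Keys | Sort-Object)) {
    if ($missing -contains $kb) { $state = 'MISSING' } else { $state = 'installed' }
    Write-Host ("{0,-9} {1,-52} {2}" -f $kb, $required[$kb], $state)
}

# A MISSING entry is only a gap if the bulletin applies to this edition of
# Windows: the wireless update (970710), for example, exists for Vista and
# Server 2008 only. Check the bulletin's affected-software table before
# treating MISSING as a problem.
```

The same function works for any other update you need to verify; adding 'KB958644' to the table, for instance, checks for the MS08-067 fix that the Conficker entry below depends on.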



2009-06-09

Adobe PDF Vulnerability

Adobe has published security bulletin APSB09-06 for a newly disclosed vulnerability in Adobe Reader and Acrobat (9.1 and earlier) that is triggered when a user opens a malicious PDF. Two JavaScript functions exposed to PDF documents (getAnnots() and customDictionaryOpen(), discussed below) can be exploited by a remote attacker to execute arbitrary code on your computer, for example when you visit a web site that serves a crafted PDF. The bulletin describes the problem and offers updates that fix it.

Relevant Security Information

US-CERT recommends the following workarounds to protect yourself from these PDF vulnerabilities:

Disable JavaScript in Adobe Reader and Acrobat

Disabling JavaScript prevents these vulnerabilities from being exploited and reduces attack surface. If this workaround is applied to updated versions of the Adobe Reader and Acrobat, it may protect against future vulnerabilities.

To disable JavaScript in Adobe Reader:

  1. Open Adobe Acrobat Reader.
  2. Open the Edit menu.
  3. Choose the Preferences... option.
  4. Choose the JavaScript section.
  5. Uncheck the Enable Acrobat JavaScript check box.

Disabling JavaScript does not fix the vulnerable code; it only prevents the vulnerable JavaScript component from being reached. When JavaScript is disabled, Adobe Reader and Acrobat prompt to re-enable it when opening a PDF that contains JavaScript, so do not accept that prompt for a document you did not expect.

Prevent Internet Explorer from automatically opening PDF documents

The installer for Adobe Reader and Acrobat configures Internet Explorer to open PDF files automatically, without any user interaction. This behavior can be reverted to the safer option of prompting the user by importing the following as a .REG file (the ProgID below is the one Reader 8 and 9 register; if it is absent on your system, apply the same change to the AcroExch.Document key that is present under HKEY_CLASSES_ROOT):

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00

Disable the display of PDF documents in the web browser

Preventing PDF documents from opening inside a web browser reduces attack surface. If this workaround is applied to updated versions of the Adobe Reader and Acrobat, it may protect against future vulnerabilities.

To prevent PDF documents from automatically being opened in a web browser with Adobe Reader:

  1. Open Adobe Acrobat Reader.
  2. Open the Edit menu.
  3. Choose the Preferences... option.
  4. Choose the Internet section.
  5. Uncheck the "Display PDF in browser" check box.

Rename or remove Annots.api

To disable the vulnerable getAnnots() method, rename or remove the Annots.api plug-in. This disables some annotation functionality, but annotations can still be viewed. It does not protect against the customDictionaryOpen() vulnerability, which lives in a different component.

On Windows, Annots.api is typically located here:

Example location on GNU/Linux:

/opt/Adobe/Reader8/Reader/intellinux/plug_ins/Annots.api

Do not access PDF documents from untrusted sources

Do not open unfamiliar or unexpected PDF documents, particularly those hosted on web sites or delivered as email attachments.
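The four workarounds above can be applied in one pass from PowerShell. The script below is an added example, not part of the Adobe bulletin or the US-CERT guidance. It assumes Reader 9.0 installed in the default location and uses the registry preference names bEnableJS (under JSPrefs) and bBrowserIntegration (under Originals) for the two Preferences check boxes; those value names are an assumption taken from Reader 8/9 installs, so verify them against your version before relying on the script. Run it as Administrator, since the HKEY_CLASSES_ROOT change and the Program Files rename need elevated rights.

```powershell
# Added example (not from Adobe or US-CERT): applies the four Reader/Acrobat
# workarounds above on Windows. Run as Administrator. The preference value
# names below (JSPrefs\bEnableJS, Originals\bBrowserIntegration) and the
# default install path are assumptions: confirm them for your Reader version.
param(
    [string]$ReaderVersion = '9.0',
    [string]$ReaderDir = "$env:ProgramFiles\Adobe\Reader 9.0\Reader"
)

function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
    Write-Host "$Path\$Name = $Value"
}

$prefs = "HKCU:\Software\Adobe\Acrobat Reader\$ReaderVersion"

# 1. Disable Acrobat JavaScript (Edit > Preferences > JavaScript).
Set-RegDword "$prefs\JSPrefs" 'bEnableJS' 0

# 2. Do not display PDFs inside the browser (Edit > Preferences > Internet).
Set-RegDword "$prefs\Originals" 'bBrowserIntegration' 0

# 3. Make Internet Explorer prompt instead of auto-opening PDFs: clear
#    EditFlags on the AcroExch.Document.7 ProgID (same change as the .REG above).
$progId = 'Registry::HKEY_CLASSES_ROOT\AcroExch.Document.7'
if (Test-Path $progId) {
    Set-ItemProperty -Path $progId -Name 'EditFlags' -Value ([byte[]](0,0,0,0)) -Type Binary
    Write-Host 'EditFlags cleared on AcroExch.Document.7'
} else {
    Write-Warning 'AcroExch.Document.7 not found; look for another AcroExch.Document key under HKCR'
}

# 4. Neutralise getAnnots() by renaming the Annots.api plug-in.
$annots = Join-Path $ReaderDir 'plug_ins\Annots.api'
if (Test-Path $annots) {
    Rename-Item -Path $annots -NewName 'Annots.api.disabled'
    Write-Host "Renamed $annots"
} else {
    Write-Warning "Annots.api not found under $ReaderDir"
}

# Show the resulting preference values so the change can be confirmed.
Get-ItemProperty "$prefs\JSPrefs"   | Select-Object bEnableJS
Get-ItemProperty "$prefs\Originals" | Select-Object bBrowserIntegration
```

The preference changes take effect the next time Reader starts; the EditFlags change applies to Internet Explorer immediately. Reversing the script (set both DWORDs to 1 and rename the plug-in back) restores the original behaviour once the Adobe update has been installed.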


2009-04-20

Conficker Worm Protection

The Conficker worm (also known as Downadup) infects computers by sending a specially formed request to your computer over a network connection. The request, a remote procedure call to the Windows Server service, exploits a vulnerability in unpatched versions of Microsoft Windows. Once the worm gains access to a computer it creates autorun.inf files on available network shares and removable media (such as USB sticks). Any computer that subsequently references the infected media or network share in a manner that activates the autorun file becomes infected.

The RPC vulnerability was fixed by Microsoft on 23 October 2008 with security update 958644, as described in security bulletin MS08-067.

If you have this update on your computer the netapi32.dll file in your Windows system32 folder will have a modification date in mid-October 2008. The file date is only a rough indicator, though: a later update or service pack can replace the file again, so the reliable check is whether KB958644 appears in the list of installed updates (Add or Remove Programs with "Show updates" ticked, or the output of systeminfo).

However, even if you have the security update in place, your computer can be infected directly from infected removable media or shares unless you restrict the autorun feature of Windows.

Relevant Security Information

Detection and Removal of Conficker Worm

One sign of a Conficker infection is the presence of a randomly named service in the netsvcs list in your Windows registry. In a typical infection the "netsvcs" value under the "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" registry subkey will contain a randomly composed service name, such as "gzqmiijz", and there will be a subkey with that same random name under "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\".

Furthermore, if you look at the ServiceDll value under the Parameters subkey of that service (for example "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gzqmiijz\Parameters"), you will find the path to the malware DLL, and there will likely be an autorun registry entry that starts that DLL through rundll32 from a "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" or "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" value. Legitimate netsvcs services load DLLs that live in the system32 folder and carry Microsoft version information; a netsvcs entry whose DLL does neither deserves a close look.

Another sign of infection is presence of an autorun.inf file at the root of any of your disk drives (e.g. c:\autorun.inf).
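The three indicators above can be checked without any removal tool. The PowerShell script below is an added example, not Microsoft's detection or removal tool: it walks the netsvcs service list, the Run keys and the drive roots and reports anything that looks like the pattern described. The "is this a Microsoft DLL" test reads the file's version resource and is a heuristic of ours; a DLL that fails it deserves investigation, not an automatic verdict. The script is read-only; run it from an elevated PowerShell prompt.

```powershell
# Added example, not Microsoft's tool: a read-only check of the three Conficker
# indicators described above. Run from an elevated PowerShell prompt.
# The Microsoft-DLL test below is a heuristic (our assumption): it flags any
# service or Run-key DLL whose version resource is not Microsoft's, or which
# cannot be found on disk.
function Test-MicrosoftDll([string]$Path) {
    $file = [Environment]::ExpandEnvironmentVariables($Path.Trim('"').Trim())
    if (-not (Test-Path $file -ErrorAction SilentlyContinue)) { return $false }
    $company = (Get-Item $file).VersionInfo.CompanyName
    return ($company -like 'Microsoft*')
}

$findings = @()

# 1. Every service in the svchost "netsvcs" group and the DLL it loads.
$svchost = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
foreach ($name in (Get-ItemProperty $svchost).netsvcs) {
    $svc = "HKLM:\SYSTEM\CurrentControlSet\Services\$name"
    if (-not (Test-Path $svc)) { continue }   # listed but not installed: normal
    $params = Get-ItemProperty "$svc\Parameters" -ErrorAction SilentlyContinue
    if ($params -and $params.ServiceDll -and -not (Test-MicrosoftDll $params.ServiceDll)) {
        $findings += "netsvcs service '$name' loads a non-Microsoft DLL: $($params.ServiceDll)"
    }
}

# 2. Run keys that start a DLL through rundll32.
foreach ($hive in 'HKLM', 'HKCU') {
    $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty $run -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'rundll32(\.exe)?\s+"?([^",]+)') {
            if (-not (Test-MicrosoftDll $matches[2])) {
                $findings += "$run\$($p.Name) runs rundll32 on: $($p.Value)"
            }
        }
    }
}

# 3. autorun.inf at the root of every drive PowerShell can see.
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path $inf -ErrorAction SilentlyContinue) {
        $findings += "autorun.inf present at $inf"
    }
}

if ($findings.Count -gt 0) {
    $findings | ForEach-Object { Write-Host "SUSPECT: $_" }
} else {
    Write-Host 'No Conficker indicators found.'
}
```

An autorun.inf at the root of a CD-ROM or a vendor USB stick is normal, so read the findings rather than acting on them blindly; a netsvcs service whose DLL sits outside system32 and has no Microsoft version information is the strong signal.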

Microsoft provides extensive technical information (knowledge base article 962007) on how to detect and manually remove the Conficker worm, and also provides tools that will automatically remove at least part of the infection.

Automated removal with an up-to-date anti-malware program, installing security update 958644, and tightening your computer security (in particular disabling autorun) are the best approaches to countering this infection.



2009-03-24

Update your Adobe Reader and Acrobat Now

Critical vulnerabilities were identified in Adobe Reader 9 and Acrobat 9 and earlier versions. We described these vulnerabilities in our security alert dated 2009-02-26.

Adobe has just released product updates to address these vulnerabilities. You should obtain these updates to protect your computer from attack.

Adobe recommends that users of Adobe Reader 9 and Acrobat 9 update to version 9.1.

Users of Adobe Reader 8 and Acrobat 8 should update to 8.1.4.

Users of Adobe Reader 7 and Acrobat 7 should update to 7.1.1.

These updates resolve the issue described in Security Advisory APSA09-01 and, for version 9, Security Bulletin APSB09-03.

If you previously updated to Adobe Reader 9.1 and Acrobat 9.1 no action is required.

For more information on this subject see Adobe Security Bulletin APSB09-04.



2009-03-13

FTC Warns Consumers of Economic Stimulus Scams

The scams say they can help you qualify for a payment from the recent government economic stimulus package.

They gather personal and financial information, typically by asking for a small fee for their "services", and then use that information for identity theft and card fraud.

E-mail messages might ask you for banking information, so the operators can deposit your share of the stimulus directly into your bank account. Then the scammers drain your accounts and disappear!

Also, e-mail might say it is from a government agency, and ask for information to "verify" that you qualify for a payment. The scammers use the information to commit identity theft.

Some e-mail scams provide links to malicious web sites where you can "find out how to qualify for funds". Clicking the link downloads spyware to your computer that can be used for identity theft.

Some malicious web sites suggest that for as little as $1.99 you can obtain a list of economic stimulus grants for which to apply. But your card number used to pay the fee can fall into the hands of scam artists, or the $1.99 can be the down payment on a "negative option" agreement that may cost you thousands of dollars if you do not cancel.

Forewarned is forearmed. Do not fall victim to these scams.

To file a complaint about a scam with the Federal Trade Commission call 1-877-FTC-HELP (1-877-382-4357), or go to their web site at www.ftccomplaintassistant.gov.



2009-02-26

Adobe Acrobat & Reader PDF Vulnerability

Adobe Security Advisory APSA09-01 describes a vulnerability in Adobe Reader and Acrobat (versions 9 and earlier). A fix is not yet available; the workarounds below limit exposure until Adobe releases the update.

Your system can be attacked by simply viewing a web page containing a PDF document that exploits the vulnerability.

There are several ways to protect your system:

• Disable JavaScript in Adobe Reader and Acrobat using the Preferences menu

• Prevent Internet Explorer from automatically opening PDF documents by setting "EditFlags"=hex:00,00,00,00 under HKEY_CLASSES_ROOT\AcroExch.Document.7 in your Windows registry

• Disable display of PDF documents in the web browser in Acrobat Reader Preferences

• Do not visit untrusted web sites and do not open email from unknown senders.



2009-02-18

Internet Explorer 7 CSS Memory Corruption Vulnerability

This vulnerability allows remote code execution if you view a specially crafted web page with Internet Explorer.

The security update (Microsoft security bulletin MS09-002) is rated Critical for Internet Explorer 7 running on supported editions of Windows XP and Vista.

A patch is available from Microsoft through Windows Update.

Details: in Microsoft Internet Explorer 7, when XHTML strict mode is used, remote attackers can execute arbitrary code via the zoom style directive in conjunction with unspecified other directives in a malformed Cascading Style Sheets (CSS) stylesheet in a crafted HTML document, aka "CSS Memory Corruption Vulnerability" (CVE-2009-0076).



2009-02-06

IRS Stimulus Package Phishing Scam

US-CERT has indications that phishing scams are circulating via fraudulent U.S. Internal Revenue Service emails.

The emails offer stimulus package payments. These emails attempt to convince you to follow a link to a website or to complete an attached document, where you provide personal information.

If you receive the fraudulent email you should send the email message and the website URL to the U.S. Internal Revenue Service at phishing@irs.gov.

To avoid this and other phishing risks do not follow unsolicited web links received in email messages.

2009-01-11

US-CERT is aware of public reports of malicious code circulating via spam email messages related to the Israel/Hamas conflict in Gaza.

These messages may contain factual information about the conflict and appear to come from CNN. Additionally, the messages indicate that additional news coverage of the conflict can be viewed by following a link provided in the email body.

If users click on this link, they are redirected to a bogus CNN website that appears to contain a video. Users who attempt to view this video will be prompted to update to a new version of Adobe Flash Player in order to view the video. This update is not a legitimate Adobe Flash Player update; it is malicious code.

If users download this executable file, malicious code may be installed on their systems.

2008-12-31

Keyloggers can be used to intercept passwords and other confidential information typed with your keyboard.

Keyloggers with phishing and social engineering ploys are a commonly used method in cyber fraud, and there has been a steady increase in malicious keyloggers using rootkit technologies to evade detection.

A keylogger can be installed on your PC if you open a malicious file attached to an email, when a malicious file is launched from a file sharing network, when you visit a malicious web page, and by another program already present on your PC, such as a trojan downloader.

The best defense against keyloggers is to practice safe habits. Never open attachments in email from an unknown sender, keep Windows and your applications patched, and never visit unknown web sites without first at least checking whether they are safe at McAfee's siteadvisor.com.

December, 2008

Microsoft has confirmed a critical vulnerability in all supported versions of Internet Explorer (5.01, 6 and 7, as well as the IE8 beta).

The vulnerability is in the way Internet Explorer handles XML data binding in a viewed web page: a malformed binding corrupts memory and lets the page's author run code of their choosing.

This provides a way for adware and spyware to enter your computer when you visit a malicious web site, and the flaw was being exploited in the wild before the patch was released.

Internet Explorer security update 960714, described in security bulletin MS08-078, addresses the vulnerability by modifying the way Internet Explorer validates data binding parameters and handles the error that resulted in the exploitable condition.

You can download the updates for your home computer or laptop from the Microsoft Update Web site: update.microsoft.com/microsoftupdate

For more information about the security update go to: support.microsoft.com/kb/960714