Gladiator Security Forum

 
> Microsoft warns of new IE bug; attacks under way
Posted by Terryala - 03-10-10 01:40 - 0 comments

QUOTE
It's the second zero-day vulnerability in the last 60 days
By Gregg Keizer
March 9, 2010 02:11 PM ET

Computerworld - Microsoft Corp. today warned of a critical vulnerability in Internet Explorer that is already being exploited by hackers; it was the company's second such admission in the past two months.

Internet Explorer 6 and its 2006 successor, IE7, contain a vulnerability that can be used by attackers to inject malicious code into a Windows PC. The oldest and newest of Microsoft's supported browsers, IE 5.01 and IE8, respectively, are not vulnerable to such attacks.

"At this time, we are aware of targeted attacks attempting to use this vulnerability," Microsoft acknowledged in an advisory posted simultaneously with two security updates that patched eight bugs in Windows and Office. Elsewhere, Microsoft said that the vulnerability had been publicly disclosed.

"It doesn't look like an exploit has been publicly posted," noted Andrew Storms, director of security operations at nCircle Network Security Inc., who added that Microsoft might have been made aware of the vulnerability either via a customer report or from one of the security companies that partner with it in the Microsoft Active Protections Program (MAPP). A report on the bug later today from the likes of Symantec or McAfee would indicate the latter, said Storms.

This is the second time in the last 60 days that Microsoft has admitted that hackers were exploiting an unpatched bug in IE. In mid-January, Microsoft said that a flaw in IE had been used to attack several companies' networks, including Google's and Adobe's. Microsoft patched that vulnerability, and seven others, later in the month when it issued an emergency update, often dubbed an "out-of-band" update.

As is its practice, Microsoft today did not spell out a timeline for patching the latest IE vulnerability, nor did it commit to an out-of-band fix.

Storms said it was too early to say whether Microsoft would rush a patch to users. "Generally, one of the indicators is if an exploit has gone public," he said, noting that as far as he knew, none had. "That often determines how quickly they'll patch. Of course, the way the Internet moves, [an exploit] could be posted in minutes, and then the story changes completely."

If Microsoft does not go out-of-band for this IE vulnerability, it might not issue a patch for it until May, Storms said, noting that the company will have to thoroughly test the repair job. April might be possible, he added, depending on how long Microsoft has known of the vulnerability and where it is in the fix cycle. "But then they wouldn't get a full QA cycle on the patch," he said.

Microsoft's next scheduled Patch Tuesday is April 13, five weeks from today.

Microsoft listed several recommended actions that users of IE6 and IE7 can take to defend themselves in lieu of a patch. They include modifying access to the "iepeers.dll," disabling scripting in the browsers and enabling DEP (data execution prevention).


http://www.computerworld.com/s/article/916...y?taxonomyId=89

> McAfee Warns Consumers Of Fake Antivirus Software
Posted by TheSentinel - 03-9-10 19:18 - 1 comments
QUOTE
McAfee Warns Consumers Of Fake Antivirus Software

Mike Sachoff
Staff Writer
2010-03-09

McAfee issued a warning today to consumers about "scareware," or fake antivirus software, calling it possibly the most costly online scam in 2010, causing significant monetary loss and damage to users' computers.

Scareware is the first scam outlined in McAfee's new Consumer Threat Alert program that warns people about the latest and most dangerous online threats.

"Even the savviest of computer users fall victim to online threats because cybercriminals have become so sophisticated," said Jeff Green, senior vice president of McAfee Labs.

More:
http://www.securitypronews.com/insiderrepo...usSoftware.html

> Microsoft Security Bulletin Summary for March 9, 2010
Posted by NICK ADSL UK - 03-9-10 18:25 - 0 comments
Published: March 9 2010


Note: There may be latency issues due to replication; if the page does not display, keep refreshing.


Note: http://www.microsoft.com/technet/security and http://www.microsoft.com/security are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the microsoft.com download center or Windows Update. See the individual bulletins for details.

Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.


Today Microsoft released the following Security Bulletin(s).

Bulletin Summary:


http://www.microsoft.com/technet/security/...n/ms10-mar.mspx

Critical (0)


Important (2)


Microsoft Security Bulletin MS10-017 - Important
Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (980150)
Published: March 09, 2010
http://www.microsoft.com/technet/security/...n/MS10-017.mspx


Microsoft Security Bulletin MS10-016 - Important
Vulnerability in Windows Movie Maker Could Allow Remote Code Execution (975561)
Published: March 09, 2010
http://www.microsoft.com/technet/security/...n/MS10-016.mspx

Moderate (0)





Please note that Microsoft may release bulletins outside of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety 1-866-727-2338. International customers should contact their local subsidiary.

As always, download the updates only from the vendor's website - visit the Windows Update and Office Update or Microsoft Update websites. You may also get the updates through the Automatic Updates functionality in Windows.

Security Tool
Find out if you are missing important Microsoft product updates by using MBSA.

> Energizer Bunny's software infects PCs
Posted by Terryala - 03-8-10 20:20 - 0 comments

QUOTE
USB battery recharger status software contains Trojan, says US-CERT
By Gregg Keizer
March 7, 2010 10:17 PM ET

Computerworld - The Energizer Bunny infects PCs with backdoor malware, the Department of Homeland Security's US-CERT said Friday.

According to researchers at US-CERT (United States Computer Emergency Readiness Team), software that accompanies the Energizer DUO USB battery charger contains a Trojan horse that gives hackers total access to a Windows PC.

The Energizer DUO, a USB-powered nickel-metal hydride battery recharger, has been discontinued, said Energizer Holdings, which late Friday confirmed that the software contains malicious code. The company has not said how the Trojan made its way into the software, however. "Energizer is currently working with both CERT and U.S. government officials to understand how the code was inserted in the software," Energizer said in a statement.

Energizer's DUO was sold in the U.S., Latin America, Europe and Asia starting in 2007.

The Windows software included with the charger is designed to show battery-charging status. When the software is installed, it creates the file "Arucer.dll," which is actually a Trojan that listens for commands on TCP port 7777. Upon instructions, the Trojan can download and execute files, transmit files stolen from the PC, or tweak the Windows registry. The Trojan automatically executes each time the PC is turned on, and remains active, even if the Energizer charger is not connected to the machine.

US-CERT urged users who had installed the Energizer software to uninstall it, which disables the automatic execution of the Trojan. Alternately, users can remove the Arucer.dll from Windows' "system32" directory, then reboot the machine.

Both US-CERT and Symantec have published advisories about the Trojan.

Energizer said it has removed the software from its download site, and added that although it had offered similar software for Mac OS X, only the Windows version had been infected.

This isn't the first time that a hardware company has planted malware on unsuspecting customers' PCs. In 2007, Seagate Technology admitted that an unknown number of its hard drives left an Asian manufacturing plant with Trojan horses, while the year before that Apple warned iPod owners that some of the music players carried a Windows virus.

In early 2008, electronic retailer Best Buy confirmed it had sold digital picture frames with attack code that spread to connected PCs.


http://www.computerworld.com/s/article/916...s?taxonomyId=89

> Dangerous security hole in Opera
Posted by Terryala - 03-8-10 20:17 - 0 comments


Several security experts report a security issue in the Opera web browser. An incorrectly set value in HTTP headers allows attackers to cause a buffer overflow that allows them to execute arbitrary code on a vulnerable system. Secunia has confirmed the hole and says the latest version of Opera, 10.50 for Windows, is affected while other versions may be affected.

Secunia recommends that users only visit trusted sites and do not follow untrusted links. Another option is to use an alternative browser until Opera provides appropriate patches. According to a report in The Register, Opera is in the process of pushing out a patch for the bug, even though it is not sure the flaw can be exploited. Opera says that the bug "primarily causes a crash" and recommends that DEP (Data Execution Prevention) is enabled to mitigate the problem.

http://www.h-online.com/security/news/item...era-948277.html

> Opera says bug probably can't commandeer machines
Posted by TheSentinel - 03-6-10 17:55 - 0 comments
QUOTE
Opera says bug probably can't commandeer machines

By Dan Goodin in San Francisco

Posted in Security, 5th March 2010 21:14 GMT

A security vulnerability identified in Opera can be exploited to crash users' browsers, but probably can't lead to the remote execution of malware, a company spokesman said.

The buffer overflow bug was disclosed by Vupen Security on Thursday, and the report has since been picked up by others, including Secunia and Sans. The advisories have said the vulnerability is critical because it can be exploited to remotely execute malicious code on end user machines.

Vupen officials didn't respond to emails seeking details. But Opera isn't so sure

More:
http://www.theregister.co.uk/2010/03/05/opera_vulnerability/

> Canadian firm helps disable massive botnet
Posted by TheSentinel - 03-6-10 17:15 - 0 comments
QUOTE
Canadian firm helps disable massive botnet
Spanish civil guard Jose Antonio Berocal, in charge of cybercrime, at a news conference in Madrid on Wed., March 3.

Three charged with running global Web ring that infected more than 15 million computers, including federal and banking systems

Omar El Akkad

From Thursday's Globe and Mail Published on Wednesday, Mar. 03, 2010 8:41PM EST Last updated on Friday, Mar. 05, 2010 3:12AM EST

A Canadian company has helped dismantle a massive computer-infiltration ring that infected more than 15 million computers around the world – including systems within Canadian banks and the federal government.

Spanish police have arrested three people charged with running a botnet – a program that infects and partly takes over victims' computers – that spanned some 190 countries. Not only is the botnet (named Mariposa, Spanish for butterfly) one of the largest of its kind, the software's operators appeared to target government and corporate computers, stealing huge amounts of sensitive data.

“Mariposa really stood out because it was growing at such a rate,” said Chris Davis, founder and CEO of Defence Intelligence, an Ottawa-based information security firm that helped track and ultimately disable Mariposa. “If you run down the list of Fortune 1,000 companies, you're talking about a 65-per-cent infection rate.”

Details:
http://www.theglobeandmail.com/news/techno...article1488838/

> FBI director warns of growing cyber threat
Posted by TheSentinel - 03-6-10 17:13 - 2 comments
QUOTE
FBI director warns of growing cyber threat
Robert Mueller

San Francisco — Reuters Published on Friday, Mar. 05, 2010 8:46AM EST Last updated on Friday, Mar. 05, 2010 9:08AM EST

Militant groups, foreign states and criminal organizations pose a growing threat to U.S. security as they target government and private computer networks, FBI Director Robert Mueller said on Thursday.

In a speech to an Internet security conference, Mueller said militant groups like al Qaeda had primarily used the Internet to recruit members and plan attacks, but had made clear they also see it as a target.

"Terrorists have shown a clear interest in pursuing hacking skills and they will either train their own recruits or hire outsiders with an eye toward combining physical attacks with cyber attacks," Mueller said.

Details:
http://www.theglobeandmail.com/news/techno...article1490778/

> New exploit technique nullifies major Windows defense
Posted by Terryala - 03-3-10 20:32 - 0 comments

QUOTE
Google engineer posts sample code to show how to bypass DEP in Windows
By Gregg Keizer
March 3, 2010 02:00 PM ET

Computerworld - The disclosure of a new exploit technique that bypasses an important Windows security feature may result in more successful attacks against Microsoft's newer operating systems, researchers said today.

On Monday, Berend-Jan Wever, a Google security software engineer who goes by the moniker "Skylined" when he posts exploit research, published proof-of-concept code that bypasses DEP, or data execution prevention, one of two major security enhancements Microsoft has added to Windows since 2004. The other is ASLR, for address space layout randomization.

DEP prevents malicious code from executing in sections of memory not intended for code execution and is a defense against, among other things, attacks based on buffer overflows. ASLR, meanwhile, randomly shuffles the positions of key memory areas, making it much more difficult for hackers to predict whether their exploit code will actually run.

Microsoft introduced DEP in Windows XP Service Pack 2, the security-oriented refresh launched in 2004, and it debuted ASLR in Windows Vista three years later.

"I am releasing this because I feel it helps explain why ASLR+DEP are not a mitigation to put a lot of faith in, especially on x86 platforms," said Wever in a post to his personal blog on Monday.

Wever should know about Windows: According to his LinkedIn profile, he worked for Microsoft as a security software engineer from 2006 to 2008.

In 2005, Wever helped popularize "heap spraying," a technique that made exploits, especially those against browsers, more efficient. Hackers quickly picked up on heap spraying, and have applied it in several prominent attacks, including one a year ago against a then-unpatched bug in Adobe's Reader.

"This is pretty significant," said David Sancho, a senior threat researcher at Trend Micro, when asked to peg the importance of Wever's demonstration. "This can be used to further enhance exploits, and I expect that we'll start seeing it being used within exploits fairly soon."


Continued

http://www.computerworld.com/s/article/916...e?taxonomyId=89

> Microsoft: Don't press F1 key in Windows XP
Posted by Terryala - 03-2-10 19:29 - 0 comments

QUOTE
Ignore sites that nag to press the Help key, says zero-day bug advisory
By Gregg Keizer
March 1, 2010 08:59 PM ET

Computerworld - Microsoft told Windows XP users today not to press the F1 key when prompted by a Web site, as part of its reaction to an unpatched vulnerability that hackers could exploit to hijack PCs running Internet Explorer (IE).

In a security advisory issued late Monday, Microsoft confirmed the unpatched bug in VBScript that Polish researcher Maurycy Prodeus had revealed Friday, offered more information on the flaw and provided some advice on how to protect PCs until a patch shipped.

"The vulnerability exists in the way that VBScript interacts with Windows Help files when using Internet Explorer," read the advisory. "If a malicious Web site displayed a specially crafted dialog box and a user pressed the F1 key, arbitrary code could be executed in the security context of the currently logged-on user."

Last week, Prodeus called the bug a "logic flaw," and said attackers could exploit it by feeding users malicious code disguised as a Windows help file -- such files have a ".hlp" extension -- then convincing them to press the F1 key when a pop-up appeared. He rated the vulnerability as "medium" because of the required user interaction.

Windows 2000, Windows XP and Windows Server 2003 are impacted by the bug, said Microsoft, and any supported versions of Internet Explorer (IE) on those operating systems -- including IE6 on Windows XP -- could be leveraged by attackers. Previously, Prodeus had said that users running IE7 and IE8 were at risk, but had not called out IE6.

Until a patch is ready, users can protect themselves by not pressing the F1 key if a Web site tells them to, said Microsoft.

"As an interim workaround, users are advised to avoid pressing F1 on dialogs presented from Web pages or other Internet content," said David Ross with the Microsoft Security Response Center (MSRC) engineering staff in a blog entry on Monday.

"The prompt can appear repeatedly when dismissed, nagging the user to press the F1 key," Ross added.

The security advisory made the same recommendation: "Our analysis shows that if users do not press the F1 key on their keyboard, the vulnerability cannot be exploited."

Users can also stymie attacks by disabling Windows Help. The advisory explained how to enter a one-line command at a Windows command-line prompt to lock down the Help system.

The company took Prodeus to task for taking the bug public, something it regularly does when researchers disclose a vulnerability or post sample attack code before a patch is available.

"Microsoft is concerned that this vulnerability was not responsibly disclosed, potentially putting customers at risk," said Jerry Bryant, a senior manager with the MSRC, in an e-mail. By Prodeus' account, he notified Microsoft of the flaw Feb. 1, about four weeks before publishing his findings.

Microsoft has not set a timeline for a fix, saying only that, "Microsoft will take the appropriate action to help protect our customers." The next scheduled security patch date for the company is March 9.

Although it does not rate the severity of vulnerabilities in its advisories, Microsoft noted that hackers exploiting the VBScript flaw using Windows Help and Internet Explorer could grab complete control of a Windows system.

Customers running Windows Vista, Windows Server 2008, Windows 7 or Windows Server 2008 R2 are safe from such attacks, Microsoft said.


http://www.computerworld.com/s/article/916...P?taxonomyId=82

Time is now: 12th March 2010 - 04:24 PM