• http://www.opera.com/docs/changelogs/windows/1054/

Apple Quietly Includes Anti-Malware in latest OS X update While Apple products have had a reputation for eluding malware and virus threats, time might be catching up with them. Apple quietly added some Anti-Malware functionality to the latest update for Mac OS X 10.6.4. This is a proactive move by Apple to help maintain their reputation in being safe from malware.

• http://www.notebooks.com/2010/06/21/apple-alters-mac-os-x-malware-protection/
• http://www.sophos.com/blogs/gc/g/2010/06/18/apple-secretly-updates-mac-malware-protection/
• http://www.9to5mac.com/apples_secret_security_patch

Week In Review for June 14 – June 20, 2010 AlertCon Lowered For MS Windows Help Alert The Threat Level, raised to AlertCon 2 to draw awareness to the Microsoft Windows Help Center Protocol Handler vulnerability, has been lowered to AlertCon 1. Although exploitation continues, our analysts are seeing minimal traffic associated with that vulnerability. We assert that vigilance should be maintained and advise continued monitoring for attacks that exploit this weaknesses.

• http://xforce.iss.net/XpuDetails.do?xpu=75&ver=XPU%2030.061
•  http://www.iss.net/security_center/reference/vuln/HTML_MS_HelpCenter_CMD_Exec.htm
• http://www.sophos.com/blogs/sophoslabs/?p=10045
• http://www.sophos.com/blogs/gc/g/2010/06/15/tavis-ormandy-pleased-website-exploits-microsoft-zeroday/
•  http://www.microsoft.com/technet/security/advisory/2219475.mspx
•  http://blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-disclosure.aspx
•  http://blogs.technet.com/b/srd/archive/2010/06/10/help-and-support-center-vulnerability-full-disclosure-posting.aspx
•  http://seclists.org/fulldisclosure/2010/Jun/205
• https://www.metasploit.com/redmine/projects/framework/repository/revisions/9483/entry/modules/exploits/windows/browser/ms10_xxx_helpctr_xss_cmd_exec.rb

Sophisticated Flash Player Attack in Circulation IBM X-Force has received a report of a sophisticated attack occurring in the wild targeting a vulnerability in Flash Player (CVE-2010-1297). This issue was disclosed earlier this month and the current attack involves placing a specially-crafted Flash file within a PDF file. The IBM signature PDF_Swf_Detected is detecting this attack. As a conservative measure, customers may want to set this signature to blocking. While this change may also block legitimate traffic, this type of traffic (a Flash file embedded in a PDF file) is not commonly seen.

Apple iTunes 9.2 Released, Addresses Several Security Issues Apple has released iTunes 9.2 in preparation for the release of iPhone 4 next week. This updated release also addresses three security issues all of which have the potential to be exploited to allow arbitrary code execution. This update is available through Apple’s website or through the update tool provided in iTunes itself.

• http://support.apple.com/kb/HT4220

Remote Root Level Vulnerability Found in Samba The Samba team has announced a new memory vulnerability that allows remote root level access. This only impacts older versions of Samba (Versions 3.0.x – 3.3.12), with versions higher then 3.4.0 not being vulnerable. We are advising customers using Samba to verify which version(s) are in production and updating accordingly.

http://www.samba.org/samba/security/CVE-2010-2063

New IBM XPU Addresses Latest MS Vulnerability (CVE-2010-1885) IBM has released an XPU and a Protection Alert to address the Microsoft Windows Help Center vulnerability that currently has the AlertCon raised to Level 2. Due to the ease of exploitability we urge customers to upgrade to this XPU as soon as possible to detect this latest threat.

• https://portal.mss.iss.net/mss/xftas/alertAdvisory/details.mss?alertAdvisoryId=3407
•  http://xforce.iss.net/XpuDetails.do?xpu=75&ver=XPU%2030.061
•  http://www.iss.net/security_center/reference/vuln/HTML_MS_HelpCenter_CMD_Exec.htm

Writeups on Facebook Password Reset Spam Spammers are starting to leverage the pervasiveness of social networking and social media forums. There have been several writeups on the use of spam in the form of e-mails that look like they are coming from Facebook notifying users to reset their passwords. Links in these emails often contain malware in various forms. The best defense comes in the form of user education and the use of updated Anti-Virus/Anti-Malware software.

• http://www.sophos.com/blogs/gc/g/2010/06/15/reset-facebook-password-spam-promotes-pharmacy-websites/
•  http://www.zdnet.com/blog/security/facebook-password-reset-spam-is-bredolab-botnet-attack/4724
•  http://www.pcworld.com/businesscenter/article/191847/facebook_users_targeted_in_massive_spam_run.html

 Apple Releases Security Update Bundle for Mac OS X 10.6 Apple has released a security update for Mac OS X 10.6 that addresses 23 separate vulnerabilities, many of which allow remote execution capability. This update is available through the Apple Downloads site or through the Software Update tool. PLEASE NOTE: This update includes an older version of Adobe’s Flash Player that has some security vulnerabilities. If users have already upgraded to the latest version, then the older version will not be installed. We encourage customers running on this platform to apply these updates and verify their version of Adobe Flash Players soon as possible.

http://support.apple.com/kb/HT4188

http://support.apple.com/downloads/

 http://blogs.adobe.com/psirt/2010/06/apple_security_update_2010-004.html

 PHP 0day Vulnerability A presentation at the SyScan conference has made a PHP vulnerability public that allows remote attackers to execute arbitrary code via unserialized user input. Few details are currently available outside of the conference presentation. The PHP vulnerability is currently unpatched. We will continue investigating and provide more information as it becomes available.

http://twitter.com/i0n1c/status/16447867829

https://bugzilla.redhat.com/show_bug.cgi?id=605641

US Supreme Court Rules on Employer/Employee privacy case In a case where a local police department searched an employee’s text messages, the court ruled that the employee’s work provided phone and the data associated with it did not have an expectation to privacy. The unanimous ruling provides some clarity on the issue of privacy in the workplace with regards to electronic communications. We advise customers to review their corporate policies with legal counsel to verify their privacy statements are current with this ruling. http://www.latimes.com/news/nationworld/nation/la-na-court-worker-texting-20100618,0,7772406.story http://www.infolawgroup.com/2010/06/articles/workplace-privacy/quon-us-supreme-court-rules-against-privacy-on-employerissued-devices/

Mobile Malware
Reports have surfaced this week indicating that Samsung’s S8500 Wave handsets were shipped with a malware-infected microSD card. Reportedly, some German models of this device are affected. Once the device is connected to the computer, it automatically installs a Trojan using a file called “slmvsrv.exe.”

While this is an example of a mobile device being shipped with malware, there are ways that attackers can utilize different functionality to distribute their malware. For instance, the Multimedia Message Service (MMS) can be used as a vector for sending malware to unsuspecting victims. Many mobile phones and PDAs available today are capable of communicating via Bluetooth, a protocol designed for short range communication between electronic devices. Simple social engineering attacks have effectively convinced Bluetooth users to pair their devices with complete strangers, giving them unrestricted access to data on the victim’s phone. Additionally, many modern mobile phones and PDAs now run robust, feature-rich operating systems and offer the same or similar applications as PCs. Individuals increasingly use them to store personal data and conduct financial transactions which gives attackers more incentive to find and exploit vulnerabilities in the software.

Several major security vendors now provide security applications and anti-virus software for mobile users. Cellular service providers also offer some protection to their customers automatically by scanning for specific types of malicious code as data traverses the network. Bluetooth should be disabled while not in use and should never respond to unsolicited connection attempts. Although the level of mobile attacks is currently relatively low, it is still important for organizations to be aware of the potential threat.
http://www.engadget.com/2010/06/02/samsung-wave-shipping-with-infected-microsd-card/
http://www.f-secure.com/weblog/archives/00001959.html

The issue appears to affect all major browsers, though results vary between browsers and operating systems. The remediation for this issue would be to completely disable Javascript in the browser. The Raff demo is notable in that it can work against Firefox, even with the popular Noscript add-on installed. We do suggest readers familiarize themselves with this issue.
http://krebsonsecurity.com/2010/05/devious-new-phishing-tactic-targets-tabs/
http://avivraff.com/research/phish/article.php?406707075

Wardriving and Open Wireless Networks
Stories about the number of unprotected wireless networks used to be common place but it has been some years now since WPA and then WPA2 have become prevalent. WPA2 is relatively easy to setup and provides a good level of encryption and authentication. So, we were somewhat surprised to read the results of a wardriving exercise conducted by the state police in various regional centers across Queensland, Australia. The results have led to the police estimating that some fifty percent of the wireless internet connections in Queensland of having no or minimal security settings enabled, no password, or still have the default password on their wireless device. Perhaps more disturbing is a comment from Detective Superintendent Brian Hay of the Queensland state police, “We know that the crooks are out there, scanning the environment and identifying these vulnerable networks, plotting them and then selling the information.”

Open wireless systems present many dangers and while we consider the results of the wardriving exercise would reflect largely on domestic wireless systems, these same systems may well be used by corporate employees when working from home. While we would expect most remote access systems to be encrypted or utilize a VPN for access, corporate resources or information might still be exposed. We suggest that at the business level, staff are made aware of the dangers of using open wireless systems and we urge all people who have wireless access points in their homes or businesses to verify that their systems are configured to operate in a secure manner.
http://www.couriermail.com.au/news/technology/half-of-wireless-networks-unsecured-in-queensland/story-e6frep1o-1225870268562

http://www.microsoft.com/technet/security/bulletin/MS10-024.mspx

2. Microsoft DirectShow Remote Code Execution (MS10-026 CVE-2010-0480)
Microsoft Windows is vulnerable to a stack-based buffer overflow, caused by improper bounds checking by the MPEG Layer-3 audio codecs when handling malicious files. The vulnerable MPEG Layer-3 audio codecs are the MPEG Layer-3 Audio Codec for Microsoft DirectShow. Successful exploitation of this issue would provide an attacker with complete control over the endpoint target. The use of malicious media files like images and movies has been prevalent in the past years.

http://www.microsoft.com/technet/security/bulletin/MS10-026.mspx

Adobe Reader and Acrobat Security Update
Adobe has addressed multiple critical vulnerabilities affecting Adobe Reader 9.3.1 (and earlier versions) for Windows, Macintosh, and UNIX, Adobe Acrobat 9.3.1 (and earlier versions) for Windows and Macintosh, and Adobe Reader 8.2.1 (and earlier versions) and Adobe Acrobat 8.2.1 (and earlier versions) for Windows and Macintosh. The most severe of these issues could allow a remote attacker to execute arbitrary code on a vulnerable system. Refer to the “Solution” section of the Adobe Security Bulletin for information on remediating these issues.
http://www.adobe.com/support/security/bulletins/apsb10-09.html

Microsoft April 2010 Security Release
Microsoft released eleven security bulletins today. There are five rated Critical, five rated Important and one rated Moderate. We encourage our customers to apply the patches and IBM product coverage where applicable. Please, review the break-down below.
http://www.microsoft.com/technet/security/bulletin/ms10-apr.mspx

Microsoft Maximum Severity Rating: Critical
Microsoft Security Bulletin MS10-019: Vulnerabilities in Windows Could Allow Remote Code Execution (981210)
Vulnerabilities in Windows Authenticode Verification could allow a remote attacker execute arbitrary code on a vulnerable system.
CVE-2010-0486
CVE-2010-0487
http://www.microsoft.com/technet/security/bulletin/ms10-019.mspx

Microsoft Security Bulletin MS10-020: Vulnerabilities in SMB Client Could Allow Remote Code Execution (980232)
Multiple vulnerabilities affecting Microsoft Windows could allow remote code execution. Successful exploitation can occur if an attacker can convince a user to initiate an SMB connection to a specially crafted SMB server.
CVE-2009-3676
CVE-2010-0269
CVE-2010-0270
CVE-2010-0476
CVE-2010-0477
http://www.microsoft.com/technet/security/bulletin/ms10-020.mspx

Microsoft Security Bulletin MS10-025: Vulnerability in Microsoft Windows Media Services Could Allow Remote Code Execution (980858)
A remote code execution vulnerability affects Windows Media Services running on Microsoft Windows 2000 Server. The Windows Media Unicast Service fails to properly handle specially crafted transport information packets. On Microsoft Windows 2000 Server Service Pack 4, Windows Media Services is an optional component and is not installed by default.
CVE-2010-0478
http://www.microsoft.com/technet/security/bulletin/ms10-025.mspx

Microsoft Security Bulletin MS10-026: Vulnerability in Microsoft MPEG Layer-3 Codecs Could Allow Remote Code Execution (977816)
2. Microsoft DirectShow Remote Code Execution (MS10-026 CVE-2010-0480)
http://www.microsoft.com/technet/security/bulletin/ms10-026.mspx

Microsoft Security Bulletin MS10-027: Vulnerability in Windows Media Player Could Allow Remote Code Execution (979402)
The Windows Media Player ActiveX control is affected by a remote code execution vulnerability.
CVE-2010-0268
http://www.microsoft.com/technet/security/bulletin/ms10-027.mspx

Microsoft Maximum Severity Rating: Important
Microsoft Security Bulletin MS10-021: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (979683)
This bulletin addresses two vulnerabilities in Microsoft Windows, the most severe of which could allow elevation of privilege. In order to exploit these vulnerabilities, an attacker must have valid logon credentials and be able to log on locally.
CVE-2010-0236
CVE-2010-0237
http://www.microsoft.com/technet/security/bulletin/ms10-021.mspx

Microsoft Security Bulletin MS10-022: Vulnerability in VBScript Scripting Engine Could Allow Remote Code Execution (981169)
A vulnerability affecting VBScript on Microsoft Windows could allow remote code execution. This vulnerability requires user interaction and cannot be exploited on Windows Vista, Windows Server 2008, Windows 7, or Windows Server 2008 R2.
CVE-2010-0483
http://www.microsoft.com/technet/security/bulletin/ms10-022.mspx

Microsoft Security Bulletin MS10-023: Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution (981160)
Microsoft Office Publisher is vulnerable to a remote code execution issue. An attacker could exploit this issue by creating a specially crafted Publisher file and sending it in an email or hosting it on a Web site.
CVE-2010-0479; IBM Product Coverage: CompoundFile_Shellcode_Detected
http://www.microsoft.com/technet/security/bulletin/ms10-023.mspx

Microsoft Security Bulletin MS10-024: Vulnerabilities in Microsoft Exchange and Windows SMTP Service Could Allow Denial of Service (981832)
1. Denial of Service Conditions in Microsoft Exchange and Microsoft SMTP Service
http://www.microsoft.com/technet/security/bulletin/ms10-024.mspx

Microsoft Security Bulletin MS10-028: Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (980094)
Vulnerabilities in Microsoft Office Visio could allow remote code execution if a user opens a specially crafted Visio file.
CVE-2010-0254; IBM Product Coverage: CompoundFile_Shellcode_Detected
CVE-2010-0256; IBM Product Coverage: CompoundFile_Shellcode_Detected
http://www.microsoft.com/technet/security/bulletin/ms10-028.mspx

Microsoft Maximum Severity Rating: Moderate
Microsoft Security Bulletin MS10-029: Vulnerability in Windows ISATAP Component Could Allow Spoofing (978338)
A spoofing vulnerability exists in the Microsoft Windows IPv6 stack which could allow an attacker to impersonate an address to bypass edge or host firewalls. CVE-2010-0812
http://www.microsoft.com/technet/security/bulletin/ms10-029.mspx

http://www.metasploit.com/redmine/projects/framework/repository/revisions/9018/entry/modules/exploits/windows/browser/ms10_018_ie_tabular_activex.rb

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02048471

http://secunia.com/advisories/39003/

Spamassassin Milter Plugin Remote Root Exploit
An exploit has been published to the mailing list “Full Disclosure” for a 0-day attack against the Spamassassin Milter Plugin. Spamassassin is a popular OpenSource spam filtering system. Successful exploitation results in remote root access to vulnerable systems. A preliminary patch for the flaw has been published to the project site. Mitigation recommendations include not running the milter (mail filter) plugin as root and not using the -x option. Users should implement the mitigations and patch vulnerable systems as soon as possible. Upgrades should be preformed as soon as official updates are made available.

http://isc.sans.org/diary.html?storyid=8434

http://www.securityfocus.com/bid/38578/info

http://seclists.org/fulldisclosure/2010/Mar/140

http://savannah.nongnu.org/bugs/index.php?29136

Proof of concept code exploiting a vulnerability (CVE-2010-0425) in the Apache HTTP server version 2.2.14, mod_isapi, was published to a well known Web site. Notes in the code state that the exploit may need to be run several times to achieve successful spawning of a shell however – a success rate of 70% is reported. Also mentioned in the code is that, if DEP is enabled (Windows platforms) for the Apache process, the result may be a denial of service condition. As CVE-2010-0425 is one of those noted as addressed in the above 2.2.15 release, we again suggest updating as soon as possible.
http://www.exploit-db.com/exploits/11650
http://securityreason.com/wlb_show/WLB-2010030028