Monday, August 24, 2009

Monday 08/24/09

August 2009 Security Bulletin Webcast Video and Customer Q and A

It is apparent that there is still a bit of confusion around the Active Template Library (ATL) issue and how current updates relate to work we have already done to provide mitigations, protections and guidance to customers. To try and provide some clarity:

Security Advisory 972890: This advisory was released in response to active attacks against the Microsoft Video ActiveX Control in order to provide guidance and mitigations (including a Microsoft Fix it solution) to customers while we worked towards an update for the underlying issue.

MS09-032 – Cumulative Update of ActiveX Kill Bits (973346): This bulletin provided an official kill bit update to replace the Microsoft Fix it solution provided by Security Advisory 972890. The update addresses additional kill bits and is also available through Microsoft update technologies such as Windows Update, Microsoft Update, and Windows Software Update Services (WSUS). This kill bit blocked the ability to instantiate the Microsoft Video ActiveX Control in Internet Explorer to mitigate against known attacks.

MS09-034 – Cumulative Security Update for Internet Explorer (972260): This bulletin provided a defense-in-depth update that helps mitigate known attack vectors within Internet Explorer. To be clear, Internet Explorer is not vulnerable to these attacks but the vulnerable components can be reached through Internet Explorer. Installing this update mitigates that threat.

MS09-035 – Vulnerabilities in Visual Studio Active Template Library Could Allow Remote Code Execution (969706): This update is specifically geared towards developers of components and controls who use ATL. The update addresses the underlying issue in our Visual Studio development tools. Developers who use ATL should install this update and recompile their components and controls following the guidance in this MSDN article.

MS09-037 – Vulnerabilities in Microsoft Active Template Library (ATL) Could Allow Remote Code Execution (973908): This bulletin provides updates for vulnerable components and controls that shipped with Windows products. These are Microsoft components and controls that were built using ATL. Among the updates in this bulletin is a binary level update that addresses the vulnerability in the Microsoft Video ActiveX Control that has seen some active attacks. So we previously released a kill bit update to provide immediate protection for customers and are addressing the underlying vulnerability with this update.

Security Advisory 973882: This advisory provides information on our ongoing investigation into the ATL issue and serves as a single source for all related information.

To be even clearer, not every ActiveX control is vulnerable and we have an ongoing investigation into this issue. We will continue to provide updates via Security Advisory 973882 and Security Bulletins as necessary.

----------

Malware Writers: Will That Be OS X, or W?
Security researchers increasingly are finding that sites designed to trick the visitor into installing malicious software will serve different malware depending on whether the visitor arrives at the page using a Microsoft Windows PC or a Mac.

Trend Micro researcher Ivan Macalintal recently found a new variant of the dreaded DNS changer Trojan that checks to see which operating system the visitor's Web browser appears to be riding on, and then offers the appropriate Windows- or Mac-based installer. The malware was masquerading as a pirated version of Foxit Reader and several anti-virus applications.

This follows a similar finding last month by McAfee, which spotted the same tactic being used at sites that try to trick the user into installing a browser plug-in supposedly needed to view online videos: The bogus plug-in was offered as a ".exe" file for Windows visitors, and a ".dmg" installer file for those who browsed the site with a Mac.

Meanwhile, Symantec warned last week that it had detected several blogs that were advertising free, streaming online copies of movies that were just released in the theaters. The lure is once again a fake video plug-in, followed by either a Mac- or Windows-based version of the DNS Changer Trojan.

----------

Virus infects development environment
Anti-virus software vendor Kaspersky has discovered a new type of virus which infects and compromises systems running the Delphi development environment.

----------

Radisson Hotels report significant data breach
Ryan Naraine: In an open letter to guests, Radisson chief operating officer Fredrik Korallus said the hotel chain's computer system was hacked between November 2008 and May 2009 and customer data, including credit and debit card numbers, was stolen.

----------

Swedish Court Gets The Pirate Bay Taken Down
When the original ruling came out against The Pirate Bay's founders, one odd part was that there was no injunction forcing the site to stop doing anything. The entertainment industry quickly filed for one -- which seemed a bit odd, considering that the case was under appeal. The latest, however, is that a judge has ordered one of the main ISPs servicing The Pirate Bay to stop, making the site largely inaccessible. In the meantime, the gov't agency that was responsible for getting the founders to pay up has basically found that they can't find any money to collect, which aligns with what the four guys have been saying all along (that they don't own the site and don't make money from it).

----------

Just wondering who represents these guys:

Retired Football Players File Class Action Against NFL
By TIM HULL
(CN) - Retired NFL players filed a federal class action against the league in Minneapolis, saying the NFL profits from the reputations they made before the era of multimillion-dollar salaries, while paying nothing to the retirees, many of whom are permanently injured. The six named plaintiffs include Hall-of-Famer Elvin Bethea and quarterback Dan Pastorini.

----------

Researcher details Facebook CSRF flaw
Dan Kaplan August 21, 2009
Facebook has closed a hole that enabled an attacker to retrieve personal information of users without their interacting with the site.

----------

Identity fraud ring busted in New York
Chuck Miller August 24, 2009
Members of an alleged fraud ring have been arraigned in New York, charged with stealing identities and obtaining $22 million of wireless phone equipment and services.

----------

Swiss privacy commissioner says "nein" to Google Street View
August 24, 4:04 a.m. UTC - by Eric Bangeman Posted in: Law & Disorder
Google launched Street View in Switzerland last week, and the Swiss Privacy Commissioner isn't satisfied that it will safeguard the privacy of Swiss citizens.

----------

Is Your PC Bot-Infested? Here's How to Tell
As fireworks boomed on the Fourth of July, thousands of compromised computers attacked U.S. government Web sites. A botnet of more than 200,000 computers, infected with a strain of 2004's MyDoom virus, attempted to deny legitimate access to sites such as those of the Federal Trade Commission and the White House. The assault was a bold reminder that botnets continue to be a massive problem.

----------

The Art of Creating Strong Passwords

----------

U.S. Says SQL Injection Caused Major Breaches

----------

Court shuts down sites promising free government grants

----------

Lawsuit seeks to pry information from banks on account breaches

----------

Could Google be tricked into talking to botnets?

----------
