December 2008 Archives


Microsoft has just released an out-of-band critical patch for Internet Explorer. Microsoft strongly recommends that all users of its products apply this update to avoid zero-day exploits against their local workstations and Terminal Servers.

Apparently MS08-078 does not replace MS08-073, which was released earlier this month, so if you want to make sure the browser is completely up to date you will need to load MS08-073 as well. If you downloaded the last Windows security update it was probably included, but it never hurts to make sure.


McAfee Avert Labs
- Warns of Microsoft Word documents being sent to users as attachments with embedded ActiveX controls. Once loaded, the control calls a web site hosting the IE7 exploit, which executes without the user even knowing it has happened.

For the time being, even after the update (one never knows), it might be easier to change your Internet security settings to "High" for at least the Internet Zone and then add your trusted sites. For other workarounds, including disabling XML Island functionality and the use of OLEDB32.dll, see:

IE-Security.Setting

MS TECHNET
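The "High" Internet Zone plus trusted-sites workaround described above, as an added PowerShell example that is not part of the original post. It writes the per-user IE zone settings in the registry; the trusted site name is a made-up placeholder, and a machine-wide policy (the Security_HKLM_only setting) can override per-user values.

```powershell
# Added example, not from the original post: set the Internet zone to "High"
# and add a trusted site through the per-user IE zone keys in the registry.
$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ZoneMapKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

# Zone numbers: 1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites.
# CurrentLevel data: 0x12000 = High, 0x11000 = Medium-High, 0x10000 = Medium.
$InternetZone = 3
$LevelHigh    = 0x12000

function Set-InternetZoneHigh {
    # The "High" template disables scripting, ActiveX and other active content
    # for sites that fall into the Internet zone.
    Set-ItemProperty -Path "$ZonesKey\$InternetZone" -Name CurrentLevel -Value $LevelHigh -Type DWord
}

function Add-TrustedSite {
    # A key under ZoneMap\Domains\<domain> with a value named after the scheme;
    # data 2 places that scheme+domain in the Trusted sites zone.
    param([Parameter(Mandatory)][string]$Domain, [string]$Scheme = 'https')
    $key = "$ZoneMapKey\$Domain"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name $Scheme -Value 2 -Type DWord
}

function Test-InternetZoneHigh {
    # Returns $true when the per-user Internet zone level reads back as High.
    # Note: HKLM\...\Internet Settings\Security_HKLM_only = 1 makes IE ignore
    # HKCU zone settings entirely, so verify policy on managed machines.
    $level = (Get-ItemProperty -Path "$ZonesKey\$InternetZone").CurrentLevel
    return ($level -eq $LevelHigh)
}

Set-InternetZoneHigh
Add-TrustedSite -Domain 'intranet.example.com'   # placeholder, not a real site
Test-InternetZoneHigh
```

Run it in the user's own session (the settings are per-user) and restart Internet Explorer for the new zone level to take effect.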


Also See:

Microsoft Bulletin

CVE-2008-4844 - "Use-after-free vulnerability in mshtml.dll in Microsoft Internet Explorer 7 on Windows XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, and Server 2008 allows remote attackers to execute arbitrary code via a crafted XML document containing nested SPAN elements."

Ref: ZDNET 0 Day Blog



The German eMagazine wiwo.de published an article concerning an operation named "gold donkey", in which investigators were able to obtain 1.2 million bank account records and other personal information on German citizens, out of about 21 million accounts that were offered for sale by a black-market information group. The account information is also matched with T-Mobile personal data about the users' bank accounts and T-Mobile phone data: a correlation of bank account PAN, name, address, birthdate, phone numbers, etc. It is suspected the data might have been obtained through outsourced call centers and marketing campaigns run over the years by vendors like Vodafone, German Telekom, Kabel, or even banking institutions.

The magazine goes on to state that today there is not enough uniformity in data protection standards across call center operations. Each enterprise decides for itself which technical safety measures are met and how much money is invested in IT infrastructure to protect against abuse; IT security standards for call center operations have not been regulated by the legislature. It is also suspected that attackers armed with certain information from call centers or marketing databases could have made fake call center calls and obtained bank account information via subscription-renewal scams for Lotto, etc.

Also in Germany this week, Stripes.com (Stars and Stripes) reported that thousands of U.S. Army hospital patient records went missing when a laptop containing the data was lost. The laptop was reported missing on Oct. 4th, and the victims were not notified until Nov. 24th that their data might be compromised. The U.S. Army reports the data on the laptop was encrypted.

Digital organized crime is trying to data-mine as much information as possible about individuals, gathering it or buying stolen information to feed data-mining applications and databases that can correlate disparate information from across the world about who you are: your bank accounts, buying habits, relatives, relationships, present and past residences, where you make your purchases, and even when you are at home.

These correlated databases of your digital and related physical history are extremely valuable, not only to those who may want to anonymously wire-transfer $20.00 out of each of 21 million bank accounts across multiple international jurisdictions, but also to those who want to completely assume your identity and make it their own.

English reference: PC World.


In the beginning of Dec. 2008, Europol (the EU Police Office) held a "High Tech Crime Experts Meeting." The meeting was primarily about an effective approach to fighting cyber-crime at the EU level. Besides the EU member states, delegations attended from Canada, Norway, the Russian Federation, Switzerland, the USA and Turkey, as well as from the European Commission, Eurojust, and Interpol. Europol handles criminal intelligence for cyber-crimes, coordinating investigations across EU member states, in addition to handling terrorism and other serious forms of international organized crime.


Meet Cloud, a new small browser-based operating system for cloud computing: http://www.thinkgos.com/

Available as a free download, it is about 679 MB and will fit and run on a DVD.

Yesterday at the Netbook World Summit in Paris, France, it was announced that gOS would be available on Gigabyte Touch Netbooks: http://officialgosblog.blogspot.com/.

Netbooks, according to Gartner, could reach 50 million units by 2010.

Cloud, for now, will ship alongside Windows, and you switch to Cloud or toggle back and forth. It is integrated with a compressed Linux operating system kernel based on Ubuntu Linux.

With its low-cost operating system, integration with Google, Microsoft, and Yahoo apps, and cool, sleek netbook hardware, you could see a lot of these showing up as end-user laptop replacements next year.

See the new gOS 3 Gadget applications that will ship with netbooks and nettops.

Desinformado has a new review: http://www.desinformado.com/index.php/2008/12/02/new-gos-cloud-operating-system-installation-features-and-more/

I have not had the chance to test drive the new gOS as of yet, but I hope for end users that at least the OS firewall comes enabled by default and there is an antivirus or malware detection built in that has profiled how the OS, applications, and gadgets are supposed to work. If this becomes as popular with end users as OS X or XP/Vista, I am sure that it will come under heavy bombardment. With that, I hope that the OS and application engineers will have this in mind so there are no mass worldwide worm attacks like those we have seen with the other network operating systems introduced to internet computing in the last decade. What do you do when the sky is filled with rain clouds? Bring an umbrella and a trench coat, and hope the wind does not kick up too much.


On Nov. 26th, Computerworld Security published an article on the new variants of the MS08-067 Windows Server Service exploit. The variants, called "Conficker" by Microsoft and "Downadup" by Symantec, have spread outside Asia to the U.S. and other countries: http://www.microsoft.com/security/portalEntry.aspx?Name=Worm%3aWin32%2fConficker.A
The new variants apparently also attempt to connect to several URLs: getmyip.org, getmyip.co.uk and checkip.dyndns.org. Another interesting piece is that the worm has been reported to reset the computer's restore points.

CVE Reference: CVE-2008-4250

Symantec has written some removal procedures on: http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=3

On Nov. 25th, the Microsoft Malware Protection Center also published an update
concerning a backdoor IRC bot that exploits systems that are not updated: http://www.microsoft.com/security/portal/Entry.aspx?Name=Backdoor%3aWin32%2fIRCbot.BH

The trojan connects to a predefined remote IRC server named '0x90.devtech.us'.
The trojan can also send clipboard entries from the infected computer.

Win32/IRCBot.worm.Gen (AhnLab)
Win32/IRCBot!generic (CA)
WIN.IRC.WORM.Virus (Dr.Web)
Exploit-DcomRpc.gen (McAfee)
Mal/IRCBot-B (Sophos)
Purple Exploit (other)

We don't know how many more variants will be released, and as always, we don't always know whether the patch fixes all the issues involved.
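A defender's use of the network indicators in this post, as an added PowerShell example that is not from the original article: it scans proxy-style log lines for internal clients that contacted the IP-check hosts named for Conficker above or the IRC server named in the IRCBot entry. The log lines are constructed sample data, and the log layout (timestamp, client, method, target, status) is an assumption.

```powershell
# Added example, not from the original post: flag internal clients that reached
# the IP-check hosts (Conficker) or the IRC server (IRCBot) named in the post.
$Indicators = @{
    'getmyip.org'        = 'Conficker IP check'
    'getmyip.co.uk'      = 'Conficker IP check'
    'checkip.dyndns.org' = 'Conficker IP check'
    '0x90.devtech.us'    = 'IRCBot IRC server'
}

# Constructed sample proxy log: timestamp client method target status.
$SampleLog = @'
2008-12-02T09:14:01 10.1.4.22 GET http://www.getmyip.org/ 200
2008-12-02T09:14:03 10.1.4.22 GET http://checkip.dyndns.org/ 200
2008-12-02T09:15:10 10.1.4.37 GET http://www.example.com/index.html 200
2008-12-02T09:16:42 10.1.4.58 CONNECT 0x90.devtech.us:6667 200
2008-12-02T09:17:05 10.1.4.22 GET http://getmyip.co.uk/ 200
'@ -split "`n"

function Find-WormIndicators {
    param([string[]]$Lines)
    $hits = @{}
    foreach ($line in $Lines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 4) { continue }
        $client = $f[1]
        # Reduce a URL or a host:port CONNECT target to the bare host name.
        $target = ($f[3] -replace '^[a-z]+://', '') -replace '[/:].*$', ''
        foreach ($ioc in $Indicators.Keys) {
            # Match the host exactly or as a subdomain (e.g. www.getmyip.org).
            if ($target -eq $ioc -or $target.EndsWith(".$ioc")) {
                if (-not $hits.ContainsKey($client)) { $hits[$client] = @() }
                $hits[$client] += "$target ($($Indicators[$ioc]))"
            }
        }
    }
    return $hits
}

$result = Find-WormIndicators -Lines $SampleLog
foreach ($client in ($result.Keys | Sort-Object)) {
    # Several distinct IP-check hosts from one client is the stronger signal;
    # a single lookup can be a legitimate user checking their public address.
    "{0}: {1}" -f $client, ($result[$client] -join ', ')
}
```

Replace $SampleLog with Get-Content on a real proxy or DNS log in the same column order, and treat a hit as a trigger to check the client for the MS08-067 patch and run the Symantec removal procedure linked above.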


Over the weekend Paul Szabo wrote on Full Disclosure (http://archives.neohapsis.com/archives/fulldisclosure/2008-11/) an entry about a group-utmp-to-root escalation vulnerability in /bin/login, with a link to the bug he reported to the Debian bug tracker, #505271 (http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505271). The bug report goes on to demonstrate that writing a suitable utmp entry would trick the login(1) process into changing the ownership of any file on the system. In the bug tracker he asked that this issue be sent to other Linux distributions so the fix could be added to their distributions.
Paul Szabo had been attempting to get this issue addressed since the beginning of the month before publishing it.


© 2010 netForensics, Inc Privacy Policy | Site Map