WatchGuard Wire

Tuesday, August 11, 2009

Zero Day Vulnerability in Microsoft Office

On 13 July, 2009, we alerted LiveSecurity subscribers about a zero day vulnerability in the Office Web Components ActiveX control that ships with most versions of Microsoft Office.

When we first reported this issue, attackers were already exploiting this serious vulnerability in the wild. We promised to update our alert when Microsoft released a patch to fix this vulnerability. They released those patches today as part of their monthly Patch Day.

In today's security bulletin, Microsoft describes the four Office Web Components (OWC) ActiveX control vulnerabilities in more detail. They warn that these OWC vulnerabilities also affect: Microsoft Internet Security and Acceleration (ISA) Server, Microsoft BizTalk Server, Microsoft Visual Studio .NET, and Microsoft Office Small Business Accounting.

At a high level, the vulnerabilities all involve how the OWC ActiveX control handles memory or system state in certain situations. While the flaws differ technically, they all share the same scope and impact. If an attacker can entice one of your Office users into visiting a specially crafted website, he can exploit this vulnerability to execute code on that user's computer, with that user's privileges. If your user has local administrator privileges, as most Windows users do, the attacker would gain complete control of the user's computer.

With attackers actively exploiting this vulnerability in the wild since 13 July, it poses a significant threat to most Microsoft Office users. You should download, test, and deploy the updates below immediately.

Solution: Microsoft has released patches that correct these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately.

This post was excerpted from the WatchGuard LiveSecurity Alert, Zero Day Vulnerability in Microsoft Office, by Corey Nachreiner, CISSP, August 11th, 2009.

Friday, August 7, 2009

Marines Ban Facebook, MySpace

The U.S. Marine Corps has slapped an immediate ban on the use of social networking sites on its network, warning that sites like Facebook, MySpace and Twitter are a “proven haven for malicious hackers and content.”

The ban, contained in an order issued Monday, will last for a year. It specifically mentions Facebook, Twitter and MySpace although it applies to what is described as “Web-based services that allows communities of people to share common interests.”

A few choice quotes from the Marine Corps order:
“These internet sites in general are a proven haven for malicious actors and content and are particularly high risk due to information exposure, user generated content and targeting by adversaries…”

“The very nature of SNS [social network sites] creates a larger attack and exploitation window, exposes unnecessary information to adversaries and provides an easy conduit for information leakage that puts OPSEC [operational security], COMSEC [communications security], [and] personnel… at an elevated risk of compromise.”

CNN reports that the ban was drawn up in response to a late July warning from U.S. Strategic Command, which told the rest of the military it was considering a Defense Department-wide ban on the Web 2.0 sites, due to network security concerns.

Facebook, MySpace and Twitter have been constant targets for malware attacks that exploit the trusted nature of social networks to lure users into clicking on links to malicious sites.

This post contains excerpts from the CNN article, Marines ban Twitter, Facebook and other sites, by Noah Shachtman, August 4th, 2009, and the ZDNet article, U.S. Marines ban Facebook, MySpace, Twitter, by Ryan Naraine, August 4th, 2009.

Friday, July 31, 2009

Greetings From Stargate

Very similar to the Delta Airlines scam from earlier in the year [Airline Ticket Confirmation Is Trojan], the UPS Delivery Problem scam uses the same delivery method--email.

The email appears to come from a perfectly legitimate address, with exceptions, of course. The one below happened to come from Stargate, no less.

Really. Stargate. I can't make this kind of stuff up.

Here's the email:

From: Leroy Amos [mailto:gulfsljb28@stargate-hb.de]
Sent: Thursday, July 23, 2009 10:31 AM
To: Kevin DeMott
Subject: UPS Delivery problem

Hello!

We failed to deliver the postal package which was sent on the 16th of May in time because the addressee's address is incorrect.

Please print out the invoice copy attached and collect the package at our office.

Your United Parcel Service of America

So, as usual, don't open any attachments included with the message. Don't click on any links embedded in the message. And, although you may yearn to reply with a witty and sarcastic response, resist the urge. When you reply, all you've done is confirm to the maniacal, although eerily methodical, "bots" that yours is indeed a legitimate email address at a legitimate domain, to which they can now--and will--send more spam, trojans, viruses, and malware.

Just delete it.

As always, don't click "yes" before calling DTS.
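The message above has the two tells a mail filter can key on: it names a brand (UPS) that it was not sent from (the sender domain is stargate-hb.de), and it pushes the reader toward an attachment. The following Python is an added example, not the blog's or DTS's own tooling. It parses raw messages with the standard library's email package and scores them on those tells. The brand table, phrase list and thresholds are constructed assumptions, and both sample messages are constructed here: the first is the post's UPS message rebuilt as an RFC 822 message with a stand-in attachment named invoice.zip (the post does not name the real attachment), the second is a benign notification sent from ups.com.

```python
"""Triage heuristic for delivery-notification lures such as the "UPS Delivery
problem" message above. Added example: the brand table, phrase list and both
sample messages are constructed assumptions, not the blog's or DTS's tooling."""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message

# Impersonated brand -> (keywords that name it, domains that legitimately send for it).
# Assumption: a real deployment maintains this list from the brands' published senders.
BRANDS = {
    "ups": (("ups", "united parcel service"), ("ups.com",)),
    "delta": (("delta", "delta airlines"), ("delta.com",)),
}

# Wording typical of the lure quoted in the post.
LURE_PHRASES = (
    "delivery problem",
    "failed to deliver",
    "print out the invoice",
    "collect the package",
)


def sender_domain(msg: Message) -> str:
    """Domain of the From: address, lower-cased ('' when no address is present)."""
    match = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return match.group(1).lower() if match else ""


def plain_text(msg: Message) -> str:
    """Concatenate the text/plain bodies, ignoring attachments."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and not part.get_filename():
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def has_attachment(msg: Message) -> bool:
    """True when any MIME part carries a filename."""
    return any(part.get_filename() for part in msg.walk())


def triage(raw: str) -> list[str]:
    """Return the reasons a raw RFC 822 message looks like a delivery lure."""
    msg = message_from_string(raw)
    domain = sender_domain(msg)
    text = " ".join([msg.get("From", ""), msg.get("Subject", ""), plain_text(msg)]).lower()
    reasons = []
    for brand, (keywords, legit_domains) in BRANDS.items():
        named = any(re.search(rf"\b{re.escape(k)}\b", text) for k in keywords)
        from_brand = any(domain == d or domain.endswith("." + d) for d in legit_domains)
        if named and not from_brand:
            reasons.append(f"brand-mismatch:{brand}:{domain or 'no-sender'}")
    hits = [p for p in LURE_PHRASES if p in text]
    if len(hits) >= 2:
        reasons.append("lure-phrases:" + ";".join(hits))
    if has_attachment(msg):
        reasons.append("attachment")
    return reasons


def is_lure(raw: str) -> bool:
    """A message is treated as a lure when it names a brand it does not send from
    and shows at least one more sign (lure wording or an attachment)."""
    reasons = triage(raw)
    return any(r.startswith("brand-mismatch:") for r in reasons) and len(reasons) >= 2


# Constructed: the post's UPS message rebuilt as a MIME message. The attachment
# (an empty zip named invoice.zip) is a stand-in; the post does not name the real one.
SAMPLE_LURE = """From: Leroy Amos <gulfsljb28@stargate-hb.de>
To: Kevin DeMott
Subject: UPS Delivery problem
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Hello!

We failed to deliver the postal package which was sent on the 16th of May in time because the addressee's address is incorrect.

Please print out the invoice copy attached and collect the package at our office.

Your United Parcel Service of America
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed: a benign notification that names UPS and is sent from ups.com.
SAMPLE_LEGIT = """From: UPS <no-reply@ups.com>
To: Kevin DeMott
Subject: Your package is scheduled for delivery

Your UPS package is scheduled for delivery on Friday. No action is needed.
"""

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        print(label, is_lure(raw), triage(raw))
```

The brand check is deliberately the deciding signal: lure wording alone also appears in genuine carrier mail, but a carrier's name in a message that arrives from an unrelated domain is the pattern the post describes, and an attachment on top of it is what turns a curiosity into something to delete unread.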

Monday, July 27, 2009

Zero Day: Adobe Flash Player and PDF

Severity: Medium

Summary:
This vulnerability affects: Adobe Flash Player version 9 and 10, running on Windows, Mac, and Linux computers.
How an attacker exploits it: By enticing your users into viewing a malicious PDF document (or viewing malicious Flash content).
Impact: An attacker can potentially gain complete control of your computer.
What to do: Adobe plans to patch on July 30 and 31.

Exposure:
Adobe Flash Player is a multimedia player that plugs into your web browser and allows you to view Flash content. While Flash isn't always installed by default, most users install it in order to view certain dynamic web pages.

In a security advisory released today, Adobe describes a critical vulnerability that affects Adobe Flash Player version 9 and 10, running on Windows, Macintosh, and Linux computers.

Adobe released this advisory in response to zero day exploit code that researchers recently discovered attackers using in the wild. The exploit currently circulating arrives as a malicious PDF file. However, the vulnerability actually resides in specially crafted Flash content embedded in that PDF file.

While exploits seen in the wild currently only arrive as malicious PDF files, we assume attackers could also exploit this Flash vulnerability by hosting malicious Flash content.

Adobe's advisory doesn't describe the flaw in much technical detail. If an attacker can lure one of your users into downloading and viewing a malicious PDF file, or into viewing specially crafted Flash content, he could exploit this unspecified vulnerability to potentially execute code on your user's computer, with that user's privileges.

As usual, if your users have local administrator or root privileges, this sort of attack gives the attacker full control of your users' computers.

Since researchers first discovered this vulnerability from attackers exploiting it in the wild, it poses a serious risk to Adobe Flash and Reader users. Some reports even suggest that attackers have hijacked legitimate web sites, and booby-trapped them with this zero day exploit.

Cybercriminals have been e-mailing PDF files with corrupted Flash video clips and hacking into websites to implant them since early July. When activated, these clips enable attackers to quickly install malicious programs on the user's computer.

Criminals typically take control of PCs, turning them into obedient "bots." They can use bot networks to steal data, siphon cash from online financial accounts, spread spam and trigger promotions to sell fake anti-virus programs.

Adobe is scrambling to develop an emergency patch by Friday. The company recently began issuing security patches once a quarter, with the next update scheduled on Sept. 8.

But even that might not solve the problem. Adobe alerts computer users every seven days about software updates that can include security patches, but users often defer installing such updates. Some 43% of the 1,500 cyberattacks identified by security firm F-Secure in the first six months of 2009 were directed at Acrobat Reader, up from nearly 29% last year.

That puts Acrobat Reader ahead of Microsoft Word, targeted in 40% of this year's attacks.

This post contains excerpts from the USAToday article, Hackers may slip through hole found in Adobe, by Byron Acohido, July 27th, 2009, and the Watchguard LiveSecurity article, Malicious PDF Documents Trigger Zero Day Adobe Flash Flaw, by Corey Nachreiner, CISSP, July 23rd, 2009.
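Because the exploit rides in Flash content embedded in a PDF, one defensive stopgap until the patch lands is to hold any PDF that carries Flash at the mail gateway or on the file server. The Python below is an added example, not Adobe's or WatchGuard's tooling: it looks for the structural markers Acrobat 9 uses for Flash in a PDF (a RichMedia annotation, a RichMedia instance of subtype Flash, an embedded file stream, a .swf file name) and for the SWF container magic (FWS or CWS) at the start of each stream. The caveat it handles is that embedded streams are usually FlateDecode-compressed, so a plain byte scan for "CWS" would miss them; the scanner inflates those streams before looking. Both sample PDFs are constructed in the code (no xref table, enough for a scanner but not a viewer), and the indicator set is an assumption about what a triage scanner should check.

```python
"""Scan a PDF for embedded Flash, the carrier of the zero day described above.
Added example, not Adobe's or WatchGuard's tooling; both sample PDFs are
constructed here, and the indicator list is an assumption about what a
triage scanner should look for."""
import re
import zlib

# Structural markers of Flash inside a PDF: Acrobat 9 "RichMedia" annotations,
# the Flash instance type inside them, and embedded file streams.
INDICATORS = {
    "richmedia-annot": re.compile(rb"/Subtype\s*/RichMedia\b"),
    "flash-instance": re.compile(rb"/Subtype\s*/Flash\b"),
    "embedded-file": re.compile(rb"/Type\s*/EmbeddedFile\b"),
}
SWF_NAME = re.compile(rb"/U?F\s*\(([^)]*\.swf)\)", re.IGNORECASE)
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
SWF_MAGIC = (b"FWS", b"CWS")  # uncompressed and zlib-compressed SWF headers


def decoded_streams(pdf: bytes) -> list:
    """Return each stream's bytes, inflating FlateDecode streams so a compressed
    SWF cannot hide from the scan. The stream's dictionary is the text between
    the enclosing object's 'obj' keyword and the 'stream' keyword."""
    out = []
    for m in STREAM.finditer(pdf):
        head = pdf[:m.start()]
        dictionary = head[head.rfind(b" obj"):]
        data = m.group(1)
        if b"/FlateDecode" in dictionary:
            try:
                data = zlib.decompress(data)
            except zlib.error:
                pass  # damaged or non-zlib data: scan the raw bytes instead
        out.append(data)
    return out


def flash_indicators(pdf: bytes) -> list:
    """Sorted list of Flash indicators found in the file or its decoded streams."""
    found = set()
    streams = decoded_streams(pdf)
    for view in [pdf, *streams]:
        for tag, pattern in INDICATORS.items():
            if pattern.search(view):
                found.add(tag)
        for name in SWF_NAME.findall(view):
            found.add("swf-filename:" + name.decode("latin-1"))
    for data in streams:
        if data[:3] in SWF_MAGIC:
            found.add("swf-magic:" + data[:3].decode("ascii"))
    return sorted(found)


def should_quarantine(pdf: bytes) -> bool:
    """Hold any PDF carrying Flash until the patched Flash Player is deployed."""
    return bool(flash_indicators(pdf))


def build_sample_pdf(embed_flash: bool) -> bytes:
    """Construct a minimal PDF. With embed_flash=True it carries a RichMedia
    annotation whose asset is a FlateDecode stream starting with the CWS magic
    (a constructed stand-in for a Flash movie, not a real one)."""
    objs = [
        b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj",
    ]
    if embed_flash:
        swf = zlib.compress(b"CWS\x0a" + b"\x00" * 32)
        objs += [
            b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R] >> endobj",
            b"4 0 obj << /Type /Annot /Subtype /RichMedia /Rect [0 0 100 100] "
            b"/RichMediaContent << /Assets << /Names [(movie.swf) 5 0 R] >> "
            b"/Configurations [6 0 R] >> >> endobj",
            b"5 0 obj << /Type /Filespec /F (movie.swf) /EF << /F 7 0 R >> >> endobj",
            b"6 0 obj << /Type /RichMediaConfiguration /Instances "
            b"[<< /Type /RichMediaInstance /Subtype /Flash /Asset 5 0 R >>] >> endobj",
            b"7 0 obj << /Type /EmbeddedFile /Filter /FlateDecode /Length %d >> stream\n" % len(swf)
            + swf + b"\nendstream endobj",
        ]
    else:
        content = zlib.compress(b"BT /F1 12 Tf 72 720 Td (Hello) Tj ET")
        objs += [
            b"3 0 obj << /Type /Page /Parent 2 0 R /Contents 8 0 R >> endobj",
            b"8 0 obj << /Filter /FlateDecode /Length %d >> stream\n" % len(content)
            + content + b"\nendstream endobj",
        ]
    return b"%PDF-1.7\n" + b"\n".join(objs) + b"\n%EOF\n"


if __name__ == "__main__":
    for flag in (True, False):
        print("flash" if flag else "plain", flash_indicators(build_sample_pdf(flag)))
```

A policy this blunt quarantines every Flash-bearing PDF, including legitimate ones, which is the point for a window in which the only known exploit is Flash-in-PDF and no patch exists: the indicators are cheap to check at a gateway, and the held files can be released once the Adobe updates are deployed.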

Thursday, July 23, 2009

Crouching Java, Hidden Antivirus

Be mindful when you're running your next Java update.

No kidding. If you don't read the “I Agree,” you will breeze right by it, and be quickly rewarded with the installation of McAfee Antivirus. So, if you're like me, and run through a Java update faster than a morning espresso, you're going to miss it.

Here's where you run into trouble. If you already have an antivirus solution installed on your system, installing another one is going to hose you. Antivirus applications are pretty much mutually exclusive--you can have one or another. You can't have both.

If you try to run more than one, it's going to muck up your system's works, but good. Expect symptoms like your system slowing to a crawl, error messages left, right and sideways, and sometimes an unusable brick, because the antivirus applications are engaged in an eternal struggle of good versus evil.

Best bet? Read before you click the "I Agree."

As always, don't click "Yes" before calling DTS!