April 30, 2009 - Current Activity

Symantec Releases Security Advisories

Symantec has released three security advisories to address multiple vulnerabilities in Symantec Alert Management System, Log Viewer, and Reporting Server. These vulnerabilities may allow an attacker to execute arbitrary code, bypass security mechanisms, or leverage phishing attacks.

US-CERT encourages users and administrators to review the following Symantec Security Advisories and apply any necessary updates or workarounds to help mitigate the risks:

• Symantec Alert Management System 2 Multiple Vulnerabilities
• Symantec Log Viewer JavaScript Injection Vulnerabilities
• Symantec Reporting Server Improper URL Handling Exposure

Adobe Reader and Acrobat JavaScript Vulnerabilities

US-CERT is aware of public reports of two vulnerabilities affecting Adobe Reader and Acrobat. The JavaScript methods customDictionaryOpen() and getAnnots() do not safely handle specially crafted arguments and can be manipulated to execute arbitrary code.

US-CERT encourages users and administrators to disable JavaScript in Adobe Reader to help mitigate the risk:

1. Open the General Preferences dialog box
2. From the Edit menu, select Preferences and then choose JavaScript
   
3. Un-check Enable Acrobat JavaScript

Swine Flu Phishing Attacks and Email Scams

US-CERT is aware of public reports of email scams circulating related to the Swine Flu. The attacks arrive via an unsolicited email message typically containing a subject line related to the Swine Flu. These email messages may contain a link or an attachment. If users click on this link or open the attachment, they may be directed to a phishing website or exposed to malicious code.

US-CERT encourages users to take the following measures to protect themselves:

• Do not follow unsolicited web links or attachments in email messages.
• Maintain up-to-date antivirus software.
• Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

Mozilla Foundation Releases Firefox 3.0.10

Mozilla Foundation has released Firefox 3.0.10 to address a memory corruption vulnerability. Exploitation of this vulnerability may result in a denial-of-service condition.

US-CERT encourages users and administrators to review Mozilla Foundation Security Advisory MFSA 2009-23 and update to Firefox 3.0.10 to help mitigate the risk.

Mozilla Foundation Releases Firefox 3.0.9

Mozilla Foundation has released Firefox 3.0.9 to address multiple vulnerabilities. Exploitation of these vulnerabilities may allow an attacker to execute arbitrary code, leverage additional attacks, or obtain sensitive information. The Mozilla Foundation security advisories indicate that many of these vulnerabilities also affect SeaMonkey and Thunderbird.

US-CERT encourages users and administrators to review the Mozilla Foundation Security Advisories website for more information about the vulnerabilities and upgrade to Firefox 3.0.9 to help mitigate the risks.

Research In Motion Releases Advisory for BlackBerry PDF Distiller Vulnerabilities

Research In Motion has released a security advisory to address multiple vulnerabilities in the PDF distiller of some released versions of the BlackBerry Attachment Service. The advisory lists the affected versions as BlackBerry Enterprise Server 4.1.3 through 4.1.6 and BlackBerry Professional Software 4.1.4.  By convincing a user to view a specially crafted PDF file, an attacker may be able to execute arbitrary code on the system that hosts the Blackberry Attachment Service.

US-CERT encourages users to review BlackBerry security advisory KB17953 and apply any necessary updates.

Additional information is available in the Vulnerability Notes Database.

Oracle Releases Critical Patch Update for April 2009

Oracle has released their Critical Patch Update for April 2009 to address 43 vulnerabilities across several products. This update contains the following security fixes:

• 16 updates for Oracle Database Server
• 12 updates for Oracle Application Server
• 3 updates for Oracle Applications
• 4 updates for Oracle PeopleSoft and JDEdwards Suite
• 8 updates for BEA Products Suite

US Tax Season and Phishing Scams

In the past, US-CERT has received reports of an increased number of phishing scams that take advantage of the United States tax season. Due to the upcoming tax deadline, US-CERT would like to remind users to remain cautious when receiving unsolicited email that could be a potential phishing scam.

Phishing scams may appear as a tax refund, an offer to assist in filing for a refund, or contain details about fake e-file websites. These messages may appear to be from the IRS and directly ask users for personal information. These messages may also contain a link and instruct the user to follow the link to a website that requests personal information or contains malicious code.

US-CERT encourages users to take the following measures to protect themselves from this type of phishing scam:

• Do not follow unsolicited web links in email messages.
• Maintain up-to-date antivirus software.
• Refer to the IRS website related to phishing, email, and bogus website scams for scam samples and reporting information.
• Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

Microsoft Releases April Security Bulletin Summary

Microsoft has released updates to address vulnerabilities in Microsoft Windows, Office, Internet Explorer, and Forefront Edge Security as part of the Microsoft Security Bulletin Summary for April 2009. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or operate with escalated privileges.

US-CERT encourages users and administrators to review the bulletins and follow best-practice security policies to determine which updates should be applied.

Conficker Worm Targets Microsoft Windows Systems

UPDATE: Researchers have discovered a new variant of the Conficker Worm on April 9, 2009. This variant updates earlier infections via its peer to peer (P2P) network as well as resuming scan-and-infect activity against unpatched systems. Public reporting indicates that this variant attempts to download additional malicious code onto victim systems, possibly including copies of the Waledac Trojan, a spam-oriented malicious application which has previously propagated only via bogus email messages containing malicious links.

US-CERT is aware of public reports indicating a widespread infection of the Conficker/Downadup worm, which can infect a Microsoft Windows system from a thumb drive, a network share, or directly across a corporate network, if the network servers are not patched with the MS08-067 patch from Microsoft.

Home users can apply a simple test for the presence of a Conficker/Downadup infection on their home computers. The presence of a Conficker/Downadup infection may be detected if a user is unable to surf to their security solution website or if they are unable to connect to the websites, by downloading detection/removal tools available free from those sites:

http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp_link_conficker_worm
http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx
http://www.mcafee.com

If a user is unable to reach any of these websites, it may indicate a Conficker/Downadup infection. The most recent variant of Conficker/Downadup interferes with queries for these sites, preventing a user from visiting them. If a Conficker/Downadup infection is suspected, the system or computer should be removed from the network or unplugged from the Internet - in the case for home users.

Instructions, support and more information on how to manually remove a Conficker/Downadup infection from a system have been published by major security vendors. Please see below for a few of those sites. Each of these vendors offers free tools that can verify the presence of a Conficker/Downadup infection and remove the worm:

Symantec:

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99

Microsoft:

http://support.microsoft.com/kb/962007

http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

Microsoft PC Safety hotline at 1-866-PCSAFETY, for assistance.

UPDATED: US-CERT encourages users to take the following preventative measures to help prevent a Conficker/Downadup infection:

• Ensure all systems have the MS08-067 patch.
• Disable AutoRun functionality. See US-CERT Technical Cyber Security Alert TA09-020A.
• Maintain up-to-date antivirus software.
• Do not follow unsolicited links and do not open unsolicited email messages.
• Use caution when visiting untrusted websites.
• Use caution when downloading and installing applications.
• Obtain software applications and updates directly from the vendor's website.
• Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.