  • April 02, 2008 - Current Activity

    This is an archived copy of current activity, if you would like to see the most recent version, please click here.

    April 1 - PayPal Phishing Attack
    April 1 - Macrovision InstallShield ActiveX Vulnerability
    April 1 - Internal Revenue Service Scams
    April 1 - Storm Worm Activity Related to April Fools Day
    March 26 - Mozilla Releases Firefox 2.0.0.13
    March 26 - Cisco Releases Security Advisories
    March 26 - Novell eDirectory Vulnerability
    March 26 - VLC Media Player Vulnerability
    March 21 - Microsoft Jet Database Engine Vulnerability
    March 21 - Apple Aperture and iPhoto Vulnerability



    PayPal Phishing Attack

    added April 1, 2008 at 10:22 am

    US-CERT has seen reports of a phishing attack that targets PayPal users. The attack arrives via an unsolicited email message containing an HTML attachment. The message indicates that the attachment is a verification form intended to offer the user protection from fraudulent activity. Users who open the attachment are instructed to enter their email address and PayPal password. This information is then sent to an attacker.

    US-CERT encourages users to do the following to help mitigate the risks:


    Macrovision InstallShield ActiveX Vulnerability

    added April 1, 2008 at 10:21 am

    US-CERT has seen reports of a vulnerability in Macrovision InstallShield. This vulnerability is due to an error in the One-Click Install ActiveX control for InstallScript projects. This ActiveX control is used for loading DLL files. If a user visits a specially crafted website, a maliciously crafted DLL file may be loaded onto the user's system, allowing an attacker to execute arbitrary code.

    US-CERT encourages users to do the following to help mitigate the risks:

    • Review Macrovision Knowledge Base article Q113640 and apply the appropriate hotfix.
    • Set the kill bit for CLSID {53D40FAA-4E21-459f-AA87-E4D97FC3245A}.
    • Disable ActiveX as described in the Securing Your Web Browser document.
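
    The kill-bit step above, as an added example that is not US-CERT's or Macrovision's own code: it sets the kill bit for the listed CLSID in the standard Internet Explorer "ActiveX Compatibility" registry location and reads the value back. Covering the Wow6432Node view for 32-bit Internet Explorer on 64-bit Windows is an assumption of this example, and the function names are hypothetical.

```powershell
# Added example (not US-CERT or Macrovision code). Run from an elevated prompt.
$Clsid   = '{53D40FAA-4E21-459f-AA87-E4D97FC3245A}'  # CLSID named in the entry above
$KillBit = 0x00000400                                 # kill-bit value of "Compatibility Flags"

# Native registry view, plus the 32-bit view that 32-bit Internet Explorer
# reads on 64-bit Windows (assumption: both views should be covered).
$Roots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-CompatFlags {
    param([string]$Key)
    $p = Get-ItemProperty -LiteralPath $Key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    if ($null -eq $p) { return 0 }
    return [int]$p.'Compatibility Flags'
}

function Set-KillBit {
    param([string]$Key)
    if (-not (Test-Path -LiteralPath $Key)) { New-Item -Path $Key -Force | Out-Null }
    # OR the kill bit into any flags already present instead of overwriting them.
    $flags = (Get-CompatFlags $Key) -bor $KillBit
    Set-ItemProperty -LiteralPath $Key -Name 'Compatibility Flags' -Value $flags -Type DWord
}

foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) { continue }   # view absent on this system
    $key = Join-Path $root $Clsid
    Set-KillBit $key
    # Read the value back and report whether the bit is actually set.
    $set = ((Get-CompatFlags $key) -band $KillBit) -eq $KillBit
    '{0} kill bit set: {1}' -f $key, $set
}
```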


    Internal Revenue Service Scams

    added March 31, 2008 at 03:27 pm | updated April 1, 2008 at 10:20 am

    US-CERT is aware of a series of email scams circulating that are related to the United States Internal Revenue Service. Attacks have been observed that use email to convince users to perform the following actions:

    • open an email attachment containing bogus tax documents that are embedded with malicious code
    • follow a link to an unofficial tax website that contains malicious code
    • follow a link to an unofficial tax website that requests personal information from the users as part of a phishing attack
    • call an unofficial phone number that requests personal information from the user as part of a phishing attack

    US-CERT encourages users to do the following to help mitigate the risks:


    Storm Worm Activity Related to April Fools Day

    added April 1, 2008 at 08:29 am

    US-CERT is aware of a recent increase in Storm Worm activity. The latest activity is related to April Fools Day (April 1). This Trojan is spread via unsolicited email messages that attempt to convince users to follow a link to a malicious website. If a user follows this link, the Trojan may attempt to download and install itself on the user's system.

    Currently, this variant of the Storm Worm Trojan is being observed as having the following file names:

    • aromis.exe
    • foolsday.exe
    • funny.exe
    • kickme.exe

    Subject lines can change at any time, but the following are currently being seen:

    • All Fools' Day
    • Doh! All's Fool
    • Doh! April's Fool
    • Gotcha!
    • Gotcha! All Fool!
    • Gotcha! April Fool!
    • Happy All Fool's Day
    • Happy All Fools Day!
    • Happy All Fools!
    • Happy April Fool's Day
    • Happy April Fools Day!
    • Happy Fools Day!
    • I am a Fool for your Love
    • Join the Laugh-A-Lot!
    • Just You
    • One who is sportively imposed upon by others on the first day of April
    • Surprise!
    • Surprise! The joke's on you
    • Today You Can Officially Act Foolish
    • Today's Joke!

    US-CERT encourages users and administrators to do the following to help mitigate the risk:


    Mozilla Releases Firefox 2.0.0.13

    added March 26, 2008 at 08:23 am | updated March 26, 2008 at 02:27 pm

    Mozilla has released Firefox 2.0.0.13. This version addresses multiple vulnerabilities that may allow an attacker to execute arbitrary code, bypass security restrictions, obtain sensitive information, or conduct cross-site scripting or phishing attacks. As described in the Mozilla Foundation Security Advisories, some of these vulnerabilities may also affect Thunderbird and SeaMonkey.

    US-CERT encourages users to do the following to help mitigate the risks:


    Cisco Releases Security Advisories

    added March 26, 2008 at 02:15 pm

    Cisco has released five security advisories to address multiple vulnerabilities in Cisco IOS. These vulnerabilities may allow a remote, unauthenticated attacker to cause a denial-of-service condition on the affected device.

    US-CERT encourages users to review the Cisco Security Advisories and apply the appropriate updates or workarounds.


    Novell eDirectory Vulnerability

    added March 26, 2008 at 08:23 am

    Novell has released Security Vulnerability document 3382120 to address a vulnerability in eDirectory. This vulnerability is caused by improper handling of large LDAP Extended Request messages. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.

    US-CERT encourages users to review Novell document 3382120 and update to eDirectory 8.8.2.


    VLC Media Player Vulnerability

    added March 26, 2008 at 08:23 am

    VLC has released a patch to address an integer overflow vulnerability in VLC Media Player. By convincing a user to open an MP4 file with a specially crafted RDRF atom, a remote attacker may be able to execute arbitrary code.

    For users who compile VLC Media Player from source, VLC has provided a patch to address this issue.

    US-CERT will provide more information as it becomes available.


    Microsoft Jet Database Engine Vulnerability

    added March 21, 2008 at 09:54 pm

    Microsoft has released a Security Advisory to address a vulnerability in Microsoft Jet Database Engine. This vulnerability is due to a buffer overflow condition in msjet40.dll. By convincing a user to open a Word document that is designed to load a specially crafted database file using msjet40.dll, an attacker may be able to execute arbitrary code.

    US-CERT encourages users to review Microsoft Security Advisory 950627 and apply the suggested workarounds.

    US-CERT will provide more information as it becomes available.


    Apple Aperture and iPhoto Vulnerability

    added March 21, 2008 at 10:14 am

    Apple has released Digital Camera RAW Compatibility Update 2.0 to address a vulnerability in Apple Aperture and iPhoto. This vulnerability is due to a boundary error that occurs when processing DNG image files. By convincing a user to open a specially crafted image file, a remote attacker may be able to execute arbitrary code or cause a denial-of-service condition.

    US-CERT encourages users to review Apple knowledgebase article HT1232 and apply any necessary updates.

    US-CERT will provide more information as it becomes available.