April 03, 2008 - Current Activity

Microsoft Releases Advance Notification for April Security Bulletin

Microsoft has issued a Security Bulletin Advance Notification indicating that its April release cycle will contain eight bulletins, five of which will have a severity rating of Critical. The notification states that these Critical bulletins are for Microsoft Windows, Office, and Internet Explorer. There will also be three important bulletins for Microsoft Windows and Office. The release is scheduled for Tuesday, April 8.

US-CERT will provide additional information as it becomes available.

Opera 9.27 Released

Opera Software has released Opera 9.27 to address multiple vulnerabilities. These vulnerabilities are cause by errors that occur when the user is prompted to add newsfeeds and by issues in the processing of HTML CANVAS elements. These vulnerabilities could allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users to review Opera knowledgebase advisories 881 and 882 and upgrade to Opera 9.27 to help mitigate the risks.

Apple Releases QuickTime 7.4.5

Apple has released QuickTime 7.4.5 to address multiple vulnerabilities. These vulnerabilities may allow a remote attacker to execute arbitrary code or obtain sensitive information.

US-CERT encourages users to review Apple knowledgebase article HT1241 and upgrade to Quicktime 7.4.5 to help mitigate the risks.

PayPal Phishing Attack

US-CERT has seen reports of a phishing attack that targets PayPal users. The attack arrives via an unsolicited email message containing an HTML attachment. The message indicates that the attachment is a verification form intended to offer the user protection from fraudulent activity. Users who open the attachment are instructed to enter their email address and PayPal password. This information is then sent to an attacker.

US-CERT encourages users to do the following to help mitigate the risks:

• Install anti-virus software and keep virus signatures up to date.
• Do not open unsolicited email messages.
• Refer to the Recognizing and Avoiding Email Scams document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

Macrovision InstallShield ActiveX Vulnerability

US-CERT has seen reports of a vulnerability in Macrovision InstallShield. This vulnerability is due to an error in the One-Click Install ActiveX control for InstallScript projects. This ActiveX control is used for loading DLL files. If a user visits a specially crafted website, a maliciously crafted DLL file may be loaded onto the user's system, allowing an attacker to execute arbitrary code.

US-CERT encourages users to do the following to help mitigate the risks:

• Review Macrovision Knowledge Base article Q113640 and apply the appropriate hotfix.
• Set the kill bit for CLSID {53D40FAA-4E21-459f-AA87-E4D97FC3245A}.
• Disable ActiveX as described in the Securing Your Web Browser document.

Internal Revenue Service Scams

US-CERT is aware of a series of email scams circulating that are related to the United States Internal Revenue Service. Attacks have been observed that use email to convince users to perform the following actions:

• open an email attachment containing bogus tax documents that are embedded with malicious code
  
• follow a link to an unofficial tax website that contains malicious code
  
• follow a link to an unofficial tax website that requests personal information from the users as part of a phishing attack
  
• call an unofficial phone number that requests personal information from the user as part of a phishing attack
  

• Install anti-virus software and keep virus signature files up to date.
• Do not follow unsolicited links.
• Block executable and unknown file types at the email gateway.
• Refer to the Recognizing and Avoiding Email Scams document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.
• Refer to the Internal Revenue Service Suspicious e-Mails and Identity Theft website for more information on current scams.
  

Storm Worm Activity Related to April Fools Day

US-CERT is aware of a recent increase in Storm Worm activity. The latest activity is related to April Fools Day (April 1). This Trojan is spread via unsolicited email messages that attempt to convince users to follow a link to a malicious website. If a user follows this link, the Trojan may attempt to download and install itself on the user's system.

Currently, this variant of the Storm Worm Trojan is being observed as having the following file names:

• aromis.exe
• foolsday.exe
• funny.exe
• kickme.exe

• All Fools' Day
• Doh! All's Fool
• Doh! April's Fool
• Gotcha!
• Gotcha! All Fool!
• Gotcha! April Fool!
• Happy All Fool's Day
• Happy All Fools Day!
• Happy All Fools!
• Happy April Fool's Day
• Happy April Fools Day!
• Happy Fools Day!
• I am a Fool for your Love
• Join the Laugh-A-Lot!
• Just You
• One who is sportively imposed upon by others on the first day of April
• Surprise!
• Surprise! The joke's on you
• Today You Can Officially Act Foolish
• Today's Joke!

• Install anti-virus software and keep virus signature files up-to-date.
• Block executable and unknown file types at the email gateway.
• Do not open unsolicited email.
• Do not follow unsolicited links.
• Refer to the Recognizing and Avoiding Email Scams document for more information on avoiding email scams.
• Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

Mozilla Releases Firefox 2.0.0.13

Mozilla has released Firefox 2.0.0.13. This version addresses multiple vulnerabilities that may allow an attacker to execute arbitrary code, bypass security restrictions, obtain sensitive information, or conduct cross-site scripting or phishing attacks.  As described in the Mozilla Foundation Security Advisories, some of these vulnerabilities may also affect Thunderbird and SeaMonkey.

US-CERT encourages users to do the following to help mitigate the risks:

• Review the Mozilla Foundation Security Advisories.
• Update to Firefox 2.0.0.13.
• Update to SeaMonkey 1.1.9.
• Disable JavaScript in Thunderbird mail until a fixed version is available.
  

Cisco Releases Security Advisories

Cisco has released five security advisories to address multiple vulnerabilities in Cisco IOS. These vulnerabilities may allow a remote, unauthenticated attacker to cause a denial-of-service condition on the affected device.

US-CERT encourages users to review the Cisco Security Advisories and apply the appropriate updates or workarounds.

Novell eDirectory Vulnerability

Novell has released Security Vulnerability document 3382120 to address a vulnerability in eDirectory. This vulnerability is caused by improper handling of large LDAP Extended Request messages. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users to review Novell document 3382120 and update to eDirectory 8.8.2.