
  • Latest Current Activity
  • March 19, 2009 - Current Activity

    This is an archived copy of current activity. If you would like to see the most recent version, please click here.

    March 18 - Adobe Releases Security Bulletin
    March 18 - Autonomy KeyView SDK Vulnerability
    March 17 - Waledac Trojan Horse Spam Campaign Circulating
    March 11 - Adobe Releases Security Updates for Reader 9 and Acrobat 9
    March 10 - New Attack Vectors for Adobe JBIG2 Vulnerability
    March 10 - Microsoft Releases March Security Bulletin Summary
    March 5 - Economic Stimulus Email and Website Scams
    March 5 - Microsoft Releases Advanced Notification for March Security Bulletin
    March 5 - Mozilla Foundation Releases Firefox 3.0.7
    March 4 - Malicious Code Targeting Social Networking Site Users



    Adobe Releases Security Bulletin

    added March 18, 2009 at 04:39 pm

    Adobe has released security bulletin APSB09-04 to address multiple vulnerabilities, one of which is the JBIG2 vulnerability originally addressed in security advisory APSA09-01 and security bulletin APSB09-03. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

    US-CERT encourages users to review Adobe security bulletin APSB09-04 and apply any necessary updates. Additional information regarding the JBIG2 vulnerability can be found in the Vulnerability Notes Database.


    Autonomy KeyView SDK Vulnerability

    added March 18, 2009 at 09:13 am

    US-CERT is aware of reports of a vulnerability that affects the Autonomy KeyView SDK wp6sr.dll library. This library is used by certain products, including Lotus Notes and Symantec, to support the handling of Word Perfect documents. By convincing a user to open a specially crafted Word Perfect document with an application using the affected Autonomy KeyView SDK library, a remote attacker may be able to execute arbitrary code.

    US-CERT encourages users and administrators to do the following to help mitigate the risks:


    Waledac Trojan Horse Spam Campaign Circulating

    added March 17, 2009 at 09:08 am

    US-CERT is aware of public reports of malicious code circulating via spam email messages related to bogus terror attacks in the recipient's local area. These messages use subject lines implying that a fatal bomb attack has occurred near the recipient and contain a link to "breaking news." Users who click on the link will be taken to a site posing as a Reuters news article that contains a bogus news story about the fatal bomb attack. The systems serving the bogus news story check a visiting user's IP address to obtain a geographical location to insert a nearby placename into the bogus article. The articles also contain links to video content, claiming that the latest Flash Player is required to view the video. If users attempt to update or install the Flash Player from the link provided in the article, their systems may become infected with malicious code.

    US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:

    • Install antivirus software, and keep the virus signatures up to date.
    • Do not follow unsolicited links and do not open unsolicited email messages.
    • Use caution when visiting untrusted websites.
    • Use caution when downloading and installing applications.
    • Obtain software applications and updates directly from the vendor's website.
    • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
    • Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.


    Adobe Releases Security Updates for Reader 9 and Acrobat 9

    added March 11, 2009 at 09:45 am | updated March 11, 2009 at 11:18 am

    Adobe has released Reader 9.1 and Acrobat 9.1 to address a vulnerability. This vulnerability is due to a buffer overflow condition that exists in the way Adobe Acrobat Reader handles JBIG2 streams. Exploitation of this vulnerability may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition. Adobe has indicated that it is aware of reports of active exploitation.

    US-CERT encourages users to review Adobe security bulletin APSB09-03 and update to Adobe Reader 9.1 and Acrobat 9.1. Additional information regarding this vulnerability is available in the Vulnerability Notes Database.


    New Attack Vectors for Adobe JBIG2 Vulnerability

    added March 10, 2009 at 04:52 pm

    US-CERT is aware of public reports of two new attack vectors for a vulnerability affecting Adobe Reader and Acrobat. This vulnerability is due to a buffer overflow condition that exists in the way Adobe Acrobat Reader handles JBIG2 Streams.

    When Adobe Reader is installed on a system, it adds an IFilter that allows applications such as the Windows Indexing Service to index PDF files. If the Windows Indexing Service processes a malicious PDF file stored on the system, the vulnerability can be exploited. Exploitation using this technique can require little to no user interaction.

    In addition to adding an IFilter, the Adobe Acrobat and Reader installation process adds a Windows Explorer Shell Extension. If Windows Explorer displays a folder that contains a malicious PDF file, the vulnerability can be exploited. Exploitation using this technique also requires little to no user interaction.

    US-CERT encourages users and administrators to incorporate the following workarounds to help mitigate the risks:

    • Locate and unregister the Adobe Reader IFilter using: regsvr32 /u AcroRdIF.dll
    • Locate and unregister the Adobe Acrobat IFilter using: regsvr32 /u AcroIF.dll
    • Disable Adobe Acrobat Windows Shell integration to help mitigate the risk. This can be disabled by executing the following command: regsvr32 /u "%CommonProgramFiles%\Adobe\Acrobat\ActiveX\pdfshell.dll"

    Additional information about the Adobe Reader and Acrobat JBIG2 vulnerability can be found in the Vulnerability Notes Database.
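
    One way to carry out the "locate and unregister" workarounds above in a single pass, as an added example that is not part of the US-CERT notice or Adobe's guidance. The search roots and the reporting format are assumptions; the DLL names and the regsvr32 /u command come from the list above, and the script must run from an elevated prompt.

```powershell
# Added example: locate and unregister the Adobe PDF IFilter and
# Explorer shell-extension DLLs named in the workaround list.
$targets = 'AcroRdIF.dll', 'AcroIF.dll', 'pdfshell.dll'

# Assumed search roots: Program Files and Common Files, 32- and 64-bit.
$roots = @(
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:CommonProgramFiles,
    ${env:CommonProgramFiles(x86)}
) | Where-Object { $_ -and (Test-Path $_) } | Select-Object -Unique

# Look only under each root's Adobe folder to keep the search short.
$found = foreach ($root in $roots) {
    $adobe = Join-Path $root 'Adobe'
    if (Test-Path $adobe) {
        Get-ChildItem -Path $adobe -Recurse -Include $targets -ErrorAction SilentlyContinue |
            Where-Object { -not $_.PSIsContainer }
    }
}

$dlls = @($found | Where-Object { $_ } | Sort-Object FullName -Unique)
if ($dlls.Count -eq 0) {
    Write-Warning 'No Adobe IFilter or shell-extension DLL found under the searched roots.'
    return
}

$results = foreach ($dll in $dlls) {
    # /u = unregister, /s = silent (suppress the result dialog).
    $quoted = '"{0}"' -f $dll.FullName
    $proc = Start-Process -FilePath 'regsvr32.exe' `
        -ArgumentList '/u', '/s', $quoted -Wait -PassThru
    New-Object PSObject -Property @{
        Path     = $dll.FullName
        ExitCode = $proc.ExitCode   # 0 means regsvr32 reported success
    }
}

# A non-zero exit code means that DLL is still registered.
$results | Format-Table Path, ExitCode -AutoSize
```

    After the vendor update has been applied, the components can be re-registered by running regsvr32 on the same paths without /u.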

    US-CERT will provide additional information as it becomes available.


    Microsoft Releases March Security Bulletin Summary

    added March 10, 2009 at 01:30 pm

    Microsoft has released updates to address vulnerabilities in Microsoft Windows as part of the Microsoft Security Bulletin Summary for March 2009. These vulnerabilities may allow an attacker to execute arbitrary code, redirect network traffic, or allow spoofing.

    US-CERT encourages users and administrators to review the bulletins and follow best-practice security policies to determine which updates should be applied.


    Economic Stimulus Email and Website Scams

    added March 5, 2009 at 04:08 pm

    US-CERT is aware of reports of economic stimulus scams circulating. These scams are being conducted through both email and malicious websites.

    Some of the email scam messages request personal information, which can then be used for identity theft. Other email scam messages offer to deposit the stimulus funds directly into users' bank accounts. If users provide their banking information, the attackers may be able to withdraw funds from the users' accounts.

    The website scams entice users by claiming that they can help them get money from the stimulus fund. These websites typically request payment for their services. If users provide their credit card information, the attackers running the malicious sites may make unauthorized charges to the card, or charge users more than the agreed upon terms.

    US-CERT encourages users to do the following to help mitigate the risks:


    Microsoft Releases Advanced Notification for March Security Bulletin

    added March 5, 2009 at 03:12 pm

    Microsoft has issued a Security Bulletin Advanced Notification indicating that the March release cycle will contain three bulletins, one of which will have a severity rating of Critical. The notification states that these Critical bulletins are for Microsoft Windows. There will also be two Important bulletins for Microsoft Windows. Release of these bulletins is scheduled for Tuesday, March 10.

    US-CERT will provide additional information as it becomes available.


    Mozilla Foundation Releases Firefox 3.0.7

    added March 5, 2009 at 08:44 am

    Mozilla Foundation has released Firefox 3.0.7 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, or spoof the location bar. The Mozilla Foundation Security Advisories also indicate that these vulnerabilities affect Thunderbird and SeaMonkey.

    US-CERT encourages users to review the following Mozilla Foundation Security Advisories and update to Firefox 3.0.7 to help mitigate the risks.

    • Mozilla Foundation Security Advisory 2009-07
    • Mozilla Foundation Security Advisory 2009-08
    • Mozilla Foundation Security Advisory 2009-09
    • Mozilla Foundation Security Advisory 2009-10
    • Mozilla Foundation Security Advisory 2009-11


    Malicious Code Targeting Social Networking Site Users

    added March 4, 2009 at 11:53 am

    US-CERT is aware of public reports of malicious code spreading via popular social networking sites including myspace.com, facebook.com, hi5.com, friendster.com, myyearbook.com, bebo.com, and livejournal.com. The reports indicate that the malware, named Koobface, is spreading through invitations from a user's contact that include a link to view a video. If the users click on the link in this invitation, they are prompted to update Adobe Flash Player. This update is not a legitimate Adobe Flash Player update; it is malicious code.

    Additionally, some of the reports indicate that there are multiple bogus Facebook applications being used to obtain users' private information.

    US-CERT encourages users and administrators to do the following to help mitigate the risks:

    • Install antivirus software and keep the virus signature files up to date.
    • Do not follow unsolicited links.
    • Use caution when downloading and installing applications.
    • Obtain software applications and updates directly from the vendor's website.
    • Refer to the Staying Safe on Social Networking Sites document for more information on safe use of social networking sites.
    • Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.