Megaupload Sues Universal Over ‘Sham’ YouTube Takedown

Universal Music is being hit with a federal lawsuit accusing it of abusing copyright law to force YouTube to remove a video of popular hip-hop stars — including Kanye West — singing the praises of the popular file-sharing site Megaupload.

YouTube last week dropped the 4-minute video, produced by the Hong Kong file-sharing service Megaupload, after having received two takedown notices under the Digital Millennium Copyright Act. The suit comes days ahead of a House Judiciary Committee hearing about the proposed Stop Online Piracy Act, which many complain gives rights holders too much power to censor websites that promote online infringement.

Ira Rothken, Megaupload’s attorney, said in a telephone interview Tuesday that Universal engaged in a “sham” takedown to prevent pop stars from applauding a file-sharing service that the music labels complain is a vehicle for rampant and unauthorized music downloading. The site boasts 50 million users daily.

“How can you claim a copyright in a performance of artists singing that they love Megaupload?” Rothken asked. “It doesn’t pass the giggle test. It’s a sham.”

Online service providers like YouTube lose their legal immunity for their users’ actions if they don’t remove allegedly infringing content when rights holders ask them to. If the content is not removed, the ISP could be held liable for damages under the Copyright Act, which carries penalties of up to $150,000 per violation.

Universal said the first takedown notice was intended to protect the rights of one of its musicians. Megaupload’s attorney, however, says New Zealand songwriter-singer Gin Wigmore isn’t even in the video.

“They were claiming she was in the video when she wasn’t,” Rothken said.

In a statement, Universal said:

This is an on-going dispute that surfaced several weeks ago with respect to the unauthorized use of a performance from one of our artists. We heard from a number of our other artists (and their representatives) who told us they’ve never consented to being portrayed in this video. As a result, at least one of them has already sent a takedown notice for this unauthorized use.

A second takedown notice came from will.i.am, of the Black Eyed Peas. The Hollywood Reporter, quoting the musician’s attorney, said his client had never given permission for his appearance in the video, which shows him singing: “When I’ve got to send files across the globe, I use Megaupload.”

Rothken said everybody in the video, which among others includes Ciara, Kim Kardashian and Serena Williams, provided Megaupload with written permission.

“There’s agreements signed by each of the stars,” Rothken said.

Rothken, who is seeking unspecified damages, is demanding a judge order YouTube to restore the video.

Note: The embedded video above was uploaded to YouTube by a user after the takedowns and so far seems to have escaped notice.

Microsoft Patch Tuesday – December 2011

Hello, welcome to this month’s blog on the Microsoft patch release. This is an average month—the vendor is releasing 13 bulletins covering a total of 19 vulnerabilities.

Three of this month's issues are rated ‘Critical’; they affect Media Player, the Microsoft Time ActiveX control, and TrueType font handling (the public issue currently being exploited by the Duqu malware). The remaining issues affect Windows, the kernel, Internet Explorer, Active Directory, Word, Excel, PowerPoint, Publisher, and Office.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the December releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms11-dec

The following is a breakdown of the issues being addressed this month:

  1. MS11-087 Vulnerability in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2639417)

    CVE-2011-3402 (BID 50462) Microsoft Windows 'Win32k.sys' TrueType Font Handling Remote Code Execution Vulnerability (MS Rating: Critical; Symantec Urgency Rating 9.2/10)

    A previously public (Nov 1, 2011) remote code-execution vulnerability affects Windows kernel-mode drivers when handling specially crafted TrueType fonts. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malicious file or viewing a malicious web page. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the kernel. This may facilitate a complete system compromise.

  2. MS11-090 Cumulative Security Update of ActiveX Kill Bits (2618451)

    CVE-2011-3397 (BID 50970) Microsoft Windows Time Component Remote Code Execution Vulnerability (MS Rating: Critical; Symantec Urgency Rating 7.1/10)

    A remote code-execution vulnerability affects the Microsoft Time ActiveX control. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious web page. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

  3. MS11-092 Vulnerability in Windows Media Could Allow Remote Code Execution (2648048)

    CVE-2011-3401 (BID 50957) Microsoft Windows Media Player And Media Center '.dvr-ms' Files Remote Code Execution Vulnerability (MS Rating: Critical; Symantec Urgency Rating 7.1/10)

    A remote code-execution vulnerability affects Media Player and Media Center due to how they handle ‘.dvr-ms’ files. An attacker can exploit this issue by tricking an unsuspecting victim into opening a malformed file. A successful exploit will result in the execution of arbitrary attacker-supplied code with system-level privileges. This may facilitate a complete system compromise.

  4. MS11-099 Cumulative Security Update for Internet Explorer (2618444)

    CVE-2011-1992 (BID 50974) Microsoft Internet Explorer XSS Filter Cross Domain Information Disclosure Vulnerability (MS Rating: Important; Symantec Urgency Rating 6.7/10)

    A cross-domain information-disclosure vulnerability affects Internet Explorer. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a specially crafted web page. A successful exploit will allow an attacker to gain access to potentially sensitive information across domains.

    CVE-2011-2019 (BID 50975) Microsoft Internet Explorer CVE-2011-2019 DLL Loading Arbitrary Code Execution Vulnerability (MS Rating: Important; Symantec Urgency Rating 8.5/10)

    A remote code-execution vulnerability affects Internet Explorer because of how it loads DLL files. An attacker can exploit this issue by tricking an unsuspecting victim into opening a file associated with the application from a remote WebDAV or SMB share, or from the local desktop. Successful exploits will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

    CVE-2011-3404 (BID 50976) Microsoft Internet Explorer CVE-2011-3404 Cross Domain Information Disclosure Vulnerability (MS Rating: Moderate; Symantec Urgency Rating 6.7/10)

    An information-disclosure vulnerability affects Internet Explorer due to how it renders certain web pages. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a specially malformed web page. A successful exploit may result in the disclosure of potentially sensitive information across domains.

More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal, and to our customers through the DeepSight Threat Management System.

Google Releases Chrome 16.0.912.63

Google has released Chrome 16.0.912.63 for Linux, Mac, Windows, and Chrome Frame to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review the Google Chrome Releases blog entry and update to Chrome 16.0.912.63.

SMS Fraud on the Android Market

Thanks to Masaki Suenaga and Andy Xies for their analysis.

Following the tweet from our @threatintel Twitter account last night about malicious applications targeting users in European countries, Symantec Security Response has identified another group of fraudulent apps on the Android Market, this time under a different publisher ID. From our analysis, the 11 newly discovered apps are published under the name “Miriada Production” and are identical to the apps published under the name “Logastrod”. These apps capitalize on popular game titles and masquerade as these games, but in fact they just send two texts to premium-rate, local SMS numbers in the country where the SIM card is registered. The apps also prevent notifications from being displayed if the incoming text is from certain numbers.

Once notified of these apps by Symantec, Google acted promptly and removed them from the Android Market.

The malicious content in all the apps appears to be identical. This suggests either that both publishers took the malicious code from the same template, or that they are the same publisher using two different names.

Note that, as with all Android applications, users must choose to allow the permissions requested by an application before it can be installed. Permissions are displayed by the Android operating system under broad headings that summarize the implications of the permissions requested. For example, the permission to allow an application to send SMS or MMS messages is organized under the easy-to-understand heading of “Services that cost you money”. Understanding these permissions can help users avoid applications which make unnecessary requests. In this particular instance, the applications ask for the permission to send SMS messages, a service that will cost you money (something users should think twice about before accepting and proceeding with the install).
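The permission review described above can also be automated over a decoded AndroidManifest.xml. The following is an added example, not code from Symantec or from the apps discussed; the sample manifest, package name and receiver name are constructed, and the receiver check assumes incoming texts are intercepted through an SMS_RECEIVED broadcast receiver, which the post does not state.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Permissions Android lists under "Services that cost you money".
COST_PERMS = {"android.permission.SEND_SMS", "android.permission.CALL_PHONE"}
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Constructed sample: decoded manifest of a hypothetical "game" app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakegame">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application android:label="Some Popular Game">
    <receiver android:name=".SmsFilter">
      <intent-filter android:priority="1000">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""


def audit_manifest(xml_text):
    """Return a list of SMS-related findings for a decoded manifest."""
    root = ET.fromstring(xml_text)
    perms = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    findings = [f"cost-incurring permission: {p}"
                for p in sorted(perms & COST_PERMS)]
    if "android.permission.RECEIVE_SMS" in perms:
        findings.append("can read incoming SMS: android.permission.RECEIVE_SMS")
    # Assumption: a receiver registered for SMS_RECEIVED is how an app would
    # see incoming texts before the user does; report it with its priority.
    for recv in root.iter("receiver"):
        for flt in recv.iter("intent-filter"):
            actions = {a.get(ANDROID + "name") for a in flt.iter("action")}
            if SMS_RECEIVED in actions:
                prio = flt.get(ANDROID + "priority", "0")
                findings.append(
                    f"SMS_RECEIVED receiver {recv.get(ANDROID + 'name')} "
                    f"priority={prio}")
    return findings


if __name__ == "__main__":
    for line in audit_manifest(SAMPLE_MANIFEST):
        print(line)
```

A game that produces any of these findings is requesting capabilities it has no obvious need for, which is the signal the permission screen is meant to give the user.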

Symantec customers are protected, since the apps are detected as Android.Rufraud.