Microsoft Patch Tuesday – February 2011


Hello and welcome to this month’s blog on the Microsoft patch release. This is a fairly busy month: the vendor is releasing 12 bulletins covering a total of 22 vulnerabilities. Five of the issues are rated ‘Critical’ and they affect Internet Explorer, OpenType Fonts, and Windows Shell Graphics processing. The remaining issues are rated ‘Important’ and ‘Moderate’ and affect the Windows kernel, Visio, Active Directory, Internet Explorer, Internet Information Services, and Windows.

As always, customers are advised to follow these security best practices:

- Install vendor patches as soon as they are available.

- Run all software with the least privileges required while still maintaining functionality.

- Avoid handling files from unknown or questionable sources.

- Never visit sites of unknown or questionable integrity.

- Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft’s summary of the February releases can be found here: http://www.microsoft.com/technet/security/bulletin/ms11-feb.mspx

The following is a breakdown of some of the notable issues being addressed this month:

1. MS11-003 Cumulative Security Update for Internet Explorer (2482017)

CVE-2010-3971 (BID 45246) Microsoft Internet Explorer CSS Parsing Remote Memory Corruption Vulnerability (MS Rating: Critical / Symantec Rating: 8.5/10)

A previously public (Dec 8, 2010) remote code-execution vulnerability affects Internet Explorer when parsing Cascading Style Sheet (CSS) expressions. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

CVE-2011-0035 (BID 46157) Microsoft Internet Explorer CVE-2011-0035 Uninitialized Memory Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Internet Explorer due to how it handles an object that has not been properly initialized, or has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

CVE-2011-0036 (BID 46158) Microsoft Internet Explorer CVE-2011-0036 Uninitialized Memory Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Internet Explorer due to how it handles an object that has not been properly initialized, or has been deleted. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a Web page containing malicious content. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

CVE-2011-0038 (BID 46159) Microsoft Internet Explorer DLL Loading Arbitrary Code Execution Vulnerability (MS Rating: Moderate / Symantec Rating: 8.5/10)

A remote code-execution vulnerability affects Internet Explorer due to how it loads DLL files. An attacker can exploit this issue by tricking an unsuspecting victim into opening an HTML file from a remote WebDAV or SMB share. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

2. MS11-006 Vulnerability in Windows Shell Graphics Processing Could Allow Remote Code Execution (2483185)

CVE-2010-3970 (BID 45662) Microsoft Windows 'CreateSizedDIBSECTION()' Thumbnail View Stack Buffer Overflow Vulnerability (MS Rating: Critical / Symantec Rating: 8.5/10)

A previously public (Jan 4, 2011) remote code-execution vulnerability affects the Windows Shell graphics processor. The problem occurs in the 'CreateSizedDIBSECTION()' function of the 'shimgvw.dll' file when handling malformed thumbnails. An attacker can exploit this issue by tricking an unsuspecting victim into viewing a malicious thumbnail image. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

3. MS11-007 Vulnerability in the OpenType Compact Font Format (CFF) Driver Could Allow Remote Code Execution (2485376)

CVE-2011-0033 (BID 46106) Microsoft Windows OpenType Compact Font Format Remote Code Execution Vulnerability (MS Rating: Critical / Symantec Rating: 8.2/10)

A remote code-execution vulnerability affects the OpenType Compact Font Format (CFF) driver. An attacker can exploit this issue by hosting a specially malformed OpenType font on a remote share and tricking an unsuspecting victim into navigating to it. When the font is processed, attacker-supplied code will execute in the context of the currently logged-in user.

4. MS11-004 Vulnerability in Internet Information Services (IIS) FTP Service Could Allow Remote Code Execution (2489256)

CVE-2010-3972 (BID 45542) Microsoft IIS FTP Service Remote Buffer Overflow Vulnerability (MS Rating: Important / Symantec Rating: 8.9/10)

A previously public (Dec 21, 2010) buffer-overflow vulnerability affects the Internet Information Services (IIS) FTP service. The problem occurs in the 'TELNET_STREAM_CONTEXT::OnSendData()' function of the 'ftpsvc.dll' library when processing certain FTP commands. A remote attacker can exploit this issue to execute arbitrary code in the context of the affected application.

5. MS11-008 Vulnerabilities in Microsoft Visio Could Allow Remote Code Execution (2451879)

CVE-2011-0092 (BID 46137) Microsoft Visio Object Memory Corruption (CVE-2011-0092) Remote Code Execution Vulnerability (MS Rating: Important / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Visio. An attacker can exploit this issue by tricking an unsuspecting victim into opening a specially crafted Visio file. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

CVE-2011-0093 (BID 46138) Microsoft Visio Data Type Memory Corruption (CVE-2011-0093) Remote Code Execution Vulnerability (MS Rating: Important / Symantec Rating: 7.1/10)

A remote code-execution vulnerability affects Visio when parsing certain structures. An attacker can exploit this issue by tricking an unsuspecting victim into opening a specially crafted Visio file. A successful exploit will result in the execution of arbitrary attacker-supplied code in the context of the currently logged-in user.

More information on the vulnerabilities being addressed this month is available at Symantec’s free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

Fake Ticket Offer Targeting Cricket World Cup 2011


The most awaited tournament for cricket lovers, the ICC World Cup 2011, begins on February 19, 2011. The ICC World Cup is being played in the Indian subcontinent, and the country’s cricket-crazy population is all set to get hold of World Cup tickets in every possible way—all to witness and experience live international cricket in action. Since this is a hugely followed international sporting event across the world, Symantec has anticipated spam attacks and other Internet threats related to the event. As expected, we are observing World Cup spam in the Symantec Probe Network.

The spam message invites users to attend the final game of World Cup 2011 in Mumbai, India. The invite offers multiple executive club facilities such as a private table, a gourmet champagne brunch, and much more for 10 guests. This may sound like an attractive deal; however, it is simply bait for Internet users/cricket fans who are keen to be a part of the World Cup Final and experience the thrill.

Below are some examples of the spam messages:

Subject: 2011 Cricket World Cup Final

Subject: Experience Cricket World Cup Final

In the past, we have observed spam and phishing attacks targeting cricket events such as the Indian Premier League (IPL) and T20 World Cup. The countdown to this event has begun and we expect to see more sophisticated spam and phishing attacks related to the World Cup. Some of these attacks may carry attachments that distribute malware disguised as video files purportedly showing highlights of the games.

Although World Cup tickets are in high demand, the supply should always be from a legitimate source. Users are advised to refrain from clicking on such mails and opening attachments unless they are from authorized or official sources. Websites that sell tickets and ask for financial or personal information should be protected by SSL certificates and provide visible trust marks to verify their authenticity. Offers such as these entice users to join in on the spirit of the 2011 World Cup games, but the spammers are the only winners.

3D Secure Passwords for Recharging Mobile Airtime


Phishers are known for developing different strategies with the motive of duping users into believing that the phishing site is authentic and secure. Phishing sites are now seen asking for a 3D secure number.

What is 3D secure?

A 3D secure number is a password that is only known to the bank and the buyer. In other words, during an online transaction, the merchant in question does not know this number. This number is essentially an additional password given separately to card holders specifically for the safety of online transactions.

Many online transactions typically involve the use of credit/debit card numbers and the number on the back of the card. If anyone happens to see the card and copies or writes down these numbers found on the card, the card holder would be at risk of having his or her money stolen in online transactions. The use of a 3D secure password reduces such a risk, as it is a number not present anywhere on the card. Entering it confirms that the card details are being supplied by the card’s owner, which is what authenticates the transaction.

A 3D secure number reduces the risk in a situation where the card numbers are copied by other people. However, if the 3D secure number itself is given away by the user to a phishing site, the user’s money would still be at risk. Phishers are well aware of this and so prompt users to enter their 3D secure number along with other card details in phishing sites.

Recently, one such example was observed where the phishing site prompted the user for credit card details and their 3D secure number for an online transaction. The bait was mobile phone airtime purchased online. The phishing site targeted customers in Turkey and the phishing pages were in Turkish. Also, the credit card details requested were of banks based in Turkey. The required information was the mobile phone number, amount of mobile phone airtime to be recharged, name of the bank, card holder’s name, credit card number, expiration date, CVV, and 3D secure password. To increase the appeal, the phishing page offered customers of two particular banks gifts worth $10 for every $20 purchased. Upon entering the information, the user was redirected to a page on the phishing site that asked for more user information.

The information requested on the second phishing page consisted of the mother’s maiden name, card holder’s date of birth, customer or account number, and password. The phishing page claimed that upon clicking the button at the bottom of the page, a password would be sent as an SMS to the user’s mobile phone. The user was warned that if incomplete information was entered, the operation would be disapproved, leading to the failure of the transaction. Below this button was a message stating that 3D secure card purchases are safe for online transactions and that a high-encryption system provides protection against unauthorized use. This statement was obviously displayed to gain the user’s confidence.

The third page of the phishing site asks for the password previously claimed to have been sent to the user by SMS. The phishing page also notifies the user that the SMS may take one to five minutes to arrive and requests that the page not be closed. Of course, this is just a ploy; the user would never actually receive any password.

The phishing URL used a raw IP address in place of a domain name (for example, a URL of the form http://255.255.255.255). The phishing site was hosted on servers based in Orlando, USA.
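A bare IP address where a domain name is expected, as in the phishing URL above, is a cheap indicator to check for in proxy or mail-gateway logs. The following is an added example (not code from the original post) that flags such URLs in a few constructed log lines; the log format and the sample URLs are assumptions.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed sample proxy log lines (timestamp, client IP, requested URL).
# These are made up for the example and are not real traffic.
SAMPLE_LOG = """\
2011-02-10T09:12:01Z 10.0.0.21 http://www.example-bank.com.tr/login
2011-02-10T09:12:05Z 10.0.0.21 http://255.255.255.255/airtime/index.php
2011-02-10T09:13:44Z 10.0.0.37 https://[2001:db8::1]:8443/3dsecure
2011-02-10T09:14:02Z 10.0.0.37 http://operator-airtime.example/top-up
2011-02-10T09:15:19Z 10.0.0.52 http://192.0.2.10:8080/payment/sms.php
"""


def host_is_ip_literal(url: str) -> bool:
    """True when the URL's host is a bare IPv4/IPv6 address rather than a domain name."""
    # .hostname strips the scheme, port, userinfo and any IPv6 brackets.
    host = urlparse(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def flag_ip_host_urls(log_text: str) -> list:
    """Return (timestamp, client, url) for every line whose URL host is an IP literal."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: skip it rather than abort the scan
        ts, client, url = parts
        if host_is_ip_literal(url):
            hits.append((ts, client, url))
    return hits


if __name__ == "__main__":
    for ts, client, url in flag_ip_host_urls(SAMPLE_LOG):
        print(f"{ts} {client} requested a URL with an IP-literal host: {url}")
```

Legitimate internal services are sometimes reached by address too, so treat a hit as a triage signal to review, not as proof of phishing.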

Internet users are advised to follow best practices to avoid phishing attacks, such as:

• Do not click on suspicious links in email messages.

• Avoid providing any personal information when answering an email.

• Never enter personal information in a pop-up screen.

• Frequently update your security software, such as Norton Internet Security 2011, which protects you from online phishing.


Thanks to the co-author of the blog, Avdhoot Patil.

FCC Net Neutrality is a Regulatory ‘Trojan Horse,’ EFF Says


The Federal Communications Commission’s net-neutrality decision opens the FCC to “boundless authority to regulate the internet for whatever it sees fit,” the Electronic Frontier Foundation is warning.

The civil rights group says the FCC’s action in December, which was based on shaky legal authority, creates a paradox of epic proportions. The EFF favors net neutrality but worries whether the means justify the ends.

“We’re wholly in favor of net neutrality in practice, but a finding of ancillary jurisdiction here would give the FCC pretty much boundless authority to regulate the internet for whatever it sees fit. And that kind of unrestrained authority makes us nervous about follow-on initiatives like broadcast flags and indecency campaigns,” Abigail Phillips, an EFF staff attorney, wrote on the group’s blog Thursday.

And the paradox grows.

In a Friday telephone interview, Phillips was unclear how to solve the problem. What about an act of Congress? How about reclassifying broadband to narrow the FCC’s control of it?

“I’m not sure what I think the right solution is,” she answered.

The agency’s December action has already been attacked on multiple fronts, including two lawsuits.

One side of the debate has focused on claims the FCC overstepped its authority by adopting the principle that wireline carriers treat all internet traffic the same. A chorus of others complain that the FCC wimped out and didn’t go far enough when it comes to wireless carriers.

And the entire debate is littered with competing interests, including the mobile-phone carriers, internet service providers, private enterprise, developers, Congress and, last but not least, the public.

“In general, we think arguments that regulating the internet is ‘ancillary’ to some other regulatory authority that the FCC has been granted just don’t have sufficient limitations to stop bad FCC behavior in the future and create the ‘Trojan horse’ risk we have long warned about,” Phillips said.

But who can be trusted in this debate?

The answer opens Pandora’s box.
