Blog powered by TypePad
Member since 10/2005

03/04/2009

Targeted attacks in the wild - now with PowerPoint

A new Office vulnerability used in targeted attacks is in the wild.

Microsoft has confirmed the existence of the vulnerability by releasing Security Advisory #969136.

The CVE entry for this vulnerability is CVE-2009-0556.

The affected Office versions are Microsoft Office PowerPoint 2003 SP3, 2002 SP3, 2000 SP3, and Office 2004 for Mac.

Microsoft uses the detection name Exploit:Win32/Apptom.gen for .PPT documents exploiting this 0-day issue.

11/03/2009

Adobe JBIG2 security update is here

The update for the critical JBIG2 code execution vulnerability affecting Adobe Acrobat and Reader products has been released. The advisory is located here, and as expected there is no patch for the older 8.x versions yet.

The newest version is Acrobat 9.1.

If you are using Adobe Reader, visit get.adobe.com/reader ASAP.

Additionally, OS X's Preview and several Linux PDF viewers are still waiting for a patch.

10/03/2009

German intelligence has tapped foreign computers

From the article, which points to the German-language Spiegel.de article:

The German foreign intelligence service, the Bundesnachrichtendienst (BND), has eavesdropped on 2,500 PCs in the last couple of years.
News magazine Der Spiegel broke the news on its website this weekend.

According to the magazine, information saved on HDDs was copied and transferred to Pullach, where the BND is headquartered.
In various other cases, keyloggers were installed to capture passwords for email accounts.
....

10/02/2009

Happy Safer Internet Day

It's February again and this Tuesday is Safer Internet Day - again.

According to new research

into the web habits of 20,000 14 to 19-year-olds across Europe found that 51% enjoy unfettered access to any and every website.
....
Here in Finland we use the term Tietoturvapäivä.

08/02/2009

Microsoft SDL meets CWE/SANS Top25 list

Microsoft has released a document describing how the Security Development Lifecycle (SDL) model maps to the so-called CWE/SANS Top 25 list, i.e. the "25 Most Dangerous Programming Errors" list released earlier in January.

An item-by-item analysis has been released as a Word document too; the link is included in this MSDN blog entry.

23/12/2008

Unpatched MS SQL Server vulnerability being exploited

Microsoft has confirmed a code execution vulnerability in Microsoft SQL Server affecting the following versions:

- Microsoft SQL Server 2000 SP4
- SQL Server 2005 SP2
- SQL Server 2000 Desktop Engine (MSDE 2000) SP4
- SQL Server 2000 Desktop Engine (WMSDE), and
- Windows Internal Database (WYukon) SP2.

MS Security Advisory #961040 is located here.

It appears that this sp_replwritetovarbin extended stored procedure issue is related to a finding by SEC Consult.

06/12/2008

Copper thefts threaten critical infrastructure in United States

According to an FBI report:

"....
Copper thieves are threatening US critical infrastructure by targeting electrical sub-stations, cellular towers, telephone land lines, railroads, water wells, construction sites, and vacant homes for lucrative profits.
...."

Link:
fbi.gov/hq/majorthefts/coppertheft_120308b.htm

Covered at Wired's Threat Level Blog too.

20/11/2008

Finnish police investigating forged invitations to president’s reception

Here in Finland,

a number of fake invitations to the president's annual Independence Day reception had been sent to people the president's office had not invited.

Lieutenant-Commander Janne Muurinen considers this a security threat.

It really is a serious threat. There is no information about attempts of this kind during past years.

According to news sources, the police laboratory is investigating the invitation cards, and fingerprints have been taken from the person who reported the invitation.

03/11/2008

Blog birthday and new job

This weblog had a birthday in October. The blog was opened exactly three years ago (huh!), on 6th October.

It's time to say a big Thank You, readers!

The total number of the entries is 2731 today.

I started a new job at a Finnish security company in October too. My position is Security Consultant.

Windows RPC worm (MS08-067) in the wild

The worm-type exploitation has started. More information has been released at
www.f-secure.com/weblog/archives/00001526.html.

The worm component reportedly has the detection name Exploit.Win32.MS08-067.g and the kernel component Rootkit.Win32.KernelBot.dg.

Kaspersky detects the new malware wave as Exploit.Win32.MS08-067.g and Microsoft as Exploit:Win32/MS08067.gen!A.

The Windows RPC vulnerability (MS08-067) FAQ document written by the author has been updated to include these detection names.

Sophos uses the name Mal/Generic-A, in turn.

27/10/2008

Several updates to Windows RPC vulnerability FAQ done

The FAQ document includes the following new information (from the Revision History):

1.2 26-10-2008 Major updates to Trojan section, added credits, information of non-affected dll versions and Snort rule reference
1.3 27-10-2008 Added information about the various file names and sizes, a separate Arpoc section and Nessus plugin reference

20/10/2008

Robert E. Lee writes about discussion around the TCP/IP DoS issue

Robert E. Lee of Outpost24 has posted a new entry entitled "A more detailed response to Gordon "Fyodor" Lyon's post", describing the current state of the TCP/IP issue, i.e. the discussion around the TCP/IP protocol stack denial-of-service vulnerability.

A FAQ-type section is included too.

11/10/2008

Apple's massive Security Update 2008-007 has arrived

Apple's latest Security Update 2008-007 addresses dozens of vulnerabilities.

Here are some useful references:

support.apple.com/kb/HT3216

secunia.com/advisories/32222/

Flaws in CUPS, QuickLook, libxslt etc. enable code execution, and patches for PHP, Tomcat etc. are included too.

28/09/2008

Mozilla Firefox 3.0.3 is out

This new version fixes the Password Manager bug reported in this week's FF 3.0.2 release.

Release Notes are available here.

Download links to localized versions:

www.mozilla.com/en-US/firefox/all.html

23/09/2008

References of Kauhajoki school shooting case

From Telegraph.co.uk:

The shooting at a school in Kauhajoki comes less than a year after the Scandinavian country was shocked by the murder of eight people at a school by a gun-wielding teenager.

Pekka-Eric Auvinen, 18, killed seven fellow pupils and the headmistress at Jokela High School in Tuusula, 30 miles north of the capital Helsinki and around 200 miles from Kauhajoki where the most recent shootings took place. Auvinen turned the gun on himself while surrounded by heavily armed police in November last year and died later in hospital.

He carried out the killings after uploading a film titled Jokela High School Massacre to YouTube, the video-sharing website.

www.metro.co.uk/news/world/article.html?YouTube_gunman_dead_after_school_shooting&in_article_id=321740&in_page_id=64

www.yle.fi/news/left/id102382.html

CNN Europe:
www.cnn.com/2008/WORLD/europe/09/23/finland.school.shooting/?iref=hpmostpop

Helsingin Sanomat:
www.hs.fi/english/article/bBREAKING+NEWSb+School+shooting+in+Kauhajoki+-+Nine+dead+many+injured/1135239657999

Wikipedia article:
en.wikipedia.org/wiki/Kauhajoki_shooting_incident

YouTube profile (suspended) of Matti Juhani Saari, 22:
www.youtube.com/user/Wumpscut86

Updated: Found mirrored here.

Update #2: Nickname (deleted) from IRC-Galleria.

Update #3: Wumpscut86 mirror page

Videos from Iltalehti.fi's Netti-TV:
www.iltalehti.fi/nettitv/?28011561

It appears that YouTube videos entitled 'massacre in kauhajoki' have been deleted from YouTube.

20/09/2008

Terrorism cell data stick missing

Really, really bad UK news this week:

A police force said it was investigating the loss of a computer memory stick.

West Midlands Police said it could not comment on the contents of the device, but local media reports suggested it held "top-secret information on terror suspects".

A force spokeswoman said: "We can confirm West Midlands Police is investigating the loss of a data memory stick.

We are conducting searches in an attempt to recover the lost item.
We will not comment in relation to the contents of that memory stick.

...."

20/08/2008

Android Security Team introduces itself to security community

Google's team introduced their work with this mailing list message, sent on Tuesday 19th Aug.

They are not only waiting for vulnerability reports; they

will be releasing more details of the security features of the Android platform over the next several months, as well as developer documentation and guidance...

Useful Android information is already available via Google Code.

The message of the posting is, as expected, that all security vulnerabilities found should be reported to the Android security team in a responsible way.

08/08/2008

Koobface worm is old already - new malware attacked Facebook

A new Facebook malware, assigned to the Trojan category, was discovered yesterday.
It uses malicious links containing the string www.google.com.id.... that point to .cn domains.

More information at the Sophos Blog here.

Mr. Max Kelly, Head of Security at Facebook, states the following:

We've identified and blocked the ability to link to the malicious websites from anywhere on Facebook. Less than .002 percent of people on Facebook have been affected, all of whom we notified and suggested steps to remove the malware.

24/07/2008

New DNS exploit code out, US-CERT releases more advice

A researcher using the handle |)ruid has generated the new code together with H D Moore, and it was posted to an unmoderated security mailing list today. The code, entitled Kaminsky DNS Cache Poisoning Flaw Exploit for Domains, was released at the Caughq.org Web site too.

Related to this DNS cache poisoning vulnerability, US-CERT has issued a note stating that NAT/PAT affects DNS cache poisoning mitigation - link here.
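The US-CERT point is that a patched resolver's source port randomization can be undone by a NAT/PAT device that rewrites outbound UDP ports sequentially or from a small pool. The following is an added example, not code from the original post or from US-CERT, showing a defender's offline check: given the UDP source ports of outbound DNS queries observed on the outside of the NAT (the extraction from a packet capture is assumed to have been done already), it reports whether the ports still look randomized. The three port lists are constructed, and the thresholds in looks_randomized are assumptions chosen for a sample of a couple of hundred queries.

```python
# Added example (not from the original post or from US-CERT): a quick
# offline check of whether the UDP source ports of outbound DNS queries
# still look randomized after passing through a NAT/PAT device. Source
# port randomization is the main resolver-side mitigation for the Kaminsky
# cache poisoning flaw; a NAT that rewrites ports sequentially or from a
# small pool undoes it. The port lists are assumed to have been extracted
# from a capture taken on the outside of the NAT; the samples below are
# constructed, not captured.
import math
import random
from collections import Counter


def port_stats(ports):
    """Summarise an ordered list of observed source ports.

    Returns (distinct_fraction, span, sequential_fraction, entropy_bits):
    - distinct_fraction: unique ports / observed ports (low -> small pool)
    - span: max port - min port (small -> ports confined to a narrow range)
    - sequential_fraction: share of consecutive queries whose ports differ
      by at most 1 (high -> the NAT is allocating ports in order)
    - entropy_bits: Shannon entropy of the observed port distribution
    """
    if len(ports) < 2:
        raise ValueError("need at least two observed ports")
    n = len(ports)
    counts = Counter(ports)
    distinct_fraction = len(counts) / n
    span = max(ports) - min(ports)
    steps = [abs(b - a) for a, b in zip(ports, ports[1:])]
    sequential_fraction = sum(1 for s in steps if s <= 1) / len(steps)
    entropy_bits = -sum(c / n * math.log2(c / n) for c in counts.values())
    return distinct_fraction, span, sequential_fraction, entropy_bits


def looks_randomized(ports, min_span=16384, max_sequential=0.2, min_distinct=0.9):
    """Heuristic verdict: True if the ports plausibly come from a randomizing
    resolver whose ports survived the NAT, False if they look rewritten.
    The thresholds are assumptions tuned for roughly 100-200 queries."""
    distinct_fraction, span, sequential_fraction, _ = port_stats(ports)
    return (span >= min_span
            and sequential_fraction <= max_sequential
            and distinct_fraction >= min_distinct)


# Constructed sample 1: a patched resolver picking ports from the whole
# ephemeral range (seeded so the result is reproducible).
_rng = random.Random(7)
RANDOMIZED_SAMPLE = [_rng.randint(1024, 65535) for _ in range(200)]

# Constructed sample 2: the same queries after a PAT device that hands out
# ports in ascending order starting at 1024.
NAT_REWRITTEN_SAMPLE = list(range(1024, 1224))

# Constructed sample 3: a NAT that cycles through a pool of only 16 ports.
SMALL_POOL_SAMPLE = [40000 + (i % 16) for i in range(200)]


if __name__ == "__main__":
    for name, sample in (("randomized", RANDOMIZED_SAMPLE),
                         ("nat-sequential", NAT_REWRITTEN_SAMPLE),
                         ("nat-small-pool", SMALL_POOL_SAMPLE)):
        distinct, span, seq, ent = port_stats(sample)
        verdict = "OK" if looks_randomized(sample) else "SUSPECT"
        print(f"{name:15s} distinct={distinct:.2f} span={span:5d} "
              f"sequential={seq:.2f} entropy={ent:.2f} bits -> {verdict}")
```

The span and sequential-fraction checks catch the ascending-port PAT case the note warns about, while the distinct-fraction check catches a device that reuses a tiny pool; a resolver whose ports pass all three on the outside of the NAT has kept its mitigation.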

16/07/2008

Firefox version 2.0.0.16 out - one critical issue in FF3.0 too [UPDATE]

If you are using a non-3.x version of the Firefox browser and have not noticed the Auto Update notification yet, the good news is that Firefox version 2.0.0.16 is out now.

There are two Critical issues fixed: Mozilla Foundation Security Advisory 2008-34 and Mozilla Foundation Security Advisory 2008-35.

Time to download the newest release:
mozilla.com/firefox/all-older.html

The Release Notes document can be read here.

MFSA 2008-35 affects Firefox 3.0 too, but FF 3.0.1 is coming in the near future. Let's hope ASAP.

Update 17th Jul: Firefox 3.0.1 can be downloaded now; a fresh Release Notes document is here.