Archive for December, 2009
Malicious Code Circulating via Social Security Administration Phishing Messages
by IDF Agent on Dec.03, 2009, under Uncategorized
There are public reports of malicious code circulating via
phishing email messages that appear to come from the Social Security
Administration. The messages indicate that the users’ annual Social
Security statements may contain errors and instruct users to follow a
link to review their Social Security statement. If users click this
link, they will be redirected to a seemingly legitimate website that
prompts them for their Social Security number. If users enter their
Social Security number and continue to the next page, they will be
given an option to generate a statement. If users attempt to generate
a statement, malicious code may be installed on their systems. This
malicious code attempts to collect online banking traffic to gain
access to the users’ bank accounts.
US-CERT encourages users and administrators to take the following
preventative measures to help mitigate the security risks:
* Install antivirus software, and keep the virus signatures up to
date.
* Do not follow unsolicited links and do not open unsolicited email
messages.
* Use caution when visiting untrusted websites.
* Use caution when entering personal information online.
* Refer to the Recognizing and Avoiding Email Scams (pdf) document
for more information on avoiding email scams.
* Refer to the Avoiding Social Engineering and Phishing Attacks
document for more information on social engineering attacks.
Users are encouraged to contact the Social Security Administration to
verify the authenticity of any messages. Additional information will
be provided as it becomes available.
Latest high risk vulnerabilities for the last week of November, 2009
by IDF Agent on Dec.03, 2009, under Uncategorized
| Primary Vendor — Product | Description | Published | CVSS Score |
|---|---|---|---|
| 2wire — 1700hg, 1701hg, 1800hw, 2071, 2700hg, 2701hg-t | The management interface on the 2wire Gateway 1700HG, 1701HG, 1800HW, 2071, 2700HG, and 2701HG-T with software before 5.29.52 allows remote attackers to cause a denial of service (reboot) via a %0d%0a sequence in the page parameter to the xslt program on TCP port 50001, a related issue to CVE-2006-4523. | 2009-11-17 | 7.8 |
| arcadetradescript — arcade_trade_script | Arcade Trade Script 1.0 allows remote attackers to bypass authentication and gain administrative access by setting the adminLoggedIn cookie to true. | 2009-11-18 | 7.5 |
| ed_charkow — supercharged_linking | SQL injection vulnerability in browse.php in Ed Charkow SuperCharged Linking allows remote attackers to execute arbitrary SQL commands via the id parameter. | 2009-11-18 | 7.5 |
| faslo — faslo_player | Stack-based buffer overflow in Faslo Player 7.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long string in a .m3u playlist file. | 2009-11-18 | 9.3 |
| gimp — gimp | Integer overflow in the read_channel_data function in plug-ins/file-psd/psd-load.c in GIMP 2.6.7 might allow remote attackers to execute arbitrary code via a crafted PSD file that triggers a heap-based buffer overflow. | 2009-11-18 | 9.3 |
| hp — discovery&dependency_mapping_inventory | Unspecified vulnerability in HP Discovery & Dependency Mapping Inventory (DDMI) 2.5x, 7.5x, and 7.60 on Windows allows remote authenticated users to execute arbitrary code via unknown vectors. | 2009-11-17 | 9.0 |
| invisionpower — invision_power_board | Multiple SQL injection vulnerabilities in Invision Power Board (IPB or IP.Board) 3.0.0, 3.0.1, and 3.0.2 allow remote attackers to execute arbitrary SQL commands via the (1) search_term parameter to admin/applications/core/modules_public/search/search.php and (2) aid parameter to admin/applications/core/modules_public/global/lostpass.php. NOTE: on 20090818, the vendor patched 3.0.2 without changing the version number. | 2009-11-18 | 7.5 |
| itechscripts — itechbids | Multiple SQL injection vulnerabilities in ITechBids 8.0 allow remote attackers to execute arbitrary SQL commands via the (1) user_id parameter to feedback.php, (2) cate_id parameter to category.php, (3) id parameter to news.php, and (4) productid parameter to itechd.php. NOTE: the sellers_othersitem.php, classifieds.php, and shop.php vectors are already covered by CVE-2008-3238. | 2009-11-18 | 7.5 |
| jos_de_ruijter — superseriousstats | SQL injection vulnerability in user.php in Super Serious Stats (aka superseriousstats) before 1.1.2p1 allows remote attackers to execute arbitrary SQL commands via the uid parameter, related to an “incorrect regexp.” NOTE: some of these details are obtained from third party information. | 2009-11-17 | 7.5 |
| jtips — jtips | SQL injection vulnerability in the jTips (com_jtips) component 1.0.7 and 1.0.9 for Joomla! allows remote attackers to execute arbitrary SQL commands via the season parameter in a ladder action to index.php. | 2009-11-18 | 7.5 |
| linux — kernel | Buffer overflow in the kvm_vcpu_ioctl_x86_setup_mce function in arch/x86/kvm/x86.c in the KVM subsystem in the Linux kernel before 2.6.32-rc7 allows local users to cause a denial of service (memory corruption) or possibly gain privileges via a KVM_X86_SETUP_MCE IOCTL request that specifies a large number of Machine Check Exception (MCE) banks. | 2009-11-19 | 7.2 |
| linux — kernel | The collect_rx_frame function in drivers/isdn/hisax/hfc_usb.c in the Linux kernel before 2.6.32-rc7 allows attackers to have an unspecified impact via a crafted HDLC packet that arrives over ISDN and triggers a buffer under-read. | 2009-11-19 | 7.2 |
| linux — kernel | Array index error in the gdth_read_event function in drivers/scsi/gdth.c in the Linux kernel before 2.6.32-rc8 allows local users to cause a denial of service or possibly gain privileges via a negative event index in an IOCTL request. | 2009-11-20 | 7.2 |
| maniacomputer — new5starrating | SQL injection vulnerability in rating.php in New 5 star Rating 1.0 allows remote attackers to execute arbitrary SQL commands via the det parameter. | 2009-11-18 | 7.5 |
| microsoft — windows_7, windows_server_2008 | The kernel in Microsoft Windows Server 2008 R2 and Windows 7 allows remote SMB servers to cause a denial of service (infinite loop and system hang) via a (1) SMBv1 or (2) SMBv2 response packet that contains a NetBIOS header with an incorrect length value, which triggers an assertion failure in the KeAccumulateTicks function. | 2009-11-13 | 7.1 |
| ninjaforge — ninjamonials | SQL injection vulnerability in the NinjaMonials (com_ninjacentral) component 1.1.0 for Joomla! allows remote attackers to execute arbitrary SQL commands via the testimID parameter in a display action to index.php. | 2009-11-18 | 7.5 |
| qproje — siirler_bileseni | SQL injection vulnerability in the Q-Proje Siirler Bileseni (com_siirler) component 1.2 RC for Joomla! allows remote attackers to execute arbitrary SQL commands via the sid parameter in an sdetay action to index.php. | 2009-11-18 | 7.5 |
| rhinosoft — serv-u | Stack-based buffer overflow in the TEA decoding algorithm in RhinoSoft Serv-U FTP server before 9.1.0.0 allows remote attackers to execute arbitrary code via a long hexadecimal string. | 2009-11-20 | 9.0 |
| tandberg — tandberg_mxp_endpoints | Buffer overflow in the FTP service on the Tandberg MXP F7.0 allows remote attackers to cause a denial of service (process crash or device reboot) or possibly execute arbitrary code via a long USER command, as demonstrated by a command ending with many space characters. | 2009-11-16 | 9.3 |
| turnkeyarcade — turnkey_arcade_script | SQL injection vulnerability in index.php in Turnkey Arcade Script allows remote attackers to execute arbitrary SQL commands via the id parameter in a browse action, a different vector than CVE-2008-5629. | 2009-11-18 | 7.5 |
| vivaprograms — infinity_script | cp/profile.php in VivaPrograms Infinity 2.0.5 and earlier does not require administrative authentication for the donewauthor action, which allows remote attackers to create administrative accounts via the name, password, and conf_password parameters. | 2009-11-16 | 7.5 |
| xoops — xoops | Multiple unspecified vulnerabilities in XOOPS before 2.4.0 Final have unknown impact and attack vectors. | 2009-11-17 | 7.5 |
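The Arcade Trade Script entry in the table above is an instance of a recurring design flaw: a cookie the client controls is treated as proof that an administrator is logged in. The following added example (not code from Arcade Trade Script or from this page, and written in Python rather than the script's PHP) contrasts that pattern with an authorization check backed by a server-side session store; the request and session structures are assumed for illustration.

```python
import hmac
import secrets


def is_admin_vulnerable(cookies: dict) -> bool:
    """Flawed pattern from the advisory: a cookie value is read as an
    authentication fact. Cookies are client-controlled, so this proves nothing."""
    return cookies.get("adminLoggedIn") == "true"


class SessionStore:
    """Server-side session table: the only place the 'is admin' fact lives."""

    def __init__(self):
        self._sessions = {}  # opaque token -> {"user": str, "is_admin": bool}

    def login(self, user: str, is_admin: bool) -> str:
        # Assumed: called only after the caller has verified the user's credentials.
        token = secrets.token_urlsafe(32)  # unguessable, unrelated to user data
        self._sessions[token] = {"user": user, "is_admin": is_admin}
        return token

    def lookup(self, token: str):
        # Constant-time comparison avoids leaking partial matches through timing;
        # the store is small enough here to scan linearly.
        for stored, data in self._sessions.items():
            if hmac.compare_digest(stored.encode(), token.encode()):
                return data
        return None


def is_admin_hardened(cookies: dict, store: SessionStore) -> bool:
    """The cookie only names a session; the role comes from server state."""
    token = cookies.get("session")
    if not token:
        return False
    data = store.lookup(token)
    return bool(data and data["is_admin"])


def demo() -> dict:
    """Constructed scenario: one forged cookie jar and one genuine admin session."""
    store = SessionStore()
    forged = {"adminLoggedIn": "true", "session": "guessed-session-id"}  # constructed
    admin_token = store.login("admin", is_admin=True)
    genuine = {"session": admin_token}
    return {
        "vulnerable_accepts_forged": is_admin_vulnerable(forged),
        "hardened_accepts_forged": is_admin_hardened(forged, store),
        "hardened_accepts_genuine": is_admin_hardened(genuine, store),
    }
```

The same rule applies to any role, user id or "logged in" flag: keep it in server-side state keyed by an opaque random token, and never derive an authorization decision from a value the browser can edit.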
Recognizing and Avoiding Spyware
by IDF Agent on Dec.03, 2009, under Uncategorized
Because of its popularity, the internet has become an ideal target for
advertising. As a result, spyware, or adware, has become increasingly
prevalent. When troubleshooting problems with your computer, you may
discover that the source of the problem is spyware software that has been
installed on your machine without your knowledge.
What is spyware?
Despite its name, the term “spyware” doesn’t refer to something used by
undercover operatives, but rather by the advertising industry. In fact,
spyware is also known as “adware.” It refers to a category of software that,
when installed on your computer, may send you pop-up ads, redirect your
browser to certain web sites, or monitor the web sites that you visit. Some
extreme, invasive versions of spyware may track exactly what keys you type.
Attackers may also use spyware for malicious purposes.
Because of the extra processing, spyware may cause your computer to become
slow or sluggish. There are also privacy implications:
* What information is being gathered?
* Who is receiving it?
* How is it being used?
How do you know if there is spyware on your computer?
The following symptoms may indicate that spyware is installed on your
computer:
* you are subjected to endless pop-up windows
* you are redirected to web sites other than the one you typed into your
browser
* new, unexpected toolbars appear in your web browser
* new, unexpected icons appear in the task tray at the bottom of your
screen
* your browser’s home page suddenly changed
* the search engine your browser opens when you click “search” has been
changed
* certain keys fail to work in your browser (e.g., the tab key doesn’t
work when you are moving to the next field within a form)
* random Windows error messages begin to appear
* your computer suddenly seems very slow when opening programs or
processing tasks (saving files, etc.)
How can you prevent spyware from installing on your computer?
To avoid unintentionally installing it yourself, follow these good security
practices:
* Don’t click on links within pop-up windows – Because pop-up windows are
often a product of spyware, clicking on the window may install spyware
software on your computer. To close the pop-up window, click on the “X”
icon in the titlebar instead of a “close” link within the window.
* Choose “no” when asked unexpected questions – Be wary of unexpected
dialog boxes asking whether you want to run a particular program or
perform another type of task. Always select “no” or “cancel,” or close
the dialog box by clicking the “X” icon in the titlebar.
* Be wary of free downloadable software – There are many sites that offer
customized toolbars or other features that appeal to users. Don’t
download programs from sites you don’t trust, and realize that you may
be exposing your computer to spyware by downloading some of these
programs.
* Don’t follow email links claiming to offer anti-spyware software – Like
email viruses, the links may serve the opposite purpose and actually
install the spyware it claims to be eliminating.
As an additional good security practice, especially if you are concerned
that you might have spyware on your machine and want to minimize the impact,
consider taking the following action:
* Adjust your browser preferences to limit pop-up windows and cookies –
Pop-up windows are often generated by some kind of scripting or active
content. Adjusting the settings within your browser to reduce or prevent
scripting or active content may reduce the number of pop-up windows that
appear. Some browsers offer a specific option to block or limit pop-up
windows. Certain types of cookies are sometimes considered spyware
because they reveal what web pages you have visited. You can adjust your
privacy settings to only allow cookies for the web site you are visiting
(see Browsing Safely: Understanding Active Content and Cookies and
Evaluating Your Web Browser’s Security Settings for more information).
How do you remove spyware?
* Run a full scan on your computer with your anti-virus software – Some
anti-virus software will find and remove spyware, but it may not find
the spyware when it is monitoring your computer in real time. Set your
anti-virus software to prompt you to run a full scan periodically (see
Understanding Anti-Virus Software for more information).
* Run a legitimate product specifically designed to remove spyware – Many
vendors offer products that will scan your computer for spyware and
remove any spyware software. Popular products include Lavasoft’s
Ad-Aware, Microsoft’s Windows Defender, Webroot’s SpySweeper, and Spybot
Search and Destroy.
* Make sure that your anti-virus and anti-spyware software are compatible
– Take a phased approach to installing the software to ensure that you
don’t unintentionally introduce problems (see Coordinating Virus and
Spyware Defense for more information).
_________________________________________________________________
Authors: Mindi McDowell, Matt Lytle
Please visit our computer repair site for more information on how to remove spyware.
