IT Security Specialists - Digital Boundary Group's record in servicing the security verification needs of the North American law enforcement, financial services, professional services, municipal government and utilities sectors is founded upon our understanding of the mandate of these organizations to protect the confidentiality, integrity and availability of the sensitive data they obtain in the course of their operations and to operate in a safe and secure manner.  Our company provides the best in operational security assessments, security auditing and regulatory compliance assessments along with network security training and computer user social engineering training.
Current Threat Status
MODERATE RISK
This condition applies to isolated or localized active threats that pose a significant risk to corporate computing infrastructures. Immediate defensive and preventive action is required.

 MS Explorer 'iepeers.dll' Vulnerability March 2010 

Microsoft Internet Explorer 'iepeers.dll' Remote Code Execution Vulnerability

Microsoft Security Advisory (981374):
A vulnerability has been reported in Internet Explorer, which can be exploited by malicious people to compromise a user's system.  The vulnerability is caused by an unspecified use-after-free error and can be exploited by, for example, tricking a user into viewing a specially crafted web page.  Successful exploitation allows execution of arbitrary code.

NOTE: The vulnerability is currently being actively exploited.

Reference:
http://www.securityfocus.com/bid/38615
http://www.microsoft.com/technet/security/advisory/981374.mspx




 MS Security Bulletin MS10-018 - CRITICAL March 2010 

Microsoft Security Bulletin MS10-018 - Critical
Cumulative Security Update for Internet Explorer (980182)

Microsoft has issued an out-of-band security bulletin addressing a vulnerability in Microsoft Internet Explorer 6 and Internet Explorer 7.

Additional information can be found in Microsoft Security Advisory 981374 and in the associated Security Bulletin located at:
http://www.microsoft.com/technet/security/bulletin/ms10-018.mspx.




Archived Threats
 Microsoft Access Vulnerability July 2008   

Vulnerability in the ActiveX Control for the Snapshot Viewer for Microsoft Access Could Allow Remote Code Execution

Microsoft has released an unscheduled security advisory warning customers that the vendor is investigating active targeted attacks that are leveraging a vulnerability affecting the Snapshot Viewer ActiveX control for Microsoft Access.

Microsoft has reported that the issue is not being widely exploited at the moment. One or more of the following CLSIDs indicates that the computer is prone to the vulnerability:
· HKEY_CLASSES_ROOT\CLSID\{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}
· HKEY_CLASSES_ROOT\CLSID\{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}
· HKEY_CLASSES_ROOT\CLSID\{F2175210-368C-11D0-AD81-00A0C90DC8D9}

As an emergency workaround, customers are advised to set the kill bit on the following ActiveX controls:
· F0E42D50-368C-11D0-AD81-00A0C90DC8D9
· F0E42D60-368C-11D0-AD81-00A0C90DC8D9
· F2175210-368C-11D0-AD81-00A0C90DC8D9

For instructions on setting the kill bit, please see the following Microsoft support document:
How to stop an ActiveX control from running in Internet Explorer -
http://support.microsoft.com/kb/240797
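The check and workaround above can be audited centrally rather than by hand. The following is an added example (not Microsoft's tooling or the advisory's own) that reads a registry export in .reg format, reports whether each Snapshot Viewer CLSID is registered, and whether the KB240797 kill bit (bit 0x400 of "Compatibility Flags" under the ActiveX Compatibility key) is set for it; the sample export is constructed.

```python
import re

# The three Snapshot Viewer CLSIDs named in the advisory.
SNAPSHOT_VIEWER_CLSIDS = (
    "{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}",
    "{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}",
    "{F2175210-368C-11D0-AD81-00A0C90DC8D9}",
)
KILL_BIT = 0x400  # bit of "Compatibility Flags" that stops IE from loading the control (KB240797)
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"

def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here: [key] headers and "name"=dword:hex values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].upper()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=dword:" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = int(value[len("dword:"):], 16)
    return keys

def audit_snapshot_viewer(reg_text):
    """Map each CLSID to 'not registered', 'killbit set' or 'EXPOSED' (registered, no kill bit)."""
    keys = parse_reg_export(reg_text)
    report = {}
    for clsid in SNAPSHOT_VIEWER_CLSIDS:
        registered = f"{CLSID_KEY}\\{clsid}".upper() in keys
        flags = keys.get(f"{COMPAT_KEY}\\{clsid}".upper(), {}).get("Compatibility Flags", 0)
        if not registered:
            report[clsid] = "not registered"
        elif flags & KILL_BIT:
            report[clsid] = "killbit set"
        else:
            report[clsid] = "EXPOSED"
    return report

# Constructed sample export (not from a real host): one control killed, one still exposed.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}]
@="Snapshot Viewer Control"
[HKEY_CLASSES_ROOT\CLSID\{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}]
@="Snapshot Viewer Property Page"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}]
"Compatibility Flags"=dword:00000400
"""

if __name__ == "__main__":
    for clsid, status in audit_snapshot_viewer(SAMPLE_REG).items():
        print(clsid, status)
```

Export the two keys with reg.exe on each host and feed the file to audit_snapshot_viewer; any "EXPOSED" entry still needs the kill bit applied.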

For more information about this vulnerability, see the following Microsoft advisory and blog entry:
Microsoft Security Advisory (955179) -
http://www.microsoft.com/technet/security/advisory/955179.mspx




 Infected Spam - Elevated Risk July 2008   

Infected Spam - UPS Invoice, Airlines, Customs and Tax Bill ZBot Spam Scam

If you use UPS and send parcels on a regular basis, or book your flight travel online, you must be more diligent than ever.  Spammers have changed their MO and are now sending out malicious messages that claim to be from the US Customs office, UPS and commercial airlines, attempting to trick users into executing malicious code.

Malicious messages have been identified with the following subject lines:

  • Customs – We have received a parcel for you
  • Customs, please read
  • Parcel requires declaration
  • You parcel is at the customs office
  • Your order [number]
  • Online order for ticket [number]
  • Online order for airplane ticket [number]
  • Your ticket from {airlines} [number]
  • Your ticket from {airlines}
  • Your airplane ticket
  • [RE] UPS Tracking Number [number]
  • Contract of settlements
  • Contract of retirements
  • Permit for retirement
  • Loan contract

"Each campaign will catch out a few people, even computer literate people, because it just happens to resemble something they were expecting. Also remember that some spam campaigns are more professional than others. Some phishes are almost indistinguishable from legitimate emails. Sometimes one will slip through a spam filter, and sometimes the bank targeted will be your bank. Sometimes a random name will resemble someone you know, or the subject will coincide with something you were expecting," says a representative from Sophos.

Attachment Examples:

  • UPS_INVOICE_[number].zip
  • invoice_[number].zip
  • Bill_Tax.zip
  • E-ticket_[number].zip
  • Tax_Invoice.zip

Recommendations:  Preventative actions include blocking or quarantining .zip files at your mail gateway or, at minimum, filtering out mail that contains the subject lines or attachment names mentioned above.

Although detection of these variants varies, as of July 29th common detections are:

McAfee - Spy-Agent.bw (new variant)
F-Secure - Trojan-Spy:W32/Zbot.QH
Kaspersky - Trojan-Spy.Win32.Zbot.dji
Sophos - Troj/Invo-Zip
Symantec - Backdoor.Paproxy
Webwasher-Gateway - Trojan.Spy.ZBot.DB
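The gateway filter recommended above, as an added example (not part of the original advisory or any vendor's product): the advisory's subject-line and attachment templates are compiled into rules, with "[number]" and "{airlines}" treated as wildcards, and each message is either passed or quarantined with the reasons recorded. The sample messages are constructed, not real captures.

```python
import re
from email.message import EmailMessage

# Subject and attachment templates from the advisory; "[number]" and "{airlines}" are its placeholders.
SUSPECT_SUBJECTS = [
    "Customs – We have received a parcel for you", "Customs, please read",
    "Parcel requires declaration", "You parcel is at the customs office",
    "Your order [number]", "Online order for ticket [number]",
    "Online order for airplane ticket [number]", "Your ticket from {airlines} [number]",
    "Your ticket from {airlines}", "Your airplane ticket",
    "[RE] UPS Tracking Number [number]", "Contract of settlements",
    "Contract of retirements", "Permit for retirement", "Loan contract",
]
SUSPECT_ATTACHMENTS = ["UPS_INVOICE_[number].zip", "invoice_[number].zip",
                       "Bill_Tax.zip", "E-ticket_[number].zip", "Tax_Invoice.zip"]

def template_to_regex(template):
    """Turn an advisory template into an anchored, case-insensitive regex."""
    pattern = re.escape(template)
    pattern = pattern.replace(re.escape("[number]"), r"\d+")
    pattern = pattern.replace(re.escape("{airlines}"), r".+?")
    return re.compile(rf"^\s*{pattern}\s*$", re.IGNORECASE)

SUBJECT_RULES = [template_to_regex(t) for t in SUSPECT_SUBJECTS]
ATTACHMENT_RULES = [template_to_regex(t) for t in SUSPECT_ATTACHMENTS]

def classify(msg, quarantine_all_zip=True):
    """Return the reasons to quarantine msg; an empty list means deliver it."""
    reasons = []
    subject = str(msg.get("Subject", ""))
    if any(r.match(subject) for r in SUBJECT_RULES):
        reasons.append(f"subject matches ZBot campaign: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if any(r.match(name) for r in ATTACHMENT_RULES):
            reasons.append(f"attachment name matches ZBot campaign: {name}")
        elif quarantine_all_zip and name.lower().endswith(".zip"):
            reasons.append(f"zip attachment blocked by policy: {name}")
    return reasons

def build_message(subject, attachment_name=None):
    """Constructed sample message (not a real capture) for exercising the rules."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("Please see the attached document.")
    if attachment_name:
        msg.add_attachment(b"PK\x03\x04" + b"\x00" * 8, maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg

if __name__ == "__main__":
    print(classify(build_message("Your ticket from Delta 48213", "E-ticket_48213.zip")))
```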



 Microsoft Critical Security Bulletins - Sept./08 September 2008   

Microsoft has released four security bulletins for the September 2008 patch release to address several critical vulnerabilities. These issues affect the following Microsoft products and Windows components:
   Microsoft GDI+
   Microsoft Windows Media Player 11
   Microsoft Office
   Microsoft Windows Media Encoder 9

For more information, please see the following Microsoft security bulletins:
Microsoft Security Bulletin MS08-052 – Critical
Vulnerabilities in GDI+ Could Allow Remote Code Execution (954593)
http://www.microsoft.com/technet/security/Bulletin/MS08-052.mspx

Microsoft Security Bulletin MS08-053 – Critical
Vulnerability in Windows Media Encoder 9 Could Allow Remote Code Execution (954156)
http://www.microsoft.com/technet/security/Bulletin/MS08-053.mspx

Microsoft Security Bulletin MS08-054 – Critical
Vulnerability in Windows Media Player Could Allow Remote Code Execution (954154)
http://www.microsoft.com/technet/security/Bulletin/MS08-054.mspx

Microsoft Security Bulletin MS08-055 – Critical
Vulnerability in Microsoft Office Could Allow Remote Code Execution (955047)
http://www.microsoft.com/technet/security/Bulletin/MS08-055.mspx




 MS Windows Server Service Vulnerability MS08 October 2008   

Microsoft Windows Server Service Vulnerability MS08-067

Release date:  October 23, 2008
Risk:  Highly Critical (4 of 5)

A vulnerability has been reported in Microsoft Windows, which can be exploited by malicious people to compromise a vulnerable system.  The vulnerability is caused due to an error in the Server Service component when processing RPC requests and can be exploited via specially-crafted RPC requests. 
Successful exploitation allows execution of arbitrary code, but requires authenticated access on Windows Vista and Windows Server 2008.
According to Microsoft, the vulnerability is currently being actively exploited.

Affects:
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
Microsoft Windows 2000 Professional
Microsoft Windows 2000 Server
Microsoft Windows Server 2003 Datacenter Edition
Microsoft Windows Server 2003 Enterprise Edition
Microsoft Windows Server 2003 Standard Edition
Microsoft Windows Server 2003 Web Edition
Microsoft Windows Server 2008
Microsoft Windows Storage Server 2003
Microsoft Windows Vista
Microsoft Windows XP Home Edition
Microsoft Windows XP Professional

Antivirus Heuristic Detection Available:
Symantec - Bloodhound.Exploit.212, Rapid Release October 23, 2008 rev 040
McAfee - 5414 DAT, released October 23, 2008

References:   
BID: 31874
CVE-2008-4250
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-102323-4508-99
http://vil.nai.com/vil/content/v_vul40728.htm




 Buffer Overflow Issue Adobe Reader & Acrobat February 2009   

Buffer Overflow Issue in Versions 9.0 and Earlier of Adobe Reader and Acrobat

A critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system. There are reports that this issue is being exploited.

Adobe is planning to release updates to Adobe Reader and Acrobat to resolve the relevant security issue. Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009. Updates for Adobe Reader 8 and Acrobat 8 will follow soon after, with Adobe Reader 7 and Acrobat 7 updates to follow. In the meantime, Adobe is in contact with antivirus vendors, including McAfee and Symantec, on this issue in order to ensure the security of our mutual customers. A security bulletin will be published on http://www.adobe.com/support/security as soon as product updates are available.




 MS Excel Vulnerability February 2009   

Vulnerability in Microsoft Office Excel Could Allow Remote Code Execution
Microsoft Security Advisory (968272)

Microsoft has confirmed a new code execution vulnerability in the following software:
Microsoft Office Excel 2000 Service Pack 3
Microsoft Office Excel 2002 Service Pack 3
Microsoft Office Excel 2003 Service Pack 3
Microsoft Office Excel 2007 Service Pack 1
Microsoft Office Excel Viewer 2003
Microsoft Office Excel Viewer 2003 Service Pack 3
Microsoft Office Excel Viewer
Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 1
Microsoft Office 2004 for Mac
Microsoft Office 2008 for Mac

Mitigating Factors:
An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.

In a web-based attack scenario, an attacker would have to host a web site that contains an Office file that is used to attempt to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content could contain specially-crafted content that could exploit this vulnerability. An attacker would have no way to force users to visit a malicious website. Instead, an attacker would have to persuade them to visit the website, typically by getting them to click a link that takes them to the attacker's site.

The vulnerability cannot be exploited automatically through email. For an attack to be successful a user must open an attachment that is sent in an email message.

Users who have installed and are using the Office Document Open Confirmation Tool for Office 2000 will be prompted with Open, Save, or Cancel before opening a document.


References:
CVE-2009-0238
http://www.microsoft.com/technet/security/advisory/968272.mspx




 Conficker - No April Fools Joke! March 2009   

Also Known As:

Win32/Conficker.C (CA)
Trojan.Win32.Pakes.ngs (Kaspersky)
W32/Conficker.worm.gen.c (McAfee)
W32/Conficker.D.worm (Panda)
W32/Confick-G (Sophos)
W32.Downadup.C (Symantec)

Win32/Conficker.D is a variant of Win32/Conficker. Conficker.D infects the local computer, terminates services, blocks access to numerous security-related websites and downloads arbitrary code. Conficker.D can relay command instructions to other Conficker.D-infected computers via built-in peer-to-peer (P2P) communication. Unlike previous variants, this variant does not spread to removable drives or shared folders across a network. Conficker.D is installed by previous variants of Win32/Conficker.

Other variants of Win32/Conficker infect computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords.

Win32/Conficker.D Payload Details
Terminates Security Services such as Windows Security Center Service (wscsvc), Windows Update Auto Update Service (wuauserv), Background Intelligence Transfer Service (BITS) and Windows Defender (WinDefend).

Deletes Registry Values - Win32/Conficker.D deletes registry values for Windows Defender, Windows Security Center (WSC) and the Windows safe mode services list.

Terminates Processes - Win32/Conficker.D polls the process list every second for these strings and, if found, terminates the matching processes:

autoruns - "Autoruns" program
avenger - kernel-mode security program
confick - taken from the name 'Conficker'
downad - taken from the name 'Downadup' alias 'Conficker'
filemon - "File Monitor" program
gmer - rootkit detection program
hotfix - security update
kb890 - Microsoft KB article, includes MSRT
kb958 - Microsoft KB article, includes MS08-067
kido - taken from the name 'Kido', another 'Conficker' alias
klwk - Kaspersky program
mbsa. - "Microsoft Baseline Security Analyzer" program
mrt. - "Microsoft Malicious Software Removal Tool" program
mrtstub - "Microsoft Malicious Software Removal Tool" program
ms08-06 - Microsoft Security Update MS08-067
procexp - "Process Explorer" program
procmon - "Process Monitor" program
regmon - "Registry Monitor" program
scct_ - Sophos Conficker Cleanup tool
sysclean - Trend Micro tool
tcpview - tool used to view TCP connection and traffic
unlocker - tool used to unlock locked files or folders
wireshark - network protocol analyzer tool

Blocks access or causes browser time-outs to security related websites (hooks DNSAPI.DLL to prevent access to websites).

Downloads Arbitrary Files - obtains the current date/time from the following Web servers:
baidu.com
google.com
yahoo.com
ask.com
w3.org
facebook.com
imageshack.us
rapidshare.com

Once a day, Win32/Conficker.D may build one of 50,000 URLs to download files starting on April 1, 2009. The worm uses one of the following top level domains from over 100 different countries, and only visits 500 of the generated URLs within a 24-hour period:

.ac; .ae; .ag; .am; .as; .at; .be; .bo; .bz; .ca; .cd; .ch; .cl; .cn; .co.cr; .co.id; .co.il; .co.ke; .co.kr; .co.nz; .co.ug; .co.uk; .co.vi; .co.za; .com.ag; .com.ai; .com.ar; .com.bo; .com.br; .com.bs; .com.co; .com.do; .com.fj; .com.gh; .com.gl; .com.gt; .com.hn; .com.jm; .com.ki; .com.lc; .com.mt; .com.mx; .com.ng; .com.ni; .com.pa; .com.pe; .com.pr; .com.pt; .com.py; .com.sv; .com.tr; .com.tt; .com.tw; .com.ua; .com.uy; .com.ve; .cx; .cz; .dj; .dk; .dm; .ec; .es; .fm; .fr; .gd; .gr; .gs; .gy; .hk; .hn; .ht; .hu; .ie; .im; .in; .ir; .is; .kn; .kz; .la; .lc; .li; .lu; .lv; .ly; .md; .me; .mn; .ms; .mu; .mw; .my; .nf; .nl; .no; .pe; .pk; .pl; .ps; .ro; .ru; .sc; .sg; .sh; .sk; .su; .tc; .tj; .tl; .tn; .to; .tw; .us; .vc; .vn

The generated domain name is first resolved to an IP address in dotted notation; for example, 'aaovt.com' may resolve to '192.168.16.0'. That IP address is then used in the URL, according to the following pattern:

            http://<pseudo-random generated IP>/search?q=%d

After a successful download and execution from a generated URL, Win32/Conficker.D lies dormant for four days before resuming URL monitoring.

Connects to Other Infected Computers via P2P Network:
Win32/Conficker.D can distribute and receive commands from other computers infected with Conficker.D via a built-in peer-to-peer (P2P) network. This mechanism could be used to distribute additional malware to and from infected machines.

To connect to other infected computers, Win32/Conficker.D opens four ports on each available network interface: two TCP and two UDP. The first TCP and UDP port numbers are calculated from the IP address of the network interface. The second TCP and UDP port numbers are calculated from the IP address of the network interface and the current week, so this second pair changes weekly. In short, the first set of ports is constant and remains open week after week, while the second set changes weekly.

When computing the current week, Win32/Conficker.D attempts to determine the time in GMT so that all port changes occur at the same time.

Both TCP listening ports behave in an identical fashion, as do both UDP listening ports. These ports are used by an infected computer to communicate with other computers also infected with Win32/Conficker.D.
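The download URL pattern described above (a generated IP as the host, then /search?q=%d) is distinctive enough to look for in web proxy logs. The following is an added example, not part of the advisory or of any vendor's tooling: it assumes Squid-style access log lines, flags requests whose URL has that exact shape with a syntactically valid IPv4 host, and ignores ordinary requests to the time-source sites listed above. The sample log is constructed.

```python
import re
from ipaddress import IPv4Address

# Conficker.D download URL shape from the advisory: a generated IP as host, path /search?q=<number>.
CONFICKER_URL = re.compile(r"^http://(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/search\?q=\d+$")

# Squid-style access log fields: timestamp elapsed client status/code bytes method url ...
SQUID_LINE = re.compile(r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")

def is_conficker_download(url):
    """True when url has the generated-IP /search?q=%d shape and the host is a valid IPv4 address."""
    m = CONFICKER_URL.match(url)
    if not m:
        return False
    try:
        IPv4Address(m.group("host"))  # rejects octets above 255
    except ValueError:
        return False
    return True

def scan_proxy_log(lines):
    """Return (client, url) pairs from proxy log lines that look like Conficker.D update fetches."""
    hits = []
    for line in lines:
        m = SQUID_LINE.match(line)
        if m and is_conficker_download(m.group("url")):
            hits.append((m.group("client"), m.group("url")))
    return hits

# Constructed sample log (not a real capture); timestamps fall on 2009-04-01 UTC.
SAMPLE_LOG = """\
1238544000.123    45 10.0.0.15 TCP_MISS/200 312 GET http://www.google.com/ - DIRECT/74.125.0.1 text/html
1238544001.456    60 10.0.0.15 TCP_MISS/404 220 GET http://203.0.113.9/search?q=3 - DIRECT/203.0.113.9 text/html
1238544002.789    30 10.0.0.22 TCP_MISS/200 980 GET http://192.168.16.0/search?q=17 - DIRECT/192.168.16.0 text/html
1238544003.000    20 10.0.0.22 TCP_HIT/200 512 GET http://www.example.com/search?q=conficker - NONE/- text/html
"""

if __name__ == "__main__":
    for client, url in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(f"{client} fetched {url}")
```

Each flagged client is a candidate for the MS08-067 patch check and a full antivirus scan listed in the prevention steps.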

Take the following steps to help prevent infection on your system:

Apply the latest computer updates for all your installed software, including Security Bulletin MS08-067.

Use up-to-date antivirus software and perform full system scans to detect infections.

Ensure that network passwords are strong to prevent Win32/Conficker variants from spreading via weak administrator passwords.

References:

http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx




 MS PowerPoint Vulnerability April 2009   

Vulnerability in Microsoft Office PowerPoint Could Allow Remote Code Execution

Microsoft is investigating new reports of a vulnerability in Microsoft Office PowerPoint that could allow remote code execution if a user opens a specially-crafted PowerPoint file. At this time, we are aware only of limited and targeted attacks that attempt to use this vulnerability.

For more information, please refer to Microsoft’s Security Bulletin 969136 located at:  http://www.microsoft.com/technet/security/advisory/969136.mspx




 Adobe Flash Vulnerability July 2009   

Adobe Flash vulnerability affects Flash Player and other Adobe products.

Adobe Flash contains a vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Adobe Flash Player, Reader, Acrobat, and other products that include Flash support are affected.

An attacker may be able to trigger this vulnerability by convincing a user to open a specially crafted Flash (SWF) file. The SWF file could be hosted or embedded in a web page or contained in a Portable Document Format (PDF) file. If an attacker can take control of a website or web server, otherwise trusted sites could be used to exploit this vulnerability.

This vulnerability affects Adobe Flash versions 9.0.159.0 and 10.0.22.87 and earlier 9.x and 10.x versions. Adobe Reader 9, Acrobat 9, and other Adobe products (including Photoshop CS3, PhotoShop Lightroom, Freehand MX, Fireworks) provide Flash support independent of Flash Player. As of 2009-07-22, Adobe Reader 9.1.2 includes Flash 9.0.155.0, which is likely vulnerable to issues addressed by Flash 9.0.159.0 (APSB09-01).

This vulnerability is being actively exploited. We are currently unaware of a complete solution to this problem. Please see Adobe Product Security Advisory APSA09-03 for additional information.

It is important to apply updates and mitigations not only to Flash Player, but also to Adobe Reader, Acrobat, and other products that have independent Flash support.




Copyright © Digital Boundary Group. All Rights Reserved.