Tuesday, August 24. 2010
Microsoft confirms remote code-execution bug

Microsoft's advisory has confirmed that the attacks exploit a weakness in the way programs load associated libraries. The binary files can be located in a variety of directories, including network shares controlled by a malicious hacker. According to Microsoft, the vulnerability exists in Windows applications made by third-party developers; it is still investigating whether any Microsoft programs are susceptible to the "binary planting" or "DLL preloading" attacks.

According to the Microsoft Security Response Center blog, this issue cannot be directly addressed in Windows without breaking expected functionality. Instead, it requires developers to ensure their library loads are coded securely. The attack works because many applications ignore best security practices and search for a library by file name only, rather than by its full directory path. When the current working directory is set to one controlled by the attacker, the application can be made to load a malicious file from there.

Microsoft suggests that admins disable WebDAV and block outgoing SMB connections on ports 445 and 139. Additionally, it has released a software tool that changes the way Windows searches for DLL files. There are different versions of the tool depending upon the Windows version you use. You can download the tool from here.

Monday, August 23. 2010
Windows applications affected by remote code-execution bug

According to Mitja Kolsek, CEO of Acros Security, the critical vulnerability, which has already been patched in Apple's iTunes media player for Windows and in VMware Tools, will be difficult to fix, because each application will ultimately need to receive its own patch. Security researchers from Acros have found that about 200 of the 220 applications they have tested so far suffer from this "binary-planting" bug.
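The three workarounds from the Microsoft advisory (disable WebDAV, block outbound SMB, apply the DLL search-order fix), scripted as an added example; this is not code from the post, from Acros or from Microsoft. It assumes the CWDIllegalInDllSearch registry value that Microsoft's KB2264107 tool sets, and the firewall rule names and the $CwdPolicy parameter are this example's own.

```powershell
# Added example (not from the original post): applies the three workarounds
# from Microsoft's advisory on one Windows host. Run from an elevated prompt.
# The CWDIllegalInDllSearch registry value is the setting Microsoft's
# KB2264107 tool configures; its documented values are assumed here:
#   0xFFFFFFFF  block DLL loads from the current working directory entirely
#   2           block them only when the CWD is a remote (SMB/WebDAV) share
#   1           block them only when the CWD is a WebDAV share
# Rule names and the $CwdPolicy parameter are this example's own.
param(
    # -1 is PowerShell's Int32 spelling of 0xFFFFFFFF (stored as REG_DWORD).
    [int]$CwdPolicy = 2
)

$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

# 1. System-wide DLL search hardening (what the Microsoft tool sets).
#    Takes effect for newly started processes.
New-ItemProperty -Path $key -Name 'CWDIllegalInDllSearch' `
    -PropertyType DWord -Value $CwdPolicy -Force | Out-Null

# 2. Disable the WebDAV client so a UNC link cannot silently become the
#    current working directory of a vulnerable application.
Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
Set-Service  -Name WebClient -StartupType Disabled

# 3. Block outbound SMB (TCP 445 and 139) so a DLL search that falls
#    through to the network cannot reach an attacker-controlled share.
foreach ($port in 445, 139) {
    netsh advfirewall firewall add rule `
        name="Block outbound SMB $port (binary planting)" `
        dir=out action=block protocol=TCP remoteport=$port | Out-Null
}

# Show what was applied.
Get-ItemProperty -Path $key -Name 'CWDIllegalInDllSearch' |
    Select-Object CWDIllegalInDllSearch
Get-Service -Name WebClient
netsh advfirewall firewall show rule name=all dir=out |
    Select-String 'binary planting'
```

The strict value 0xFFFFFFFF can break applications that legitimately load DLLs from their working directory, so test it before deploying fleet-wide. The firewall rules also cut off legitimate SMB access to remote file servers and, as the post notes, do nothing against a share on the local network.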
The bug allows attackers to execute malicious code on Windows machines by getting the media player to open a file located on the same network share as a maliciously designed DLL file. Until a fix is released, users can reduce their exposure by blocking outbound SMB connections on ports 445 and 139 and by blocking WebDAV. This will not prevent attacks originating from the local network, which can be a problem in large organisations, where compromised machines infect other PCs on the network. A detailed advisory can be found here.

Tuesday, July 20. 2010
Coca-Cola scam on Facebook
"I am part of the 98.0% of people that are NEVER gonna drink Coca Cola again after this HORRIFIC video --> http://www.[deleted_link_to_video]".
What will you do if you get such a post on your Facebook wall via a friend? Obviously you will be tempted to click the link. If you click on it, you'll be asked to share the video seven times. But you will realise that you are not making any progress. So eventually you'll be tempted to click on a link that says "Cant Be Bothered To Wait? --> Click Here To Skip This.". This link takes you to a poll, which asks you for personal information. Needless to say, you must not provide it.

So Facebook users, beware! Please do not click on any suspicious links. And avoid providing your personal information unless you're absolutely sure who you're giving it to.

Friday, July 16. 2010
For Windows XP Service Pack 2 users

Windows XP SP2 has received its last patches: apart from the base OS itself, Internet Explorer, Windows Media Player, Outlook Express and the other Windows XP SP2 components have also seen their final updates. However, support for Windows Embedded XP SP2 (which is frequently used in ATMs and point-of-sale terminals) will extend until January 2011. Microsoft advises all Windows XP SP2 users to upgrade to either Windows XP SP3 or, preferably, Windows 7. Windows XP SP3 was released in April 2008 and will be supported until April 2014.

Tuesday, June 29. 2010
Adobe releases emergency patch for Reader and Acrobat
Adobe has released an emergency update that patches at least 17 holes in its Reader and Acrobat applications. Adobe had scheduled the patches for July 13, but since the critical vulnerabilities were being actively exploited, the company released the fixes ahead of time.
The fixes address a vulnerability in the Windows, Mac and Linux versions of the reader that allows hackers to remotely install malware on end users' machines by tricking them into opening a booby-trapped document. The flaw resided in the authplay.dll, AuthPlayLib.bundle and libauthplay.so.0.0.0 files on Windows, Mac and Linux machines respectively. Researcher Didier Stevens had shown that by misusing a feature of the PDF specification, hackers could embed a malicious payload in a document and trick Adobe's Reader and Acrobat applications (as well as the competing Foxit Reader) into executing it. Rajesh had blogged about the "/Launch" attack here. Adobe said it has added code to block any attempt to launch an executable file by default. Moreover, it has also altered the way the existing warning dialog appears, so as to foil known social-engineering attacks.

Thursday, May 20. 2010
Vulnerability in 64-bit Windows 7 & Windows Server 2008 R2
Microsoft has warned users of a vulnerability in 64-bit Windows 7 and Windows Server 2008 R2.
According to Microsoft's Jerry Bryant, they are investigating a vulnerability in the Windows Canonical Display Driver (cdd.dll), which enables applications to use graphics and formatted text on the video display and printer. The vulnerability is due to the driver's failure to properly parse information copied from user mode to kernel mode. The bug would most likely only cause vulnerable machines to reboot. But if an attacker could bypass Windows's memory randomisation protection (ASLR), which is designed to prevent code-execution attacks, it could allow a hacker to silently install malware. The malware can be installed by tricking the victim into viewing a malicious image file on a website or in email.

According to Microsoft, they are working on a security update to address the vulnerability. In the meantime, users can prevent attacks by disabling the Windows Aero theme. To turn it off, choose Start -> Control Panel -> Appearance and Personalization -> Change the Theme, then select one of the Basic and High Contrast themes. The Microsoft Security Advisory can be read here.

Tuesday, May 11. 2010
"Account Alert" mail.....Nothing but spam

Like everyone, I keep on getting such stupid/funny mails. Yesterday I received one such mail (shown above) on my Windows Live ID. The subject is "ACCOUNT ALERT", which would make anyone open the mail, and so did I. The From field displays the name "Windows Live Team", but the email ID shown is totally irrelevant, unless Microsoft has gone into the scooter-spares business. The mail body tries to explain that congestion due to "anonymous" registrations is the reason why "genuine" accounts (like the one I have) will be deleted……Wow…….Superb! Next, it asks for username, password and other personal information. Lastly, it displays a warning, which is enough to make many users reply with their personal information. No genuine email service asks you for your personal information in the way this mail does.
So the first thing to do after reading such a mail is……….DELETE IT.

Friday, May 7. 2010
Iceland volcano scam

Time and again we have seen how good email scammers are at exploiting the latest news to concoct mails intended to empty your pockets. This time they are out to deceive passengers stranded by the Icelandic Eyjafjallajokull volcanic eruption. The (above) email comes from a fake "Frank Adam" at the Civil Aviation Authority and invites recipients to apply for compensation. Anyone replying with their personal information will be asked for an administration fee to release the payment, or will be sent a fake cheque and asked to send the fee by wire transfer once the cheque is deposited in their account. Such frauds are known as advance-fee fraud and are intended to part you from your cash and, yes, in some cases also your personal information.

Thursday, May 6. 2010
Identity theft through spam mail

I received this mail yesterday. A few points to note about the mail: The From field (which is blacked out) tries to portray a genuine name. The To field suggests that the mail may not be directed to me alone, which contradicts the mail body, which proposes the deal to me. The Subject field prompts me to reply urgently. The mail body is well composed. The first paragraph tries to prove the genuineness of the sender by providing a legitimate link to the merger news. The second paragraph sets up a background, again by providing a legitimate link to the plane-crash news. The third and final paragraph lures by offering a percentage partnership, but at the cost of personal information (full name, address, age, occupation, telephone and fax numbers). So ignore such mails and don't reveal your personal information.

Tuesday, April 27. 2010
Scammers target iPad users

Of late, one of the most talked-about gadgets is the iPad. It is estimated that over a million iPads have already been sold to date.
With such a huge customer base in such a short span, coupled with the ever-increasing craze for the gadget, malware writers couldn't have asked for better targets. They are sending emails claiming that the iPad needs an iTunes software update installed on the owner's PC for best performance, newer features and security. The email contains a malicious link which directs the victim to a fake but perfect imitation of the iTunes software download page. Once downloaded and run, the malware injects itself into the explorer.exe process to steal passwords and other valuable data. Ironically, it's the Windows PCs that are being targeted, and not the iPad.

Monday, April 26. 2010
Hackers exploit McAfee false positive problem
Hackers are at it again, and blackhat Search Engine Optimisation (SEO) is once more being employed to exploit breaking news. This time hackers are exploiting an issue with McAfee's anti-virus product that has caused thousands of computers around the world to reboot repeatedly. If you search for the McAfee issue, you will find that cybercriminals have managed to get poisoned web pages high in the search rankings.
Earlier, McAfee had released an update that caused its anti-virus product to detect a genuine Windows file, svchost.exe, as "W32/Wecorl.a", which caused computers to reboot repeatedly. McAfee has already apologised and withdrawn the buggy update, but malicious hackers continue to exploit the situation. Clicking on the links listed in the search results may infect your computer with fake anti-virus, which attempts to trick you into providing your credit card details or installing malicious software on your computer.

This is not the first time that hackers have exploited such news. A few examples in the past were related to news like "Michael Jackson Dead", "Obama Nobel Peace Prize", "Tsunami in Asia", etc. Search engines (like Google, Bing, etc.) always do their bit to remove such malicious links as fast as they can. But as a user, be aware that such breaking news is exploited and will be exploited in future as well. So it's better to avoid visiting unknown websites!!

Wednesday, April 21. 2010
Microsoft working on a fix for Internet Explorer 8 flaw
Microsoft is working on a fix for an Internet Explorer 8 vulnerability that can enable serious security attacks against websites that are otherwise safe. Ironically, the flaw resides in the XSS (cross-site scripting) filter, a protection feature in Internet Explorer 8 that is designed to prevent XSS attacks against sites.
XSS exploits allow attackers to inject malicious code into trusted websites by convincing victims to click on booby-trapped links. Microsoft's XSS filter (introduced in Internet Explorer 8) and Mozilla Firefox's NoScript add-on are designed to prevent such attacks. The fix, which will be introduced in June, is the third such fix, after one in January and another in March. David Ross of the Microsoft Security Response Center has something to say on it here.

Tuesday, March 9. 2010
Internet Explorer vulnerability could allow Remote Code Execution
If you are using an older version of Internet Explorer (IE 6 or IE 7), you have a strong reason to upgrade to Internet Explorer 8.
Attackers are exploiting a security bug in the older versions of Internet Explorer that allows them to remotely execute malicious code. The vulnerability exists due to an invalid pointer reference being used within Internet Explorer: under certain conditions the invalid pointer can be accessed after an object has been deleted. In a specially crafted attack, Internet Explorer can be made to allow remote code execution while attempting to access the freed object. Microsoft said: "At this time, we are aware of targeted attacks attempting to use this vulnerability." The vulnerability exists in Internet Explorer 6 and Internet Explorer 7, and not in Internet Explorer 8. This Internet Explorer vulnerability is different from the one I blogged about last week under "Internet Explorer .HLP vulnerability on Windows XP".

Quick Heal's Browsing Protection feature protects Quick Heal users from attacks exploiting this vulnerability. Moreover, we still recommend all Internet Explorer 6 and Internet Explorer 7 users to upgrade to Internet Explorer 8. The Microsoft Security Advisory is at the following link: http://www.microsoft.com/technet/security/advisory/981374.mspx

Tuesday, March 2. 2010
Internet Explorer .HLP vulnerability on Windows XP
Microsoft's security team is investigating a security vulnerability reported at http://isec.pl/ by Maurycy Prodeus.
The vulnerability is observed on operating systems older than Windows Vista (i.e. Windows XP). In this attack, an attacker hosting a malicious website can remotely run arbitrary code by convincing the user to press the computer's F1 key in response to a pop-up window. The vulnerability results from passing an SMB (Samba) share as the help-file parameter, combined with a stack-based buffer overflow in winhlp32.exe when the parameters are too long. There are no reports of attacks exploiting the weakness. Microsoft plans to issue guidance once its investigation is completed. Microsoft's Jerry Bryant says more on it here: http://blogs.technet.com/msrc/archive/2010/02/28/investigating-a-new-win32hlp-and-internet-explorer-issue.aspx

Saturday, February 27. 2010
Rogueware "Security essentials 2010"
Microsoft has warned Windows users to be cautious about a piece of rogueware (fake security software) which calls itself Security Essentials 2010, as opposed to Microsoft Security Essentials, which is a genuine security product from Microsoft.
Security Essentials 2010 installs a fake virus scanner on your machine and blocks some processes. It also blocks access to the websites of some antivirus companies. It does this by downloading a Win32/Alureon component and a Layered Service Provider (LSP) component which monitors the TCP traffic sent by various web browsers and blocks any traffic to certain domains. Moreover, Security Essentials 2010 charges you to scan and remove files on your machine, claiming that the version you initially downloaded is a trial edition. This is contrary to Microsoft Security Essentials, which is free for genuine Windows users. Microsoft has blogged about it here: http://blogs.technet.com/mmpc/archive/2010/02/24/if-it-calls-itself-security-essentials-2010-then-it-s-possibly-fake-innit.aspx