BuyLow.com Computers And Internet - Internet Security, Computers, Mobile Devices, Networks


Active Exploitation of Microsoft Internet Explorer 7 Vulnerability

US-CERT is aware of a public report indicating active exploitation of a previously patched vulnerability in Microsoft Internet Explorer 7. This vulnerability was addressed in Microsoft Security Advisory MS09-002. Additional information is available in US-CERT Technical Cyber Security Alert TA09-041A.

US-CERT encourages users to apply the update or workarounds as specified in Microsoft Security Advisory MS09-002. Additional information can be found in Microsoft Knowledge Base Article 961260.

Microsoft Updates for Multiple Vulnerabilities

Systems Affected:
* Microsoft Internet Explorer
* Microsoft Office Visio
* Microsoft Exchange and SQL Server

Overview
Microsoft has released updates that address vulnerabilities in Microsoft Windows and Windows Server.

I. Description
As part of the Microsoft Security Bulletin Summary for February 2009, Microsoft released updates to address vulnerabilities that affect Microsoft Windows, Internet Explorer, Exchange Server, SQL Server, Office, and other related components.

II. Impact
A remote, unauthenticated attacker could gain elevated privileges, execute arbitrary code or cause a vulnerable application to crash.

III. Solution
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for February 2009. The security bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. Administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).

BlackBerry Security Advisory

Research In Motion has released a Security Advisory to address a vulnerability in the BlackBerry Application Web Loader ActiveX control. By convincing a user to view a specially crafted HTML document, an attacker may be able to execute arbitrary code with the privileges of the user. The attacker could also cause Internet Explorer to crash.

US-CERT encourages users to review BlackBerry Security Advisory KB16248 and apply the resolution or implement the workaround listed in the document to help mitigate the risk.

IRS Stimulus Package Phishing Scam

US-CERT is aware of public reports indicating that phishing scams are circulating via fraudulent U.S. Internal Revenue Service emails offering users stimulus package payments. These emails include text that attempts to convince users to follow a link to a website or to complete an attached document. The website and document request the user to provide personal information.

Users receiving the fraudulent email messages are encouraged to send the email message and the website URL to the IRS at phishing@irs.gov.

US-CERT encourages users to do the following to help mitigate the risks:

* Do not follow unsolicited web links received in email messages.
* Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
* Refer to the Avoiding Social Engineering and Phishing Attacks (pdf) document for more information on social engineering attacks.
* Review the How to Report and Identify Phishing, E-mail Scams and Bogus IRS Web Sites document on the IRS website.

Google’s Latitude Tracks Your Every Move

Google has released a new application called Latitude. The service allows a user to share their physical location with friends and family. Using cell phone towers and Wi-Fi connections, Google creates a map that shows your location and movements. Though they claim your privacy is protected, many people are concerned.

Here is how Google describes the service:

Share locations
Location sharing starts only when both you and a friend agree. Invite friends via email or easily add them from your Gmail contacts.

Share status
Create a status message and upload your photo within Latitude. It also syncs directly with Google Talk. Check your friends’ status messages to see what your friends are up to.

Contact your friends
Quickly contact your friends with an SMS, IM, or phone call. You can also get directions to lead you to your friends.

Control privacy
You can share, set, or hide your location – or turn off Google Latitude – from the privacy menu. You can also hide your location or share only a city-level location with certain friends.

The Privacy FAQs:
The Google Privacy Policy and our various product-specific privacy notices describe how we treat personal information when you use Google’s products and services, including any of Google’s mobile products and services. In addition, the following describes our mobile privacy practices.

Mobile-specific information we collect

* Most of the personally identifying information we collect is what you tell us about yourself. For example, certain of our products and services allow you to interact and share personal information and data with others. You choose what you want to share and how you want to share it.
* Sometimes, we record your phone number. We record your phone number when you send it to us; ask us to remember it; or make a call or send a text message or SMS to or from Google. If you ask us to remember your phone number, we will associate your phone number with your Google Account, or, if you do not have a Google Account, with some other similar account ID. We often generate this account ID based on your device and hardware IDs, so if you change your device or hardware, you will have to re-associate this new device or hardware with your account before we can authenticate you.
* Most of the other information we collect for mobile, such as your device and hardware IDs and device type, the request type, your carrier, your carrier user ID, and the content of your request, does not by itself identify you to Google, though it may be unique or consist of or contain information that you consider personal.
* If you use location-enabled products and services, such as Google Maps for mobile, you may be sending us location information. This information may reveal your actual location, such as GPS data, or it may not, such as when you submit a partial address to look at a map of the area.
* Certain of our products and services allow you to personalize the content you receive from us. For these products and services, we will record your preferences and any information you provide about yourself or your interests (such as a list of your stocks to personalize your stock listings).
* If you use Google to transcode, or format, non-mobile pages to display properly on your device, we need to send your request to Google’s servers for formatting. That means that we will record these requests, which are generally for material beyond Google’s sites.
* For products and services with voice recognition capabilities, we collect and store a copy of the voice commands you make to the product or service. To improve processing of your voice commands, we may also continuously record in temporary memory a few seconds of ambient background noise. This recording stays only temporarily on the device and is not sent to Google.

Uses

* We use your information to process and personalize your requests. We also use the information for support, to develop new features, and to improve the overall quality of Google’s products and services.
* We may also use the information to show you a history of your activity, to provide you with statistics about you or your use of our product or service, or to provide you with a better user experience.
* If you purchase something through Google, we may also use your information to bill you and to handle billing disputes.

Information sharing and onward transfer

* All requests must be sent through your mobile carrier’s network and your carrier may have access to it. For information regarding your carrier’s treatment of your information, please consult your carrier’s privacy policies.
* We may share your information with certain third parties we use to perform certain functions, such as billing and text message or SMS delivery. These third parties will be contractually bound to treat your information in accordance with the applicable Google privacy policies.
* Certain of our products and services allow you to interact and share your information with others. Please consider carefully before disclosing any personal information or data that might be accessible to others.

Your choices

* Certain of our products and services allow you to opt-out of certain information gathering and sharing or to opt-out of certain products, services, or features. Each product has a help page which describes these and other options.

Privacy: Location privacy
Google does not share an individual person’s location with third parties without explicit permission. Before someone can view your location, you must either send a location request by adding them as a friend or accept their location request and choose to share back your location. Your location is only shared with your chosen contacts when you have enabled Latitude and have it open or have allowed it to share location in the background on your device. To see who can view your location at any time, simply open the Latitude list view to see all contacts with whom you’re sharing.

For more privacy info, please see our Mobile Privacy Policy.

Note: My Location (beta) and Latitude are two separate features for Google Maps for mobile and can be enabled or disabled independently. My Location provides Google Maps for mobile with your approximate location so that you can zoom in on your current location or search for nearby businesses easily. While Latitude associates your location with a Google Account and shares it with your selected friends, My Location does not associate your location with an account or phone number. You can disable Latitude at any time from its privacy menu and still continue to use My Location without sharing your location with your friends.

Malicious Code Spreading Via Valentine’s Day Spam

US-CERT is aware of public reports of malicious code circulating via spam email messages related to Valentine’s Day. These messages contain a link to a website that contains several images of hearts and instructs users to choose one image. If users click on one of the images, they will be prompted to download an executable file. Reports indicate that the executable files could be named: youandme.exe, onlyyou.exe, you.exe, and meandyou.exe (please note that these file names may change at any time). If users accept the download, malicious code may be installed onto their systems.

US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:

* Install antivirus software, and keep virus signatures up to date.
* Do not follow unsolicited links and do not open unsolicited email messages.
* Use caution when visiting untrusted websites.
* Use caution when downloading and installing applications.
* Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
* Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.

Protecting Portable Devices: Data Security

National Cyber Alert System
Cyber Security Tip ST04-020

Why do you need another layer of protection?

Although there are ways to physically protect your laptop, PDA, or other portable device (see Protecting Portable Devices: Physical Security for more information), there is no guarantee that it won’t be stolen. After all, as the name suggests, portable devices are designed to be easily transported. The theft itself is, at the very least, frustrating, inconvenient, and unnerving, but the exposure of information on the device could have serious consequences. Also, remember that any devices that are connected to the internet, especially if it is a wireless connection, are also susceptible to network attacks (see Securing Wireless Networks for more information).

What can you do?

* Use passwords correctly – In the process of getting to the information on your portable device, you probably encounter multiple prompts for passwords. Take advantage of this security. Don’t choose options that allow your computer to remember passwords, don’t choose passwords that thieves could easily guess, use different passwords for different programs, and take advantage of additional authentication methods (see Choosing and Protecting Passwords and Supplementing Passwords for more information).

* Consider storing important data separately – There are many forms of storage media, including floppy disks, zip disks, CDs, DVDs, and removable flash drives (also known as USB drives or thumb drives). By saving your data on removable media and keeping it in a different location (e.g., in your suitcase instead of your laptop bag), you can protect your data even if your laptop is stolen. You should make sure to secure the location where you keep your data to prevent easy access.

* Encrypt files – By encrypting files, you ensure that unauthorized people can’t view data even if they can physically access it. You may also want to consider options for full disk encryption, which prevents a thief from even starting your laptop without a passphrase. When you use encryption, it is important to remember your passwords and passphrases; if you forget or lose them, you may lose your data.

* Install and maintain anti-virus software – Protect laptops and PDAs from viruses the same way you protect your desktop computer. Make sure to keep your virus definitions up to date (see Understanding Anti-Virus Software for more information).

* Install and maintain a firewall – While always important for restricting traffic coming into and leaving your computer, firewalls are especially important if you are traveling and utilizing different networks. Firewalls can help prevent outsiders from gaining unwanted access (see Understanding Firewalls for more information).

* Back up your data – Make sure to back up any data you have on your computer onto a CD-ROM, DVD-ROM, or network (see Good Security Habits and Real-World Warnings Keep You Safe Online for more information). Not only will this ensure that you will still have access to the information if your device is stolen, but it could help you identify exactly which information a thief may be able to access. You may be able to take measures to reduce the amount of damage that exposure could cause.

Before You Connect a New Computer to the Internet

by United States Emergency Readiness Team

I. Motivating Factors

The CERT/CC has composed this Tech Tip to address a growing risk to Internet users without dedicated IT support. In recent months, we have observed a trend toward exploitation of new or otherwise unprotected computers in increasingly shorter periods of time. This problem is exacerbated by a number of issues, including:

* Many computers’ default configurations are insecure.
* New security vulnerabilities may have been discovered between the time the computer was built and configured by the manufacturer and the user setting up the computer for the first time.
* When upgrading software from commercially packaged media (e.g., CD-ROM, DVD-ROM), new vulnerabilities may have been discovered since the disc was manufactured.
* Attackers know the common broadband and dial-up IP address ranges, and scan them regularly.
* Numerous worms are already circulating on the Internet continuously scanning for new computers to exploit.

As a result, the average time-to-exploitation on some networks for an unprotected computer is measured in minutes. This is especially true in the address ranges used by cable modem, DSL, and dial-up providers.

Standard advice to home users has been to download and install software patches as soon as possible after connecting a new computer to the Internet. However, since the background intruder scanning activity is pervasive, it may not be possible for the user to complete the download and installation of software patches before the vulnerabilities they are trying to fix are exploited. This Tech Tip offers advice on how to protect computers before connecting them to the Internet so that users can complete the patching process without incident.

II. Recommendations

The remainder of this document is divided into two major sections: General Guidance and Operating-System-specific steps.

1. General Guidance

The goal of this document is to provide sufficient protection to a new computer so a user can complete the download and installation of any software patches that have been released since the computer was built or the software media (e.g., CD-ROM or DVD-ROM) being installed was manufactured. Note that these steps are not intended to be a complete guide to securely maintaining a computer once the initial download and installation of patches is completed. Additional tips and references about securely maintaining a computer are at the end of this document.

Notes:
* We recommend following the steps below when upgrading to a new operating system from disc(s) as well as when connecting a new computer to the Internet for the first time.
* Perform these steps before connecting to the Internet for the first time.

Following are the general steps we recommend:
1. If possible, connect the new computer behind a network (hardware-based) firewall or firewall router.

A network firewall or firewall router is a hardware device that users can install between the computers on their Local Area Network (LAN) and their broadband device (cable/DSL modem). By blocking inbound access to the computers on the LAN from the Internet at large (yet still allowing the LAN computers’ outbound access), a hardware-based firewall can often provide sufficient protection for a user to complete the downloading and installation of necessary software patches. A hardware-based firewall provides a high degree of protection for new computers being brought online.

If you are connecting your computer behind a firewall or router that provides Network Address Translation (NAT), and if either of the following are true: (a) the new machine is the only computer connected to the LAN behind the firewall, or (b) all other machines connected to the LAN behind the firewall are up to date on patches and are known to be free of viruses, worms, or other malicious code, you may not need to additionally enable a software firewall.

2. Turn on the software firewall included with the computer, if available.

If your operating system includes a built-in software firewall, we recommend that you enable it in order to block incoming connections from other computers on the Internet.

As mentioned above, if your computer is going to be connected to a local network behind a hardware-based firewall and all other computers (if any) on that local network are known to be fully patched and free of malicious code, this step is optional. However, as part of a “defense-in-depth” strategy, we recommend enabling the built-in firewall software included with your operating system regardless.

If your operating system does not include a built-in software firewall, you may wish to install a third-party firewall application. Many such applications are available at relatively little (or sometimes no) cost. However, given that the issue we’re trying to address is the relatively short lifespan of an unprotected computer on the open Internet, we recommend that any third-party firewall application be installed from media (CD-ROM, DVD-ROM, or floppy disc) before connecting to a network rather than downloaded directly to the unprotected computer. Otherwise, it may be possible for the computer to be exploited before the download and installation of such software is complete.

3. Disable nonessential services, such as file and print sharing.

Most operating systems are not configured with file and print sharing enabled by default, so this shouldn’t be an issue for most users. However, if you are upgrading a computer to a new operating system and that computer had file or print-sharing enabled, it is likely that the new operating system will have file and print sharing enabled as well. Since the new operating system may have vulnerabilities that were not present in the older version being upgraded, disable file and print sharing in the older version before beginning the upgrade process. After the upgrade is complete and all relevant patches have been installed, file sharing can be re-enabled if needed.

4. Download and install software patches as needed.

Once the computer has been protected from imminent attack through the use of either a hardware or software-based firewall and the disabling of file and print sharing, it should be relatively safe to connect to the network in order to download and install any software patches necessary. It is important not to skip this step since otherwise the computer could be exposed to exploitation if the firewall were to be disabled or file/print sharing turned back on at some later date.

Download software patches from known, trusted sites (i.e., the software vendors’ own sites), in order to minimize the possibility of an intruder gaining access through the use of Trojan horse software.
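
A check that step 3 took effect before moving on to step 4, added here as an example and not part of the CERT/CC Tech Tip: it parses `netstat -an` output in the Windows and Mac OS X layouts and reports file- and print-sharing ports bound to a non-loopback address. The sample outputs, addresses and function names are constructed for illustration.

```python
# Added example: confirm file/print sharing is off before first connecting.
# Sample netstat output below is constructed, not captured from a real host.

# Well-known ports of the sharing services the Tech Tip says to disable.
SHARING_PORTS = {
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session (Windows file/print sharing)",
    445: "SMB over TCP (Windows file/print sharing)",
    515: "LPD printer sharing",
    548: "AFP (Mac OS X file sharing)",
    631: "IPP printer sharing",
}


def parse_listeners(netstat_text):
    """Return (proto, address, port) for TCP listeners and bound UDP sockets.

    Handles the Windows layout (Proto Local Foreign State, 'addr:port') and
    the BSD/Mac OS X layout (Proto Recv-Q Send-Q Local Foreign State,
    'addr.port').
    """
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or not fields[0].lower().startswith(("tcp", "udp")):
            continue  # header or blank line
        proto = fields[0].lower()[:3]
        bsd = len(fields) >= 5 and fields[1].isdigit() and fields[2].isdigit()
        rest, sep = (fields[3:], ".") if bsd else (fields[1:], ":")
        if len(rest) < 2:
            continue
        state = rest[2].upper() if len(rest) > 2 else ""
        # TCP must be listening; UDP is stateless, so any bound socket counts.
        if proto == "tcp" and not state.startswith("LISTEN"):
            continue
        addr, _, port = rest[0].rpartition(sep)
        if port.isdigit():
            found.append((proto, addr, int(port)))
    return found


def is_loopback(addr):
    """True for addresses reachable only from the local machine."""
    addr = addr.strip("[]")
    return addr.startswith("127.") or addr == "::1"


def sharing_exposure(netstat_text):
    """List sharing services bound to a network-reachable address."""
    return [
        (proto, addr, port, SHARING_PORTS[port])
        for proto, addr, port in parse_listeners(netstat_text)
        if port in SHARING_PORTS and not is_loopback(addr)
    ]


# Constructed Windows sample: sharing still enabled on the LAN interface.
WINDOWS_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      203.0.113.10:80        ESTABLISHED
  UDP    192.168.1.20:137       *:*
"""

# Constructed Mac OS X sample: file sharing on, printing bound to loopback.
MAC_SAMPLE = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.548                  *.*                    LISTEN
tcp4       0      0  127.0.0.1.631          *.*                    LISTEN
tcp4       0      0  192.168.1.21.49152     203.0.113.10.80        ESTABLISHED
udp4       0      0  *.5353                 *.*
"""

# Constructed sample after sharing has been disabled.
CLEAN_SAMPLE = """\
  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    for name, sample in [("windows", WINDOWS_SAMPLE), ("mac", MAC_SAMPLE),
                         ("clean", CLEAN_SAMPLE)]:
        hits = sharing_exposure(sample)
        print(name, "OK to connect" if not hits else "sharing still exposed:")
        for proto, addr, port, service in hits:
            print(f"  {proto} {addr} port {port}: {service}")
```

A listener reported here may still be filtered by the firewall from steps 1 and 2; the check only confirms whether the sharing services themselves are off.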

2. Operating System-Specific Guidance

The previous section outlined the CERT/CC’s general guidance for installing new computers. However, the specific implementation of those recommendations depends on the operating system in use. This section contains specific guidance for users of Microsoft Windows XP and Apple Macintosh OSX, as well as some pointers for other operating system users.

1. Microsoft Windows XP

In order to complete these steps, you will need to be logged into an account with local administrator privileges.
1. Review General Guidance above.
2. Connect behind a hardware-based firewall if available.

This step is covered in the General Guidance section above.
3. Enable the Internet Connection Firewall.

Microsoft has provided both detailed and summarized instructions for enabling the built-in Internet Connection Firewall on Windows XP.
4. Disable shares if enabled.
   1. Go to Start -> Control Panel.
   2. Open “Network and Internet Connections”.
   3. Open “Network Connections”.
   4. Right-click on the network connection you wish to change (e.g., “Local Area Connection”).
   5. Select “Properties”.
   6. Make sure “File and Printer Sharing for Microsoft Networking” is unchecked.
5. Connect to the network.
6. Go to http://windowsupdate.microsoft.com.
7. Follow the instructions there to install all Critical Updates.
8. Review Staying Secure below.

Additional Windows References can be found at the end of this document.

2. Apple Macintosh OSX
1. Review General Guidance above.
2. Connect behind a hardware-based firewall if available.
3. Enable the software firewall.
   1. Open “System Preferences”.
   2. Select “Sharing”.
   3. Select the “Firewall” Tab.
   4. Click “Start”.
   5. Select the “Services” Tab.
   6. Verify that all services are unchecked (default).
4. Connect to the network (plug in or dial-up).
5. Update installed software.
   1. Open “System Preferences”.
   2. Select “Software Updates”.
   3. Turn on automatic updates (checkbox: “Automatically check for updates when you have a network connection”.)
   4. Select an appropriate update frequency (daily is recommended).
   5. Click “Check Now”.
   6. Install any recommended updates.
6. Review Staying Secure below.

Additional OSX References can be found at the end of this document.

3. Other Operating Systems

Users of other operating systems should review the General Guidance above, then consult their respective software vendors’ sites for specific instructions (where available). Additionally, Linux or Unix users may wish to review our Unix Security Checklist or the summarized Unix Security Checklist Essentials.

Additional Linux References can be found at the end of this document.

III. Staying Secure

1. Read our Home Network Security document.
2. Install and use antivirus software

While an up-to-date antivirus software package cannot protect against all malicious code, for most users it remains the best first-line of defense against malicious code attacks. Many antivirus packages support automatic updates of virus definitions. The CERT/CC recommends using these automatic updates when available.

3. Enable automatic software updates if available

Vendors will usually release patches for their software when a vulnerability has been discovered. Most product documentation offers a method to get updates and patches. You should be able to obtain updates from the vendor’s web site. Read the manuals or browse the vendor’s web site for more information.

Some applications will automatically check for available updates, and many vendors offer automatic notification of updates via a mailing list. Look on your vendor’s web site for information about automatic notification. If no mailing list or other automated notification mechanism is offered you may need to check the vendor’s website periodically for updates.

4. Avoid unsafe behavior

Additional information on this topic can be found in our Home Network Security Tech Tip.
* Use caution when opening email attachments or when using peer-to-peer file sharing, instant messaging, or chatrooms.
* Don’t enable file sharing on network interfaces exposed directly to the Internet.

5. Follow the principle of least privilege — don’t enable it if you don’t need it.

Consider using an account with only ‘user’ privileges instead of an ‘administrator’ or ‘root’ level account for everyday tasks. Depending on the OS, you only need to use administrator level access when installing new software, changing system configurations, and the like. Many vulnerability exploits (e.g., viruses, Trojan horses) are executed with the privileges of the user that runs them — making it far more risky to be logged in as an administrator all the time.

References

1. CERT/CC References
* Home Network Security — http://www.us-cert.gov/reading_room/home-network-security/
* IN-2003-01 Malicious Code Propagation and Antivirus Software Updates — http://www.cert.org/incident_notes/IN-2003-01.html
* CERT/CC Malicious Web Scripts FAQ — http://www.cert.org/tech_tips/malicious_code_FAQ.html
* Unix Security Checklist — http://www.cert.org/tech_tips/unix_security_checklist2.0.html
* Unix Security Checklist Essentials — http://www.cert.org/tech_tips/usc20_essentials.html
2. Microsoft Windows XP References
* Protect Your PC — http://www.microsoft.com/security/protect/default.asp
* Using the Internet Connection Firewall — http://www.microsoft.com/windowsxp/home/using/howto/homenet/icf.asp
* How to Enable Internet Connection Firewall (ICF) on Windows XP — http://www.microsoft.com/security/incident/icf.asp
* Microsoft Windows XP Baseline Security Checklist — http://www.microsoft.com/technet/security/chklist/xpcl.asp
3. Apple Macintosh OSX References
* How to Keep Network Computers Secure — http://docs.info.apple.com/article.html?artnum=61534
* Apple Product Security — http://www.info.apple.com/usen/security/index.html
* OSX Security Features Overview — http://www.apple.com/macosx/features/security/
* Apple Security Updates — http://docs.info.apple.com/article.html?artnum=61798
4. Linux References
* Debian Security Information — http://www.debian.org/security/
* Lindows.com — http://www.lindows.com/
* MandrakeSecure — http://www.mandrakesecure.net/en/index.php
* RedHat Security Resource Center — http://www.redhat.com/solutions/security/
* RedHat Security and Errata — http://www.redhat.com/apps/support/errata/
* Slackware Security Advisories — http://www.slackware.com/security/
* SUSE Security (US/Canada) — http://www.suse.com/us/private/support/security/

White House (.gov) Email Down Due to Microsoft

The new White House team found out their email systems were down for most of the day on Monday. Press Secretary Robert Gibbs made the announcement of the technical difficulties at his 1:30 p.m. briefing. He apologized for the e-mail silence and blamed it on a Microsoft Outlook server.

Both incoming and outgoing email were not working. They resorted to making photocopies of the executive orders that President Obama signed.

Mr. Gibbs said, “Our apologies if you’ve e-mailed any of us in the last two-and-a-half hours. Our e-mail system is not working so well. So our apologies on that, and we’ll endeavor to get you information from earlier in the day, hopefully in a little bit more of a timely manner, if we can get the e-mail to work.”

When questioned further he replied, “We don’t comment on security issues.”

Apple QuickTime Updates for Multiple Vulnerabilities

National Cyber Alert System
Technical Cyber Security Alert TA09-022A
Apple QuickTime Updates for Multiple Vulnerabilities
Original release date: January 22, 2009
Source: US-CERT

Systems Affected
Apple QuickTime 7.5 for Windows and Mac OS X

Overview
Apple has released QuickTime 7.6 to correct multiple vulnerabilities affecting QuickTime for Mac OS X and Windows. Attackers may be able to exploit these vulnerabilities to execute arbitrary code or cause a denial of service.

I. Description
Apple QuickTime 7.6 addresses a number of vulnerabilities affecting QuickTime. An attacker could exploit these vulnerabilities by convincing a user to access a specially crafted media or movie file. This file could be hosted on a web page or sent via email.

II. Impact
The impacts of these vulnerabilities vary. Potential consequences include arbitrary code execution and denial of service.

III. Solution
Upgrade to QuickTime 7.6. This and other updates are available via Software Update or via Apple Downloads.
