Security

Microsoft said Tuesday that its investigation has turned up no evidence that anything in its November security updates should be causing users to encounter a so-called "black screen of death."

"Microsoft has investigated reports that its November security updates made changes to permissions in the registry that that are resulting in system issues for some customers," Microsoft security response communications lead Christopher Budd said in a statement. "The company has found those reports to be inaccurate and our comprehensive investigation has shown that none of the recently released updates are related to the behavior described in the reports."

Microsoft said it was not contacted by British security firm Prevx before that company went public with its claims. Microsoft said it has reached out to them to let them know the results of its investigation.

The company said on Monday that it would look into the matter, but issued an update later in the day saying it could not verify any issues.

"Our support organization is also not seeing this as an issue," Budd said on Tuesday. "The claims also do not match any known issues that have been documented in the security bulletins or (knowledge base) articles.

Update, 3:15 p.m. PT: Prevx posted an updated blog saying that it has done additional testing.

"Having narrowed down a specific trigger for this condition we've done quite a bit of testing and re-testing on the recent Windows patches," the comapny said. "Since more specifically narrowing down the cause we have been able to exonerate these patches from being a contributory factor."

The company also offered up a mea culpa to Redmond and said it also recommends users keep patching their systems promptly. "We apologize to Microsoft for any inconvenience our blog may have caused."

Updated 5:10 p.m. PST with information about later versions of the e-mail campaign directing to a landing page with hidden code that uses an Adobe exploit to try to download malware onto the system.

The e-mail appears to be from the CDC but directs people to a fake CDC site that serves up a Trojan.

(Credit: AppRiver)

You can ignore that e-mail that looks like it comes from the U.S. Centers for Disease Control and Prevention about creating a profile for an H1N1 vaccination program. It's a malware scam, according to security provider AppRiver.

The fake alert informs recipients that as part of a "State Vaccination H1N1 Program" they need to create a profile on the CDC Web site. The link in the e-mail goes to a fake CDC page where the visitor is assigned a temporary ID and a link to a vaccination profile that is actually an an executable file containing a copy of the Kryptik Trojan targeting Windows, according to an AppRiver blog post on Tuesday.

Once installed, "this Trojan will create a security-free gateway on your system and will proceed to download and install additional malware without your authorization," the post warns. "It also enables a remote hacker to take complete control of your computer. This malware can log your typed keystrokes and send confidential personal and financial data (including banking information, credit card numbers, and website passwords) to a remote hacker."

AppRiver said it was seeing the fake CDC e-mails at a rate of nearly 18,000 messages per minute, reaching more than 1 million in the first hour alone.

The malware campaign apparently got more dangerous as the day wore on. In later iterations of the fake CDC e-mail, the landing page that the link led to contained a hidden iFrame that pointed to a site hosted in Ukraine, according to Symantec. In the background, the iFrame checks to see if the system is running an unpatched version of Adobe Reader, Acrobat or Flash Player and if so it uses an exploit to download a file to the system, the company said.

"During testing, our detections picked up the Adobe exploitation attempts using generic IPS and AV signatures," a Symantec spokesperson said.

This screen shot shows the fake CDC Web page that is distributing the Trojan.

(Credit: AppRiver)

Microsoft on Monday said it is investigating a possible vulnerability in Internet Explorer after exploit code that allegedly can be used to take control of computers, if they visit a Web site hosting the code, was posted to a security mailing list.

Microsoft confirmed that the exploit code affects IE 6 and IE 7, but not IE 8, and it said it is "currently unaware of any attacks trying to use the claimed vulnerability or of customer impact," according to a statement.

The exploit code was published to the BugTraq mailing list on Friday with no explanation.

"The exploit targets a vulnerability in the way Internet Explorer uses Cascading Style Sheet (CSS) information. CSS is used in many Web pages to define the presentation of the sites' content," Symantec wrote in a blog post this weekend.

"The exploit currently exhibits signs of poor reliability, but we expect that a fully functional, reliable exploit will be available in the near future," Symantec said. Symantec urges IE users to keep their antivirus software up-to-date, disable JavaScript, and visit only trusted Web sites, until Microsoft issues a patch for the hole.

Anyone believed to have been affected can visit Microsoft's Consumer Security Support Center, report it to the Internet Crime Complaint Center, and contact the FBI or law enforcement in the particular country, Microsoft said. U.S. residents can also call Microsoft's PC Safety Customer Service and Support number at 1-866-727-2338.

In July, critical holes in IE prompted Microsoft to issue a rare out-of-cycle (in other words, pre-Patch Tuesday) fix.

Retailers aren't the only ones gearing up for the holiday season. Criminals are also out in force.

To highlight the increased crime during the holidays, security company McAfee has come up with the "12 Scams of Christmas" ranging from bogus electronic greeting cards that deliver malware instead of cheer to fake charities that steal your money and your identity.

It's especially important to be extra careful this time of year, says McAfee's David Marcus. "The bad guys know people are spending more time online, they're paying more bills online so [the criminals] stand a chance of being a bit more successful this time of year.

In a podcast interview (scroll down to listen), Marcus counted down the 12 scams of Christmas starting with:

1. Charitable phishing scams: Marcus warns consumers to be wary of e-mails that appear to be from legitimate charities. Not only will they take your money and deprive charities of needed funds, but they will also steal your credit card information and identity.


2. Fake invoices from delivery services: During this period, scammers will send out fake invoices and delivery notifications appearing to come from Federal Express, UPS, the U.S. Postal Service or even the U.S. Customs Service saying that they were unable to deliver a package to your address. They ask you to confirm your address and give them credit card information to pay for delivery.


3. Social networking friend requests: Bad guys take advantage of this social time of year by sending out authentic looking friend requests via e-mail. Marcus recommends that you not click on those links but sign into Facebook and other services and look for friend requests from the site itself. Clicking on a link could install malware on your computer or trick you into revealing your password.


4. Holiday e-cards: Be careful before clicking on a holiday e-card, especially if it's from a site you haven't heard of. This is a way to deliver malware, pop-ups, and other forms of unwanted advertising. Some fake e-cards will look like they come from Hallmark or other legitimate companies, so pay close attention and make sure it's from someone you know. If you're going to send an e-card, be sure you're dealing with a reputable service lest you risk infecting yourself and your friends.


5. Fake "luxury" jewelry: If you see an offer for luxury gifts from companies like Cartier, Gucci, and Tag Heuer at a price that's too good to be true, it probably isn't true. These links could lead you to malware and take your money or merchandise that will probably never arrive (or be fake if it does). Some of these sites, according to McAfee, even display the logos of the Better Business Bureau.


6. Practice safe holiday shopping. Make sure your wireless network is secure and be sure you're shopping on sites that are secure. Though it isn't an iron clad guarantee, you should look for the lock icon in the lower right corner of your browser and make sure the Web page starts with https. The "s" stands for "secure."


7. Christmas carol lyrics can be dangerous: Bad guys know that people are searching for holiday related sites for music, holiday graphics, and other festive media. During this time, they create fraudulent holiday related sites.


8. Job search related scams: With the unemployment rate at 10.2 percent, there are plenty of job seekers looking for work. Beware of online offers for high paying jobs or at-home money making schemes. Some of these sites ask for money up front, which is a good way for criminals not only to steal your "set up fee" but misuse your credit card too. Marcus said that some "get rich quick" sites are all about money laundering, asking you to accept an inbound financial transfer and pay them.


9. Auction site fraud: McAfee has observed a rise in fake auction sites during the holidays. Make sure you're actually going to eBay or whatever site you plan to deal with.


10. Password stealing scams: Criminals use low-cost tools to uncover passwords, in some cases planting key logger software to record keystrokes. Once they get your passwords, they gain access to bank accounts and credit card accounts and send spam from your e-mail accounts.


11. E-mail banking scams: A common type of phishing scam is sending out official looking e-mails that appear to come from your bank. Don't click on any links but type in your bank's Web address manually if you need to access your account.


12. Files for ransom: Hackers use malware to gain control of your computer and lock your data files. To access your own data you have to pay them ransom.

Listen to Larry's interview with McAfee's David Marcus

Listen now: Download today's podcast

Countries armed with "cyberweapons," according to McAfee.

(Credit: McAfee)

In particular, countries gearing up for cyberoffensives are the U.S., Israel, Russia, China, and France, the says the report, compiled by former White House Homeland Security adviser Paul Kurtz and based on interviews with more than 20 experts in international relations, national security and Internet security.

"We don't believe we've seen cases of cyberwarfare," said Dmitri Alperovitch, vice president of threat research at McAfee. "Nations have been reluctant to use those capabilities because of the likelihood that [a big cyberattack] could do harm to their own country. The world is so interconnected these days."

Threats of cyberwarfare have been hyped for decades. There have been unauthorized penetrations into government systems since the early ARPANET days and it has long been known that the U.S. critical infrastructure is vulnerable.

However, experts are putting dots together and seeing patterns that indicate that there is increasing intelligence gathering and building of sophisticated cyberattack capabilities, according to the report titled "Virtually Here: The Age of Cyber Warfare."

"While we have not yet seen a 'hot' cyberwar between major powers, the efforts of nation-states to build increasingly sophisticated cyberattack capabilities, and in some cases demonstrate a willingness to use them, suggest that a 'Cyber Cold War' may have already begun," the report says.

Because pinpointing the source of cyberattacks is usually difficult if not impossible, the motivations can only be speculated upon, making the whole cyberwar debate an intellectual exercise at this point. But the report offers some theories.

For instance, Alperovitch speculates that the July 4 attacks denial-of-service on Web sites in the U.S. and South Korea could have been a test by an foreign entity to see if flooding South Korean networks and the transcontinental communications between the U.S. and South Korea would disrupt the ability of the U.S. military in South Korea to communicate with military leaders in Washington, D.C., and the Pacific Command in Hawaii.

"The ability of the North Koreans to disable cybercommunications between the U.S. and South Korea would give them a huge strategic advantage" if they were to attack South Korea, he said.

There have been earlier attacks that smack of cyberwarfare too. Estonian government and commercial sites suffered debilitating denial-of-service attacks in 2007, and last year sites in Georgia were attacked during the South Ossetia war, orchestrated by civilian attackers, the report says.

The report concludes that if we aren't seeing it already, cyberwarfare will be a reality soon enough.

"Over the next 20 to 30 years, cyberattacks will increasingly become a component of war," William Crowell, a former NSA deputy director, is quoted as saying. "What I can't foresee is whether networks will be so pervasive and unprotected that cyberwar operations will stand alone."

VeriSign, which runs the master database for such domains as .com and .net, says a significant Internet security vulnerability will be closed by 2011, after delays caused by technical aspects of the implementation.

The problem is that DNS, the Domain Name System that translates Internet addresses into numerical values, can be seeded with false values and used to misdirect users. VeriSign told ZDNet on Friday that it will put in place DNSSEC, a protocol that will guarantee the origin and integrity of DNS data for the .com and .net domains, by the first quarter of 2011.

Read more of "VeriSign: Major internet security update by 2011" at ZDNet UK.

Microsoft on Friday said it is working on a fix for a vulnerability in the Server Message Block file-sharing protocol in Windows 7 and Windows Server 2008 Release 2 that could be used to remotely crash a computer.

The software giant had said on Wednesday that it was looking at the bug, discovered by researcher Laurent Gaffié, who published proof-of-concept code on a blog.

"Microsoft is aware of public, detailed exploit code that would cause a system to stop functioning or become unreliable. If exploited, this [denial-of-service] vulnerability would not allow an attacker to take control of, or install malware on, the customer's system but could cause the affected system to stop responding until manually restarted," Dave Forstrom, group manager for public relations at Microsoft Trustworthy Computing, said in a statement. "It is important to note that the default firewall settings on Windows 7 will help block attempts to exploit this issue."

Microsoft is not aware of attacks to exploit the hole at this time, he said.

In an advisory, Microsoft criticized the way Gaffié handled the discovery.

"Microsoft is concerned that this new report of a vulnerability was not responsibly disclosed, potentially putting computer users at risk," the advisory said. "We continue to encourage responsible disclosure of vulnerabilities."

The advisory suggests that customers block Transmission Control Protocol, or TCP, ports 139 and 445 at the firewall, as a workaround until a patch is ready.

Updated 1:49 p.m. PST to clarify that Gmail issue was fixed and any attack would be theoretically possible but extremely difficult to accomplish.

A lax security policy in Adobe Flash puts visitors to user-generated content sites at risk, says a researcher who has found a technique exploiting the way browsers handle Flash files.

The problem stems from the origin policy of Adobe Flash, Mike Bailey, a senior security researcher at Foreground Security, said in an interview on Wednesday. "Adobe should change the way Flash Player handles the security policy so it doesn't allow arbitrary content to access the application without permission."

By default, Flash Player trusts anything, but it should only trust what is allowed," he said, providing more technical discussion in a blog post.

For example, someone could upload what appears to be a picture to a social-networking site but which is actually a Flash file designed to execute malicious code in the browser when the file is opened. Anyone who views that picture could be compromised, said Mike Murray, chief information security officer at Foreground Security.

Bailey said that as far as he knows the technique has not been used in the wild as an attack, but that a "huge number of sites are vulnerable." (Gmail previously had an issue that could allow for this type of attack, but that has been fixed. Flash payload could "theoretically" still be executed, but it would be incredibly difficult to do, Baily wrote in his post.)

Adobe has known about the issue for a while but says it can't fix it or risk breaking a lot of existing Flash content and applications around the Web, he said.

Administrators make configuration changes to each Web site to mitigate the risk, Bailey said.

Meanwhile, users should disable Flash completely or use NoScript, a browser plug-in that blocks Flash and Java from untrusted sites, he said.

Asked to comment, an Adobe representative provided this statement:

"Generally speaking, by nature, Flash (SWF) content is powerful, active content and should be handled with the same care as other active content technologies, such as JavaScript, to ensure a site's design does not become vulnerable to abuse scenarios. Adobe has always advised that allowing arbitrary uploads or attachments of Flash (SWF) content to trusted domains should not be performed due to potential abuse scenarios, such as the ones outlined by Mike Bailey. Adobe has published several best practice advisories and blog posts for developers and site owners on how to safely host Flash content. For example, our Flash Player security white paper describes our model in great detail."

This screenshot shows an e-mail attachment executed in the context of a Squirrelmail client session, which leads to compromise of the Web-based e-mail account.

(Credit: Foreground Security)

Microsoft said on Wednesday it is looking into a report of a vulnerability in Windows 7 and Server 2008 Release 2 that could be used by an attacker to remotely crash the computer.

The company is investigating claims of a "possible denial-of-service vulnerability in Windows Server Message Block (SMB)," the Microsoft spokesperson said, adding that the company was unaware of any attacks trying to exploit the hole.

The bug triggers an infinite loop on the Server Message Block (SMB) protocol used for sharing files in Windows, researcher Laurent Gaffié wrote in a posting on the Full-Disclosure mailing list and on a blog.

"Whatever your firewall is set to, you can get remotely smashed via IE or even via some broadcasting NBNS [NetBIOS Naming Service] tricks," Gaffié wrote.

Gaffié also posted proof-of-concept code for the "Windows 7, Server 2008R2 Remote Kernel Crash."

On Tuesday, Microsoft issued six patches to fix 15 vulnerabilities, including a critical hole in the Windows kernel, as part of November's Patch Tuesday.