Microsoft has released updates to address vulnerabilities in Microsoft Windows and Microsoft Office.
Microsoft has released security bulletins for multiple vulnerabilities in Microsoft Movie Maker, Microsoft Office Producer 2003, and Microsoft Office Excel. These bulletins are described in the Microsoft Security Bulletin Summary for March 2010. Microsoft notes that affected versions of Microsoft Movie Maker were either included with Microsoft Windows or available as an optional download.
A remote, unauthenticated attacker could execute arbitrary code or cause a vulnerable application to crash.
Apply updates from Microsoft
Microsoft has
provided updates for these vulnerabilities in the Microsoft
Security Bulletin Summary for March 2010. The security bulletin describes
any known issues related to the updates. Administrators are encouraged to note
these issues and test for any potentially adverse effects. Administrators should
consider using an automated update distribution system such as Windows
Server Update Services (WSUS).
Microsoft notes that there is no security update available for Microsoft Producer 2003 at this time of this writing. Users can mitigate the impact to systems with Microsoft Producer 2003 by applying the automated solution to remove the Microsoft Producer file associations using the Fix it found in Microsoft Knowledge Base Article 975561, and by applying the workarounds in Microsoft Security Bulletin MS10-016.
Feedback can be directed to US-CERT.
Produced 2010 by US-CERT, a government organization. Terms of use
March 09, 2010: Initial release
Malicious activity detected in mid-December targeted at least 20 organizations representing multiple industries including chemical, finance, information technology, and media. Investigation into this activity revealed that third parties routinely accessed the personal email accounts of dozens of users based in the United States, China, and Europe. Further analysis revealed these users were victims of previous phishing scams through which threat actors successfully gained access to their email accounts.
Through analysis of the malware used in this incident, McAfee discovered one of the malware samples exploited a vulnerability in Microsoft Internet Explorer (IE). The vulnerability exists as an invalid pointer reference within IE and, if successfully exploited, allows for remote code execution.
Microsoft has released Security Bulletin MS10-002, which provides updates for Internet Explorer that address this and other vulnerabilities.
US-CERT is providing technical indicators that can be incorporated into an organization's security posture to detect and mitigate any malicious activity.
In addition to the discovery of the IE exploit, the following malicious domains were identified as associated with this incident:
| Domain | IP Resolution as of 15 January | Notes |
|---|---|---|
| blogspot[dot]blogsite[dot]org | 209[dot]200[dot]236[dot]253 | IP address hosts at least 4 domains |
| voanews[dot] ath[dot]cx | 200[dot]55[dot]186[dot]66 | |
| ymail[dot]ath[dot]cx | 59[dot]36[dot]101[dot]217 | IP address hosts at least 3 domains |
| tyuqwer[dot]dyndns[dot]org | 75[dot]101[dot]212[dot]55 | |
| google[dot]homeunix[dot]com | 173[dot]201[dot]21[dot]161 | |
| ftp2[dot]homeunix[dot]com | 127[dot]0[dot]0[dot]2 | Domain resolution indicative of offline site status. Call-back discovered through analysis of malware file AppMgmt.dll |
| 360[dot]homeunix[dot]com | 127[dot]0[dot]0[dot]2 | Domain resolution indicative of offline site status. Call-back domain discovered through analysis of malware file rasmon.dll |
| update[dot]ourhobby[dot]com | 127[dot]0[dot]0[dot]1 | Domain resolution indicative of offline site status. Call-back discovered through analysis of malware file securmon.dll |
| demo1[dot]ftpaccess[dot]cc/demo/ad[dot]jpg | 127[dot]0[dot]0[dot]2 | Domain resolution indicative of offline site status |
| 360[dot]homeunix[dot]com | ||
| ad01[dot]homelinux[dot]com | ||
| ads1[dot]homelinux[dot]org | ||
| ads1[dot]webhop[dot]org | ||
| Aep[dot]homelinux[dot]com | ||
| Aka[dot]homeunix[dot]net | ||
| alt1[dot]homelinux[dot]com | ||
| Amd[dot]homeunix[dot]com | ||
| amt1[dot]homelinux[dot]com | ||
| amt1[dot]homeunix[dot]org | ||
| aop01[dot]homeunix[dot]com | ||
| aop1[dot]homelinux[dot]com | ||
| app1[dot]homelinux[dot]com | ||
| asic1[dot]homeunix[dot]com | ||
| Bbsnewss[dot]ath[dot]cx | ||
| Bdc[dot]homeunix[dot]com | ||
| blog1[dot]servebeer[dot]com | ||
| Connectproxy[dot]3322[dot]org | ||
| Corel[dot]ftpaccess[dot]cc | ||
| Csport[dot]2288[dot]org | ||
| ddd1[dot]homelinux[dot]com | ||
| demo1[dot]ftpaccess[dot]cc | ||
| du1[dot]homeunix[dot]com | ||
| Filoups[dot]info | ||
| fl12[dot]ftpaccess[dot]cc | ||
| ftp1[dot]ftpaccess[dot]cc | ||
| ftp2[dot]homeunix[dot]com | ||
| Ftpaccess[dot]cc | ||
| hho1[dot]homeunix[dot]com | ||
| hp1[dot]homelinux[dot]org | ||
| i1024[dot]homelinux[dot]com | ||
| i1024[dot]homeunix[dot]org | ||
| Ice[dot]game-host[dot]org | ||
| il01[dot]homeunix[dot]com | ||
| il01[dot]servebbs[dot]com | ||
| il02[dot]servebbs[dot]com | ||
| il03[dot]servebbs[dot]com | ||
| Jlop[dot]homeunix[dot]com | ||
| li107-40[dot]members[dot]linode[dot]com | ||
| lih001[dot]webhop[dot]net | ||
| lih002[dot]webhop[dot]net | ||
| lih003[dot]webhop[dot]net | ||
| list1[dot]homelinux[dot]org | ||
| live1[dot]webhop[dot]org | ||
| Members[dot]linode[dot]com | ||
| on1[dot]homeunix[dot]com | ||
| Patch[dot]homeunix[dot]org | ||
| patch1[dot]ath[dot]cx | ||
| patch1[dot]gotdns[dot]org | ||
| patch1[dot]homelinux[dot]org | ||
| ppp1[dot]ftpaccess[dot]cc | ||
| sc01[dot]webhop[dot]biz | ||
| sl1[dot]homelinux[dot]org | ||
| temp1[dot]homeunix[dot]com | ||
| Tor[dot]homeunix[dot]com | ||
| ttt1[dot]homelinux[dot]org | ||
| up01[dot]homelinux[dot]com | ||
| up1[dot]homelinux[dot]org | ||
| up1[dot]mine[dot]nu | ||
| up1[dot]serveftp[dot]net | ||
| up2[dot]mine[dot]nu | ||
| Update[dot]ourhobby[dot]com | ||
| update1[dot]homelinux[dot]org | ||
| update1[dot]merseine[dot]nu | ||
| vm01[dot]homeunix[dot]com | ||
| Voanews[dot]ath[dot]cx | ||
| Vvpatch[dot]homelinux[dot]org | ||
| war1[dot]game-host[dot]org | ||
| Webswan[dot]33iqst[dot]com | ||
| Xil[dot]homeunix[dot]com | ||
| Yahoo[dot]8866[dot]org | ||
| Yahoo[dot]8866[dot]org |
McAfee provided several IP addresses involved in the incident:
69[dot]164[dot]192[dot]46 -- Call-back IP address discovered in file
rasmon.dll.
69[dot]164[dot]192[dot]0/24
72[dot]32[dot]6[dot]235
203[dot]69[dot]40[dot]128/27
203[dot]69[dot]41[dot]0/26
203[dot]69[dot]41[dot]64/27
203[dot]69[dot]66[dot]0/27
203[dot]69[dot]68[dot]96/27
203[dot]69[dot]68[dot]128/25
168[dot]95[dot]1[dot]1
The table below contains the file characteristics of the malware analyzed:
| File Name | IPs/Domains | File Details | Description |
|---|---|---|---|
| uploaded_data | MD5: 1AEA206AA64EBEABB07237F1E2230D0F Byte Size: 17310 | ASCII text, with very long lines, with CRLF line terminators | |
| securmon.dll | call-back: update[dot]ourhobby[dot]com:443 | MD5: E3798C71D25816611A4CAB031AE3C27A Byte Size: 62464 | MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit |
| Rasmon.dll | call-backs: 360[dot]homeunix[dot]com:443, 168.95.1.1:DNS | MD5: 0F9C5408335833E72FE73E6166B5A01B Byte Size: 90112 | Path: C:Windows\system32\Rasmon.dll Type: MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit Installs as service that begins with "UPS", followed by a random string. Example: Upskvk command-line: C:\WINDOWS\System32\svchost.exe -k SysIns |
| ad_1_.jpg | MD5: CD36A3071A315C3BE6AC3366D80BB59C Byte Size: 34816 | Appears to be packed executable. Significant portion of file is XOR'd 0x95 | |
| b.exe | MD5: 9F880AC607CBD7CDFFFA609C5883C708 Byte Size: 34816 | MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit, UPX compressed Drops: Rasmon.dll | |
| cdef | MD5: 29F52213E171C3D4B4418939D9E466C3 Byte Size: 41984 | MS-DOS executable PE for MS Windows (GUI) Intel 80386 32-bit Drops: AppMgmt.dll | |
| AppMgmt.dll | call-backs: ftp2[dot]homeunix[dot]com:443 | MD5: 6A89FBE7B0D526E3D97B0DA8418BF851 Byte Size: 31744 | MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit. Installs as service "Application Management" |
| A0029670.dll | MD5: 3A33013A47C5DD8D1B92A4CFDCDA3765 Byte Size: 90112 | MS-DOS executable PE for MS Windows (DLL) (GUI) Intel 80386 32-bit | |
| msconfig32.sys | MD5: 7A62295F70642FEDF0D5A5637FEB7986 | ||
| VedioDriver.dll | MD5: 467EEF090DEB3517F05A48310FCFD4EE | ||
| acelpvc.dll | MD5: 4A47404FC21FFF4A1BC492F9CD23139C | ||
| wuauclt.exe | MD5: 69BAF3C6D3A8D41B789526BA72C79C2D | ||
| jucheck.exe | MD5: 79ABBA920201031147566F5418E45F34 | ||
| AdobeUpdateManager.exe | MD5: 9A7FCEE7FF6035B141390204613209DA | ||
| zf32.dll | MD5: EB4ECA9943DA94E09D22134EA20DC602 |
The following signatures can be deployed to assist in detecting malicious activity associated with this incident:
Primary Malware Beacon
alert tcp any any -> any
any (msg:"Targeted Malware Communication Beacon Detected";
flow:to_server,established; dsize:20; content:"|ff ff ff ff ff ff 00 00 fe
ff ff ff ff ff ff ff ff ff 88 ff|"; depth:20; sid:7777777;
rev:1;)
Secondary Malware Beacon
alert tcp
any any <> any any (msg:"ORC:DIS:BEACON_380DFF";
content:"|38 0d ff 0a d7 ee 9d d7 ec 59 13 56|"; sid:99980060;
rev:1;)
Note: US-CERT has not verified or tested these signatures and recommends proper testing prior to deployment.
By convincing a user to view a specially crafted HTML document or Microsoft Office document, an attacker may be able to execute arbitrary code with the privileges of the user.
The Internet Explorer vulnerability used in these attacks is addressed with the updates provided in Microsoft Security Bulletin MS10-002.
Other recommendations include:
Feedback can be directed to US-CERT.
Produced 2010 by US-CERT, a government organization. Terms of use
February 24, 2010: Initial release
Microsoft has released updates to address vulnerabilities in Microsoft Windows, Windows Server, Internet Explorer, and Microsoft Office.
Microsoft has released multiple security bulletins for critical vulnerabilities in Microsoft Windows, Windows Server, Internet Explorer, and Microsoft Office. These bulletins are described in the Microsoft Security Bulletin Summary for February 2010.
A remote, unauthenticated attacker could execute arbitrary code, gain elevated privileges, or cause a vulnerable application or system to crash.
Apply updates from Microsoft
Microsoft has
provided updates for these vulnerabilities in the Microsoft
Security Bulletin Summary for February 2010. The security bulletin describes
any known issues related to the updates. Administrators are encouraged to note
these issues and test for any potentially adverse effects. Administrators should
consider using an automated update distribution system such as Windows
Server Update Services (WSUS).
Feedback can be directed to US-CERT.
Produced 2010 by US-CERT, a government organization. Terms of use
February 09, 2010: Initial release
Microsoft has released out-of-band updates to address critical vulnerabilities in Internet Explorer.
Microsoft has released updates for multiple vulnerabilities in Internet Explorer, including the vulnerability detailed in Microsoft Security Advisory 979352 and US-CERT Vulnerability Note VU#49251.
By convincing a user to view a specially crafted HTML document or Microsoft Office document, an attacker may be able to execute arbitrary code with the privileges of the user.
Apply updates
Microsoft has released updates to address these vulnerabilities. Please see Microsoft Security Bulletin MS10-002 for more information.
Apply workarounds
Microsoft has provided workarounds for some of the vulnerabilities in MS10-002.
Feedback can be directed to US-CERT.
Produced 2010 by US-CERT, a government organization. Terms of use
January 21, 2010: Initial release
Adobe has released Security bulletin APSB10-02, which describes multiple vulnerabilities affecting Adobe Reader and Acrobat.
Adobe Security Advisory APSB10-02 describes a number of vulnerabilities affecting Adobe Reader and Acrobat. These vulnerabilities affect Reader 9.2 and earlier 9.x versions and 8.1.7 and earlier 8.x versions. Further details are available in the US-CERT Vulnerability Notes Database.
An attacker could exploit these vulnerabilities by convincing a user to open a specially crafted PDF file. The Adobe Reader browser plug-in is available for multiple web browsers and operating systems, which can automatically open PDF documents hosted on a website.
Some of these vulnerabilities are being actively exploited.
These vulnerabilities could allow a remote attacker to execute arbitrary code, write arbitrary files or folders to the file system, escalate local privileges, or cause a denial of service on an affected system as the result of a user opening a malicious PDF document.
Update
Adobe has released updates to address this issue. Users are encouraged to read Adobe Security Bulletin APSB10-02 and update vulnerable versions of Adobe Reader and Acrobat.
Disable JavaScript in Adobe Reader and Acrobat
Disabling JavaScript may
prevent some exploits from resulting in code execution. Acrobat JavaScript can
be disabled using the Preferences menu (Edit -> Preferences
-> JavaScript; un-check Enable Acrobat JavaScript).
Prevent Internet Explorer from automatically opening PDF
documents
The installer for Adobe Reader and Acrobat configures
Internet Explorer to automatically open PDF files without any user interaction.
This behavior can be reverted to a safer option that prompts the user by
importing the following as a .REG file:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00
Disable the display of PDF
documents in the web browser
Preventing PDF documents from
opening inside a web browser will partially mitigate this vulnerability. If this
workaround is applied it may also mitigate future vulnerabilities.
To prevent PDF documents from automatically being opened in a web browser, do
the following:
1. Open Adobe Acrobat Reader.
2. Open the
Edit menu.
3. Choose the preferences option.
4.
Choose the Internet section.
5. Un-check the "Display
PDF in browser" check box.
Do not access PDF documents
from untrusted sources
Do not open unfamiliar or unexpected PDF
documents, particularly those hosted on websites or delivered as email
attachments. Please see Cyber Security Tip ST04-010.
Feedback can be directed to US-CERT.
Produced 2010 by US-CERT, a government organization. Terms of use
January 13, 2010: Initial release
Microsoft has released updates to address a vulnerability in the Windows Embedded Open Type (EOT) font engine. Microsoft has also published an Advisory about multiple vulnerabilities in Adobe (Macromedia) Flash Player 6 that is included with Windows XP.
Microsoft Security Bulletin MS10-001 describes a vulnerability in the Embedded Open Type (EOT) font engine in Windows. Microsoft Security Advisory (979267) recommends that Windows XP users remove or upgrade Adobe Flash Player 6 (formerly Macromedia Flash Player) that is included with Windows XP. Vulnerability Note VU#204889 discusses one vulnerability in Flash Player 6 and provides several workarounds.
These vulnerabilities could be exploited by loading specially crafted fonts or Flash content via Internet Explorer.
Microsoft assigns the EOT font vulnerability a "low" severity rating in most current versions of Windows and notes that reliable code execution is unlikely. The severity rating for Windows 2000, however, is "critical."
A remote, unauthenticated attacker could execute arbitrary code, gain elevated privileges, or cause a vulnerable application to crash.
Apply updates from Microsoft
Microsoft Security
Bulletin MS10-001
provides updates for the EOT font vulnerability. The security bulletin describes
any known issues related to the updates. Administrators are encouraged to note
these issues and test for any potentially adverse effects. Administrators should
consider using an automated update distribution system such as Windows
Server Update Services (WSUS).
Upgrade, Remove, or Disable Adobe Flash Player 6
Adobe Flash Player 6 is included with Windows XP. Adobe has addresssed these vulnerabilities in newer versions of Flash Player. Upgrade to a more recent version of Flash Player (such as Flash Player 10). Alternatively, uninstall Flash Player or set the kill bit for the Flash Player ActiveX control as described in Microsoft Security Advisory (979267) and Vulnerability Note VU#204889.
Feedback can be directed to US-CERT.
Produced 2010 by US-CERT, a government organization. Terms of use
January 12, 2010: Initial release
Oracle products and components are affected by multiple vulnerabilities. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.
The Oracle Critical Patch Update Advisory - January 2010 addresses 24 vulnerabilities in various Oracle products and components. The document provides information about affected components, access and authorization required for successful exploitation, and the impact from the vulnerabilities on data confidentiality, integrity, and availability.
Oracle has associated CVE identifiers with the vulnerabilities addressed in this Critical Patch Update. If significant additional details about vulnerabilities and remediation techniques become available, we will update the Vulnerability Notes Database.
The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include the execution of arbitrary code or commands, information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers. An attacker who compromises an Oracle database may be able to access sensitive information.
Apply the appropriate patches or upgrade as specified in the Oracle Critical Patch Update Advisory - January 2010. Note that this document only lists newly corrected issues. Updates to patches for previously known issues are not listed.
Feedback can be directed to US-CERT.
Produced 2010 by US-CERT, a government organization. Terms of use
January 12, 2010: Initial release
Adobe has released Security bulletin APSB09-19, which describes vulnerabilities affecting Adobe Flash Player and Adobe AIR.
Adobe Security Bulletin APSB09-19 describes vulnerabilities affecting Adobe Flash Player and Adobe AIR. Flash Player version 10.0.32.18 and earlier versions as well as Adobe AIR versions 1.5.2 and earlier are affected.
An attacker could exploit this vulnerability by convincing a user to visit a website that hosts a specially crafted SWF file. The Adobe Flash browser plugin is available for multiple web browsers and operating systems, any of which could be affected.
This vulnerability allows a remote attacker to execute arbitrary code as the result of a user viewing a web page.
Users are encouraged to update Flash Player 10.0.32.18 and earlier versions as well as Adobe AIR 1.5.2 and earlier versions to the latest version.
These vulnerabilities can be mitigated by disabling the Flash plugin or by using the NoScript extension for Mozilla Firefox or SeaMonkey to whitelist websites that can access the Flash plugin. For more information about securely configuring web browsers, please see the Securing Your Web Browser document.
Feedback can be directed to US-CERT.
Produced 2009 by US-CERT, a government organization. Terms of use
December 09, 2009: Initial release
Microsoft has released updates to address vulnerabilities in Microsoft Windows, Windows Server, Internet Explorer, and Microsoft Office.
Microsoft has released multiple security bulletins for critical vulnerabilities in Microsoft Windows, Windows Server, Internet Explorer, and Microsoft Office. These bulletins are described in the Microsoft Security Bulletin Summary for December 2009.
A remote, unauthenticated attacker could execute arbitrary code, gain elevated privileges, or cause a vulnerable application to crash.
Apply updates from Microsoft
Microsoft has
provided updates for these vulnerabilities in the Microsoft
Security Bulletin Summary for December 2009. The security bulletin describes
any known issues related to the updates. Administrators are encouraged to note
these issues and test for any potentially adverse effects. Administrators should
consider using an automated update distribution system such as Windows
Server Update Services (WSUS).
Feedback can be directed to US-CERT.
Produced 2009 by US-CERT, a government organization. Terms of use
December 08, 2009: Initial release
Microsoft has released updates to address vulnerabilities in Microsoft Windows and Windows Server and Office Word and Excel.
Microsoft has released multiple security bulletins for critical vulnerabilities in Microsoft Windows and Windows Server and Office Word and Excel. These bulletins are described in the Microsoft Security Bulletin Summary for November 2009.
A remote, unauthenticated attacker could execute arbitrary code, gain elevated privileges, or cause a vulnerable application to crash.
Apply updates from Microsoft
Microsoft has
provided updates for these vulnerabilities in the Microsoft
Security Bulletin Summary for November 2009. The security bulletin describes
any known issues related to the updates. Administrators are encouraged to note
these issues and test for any potentially adverse effects. Administrators should
consider using an automated update distribution system such as Windows
Server Update Services (WSUS).
Feedback can be directed to US-CERT.
Produced 2009 by US-CERT, a government organization. Terms of use
November 10, 2009: Initial release