IE Zero-Day Vulnerability

Microsoft Security Advisory 2963983 – Vulnerability in Internet Explorer Could Allow Remote Code Execution – TechNet

General Information

Executive Summary

Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. For information about protections released by MAPP partners, see MAPP Partners with Updated Protections.

Microsoft continues to encourage customers to follow the guidance in the Microsoft Safety & Security Center of enabling a firewall, applying all software updates, and installing antimalware software.

Mitigating Factors:

  • By default, Internet Explorer on Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2 runs in a restricted mode that is known as Enhanced Security Configuration. This mode mitigates this vulnerability.

  • By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML email messages in the Restricted sites zone. The Restricted sites zone, which disables script and ActiveX controls, helps reduce the risk of an attacker being able to use this vulnerability to execute malicious code. If a user clicks a link in an email message, the user could still be vulnerable to exploitation of this vulnerability through the web-based attack scenario.

  • An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  • In a web-based attack scenario, an attacker could host a website that contains a webpage that is used to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these websites. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.

More information in the full article. There is no patch. But Microsoft has given some recommendations which are easier to understand at Security Garden’s posting:

Recommendations

As illustrated in the “Security Research and Defense Blog” reference below, users of IE 10 and 11 should ensure they haven’t disabled Enhanced Protection Mode.

Another option is to install the Enhanced Mitigation Experience Toolkit (EMET). The recommended setting for EMET 4.1, available from KB Article 2458544, is automatically configured to help protect Internet Explorer. No additional steps are required.

See the Tech Net Advisory for instructions on changing the following settings to help protect against exploitation of this vulnerability:

  • Change your settings for the Internet security zone to high to block ActiveX controls and Active Scripting

  • Change your settings to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.

 

Those still using Windows XP on the Internet, please be aware:

VERY IMPORTANT FOR ANY HOLD OUT WINDOWS XP USERS

This is the first of the security vulnerabilities that DOES NOT include workarounds  for Windows XP. The oldest Windows noted as being affected are: Windows Server 2003 SP2 and Vista SP2.

IMPORTANT NOTE: Once a Microsoft product’s support has expired — as is true now about Windows XP SP3 since April 8, 2014 — Microsoft no longer lists it as affected by the vulnerabilities being patched. Microsoft only list Windows versions which are still under Mainstream Support or Extended Support. This has always been the case.

If anyone is still using Windows XP on the Internet (UNWISE!!), it would be strongly recommended to disallow IE (Internet Explorer) access to the Internet through your software firewall*, and use another browser like Firefox and Google Chrome which will still be getting updates for a time.

* Any Windows XP users still on the Internet should at least have:

  • a hardware router with Stateful Packet Firewall
  • should be using a ‘real’ software firewall as well as a good AV program. Just one good choice that will continue to support Windows XP is ESET’s Smart Security which is a very good antivirus and firewall. It is the one I use. It is not free. There are several free antivirus programs but not many free security suites.
  • block Internet Explorer through the ESET or other software firewall.
  • should be using a 3rd party browser like Mozilla Firefox with NoScript, Adblock Plus and WOT to help sort out safer search results on search engines, or Google Chrome with ScriptSafe, Adblock Plus and WOT Extension.
  • uninstall Java entirely, keep Adobe Flash religiously updated for Firefox as long as Adobe continues to provide them. Google Chrome updates Flash within itself. Might want to switch from Adobe Reader to Sumatra PDF reader which is a simple PDF viewer.
  • need to be even more careful than ever before about where you go. The bad guys will be looking with great anticipation for computers with expired Windows XP.
  • no risky behavior
  • no banking … note very soon banks will be disallowing expired Windows XP entirely anyway.

IMPORTANT: You can not block a program from getting out to the Internet with the Windows XP Firewall. It is only a one way firewall. It only monitors incoming Internet requests, instead of both ways as any real firewall including Windows 7 and Windows 8 built-in software firewalls do.

Here’s a quote from a ZDNet article:

To those planning to stick resolutely with the aged Windows XP operating system even after Microsoft ends support next year, the advice from experts is simple: Don’t do it.

Again: I would strongly suggest you get a new computer, upgrade your computer if it can be upgraded to a modern/still supported Windows such as Windows 7 or Windows 8, or get a Mac, or you could  convert/upgrade the computer to Linux or use a Linux LiveCD to visit the Internet and still use Windows XP as a standalone NOT CONNECTED TO THE INTERNET computer.

If you need help with any of this, please contact your computer guru, join a forums like Scot’s Newsletter Forums – BATL (Bruno’s All Things Linux) to ask questions, or you can use the contact info on my website  to contact me for some help.

Advertisements

MS Word users warned of ongoing attacks exploiting unpatched bug

Microsoft warns Word users of ongoing attacks exploiting unpatched bug – Computerworld

Biggest worry, says expert, is that exploits are triggered just by previewing malicious messages in Outlook 2007, 2010 and 2013

Microsoft today warned users of Word 2010 that in-the-wild attacks are exploiting an unpatched vulnerability in the software.

The company also published an automated tool to protect customers until it issues a patch.

An attacker could cause remote code execution if someone was convinced to open a specially-crafted Rich Text Format (RTF) file or a specially-crafted mail in Microsoft Outlook while using Microsoft Word as the email viewer,” said Dustin Childs, group manager and spokesman for Microsoft’s Trustworthy Computing group in a blog Monday.

BOLD in the quote is mine.

Microsoft put out a Security Advisory 2953095 as Corrine noted on her Security Garden Blog including Fix it buttons for enabling and disabling reading email messages in plain text format.

This is one of the things for which both Microsoft in Outlook and Apple in Mail have massively fallen down on the job. This would not be happening if you could easily toggle various view options such as HTML or Plain Text for reading emails, as well as allowing and disallowing images inline.

This is something that I am very thankful that Mozilla Thunderbird got right from the very beginning. Mozilla Thunderbird gives very granular control regarding the various ways to Display email messages such as in PLAIN TEXT, SIMPLE HTML (simple html with javascripting disabled), or ORIGINAL HTML.

You also have control over how images are displayed or not in several ways and differentiating between attached images and remote images.

You can also close to enable do not track in emails. There are Security Add-ons like Adblock PlusEnigmail (OpenPGP), more. As well as lots of specialized Add=ons. One of these that I like is QuickText and a few others. It works on Windows, Mac and Linux.

There is also a pay to play $9.95 I think, but also has a free trial. It was originally for Macs and now there is a Windows version as well. It was created by the original developers of Thunderbird called Postbox. It has some but not all the Add-ons that Thunderbird has.

/rant on

I am not saying everyone should move to Mozilla Thunderbird. What I am saying is that Microsoft Outlook and Apple Mail should give their users these types of granular control so people can choose how they wish emails to be viewed. Both do some things but they stop way short of what is really needed in this day and age with emails.

HTML is like a venetian blind. It hides what is behind it. You can’t see what is behind all that HTML. You can’t decide to see HTML only if you trust the email after viewing what is in that email. This makes it way too easy for phishing emails to look like your bank, PayPal, your credit card company, etc. It also allows companies to track you with web beacons, transparent gif images and other remotely loaded images so they know if and when you view their email.

Something needs to be done about all this. Mozilla Thunderbird makes it so easy for folks to be able to toggle images so they can’t track you, use SIMPLE HTML to keep the ‘form’ of an email message without the more dangerous javascripting. Or allows you to totally view the email in plain text so you can see that that link that appears to be going to your bank actually goes to some strange URL that has nothing to do with your bank or a store you may or may not do business with.

People need these tools. Some may or may not realize it, but they really do.

I have heard so many people say that the email look just like it was from their bank and they fell for it. Or a store they frequent and gave up their login credentials by clicking on the link rather than going to the website because it looked like it was the store’s promotion.

Sure, no one should click on links in email, but if it looks legit, many do. Sure, if you like something in a promotion for a store, it might be better to just go to the store’s website but some stores really don’t have a page on their website that is clickable to get you there, unless you click on the link in an email. Also, the links are often obfuscated by third party trackers and campaign tracking sites, etc. This all makes life very difficult for email users to know what’s good and what’s not.

OK, I will get off my soap box now.

/rant off

 

Java flaws already included in Blackhole exploit kit within 12 hours

Java flaws already included in Blackhole exploit kit, Oracle was informed of vulnerabilities in April – Sophos Naked Security

It took less than 12 hours from the time the proof of concept for the latest Java zero-day vulnerabilities went public for exploits of those vulnerabilities to be included in a commercial crimeware kit.

Brian Krebs was first to mention having heard that CVE 2012-4681 was being added to the Blackhole exploit kit, and SophosLabs confirmed seeing it in the wild a few hours later.

And this about Macs in particular:

Some have asked if Mac users are at risk from the CVE 2012-4681 exploit and the answer is “Maybe.” The version officially distributed by Apple is Java 6, which is not vulnerable.

Interesting that an older version is not vulnerable to this particular zero day exploit. But if users of Lion and Mountain Lion have installed Java 7 directly from  Oracle’s Java.com site (which is the only way to even get Java on Lion and Mountain Lion), then they are vulnerable.

And of course, Windows and Linux/UNIX/BSD are all vulnerable as well if Java 7 has been installed.

Soon Twitter users were tweeting that Mac users were being attacked, but that the malware apparently on the blackhole server is serving Windows malware. Gives Mac users a reprieve to get their Java updated … if they installed it at all.

What is really sad is that Oracle was made aware of this vulnerability back in April and didn’t fix it in a timely manner.

Thankfully Firefox and Google Chrome will disable or at least not automatically run Java if it’s outdated. Other browsers (Internet Explorer, Opera, etc.) should be doing the same thing.

Java 7 ‘super dangerous’ vulnerability

There is a recently discovered ‘super dangerous’ vulnerability in Java 7.

This vulnerability affects all Java 7 users; whether they run a version of Windows, or using a Mac, or an Opensource Linux operating system:

Macs at risk from ‘super dangerous’ Java zero-day – Computerworld:

Hackers are exploiting a zero-day vulnerability in Java 7, security experts said today.

The unpatched bug can be exploited through any browser running on any operating system, from Windows and Linux to OS X, that has Java installed, said Tod Beardsley, the engineering manager for Metasploit, the open-source penetration testing framework used by both legitimate researchers and criminal hackers.

I think the reason they have singled out Mac users in the article is that most Windows users if they have a recent version of Java installed will get upgrade notifications from Oracle’s Java. Where many Mac users until Lion had Java being updated (albeit late) by Apple. Now they are responsible to keep it updated on Lion IF they decide to install Java manually themselves. Lion and Mountain Lion do not come with Java installed by default. But if you do have it installed on your Mac:

Maynor said he was able to trigger the vulnerability with the Metasploit code in both Firefox 14 and Safari 6 on OS X 10.8, better known as Mountain Lion.

These exploits are mainly aimed at Windows users, but Macs are becoming more and more popular because overall they have less issues than Windows for viruses, etc.

But browser exploits are a bain for all computer users. And we have to keep our plugins updated to stay one step ahead.

If you are using Firefox, there is a page you can go to where you can check to see if your plugins can be checked to make sure you are up to date:

Firefox Check Plugins page

Interestingly that Check Plugins page also seems to work pretty well on Google Chrome’s browser as well. Just remember that if it tells you Flash is outdated, Google Chrome will be updating that for you on their next update.

Looks like I am off for a new Flash update… see ya next time.

Certificate Authoritities, DigiNotar, GlobalSign, OSes, Browsers, Adobe, more

[tweetmeme source=”franscomputerservices” only_single=false]DigiNotar Breach Affected 531 Certificates (Tom’s Hardware):

The break-in in Certificate Authority (CA) DigiNotar back in July was much worse than previously thought.

A preliminary analysis of the incident now claims that there have been 531 fraudulent certificates. The hackers may have explored DigiNotar’s servers for the first time in early June and gained control on June 17. The company detected the hack on June 19, but failed to prevent the creation of the first rogue certificate on July 2. The hacker activity apparently ended on July 22.

As a Aryeh Goretsky stated at Scot’s Newsletter Forums noted so succinctly:

DigiNotar, a company which issues digital certificates used to establish cryptographically-secure connections to web sites, was hacked, and over 500 certificates were acquired for high-profile web sites. Amongst other things, this would allow someone* to monitor what would otherwise be secure, private connections to those sites. Passwords, emails, personally-identifiable information and other sensitive data could be viewed by someone* who would otherwise not be able to see that information.

*Such as a government, ISP, or government-owned ISP.

Aryeh, I couldn’t have said it better myself.

And highlighting the fact that it could be a government, ISP, or government-owned ISP is spot on to the concerns.

There was recently an article that suggested that this has already happened in Iran.

Hackers steal SSL certificates for CIA, MI6, Mossad (Computerworld):

Criminals acquired over 500 DigiNotar digital certificates; Mozilla and Google issue ‘death sentence’

Among the affected domains, said Markham, are those for the CIA, MI6, Mossad, Microsoft, Yahoo, Skype, Facebook, Twitter and Microsoft’s Windows Update service.

Google has pointed fingers at Iran, saying that attacks using an ill-gotten certificate for google.com had targeted Iranian users.

Much more in this two page article where a link to Markham’s blog details more about this:

On Monday August 29th at 6.30pm BST Mozilla was informed by Google about a misissued certificate for *.google.com which was being used in active attacks on users in Iran. This certificate was chained to the root of the Dutch CA “DigiNotar”. Since that notification, I have been part of the Mozilla team working on our response.

The CNs concerned were as follows:

*.10million.org
*.balatarin.com
*.google.com
*.logmein.com
*.microsoft.com
*.mossad.gov.il
*.skype.com
*.torproject.org
*.walla.co.il
*.wordpress.com
addons.mozilla.org
azadegi.com
DigiCert Root CA
Equifax Root CA
friends.walla.co.il
login.yahoo.com
Thawte Root CA
twitter.com
VeriSign Root CA
wordpress.com
http://www.cia.gov
http://www.facebook.com
http://www.sis.gov.uk

So much more in Markham’s blog posting.

Delay in disclosing SSL theft put Iranian activists at risk, says researcher (Computerworld)

The delay in disclosing a theft of the digital certificates for some of the Web’s biggest sites, including Google, Skype, Microsoft and Yahoo, put Iranian activists’ lives at risk, a researcher argued Wednesday.

But I think EFF explains the issues best.

Iranian Man-in-the-Middle Attack Against Google Demonstrates Dangerous Weakness of Certificate Authorities (EFF)

What’s worse than finding a worm in your apple? Finding half a worm.

What’s worse than discovering that someone has launched a man-in-the-middle attack against Iranian Google users, silently intercepting everything from email to search results and possibly putting Iranian activists in danger? Discovering that this attack has been active for two months.

People all over the world use Google services for sensitive or private communications every day. Google enables encrypted connections to these services in order to protect users from spying by those who control the network, such as ISPs and governments. Today, the security of this encryption relies entirely on certificates issued by certificate authorities (CAs), which continue to prove vulnerable to attack. When an attacker obtains a fraudulent certificate, he can use it to eavesdrop on the traffic between a user and a website even while the user believes that the connection is secure.

The certificate authority system was created decades ago in an era when the biggest on-line security concern was thought to be protecting users from having their credit card numbers intercepted by petty criminals. Today Internet users rely on this system to protect their privacy against nation-states. We doubt it can bear this burden.

This latest attack was reportedly caught by a user running the Google Chrome browser in Iran who noticed a warning produced by the “public key pinning” feature which Google introduced in May of this year. Basically, Google hard-coded the fingerprints for its own sites’ encryption keys into Chrome, and told the browser to simply ignore contrary information from certificate authorities. That meant that even if an attacker got a hold of a fake certificate for a Google site—as this attacker did—newer versions of the Chrome browser would not be fooled.

Certificate authorities have been caught issuing fraudulent certificates in at least half a dozen high-profile cases in the past two years and EFF has voiced concerns that the problem may be even more widespread. But this is the first time that a fake certificate is known to have been successfully used in the wild. Even worse, the certificate in this attack was issued on July 10th 2011, almost two months ago, and may well have been used to spy on an unknown number of Internet users in Iran from the moment of its issuance until it was revoked earlier today. To be effective, fraudulent certificates do not need to have been issued by the same authority that issued the legitimate certificates. For example, the certificate in question here was issued by a Dutch certificate authority with which Google had no business relationship at all; that didn’t make it any less acceptable to web browsers.

Much more in the article…

This problem is not only related to issues of privacy related to people who’s lives would be in danger, but also, victims of malware purveyors as well.

Cryptographic keys for SSL sites are only as good as the honesty of the holder and issuer of those keys, as well as the honesty and security diligence of the issuer, in this case DigiNotar.

They would like us to think that SSL is extremely safe, but it’s not as safe as those who issue them would like us to believe either. Anyone with money can purchase a SSL certificate, and there have been malware purveyors that have also bought them so folks would ‘feel’ secure. If you see the lock, you think, “Safe”. That’s what they want you to think.

However, just like anyone can purchase what is considered a ‘legitimate’ SSL certificate, good, bad or indifferent, there are worse things.

‘Legitimate’ SSL certificates can be created by site owners as well, good, bad, or indifferent.

The companies that sell SSL certificates and browser makers put out root certificates for their browers and show green or gold with the lock for those obtained by big name sellers of these certificates. So if you are legitimate site owner who creates their own to save money, you are automatically assumed to be ‘not legitimate’ by browsers and it shows as red/dangerous to users.

I don’t see what the solution is, but it really doesn’t matter whether you make your own, or if you buy one, you are still playing craps with SSL certificates in many ways these days.

As Corrine noted in the same topic at Scot’s Newsletter Forums:

Microsoft Security Advisory 2607712 has been updated to revoke the trust of the DigiNotar root certificates by placing them into the Microsoft Untrusted Certificate Store.

The update is available via Automatic Update and applies to all supported releases of Microsoft Windows, including Windows XP, Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2.

Within short order, Mozilla sent out updates to their products including Firefox, Thunderbird, et. revoking the certificates.

Opera has done the same thing yesterday, disabling the root store for DigiNotar.

Because Apple was slow to act, one researcher (thanks Corrine) rapped Apple for not blocking the stolen SSL certificates, and various places on the Internet were trying to help Mac users to take care of disabling and removing the DigiNotar certificates from the KeyChain so Safari and other browsers would be safer online on the Mac. Since then, Apple released an update to revoke DigiNotar from their trusted list:

If you are running an older Mac you can still protect yourself, but you will need to do it manually. You can follow the excellent instructions posted over at the ps | Enable blog.

And most recently, Adobe has posted instructions on how to remove DigiNotar from the Adobe Approved Trust List (AATL) for Adobe Reader.

And here we go again (thanks zlim)…

GlobalSign Stops Issuing Digital Certificates After Hack (PCWorld)

Second firms stops issuing digital certificates (CNET)

How many more will have fallen before it’s all said and done? I am beginning to wonder if we wouldn’t be better off just generating our own SSL certificates, it would likely be as safe as this fiasco has become…

Race Conditions aka TOCTOU and now KHOBE

[tweetmeme source=”franscomputerservices” only_single=false]There is a ‘supposedly new’ threat on the horizon for Windows XP users, and more so on multi-core systems called KHOBE (Kernel HOok Bypassing Engine).

Although this is a threat, it is not a new threat — in fact, this type of thing has been a threat to computing since 1998 when it was written about in PDF format: RaceConditions.pdf, and in 1996 in this PDF: racecond.pdf and many times since then in articles online about TOCTOU (noted below in this posting).

It definitely sounds pretty bad when it is reported that this ‘new’ KHOBE can bypass EVERY Windows security product in an article by the respected Adrian Kingsley-Hughes at ZDNet Blogs and as reported and tested by MATOUSEC here. And it certainly isn’t a non-issue…

However, let’s look at this objectively. First this is not the first, last or only situation that has or will arise. Race Conditions as noted above have been created by TOCTOU (Time of check to time of use) situations since the dawn of computing and yes, they are not easy to test for in all situations/hardware prior to release of software/Operating Systems, but these types of conditions have been a potential threat for a very long time in all kinds of software.

A time-of-check-to-time-of-use bug (TOCTTOU − pronounced “TOCK too”) is a software bug caused by changes in a system between the checking of a condition (such as a security credential) and the use of the results of that check. It is a kind of race condition.

Before Windows was capable of true multi-tasking/multi-threading, it was possible to create these conditions on UNIX machines as noted in this 2001 article at InformationWorld.

So, why the fuss now? Windows 7 is basically claimed to be immune — by its omission in the ‘affected Windows Operating Systems’ list. Apparently only Windows XP (ONLY about 60% of Windows users –eeek! — per Adrian Kingsley-Hughes article above), or earlier Windows OSes are affected and in this particular case, and then only by security software that use the KHOBE (Kernel HOok Bypassing Engine).

Graham Cluely at his Sophos Blog notes,

Because KHOBE is not really a way that hackers can avoid detection and get their malware installed on your computer. What Matousec describes is a way of “doing something extra” if the bad guys’ malicious code manages to get past your anti-virus software in the first place.

In other words, KHOBE is only an issue if anti-virus products such as Sophos (and many others) miss the malware. And that’s one of the reasons, of course, why we – and to their credit other vendors – offer a layered approach using a variety of protection technologies.

In addition, Paul Ducklin’s Sophos blog notes,

The security panic of the week is the widely-reported story of a “vulnerability” called KHOBE. One news headline goes so far as to announce that this “new attack bypasses virtually all AV protection”.

I disagree.

The sample “attack”, which claims to be an 8.0 earthquake for desktop security software, describes a way in which the tamper protection implemented by some anti-malware products might potentially be bypassed. Assuming you can get your malicious code past the anti-malware product in the first place, of course.

Much more in his blog entry. All of these links are must read if you wish to understand as much as is possible what the real threat is.

So, given all this, is the game over on security software because this is now disclosed to be possible (READ: it was always possible) — at least till they figure out how to prevent Race Conditions in security software?

Hardly. But due to the release of the information, this situation may make life interesting security-wise for Windows XP users (earlier Windows OSes like Win2K, Win98, WinME, WinNT shouldn’t even be on the net at this point for many reasons, the least of which is this situation).

So, if you are a Windows user what can you do in the meantime?

  • Keep your systems up to date
  • Make sure you have a hardware NAT or SPI Firewall/Router on your local network, and a software firewall in place and working properly and updated (if it’s a third party firewall – Windows Firewall is updated with your Windows Updates)
  • Keep your browsers up to date
  • Keep your browser plugins (Adobe products, Apple products, Java, etc.) and extensions (like Firefox’s AdBlock Plus, etc.) up to date
  • Keep all Internet facing programs (Adobe, Microsoft, etc.) up to date
  • Run your CCleaner (or other Temporary Files/Temporary Internet Files cleaner program) frequently (I actually run mine several times a day) – Fully close any browsers before running your ‘cleaner’ and then re-open it as needed after you run the ‘cleaner’
  • Make sure your antivirus software is updating as it should and doing its scheduled scans
  • Update and Run any cleaner software and secondary anti-malware programs (like Malwarebytes Anti-malware) at least once a week or more often and immediately if something seems odd on your computer
  • Don’t open suspicious emails, even from known senders
  • Be careful where you go on the Internet. Even some legitimate sites have been hacked
  • Be careful about links and friends on Facebook (if you haven’t deactivated your account yet), Twitter, LinkedIn, and other Web 2.0/dynamic Social Networking sites.

In short, do what you should always be doing to keep yourself safe. Because this isn’t over. It was always a possibility whether we were aware or not, and it will likely be a possibility for a long time to come.

You might also consider installing a preventative program like BillP’s WinPatrol on your system to make you aware of potential changes to your system. *See EDIT below for a note from BillP about WinPatrol and kernel hooks.

And as I noted earlier, the focus of this issue, at this time, is apparently Windows XP, but any operating system is vulnerable to this type of attack and always has been — and that is not likely going to change any time soon.

EDIT: Added the following comment from BillP who developed WinPatrol:

* Thanks! I’m honored by the mention.
It’s a great topic and mentioning WinPatrol is appropriate since I don’t use any kernel hooking to detect changes. Thumbs Up!

Bill

Embedded PDF executable hack

[tweetmeme source=”franscomputerservices” only_single=false]Embedded PDF executable hack goes live in Zeus malware attacks (Ryan Naraine at ZDNet)

Yes, there has been a lot of coverage on Adobe Reader vulnerabilities, and this is no exception, and with good reason since this is being actively exploited.

This one is the same /launch vulnerability built into Adobe Reader that was being exploited to run malicious code. This one also comes via email, and the PDF has an embedded attachment within the document. The file is executable and if you run it, it will install the Zeus bot on your computer.

It’s no longer good enough to disable Javascripting alone. There is more needed to thwart this attack.

From the article:

Here are the instructions for mitigating a potential attack:

* Users can also turn off this functionality in the Adobe Reader and Adobe Acrobat Preferences by selecting > Edit > Preferences > Categories > Trust Manager > PDF File Attachments and clearing (unchecking) the box “Allow opening of non-PDF file attachments with external applications”

It is important to download PDF files from email rather than opening them directly from email, as with any attachment, so you can virus scan the file prior to opening it.

While you are in the Preferences, you might want to make sure Javascripting is turned off. And you might want to disable viewing PDF files in browser windows. There are times when that may be inconvenient, but it will keep you safer at least for now.

One way to keep PDF files from opening in browsers if you are using Firefox is to install the PDF Download Extension which allows you to download rather than open a PDF file in the browser. It also gives you a chance to determine if this is really what you want to do.