ESET Threat Blog

Archive for the 'updates' Category

ESET Beats Microsoft to the Punch


Thursday, January 7th, 2010

I recently got a new MacBook Pro and set up Windows 7 and ESET Smart Security on it. This morning when I started the computer ESET Smart Security notified me that my operating system wasn’t up to date. This was a bit of a surprise because I updated everything when I installed the operating system. It turns out that ESET Smart Security detected that Windows Defender’s definitions were out of date before Windows even knew about it! Was it a simple timing fluke? I’ll have to wait and see if that happens more often. It may be that ESET Smart Security makes Microsoft’s Windows Defender better :)

Randy Abrams
Director of Technical Education

Fake Windows Update


Thursday, October 22nd, 2009

[Update: I notice that at about the same time that I posted this, Sophos also flagged a blog reporting a somewhat similar fake update for Microsoft Outlook/Outlook Express (KB910721). The message is a lot different and links to a different site pretending to be Microsoft's update site, but is clearly not to be trusted. So the take-home messages are (1) don't trust links in a message if you can't be dead certain it comes from the source it seems to come from: go to a known authentic URL, or use the update mechanism within Windows itself (2) Check the link below on how Microsoft really disseminates update information.]

[Update 2: Spanish speakers might like to check out ESET Latin-America's version of this blog, now at http://blogs.eset-la.com/laboratorio/2009/10/22/falsos-correos-de-microsoft-propagan-malware/. Nice that we can give them something to write about occasionally rather than vice versa!]

A trusted source (thanks, Steve!) has just sent us (among other security organizations) an example of a fake Windows update. It claims to be an out-of-cycle security update sent from Microsoft, but redirects to an executable on a site which has, of course, nothing to do with Microsoft, and which ESET products detect as Win32/Injector.ACX.

For information on what Microsoft really does when it sends information on security updates, see http://www.microsoft.com/protect/yourself/phishing/msemail.mspx?wt_svl=10233EWNa1&mg_id=10233EWNb1
 

From: Microsoft [mailto:team@microsoft.com] [This is spoofed, of course]
Sent: 22 October 2009 11:49
Subject: Update : DNCSKEUPXR [I'd presume that this is a randomized string, meant to foil simple filtering by subject]
Importance: High

Security update

When necessary, Microsoft provides a new security update on the second Tuesday of each month and publishes a bulletin to announce the update.
Occasionally, updates are released more often. [This is true, of course. However...]
The links below go to the latest update download. [...the link, which I've removed, is not to a Microsoft site.]

(Privat secured new link)
[removed]

Each bulletin includes links to the security updates. Microsoft has submitted a new update for all Windows OS web browsers, which brings a more stable and secure application, Internet Explorer version 7.0.195.24.
The new version has no new functionality but fixes one security vulnerability that has been classified as "high", the highest level.
Vulnerability refers to the possibility of external attacks through Internet Explorer and Outlook Express. We recommend installing the update to keep you and your system safe. [Obviously, it would be a mistake to take any of this at face value!]

Thank you, Adrian King Director of Security Assurance Microsoft Corp. [There was an Adrian King at Microsoft who was Director of Operating Systems Products: he left many years ago. Messages like this commonly cite the same job title with different names.]
 
IHSOHKWZMNFOKEXCNRKOOGUBQZDDJQBIOTCRIL [Presumably randomized, probably as a simple "hashbuster".] 
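The take-home message above, that a link is only to be trusted if it goes where the sender claims, can be turned into a simple mail triage check. The Go program below is an added example written for this page, not code from ESET or from the post; it parses a constructed message modelled on the fake update quoted above (the claimed sender and the two random-looking tokens are taken from the quoted message, the link host is a reserved example domain chosen here, and the benign control message is also constructed) and raises three kinds of indicator: a link whose host is not on the claimed sender's domain, a long random-looking token in the subject (the kind of thing that foils subject-based filtering), and a similar token in the body (the "hashbuster"). The all-caps heuristic is deliberately crude; its point is to show where such a check sits, not to be a production filter.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"regexp"
	"strings"
)

// Constructed sample modelled on the fake update quoted above. The claimed
// sender and both random-looking tokens come from the quoted message; the link
// host is a reserved example domain chosen for this example, not a real site.
const sampleMessage = `From: Microsoft <team@microsoft.com>
Subject: Update : DNCSKEUPXR
Importance: High

Security update
The links below go to the latest update download.
(Privat secured new link)
http://update-download.example.net/ie7-update.exe

Thank you, Adrian King Director of Security Assurance Microsoft Corp.
IHSOHKWZMNFOKEXCNRKOOGUBQZDDJQBIOTCRIL
`

// Constructed control message: same claimed sender, but the link stays on the
// sender's own domain and the subject carries no random token.
const benignMessage = `From: Microsoft <team@microsoft.com>
Subject: How Microsoft announces security updates

Microsoft describes its real update mailings at
http://www.microsoft.com/protect/yourself/phishing/msemail.mspx
`

var (
	urlRe   = regexp.MustCompile(`https?://([A-Za-z0-9.-]+)\S*`)
	tokenRe = regexp.MustCompile(`\b[A-Z]{10,}\b`) // long all-caps run: crude "random string" heuristic
)

// Finding is one indicator raised against a message.
type Finding struct {
	Kind   string
	Detail string
}

// senderDomain extracts the domain part of the (claimed) From address.
func senderDomain(from string) (string, error) {
	addr, err := mail.ParseAddress(from)
	if err != nil {
		return "", err
	}
	at := strings.LastIndex(addr.Address, "@")
	if at < 0 {
		return "", fmt.Errorf("no domain in %q", addr.Address)
	}
	return strings.ToLower(addr.Address[at+1:]), nil
}

// onDomain reports whether host is domain itself or one of its subdomains.
func onDomain(host, domain string) bool {
	host = strings.ToLower(host)
	return host == domain || strings.HasSuffix(host, "."+domain)
}

// Triage parses a raw message and returns the indicators found in it.
func Triage(raw string) ([]Finding, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return nil, err
	}
	domain, err := senderDomain(msg.Header.Get("From"))
	if err != nil {
		return nil, err
	}
	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	// Links that leave the claimed sender's domain: the post's core indicator.
	for _, m := range urlRe.FindAllStringSubmatch(string(body), -1) {
		if !onDomain(m[1], domain) {
			findings = append(findings, Finding{"link-host-mismatch",
				fmt.Sprintf("claims %s but links to %s", domain, m[1])})
		}
	}
	// Random-looking tokens in the subject (filter evasion) and body (hashbuster).
	for _, tok := range tokenRe.FindAllString(msg.Header.Get("Subject"), -1) {
		findings = append(findings, Finding{"random-subject-token", tok})
	}
	for _, tok := range tokenRe.FindAllString(string(body), -1) {
		findings = append(findings, Finding{"random-body-token", tok})
	}
	return findings, nil
}

func main() {
	for _, raw := range []string{sampleMessage, benignMessage} {
		findings, err := Triage(raw)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("%d finding(s)\n", len(findings))
		for _, f := range findings {
			fmt.Printf("  %-22s %s\n", f.Kind, f.Detail)
		}
	}
}
```

Run as-is, the constructed fake yields three findings and the control message none. The domain comparison is suffix-based on purpose: `update.microsoft.com` counts as the sender's domain, while `microsoft.com.example.net` does not.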

 

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

ESET Threatblog (TinyURL with preview enabled): http://preview.tinyurl.com/esetblog
ESET Threatblog notifications on Twitter: http://twitter.com/esetresearch
ESET White Papers Page: http://www.eset.com/download/whitepapers.php

Securing Our eCity community initiative: http://www.securingourecity.org/

Adobe Update Update (Update?)


Friday, July 31st, 2009

This is a quick follow-up to the earlier blog about Adobe updates.

I’ve just received notification that the Adobe Flash Player updates bulletin released yesterday has been updated: it now contains information about (and links to) the promised Adobe Reader and Acrobat patches.

Adobe states that it categorizes these updates as critical and recommends that you apply the patches (as indeed do I).

The update for Adobe Flash Player v9 and v10 for Solaris is still pending, and there’s no indication of time scale on that for the present.

The next quarterly security update for Adobe Reader and Acrobat has now been rescheduled for Tuesday, October 13.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence


You May Die from an Airbag


Tuesday, July 28th, 2009

Yes, it is true. Airbags in cars save a whole bunch more lives than they end up costing, but sometimes, on rare occasions, they may take a life that otherwise would have been saved. Almost anyone, except the instigators of the airbag story below, understands the trade-offs.

TechnologyBUFFOON.com, I mean Technologyreview.com, published the following irresponsible headline over an obviously un-researched story.

Researcher: Update and You’re Owned

http://www.technologyreview.com/blog/unsafebits/23904/?nlid=2211

The premise is that many companies update their products using HTTP rather than HTTPS. HTTPS is about encryption, AKA privacy, not security.

There are attacks against https as well as http. It doesn’t matter what gets downloaded if it is not executed.

If a program requires a cryptographically strong signature before it executes the file, then it is far more secure than a program relying only upon HTTPS for a false sense of security.

You are orders of magnitude more likely to get “owned” for not updating than for using a program that updates via HTTP rather than HTTPS.
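The argument above, that what protects the user is a signature check before execution rather than the transport, is shown end to end in the Go program below. It is an added example written for this page, not code from the post or from any product mentioned in it: the update payload, the vendor key pair and the install hook are all constructed here, and Ed25519 from Go's standard library stands in for whatever signature scheme a real vendor uses. No network code appears on purpose; the client performs exactly the same check whether the bytes arrived over HTTP, HTTPS or a USB stick, and a payload altered in transit or re-signed with a key that is not the vendor's is rejected before anything is installed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdatePackage is what an updater fetches, over HTTP or HTTPS alike: the
// payload and a detached signature made with the vendor's release key.
type UpdatePackage struct {
	Payload   []byte
	Signature []byte
}

var ErrBadSignature = errors.New("update rejected: signature does not verify against the pinned vendor key")

// SignUpdate is the vendor side, done once at release time with the private key.
func SignUpdate(priv ed25519.PrivateKey, payload []byte) UpdatePackage {
	return UpdatePackage{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// VerifyAndInstall is the client side. The vendor public key is pinned in the
// installed program; nothing in the package is acted on until the signature
// verifies, so how the bytes travelled is irrelevant to whether a modified
// payload can run.
func VerifyAndInstall(pinned ed25519.PublicKey, pkg UpdatePackage, install func([]byte) error) error {
	if len(pkg.Signature) != ed25519.SignatureSize || !ed25519.Verify(pinned, pkg.Payload, pkg.Signature) {
		return ErrBadSignature
	}
	return install(pkg.Payload)
}

// Demo runs the exchange end to end with a freshly generated key pair and a
// constructed payload. It reports whether the genuine package was installed and
// whether two bad packages (payload altered in transit; a different payload
// validly signed by some other key) were both rejected without reaching install.
func Demo() (genuineInstalled, forgeriesRejected bool, err error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	payload := []byte("constructed update payload: example-product-1.0.1.bin") // not a real file
	pkg := SignUpdate(vendorPriv, payload)

	installs := 0
	install := func(b []byte) error { installs++; return nil }

	genuineInstalled = VerifyAndInstall(vendorPub, pkg, install) == nil

	// Case 1: one byte of the payload changed between vendor and client.
	altered := pkg
	altered.Payload = append([]byte(nil), pkg.Payload...)
	altered.Payload[0] ^= 0x01
	err1 := VerifyAndInstall(vendorPub, altered, install)

	// Case 2: a different payload, validly signed but by a key that is not the vendor's.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, err
	}
	forged := SignUpdate(otherPriv, []byte("constructed replacement payload"))
	err2 := VerifyAndInstall(vendorPub, forged, install)

	forgeriesRejected = errors.Is(err1, ErrBadSignature) && errors.Is(err2, ErrBadSignature) && installs == 1
	return genuineInstalled, forgeriesRejected, nil
}

func main() {
	ok, rejected, err := Demo()
	fmt.Println("genuine installed:", ok, "| forgeries rejected:", rejected, "| err:", err)
}
```

Two points a practitioner should keep in mind when building this for real: the check establishes origin and integrity of the bytes, not freshness, so an updater also needs a version or rollback check to stop an old but validly signed package being served; and the whole scheme rests on the release private key staying offline and the pinned public key being unmodifiable on the client.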

Shame on TechnologyReview for such an irresponsible headline.

Randy Abrams
Director of Technical Education

Update updates


Wednesday, May 13th, 2009

So Patch Tuesday has been and gone, and many of you will already have updated automatically. If you haven’t, do. There seems to be a curious complacency in some quarters about PowerPoint client-side exploits and targeted attacks, but a lot of dross gets passed around as slide decks. For example, many an old hoax has been given a new lease of life by distribution as a PPT or PDF, and most malware distribution feeds on credulity. Hmm. That almost sounds like a paper I’m writing. :)

Talking of PDFs, Adobe yesterday published a new security bulletin addressing the vulnerabilities labeled CVE-2009-1492 and CVE-2009-1493 by http://cve.mitre.org. This update is described by Adobe as critical, and as Adobe auto-updating is not very consistent, Adobe users need to check that page. (And the other links, if you want more information: the bulletin isn’t very detailed and is a bit sparse on links.)

CVE-2009-1492 affects Adobe Reader 9.1 and Acrobat 9.1, and earlier, and could allow a remote attacker to take control of an affected system.  CVE-2009-1493 only seems to affect Adobe Reader for UNIX and is also remotely exploitable.

Adobe recommends updating to versions 9.1.1, 8.1.5, or 7.1.2. It also says it expects to provide updates for Adobe Reader 7 and Acrobat 7 before the end of June.

Adobe must feel that the entire anti-malware industry is out to get it at the moment (not made up for by its popularity with the bad guys), so it’s nice to be able to say that at least they’re making updates available before they’re aware of exploits. A little more info on vulnerabilities, at least once they’re addressed, and more consistency on updating would be nice, though.

Adobe users might want to subscribe to the RSS feed for the Adobe Product Security Incident Response Team blog.

Since everyone knows there is, never was, and never could be any OS X-targeting malware, I won’t mention the impressive volume of updates released by Apple yesterday. I guess my MacBook is going to be busy with automatic downloads for a while when I get back to it tomorrow.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Adobe Patches & Communication


Friday, March 20th, 2009

Well, Adobe are still not speaking to me: I’ve had no information about updates to address the recent Acrobat vulnerability/exploits to either of the addresses I subscribed to its Security Notification Service. (See PPPS below.)

However, something positive is happening out there in the old clay homestead: updates have arrived for a machine on which I have Acrobat 8, though not for the machine next to it, which still runs 7 (I’ll have to look at that issue in a minute).

In case Adobe aren’t speaking to you either, here’s what it recommends:

  • Acrobat Reader users: if you can, upgrade to Reader 9.1. If you can’t, go to 8.1.4 or 7.1.1. Adobe Reader for Unix 9.1 isn’t available yet, but is expected to be by the 24th March.
  • Acrobat users:
    • 9.x users should go to 9.1 (NB, there are different download links according to which version of Acrobat 9 you own and, not unreasonably, which platform you run it on).
    • 8.x users should go to 8.1.4 (again, mind you use the right link)
    • 7.x users should go to 7.1.1 (several links)

PS: that Acrobat 7 issue… Updates were disabled on that machine because I wasn’t logged on as an administrator, and even when I did change logins, I had to download manually, only to find that 7.1.1 isn’t there yet.  Let’s hope Adobe catch up with themselves sooner rather than later.

I can see the point of disabling updates for unprivileged users in the business world (the principle of least privilege!), in that many IT teams would be unhappy about end users installing updates they hadn’t tested in the corporate environment. But what about home/SOHO (Small Office/Home Office) users who don’t have an IT team and don’t normally run as administrator (which is an entirely sensible practice that we often advocate)? It might be civil at least to let them know that there’s a problem and an update to fix it, in case they don’t happen to read The Register or blogs by those nice people from ESET.

PPS: updating re-enables Acrobat JavaScript. While the update presumably (hopefully) fixes the recent vulnerabilities, I’m not sure I’d care to assume that no further vulnerabilities will be found. You might want to consider our earlier advice to disable it unless you really have a need for it. If you don’t know if you need it, you probably don’t. (Though the "Getting Started" document that was also re-enabled to show at startup may not run properly without JavaScript.)

PPPS: there is, it seems, another way of getting information pushed from Adobe. The Adobe Product Security Incident Response Team blog here has an RSS feed here.