Microsoft has released security advisory 969136 to address reports of a vulnerability in Microsoft Office PowerPoint. By convincing a user to open a specially crafted Office file, a remote attacker may be able to gain access to the affected system with the same rights as the user running PowerPoint.
US-CERT encourages users and administrators to review Microsoft Security Advisory 969136 and implement the suggested workarounds listed in the advisory to help mitigate the risks.
by NIST
When you type www.irs.gov—or the Web address of your bank or an e-commerce site—into your web browser, you want to be sure that no one is hijacking your request and sending you to a bogus look-alike page. You’re relying on the integrity of the Internet’s “phone book,” the Domain Name System (DNS). Computer scientists at the National Institute of Standards and Technology (NIST) are playing a major role in making sure that what you type is what you get by providing standards, guidance and testing necessary to bolster the trustworthiness of the global DNS. A draft update of NIST’s guidelines for DNS security is now available for public comment.
Most recently, NIST computer scientists provided technical assistance to the General Services Administration to meet the end-of-February deadline to secure the top-level .gov (“dot-gov”) domain, the first major step of a new government-wide DNS security upgrade. NIST researchers develop the standards, specifications and operational procedures used by federal civilian agencies to safeguard their information systems. The Internet relies on the DNS system that converts the user-friendly names (www.nist.gov) into a unique Internet Protocol address (129.6.13.45) necessary to route data to its destination.
The DNS as currently deployed lacks the ability to authenticate the source or integrity of responses returned from the system, and as a result it is easy to spoof responses and redirect users to fake or look-alike destinations. NIST and others are working to add “steel doors and locks” to enhance DNS security. NIST computer scientists led the development of new Internet Engineering Task Force (IETF) standards to add digital signatures and associated key management procedures to DNS protocols. These additions, called DNSSEC, allow users to validate the authenticity and integrity of the data and will provide the basis for a new trust infrastructure for the DNS and protocols and systems that rely on it.
“We hope that the dot-gov deployment of DNSSEC will encourage rapid deployment in other sectors, including government contractors, trading partners and general e-commerce sites,” said Scott Rose, one of the NIST computer researchers.
In addition to developing the standards and deployment protocol guidance for DNSSEC, NIST researchers have developed the Secure Naming Infrastructure Pilot (SNIP) distributed testbed (www.dnsops.gov) to assist agencies and vendors in experimenting with and evaluating specific DNSSEC solutions. NIST is a member of an industry-government DNSSEC-Deployment Initiative, coordinated by the Department of Homeland Security, to foster adoption and implementation of DNSSEC specifications across Internet domains.
The NIST team also has drafted updated recommendations for the “Secure Domain Name System (DNS) Deployment Guide” (NIST Special Publication 800-81 Rev 1), the key DNS security guidance document for civilian agencies, (Available on the Web at http://csrc.nist.gov/publications/drafts/800-81-rev1/NIST_SP-800-81-Rev1_draft.pdf.)
This first revision of the guidance proposes stronger cryptographic algorithms and keys to provide more resilience against attack. The revised publication incorporates comments from the Internet Engineering Task Force that are to update best practices and checklists in the document. The latest version of the deployment guide includes cookbook configuration instructions for two commonly deployed DNS server implementations.
The public is invited to review the draft NIST SP-800-81 revision 1 guidelines and submit comments to SecureDNS@nist.gov before March 31, 2009.
This report documents the GhostNet – a suspected cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.
The capabilities of GhostNet are far-reaching. The report reveals that Tibetan computer systems were compromised giving attackers access to potentially sensitive information, including documents from the private office of the Dalai Lama. The report presents evidence showing that numerous computer systems were compromised in ways that circumstantially point to China as the culprit. But the report is careful not to draw conclusions about the exact motivation or the identity of the attacker(s), or how to accurately characterize this network of infections as a whole. The report argues that attribution can be obscured.
The report concludes that who is in control of GhostNet is less important than the opportunity for generating strategic intelligence that it represents. The report underscores the growing capabilities of computer network exploitation, the ease by which cyberspace can be used as a vector for new do-it-yourself form of signals intelligence. It ends with warning to policy makers that information security requires serious attention.
US-CERT is aware of public reports indicating a widespread infection of the Conficker worm, which can infect a Microsoft Windows system from a thumb drive, a network share, or directly across the network if the host is not patched with MS08-067.
The presence of a Conficker infection may be detected if a user is unable to navigate to the following websites:
http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp+link_conficker_worm
http://www.mcafee.com
If a user is unable to reach either of these websites, the Conficker infection may be indicated (the most current variant of Conficker interferes with queries for these sites, preventing a user from visiting them). If a Conficker infection is suspected, the infected system should be removed from the network. Major anti-virus vendors and Microsoft have released several free tools that can verify the presence of a Conficker infection and remove the worm. Instructions for manually removing a Conficker infection from a system have been published by Microsoft in Knowledgebase Article 962007.
US-CERT encourages users to prevent a Conficker infection by ensuring all systems have the MS08-067 patch (part of Security Update KB958644, which was published by Microsoft in October 2008), disabling AutoRun functionality (see US-CERT Technical Cyber Security Alert TA09-020A), and maintaining up-to-date antivirus software.
US-CERT will provide additional information as it becomes available.
Sun Releases Updates for Java SE
added March 26, 2009 at 08:54 am
Sun has released updates for Java SE to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or operate with escalated privileges.
US-CERT encourages users to review the Sun Java SE 6 Update Release Notes and upgrade to Java SE version 1.6.0_13 to help mitigate the risks.
Source: US-CERT
As part of the Microsoft Security Bulletin Summary for March 2009, Microsoft released updates to address vulnerabilities that affect Microsoft Windows and Windows Server.
A remote, unauthenticated attacker could gain elevated privileges, poison the DNS cache, execute arbitrary code, or cause a vulnerable application to crash.
Solution
Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for March 2009. The security bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. Administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).
(NAPS) — Hackers and spammers may be using your computer right now. They invade secretly and hide software to get access to the information on your computer, including your e-mail program. Once on your computer, they can spy on your Internet surfing, steal your personal information and use your computer to send spam to other computers without your knowledge.
Computers taken over this way often become part of a robot network, known as a “botnet” for short. A botnet, also known as a “zombie army,” is made up of tens or hundreds of thousands of home computers sending e-mails by the millions. Fortunately, botnets are not inevitable.
You can protect yourself from botnets, hackers and spam. To help you reduce your chances of becoming part of a bot, the Federal Trade Commission encourages you to secure your computer by:
• Using anti-virus and anti-spyware software and keeping it up to date.
• Being cautious about opening attachments or downloading files from e-mails you receive.
• Using a firewall to protect your computer from hacking attacks while it is connected to the Internet.
• Disconnecting from the Internet when you are away from your computer.
• Checking your “sent items” file or “outgoing” mailbox for messages you did not intend to send.
To learn more, visit OnGuardOnline.gov/botnet.html.
US-CERT is aware of public reports of malicious code circulating via spam email messages related to bogus terror attacks in the recipient’s local area. These messages use subject lines implying that a fatal bomb attack has occurred near the recipient and contain a link to “breaking news.” Users who click on the link will be taken to a site posing as a Reuters news article that contains a bogus news story about the fatal bomb attack. The systems serving the bogus news story check a visiting user’s IP address to obtain a geographical location to insert a nearby placename into the bogus article. The articles also contain links to video content, claiming that the latest Flash Player is required to view the video. If users attempt to update or install the Flash Player from the link provided in the article, their systems may become infected with malicious code.
US-CERT encourages users and administrators to take the following preventative measures to help mitigate the security risks:
Install antivirus software, and keep the virus signatures up to date.
Do not follow unsolicited links and do not open unsolicited email messages.
Use caution when visiting untrusted websites.
Use caution when downloading and installing applications.
Obtain software applications and updates directly from the vendor’s website.
Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.
US-CERT is aware of reports of economic stimulus scams circulating. These scams are being conducted through both email and malicious websites.
Some of the email scam messages request personal information, which can then be used for identity theft. Other email scam messages offer to deposit the stimulus funds directly into users’ bank accounts. If users provide their banking information, the attackers may be able to withdraw funds from the users’ accounts.
The website scams entice users by claiming that they can help them get money from the stimulus fund. These websites typically request payment for their services. If users provide their credit card information, the attackers running the malicious sites may make unauthorized charges to the card, or charge users more than the agreed upon terms.
US-CERT encourages users to do the following to help mitigate the risks:
Review the Federal Trade Commission alert about economic stimulus scams.
Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.
Mozilla Foundation has released Firefox 3.0.7 to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, obtain sensitive information, or spoof the location bar. The Mozilla Foundation Security Advisories also indicate that these vulnerabilities affect Thunderbird and SeaMonkey.
US-CERT encourages users to review the following Mozilla Foundation Security Advisories and update to Firefox 3.0.7 to help mitigate the risks.
BugTraq Security Tip Of The Day Computer And Internet Security News Current Security Alerts Network Vulnerability Notes Homeland Security