Security

Microsoft is investigating reports of a flaw in the WordPad Text Converter for Word 97 files, the company said on Tuesday. A Microsoft blog stated "we are aware of very limited and targeted attacks seeking to exploit this vulnerability."

On Wednesday security researchers reported finding a zero-day flaw affecting Microsoft Internet Explorer 7.

According to Microsoft Security Advisory 960906, the flaw only affects users of Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. This issue does not affect Windows XP Service Pack 3, Windows Vista, and Windows Server 2008.

When Microsoft Office Word is installed, Word 97 documents are set by default to open using Microsoft Office Word. Microsoft said Word is not affected by this vulnerability. However, an attacker could rename any malicious file to have a Windows Write (.wri) extension; the malicious file could invoke WordPad. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.

The flaw cannot be exploited automatically through e-mail, however. For an attack to be successful, a user must open an e-mail attachment. Microsoft notes that the .wri file type can be blocked at the Internet perimeter.

Microsoft issued its standard disclaimer stating it is investigating the issue and would act upon completion of that investigation. Among the solutions, Microsoft could issue a service pack, include a bulletin in its next monthly security update, or issue an out-of-cycle security update depending on the severity of the issue.

The use of malware on Web sites to steal passwords and other sensitive information is skyrocketing, according to a new report from the Anti-Phishing Working Group.

The number of URLs with hidden code for stealing passwords nearly tripled between July 2007 and July 2008, to a record high of 9,529, while the number of malicious-application variants hit a high of 442 this May, the APWG reports in its quarterly report (PDF) issued this week.

(Credit: Anti-Phishing Working Group)

The increase is primarily due to malicious code being used in SQL injection attacks, in which a small malicious script is inserted into a database that feeds information to the Web site. Typically, the host site is legitimate such as BusinessWeek's, not a phishing site created for the sole purpose of stealing consumer data.

The financial-services industry is the most targeted sector for phishing attacks, followed by those focusing on auctions and payment services, the report found.

"Cybercriminals continue to increase their activities to levels never before seen in the five years since the APWG has been monitoring phishing and crimeware," APWG Chairman Dave Jevans said in a statement.

The recession is prompting even more malicious activity online, he said.

"The current financial crisis has also been used by phishers to create new scams that try to scare consumers into entering their usernames and passwords into sites that mimic those of well-known distressed financial institutions," Jevans said. "As the economy degrades, we are seeing a continual increase in malicious and criminal activity on the Internet."

Another report issued this week shows that IT security professionals view cybercrime and data breaches as the top security risks, followed by mobility, outsourcing, cloud computing, mobile devices, peer-to-peer file sharing, Web 2.0 services, and malware.

Meanwhile, respondents who work in IT operations listed outsourcing as the biggest risk, followed by mobile devices and cybercrime, in the 2008 Security Mega Trends Survey conducted by The Ponemon Institute on behalf of Lumension Security. In the survey, 577 respondents work in IT security, and 825 work in IT operations.

Of those surveyed, 83 percent of the IT security workers and 79 percent of IT operations professionals reported that their organization had a data breach due to customer or employee information being lost or stolen. Overall, 92 percent of the organizations have experienced a cyberattack.

Another survey, released on Thursday by CA, looks at behaviors and perceptions among American adults and teens of their safety online.

Fifty-seven percent of adults fear that they may become victims of identity fraud online within the next two years, and 90 percent worry about the security of their personal data. Meanwhile, 35 percent of teens leave their social-networking profiles open to viewing by strangers, 38 percent post their education information, 32 percent disclose their e-mail addresses, and 28 percent reveal their birth date.

Updated at 1:15 p.m. with CA study details.

One flaw not addressed in yesterday's Patch Tuesday is a heap overflow within the XML parser reported on Wednesday by Bojan Zdrnja of the SANS Internet Storm Center.

The exploit in the wild on Wednesday creates an XML tag, then waits 6 seconds in an attempt to thwart antivirus engines. The exploit could then crash the browser and run malicious code when the browser is restarted. The user must be running Windows XP or Windows Server 2003, and using Internet Explorer 7.

Zdrnja writes that "at this point in time, it does not appear to be wildly used, but as the code is publicly available, we can expect that this will happen very soon."

A Microsoft representative said the company is "investigating new public claims of a possible vulnerability in Internet Explorer. Once we're done investigating, we will take appropriate action to help protect customers. This may include providing a security update through the monthly release process, an out-of-cycle update, or additional guidance to help customers protect themselves."

As for a workaround, Zdrnja suggests using a browser other than Internet Explorer. Microsoft says anyone who has been affected by this exploit can get help online or by calling the PC Safety hotline at 1-866-PCSAFETY.

Symantec is going to collaborate with VMware to sell its disaster-recovery products for virtual environments.

For mutual customers, VMware ESX will be integrated with Symantec's Veritas Cluster Server (VCS) disaster-recovery product. Support will be provided through TSANet, a database that participating vendors use to coordinate support responses, and exchange support information.

"VMware is pleased to see Symantec deliver solutions like VCS that integrate with and complement the value of VMware virtualization," Shekar Ayyar, vice president of infrastructure alliances at VMware, said in a statement on Tuesday.

Symantec's VCS is designed to protect applications from unplanned downtime through local fail over of virtual machines, or failover between clusters in a remote location. VCS is integrated with VMware vCenter, and is designed to supplement VMotion, used for reducing planned downtime, and Distributed Resource Scheduler, used for active workload management.

Tom Espiner of ZDNet UK reported from London.

Amid the global downturn in the economy, cybercrminals appear to be winning in the war against law enforcement. That's the sobering conclusion drawn by a panel of experts in a report from McAfee released Tuesday.

"We saw the cybercriminals take advantage of economic messaging very, very quickly," said Dave Marcus, director of security research and communications for McAfee Avert Labs. He said cybercriminals are cashing in on consumer anxiety, particularly around the holidays and noted that as more and more people go online looking for better deals, criminals are preying on their inexperience in order to lure them to bogus sites and old-fashioned "get rich quick" scams.

In the last 12 months the volume of malware has risen dramatically, according to McAfee.

(Credit: McAfee)

One scam involves online job seekers responding to ads for "international sales representatives" or "shipping managers" being recruited as "cybermules" to launder the cybercriminal profits. "It's not a 'mule' in the traditional drug sense, where they're carrying drugs across the country or across a border," Marcus said, " but they are ultimately lured into what they think is like an Internet sales marketer or an Internet sales manager position." In reality they are laundering funds, putting it through additional hands, so that law enforcement has a few more obstacles in their path toward finding the thieves themselves.

Marcus recommends online job seekers go to legitimate job finding sites such as Monster.com rather than respond to Google ads.

Unfortunately, we're on our own, he said. As governments begin to focus on internal economic hardships, the fight against cybercrime slips further in funding and support. McAfee predicts that in the fourth quarter of 2008 cybercrime will continue to escalate in severity.

Once again, McAfee found that there is a shortage of computer specialists in law enforcement. And those who are specially trained are often hired away to high-salaried jobs at private companies. Of the remaining law enforcement, they're often bound to national borders, said Marcus, with international jurisdictional disputes further slowing online investigations.

The McAfee report said Russia and China remain the largest safe havens for cybercriminals, while Brazil and Moldova have become the fastest-growing countries to be most often blamed for cybercrime.

Microsoft on Tuesday released its December 2008 security bulletin. The "critical" bulletins affect Windows GDI, Word, Excel, Internet Explorer and Windows Search. The "important" updates affect SharePoint and Windows Media Components.

Microsoft is including within each bulletin an "exploitability index" to help system administrators prioritize the patches. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS08-070: Critical

Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX Controls) Could Allow Remote Code Execution (932349)", this bulletin affects the Microsoft Visual Basic 6.0 Runtime Extended Files; all supported editions of Microsoft Visual Studio .Net 2002, Microsoft Visual Studio .Net 2003, Microsoft Visual FoxPro 8.0, Microsoft Visual FoxPro 9.0, Microsoft Office Project 2003, and Microsoft Office Project 2007. This bulletin addresses the vulnerabilities detailed in CVE-2008-4252, CVE-2008-4253, CVE-2008-4254, CVE-2008-4255, CVE-2008-4256, and CVE-2008-3704, which could allow remote code execution "if a user browsed a Web site that contains specially crafted content," Microsoft says.

MS08-071: Critical

Exploitability index: 2-3. Microsoft recommends that customers apply this update immediately. Titled "Vulnerabilities in GDI Could Allow Remote Code Execution (956802)", this bulletin is rated critical for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. This bulletin addresses the vulnerabilities detailed in CVE-2008-2249 and CVE-2008-3465. Microsoft says "exploitation of either of these vulnerabilities could allow remote code execution if a user opens a specially crafted WMF image file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

MS08-072: Critical

Exploitability index: 1-3. Microsoft recommends that customers apply this update immediately. Titled "Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (957173)," this bulletin is rated critical for supported editions of Microsoft Office Word 2000 and Microsoft Office Outlook 2007. For supported editions of Microsoft Office Word 2002, Microsoft Office Word 2003, Microsoft Office Word 2007, Microsoft Office Compatibility Pack, Microsoft Office Word Viewer 2003, Microsoft Works 8, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac, this security update is rated important. This bulletin addresses the issues detailed in CVE-2008-4024, CVE-2008-4025, CVE-2008-4026, CVE-2008-4027, CVE-2008-4030,CVE-2008-4028, CVE-2008-4031, and CVE-2008-4837 . Microsoft says this bulletin resolves "eight privately reported vulnerabilities in Microsoft Office Word and Microsoft Office Outlook that could allow remote code execution if a user opens a specially crafted Word or Rich Text Format (RTF) file. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights."

MS08-073: Critical

Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Cumulative Security Update for Internet Explorer (958215)", this bulletin is rated critical for Internet Explorer 5.01 and Internet Explorer 6 Service Pack 1, running on Microsoft Windows 2000; Internet Explorer 6 running on Windows XP; and Internet Explorer 7. For Internet Explorer 6 running on Windows Server 2003, this security update is rated "moderate." This update addresses the vulnerabilities detailed in CVE-2008-4258, CVE-2008-4259, CVE-2008-4260, and CVE-2008-4261. Microsoft says the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer.

MS08-074: Critical

Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (959070)." This bulletin is rated critical for all supported editions of Microsoft Office Excel 2000. For all supported editions of Microsoft Office Excel 2002, Microsoft Office Excel 2003, Microsoft Office Excel Viewer 2003, Microsoft Office Excel 2007, Microsoft Office Compatibility Pack, Microsoft Office Excel Viewer, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac, this security update is rated important. For Internet Explorer 6 running on Windows Server 2003, this security update is rated moderate. This update addresses the vulnerabilities detailed in CVE-2008-4265, CVE-2008-4264, and CVE-2008-4266. Microsoft says if a user opens a specially crafted Excel file an attacker could exploit these vulnerabilities and take complete control of an affected system.

MS08-075: Critical

Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Vulnerabilities in Windows Search Could Allow Remote Code Execution (959349)" This bulletin is rated critical for all supported editions of Windows Vista and Windows Server 2008. This update addresses the vulnerability detailed in CVE-2008-4268 and CVE-2008-4269. Microsoft says that "these vulnerabilities could allow remote code execution if a user opens and saves a specially crafted saved-search file within Windows Explorer or if a user clicks a specially crafted search URL. An attacker who successfully exploited these vulnerabilities could take complete control of an affected system."

MS08-076: Important

Exploitability index: 1. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerabilities in Windows Media Components Could Allow Remote Code Execution (959807)", this bulletin is rated important for Windows Media Player 6.4, Windows Media Format Runtime 7.1, Windows Media Format Runtime 9.0, Windows Media Format Runtime 9.5, Windows Media Format Runtime 11, Windows Media Services 4.1, Windows Media Services 9 Series, and Windows Media Services 2008. This update addresses the vulnerabilities detailed in CVE-2008-3009 and CVE-2008-3010. Microsoft says the "most severe vulnerability could allow remote code execution. If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system."

MS08-077: Important

Exploitability index: 1. Microsoft recommends that customers apply the update at the earliest opportunity. Titled "Vulnerability in Microsoft Office SharePoint Server Could Cause Elevation of Privilege (957175)", this bulletin is rated important for all supported editions of Microsoft Office SharePoint Server 2007 and Microsoft Search Server 2008. This update addresses the vulnerability detailed in CVE-2008-4032. Microsoft says the "vulnerability could allow elevation of privilege if an attacker bypasses authentication by browsing to an administrative URL on a SharePoint site. A successful attack leading to elevation of privilege could result in denial of service or information disclosure."

Did your brother-in-law really send you a singing holiday card? Did a long-lost friend from college really include you on this year's list?

One inexpensive way to send holiday cheer may be to send e-cards, but security vendor AVG warned on Tuesday that online criminals are taking advantage of the fact most people don't know the difference between a legitimate e-card and one hosting malware.

Last week security vendors warned of a Trojan horse masquerading as holiday-themed e-cards from McDonald's, Coca-Cola, and Hallmark.

To better educate the public, AVG has launched a site, "Slam the Holiday Scam,", co-sponsored with CyberStreetSmart.org and i-Safeworking, and is working to team with various online safety organizations such as the National Crime Prevention Council, the FTC's Bureau of Consumer Protection, CyberStreetSmart.org, i-Safe, the National Cyber Security Alliance, and Consumers Union, and Protection from Brand Infection.

The tips, which should be familiar to most online users, include:

• Don't open attachments because most legitimate e-cards include links to the company's Web site that allow you to go directly to your card.
  
• If something looks a little strange or "phishy" just delete the card.
  
• Use security software on your desktop.
  
• Watch out for misspelled words or names, a disguised name (such as Your Friend, A Secret Admirer), or an odd URL.
  
• Always read the fine print before accepting any terms.
  

While no one can predict what will happen to the economy over the next 12 to 18 months, you can bet your bottom dollar that threats to confidential data will increase substantially in that time frame. Why? Malicious code threats are growing exponentially while the cyberunderground becomes ever more sophisticated.

Fortunately, industry players are starting to team up to lower the cost, complexity, and integration effort needed for data-centric security. Last week, EMC's RSA and Microsoft got together to announce that the software giant will integrate RSA's Data Loss Prevention (DLP) into the Windows infrastructure in order to discover and classify data (Word documents, Excel spreadsheets, and so on). Microsoft will also tightly integrate DLP with its Enterprise Rights Management (ERM) Server. Not to be outdone, security bigwig McAfee on Monday announced that it will integrate its DLP data discovery and policy management solutions with a leading ERM solution from Liquid Machines.

Why the activity?

1. DLP solutions need to become more mainstream
While every company that conducts business over the Web needs DLP capabilities, software solutions require customization, sophisticated skills, and lots of dough. Microsoft's data classification integration into Windows should help alleviate this by providing baked-in DLP basics.

2. DLP and ERM are complementary
DLP technology assumes you don't know where sensitive data is so you want to find it, classify it, and keep it confidential. ERM, on the other hand, assumes you know exactly where the data lives and you want granular protection at the user and file level. These announcements demonstrate that the debate between DLP and ERM was misguided--large organizations need both solutions to safeguard known and unknown sensitive data across the network.

3. Entitlement management is the next challenge
While we figured out how to centralize user authentication pretty well, we still leave entitlement management (i.e., user privileges) to each individual application. This method doesn't scale, is full of security vulnerabilities, and is nearly impossible to audit. Liquid Machines, McAfee, Microsoft, and RSA get this as do others like Cisco Systems (through its Securent acquisition) and Rohati. Clearly, these vendors are positioning themselves for this next moneymaking opportunity.

So what's next? While other DLP vendors will form their own cozy relationships, my hope is that the industry comes together in a group hug and defines some meta data standards for classification, policy definition, and enforcement. I know this isn't likely but it would sure go a long way to help us all protect our sensitive data.

Updated 4:30 p.m. PST with Google comment.

There will be no antiphishing feature in the final version of Firefox 2.0 when it is released later this month, according to Computerworld.

Google asked Mozilla to disable the feature in Firefox 2.0.0.19 that warns users of sites suspected of hosting identity fraud scams because the older browsers rely on an outdated SafeBrowsing protocol that Google is not supporting anymore, Mike Beltzner, director of Firefox, told Computerworld.

Firefox 2.0.0.19 is scheduled to ship December 16 and will be the final security update for the browser. The company released Firefox 3 in June.

Asked for comment, a Google spokesman provided this statement via e-mail: "Google encourages users to always use the latest version of the software they're running. Users of Firefox 2 will be notified of the change when they are updated to 2.0.0.19; we recommend that users upgrade to Firefox 3 to continue getting protection. Firefox 3 includes our Safe Browsing v2 protocol which is more efficient with network bandwidth, continues to help protect against phishing, and also adds malware protection."

Mozilla representatives could not be reached for comment Friday afternoon.

The DNA records of about 850,000 people could be wiped from the U.K.'s national database after the European Union ruled it breached human rights.

The European Court of Human Rights decision on Thursday means that the DNA details and possibly fingerprints of people suspected of a crime, but later cleared, could be removed.

The court found that in keeping the DNA details of people suspected of a crime the "state had overstepped any acceptable margin of appreciation."

The case was brought by two Britons, Michael Marper and "S", who were cleared of crimes and challenged the government over their details being kept on the 4.5 million-strong police database.

A U.K. Home Office representative said the government has until March before it must take any action on the ruling.

Home Secretary Jacqui Smith expressed dissatisfaction with the verdict, saying in a statement: "DNA and fingerprinting is vital to the fight against crime, providing the police with more than 3,500 matches a month, and I am disappointed by the European Court of Human Rights' decision...The existing law will remain in place while we carefully consider the judgment."

Privacy pressure group NO2ID welcomed the decision with the organization's national coordinator Phil Booth describing it as a victory for liberty and privacy.

Nick Heath of ZDNet UKreported from London.