After a month of vacation, Patch Tuesday is back, and with a vengeance. Today MS released 5 Critical bulletins and 1 Important one. Below is the list of the bulletins released by MS today:

- MS07-017 - Vulnerabilities in GDI Could Allow Remote Code Execution (925902)
- MS07-018 - Vulnerabilities in Microsoft Content Management Server Could Allow Remote Code Execution (925939)
- MS07-019 - Vulnerability in Universal Plug and Play Could Allow Remote Code Execution (931261)
- MS07-020 - Vulnerability in Microsoft Agent Could Allow Remote Code Execution (932168)
- MS07-021 - Vulnerabilities in CSRSS Could Allow Remote Code Execution (930178)
- MS07-022 - Vulnerability in Windows Kernel Could Allow Elevation of Privilege (931784)

Be sure to update your computers as soon as possible. You can click here for the update.
Archive for April 11th, 2007
Good day everyone!
March seemed to be a relatively quiet month for malware authors. There were fewer mass-mailed malware families, but we still saw a fair share of TROJ_ZLOB and WORM_MYTOB variants making their rounds. IM and web-based threats were seen in their usual numbers, with the more interesting ones discussed below.
One probable reason why March was a relatively quiet month is that it lacks an international event. January has New Year and February has Valentine’s Day. March has, umm… well… it’s summer in the Philippines and spring in the US, but not much of an event to use effectively as a social engineering hook. The lack of “shocking” headlines could have contributed to the calmer March malware traffic too.
Regional Attacks
In a rather unusual attack targeting Middle Eastern countries, TrendLabs discovered a worm that executes only on machines with Arabic or Persian keyboard layouts. The malware’s use of e-mail subjects and bodies that contain references to Israel, Iran, Lebanon, and Gaza confirms its intent to infect Arabic- or Persian-speaking users.
In another round of social engineering attacks, TROJ_YABE impersonates another German company, this time German Telekom, in an attempt to fool users into downloading the malware. The malware arrives via e-mail claiming to be a bill from German Telekom. A few days earlier, TROJ_YABE was seen arriving as a confirmation e-mail from the Apple Store Germany.
Malware that hit it big
Towards the end of March, the security industry was abuzz with the discovery of a new malware that exploits Microsoft’s ANI (animated cursor) file format in order to download other malicious files.
This is big news because not only is it a zero-day exploit, there is also a readily available toolkit that can generate variants of this malware. The exploit became so rampant that, to date, more than 450 URLs either host the exploit or host the file it downloads.
TrendLabs was quick to react to this emerging threat, releasing a generic detection (EXPL_ANICMOO.GEN) a few days after the exploit was discovered. Microsoft was also quick to the draw, releasing the MS07-017 fix.
Web-based Threats
Malware authors are beginning to realize the power of social networking and Web 2.0 in general. A MySpace profile was found to host a .mov file that exploits a vulnerability in QuickTime. The exploit enables the .mov file to download additional malware from a particular URL.
Vulnerabilities and Exploits
Aside from the ANI exploit, significantly fewer Microsoft-related vulnerabilities were discovered last February and March. Microsoft decided to skip March’s Patch Tuesday, and everything was relatively quiet in exploit land until ANI struck.