TrendLabs Malware Blog

    Archive for August 11th, 2009

    Today’s Patch Tuesday from Microsoft comes with 9 security bulletins, 5 of which are rated critical and 4 important. Collectively, 19 flaws are addressed in these bulletins, 15 of which are critical. The set also includes the bulletin that addresses the previously exploited Microsoft Office Web Components bug.

    The critical bulletins include patches for vulnerabilities in Microsoft Office Web Components (MS09-043), Remote Desktop Connection (MS09-044), Windows Internet Name Service (WINS) (MS09-039), Windows Media file processing (MS09-038), and the Active Template Library (ATL) (MS09-037).

    The remaining (important) bulletins cover vulnerabilities in ASP.NET (MS09-036), Message Queuing (MS09-040), the Workstation Service (MS09-041) and Telnet (MS09-042).

    Details about these vulnerabilities can be found in our Security Advisory for the August 2009 Patch Tuesday in the Threat Encyclopedia. Microsoft’s blog notes that five of the critical bulletins carry a rating of “1” (consistent exploit code likely) in its Exploitability Index, so in-the-wild exploits targeting them are expected within the next 30 days.

    Again, this is a reminder to make sure that all your applications and operating systems are up to date with the latest patches. Vendors issue these patches precisely to stop cybercriminals from exploiting such vulnerabilities. Update now.

    Trend Micro OfficeScan users with the Intrusion Defense Firewall plug-in installed should apply today’s update for the latest filters (IDF09024). This version contains protection from attacks exploiting the above and other vulnerabilities.


    Aug 11, 3:19 am (UTC-7)

    This technique has arrived at last: Content Security had forecast that phishing with CAPTCHA would be an emerging fraud technique.

    CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is used to protect websites against abusive automated software that registers accounts, spams, logs in, or even splogs. Nowadays, however, legitimate sites are not the only ones using it.

    Just like the traditional PayPal phish, the web page http://{BLOCKED}www.security-paypal.citymax.com/paypal_security.html asks the user to provide feedback on their shopping experience, requesting their name, e-mail address and PayPal password, as seen in Figure 1.

    Figure 1: Screenshot of bogus PayPal phishing Feedback page

    After that, a CAPTCHA image is shown and the user is required to enter the code it displays, ostensibly for spam prevention. The personal information the user has just entered, however, can be used to create bogus mail accounts, among other things.

    The phishing URL is already blocked by Trend Micro’s Smart Protection Network.
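    The following is an added example and not code from this post: two cheap gateway-side heuristics that would flag a page like the one described above. The sample URL uses the host named in the post (without the {BLOCKED} marker); the HTML form is constructed to match the post’s description (name, e-mail address, PayPal password, then a CAPTCHA) and is not a capture of the real page. The BRANDS allow-list and the function names are assumptions made for the example.

```python
"""Added example, not code from the TrendLabs post: two gateway-side
heuristics that would flag a page like the one described above.
The sample URL is the host named in the post; the HTML form is
constructed to match the post's description and is not a capture."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a short allow-list mapping a brand keyword to the registrable
# domain that legitimately owns it.  A real deployment would use a fuller list.
BRANDS = {"paypal": "paypal.com"}


def registrable_domain(host: str) -> str:
    """Last two labels of the host.  Naive on purpose; use the Public Suffix
    List in production so 'example.co.uk' is not reduced to 'co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def brand_mismatch(url: str):
    """Return the brand keyword found in the hostname when the page is not
    hosted under that brand's own domain, e.g. 'paypal' for
    security-paypal.citymax.com; None otherwise."""
    host = (urlparse(url).hostname or "").lower()
    base = registrable_domain(host)
    for brand, legit in BRANDS.items():
        if brand in host and base != legit:
            return brand
    return None


class FormScanner(HTMLParser):
    """Collect just enough from the markup to recognise a credential form
    dressed up with a CAPTCHA."""

    def __init__(self):
        super().__init__()
        self.forms = 0
        self.password_inputs = 0
        self.captcha_image = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.forms += 1
        elif tag == "input" and a.get("type", "").lower() == "password":
            self.password_inputs += 1
        elif tag == "img" and "captcha" in a.get("src", "").lower():
            self.captcha_image = True


def phishing_indicators(url: str, html: str) -> list:
    """Human-readable reasons the page looks like a phish (empty = none found)."""
    scanner = FormScanner()
    scanner.feed(html)
    reasons = []
    brand = brand_mismatch(url)
    if brand:
        host = urlparse(url).hostname or ""
        reasons.append(f"'{brand}' in hostname but page is served under {registrable_domain(host)}")
    if scanner.forms and scanner.password_inputs:
        reasons.append("form collects a password")
        if scanner.captcha_image:
            reasons.append("CAPTCHA attached to the credential form (adds a veneer of legitimacy)")
    return reasons


# Constructed sample input mirroring the post's description.
SAMPLE_URL = "http://www.security-paypal.citymax.com/paypal_security.html"
SAMPLE_HTML = """
<h2>Tell us about your shopping experience</h2>
<form action="submit.php" method="post">
  Name: <input name="name"><br>
  E-mail address: <input name="email"><br>
  PayPal password: <input type="password" name="pw"><br>
  <img src="captcha.php" alt="enter the code"> <input name="captcha_code"><br>
  <input type="submit" value="Send feedback">
</form>
"""

if __name__ == "__main__":
    for reason in phishing_indicators(SAMPLE_URL, SAMPLE_HTML):
        print("-", reason)
```

    The CAPTCHA check is deliberately only a modifier: a CAPTCHA on a login form is normal, so it raises the score only when the brand-in-hostname mismatch or the credential form is already present.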



    Twitter suffered service problems from an attack on Thursday.

    Users of the micro-blogging service Twitter are used to seeing the “fail whale”, a graphic that appears when the service’s capacity is overloaded. During the denial-of-service (DoS) attack, however, the site was left completely unreachable for around 90 minutes. In an attack of this kind, the attacker floods the servers with far more requests than they can handle, often from a herd of infected computers. A terse message on the site’s status blog said it was down; a while later it added, “We are defending against a DoS attack and will update our status again shortly.”

    Facebook and other social networking sites also appeared to suffer glitches during Twitter’s outage, since Twitter runs applications through these sites, which led to speculation that the problems were related.

    This is not the first time that Twitter has fallen prey to cybercriminal attacks. The following blog posts point out just some of the recent attacks on the site:

    Because Twitter is one of the fastest-growing Internet companies today, it is not surprising that companies use its services to learn more about prospective employees and to keep in touch with clients. In fact, Twitter’s number of unique visitors worldwide reached 44.5 million in June, up 15-fold year over year, according to comScore data. Companies that rely heavily on the site’s services may therefore have incurred losses from this most recent attack.

    There is also speculation that the attack was not a botnet-style distributed DoS (DDoS). According to The Register, the torrent of traffic that brought the site down came from myriad people clicking, at the same time, a link in spammed messages referencing a well-known blogger called Cyxymu. The messages contained links to Cyxymu’s Twitter, Facebook, LiveJournal, and YouTube accounts, all of which were reported to have received abnormal amounts of traffic. The theory was backed by an article from CNET News, which quoted Facebook’s chief security officer as saying that the attacks targeting multiple websites all contained traffic linking to accounts held by Cyxymu.

    A few days after the attack, several theories as to who and what were behind the Twitter attack surfaced. But the prevailing theory, according to Brian Krebs, “suggests that the outage was due to a cyber skirmish stemming from simmering tensions between Russia and Georgia.”

    News sites CNET News and CNN opine that “the outage at Twitter (and to a lesser extent Facebook and LiveJournal) was due to an effort to silence an anti-Russian blogger from Tbilisi who has been calling attention to a recent resurgence of tensions in the region.”



    A Domain Name System (DNS)-changing Trojan targeting Macs is currently making the rounds disguised as a MacCinema installer (detected by Trend Micro as OSX_JAHLAV.D). It is the latest variant in the JAHLAV family, following OSX_JAHLAV.C, which was identified in June.

    The Trojan poses as a QuickTime Player update with the file name QuickTimeUpdate.dmg. As with its earlier variants, users are prompted to download the malware when trying to view certain online videos on .com domains that all resolve to the IP address 91.214.45.73, such as:

    • allincorx
    • bigdron
    • cikaredo
    • civilizxx
    • comeandtryx
    • deribrowns
    • draxxtermania
    • givendream
    • hitrowzone
    • jumborad
    • ltdkeeper
    • operationelx
    • oxxadox
    • paxxtiger
    • rednetx
    • rstdeals
    • simplexdoom
    • sinisteer
    • tdenuwas
    • tniredrum
    • ufapeace

    Once infected, the victim’s Web traffic can be diverted to websites of the attacker’s choosing.

    The Trojan contains component files detected as UNIX_JAHLAV.D and obfuscated scripts detected as PERL_JAHLAV.F. The Perl script downloads a file from a malicious site and stores it as /tmp/{random 3 numbers}; this file, detected as UNIX_DNSCHAN.AA, allows a malicious user to monitor the affected user’s activities, and it may also redirect the user to phishing sites or to sites from which other malware is downloaded.

    Trend Micro Advanced Threats Researcher Feike Hacquebord notes that the domain names have been set up so that when the main IP address goes down or is taken down, the cybercriminals can easily move the backend to another IP address without changing any code or scripts.

    Mac users would do well to stay away from the above-mentioned domains and IP address, and to be wary of prompts to download software updates that do not come from Apple’s legitimate website.

    Mac users are protected by the Smart Protection Network through Trend Micro Security for Mac and Smart Surfing for Mac.
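    The following is an added example and not code from this post or from Trend Micro: three host-side checks built from the indicators above, namely the many-domains-one-IP hosting pattern Feike Hacquebord describes, the /tmp/{random 3 numbers} drop name given for UNIX_DNSCHAN.AA, and the resolver settings a DNS changer has to alter. The A records, the /tmp listing and the `networksetup -getdnsservers` output are constructed sample data so the block runs offline; the four domain names are labels from the post’s list with the .com suffix the post mentions, and the decoy domains, decoy IPs and function names are assumptions made for the example.

```python
"""Added example, not code from the TrendLabs post: host-side checks built
from the indicators in the write-up.  The resolver answers, the /tmp listing
and the networksetup output are constructed sample data so the block runs
offline; swap in real lookups (socket.gethostbyname, os.listdir('/tmp'),
`networksetup -getdnsservers Wi-Fi` on macOS) to use it on a live machine."""
import ipaddress
import re
from collections import defaultdict

# Constructed A records: four labels from the post's list with the .com suffix
# the post mentions, all pointing at the IP it names, plus two benign decoys
# on documentation-range addresses (assumption: these decoys are ours).
SAMPLE_A_RECORDS = {
    "allincorx.com": "91.214.45.73",
    "bigdron.com": "91.214.45.73",
    "cikaredo.com": "91.214.45.73",
    "deribrowns.com": "91.214.45.73",
    "news.example": "198.51.100.7",
    "shop.example": "203.0.113.9",
}


def shared_ip_clusters(records: dict, min_domains: int = 3) -> dict:
    """Invert domain->IP and keep IPs fronting many unrelated domains.  Each
    cluster is a set an operator can block as a unit; if the backend moves,
    re-resolving the same domains reveals the new IP without new indicators."""
    by_ip = defaultdict(list)
    for domain, ip in records.items():
        by_ip[ip].append(domain)
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) >= min_domains}


# /tmp/{random 3 numbers}: the drop-name pattern the post gives for UNIX_DNSCHAN.AA.
TMP_DROP_RE = re.compile(r"^\d{3}$")


def suspicious_tmp_entries(names) -> list:
    """Entries in a /tmp listing whose name is exactly three digits."""
    return sorted(n for n in names if TMP_DROP_RE.match(n))


def unexpected_dns_servers(networksetup_output: str, allowed) -> list:
    """Parse `networksetup -getdnsservers <service>` output (one address per
    line, or a sentence when none are set) and return configured resolvers
    that are not in the operator's allow-list.  A DNS changer has to leave its
    own resolver here or in /etc/resolv.conf, so this is the cheapest place to look."""
    found = []
    for line in networksetup_output.splitlines():
        line = line.strip()
        try:
            ipaddress.ip_address(line)
        except ValueError:
            continue  # e.g. "There aren't any DNS Servers set on Wi-Fi."
        found.append(line)
    return sorted(s for s in found if s not in set(allowed))


# Constructed sample data for the other two checks.
SAMPLE_TMP = ["com.apple.launchd.abc", "483", "017", "installer.log", "1234"]
SAMPLE_NETWORKSETUP = "192.168.1.1\n203.0.113.5\n"

if __name__ == "__main__":
    for ip, domains in shared_ip_clusters(SAMPLE_A_RECORDS).items():
        print(f"{ip} fronts {len(domains)} domains: {', '.join(domains)}")
    print("suspicious /tmp entries:", suspicious_tmp_entries(SAMPLE_TMP))
    print("unexpected resolvers:", unexpected_dns_servers(SAMPLE_NETWORKSETUP, {"192.168.1.1"}))
```

    Blocking by the cluster rather than by the single IP matters here: since the domains are the stable part of the infrastructure and the IP is the disposable part, a periodic re-resolution of the cluster’s domains is what catches the backend after it has moved.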

    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice