Both Microsoft and Adobe recently released security bulletins for reported vulnerabilities on their respective products, with Microsoft issuing 3 advisories, and Adobe finally releasing a patch to a previously discussed vulnerability.

Microsoft released the following security bulletins–one critical and two important–addressing several vulnerabilities:

• (MS09-006) Vulnerabilities in Windows Kernel Could Allow Remote Code Execution (958690)
• (MS09-007) Vulnerability in SChannel Could Allow Spoofing (960225)
• (MS09-008) Vulnerabilities in DNS and WINS Server Could Allow Spoofing (962238)

Microsoft, however, has yet to release a security update for the Microsoft Office Excel vulnerability.

On the other hand, a security update to resolve the CVE-2009-0658 vulnerability was released by Adobe. The said vulnerability has been identified in Adobe Reader 9 and Acrobat 9, and earlier versions. It is an array-indexing error when processing a malformed JBIG2 stream within a PDF document. It then could allow attackers to cause a vulnerable application to crash and execute arbitrary code by tricking a user into opening a specially-crafted PDF file. It could potentially allow an attacker to take control of the affected system.

In addition to the above, Adobe is planning to prepare updates for Adobe Reader 7 and 8, and Acrobat 7 and 8 by March 18, 2009. It will also announced the release of Adobe Reader 9.1 for Unix, to be done on March 25.

For more information regarding this vulnerability, you may refer to the link below:

• Security Updates available for Adobe Reader 9 and Acrobat 9

Users are strongly advised to update their system with these latest patches.

Watch out! Cybercriminals, as expected, are jumping in the economic recession bandwagon.

Trust these fraudsters to take advantage of and cash in on the global recession. The Federal Trade Commission is warning against the boom of new online scams that promise government grants to aid cash-strapped consumers.

These include spammed email messages containing links to websites purported to provide information on how to qualify for the economic stimulus package. These sites download spyware into the affected user’s system instead.

Figure 1. Sample spammed message.

A number of malicious websites could also be posing as pages of government agencies, some complete with logos of various news networks, or even a photo of a smiling President Barack Obama urging users to claim their “free grant money.”

These sites promise free information on how to avail of the stimulus money in exchange for a user’s personal information, including name, employment status, salary range, and bank account details. These information are needed supposedly to gauge whether the prospective victim is qualified for a grant but in reality, scammers and phishers sell these stolen credentials in underground markets or use them to hack into bank and other online accounts.

The FTC is advising individuals who have divulged their personal and banking information to such sites to check their bills for unauthorized charges. Trend Micro continues to monitor the Web for recession-related threats as cybercriminals are expected to ride on the popularity of this global concern.