Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    August 2015
    S M T W T F S
    « Jul    
  • Email Subscription

  • About Us

    Author Archive - Jovi Umawing (Technical Communications)

    Coming May 11, Tuesday, Microsoft will be releasing its monthly patch updates, and last Thursday, the company released an advance notification in its Microsoft TechNet site for the updates. Note that these advanced notifications aim to allow Microsoft users to make deployment plans ahead of time. It commonly contains a summary of the security updates or patches, certain software they affect, and severity levels of the covered vulnerabilities for a particular month.

    For the month of May, Microsoft informed its users that two security bulletins, with the maximum severity rating of Critical, will be released. Such a rating means that, once exploited, the vulnerabilities covered in the bulletins could enable the propagation of malware over the Internet without user involvement. Since Microsoft can issue proper bulletin identifiers (in the familiar MSyy-xxx format) only every Patch Tuesday release, let us simply call the bulletins Bulletin 1 and Bulletin 2.

    Bulletin 1 affects the following Microsoft Windows operating systems:

    • Windows 2000
    • Windows XP
    • Windows Server 2003
    • Windows Vista
    • Windows Server 2008
    • Windows 7
    • Windows Server 2008 R2

    On the other hand, Bulletin 2 affects Microsoft Office Suites and Microsoft Visual Basic for Applications.

    Note, however, that the recently released advisory regarding a Microsoft SharePoint vulnerability will not be covered in the Tuesday release. Despite this, Trend Micro Deep Security™ and Trend Micro OfficeScan™ already protect business users against this particular vulnerability via the Intrusion Defense Firewall (IDF) plug-in if their systems are updated with the IDF rule numbers 1000552 and 1004130. Note that the former rule number had been released initially on July 2006 and updated continuously since then while the later was set to be released on May 11.


    With the 2010 FIFA World Cup less than two months away, cybercriminals (as expected) are banking on this prestigious international football event to trick users. TrendLabsSM spotted the latest threat involving this, and it came in the form of an email message currently being spammed in the wild.

    Click for larger view Click for larger view

    The spam carried a .PDF file attachment which was found to contain details about the lottery the recipient allegedly won. It also instructed the recipient to give out personal information and send them to the contact person or email sender before the prize could be claimed.

    What was interesting about the purported sender of the email—one Mrs. Michelle Matins, Executive Vice Presidentwas also the signatory for the 419 scam, aka the Nigeria scam

    Click for larger view

    Some samples retrieved were noticably free from attachments, and they were puportedly sent by a certain FIFA Vice President named Geoff Thompson. Further investigation revealed that “he,” too, was related to an old scam.

    TrendLabsSM documented the very first spam attack banking on the 2010 FIFA World Cup back in early 2009—a good 18 months before the actual event takes place. The spam involved then was about the recipient winning the online lottery.

    Trend Micro™ Smart Protection Network™ protects users from this kind of attack by blocking spam before they reach inboxes via the email reputation service. Users should be wary of more of these kinds of attacks or variants of these attacks as the sports event draws closer. CNN says that the 2010 World Cup is the first of the “social media age” and thus the world may see record levels of global interactivity surrounding the event.

    Posted in Spam | TrackBacks (4) »

    .PDF files—or their inherent features—have been used by cybercriminals in some of the most noteworthy attacks we have encountered. Modified versions of this file type have been especially notorious these past few months since they are capable of attacking user systems by initially exploiting inherent vulnerabilities found in Adobe Reader and Acrobat. TrendLabsSM has documented a number of these attacks:

    A newly spotted malformed .PDF was found to also attack flaws found in the aforementioned Adobe software products; however, this kind of .PDF contained an object that was embedded within itself using FlateDecode and ASCII85Decode, two common filters used in .PDF files to filter images before compressing them. This object turned out to be an Extensible Markup Language (XML) file bearing a malicious Tagged Image File Format (TIFF) file.

    Trend Micro detects the .PDF file as TROJ_PIDIEF.AAL. It can exploit the following vulnerabilities:

    Once these vulnerabilities are exploited, this Trojan connects to several URLs to download files, which were also found to be malicious. Trend Micro detects these downloaded files as TROJ_DNSCHANG.XT and TROJ_FRAUDPAC.QL.

    Trend Micro protects users via the Smart Protection Network™, which blocks access to all malicious URLs via the Web reputation service and detects all related malware via the file reputation service.


    Regular Release for Microsoft This April

    April 13 is here and for Windows users, this means it is Patch Tuesday. According to the advance notification from Microsoft almost a week ago, the company will be releasing 11 bulletins to address 25 vulnerabilities, 11 of which have been dubbed “critical.” These vulnerabilities were found in Microsoft Office and Windows. Affected users could be exposed to remote code execution attacks if they leave their software unpatched.

    Included in this Patch Tuesday release are patches for the following notable vulnerabilities:

    Trend Micro has documented these vulnerabilities in the following respective posts:

    Adobe Automates Updates

    The same day Microsoft’s patches are released, Adobe will also issue a patch that can address several high-risk vulnerabilities found in Adobe Reader and Acrobat. The patch will be deployed without actual user download and installation. Adobe will release the patch alongside an automatic (silent) updater software, which the company hopes will make downloading and patch deployment a breeze. The said updater can be used by Adobe Reader and Acrobat 9.3.2 and 8.2.2 users for both Windows and Mac OS X.

    Windows users of the said software and versions can activate the silent updater by visiting the Preferences setting under the Updater category and choosing option 2: “Automatically download updates, but let me choose to install them.”

    In 2009, ZDNet released an article about silent patching being the best solution to securing users’ Internet browsers. Please refer here for the complete article.

    To Be Silent or Not to Be Silent

    Security specialists, on the other hand, are not keen on advising silent patching as the best practice to adhere to for enterprise users. The need to have a scheduled patch release, for them, is still a must. “Patching in enterprises is a serious issue. Auto updates are generally not used by administrators because patching can make systems unstable, cause software to have compatibility and performance issues, and the like. They like to test updates first then patch systems in a phased manner,” says Trend Micro researcher Rajiv Motwani.

    This is not to say that there are no positive points on silent updating. In fact, there are several. By simply letting the software quietly update itself once patches are available, users will not be disrupted from their work to do something they consider as tedious and time-consuming. Furthermore, auto updating also helps ensure that most users are secure at any time.

    However, Motwani stresses that there is a downside to it. He explains, “If a flaw is discovered in patching mechanisms and a malicious patch is somehow issued, more customers will be affected. An example was the recent bug in Adobe Download Manager (ADM) wherein any user having ADM could be forced to install software from Adobe’s website because of a design flaw.” More on the story on ADM here.

    A security specialist commented that it is imperative that software companies disclose information regarding security holes found in their software for the sake of their customers.

    “I hope Adobe continues to release security notifications/advisories so that administrators who do not use auto updates can properly prioritize patches. Also, they should continue to disclose the CVEs of all vulnerabilities being patched and none should be silently patched,” Motwani concluded.

    Update as of April 14, 2010, 5:13 a.m. (GMT +8:00):

    Microsoft released the security update that resolves the 25 reported vulnerabilities. Users are advised to download the updates in this security bulletin.

    Update as of April 28, 2010 3:00 p.m. (GMT+8:00):

    Microsoft has rereleased MS10-025 to address a specific vulnerability found only on units running Windows 2000 using a nondefault configuration with Windows Media Services. This bulletin addresses the flaw that allows remote code execution once an attacker sends a specially crafted transport information packet. Microsoft advised users using the said configuration to install the rereleased update.


    Researchers from Microsoft recently unearthed exploits targeting the CVE-2010-0188 vulnerability.

    On February 16, Adobe released a security advisory describing a vulnerability in Adobe Reader and Acrobat 8.X and 9.X. Once the vulnerability is exploited, attackers gain the capability to perform denial-of-service (DoS) attacks on affected systems. Doing so can cause applications and even systems to crash. Attackers can also execute arbitrary code on affected systems.

    Trend Micro detects the exploit binary as TROJ_PIDIEF.EXP, a specially crafted .PDF file. It belongs to a family of known exploits that target Adobe Acrobat and Reader vulnerabilities. This family is also capable of dropping other malicious files such as spyware and backdoors onto affected systems.

    Users are advised to update to the latest versions of the aforementioned Adobe products to secure their systems from attacks related to this vulnerability.

    Trend Micro™ Smart Protection Network™ protects product users from this threat by detecting and executing the malicious file via the file reputation service.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice