Following last month’s 12-bulletin release, which included two zero-day patches, today’s Patch Tuesday release is relatively light. Microsoft only released three bulletins to resolve four vulnerabilities affecting Microsoft Windows and Microsoft Office.

Only one bulletin, which resolves vulnerabilities in DirectShow, Windows Media Player, and Windows Media Center,  has been rated “critical.” The other two bulletins have been rated “important. “ All three bulletins resolve vulnerabilities that can allow remote attackers to execute malicious code on vulnerable machines.

It is worth noting, however, that the MHTML vulnerability missing from last month’s release remains unpatched. Microsoft continues to offer workaround solutions on how to keep systems safe from possible attacks leveraging this vulnerability.

To keep systems up-to-date, users are advised to visit the related Microsoft pages. For enterprise users, we offer specific solutions to deal with vulnerabilities. Both Deep Security and OfficeScan with Intrusion Defense Firewall (IDF) plug-in have existing rules that protect users from the vulnerabilities patched in this month’s release as well as the said MHTML flaw.

One of the primary points raised in this year’s RSA Conference is that mobile threats are as real and pressing as other industry issues today. Amid heated discussions over cloud security, several sessions were spent on reviewing the threats to mobile security and on laying out concrete steps so we can defend our mobile lives.

The Ugly Truth Behind Mobile Security

Mobile threats have been around for years, dating back to when mobile phones first became popular. Earlier versions of mobile malware were primitive in the sense that they neither used encryption nor social engineering tactics. Over time, however, mobile malware proliferators improved on their techniques to ensure their profitability.

Interestingly, despite the emergence of more complex threats at a time when smartphones are changing the mobile landscape such as increasing mobile email use, basic SMS malware still exist. The reason for this is simple—cybercriminals are still making money out of SMS malware. Denis Maslennikov’s presentation revealed that 40–67 percent of the revenue goes to affiliates who invest a relatively small amount to be able to engage in malicious schemes. With infected users losing as much as US$1.2 million per month because of these threats, it’s easy to see why these threats continue to proliferate.

Read the rest of this entry »

A year after the much-hyped April 1st D-day for DOWNAD/Conficker, the world can only hope that it has heard the last of the notorious network worm. As we have seen, DOWNAD variants have effectively infected millions of systems and paralyzed networks in just a matter of months. And while there seems to be very little news on DOWNAD recently, users are still advised to adhere to best computing practices and to implement necessary preventive measures.

As a timely reminder of the extent of this network worm’s capabilities, here is a rundown of the important things we need to remember about DOWNAD.

• DOWNAD can infect an entire network through a single machine. In most cases, all it takes is a single unpatched system for the worm to infect an entire network. It is thus crucial that each and every system is updated with the appropriate patch for the Microsoft OS vulnerability exploited by each threat.
• DOWNAD can attack in more ways than one. There are several ways by which a system—and consequently an entire network—can get infected by DOWNAD. It may arrive via a malicious URL, a spammed message, or a removable drive. WORM_DOWNAD.AD is currently the only variant capable of propagating via removable drives. Unfortunately, this means that a system does not even need to have an Internet or a network connection to become infected, as the worm may arrive through an infected USB.
• Change is but constant for DOWNAD. The DOWNAD variants discovered in 2009 had several code changes, as evidenced by differences in registry changes made by each variant. This just shows that DOWNAD is constantly being updated and refined, revealing a sophisticated cybercrime/malware writing group behind it.
• A huge leap for DOWNAD. The significant increase in the number of domains DOWNAD variants can generate proves the extent of the improvements made on the worm. The number increased from only 250 domains with WORM_DOWNAD.A and WORM_DOWNAD.AD to as many as 50,000 with WORM_DOWNAD.KK.

These are just some of the reasons why DOWNAD became one of TrendLabs’ most persistent threats in 2009. Unfortunately, these same traits can pave the way for a DOWNAD comeback.

Trend Micro™ Smart Protection Network™ continues to protect users from all known variants of DOWNAD/Conficker in real-time by blocking access to identified malicious sites and domains as well as by detecting and preventing the download of malicious files.

The firewall modules available in desktop products likewise prevent the DOWNAD/Conficker from spreading in a network. Moreover, applying the Trend Micro Deep Security solution assures protection on servers and clients against this particular and other network attacks.

Apple Fixes Several Bugs

Releasing one of its biggest Mac OS X security updates, Apple fixes 88 vulnerabilities with Security Update 2010-002/Mac OS X v10.6.3. The update addresses critical issues that can lead to arbitrary code execution, information disclosure, and denial-of-service (DoS) attacks.

One of the critical fixes included is the solution for the AppKit issue, which can lead to an unexpected application termination or arbitrary code execution when spell-checking maliciously crafted documents. The update likewise includes fixes for several critical ImageIO and QuickTime bugs.  Mac OS X users are thus advised to immediately download and install the security update.

Microsoft Releases an Out-of-Band Patch

Microsoft, for its part, recognizes the immediate need to provide a solution for CVE-2010-0806 and has announced the impending release of an out-of-band patch via Security Bulletin MS10-018. The said release will primarily solve issues surrounding the zero-day Internet Explorer (IE) vulnerability affecting IE 6 and 7.

Since it first became public, cybercriminals have exploited the zero-day vulnerability. These exploits have led to malware detections, including several malicious JavaScript files (JS_SHELLCODE.CD, JS_SHELLCOD.JDT, JS_ COSMU.A, and JS_SHELLCODE.YY). The final payload of which are TSPY_GAMETI.WOW and TROJ_GAMETHI.FNZ, which both lead to game-related information theft.

The advance notification also stated that the out-of-band patch will be a cumulative update for IE. Apart from the critical zero-day patch, the update will likewise address nine other vulnerabilities, some of which also affect IE 8.

The patch is slated for release on March 30, 2010 at approximately 10:00 a.m. PDT (UTC-8). The primary workaround for CVE-2010-0806 is to upgrade to IE 8, which remains unaffected by this particular zero-day vulnerability. However, the best practice is still applying the out-of-band patch as soon as it is released.

Trend Micro Solutions for Windows and Mac Users

Trend Micro Deep Security™ and OfficeScan™ continue to protect business users from the this particular IE zero-day exploit via the Intrusion Defense Firewall (IDF) plug-in if their systems are updated with the IDF10-011 release, rule number IDF10011.

Trend Micro™ Smart Protection Network™ likewise protects product users from this threat by preventing users from accessing sites hosting JS_SHELLCODE.CD, JS_SHELLCOD.JDT, JS_SHELLCODE.YY, and JS_COSMU.A. It also prevents the download and execution of malicious files such TROJ_INJECT.JDT, TROJ_SASFIS.VR, TROJ_DLOADR.VR, TSPY_GAMETI.WOW, TROJ_DROPPR.FNZ, and TROJ_GAMETHI.FNZ via the file reputation service.

Update as of March 31, 2010, 11:30 a.m. (GMT +8:00):

Microsoft released a security update that resolves nine reported vulnerabilities and one unreported vulnerability in IE. The update also addresses the CVE-2010-0806 vulnerability. Affected users are advised to download the updates from this security bulletin.

As alternative browsers battle for the top spot in the market, they also face the challenge of staying secure due to the increased demand for them to provide users a safe computing experience.

Several popular browsers were recently found to have significant security flaws. Topping the list was Internet Explorer (IE), which was found to have two separate security vulnerabilities in March alone.

Firefox likewise made headlines with its own security flaw, which was severe enough to prompt the German government to issue a warning against Mozilla. The vulnerability in question, however, has already been addressed with the recent release of Firefox 3.6.2.

Other browsers like Opera and Safari were also found to have their own flaws. Both of which, however, have already been patched. Well-known security expert Charlie Miller said he has more Safari zero-day flaws to publicly reveal, which is not good for Safari and Google Chrome, which use the same underlying WebKit rendering engine.

Trend Micro researcher Rajiv Motwani says, “Apart from the above-mentioned flaws, we cannot even begin to guess how many are currently being exploited in the wild. We also forget that a large number of users do not actually patch their systems.” He further adds that there are several reasons why users do not patch their systems. These include the nonavailability of a centralized automatic update system, a vendor-dependent patch release cycle, and the perception that a traditional antivirus software can protect them against all kinds of threats. Furthermore, the proliferation of malware posing as software patches further complicates matters by instigating doubt and hesitation among users.

Government steps such as the European Union (EU)-imposed browser ballots that provide greater browser selection may help users work around issues in specific browsers. However, Motwani stresses that changing browsers every time a new zero-day vulnerability is announced is impractical. He adds, “How is the user expected to keep track of zero-day and unpatched vulnerabilities? Also, with each browser being more vulnerable than the next, which is the safest option?”

In addition, enterprise users may require testing for performance impact, stability, and compatibility before they roll out patches. Hence, patching is likely to be delayed given the possible effects they may have. Instead of switching browsers on the fly, users should use updated versions of all security products and ensure that definitions are up-to-date at all times. It is also important to be wary of links, files, and downloadable data on social-networking sites and that come from unknown sources. Disabling scripting or, at least, regulating its use to trusted sites is also a good option to avoid falling prey to exploits that abuse script files.