DarkFiber Consulting – IT Managed Services

Airline E-ticket Email Attack

July 31st, 2008 . by DarkFiber Consulting

DarkFiber Consulting is aware of public reports indicating that a new email attack is circulating. This attack uses email messages that appear to be from legitimate airlines and contain information about a bogus e-ticket. These email messages instruct the user to open the attachment to obtain the e-ticket. If a user opens this attachment, a file may be executed to infect the user’s system with malicious code.

Reports, including a posting by Sophos, indicate that these messages have the following characteristics. Please note that these attributes may change at any time.

  • The subject line “E-Ticket#XXXXXXXXXX”
  • An attachment named “eTicket#XXXX.zip”

DarkFiber Consulting encourages users and administrators to take the following preventative measures to help mitigate the security risks:

AVG Releases Update

July 31st, 2008 . by DarkFiber Consulting

AVG has released version 8.0.156 to address multiple issues. Some of these issues could allow an attacker to cause a crash, resulting in a denial-of-service condition. This version also reduces the amount of incidental traffic generated by the program when searching on particular websites.

DarkFiber Consulting encourages users to review the AVG Program update and apply any necessary updates to help mitigate the risks.

New Storm Worm Activity Spreading

July 29th, 2008 . by DarkFiber Consulting

DarkFiber Consulting is aware of public reports of a new Storm Worm Campaign. The latest campaign is centered around messages related to the Federal Bureau of Investigation and Facebook. This Trojan horse virus is spread via an unsolicited email message that contains a link to a malicious website. This website contains a link, that when clicked, may run the executable file “fbi_facebook.exe” to infect the user’s system with malicious code.

Reports, including a posting by Sophos, indicate the following email subject lines are being used. Please note that subject lines can change at any time.

  • F.B.I. may strike Facebook
  • F.B.I. watching us
  • The FBI’s plan to “profile” Facebook
  • The FBI has a new way of tracking Facebook
  • F.B.I. are spying on your Facebook profiles
  • F.B.I. busts alleged Facebook
  • Get Facebook’s F.B.I. Files
  • Facebook’s F.B.I. ties
  • F.B.I. watching you

DarkFiber Consulting encourages users and administrators to take the following preventative measures to help mitigate the security risks:

Oracle Releases Security Advisory for WebLogic Plug-in Vulnerability

July 29th, 2008 . by DarkFiber Consulting

Oracle has released a Security Advisory to address a vulnerability in the WebLogic plug-in for Apache. Exploitation of this vulnerability may allow a remote, unauthenticated attacker to compromise the confidentiality or integrity of WebLogic Server applications or cause a denial-of-service condition. The advisory indicates that exploit code for this vulnerability is publicly available.

DarkFiber Consulting encourages users to review the Oracle Security Advisory and implement the workarounds listed in the document to help mitigate the risks. At this time, a patch or update is not available.

DarkFiber Consulting will provide additional information as it becomes available.

RealPlayer Releases Update

July 28th, 2008 . by DarkFiber Consulting

RealNetworks has released an update to address multiple vulnerabilities in RealPlayer. These vulnerabilities may allow an attacker to execute arbitrary code or obtain sensitive information. RealNetworks identifies the vulnerabilities as the following:

  • RealPlayer ActiveX controls property heap memory corruption.
  • Local resource reference vulnerability in RealPlayer.
  • RealPlayer SWF file heap-based buffer overflow.
  • RealPlayer ActiveX import method buffer overflow.

DarkFiber Consulting encourages users to review the RealNetworks advisory and apply the appropriate updates to help mitigate the risk.

U.S. Customs and Border Protection Email Attack

July 25th, 2008 . by DarkFiber Consulting

DarkFiber Consulting is aware of public reports of an attack circulating via bogus email messages that claim to be from “US Customs Service.” The messages may contain the subject line “Parcel requires declaration” and indicate that a parcel has been received addressed to the recipient of the email. These messages may also encourage users to open an attachment to the message that may contain malicious code.

DarkFiber Consulting encourages users to do the following to help mitigate the risks:

  • Review the alert posted by the U.S. Customs and Border Protection regarding this issue.
  • Do not open attachments contained in unsolicited email messages.
  • Refer to the Recognizing and Avoiding Email Scams (pdf) document for more information on avoiding email scams.
  • Refer to the Avoiding Social Engineering and Phishing Attacks document for more information on social engineering attacks.
  • Install anti-virus software and keep virus signature files up to date.

DarkFiber Consulting will provide additional information as it becomes available.

DNS Cache Poisoning Public Exploit Code Available

July 25th, 2008 . by DarkFiber Consulting

DarkFiber Consulting is aware of publicly available exploit code for a cache poisoning vulnerability in common DNS implementations. Exploitation of this vulnerability may allow an attacker to cause a nameserver’s clients to contact the incorrect, and possibly malicious hosts for particular services. As a result, web traffic, email and other important network data could be redirected to systems under the attacker’s control.

DarkFiber Consulting strongly urges administrators to patch affected systems immediately. Please review the following DarkFiber Consulting documents for further details:

DarkFiber Consulting will provide additional information as it becomes available.

NAT/PAT Affects DNS Cache Poisoning Mitigation

July 23rd, 2008 . by DarkFiber Consulting

DarkFiber Consulting released a Current Activity entry and a Vulnerability Note on July 8, 2008 regarding deficiencies in DNS implementations. These deficiencies could leave an affected system vulnerable to cache poisoning. Technical details regarding this vulnerability have been posted to public websites. Attackers could use these details to construct exploit code. Users are encouraged to patch systems or apply workarounds immediately.

A number of patches implement source port randomization in the name server as a way to reduce the practicality of cache poisoning attacks. Administrators should be aware that in infrastructures where nameservers exist behind Network Address Translation (NAT) and Port Address Translation (PAT) devices, port randomization in the nameserver may be overwritten by the NAT/PAT device and a sequential port address could be allocated. This may weaken the protection offered by source port randomization in the nameserver.

DarkFiber Consulting encourages users to consider one of the following workarounds:

  • Place the nameserver outside of the NAT/PAT device in the network infrastructure.
  • Configure the NAT/PAT device to perform source port randomization.
  • Configure the NAT/PAT device to preserve the source port assigned by the nameserver.

Additional information can be found in DarkFiber Consulting Vulnerability Note VU#800113.

More information will be provided as it becomes available.

Mozilla Releases Firefox 3.0.1

July 18th, 2008 . by DarkFiber Consulting

Mozilla has released Firefox 3.0.1 to address three vulnerabilities. Exploitation of these vulnerabilities may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition. One of these vulnerabilities may also affect Thunderbird and SeaMonkey. Two of these vulnerabilities were previously fixed in Firefox 2.0.0.16 as well; please see the DarkFiber Consulting Current Activity entry Mozilla Releases Firefox 2.0.0.16 for additional information.

DarkFiber Consulting encourages users to review the following Mozilla Foundation Security Advisories and upgrade to Firefox 3.0.1 or implement the workarounds provided in the documents to help mitigate the risks:

  • MFSA 2008-34 : Remote code execution by overflowing CSS reference counter
  • MFSA 2008-35 : Command-line URLs launch multiple tabs when Firefox not running
  • MFSA 2008-36 : Crash with malformed GIF file on Mac OS X

WordPress Releases Version 2.6

July 18th, 2008 . by DarkFiber Consulting

WordPress has released version 2.6 to address approximately 194 bugs, some of which may be security related.

DarkFiber Consulting encourages users to review the WordPress Blog entry related to the release of version 2.6 and upgrade to WordPress version 2.6 to help mitigate any risks.

« Previous Entries