Smokey's Security Weblog

veritas odium parit

Corruption accusation: Rising AntiVirus in a bad spotlight

From Wired Blog:

The head of the internet monitoring department of Beijing’s Municipal Public Security Bureau was arrested on suspicion of taking more than RMB 40 million ($5.8 million) in bribes to help an anti-virus company defeat its competitor.

Yu Bing, whose bureau monitors e-mail and web usage in the country as part of China’s Great Firewall surveillance system, is accused of taking money from Rising, an anti-virus firm, to frame an executive at its competitor, Micropoint Technology. A vice president of Rising has been arrested as well under suspicion of bribing Yu.

Yu and fellow police officers allegedly manufactured evidence against Micropoint Vice President Tian Yakui proving that he spread computer viruses and broke into a computer system to steal trade secrets. Tian reportedly spent 11 months in prison on the charges, and Micropoint encountered three years of obstacles to launch its anti-virus software. Tian was targeted apparently because he was a former vice president at Rising who left the company with Rising’s former managing director to build Micropoint.

February 26, 2009 | Categories: Anti-Virus, Friends, News, Recommended External Security Related Links

0-Day Exploit Adobe Reader and Acrobat: extremely critical vulnerability

Security Bulletin

An extremely critical vulnerability has been identified in Adobe Reader 9 and Acrobat 9 and earlier versions. This vulnerability would cause the application to crash and could potentially allow an attacker to take control of the affected system.

There are reports that this issue is being exploited. Adobe is planning to release updates to Adobe Reader and Acrobat to resolve the relevant security issue. Adobe expects to make available an update for Adobe Reader 9 and Acrobat 9 by March 11th, 2009. Updates for Adobe Reader 8 and Acrobat 8 will follow soon after, with Adobe Reader 7 and Acrobat 7 updates to follow. In the meantime, Adobe is in contact with anti-virus vendors on this issue in order to ensure the security of our mutual customers.

Affected software versions: Adobe Reader 9 and earlier versions / Adobe Acrobat Standard, Pro, and Pro Extended 9 and earlier versions.

The malicious PDFs in the wild exploit a vulnerability in a non-JavaScript function call. However, they do use JavaScript to implement a heap spray for reliable code execution: the embedded JavaScript fills the heap with shellcode before the vulnerable code path is reached. Since this exploit relies on both JavaScript and non-JavaScript components, there are some potential reliability issues, which have led to confusion over which platforms are affected. Testing of the exploit on XP SP3 with Adobe Reader 8.1.1, 8.1.2, 8.1.3 and 9.0.0 shows that the vulnerability results in code execution on all of them. There may be cases where Adobe Reader crashes without code execution, especially on systems with more physical memory and faster processors. This is likely due to the race condition involved: the heap must be populated before certain data structures are parsed by Reader.

The exploit can be effectively mitigated by disabling JavaScript. In this scenario Adobe will still crash but the required heap spray will not occur and code execution is not possible. There may be a method for populating the heap with the necessary shellcode without JavaScript, however if such a technique exists I am not aware of it. As a general rule I like the idea of both disabling JavaScript in Adobe Reader and also flagging PDF documents containing JavaScript at perimeter devices.
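The perimeter check suggested above, flagging PDF documents that carry JavaScript, can be done without rendering the file at all. The following scanner is an added example written for this post; it is not code from the bulletin or from Adobe. It looks for the PDF name tokens that introduce script or auto-run actions (`/JavaScript`, `/JS`, `/OpenAction`, `/AA`), decodes the `#xx` hex escapes PDF allows inside names (so `/J#53` is still recognised as `/JS`), and also inflates FlateDecode streams so names hidden inside compressed object streams are scanned. The sample documents at the bottom are constructed for the demonstration; the function names are this example's own.

```python
import re
import zlib

# PDF name tokens worth flagging at a gateway: script bodies/references and
# the dictionary keys that make Reader run an action automatically.
SUSPICIOUS_NAMES = {
    b"/JavaScript": "JavaScript action",
    b"/JS": "inline or referenced script",
    b"/OpenAction": "action run when the document is opened",
    b"/AA": "additional (event-triggered) actions",
}

_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
_STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)
# A name ends at whitespace or a PDF delimiter; this stops /JS matching /JSX-like names.
_NAME_END = rb"(?=[\s/\[\]<>(){}%]|$)"


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes so obfuscated names (e.g. /J#53) compare as plain text."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def inflate_streams(data: bytes) -> bytes:
    """Return the concatenated plaintext of every stream zlib can inflate.
    Streams that are not Flate-compressed (or are damaged) are skipped."""
    out = []
    for m in _STREAM.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue
    return b"\n".join(out)


def scan_pdf(data: bytes) -> dict:
    """Count each suspicious name in the raw bytes plus inflated stream content.
    An empty dict means there is nothing to flag."""
    # Inflate from the raw bytes first; normalizing escapes inside compressed
    # data would corrupt it, so normalization is applied only afterwards.
    text = normalize_names(data + b"\n" + inflate_streams(data))
    hits = {}
    for name in SUSPICIOUS_NAMES:
        count = len(re.findall(re.escape(name) + _NAME_END, text))
        if count:
            hits[name.decode()] = count
    return hits


def should_flag(data: bytes) -> bool:
    """Policy used here: quarantine anything that contains script at all."""
    hits = scan_pdf(data)
    return "/JavaScript" in hits or "/JS" in hits


# Constructed sample: a minimal one-page document with no actions.
CLEAN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed sample: a harmless script that runs on open, with /JS written
# as the hex-escaped name /J#53 to show the normalization step at work.
JS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /JavaScript /J#53 (app.alert('hello')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""


def build_compressed_sample() -> bytes:
    """Constructed sample: the same action object, but inside a Flate stream."""
    inner = b"4 0 obj << /S /JavaScript /JS (app.alert('hello')) >> endobj"
    body = zlib.compress(inner)
    return (b"%PDF-1.5\n5 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body
            + b"\nendstream\nendobj\n%%EOF\n")


if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_PDF), ("js", JS_PDF),
                       ("compressed", build_compressed_sample())):
        print(label, scan_pdf(doc), "FLAG" if should_flag(doc) else "pass")
```

A real gateway filter would also have to handle encrypted documents, PDFs with several incremental updates, and filters other than FlateDecode; the point of the example is that the presence of script is visible from the name tokens alone, so the check can run on a mail relay or proxy long before the document reaches Reader.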

How to disable JavaScript in Adobe Acrobat (Reader):

Edit -> Preferences -> JavaScript -> uncheck "Enable Acrobat JavaScript"

February 21, 2009 | Categories: Advisories, Alerts, Friends, Malware, Recommended External Security Related Links, Vulnerabilities

OpenDNS Unveils Major Upgrades to Statistics System, Provides Botnet Protection Service and Actionable Network Insight

Leading DNS infrastructure and security provider OpenDNS announces new account statistics functionality, giving network administrators even more insight into network activity, and a new OpenDNS Botnet Protection feature, which is being used, for example, to fight the Conficker virus. OpenDNS services are free.

Feb 9, 2009 — San Francisco, CA — OpenDNS, provider of the award-winning service that makes the Internet safer, faster, smarter and more reliable, today announced a series of new functionalities for its robust network statistics system. OpenDNS network statistics are rich with data that provides network administrators insight into what is happening on their network, from traffic patterns to malware, coupled with tools to take action.

The enhancements to the OpenDNS statistics system include the addition of the much-anticipated Top Domains feature, which allows network administrators the ability to monitor all domains visited from within their network. Further, Top Domains is now integrated with the OpenDNS Web content filtering system, and provides the ability to manage blocking preferences directly from the Top Domains list. This new integration empowers network administrators to spot trends before they become problems and immediately take action, blocking Web sites or categories of Web sites appearing in their network statistics they deem inappropriate.

Also announced today is the new OpenDNS Botnet Protection feature, and its timely use to fight the Conficker virus. Conficker, also known as Downadup, uses a set of seemingly random domain names as a meeting place where the virus exchanges data with its author, such as how many new machines each host has brought into the botnet, or details of any code upgrades or attacks the owner wants to take place. These domain names are generated by an algorithm and change every day, which makes traditional countermeasures, such as revoking the domain registrations botnet authors use, ineffective. OpenDNS and leading anti-virus company Kaspersky Lab have teamed up to identify whether the virus has penetrated an OpenDNS user's network, and to stop resolving the domain names the virus is using. This effectively prevents the virus from causing damage, and the new OpenDNS stats system immediately alerts the network administrator.
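The mechanism described above, a resolver that refuses to answer for the day's rendezvous domains and reports which clients asked for them, is small enough to show end to end. The following is an added example written for this post, not OpenDNS or Kaspersky code: it takes a daily blocklist (placeholder domain names, constructed for the example; real lists would come from the algorithm's output for that date), runs constructed query-log lines through it, sinkholes any query whose name or parent domain is listed, and aggregates the hits per client so an administrator can see which hosts are calling home. The log format and function names are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed stand-in for a day's list of rendezvous domains. The names are
# placeholders; a real feed would contain the domains generated for that date.
BLOCKED_TODAY = {"qwzxcv.example", "plmoknijb.example", "rendezvous.example"}


@dataclass
class Alert:
    timestamp: str
    client: str
    qname: str
    matched: str   # the blocklist entry that covered the query


def normalize(domain: str) -> str:
    """Strip the trailing dot and fold case so 'QWZXCV.EXAMPLE.' matches."""
    return domain.rstrip(".").lower()


def is_blocked(qname: str, blocklist) -> Optional[str]:
    """Return the blocklist entry covering qname (exact or any parent domain),
    or None. A bare top-level label is never treated as a match."""
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def filter_queries(log_lines: Iterable[str], blocklist) -> Tuple[List[Tuple[str, str]], List[Alert]]:
    """Decide 'resolve' or 'sinkhole' for each query and collect an Alert for
    every sinkholed one. Log line format (assumed): '<timestamp> <client> <qtype> <qname>'."""
    answers: List[Tuple[str, str]] = []
    alerts: List[Alert] = []
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, _qtype, qname = line.split()
        hit = is_blocked(qname, blocklist)
        if hit is None:
            answers.append((qname, "resolve"))
        else:
            answers.append((qname, "sinkhole"))
            alerts.append(Alert(ts, client, normalize(qname), hit))
    return answers, alerts


def infected_clients(alerts: Iterable[Alert]) -> dict:
    """Count sinkholed queries per client: this is what the admin dashboard shows."""
    counts: dict = {}
    for a in alerts:
        counts[a.client] = counts.get(a.client, 0) + 1
    return counts


# Constructed query log: two internal hosts, three of the five lookups are
# for listed names (one upper-case, one a subdomain of a listed name).
SAMPLE_LOG = """\
# timestamp            client      type qname
2009-02-15T10:01:02 192.0.2.17 A www.opendns.com.
2009-02-15T10:01:05 192.0.2.17 A QWZXCV.EXAMPLE.
2009-02-15T10:01:09 192.0.2.23 A mail.example.net.
2009-02-15T10:02:11 192.0.2.17 A update.plmoknijb.example
2009-02-15T10:02:40 192.0.2.23 A rendezvous.example
"""


if __name__ == "__main__":
    answers, alerts = filter_queries(SAMPLE_LOG.splitlines(), BLOCKED_TODAY)
    for qname, decision in answers:
        print(f"{decision:9} {qname}")
    for client, n in infected_clients(alerts).items():
        print(f"ALERT: {client} asked for {n} listed domain(s) today")
```

Because the blocklist is keyed on the date, the same code works for every day's set of generated names; only `BLOCKED_TODAY` changes. Matching parent domains as well as exact names means a host that queries any label under a listed domain is still caught, and the per-client counts give the administrator a direct list of machines to clean up.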

“The OpenDNS stats system and its recent enhancements provide invaluable tools to those tasked with operating a network and spotting trends before they become problematic,” said OpenDNS Founder and CTO David Ulevitch. “To be able to see that a certain Web site – which consumes a disproportionate amount of bandwidth – is among the most visited, or that Conficker has managed to penetrate the network, is extremely helpful to any network administrator.”

About OpenDNS

OpenDNS is the leading provider of free security and infrastructure services that make the Internet safer through integrated Web content filtering, anti-phishing and DNS. OpenDNS services enable consumers and network administrators to secure their networks from online threats, reduce costs and enforce Internet-use policies. OpenDNS is used today by millions of users and organizations around the world. For more information about OpenDNS, please visit:

February 15, 2009 | Categories: Advisories, Anti-Virus, Downloads, Friends, Recommended External Security Related Links, Vulnerabilities