Smokey's Security Weblog

veritas odium parit

Zango crapware is back: pushing somebody else’s popular software and bundling crap with it

Sunbelt Blog | January 29, 2010

Here’s something they don’t teach in marketing 101: If you’re pushing software that no one wants — like, say, annoying adware — and your downloads are going nowhere, what do you do?

Answer: you push somebody else’s popular software AND BUNDLE YOUR CRAP WITH IT!

Remember Zango? It was that irritating adware company that spent years and a million weasel words trying to make its operation seem legitimate. It was fined $3 million in 2006 by the U.S. Federal Trade Commission and it unsuccessfully sued anti-virus vendor Kaspersky in Federal Court in 2007 for calling the Zango malcode “malcode?” After several years of sagging revenue amidst a larger collapse of the adware industry, the company finally folded and sold its assets at fire sale prices last April.

The buyer, Pinball Publisher Network, is still distributing Zango and sadly enough it still offers users nothing of any value, which is why PPN offers Open Office, 7-Zip and Firefox bundled with it. PPN and its affiliates are simply trying to piggyback on those programs and in the process, leech from their value and good name.

Here’s what its fans get:

“Hotbar’s toolbar for IE, Outlook/Outlook Express and Word provides FREE access to premium content including weather, paid for by advertising. Based on keywords generated by your browsing, Hotbar shows ads in a separate browser window or a temporary Slider, and toolbar search suggestions. ShopperReports provides comparison shopping offers in a Sidebar. Both run continuously and update automatically. Uninstall easily via Add/Remove Programs.”

Thanks Sunbelt for informing us! My advice: stay far away from this Zango crapware, same is valid for Pinball Publisher Network. Don’t get be spammed with PPN’s crap…

Informative wikipedia article regarding the Zango crap: http://en.wikipedia.org/wiki/Zango_(company)

January 30, 2010 Posted by | Advisories, Alerts, Anti-Spyware, Malware, Recommended External Security Related Links, Toolbarware | , , , , , , , , , , , , , | Leave a comment

0-Day Extremely Critical Vulnerability in Internet Explorer Could Allow Remote Code Execution

Microsoft Security Advisory (979352)
Vulnerability in Internet Explorer Could Allow Remote Code Execution

Published: January 14, 2010 | Updated: January 15, 2010
Version: 1.1

Executive Summary

Microsoft is investigating a report of a publicly exploited vulnerability in Internet Explorer. This advisory contains information about which versions of Internet Explorer are vulnerable as well as workarounds and mitigations for this issue.

Our investigation so far has shown that Internet Explorer 5.01 Service Pack 4 on Microsoft Windows 2000 Service Pack 4 is not affected, and that Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4, and Internet Explorer 6, Internet Explorer 7 and Internet Explorer 8 on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2 are affected.

The vulnerability exists as an invalid pointer reference within Internet Explorer. It is possible under certain conditions for the invalid pointer to be accessed after an object is deleted. In a specially-crafted attack, in attempting to access a freed object, Internet Explorer can be caused to allow remote code execution.

At this time, we are aware of limited, active attacks attempting to use this vulnerability against Internet Explorer 6. We have not seen attacks against other affected versions of Internet Explorer. We will continue to monitor the threat environment and update this advisory if this situation changes. On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) and our Microsoft Security Response Alliance (MSRA) programs to provide information that they can use to provide broader protections to customers. In addition, we’re actively working with partners to monitor the threat landscape and take action against malicious sites that attempt to exploit this vulnerability.

Microsoft continues to encourage customers to follow the “Protect Your Computer” guidance of enabling a firewall, applying all software updates and installing anti-virus and anti-spyware software. Additional information can be found at Security at home.

Mitigating Factors:

• Protected Mode in Internet Explorer on Windows Vista and later Windows operating systems limits the impact of the vulnerability.
• In a Web-based attack scenario, an attacker could host a Web site that contains a Web page that is used to exploit this vulnerability. In addition, compromised Web sites and Web sites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to visit these Web sites. Instead, an attacker would have to convince users to visit the Web site, typically by getting them to click a link in an e-mail message or Instant Messenger message that takes users to the attacker’s Web site.
• An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
• By default, Internet Explorer on Windows Server 2003 and Windows Server 2008 runs in a restricted mode that is known as Enhanced Security Configuration. This mode sets the security level for the Internet zone to High. This is a mitigating factor for Web sites that you have not added to the Internet Explorer Trusted sites zone.
• By default, all supported versions of Microsoft Outlook, Microsoft Outlook Express, and Windows Mail open HTML e-mail messages in the Restricted sites zone. The Restricted sites zone helps mitigate attacks that could try to exploit this vulnerability by preventing Active Scripting and ActiveX controls from being used when reading HTML e-mail messages. However, if a user clicks a link in an e-mail message, the user could still be vulnerable to exploitation of this vulnerability through the Web-based attack scenario.

Affected Software

Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2 and Windows XP Service Pack 3
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service pack 2
Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Windows 7
Windows 7 for x64-based Systems
Windows Server 2008 R2 for x64-based Systems
Windows Server 2008 R2 for Itanium-based Systems
Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
Internet Explorer 6 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
Internet Explorer 6 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2
Internet Explorer 7 for Windows XP Service Pack 2 and Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
Internet Explorer 7 for Windows Server 2003 Service Pack 2, Windows Server 2003 with SP2 for Itanium-based Systems, and Windows Server 2003 x64 Edition Service Pack 2
Internet Explorer 7 in Windows Vista, Windows Vista Service Pack 1, Windows Vista Service Pack 2, Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
Internet Explorer 7 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Internet Explorer 7 in Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Internet Explorer 7 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Internet Explorer 8 for Windows XP Service Pack 2, Windows XP Service Pack 3, and Windows XP Professional x64 Edition Service Pack 2
Internet Explorer 8 for Windows Server 2003 Service Pack 2, and Windows Server 2003 x64 Edition Service Pack 2
Internet Explorer 8 in Windows Vista, Windows Vista Service Pack 1, Windows Vista Service Pack 2, Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
Internet Explorer 8 in Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
Internet Explorer 8 in Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Internet Explorer 8 in Windows 7 for 32-bit Systems
Internet Explorer 8 in Windows 7 for x64-based Systems
Internet Explorer 8 in Windows Server 2008 R2 for x64-based Systems
Internet Explorer 8 in Windows Server 2008 R2 for Itanium-based Systems

Non-Affected Software

Internet Explorer 5.01 Service Pack 4 for Microsoft Windows 2000 Service Pack 4

Revisions

• V1.0 (January 14, 2010): Advisory published
• V1.1 (January 15, 2010): Revised Executive Summary to reflect invesigation of limited targeted attacks. Added Data Execution Protection (DEP) information to Mitigating Factors section. Updated “How does configuring the Internet zone security setting to High protect me from this vulnerability?” in the Frequently Asked Questions section.

Related:

The Microsoft Security Response Center (MSRC) – Security Advisory 979352 Released
The Microsoft Security Response Center (MSRC) – Advisory 979352 Updated

This is a serious vulnerability, and should be rated as ‘extremely critical’

January 15, 2010 Posted by | Advisories, Alerts, News, Recommended External Security Related Links, Vulnerabilities | , , , , , , , , , , , , , | Leave a comment

Spamassasin Y2K10 Rule Bug – Update Your Rules Now!

The Apache SpamAssassin Project – 2010-01-01

Versions of the FH_DATE_PAST_20XX rule released with versions of Apache SpamAssassin 3.2.0 thru 3.2.5 will trigger on most mail with a Date header that includes the year 2010 or later. The rule will add a score of up to 3.6 towards the spam classification of all email. You should take corrective action immediately; there are two easy ways to correct the problem:

– If your system is configured to use sa-update run sa-update now. An update is available that will correct the rule. No further action is necessary (other than restarting spamd or any service that uses SpamAssassin directly).

– Add “score FH_DATE_PAST_20XX 0” without the quotes to the end of your local.cf file to disable the rule.

If you require help updating your rules to correct this issue you are encouraged to ask for assistance on the Apache SpamAssassin Users’ list. Users’ mailing list info is here.

On behalf of the Apache SpamAssassin project I apologize for this error and the grief it may have caused you.

Regards,

Daryl C. W. O’Shea

VP, Apache SpamAssassin

January 2, 2010 Posted by | Advisories, Alerts, Downloads, Recommended External Security Related Links | , , , , , , | Leave a comment