Wednesday, April 27, 2011

Google Chrome Stable 11 is released!

The Google Chrome team is happy to announce the arrival of Chrome 11.0.696.57 to the Stable Channel for Windows, Mac, Linux, and Chrome Frame. Chrome 11 contains some really great improvements including speech input through HTML.

Avira receives AV-Test.org certificate

Avira TechBlog: Great news – our Avira Premium Security Suite received the next AV-Test.org certificate, this time for the first quarter of 2011! The suite has thus achieved every AV-Test.org certificate issued since the certification process began. The certificate attests that the tested products show good quality in detection, repair and usability.

This means that users of the Avira Premium Security Suite can be assured to be well protected from the threats they face when using their computers on the Internet!

Sunday, April 24, 2011

Survey reveals Mac and PC people think differently

TUAW: According to the results of a massive survey by Hunch.com, Mac people are frequently young, vegetarian city-dwellers who like modern art, liberal politics, and independent films. Meanwhile, Windows supporters tend to be older, more conservative, and more likely to compare talking about computers to "struggling with a foreign language."

Whether you're collecting evidence for the Mac vs. Windows debate you have planned for the weekend or preparing for an appearance on Family Feud, Hunch's results offer some fun and fascinating insights into the tastes and habits of Mac and PC users, from what TV shows they watch to what snacks will best satisfy their afternoon munchies.

Started by Flickr co-founder Caterina Fake, Hunch provides visitors with personalized recommendations for just about everything from books and movies to cars, vacation spots, and colleges. Between March 2009 and April 2011, Hunch asked 388,315 of its visitors about their preferred computing platforms. Among the respondents (typically tech-savvy early adopters who may not represent a true cross section of the general public), 52% identified themselves as PC people while 25% said they were Mac aficionados. The rest declined to answer the question or didn't consider themselves loyal to any computing platform.

By combining this data with the results of over 80 million other responses to "Teach Hunch About You" questionnaires, Hunch found some interesting correlations between choice of operating system and a variety of other personal preferences. According to the overall results, Mac users tend to be hummus-gobbling vegetarian city-dwellers who enjoy fancy foods and art-house movies. Or perhaps hummus-gobbling vegetarian city-dwellers prefer Macs -- correlational data is tricky like that. What do you think? Do these results accurately reflect reality? Or do they falsely endorse long-standing stereotypes for Mac and PC fans? Discuss in the comments.

Wednesday, April 20, 2011

Vulnerabilities in Microsoft Office and OpenOffice compared

Since 2003, the number of exploitable vulnerabilities has fallen considerably in Microsoft's Office suite.

H-Online: Independently of each other, security specialists Dan Kaminsky and Will Dormann from Carnegie Mellon University's CERT have found that, in the past few years, the number of flaws and exploitable vulnerabilities in individual versions of Microsoft Office has fallen dramatically, achieving results that are even below those of OpenOffice. However, their findings should be treated with caution, as they are based on automatic evaluations and say little about the actual threat potential.

For their analyses, both researchers used fuzzing tools to create several thousand flawed .doc files, loaded them into the office products, and evaluated the results with Microsoft's "!exploitable Crash Analyzer" tool. Kaminsky and Dormann then proceeded to count the number of crashes and the flaws classified by Crash Analyzer as vulnerabilities that can, or can potentially, be exploited for attacks. However, the tool uses an automated mechanism to classify risks.

Dormann found that the number of crashes decreased steadily from Office XP through Office 2003 and 2007 to Office 2010. Reportedly, the number of exploitable holes also decreased continuously from seven to zero. The researcher only compared versions 3.2.1 and 3.30 RC7 of OpenOffice, and found that, while there was a fall in the number of crashes and exploitable flaws (from 18 to 15) between the products, the number was still considerably higher than that achieved by Microsoft Office.

Kaminsky's research yielded more drastic results: while Office 2003 was still found to contain 127 (potentially) exploitable holes, numbers reportedly dropped to 12 for Office 2007 and to seven for Office 2010. By comparison, the version of OpenOffice that was available in 2003 (version 1.1) reportedly contained 73 vulnerabilities, dropping to 62 in 2007 and to 20 in 2010.

Kaminsky and Dormann only offer conservative interpretations of their results. Kaminsky says that, in his view, the situation has improved considerably. Neither of the researchers makes a statement about the potential reasons for their findings. With Microsoft, the introduction of the Software Development Lifecycle is likely to have played a major role, as the vendor has established specific processes and tools for increasing its product security in this context.

However, it would be a mistake to read too much into the results. For instance, they appear to vary greatly between similar tests, and Microsoft's products are currently still a far more popular attack target than OpenOffice, which means that the risk of an infection is higher even if there are fewer vulnerabilities. This could, of course, change when support for Office XP runs out (12 July 2011), prompting businesses and users to upgrade to newer versions of Office. In these versions, mechanisms such as the "Office File Validation" feature attempt to prevent the execution of specially crafted files. This function also became available for Office 2003 and 2007 on the latest Patch Tuesday.

Yet another VB100 award for Avira!

Avira TechBlog: The series continues – Avira AntiVir Personal and Avira AntiVir Professional received the April 2011 VB100 award! The tests were executed in a Windows XP SP3 environment by the Virus Bulletin test engineers.

The Avira anti-malware solutions performed very well: all WildList samples were detected, and all of the polymorphic viruses too. More than 99 percent of the worms and bots were also blocked. The heuristics test also looks very good: with 96 percent of the previously unknown malware samples filtered out, Avira ranks among the best solutions!

Saturday, April 16, 2011

Friday, April 15, 2011

Latest PowerPoint security patch has problems

On its recent patch day, Microsoft released security updates to fix vulnerabilities in multiple versions of its Office products. The patch for PowerPoint 2003 can, however, have negative consequences – after installation, existing presentations may fail to open or may produce an error message stating that the file is corrupted and cannot be fully displayed. In the latter case, the content of the presentation can only be partially read, and any non-displayed elements, in particular background images, are lost for good after saving.

Microsoft is working on the problem and has published a knowledge base article which confirms the existence of the problem. Until the bug is resolved by a new update, users who experience problems are advised to uninstall the security patch from the control panel. Its designation is: Security Update for PowerPoint 2003 (KB2464588).

The Update Wave is rolling: Apple, Adobe, Google

Avira TechBlog: Today some updates need attention – they fix critical security issues and should be installed immediately!

The update round starts off with Apple. Critical security vulnerabilities are closed in the Safari web browser 5.0.5 – they allowed cyber criminals to smuggle in malware. For Mac users, a security update is additionally available for the Snow Leopard operating system. It fixes an issue with stolen certificates which arose three weeks ago at Comodo and is amazingly tiny for an Apple security update, only 4 MByte. And for iPhone, iPad and iPod Touch users the update to iOS 4.3.2 is available, which closes essentially the same security holes on the mobile devices as well.

As announced by Adobe, the Flash Player update which will be available during the day today is already available for users of the Google Chrome web browser. Chrome 10.0.648.205 for Windows, Mac and Linux comes with the new Flash Player plug-in 10.2.154.27. According to the Chrome Release Blog, three critical security vulnerabilities in the GPU process have also been fixed. The update should already have been installed automatically – to make sure you are using the latest version, click on the tool symbol and check the “About Chrome” menu entry.

Thursday, April 14, 2011

Facebook password changed? Malware attack poses as message from Facebook support

Sophos Labs: Repeat after me: It's "Facebook", not "FaceBook".

Learn that lesson and it can be one of the tricks you can use to protect yourself against a spammed-out malware campaign, which tries to trick you into believing that Facebook support has changed your password.

Computer users are receiving emails claiming that the popular social network has automatically changed their password to secure their account.

Here's a typical message:


Dear user of FaceBook.
Your password is not safe!
To secure your account the password has been changed automatically.
Attached document contains a new password to your account and detailed information about new security measures.
Thank you for attention,
Administration of Facebook.

Your alarm bells should be ringing instantly when you receive this message for a number of reasons, not least that it can't decide if it's "Facebook" or "FaceBook", but also because why would Facebook ever email you an attachment? And why are they being so impersonal and not using your name?

Subject lines used in this malicious campaign include "Facebook. Your password has been changed! [NUMBER]" and "Facebook. The new password to your account. [NUMBER]" and even "Facebook Support. Personal data has been changed! [NUMBER]", and in each case the email is accompanied by an attached zip file which pretends to contain the new password.

However, the real payload of the file is to infect your Windows computer with Malware Zbot-AV.

So, just because an email claims to hail from password@facebook.com, support@facebook.com or message@facebook.com, realise that its headers could have been forged - and don't blindly follow its instructions unless you're absolutely certain it's legitimate.

Perhaps the easiest thing to do if you're told your Facebook password has been changed, is try to log into Facebook to see if it's true or not?
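The tell-tale signs the post lists (inconsistent "Facebook"/"FaceBook" spelling, an impersonal greeting, a zip attachment, a campaign-style subject line and a claimed facebook.com sender with no authentication result) can be turned into a simple mail-filter check. The following is an added example, not code from the Sophos post; the two messages are constructed to mirror the text quoted above, and the header names and threshold are assumptions.

```python
"""Flag indicators of the fake "Facebook changed your password" campaign.
Added example; sample messages below are constructed, not real captures."""
import email
import re
from email import policy
from email.utils import parseaddr

BRAND = "Facebook"
# Sender addresses named in the post as being spoofed by the campaign.
CLAIMED_SENDERS = {"password@facebook.com", "support@facebook.com", "message@facebook.com"}
# Subject shapes quoted in the post: "Facebook. Your password has been changed! [NUMBER]" etc.
SUBJECT_RE = re.compile(r"^Facebook( Support)?\. .*(password|personal data).*\b\d+\s*$", re.IGNORECASE)
GENERIC_GREETING_RE = re.compile(r"^\s*dear (user|customer|member)\b", re.IGNORECASE)

# Constructed message mirroring the lure text quoted in the post.
SAMPLE_EML = b"""From: "Facebook Support" <support@facebook.com>
To: victim@example.invalid
Subject: Facebook. Your password has been changed! 8472913
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

Dear user of FaceBook.
Your password is not safe!
To secure your account the password has been changed automatically.
Attached document contains a new password to your account and detailed information about new security measures.
Thank you for attention,
Administration of Facebook.
--XYZ
Content-Type: application/zip; name="New_Password.zip"
Content-Disposition: attachment; filename="New_Password.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--XYZ--
"""

# Constructed control message: personalised, no attachment, authenticated sender.
BENIGN_EML = b"""From: "Facebook" <notification@facebook.com>
To: alice@example.invalid
Subject: Alice, you have 3 new notifications
Authentication-Results: mx.example.invalid; spf=pass smtp.mailfrom=facebook.com; dkim=pass
Content-Type: text/plain

Hi Alice,
You have 3 new notifications waiting on Facebook.
"""


def brand_casing_mismatches(text: str) -> list:
    """Return every spelling of the brand name that differs from the canonical one."""
    found = set(re.findall(re.escape(BRAND), text, flags=re.IGNORECASE))
    return sorted(s for s in found if s != BRAND)


def analyze(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and collect the campaign indicators it shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    indicators = []

    subject = msg.get("Subject", "")
    if SUBJECT_RE.match(subject):
        indicators.append("subject matches campaign pattern")

    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    mismatches = brand_casing_mismatches(body + " " + subject)
    if mismatches:
        indicators.append("inconsistent brand spelling: " + ", ".join(mismatches))
    if GENERIC_GREETING_RE.match(body):
        indicators.append("impersonal greeting (no recipient name)")

    attachments = [p.get_filename() or "" for p in msg.iter_attachments()]
    if attachments:
        indicators.append("attachment present: " + ", ".join(attachments))
    zips = [f for f in attachments if f.lower().endswith(".zip")]
    if zips:
        indicators.append("zip attachment: " + ", ".join(zips))

    # A From header is trivially forged; only trust it with a passing auth result.
    sender = parseaddr(msg.get("From", ""))[1].lower()
    auth = msg.get("Authentication-Results", "")
    if sender in CLAIMED_SENDERS and "pass" not in auth.lower():
        indicators.append("From claims facebook.com without a passing Authentication-Results")

    # Threshold is an assumption for this example: three independent signs is plenty.
    return {"subject": subject, "indicators": indicators, "suspicious": len(indicators) >= 3}


if __name__ == "__main__":
    for name, raw in (("lure", SAMPLE_EML), ("benign", BENIGN_EML)):
        result = analyze(raw)
        print(name, result["suspicious"], result["indicators"])
```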

You can stay informed about the latest scams by joining the Omid's Blog! Facebook page.

Adobe plans Flash Player Update tomorrow

Avira TechBlog: This is good news – for the recently acknowledged zero-day security vulnerability within Adobe Flash Player, Acrobat and Reader there will be a first update available tomorrow. Adobe updated their security advisory on that matter to reflect the update schedule – the Flash player update fixing the vulnerability for Windows, Mac, Linux and Solaris will be available tomorrow, Friday, April 15.

For the likewise vulnerable Adobe Reader and Acrobat, updates are planned “no later than the week of April 25, 2011”. The only exception is Adobe Reader X for Windows, which will be updated on the regular planned Patchday on June 14, as the integrated sandbox prevents successful exploitation there according to Adobe.

Please be prepared to download and install the update tomorrow as soon as it is available!

WordPress.com suffers hacker attack - how to change your password

Sophos Labs: Millions of blog owners around the world are being advised to consider their password security, after WordPress.com was hacked.

To its credit, Automattic - the company behind the WordPress.com blogging platform - didn't mince its words or try to apply any spin to the incident, explaining it had suffered a "low-level (root) break-in to several of [its] servers, and potentially anything on those servers could have been revealed."

We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.

WordPress's gurus continue to investigate the security breach, and say they have taken steps to prevent it happening again.

It's worth pointing out that the security incident only potentially affects blogs posted on WordPress.com, not sites which have decided to self-host their own WordPress blog using the software from WordPress.org.

So, until we know more, I think it would be sensible for all WordPress.com users to follow the advice - and consider if they are using a secure password. Better safe than sorry, after all.

Here's how you change your WordPress.com password, if you think it might not be secure.


1. Go to Users / Personal settings
2. Choose a strong, unique password. (How to choose a good password and take care of it?)


We don't know that the WordPress.com security breach gave the hackers access to bloggers' passwords, but we do know that many internet users have chosen to use the same password on multiple websites. So if your password was stolen from one website, it could then be used to unlock many other online accounts - and potentially cause a bigger problem for you.

So always use unique passwords.

Furthermore, computer users should ensure they don't use dictionary words as passwords as it is relatively easy for hackers to figure these out using electronic dictionaries that simply try out every word until they get the right one.

Even though your WordPress password may not have been compromised, it still makes sense and is good practice to make sure that you have chosen a good, strong password now.

Follow up: Hacker Gains Access To WordPress.com Servers, Site Source Code Exposed

Follow up from: Hacker Gains Access To WordPress.com Servers

Tech Crunch: WordPress.com has revealed that someone has gained root-access (“low-level,” as in deep) to several of its servers this morning and that VIP customers’ source code was accessible. WordPress.com VIP customers are all on “code red” and in the process of changing all the passwords/API keys they’ve left in the source code.

“Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.

We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.”


While Automattic is downplaying the leak, sites’ source code could include API keys and Twitter and Facebook passwords which can let interested parties gain access to sensitive information as well as shut people out of their Twitter and other vulnerable accounts.

Automattic says that the investigation “is ongoing.” I’ve contacted founder Matt Mullenweg for more information and will update this post when I hear back.

WordPress.com currently serves 18 million publishers, including VIPs like TED, CBS and is responsible for 10% of all websites in the world. WordPress.com itself sees about 300 million unique visits monthly.

Wednesday, April 13, 2011

Hacker Gains Access To WordPress.com Servers

Tech Crunch: WordPress.com has revealed that someone gained access to several of their servers this morning and that VIP customers’ source code was accessible. WordPress.com customers are all on ‘code red’ and in the process of changing all the passwords/API keys they’ve left in the source code.

“Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed.


We have been diligently reviewing logs and records about the break-in to determine the extent of the information exposed, and re-securing avenues used to gain access. We presume our source code was exposed and copied. While much of our code is Open Source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.”

While Automattic is downplaying the leak, site source code includes API keys, such as those for Twitter, and cookie log-ins, which can let interested parties gain access to sensitive information like Twitter accounts.

Automattic says that the investigation “is ongoing.” I’ve contacted Automattic for more information and will update this post when I hear back.

Updated: Follow up: Hacker Gains Access To WordPress.com Servers, Site Source Code Exposed

Microsoft launches first Internet Explorer 10 preview

Fulfilling the hints Microsoft dropped back in March, the Redmond software company unveiled the first platform preview of Internet Explorer 10 at MIX 11 in Las Vegas on Tuesday.

This first preview of Internet Explorer 10 builds on the big HTML5 push that began with IE9, and adds support for more advanced Web standards, such as CSS3 Gradients as background images, and CSS3 Flexible Box and multi-column layout.

Microsoft said code refreshes will take place approximately every twelve weeks for IE10.

As usual, Internet Explorer's new tricks can be checked out at ie.microsoft.com/testdrive right now.

Google says it did not lie about government certification for Apps

BetaNews: Google found itself fending off criticisms from competitor Microsoft on Monday over whether or not its Google Apps product truly had an important government security clearance, certification under the Federal Information Security Management Act (FISMA). The Mountain View, Calif. company claimed on its webpage that the Government version of Apps had it. It didn't.

Instead, Google Apps Premier had the proper certification, while the more restrictive Government version was still in the process of getting FISMA certified. This is required by some government agencies in order to participate and win bids for any IT contract.

Microsoft uncovered this in a Justice Department filing from December after those documents were unsealed by the court.

"Google easily could have explained that it had received certification for Google Apps Premier and was in the process of seeking certification for Google Apps for Government," Microsoft deputy general counsel David Howard wrote in a blog post on Microsoft TechNet. "Instead, Google has continued to state that Google Apps for Government has FISMA certification itself."

Howard seemed to express confusion at how Google could assume that it had the certification for its Government version merely because its more expansive Premier offering had it. "If that were the case, then why did Google, according to the attachments in the DOJ brief, decide to file a separate FISMA application for Google Apps for Government?"

In any case, the information is coming to light as part of a lawsuit Google filed against the Department of the Interior over its insistence that bidders on a contract use a Microsoft product, a contract which Microsoft won. While a lower court judge agreed that this bid process was rigged to favor Redmond, an injunction was filed while the argument was settled.

Google contends it did not lie. "We did not mislead the court or our customers," enterprise strategy and business development chief David Mihalchik told Computerworld. "Google Apps for Government is the same system [as Premier] with enhanced security controls that go beyond FISMA requirements."

Mihalchik did not answer the question as to why Google continued to insist that the Government version itself had the FISMA certification, which remains the central issue in the dustup.

Ubuntu Desktop 8.04 LTS approaches end of life

H-Online: In a post on the project's security announce mailing list, Ubuntu Release Manager Kate Stewart has reminded users that the desktop version of Ubuntu 8.04 LTS, code named Hardy Heron, will reach its end of life in May. Version 8.04 of the Debian-derived Linux distribution was released on 24 April 2008.

Based on the 2.6.24 Linux kernel, it placed a stronger focus on stability and ease of use, rather than on new features, and included the GNOME 2.22 desktop environment, as well as a new installer that allowed Ubuntu to be installed directly under Windows without having to boot from CD or re-partition the hard disk. Built-in applications included version 2.4 of the OpenOffice.org office suite, Firefox 3.0 Beta 5, the F-Spot photo manager and the GIMP image editor. After 12 May 2011, no new updates, including security updates and critical fixes, will be available. The server edition of Ubuntu 8.04 LTS will continue to be supported until May 2013.

Hardy Heron users are advised to upgrade to a later release to continue receiving updates. The developers note that users wanting to upgrade to 10.10 from 8.04 will first have to upgrade to 10.04 LTS. Standard releases of Ubuntu are supported for 18 months of updates for both the desktop and server versions, while Long Term Support (LTS) versions of Ubuntu are supported for three years for the desktop releases and five years for server releases.

The current development release is Ubuntu 11.04 Beta 1, code named "Natty Narwhal", from the end of March. The final version of Natty Narwhal is scheduled to be released on 28 April 2011. The latest stable release is version 10.10 "Maverick Meerkat", while the current Long Term Support version is Ubuntu 10.04.2 LTS "Lucid Lynx". Ubuntu is sponsored by UK based Canonical Ltd.

Microsoft's record Patch Tuesday

H-Online: It's a record for Microsoft: 9 critical and 8 important updates close a total of 64 security holes. In the worst case, a number of the vulnerabilities allow for remote code execution; in other words, arbitrary code can be injected and executed, such as from specially crafted documents and websites. Microsoft put 44 of them in the category Exploitability Index 1, meaning that the code that exploits the flaw will probably go into circulation soon.

The software affected ranges from Windows to Internet Explorer, Office, Visual Studio, .NET, and GDI+. For an overview, see the Microsoft Security Bulletin Summary for April 2011. At the top of Microsoft's to-do list are updates for Internet Explorer (MS11-018) and the client/server file shares (SMB, MS11-019/MS11-020), followed by the new kill bits for vulnerable ActiveX components (MS11-027) and the .NET update in MS11-028.

Monster update MS11-034 is truly remarkable; it patches 30 security holes in Windows kernel drivers in one fell swoop. Two recurring bugs in internal memory management can apparently allow users to escalate their system rights.

In a blog post, Microsoft's security team underscores two new security functions that are reportedly available with the update. First, Microsoft now also offers extended security checks of Office files for Office 2003 and 2007 (Office File Validation). Because the Office sandbox called "Protected View" is only available in Office 2010, users of older versions now at least receive a warning notice if a file seems suspicious. The blog post does not, however, say whether the alarm also works with the Flash exploits embedded in Excel and Word files.

The second new security function is a direct reaction to the Alureon/TDL rootkit, which managed to outsmart 64-bit Windows and launch Windows in a maintenance mode that also accepts unsigned drivers. Redmond has now provided an improved loader to remedy the situation. Microsoft says Alureon is the most common rootkit in Germany.

Chromium-based Flock social web browser is no more

H-Online: In a post on their home page, the Flock developers have announced that support for their Chromium-based social web browser will officially be discontinued on 26 April 2011. Thanking their "loyal users" for their support, the developers encourage the Flock community to migrate to another browser.

Flock began life as a cross-platform browser start-up in April 2005. Distinguishing itself from other browsers, Flock automatically managed updates and media from several popular social services, including MySpace, Facebook, Bebo, Digg, YouTube and Twitter.

Prior to version 3.x, the browser was based on Mozilla's Gecko HTML rendering engine, the same used by the 3.x branch of Firefox. However, when the Flock 3 beta arrived, it dropped the engine used by Firefox and switched to Google's open source Chromium browser platform. The last major update to Flock was version 3.5 from late November 2010; three point updates were later released to address various bugs.

In January of this year, the company was acquired by US game maker Zynga, which is well known for its popular online games, such as FarmVille and Mafia Wars. While users can continue to use the browser, the company notes that several "key features will stop working after 4/26/11 and over time the browser will no longer be secure as software updates and upgrades will no longer be provided".

As no further security updates will be provided, the developers encourage all Flock users to upgrade to either Google Chrome or Mozilla's Firefox web browser. An Official End of Support FAQ is available on the company's web site.

My naked pic is attached - malware spammed out

SophosLabs: Are you in the habit of having complete strangers email you naked pictures of themselves?

That's the only legitimate explanation I can think of for why your computer would be infected by the latest malware attack that has been spammed out around the world.

Users are seeing messages in their inbox, which attempt to trick recipients into opening the attached file with the promise of a nude photo.

The messages read

I love wild sex and looking for a discreet partner.
I have my picture attached to this email. Take a look at it and get back if you like what you see.

and have the subject line "my naked pic is attached".

Sure enough, there is a file attached to the emails (it's called picture.zip) but it isn't a potential sex partner who is contacting you. Instead, the attachment contains a fake anti-virus attack - designed to con you into believing that your computer has a barrage of security problems, and fool you into handing over your credit card details.

Hopefully most people will think with their brains and not with their trousers, and not be tempted into opening the attachment. However, experience has shown that even a malicious attack as obvious as this is likely to capture some unwary computer users.

Tuesday, April 12, 2011

First Firefox 4 update coming on April 26

Mozilla Links: Mozilla has announced that it will release the first update for Firefox 4 on April 26, about a month after the original release, back in March 22.

New with this release is that Mozilla will start using code names (somehow related to the main branch codename, in this case Tumucumaque) for updates as well, as a way to help developers who follow Firefox development closely understand more clearly what is coming when.

As explained in the Mozilla Wiki, it is not unusual that in the middle of an update's development (say Firefox 3.6.20), a critical security or stability bug is discovered that forces Mozilla to put things on hold and rush a quick update, which would then become 3.6.20. All previously planned bug fixes are then released with Firefox 3.6.21, causing some serious headaches for developers when trying to spot bugs targeted for the next release.

With code names, Firefox 4.0.1 is Macaw, no matter what happens between now and April 26. If, say, a zero-day vulnerability is discovered, the emergency update will get a new codename (Anteater, actually), making it perfectly clear what each one is about.

In related news, Aurora, the new development branch that will enable Mozilla’s new faster development cycles, will be created tomorrow.

A new security flaw hits VLC

H-Online: Following on from last week's S3M vulnerability in the VLC media player, a new advisory warns of a buffer overflow when playing MP4/MPEG-4 files. The bug, reported by Aliz Hammond, requires that a user open a specially crafted MP4 file. According to Secunia, the vulnerability is found in the MP4_ReadBox_skcr() function in the demultiplexer and is rated as "highly critical". All versions from 1.0.0 to 1.1.8 are affected by the problem.

Corrections have been applied to the source code tree and the issue will be resolved in VLC media player 1.1.9 when it is released. Patches for older versions are also available for those who compile their own binaries. The Videolan developers recommend that users refrain from opening files from untrusted third parties and web sites until the patch is applied. As an alternative, they suggest that removing the libmp4_plugin.* files from the VLC plugin installation directory will disable the plug-in.

BBC News/Dad walks in on daughter Facebook scams

SophosLabs: Criminals and scammers on Facebook aren't resting on their laurels... in fact, they are branching out and using multiple techniques all rolled into one scam.

Tonight's blockbuster spam is taking on several guises. One version is a likejacking attack that spams your wall with the message "Dad walks in on daughter... EMBARRASING!!!" and "This really has to be an awkward moment."

They seem to be quickly rotating through a long list of Google (goo.gl) short URLs to evade detection.

Strangely, it appears that the likejacking protection Facebook introduced last month is not working. At the moment the page has over 49,000 likes and is growing.

A variation of the same scam seemingly aimed at a more international audience pretends to be from BBC News. It is an application using variations of the word news or newz.


It posts messages to your wall saying "Everyone do check what she did on cam ...." and seems to also play on the recent spate of photo tagging scams.

All of this ultimately leads to an obviously faked video on YouTube, covered by a survey scam. The video on YouTube has over 77,000 views, implying that many people are filling out the surveys that generate cash for the scammers.


As with all of these different Facebook lures, try to resist the temptation to click them, and be sure to click the report spam button to alert the Facebook security team.

To stay up to date on the latest scams, spams and other security and privacy advice join my Facebook page.

Zero-Day Vulnerability in Adobe Flash Player, Reader and Acrobat

Avira TechBlog: Adobe released a security advisory in which it warns of a zero-day vulnerability in the current versions of Adobe Flash Player, Reader and Acrobat. Affected are Flash Player 10.2.153.1 and earlier versions for Windows, Mac, Linux and Solaris, the current version integrated in the Chrome web browser, and 10.2.156.12 and earlier versions for Android. The authplay.dll component of current and older versions of Adobe Acrobat and Reader is also affected; according to Adobe, the sandbox of Acrobat Reader X prevents execution of malicious payloads, though.

The vulnerability allows attackers to inject malicious code with manipulated documents. Currently targeted attacks are reported by Adobe which use a Word document with a specially prepared Flash Player file (.swf) embedded to infect victims.

The company is currently finalizing a schedule for updated software versions. Until those updates are available, users should be careful about which documents they open; documents that arrive without being expected are suspicious.

Monday, April 11, 2011

Twitter spam and viagra galore

Spam mails claiming to be from Twitter that send you to pharmacy sites are a popular wheeze for spammers, and here we go again.



It seems I have "two PR messages from Twitter". If that wasn't enough to get me clicking (it isn't), I can also join in on sports conversations, argue with bloggers and tell the world when I stumble into some form of natural disaster.

Hammering one of the many links will actually take me to 219(dot)84(dot)119(dot)56/afternoon(dot)html, which will send me to pharmacydrugstorehealthprofessionals(dot)net.



All the Cialis you can eat!

That might not be a good idea though.

Bear in mind that spam blasts like the one above can sometimes lead to malware most horrid, so - as always - stay safe (and don't go messing with random pills bought on the internet, either).

Fake Certificate in Malware – with Message

Avira TechBlog: Every now and then, malware authors send us virus researchers messages, for example in the compiled binary itself or as debug output. Now we found a Zbot Trojan variant which tries to evade detection by carrying a digital certificate and thereby looking more legitimate. This certificate is registered to “DetectMe! :) ”, and random data is appended after the certificate.




We see hints like these regularly – malware authors proposing names for their malicious creations or suggesting a place where a signature based detection would be suitable. Of course, such hints are ignored by us for detection but make us smile for a short time.

In this special case, our heuristics already notice other suspicious properties of the file and Avira thus detects the malware as TR/Crypt.ULPM.Gen.

ZeroAccess, an advanced kernel mode rootkit


Prevx Blog: In the last couple of years, three major players have dominated the scene in the field of kernel mode rootkit development. They are the Rustock rootkit - with its latest build discovered in the wild in 2008 - the MBR rootkit - first discovered in January 2007 - and the TDL rootkit, which can be considered the most advanced kernel mode rootkit to date, able to infect both x86 and x64 versions of the Windows operating system.

In mid 2009 another player quietly started targeting Windows and its kernel, slowly becoming more than "yet another rootkit". The ZeroAccess rootkit, also known as the Max++ rootkit, has shown very good code development and interesting features since its beginning, like exploiting the NTFS file system feature called a junction (actually a folder symbolic link) to create fake folders able to kill most security software when it tried to access such folders.

Since 2009 the rootkit has evolved up to the latest release, which strongly resembles the TDL3 rootkit in many features, like the implementation of a hidden volume where it stores its configuration data and other infection files. TDL3 creates a hidden drive by formatting the last sectors of the hard drive with its own TDL file system and then encoding it using RC4 encryption. ZeroAccess instead creates a new file inside the system32\config folder. This file is mounted by the rootkit as a hidden volume; it is formatted using the NTFS file system and encrypted using RC4 encryption as well.

In both situations the system won't be able to directly access the hidden volumes, so every file stored inside those volumes will be hidden from security software and from the operating system.

We have analyzed the rootkit dropper and published a video on YouTube that shows how to unpack it to better analyze the rootkit code.





The technical analysis of the rootkit can be downloaded from the link below:

ZeroAccess - an advanced kernel mode rootkit

Tuesday, April 05, 2011

My Facebook wall has been viewed X times - viral survey scam spreads rapidly

SophosLabs wrote: Do you want to know the total number of times that your Facebook wall has been viewed? Are you curious as to who may be stalking you on Facebook?

If so, you're a prime candidate for scammers who are exploiting that desire to put money into their own pockets.

Here are the latest messages spreading virally between thousands of Facebook users who have fallen for the scam:


Different incarnations of the scam use slightly different wording, and dream up different numbers for the boys and girls who are said to have looked at your Facebook wall:

SHOCKING! My Facebook wall has been seen 1981 times.
Boy views: 1169.
Girl views: 812.
Check yours @: [LINK]

WOW! My Facebook wall has been seen 2306 times.
Boy views: 1568.
Girl views: 738.
Check yours @: [LINK]

SHOCKING! My Facebook wall has been viewed 1326 times.
Boy views: 610.
Girl views: 716.
Check yours @: [LINK]

AMAZING! My Facebook wall has been viewed 2410 times.
Boy views: 819.
Girl views: 1591.
Check yours @: [LINK]

When you see one of your Facebook friends post a message like the above, chances are that you might be tempted to try it out for yourself. So what does happen if you click on one of those links?

Well, the first thing you see is a standard Facebook application request dialog - requesting your permission to grant a third-party app access to your Facebook profile. If you give it permission, then it will be able to peruse your Facebook page and post messages in your name.


The scammers have created a variety of different rogue applications that they are using in this particular scam. Facebook, sadly, doesn't adequately verify the people who create apps so you're playing Russian Roulette when you allow a complete stranger this level of access to your Facebook page.

Of course, you want to know how many boys or girls are checking out your Facebook - so you're likely just to grant the rogue application permission to your Facebook page.

Big mistake. You should have clicked on "Don't allow" instead.

The next thing you know, you are taken to a page which looks like it has lots of information about who has been viewing your Facebook wall.


But do you notice that all the information about who has been stalking you on Facebook is "locked" away? The page is asking you to complete a "30 second" security check to "prove you are human" in the form of an online survey. The implication is that you'll find out who has been viewing your Facebook profile, once you have completed the online test.

What the scammers don't tell you is that they earn commission for each survey completed. Furthermore, they have already exploited your own Facebook page to post out a message to your friends, inviting them to also find out how many times their Facebook wall has been viewed. In this way the revenue-generating survey scam spreads virally.

And do you ever discover who has been viewing your Facebook wall? I'm afraid not. But you have made some money for the scammers, and helped them with their nefarious scheme.

If you've been affected by this scam, you should clean up your account before any further damage is done.

Make sure that you stay informed about the latest scams spreading fast across Facebook and other internet attacks. Join the Omid's Blog! Facebook page.

Saturday, April 02, 2011

Comodo Group Issues Bogus SSL Certificates

from Schneier on Security by Schneier:

This isn't good:

The hacker, whose March 15 attack was traced to an IP address in Iran, compromised a partner account at the respected certificate authority Comodo Group, which he used to request eight SSL certificates for six domains: mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org and login.live.com.

The certificates would have allowed the attacker to craft fake pages that would have been accepted by browsers as the legitimate websites. The certificates would have been most useful as part of an attack that redirected traffic intended for Skype, Google and Yahoo to a machine under the attacker's control. Such an attack can range from small-scale Wi-Fi spoofing at a coffee shop all the way to global hijacking of internet routes.

At a minimum, the attacker would then be able to steal login credentials from anyone who entered a username and password into the fake page, or perform a "man in the middle" attack to eavesdrop on the user's session.

More news articles. Comodo announcement.

Fake certs for Google, Yahoo, and Skype? Wow.

This isn't the first time Comodo has screwed up with certificates. The safest thing for us users to do would be to remove the Comodo root certificate from our browsers so that none of their certificates work, but we don't have the capability to do that. The browser companies -- Microsoft, Mozilla, Opera, etc. -- could do that, but my guess is they won't. The economic incentives don't work properly. Comodo is likely to sue any browser company that takes this sort of action, and Comodo's customers might as well. So it's smarter for the browser companies to just ignore the issue and pass the problem to us users.

Massive SQL injection attack making the rounds—694K URLs so far


Thanks to my friend, Pondus!

Ars Technica: Hundreds of thousands of URLs have been compromised—at the time of writing, 694,000 (it's in the millions of sites by the time you are reading this)—in an enormous and indiscriminate SQL injection attack. The attack has modified text stored in databases, with the result that pages served up by the attacked systems include within each page one or more references to a particular JavaScript file.

The attack appears to be indiscriminate in its targets, with compromised machines running ASP, ASP.NET, ColdFusion, JSP, and PHP, and no doubt others. SQL injection attacks, which exploit badly-written Web applications to directly perform actions against databases, are largely independent of the technology used to develop the applications themselves: the programming errors that allow SQL injection can be made in virtually any language. The underlying cause is a programmer trusting input that comes from a Web page—either a value from a form, or a parameter in a URL—and passing this input directly into the database. If the input is malformed in a particular way, the result is that the database will run code of the attacker's choosing.

In this case, the injected SQL is simply updating text fields within the database, to make them include an extra fragment of HTML. This HTML in turn loads a JavaScript from a remote server, typically "http://lizamoon.com/ur.php" or more recently, "http://alisa-carter.com/ur.php." Both domain names resolve to the same IP address, and presently that server is not functional, leaving browsers unable to load the malicious script when they visit infected pages. Previously, it contained a simple script to redirect users to a fake anti-virus site.

The massive scale of these attacks (and the rapidly growing number of affected URLs) was first noticed by Websense Security Labs. On Tuesday, around 28,000 URLs were compromised; now more than 20 times more URLs are infected, and the numbers are still growing.

The injected code is also found on a number of product pages on Apple's iTunes Store. Apple fetches RSS feeds from podcasters that broadcast using iTunes, and in a number of cases these broadcasters have been compromised by the SQL injection attack. As a result, the malicious code has made its way into Apple's system. However, due to the way Apple processes the RSS feeds, there appears to be no exploitation vector; the injected HTML is safely nullified.

SQL injections following this pattern appear to have been happening off and on for six or more months now. The domain name hosting the JavaScript changes each time, but the file name—ur.php—and the style of injection remain consistent. The actions of the scripts have been similar too; pop-up windows and malware downloads. Previous efforts were on a much smaller scale, however: hundreds of compromised URLs instead of hundreds of thousands. In these earlier cases, the attacks originated from IP addresses in eastern Europe and Russia.

It's been a busy week for SQL injection; at the weekend, MySQL.com, the website of Oracle-owned open source database MySQL, was hacked, again using SQL injection. A little embarrassing for a database vendor to be unable to use its own database securely.
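The root cause and the injected fragment described in the Ars Technica excerpt above, as an added example that is not code from Ars Technica, Websense or this blog: a concatenated query beside its parameterized replacement, plus a scan over a database's text columns for the `<script src=".../ur.php">` fragment and a clean-up that writes the repaired text back with bound parameters. The table, rows and column names are constructed here for illustration; the script hosts are the two named in the article.

```python
import re
import sqlite3

# The injected fragment described in the article: a <script> tag whose src points at
# a remote ur.php. The host changed between waves, so match the file name, not the domain.
INJECTED_SCRIPT_RE = re.compile(
    r'<script\s+src\s*=\s*["\']?(https?://[^"\'\s>]+/ur\.php)["\']?\s*>\s*</script>',
    re.IGNORECASE,
)
# Identifiers cannot be bound as parameters, so a table name from outside the code
# must be allow-listed before it is spliced into SQL text.
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

def build_sample_db():
    """Constructed sample data: a CMS-style table with two rows tampered as in the article."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages (title, body) VALUES (?, ?)", [
        ("Welcome", "<p>Hello world</p>"),
        ("News", '<p>Headlines</p><script src="http://lizamoon.com/ur.php"></script>'),
        ("O'Reilly review", "<p>Book review</p>"),
        ("Contact", "<p>Write to us</p><script src=http://alisa-carter.com/ur.php ></script>"),
    ])
    return conn

def lookup_body_vulnerable(conn, title):
    """The programming error: page input concatenated straight into the SQL text."""
    return [r[0] for r in conn.execute("SELECT body FROM pages WHERE title = '" + title + "'")]

def lookup_body_safe(conn, title):
    """The fix: the input travels as a bound parameter and can never alter the statement."""
    return [r[0] for r in conn.execute("SELECT body FROM pages WHERE title = ?", (title,))]

def quote_breaks_query(conn, title):
    """True when the concatenating lookup fails on input the parameterized one handles."""
    try:
        lookup_body_vulnerable(conn, title)
    except sqlite3.Error:
        return True
    return False

def find_injected_rows(conn, table):
    """Scan every text column of `table`; return (id, column, script_src) for each hit."""
    if not IDENT_RE.match(table):
        raise ValueError("refusing unexpected table name: %r" % table)
    cols = [r[1] for r in conn.execute('PRAGMA table_info("%s")' % table)
            if (r[2] or "").upper().startswith(("TEXT", "CHAR", "VARCHAR", "CLOB"))]
    hits = []
    for col in cols:  # column names come from the schema itself, not from user input
        for rowid, value in conn.execute('SELECT id, "%s" FROM "%s" WHERE "%s" IS NOT NULL' % (col, table, col)):
            hits.extend((rowid, col, m.group(1)) for m in INJECTED_SCRIPT_RE.finditer(value))
    return hits

def strip_injected(conn, table):
    """Remediation: remove the fragment from every hit and write the text back with bound parameters."""
    hits = find_injected_rows(conn, table)
    for rowid, col, _src in hits:
        (value,) = conn.execute('SELECT "%s" FROM "%s" WHERE id = ?' % (col, table), (rowid,)).fetchone()
        conn.execute('UPDATE "%s" SET "%s" = ? WHERE id = ?' % (table, col), (INJECTED_SCRIPT_RE.sub("", value), rowid))
    conn.commit()
    return len(hits)
```

Run `find_injected_rows` against a copy of the live database before cleaning, and treat every hit as evidence that the application still has an injectable query to find and parameterize.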

Friday, April 01, 2011

Chrome Bookmarks Integrate with Google Search

Google Operating System: Until recently, Google Bookmarks and Chrome Bookmarks were two separate features that didn't speak the same language. Even if you could save your Chrome bookmarks to a Google account, they weren't saved to Google Bookmarks. For some reason, your bookmarks are available in a special Google Docs folder.

Chrome bookmarks have a web interface, but it's likely that the obvious will happen: Chrome bookmarks could be saved to Google Bookmarks. Jérôme Flipo noticed that the Google Bookmarks OneBox already includes Chrome bookmarks. I've tried to find SmallNetBuilder.com and Google's OneBox returned it even though it was starred in Chrome, not in Google Bookmarks.


Google +1

Google Operating System: Google +1 is yet another attempt to make Google more social. It's Google's version of the Facebook "likes", a simple feature that's very powerful because it's part of a social network.

Google will show +1 buttons next to all search results and ads, while encouraging other sites to include the buttons. All +1's are public and they're tied to Google Profiles. The goal is to use this data to personalize search results and ads by recommending sites +1'd by your friends. Google Social Search already does this, but there's no support for Facebook likes, so Google had to come up with a substitute.

"+1 is the digital shorthand for 'this is pretty cool.' To recommend something, all you have to do is click +1 on a webpage or ad you find useful. These +1's will then start appearing in Google's search results," explains Google.


This feature is slowly rolled out to Google.com, but you can try it by enabling the +1 search experiment.

One thing is clear: Google won't have to translate "+1" when it will localize the service, but it will have a hard time translating "+1's", "+1'd" and other cryptic constructs. Google +1's URLs already look weird (here's the homepage: http://www.google.com/+1).

Your +1's are listed in a profile tab, where you can manage them. There's also a page that lets you disable personalizing Google ads using +1's and other information from your Google profile.

Google now has the most important pieces of a social network (profiles, activity stream, likes, apps), but there's still no social network, no magic "glue" that connects the existing pieces. As Danny Sullivan explains, the "+1 social network" is made up of your Google Talk friends, the people from Gmail's "My contacts" group and the people you follow in Google Reader and Google Buzz, but you'll soon be able to connect other services like Twitter and Flickr. It's actually a meta social network, an artificial service that won't have too many enthusiastic users, just like Friend Connect.