Posts tagged ‘Internet’

New Office vulnerability actively exploited

Microsoft has warned about yet another security hole which is already being actively exploited on the net. Affected are installations of Microsoft's Office XP and 2003, the ISA Server 2004 and 2006 and Office Small Business Accounting 2006.

It is unclear whether the updates which are to be released later today will already fix the error, but it seems unlikely. Microsoft has a “Fix-it” tool ready which disables the ActiveX component within Internet Explorer to help mitigate the risk. Please use it ASAP!

Dirk Knop
Technical Editor

Microsoft announces July Patches

According to Microsoft's announcement of the next Black Tuesday, the company plans to release six security bulletins. Three of those deal with security holes deemed critical by Microsoft, while the other three are only rated “important”.

Among those three critical vulnerabilities there is one in DirectX. It seems that the Redmond company is plugging the holes which are currently being attacked in the wild. We generically detect the JavaScript used to exploit the vulnerability, in all currently known versions, as “HTML/Shellcode.Gen”. Halvar Flake has a nice writeup in his blog with details of the flaw and shows “how deep the rabbit hole really goes”.

While it remains unclear what the other two Windows vulnerabilities are, there will be updates which wipe out the important security flaws within Publisher from Microsoft's Office suite, within Virtual PC and Virtual Server and in the ISA Server. Two of the updates will require a restart, so prepare for some downtime next Tuesday!

Dirk Knop
Technical Editor

Potential Threat through Opera Unite, Part II

The comment about a possible security threat due to a web server in the web browser got picked up by Opera and the media. The CEO of Opera, Jon von Tetzchner, doesn't see implied security risks with such a feature. In his view it would be safe, as it would not be worth attacking millions of computers: those single computers wouldn't be interesting because there isn't much data lying around in a central place.

In order to explain where the security risks reside when many computers are registered in a central place, we have to describe the architecture of Opera Unite. Opera Unite implements the concept of a Peer To Peer (P2P) network in a different way than has been done so far.

P2P networks come in two flavors: using a central server where the shared resources are registered, also called a centralized P2P network (e.g. BitTorrent, eMule, etc.), and without a central server for resource sharing, also called a decentralized P2P network (e.g. Gnutella). Opera Unite implements a little bit of both approaches: there is a central place where the computers are registered in order to get the Opera Unite name (http://sharename.myuser.operaunite.com/file_sharing/), but it doesn't store the identifiers of the shared resources (something like http://sharename.myuser.operaunite.com/file_sharing/admin/malware.exe).

We can see a couple of potential attack vectors here:

1. The Opera Unite central server(s)
These contain the index of all the computers running the Opera Unite software. Once such a server is compromised, all registered names are available and the attacker can access the users' files. More information about the service's architecture is presented here.

2. The services of the Opera Unite software running on the user's computer
Once the software is compromised, we can only assume the worst: the attacker can install programs and can download and upload files on the user's computer. The service is nothing else than an Opera Widget written in JavaScript.

3. The attacker uses the Opera Unite SDK and builds a malicious service for Opera Unite
If a malicious user creates a service and shares it (on http://unite.opera.com/), he is able to build a remotely controlled computer network, which software security specialists usually call a bot net.

Yes, there is an “Approval of Opera Unite Services” process described on dev.opera.com where, among other topics, the following issue is checked: “# The service must not contain malicious or destructive code”.

But how do you define malicious? Is downloading and executing a file malicious? It depends on the file. Is connecting to an SMTP server and sending emails malicious? It depends on the content you're sending and on how many emails you're sending. There are a lot of scenarios which can be imagined.

We see attacks on millions of PCs on a daily basis, whether from the web via drive-by downloads, via email or directly at the network level against vulnerable services. And of course every single computer counts: a usual bot net consists of thousands of infected, remotely controlled PCs.

The new quality of this potential threat stems from the direction an attack would come from. Today, a user has to surf to a hacked web site or start the malware herself or himself after a successful social engineering attack. With a server built into the browser, the attackers can actively scan for victims and deliver their malware onto vulnerable computers. Additionally, the other attacks still work, too.

But as Jon von Tetzchner also mentions, Opera takes security concerns seriously, and we don't doubt that. They will make sure to ship a well-tested, secure product. Anyway, now that the service is public, everybody in the security industry will keep an eye on it. We have already started.

Dirk Knop
Technical Editor

Sorin Mustaca
Manager International Software Development

Malware threats in the first half of 2009

As we predicted upcoming threats for 2009 at the end of last year, we have now checked whether our guesses were correct. Unfortunately, they were.

We predicted that the use of polymorphic file infectors would increase again. This came true: W32/Virut, W32/Sality and W32/Almanahe are celebrating a comeback. The authors spread new variants of their polymorphism engines. It seems that even older versions of those polymorphic viruses are still widespread, but W32/Virut is releasing the most updates, several dozen in the first six months of the year. The good news is that our detection routines withstand these bypass attempts.

Spreading malware via manipulated PDF documents is still one of the top threats on the Internet. In the last months the number of exploit PDFs showing up for vulnerabilities in PDF readers increased significantly; in the first half of 2009 we received several thousand samples. Every week the malware authors spread around ten newly obfuscated exploits, each of which in turn gets used in plenty of PDF files. We regularly release updates for newly modified PDF exploits when necessary. Users should update their PDF readers regularly anyhow, as this mitigates most of the threats.

As an attack vector for infecting computers, web-borne malware is increasing further. Malware is increasingly installed via drive-by downloads, where the attackers hack into web servers with legitimate content and add references to their malware servers. Those servers then install, for example, trojans and/or bots on the vulnerable computers. It seems that there are plenty of construction toolkits out there with which anyone can produce malicious JavaScript simply by clicking with the mouse: malware features like encryption, heap spraying and shellcode appear to be more modular and recur across parts of the malicious web pages we analyzed.

Using a recent antivirus product will help protect against these threats. The WebGuard of our premium products additionally remedies web-borne malware distribution very efficiently.

Dirk Knop
Technical Editor

Opera Unite – Everybody is becoming a Web server

Browser developer Opera today introduced a new feature of its upcoming browser generation 10 under the code name Opera Unite. Basically, Opera added a web server to the browser and offers a dynamic DNS service along with it. So everyone can provide content on the Internet from their own computer, and thanks to the dynamic DNS service with a fixed domain like http://<mycomputer1>.<myusername>.operaunite.com/.

This does sound great and many people would like such a feature. Anyhow, I got scared when reading the news about this feature. Imagine other browser developers like Mozilla, Apple or Microsoft added such a feature, too! Everybody would be able to share documents publicly. And executable programs. But who makes sure that those aren't infected or Trojans themselves?

Plenty of malware uses, for example, the shared folders of file sharing programs to spread itself; there is no reason not to use a web server which is accessible to everyone with a web browser, and not just to users of a file sharing program. The spreading mechanism can be very simple: users could get a mail or instant message with a (proper) link to the malware. Or such a link is placed on another web site.

One indicator for antimalware programs can be a suspicious IP-only address where the executable file is located. Now it can be served under a fully qualified domain name, disabling this indicator (as http://a.b.operaunite.com/malware.exe looks less suspicious than http://143.145.23.45/malware.exe, even to the human eye). Before such a browser/server combination existed, something like a so-called fast-flux DNS was necessary to give the infected computers a domain name. Additionally, a malware author doesn't need to code his own web server anymore; he can just reconfigure the browser!
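As an added example (not code from the original posts), the indicator argument above and the Opera Unite naming scheme from the Part II post put into a small URL classifier: an IP-literal host is still flagged, and a host under a dynamic-DNS suffix where end users register names is treated as the same risk class, so the indicator is not simply lost. The suffix list, the scoring weights and the sample URLs are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumption: suffixes under which arbitrary end users can register host names.
DYNAMIC_DNS_SUFFIXES = ("operaunite.com",)
EXECUTABLE_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat")

def classify_host(url):
    """Return 'ip-literal', 'dynamic-dns' or 'hostname' for the URL's host."""
    host = (urlsplit(url).hostname or "").lower()
    try:
        ipaddress.ip_address(host)
        return "ip-literal"
    except ValueError:
        pass  # not an IP literal, fall through to the name checks
    for suffix in DYNAMIC_DNS_SUFFIXES:
        if host == suffix or host.endswith("." + suffix):
            return "dynamic-dns"
    return "hostname"

def unite_owner(url):
    """Split <service>.<user>.operaunite.com into (service, user), else None."""
    labels = (urlsplit(url).hostname or "").lower().split(".")
    if len(labels) == 4 and labels[2:] == ["operaunite", "com"]:
        return labels[0], labels[1]
    return None

def risk_score(url):
    """Heuristic: an executable served from an IP literal or from a personal
    dynamic-DNS host scores the same; a plain hostname adds no risk."""
    parts = urlsplit(url)
    score = 0
    if parts.path.lower().endswith(EXECUTABLE_EXTENSIONS):
        score += 2
    if classify_host(url) in ("ip-literal", "dynamic-dns"):
        score += 2
    return score

# Constructed samples, based on the URLs quoted in the post.
SAMPLES = [
    "http://143.145.23.45/malware.exe",
    "http://a.b.operaunite.com/malware.exe",
    "http://sharename.myuser.operaunite.com/file_sharing/",
    "http://www.example.com/index.html",
]

if __name__ == "__main__":
    for u in SAMPLES:
        print(f"{risk_score(u)}  {classify_host(u):12}  {unite_owner(u)}  {u}")
```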

The idea of adding a web server to the browser sounds nice. But it has to be done correctly. Otherwise we might be facing a new dimension of drive-by downloads (or uploads) and hacked “servers” in the near future.

Dirk Knop
Technical Editor

Microsoft and Adobe ship Updates

As announced, Microsoft released 10 security bulletins with the corresponding updates today. They fix 31 security vulnerabilities in the Windows operating systems, in Internet Explorer and in Office. Make sure to install them ASAP!

Adobe also had its first patch day and fixed 13 critical errors (and some undocumented flaws) in Reader and Acrobat. They recommend updating to Adobe Reader 9.1.2, 8.1.6 or 7.1.3, depending on which branch of Reader you need to use. Links for downloading the updates are provided in the security bulletin. These updated versions should be installed as soon as possible, too!

Dirk Knop
Technical Editor

Microsoft warns of critical DirectX flaw

Microsoft issued a warning about a security vulnerability in DirectX which is reportedly being actively exploited. The affected component quartz.dll is removed in Windows Vista and 2008 Server (and also in Windows 7), so Windows 2000, XP and 2003 Server are vulnerable. With those operating systems, a user just needs to open a manipulated QuickTime file to infect her computer, independent of the browser or software used.

From Microsofts Security Response Center: “The vulnerability is in the QuickTime parser in Microsoft DirectShow. An attacker would try and exploit the vulnerability by crafting a specially formed video file and then posting it on a website or sending it as an attachment in e-mail. While this isn’t a browser vulnerability, because the vulnerability is in DirectShow, a browser-based vector is potentially accessible through any browser using media plug-ins that use DirectShow. Also, we’ve verified that it is possible to direct calls to DirectShow specifically, even if Apple’s QuickTime (which is not vulnerable) is installed.”

The company offers a solution in a knowledge base article. Users can apply a fix by clicking on the “fix it” link in that article with Internet Explorer, though at the moment the fix is obviously undergoing maintenance. Microsoft writes that it wants to ship a patch as soon as it is production stable. It is unclear whether this means that they want to ship an update out-of-band or whether it will be ready for the June Black Tuesday.

Dirk Knop
Technical Editor

Malware and Phishing statistics for Germany

According to http://www.internetworldstats.com/eu/de.htm, 61.1% of Germany's population had Internet access in 2007. Of these users, 56% are online every day or almost every day. With such widespread Internet usage, it is no surprise that there is quite a lot of activity in Germany's Internet scene.

Our statistics show that 14.43% of the phishing URLs and 15.04% of the malware URLs (for which we have geo-IP information) are hosted on servers located in Germany. The number of malicious URLs which are advertised in Germany (not necessarily hosted there) can't be computed, since no one is able to count all the emails containing the URLs.

Fig. 1: The countries where phishing URLs are hosted

What do we do to stop them?
The most common way of spreading the URLs is email. Avira is actively fighting these threats in two different ways:

Avira’s security products

  • detect the phishing emails and mark them as such.
  • block the access to the URLs which point to phishing and malware websites.

Fig. 2: The registrars which receive notifications to remove dangerous files

Our Labs collaborate with institutions and organizations which send warning information to the registrars and ISPs hosting the dangerous files.

We actively monitor the most phished institutions and issue alerts to the readers of this blog (Figure 3). Of course, not all the names on the list are relevant for German users, but once Avira has reached users all over the world, this information will be very useful.

Fig. 3: Most phished institutions

Sorin Mustaca
Manager International Software Development

Microsoft to fix PowerPoint vulnerability

Microsoft released the advance notification for the upcoming patch Tuesday next week. So far only one security bulletin is planned, which is supposed to fix the critical vulnerability within PowerPoint that has been actively exploited for about a month now.

Once the patches become available, administrators are well advised to install them as soon as possible!

Dirk Knop
Technical Editor

Mozilla updates

The Mozilla Foundation has closed several security holes in its products which allow attackers to inject malicious code, for example via manipulated web pages. Affected are Firefox, Thunderbird and the SeaMonkey browser suite.

An overview of the vulnerabilities is available at the Mozilla website. As the Mozilla-based web browsers are highly popular, cybercriminals develop malware for them as well. So update your Firefox to the current version 3.0.9, Thunderbird to 2.0.0.22 and SeaMonkey to 1.1.17 or newer as soon as possible!

Dirk Knop
Technical Editor