There is a severe security hole in Microsofts Internet Information Services (IIS) versions 5 and 6. “0-day” Exploit code is publicly available on the net. The error is within the FTP component. Thus Microsoft recommends as workaround to disable (anonymous) FTP on IIS, or to withdraw anonymous users the rights to create directories. A security advisory was already available but currently leads to a Bing search page. There you can see the advisory as “cached page” at least.

Opera released the final version 10 of their Web browser. It fixes some security issues and has some new and improved features. They are listed in the changelog.

The OpenOffice.org developers released OpenOffice.org 3.1.1 (changelog). This version fixes a security flaw in the Word document processing which can lead to system compromise. Users of OpenOffice.org should download the new version and update immediatly.

Dirk Knop
Technical Editor

Last week a virus that infects Delphi development environments and then the compiled Delphi programs was detected and got some media attention – infected programs were distributed on cover-mount CDs and DVDs on computer magazines and via Download Portals.

Our developers created a special version of our Avira Removal Tool which is capable of detecting and deleting infected programs. You can download the English version here and the German version here!

Dirk Knop
Technical Editor

As announced, Adobe released the first updates for the critical security vulnerabilities in its products already. The first update is for Adobe Flash-Player – the new version 10.0.32.18 is supposed to close the security hole in the software. You can get it via Adobes web site.

During the day, Adobe wants to release further patches for Adobe Reader and Acrobat. Also, a new version of the Shockwave-Player is already available. Please install the updated versions as soon as possible.

Let me thank all the hardworking administrators out there at this place, especially the Avira admins. They have to roll out all these updates today and already had a busy week due to Microsoft’s out-of-band updates from Tuesday. Don’t forget, it’s System Administrator Appreciation day!

Dirk Knop
Technical Editor

The Risk Level describes the current phishing- and malware threats that we receive in real time from our sources in Internet. These threats are valid and can be accessed by any user in the Internet.

The levels are computed by comparing the amount of threats (malware and phishing separately) received in the last 24 h (called 24h threat value) to the average value from the last 30 days (called average threat value). These levels are computed every 15 minutes.

This is how the graphs with the values per day for the last 30 days looks like:

Fig. 1: Statistics per day, last 30 days

The graph with the values per hour for the last 24h:

Fig. 2: Statistics per hour, last 24h

Level 1 – Normal (Green)

Risk: Low – there is much less activity than the average we have seen in the last 30 days. This condition corresponds to no discernible malicious activity for the type of threat for which the risk level is issued. The Avira products should function and should be updated using the default settings.

Level 2 – Average (Yellow-Green)

Risk: Low to Moderate - there is relatively less activity than the average we have seen in the last 30 days. This condition corresponds to some malicious activity for the type of threat for which the risk level is issued. The Avira products should function and should be updated using the default settings. This risk level is usually “the calm before the storm”, so we advise our customers to keep an eye on our website for information and updates.

Level 3 – Suspicious (Yellow)

Risk: Moderate – there is the same activity as the average we have seen in the last 30 days. This condition corresponds to clear signs of malicious activity for the type of threat for which the risk level is issued. The Avira products should function with heuristics and generic settings enabled because it might be possible that there is a new variant of a known malware. This risk level means that some unknown malware might be starting to spread, so we advise our customers to keep an eye on our website for information and updates. Please keep the logfiles of the security products under careful observation.

Level 4 – Alert (Orange)

Risk: High – there is the more activity than the average we have seen in the last 30 days. This condition corresponds to known malicious activity for the type of threat for which the risk level is issued. The Avira products must be updated more often than the default. Do not forget to update both the signatures and the engine. This risk level means that known malware are spreading, and we strongly advise to keep the logfiles of the security products under careful observation.

Level 5 – Outbreak (Red)

Risk: Very High – there is much more activity than the average we have seen in the last 30 days. This condition corresponds to known malicious activity for the type of threat for which the risk level is issued. The Avira products must be updated more often than the default. Do not forget to update the signatures, the engine and the products. This risk level means that known malware are currently active, creating a severe risk to the infrastructure and normal operations. We strongly advise to keep the logfiles of the security products under careful observation.

Sorin Mustaca
Manager International Software Development

As announced last week, Microsoft released two security bulletins out-of-band. They cope with critical vulnerabilities in all Internet Explorer Versions and with a flawed Active Template Library (ATL) for developers using Microsoft’s Visual Studio.

Due to the flaw in the ATL – which gets used to build ActiveX controls for example – it is possible to bypass the kill bit restrictions within the Internet Explorer (IE). Manipulated Websites thus can call ActiveX modules with security vulnerabilities and inject malware on affected computers. Microsoft now closes three security holes in IE and hardens it against abuse of the flaws introduced by the ATL.

The error is based on flaws within the ATL of Visual Studio. Thus components build with this development environment can be affected, too. Cisco for example released a security advisory and announces workarounds and updates for the Cisco Unity software. Expect other software developers to release updates soon, too.

Interestingly, according to Microsoft’s Security Bulletins, Windows 7 is not affected by these vulnerabilities.

Install the updates as soon as possible, and if you are a developer, rebuild your components with the new ATL. A knowledge-base article from Microsoft explains the issue for developers.

Dirk Knop
Technical Editor

There are security flaws within Adobe Reader and Acrobat and the Adobe Flash Player which are getting actively exploited on the net currently. The company has published a security advisory where it announces that they are currently investigating the problem and plan an update for the 30th of July.

Avira antivirus solutions already detect the malicious PDF files as EXP/Pidief.TH and the dropped malware by those documents as TR/Drop.Wmach and TR/Spy.WMach, respectively. Anyhow it is a good idea to take additional security measures until Adobe provides an update.

Adobe recommends to delete or rename the file authplay.dll that ships with the Reader and with Acrobat. Also, enabling Data Execution Prevention (DEP) and activating the User Access Control (UAC) in Windows Vista shall mitigate the risk according to Adobe.

Another solution would be using a different PDF reader and disabling Adobe PDF and Flash within the web browser via its add-ons-manager. The NoScript extension for Firefox also helps preventing Flash applications to run in the browser; it is possible that drive-by-downloads via malicious Flash applications embedded in web sites turn up soon.

Dirk Knop
Technical Editor

Microsoft released 6 security bulletins as announced. The actively exploited security hole in a video ActiveX component gets fixed by the updates, also flaws in DirectShow, the Embedded OpenType Font Engine, VirtualPC and -Server, ISA Server and Office 2007. A fix for the recently discovered vulnerability in Office, ISA Server 2004 and 2006 which also gets exploited on the net already is still missing though – so please apply the workarounds described in Microsofts security advisory or use the provided Fix-it-tool.

Microsoft expects exploits for all fixed vulnerabilities within the next 30 days according to the Exploitability Index of the security bulletin summary. The patches should be applied as soon as possible therefore to protect the own computer and/or network.

The Mozilla Foundation issued a warning of a security hole in the Just-in-time compiler for JavaScript of the new Firefox 3.5 web browser. As exploit code is already publicly available they recommend to turn of the compiler temporarily. From the security advisory:

1. Enter about:config in the browser’s location bar.
2. Type jit in the Filter box at the top of the config editor.
3. Double-click the line containing javascript.options.jit.content setting the value to false.

The developers are currently working on a fix. Until then it is a good idea to implement the described workaround.

Dirk Knop
Technical Editor

Microsoft has warned about yet another security hole which already gets actively exploited on the net. Affected are installations of Microsofts Office XP and 2003, the ISA Server 2004 and 2006 and Office Small Business Accounting 2006.

It is unclear whether the updates which are to be released later today will already fix the error, but it seems unlikely. Microsoft has a “Fix-it” tool ready which disables the ActiveX component within Internet Explorer to help mitigate the risk. Please use it ASAP!

Dirk Knop
Technical Editor

As we were predicting upcoming threats for 2009 in the end of last year we now checked whether our guesses were correct. Unfortunately, they were.

We predicted that the use of polymorphic file infectors will increase again. This became true: W32/Virut, W32/Sality and W32/Almanahe are celebrating a comeback. The authors spread new variants of their polymorphism-engines. It seems that even older versions of those polymorphic viruses are still widespread, but W32/Virut is releasing the most updates – several dozens in the first six months of the year. The good news is that our detection routines withstand these bypass attempts.

Spreading malware via manipulated PDF documents still is one of the top threats on the Internet. In the last months the amount of exploit PDFs showing up for the vulnerabilities in PDF readers significantly increased – in the first half of 2009 we received several thousand samples. Every week the malware authors spread around ten newly obfuscated exploits, which in turn got used for plenty of PDF files each. We’re regularly releasing updates for new modified PDF exploits when necessary. Users should update their PDF readers regularly anyhow as this mitigates most of the threats.

As attack vector for infections of computers web-borne malware is further increasing. The malware gets more and more installed via drive-by-downloads, where the attackers hack into web servers with legitimate content and add references to their malware servers. Those servers then install for example trojans and/or bots on the vulnerable computers. It seems that there are plenty of construction toolkits out there with which anyone can produce malicious JavaScript simply by the click with the mouse: Malware-features like encryption, heap-spraying and shellcode seem to be more modular and repeating in parts of the malicious web pages we analyzed.

The usage of a recent antivirus product will help protecting from these threats. The WebGuard of our premium products additionally very efficiently remedies the web-borne malware distribution.

Dirk Knop
Technical Editor

Microsoft today announced that it plans to publish 10 security bulletins on the upcoming patch Tuesday. 6 Bulletins are meant to deal with Windows Operating System flaws – 2 of them are considered critical. For Microsoft Office, Word and Excel the company wants to release 3 security bulletins with a critical rating. The updates now also close a security vulnerability in Office for Mac which was fixed in the Windows versions already last month. Another bulletin has updates attached for the Internet Explorer.

A patch for the recently discovered DirectX vulnerability which gets already actively exploited in the wild is still missing though. On Microsofts Security Response Center Blog they explain that the patch still hasn’t the quality that is needed for shipping. Fortunately, the “Fix it for me” buttons in Microsofts Knowledgebase article finally work and deliver an msi installer package. Until a patch is provided, users should apply this hotfix.

Dirk Knop
Technical Editor