It has come to our attention that once again Phishing and malware injection has reached an alarming rate.

Sample:
Sorry, we were not able to deliver postal package you sent on October the 19th in time because the recipient address is not correct.
Please print out the invoice copy attached and collect the package at our office.
If you do not receive package in ten days you will have to pay 6$ per day.

Your UPS

It is clear to most of us, that UPS would never send you an email with a zip file in it. But then not everyone is experienced and this is the problem. If you have not sent anything via UPS delete stuff like this if you have then go to UPS tracking do not open zip files which have an .exe in them then be silly enough to click them. The best rule is if you do not come from a valid source just delete it.

Obama sex video? Hardly. It's spyware spreading via e-mail

Don't believe everything you read on the Internet: Democratic presidential candidate Barack Obama isn't a terrorist...or a porn star.

A malicious spam e-mail is spreading that claims to have a link to a sex video of Obama but is instead spyware that steals sensitive data from the computer, security firm Sophos warned on Wednesday.

The subject line says "Obama sex video!!!" and the e-mail appears to come from "infonews@obama.com, Graham Cluley, senior technology consultant at Sophos, says on his blog.

Clicking on the link downloads an executable file that plays an amateur porn video, but Obama is not in it.

Meanwhile, behind the scenes a Trojan horse known as Mal/Hupig-D is installed. The Trojan targets Windows machines and steals passwords and bank account data, Cluley said.

Is it the work of the Republicans? Probably not; it has the trademark bad grammar and excessive punctuation of traditional phishing attempts, many of which originate outside English-speaking countries.

The Internet remains vulnerable to exploits of a critical security flaw in the Domain Name System, a Russian programmer demonstrated last week. Writing on his blog on Friday, Evgeniy Polyakov posted that he had succeeded in getting patched DNS software to return an incorrect location in less than 10 hours.

Researchers who spearheaded an international push to get internet service providers and other large organizations to patch the flaw said they weren't terribly concerned about the exploit code. That's because Polyakov's attack took 10 hours to carry out using two machines connected directly to the targeted DNS server via a gigabit ethernet link.

"That's a little different then spending 10 seconds over the internet," to carry out an attack, said Dan Kaminsky, the researcher who first warned of the DNS cache poisoning vulnerability.

The original attack works by flooding a DNS server with thousands of requests for domains with slightly different variations, 1.google.com, 2.google.com, 3.google.com and so forth. That allows attackers to gain a secret transaction number needed to trick other computers into updating their records with IP addresses that lead to rogue websites.

So a word to the big players of world: You dodged a bullet in surviving the Kaminsky bug without issue, but next time you may not be as lucky.
Creating a real fix won't be easy, but it's essential.

Expectations ran running high before Wednesday morning as Kaminsky, director of penetration testing for IOActive, had revealed little about his DNS vulnerability up till then. That didn't stop others from trying to figure it out. But that actually helped Kaminsky in the end; it meant during his speech, he was able to skip the what and go directly to the why.

Security researchers always thought it was hard to poison DNS records, but Kaminsky said to think of the process as a race, with a good guy and bad guy each trying to get a secret number transaction ID. "You can get there first," he said, "but you can't cross finish line unless you have the secret number."

The question is why would someone bother? Well, Kaminsky talked about how deeply embedded DNS is in our lives. Kaminsky said there are three ages in computer hacking. The first was attacking servers (for example FTP and Telnet). The second was attacking the browsers (for example Javascript and ActiveX). We're now about to enter the third age, where attacking Everything Else is possible.

We know that if we type a name.com into a browser, the DNS resolves it to its numerical address. But what we don't realize is that same process occurs when we send e-mail or when we log onto a Web site. These also require DNS lookup.

Kaminsky then detailed how various security methods on the Web can be defeated if one owns the DNS. For example, if a site wants to establish a Trust Authority Certificate with the Certificate Authorities, they use e-mail to confirm the identity of the requester. He also said that it's possible to poison Google Analytics and even Google AdSense, which also rely on DNS lookup.

Prior to the patch, the bad guy had a 1 in 65,000 chance of getting it because the transaction ID is based, in part, on the port number used. With the patch, the chances decrease to 1 in 2,147,483,648. Kaminsky said it's not perfect, but it's a good enough start

The DNS vulnerability in the Internet's design is allowing criminals to silently redirect traffic to Web sites under their control. The problem is being fixed, but its extent remains unknown and many people are still at risk.

The bug's existence was revealed nearly a month ago. Since then, criminals have pulled off at least one successful attack, directing some AT&T Inc. Internet customers in Texas to a fake Google site. The phony page was accompanied by three programs that automatically clicked on ads, with the profits for those clicks flowing back to the hackers.

There are likely worse scams happening that haven't been discovered or publicly disclosed by Internet service providers. "You can bet that the (Internet providers) are going to stay tightlipped about any attacks on their networks," said HD Moore, a security researcher.

The AT&T attack probably would have stayed quiet had it not affected the Internet service of Austin, Texas-based BreakingPoint Systems Inc., which makes machines for testing networking equipment and has Moore as its labs director. He disclosed the incident in hopes it would help uncover more breaches.

The underlying flaw is in the Domain Name System (DNS), a network of millions of servers that translate words typed into Web browsers into numerical codes that computers can understand.

What this means is that a computer user in say, San Francisco, might type http://www.yahoo.com and head straight to the real Yahoo site, while at the same moment, a user in New York — whose traffic is routed through different DNS servers — might type that same Web address and end up on a phony duplicate site.

Looking for secure dns services? SOADNS.com

I will not start this article beating on the Washingtonpost.com. One should seriously question the headline of the article! I guess if it hits the United Nations it is news! The world has problems; #1 is certainly determining blame, followed by a posse mentality.

Giorgio Maone at hackademix was the one consistent calm in the storm of comments. When you look for answers to the Universe this is always good reading material. It is only a joke people so lets not get too serious. This article does point out the problem and suggest some solutions.

I do seriously wonder why the WashingtonPost.com article included the wrong assertion by PandaLabs that the problem is actually Microsoft's, with IIS being the cause. Perhaps just a case of fair and balanced reporting? But then going on for several more paragraphs, with non relevant links over an advisory which is not even the point, is beyond me!

The article's comments did bring the usual Linux desktop dorks out of the woodwork. It always amazes how MAC and Linux people have this idea that they are 10 foot tall and bullet proof. I do have several Linux machines but really this attack has nothing to do with the OS or the web server. A SQL injection is all about poorly formed code. I see you there looking for the person to blame! Stop It!

"Developers at fault? SQL Injection attacks lead to wide-spread compromise of IIS servers" is the headline at ZDNet! It is a great article and should be read by anyone who has any questions about this type of attack also this article. But really lets not go through life with this posse mentality. Lets try to focus more on the thugs who cause this type of thing. I don't mean getting bottom feeding law makers involved. Sharing information and taking action is the only real cure.

A tip to developers: Don't write code and walk away. If you have a contract like this, it must come with warnings to the client. If you maintain a site it is your duty to remain vigilant and update code. If you are not charging for this; you should revise your contracts to assure you have covered all the bases. If you are charging, then do your job!

Microsoft is a company that usually keeps plenty busy advising users of security issues with its products. Redmond is now advising users about a blended security threat that involves users running Apple's Safari Web browser on Windows.

The threat could potentially allow Safari to download a malicious file that Windows would then execute. Microsoft has a work-around it suggests, though no patch is available from Apple (NASDAQ: AAPL) for the issue.

"Security Advisory (953818) does not refer to vulnerability in either Safari or Windows," Tim Rains, security response communications lead for Microsoft said in a statement sent to InternetNews.com.

The Safari issue had been publicly disclosed by security researcher Nitesh Dhanajani on May 15. Dhanajani described the issue as a 'Safari Carpet Bomb' in his discussion of the security risk.

Mozilla warned Wednesday that a malicious program inserted adware code into a Firefox plugin that has been downloaded thousands of times over the past three months.

Because of a virus infection, the Vietnamese language pack for Firefox 2 was polluted with adware, Mozilla security chief Window Snyder said in a blog posting. "Everyone who downloaded the most recent Vietnamese language pack since February 18, 2008 got an infected copy," she wrote. "Mozilla does virus scans at upload time but the virus scanner did not catch this issue until several months after the upload."

Mozilla is now going to add additional scans of its software to prevent this kind of thing from happening in the future.

The malware in the language pack is from the Xorer Trojan, according to discussion on Mozilla's Bugzilla developer Web site, which indicates that Mozilla developers first discovered the issue on Tuesday.

Mozilla missed the code during its initial scan because antivirus vendors had not yet added detection for Xorer into their products. Antivirus vendor Panda Security first detected Xorer on Feb. 28, 10 days after the infected plugin was published. Firefox developers have now scanned all of their plugins.

The open-source browser maker does not know how many people were infected with the adware, but the plugin was downloaded more than 1,200 times in the past week and has been downloaded 16,667 times since November.

Security researchers have developed a new type of malicious rootkit software that hides itself in an obscure part of a computer's microprocessor, hidden from current antivirus products.

Called a System Management Mode (SMM) rootkit, the software runs in a protected part of a computer's memory that can be locked and rendered invisible to the operating system, but which can give attackers a picture of what's happening in a computer's memory.

The proof-of-concept software will be demonstrated publicly for the first time at the Black Hat security conference in Las Vegas this August. The rootkits used by cyber crooks today are sneaky programs designed to cover up their tracks while they run in order to avoid detection. Rootkits hit the mainstream in late 2005 when Sony BMG Music used rootkit techniques to hide its copy protection software. The music company was ultimately forced to recall millions of CDs amid the ensuing scandal.

In recent years, however, researchers have been looking at ways to run rootkits outside of the operating system, where they are much harder to detect. For example, two years ago researcher Joanna Rutkowska introduced a rootkit called Blue Pill, which used AMD's chip-level virtualization technology to hide itself. She said the technology could eventually be used to create "100 percent undetectable malware." Full Article

A blossoming Web attack, first reported by security researcher Dancho Danchev earlier this month, has expanded to hit more than a million Web pages, including many well-known sites.

The number and importance of the sites has increased," wrote Danchev in a where he reported that trusted Web sites such as USAToday.com, Target.com, and Walmart.com have been hit with the attack.

The criminals behind this have not actually hacked into servers, but they are taking advantage of Web programming errors to inject malicious code into search results pages created by the Web sites' internal search engines.

Malicious parties are actively poisoning these sites' search query caching feature to position the keywords among the top ten search results, thereby infecting anyone coming across them," said Danchev, in an instant-message interview.

He believes that more than 1 million Web pages have been infected using this technique.

"The more keywords they submit with [malicious] script, the more pages with popular keywords the high page ranked sites would cache," he said. This increases the chance that someone will see the search results hosted on the reputable site and click on the malicious page.

The Web sites that have been hit with this attack could fix the problem by doing a better job of checking the search queries on their internal search engines to make sure that there is no malicious code in them, Danchev said.

Hackers are increasingly looking for ways to install their code on trusted Web sites. In recent weeks, security vendors have found hundreds of thousands of Web pages affected by this and other similar attacks.

Websense Security Labs has discovered that Google’s popular web mail service Gmail is being targeted in recent spammer tactics. Spammers in these attacks managed to created bots that are capable of signing up and creating random Gmail accounts for spamming purposes.

Websense believes that from the spammers’ perspective, there are four main advantages to this approach. First, signing up for an account with Google allows access to its wide portfolio of services. Second, Google’s domains are unlikely to be blacklisted. Third, they are free to sign up. And fourth, it may be hard to keep track of them as millions of users worldwide are using various Google services on a regular basis. Learn More

Criminals have been able to hack into computer systems via the Internet and cut power to several cities, a U.S. CIA analyst said. Speaking at a conference of security professionals on Wednesday Jan 16 2008, CIA analyst Tom Donahue disclosed the recently declassified attacks while offering few specifics on what actually went wrong.

Criminals have launched online attacks that disrupted power equipment in several regions outside of the U.S., he said, without identifying the countries affected. The goal of the attacks was extortion, he said.

"We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands," he said in a statement posted to the Web on Friday by the conference's organizers, the SANS Institute. "In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."

One conference attendee said the disclosure came as news to many of the government and industry security professionals in attendance. "It appeared that there were a lot of people who didn't know this already," said the attendee, who asked not to be identified because he is not authorized to speak with the press.

He confirmed SANS' report of the talk. "There were apparently a couple of incidents where extortionists cut off power to several cities using some sort of attack on the power grid, and it does not appear to be a physical attack," he said.

Hacking the power grid made front-page headlines in September when CNN aired a video showing an Idaho National Laboratory demonstration of a software attack on the computer system used to control a power generator. In the demonstration, the smoking generator was rendered inoperable. The U.S. is taking steps to lock down the computers that manage its power systems, however.

On Thursday, the Federal Energy Regulatory Commission (FERC) approved new mandatory standards designed to improve cybersecurity.

Microsoft said Monday that a flaw in the way its Windows operating system looks up other computers on the Internet has resurfaced and could expose some customers to online attacks. Security Advisory

The flaw primarily affects corporate users outside of the U.S. It could theoretically be exploited by attackers to silently redirect a victim to a malicious Web site.

Microsoft originally patched this flaw in 1999, but it was rediscovered recently in later versions of Windows and was then publicized at a recent hacker conference in New Zealand. "This is a variation of that previously reported vulnerability that manifests when certain client side settings are made," said Mike Reavey, a group manager at Microsoft's Security Response Center.

The bug has to do with the way Windows systems look for DNS (Directory Name Service) information under certain configurations.

Any version of Windows could theoretically be affected by the flaw, but Microsoft issued an advisory Monday explaining which Windows configurations are at risk and offering some possible workarounds for customers. The company said it is working to release a security patch for the problem.

• Customers who do not have a primary DNS suffix configured on their system are not affected by this vulnerability. In most cases, home users that are not members of a domain have no primary DNS suffix configured. Connection-specific DNS suffixes may be provided by some Internet Service Providers (ISPs), and these configurations are not affected by this vulnerability.
 
• Customers whose DNS domain name is registered as a second-level domain (SLD) below a top-level domain (TLD) are not affected by this vulnerability. Customers whose DNS suffixes reflect this registration would not be affected by this vulnerability. An example of a customer who is not affected is contoso.com or fabrikam.gov, where “contoso” and “fabrikam” are customer registered SLDs under their respective “.com” and “.gov” TLDs.
 
• Customers who have specified a proxy server via DHCP server settings or DNS are not affected by this vulnerability.
 
• Customers who have a trusted WPAD server in their organization are not affected by this vulnerability. (See the Workaround section for specific steps in creating a WPAD.DAT file on a WPAD server.)
 
• Customers who have manually specified a proxy server in Internet Explorer are not at risk from this vulnerability when using Internet Explorer.
 
• Customers who have disabled 'Automatically Detect Settings' in Internet Explorer are not at risk from this vulnerability when using Internet Explorer.
 

Microsoft released six updates on Tuesday for at least nine security flaws, fixing critical issues in Word, Internet Explorer and the e-mail programs that the company ships with its Windows operating systems.

The most widespread vulnerability appears to be in the way Internet Explorer handles a script error, allowing an attacker to access freed memory. The flaw has been rated critical on for both IE 6 and IE 7 running on Windows XP and Vista. Because Internet Explorer runs in an enhanced security configuration on Windows Server 2003, that platform is not impacted as severely. The three other vulnerabilities fixed by the Cumulative Security Update for Internet Explorer had a maximum severity of Moderate.

Another vulnerability in the way Microsoft's e-mail programs handled news groups via NNTP (Network News Transfer Protocol) was rated Critical for Outlook Express and Important for Windows Vista's Mail application. The software giant rated a vulnerability in Microsoft Word only Critical for Office 2000 and Important for later versions of the productivity suite. A security hole in the Kodak Image Viewer also received a Critical rating by Microsoft.

Windows users should patch their systems as soon as possible. Online attacks have increasingly used flaws in Internet Explorer to redirect unwary visitors, using IFrames, from legitimate sites to malicious sites that compromise the victims computers. The MPack infection tool kit is one of the programs commonly used to automate the process. Espionage attacks emanating from servers in China, among other nations, have regularly used Office flaws to infect the victim's computer.

A vulnerability in Ask.com's toolbar for Internet Explorer could allow an attacker to take control of a person's computer, according to security advisories.

The problem concerns a buffer overflow flaw in the toolbar and involves an ActiveX control, according to an advisory posted by security vendor Secunia APS, which rated the problem as "highly critical," its second most severe rating. It affects version 4.0.2 of the toolbar and possibly others.

Proof-of-concept exploit code for the vulnerability has been publicly posted on other disclosure forums, with a person named "Joey Mengele" credited with finding the flaw. Ask.com officials contacted in London were not immediately available to comment.

The Ask.com toolbar sits below the address bar and can perform a variety of category-specific searches, such as weather information, stock quotes or search a person's desktop, as well as Web searching.

As of Tuesday afternoon local time, WabiSabi Labi Ltd., a Swiss company that specializes in selling vulnerability information, was still auctioning the Ask.com toolbar problem for a minimum of $705, although no bids were listed.

WabiSabi Labi's auctioning of security vulnerabilities has caused a stir among security analysts who believe software companies should be discreetly notified of vulnerabilities and allowed to patch the software so as to not put users in danger. The company maintains security researchers should be rewarded for their work.

The MPack toolkit has received a fair amount of media attention causing it to become one of the most desired Web browser exploit toolkits in the underground hacker scene. The original author was selling the MPack toolkit for $1000 USD, including a year of free support, and additional exploit modules for around $100 USD. Personally like the quote from the author when asked; Do you feel sorry for the people whose machines are infected by an attack? Well, I feel that we are just a factory producing ammunition. Now there is some logic for you!

However, considering the toolkit is written in a script language, it is easy to redistribute and modify. The toolkit is being sold by others now for as low as $150 USD. That is a whopping 85% off. Talk about clearance sale. The sellers likely didn't even need to buy it themselves, but rather probably found some of the multiple Web sites that did not employ standard Web site protections, allowing them to download the whole kit for free.

How it works is clearly outlined and Trend Micro does at least offer a method of discovery. What is odd with all the press about this organized criminal approach to fraud and thieft is governments, security firms, and anti virus companies of the world are doing very little. Now that the cat is out of the bag the variants will be haunting the world making the internet totally infested with poor ignorant users. As the list of variants grows each with its own twist on the base. What is at the core besides ignorance, is the social engineering part of this type of threat.

More details and articles on the topic. EWeek, Microsoft,BBC, Wikipedia

There are many marketing companies that promote web traffic to different Web pages, software installations, etc. They use what they call  'affiliate programs', paying money for every software installed or traffic generated. This web traffic is very assorted: activex, rogue-antispywares, bundles, banners, fakecodecs, iframes, etc.

Although some of these marketing enterprises can be well-intentioned, other have been specifically created by & for cybercriminals to earn money. Here we can see a gif file that was being used by one of these companies in order to advertise itself in an underground malware forum:

A short time ago, analyzing  a Trj/Sinowal variant (a banking Trojan) to discover where it was sending the information to, it was found one of these websites. It was discovered that this site had 4 different kits to install malware through exploits in the same server the page was hosted in:

There was an IcePack, a Traffic Pro, a Prime Exploit System, and a very basic kit that only used two exploits and had no name. These kits were downloading two Trojans: Trj/Galapoper and Trj/Sinowal. This is not the first time we see something similar. The web sites where they promote themselves use to be very eye-catching, here you can see some examples:

http://fantasticdollars.com/
http://iframe911.com/
http://www.iframebiz.com/
http://loads.cc/

What seems to be the solid theme throughout this whole deal is that most of the Trojan Variants are based on a kit called Mpack.

Secure Computing back in June first reported, attackers are using a fake video link on the site to initiate infection with the Trojan, which bombards victims with porn adware, before installing data-stealing code.

To make matters worse, the only defence against such attacks on the popular video-hosting website is the diligence of YouTube's security personnel, who can remove attacks as soon as they find them. However, according to Secure Computing's Paul Henry, this gives the malware distributors a window of opportunity of at least a few hours.

It is a backdoor designed to give the attacker remote control over a compromised computer. It changes essential system settings and modifies certain files. Zlob starts automatically on every Windows startup and stays hidden in background. It waits for remote connections and allows the attacker to download and install additional software, execute certain commands and manage the entire system. Zlob can be very dangerous. Use antivirus and spyware removal tools in order to get rid of this parasite. Some of Zlobs versions pretend to be video codecs to attract people.

Kill processes:
msmsgs.exe pmsngr.exe kdqrn.exe 02.exe kdvhv.exe kdoaf.exe kdkwb.exe kdkat.exe kdlfk.exe kdefp.exe

Delete registry values:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\RegSvr32=%System%\msmsgs.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell=explorer.exe,msmsgs.exe
HKCU\Software\Internet Security\
HKCU\Software\HQvideo

Delete files:
msmsgs.exe isaddon.dll isamini.exe pmsngr.exe Programs\\Media-Codec\\ecodec.exe kdqrn.exe Temp\\02.exe kdvhv.exe Temp\\nsq3.tmp\\modern-header.bmp Temp\\nsq3.tmp\\nsExec.dll kdoaf.exe kdkwb.exe System\\kdkat.exe System\\kdlfk.exe System\\kdefp.exe

The partner event registration page of the Microsoft UK events website, has been defaced by a hacker who managed to discover and exploit a web application vulnerability in one of the parameters used by the form on the website, which could previously be accessed at:

http://www.microsoft.co.uk/events/net/eventdetail.aspx?eventid=8399 [taken offline]

The hacker, known by the name "rEmOtEr", managed to deface Microsoft’s page by taking advantage of an SQL Injection vulnerability in one of the parameters used by the form that was embedded in the URL of the page. This particular parameter was not being filtered, thus it allowed the hacker to pass any type of crafted code directly to the database being used by this form.

Full Article

US federal agents are reaching out to computer hackers for help fighting crime and terrorism as a tug-of-war between privacy and public safety continues on the Web.

The National Security Agency (NSA), the department of defence and the FBI were among the spy, military and police agencies represented at DefCon, an international gathering of hackers in Las Vegas.

Lawyers from the foundation are spearheading litigation accusing the NSA of illegally snooping on e-mail and telephone communications. NSA vulnerability analysis chief Tony Sager gave a talk at DefCon, saying the agency was increasingly sharing information with the public in the hope computer wizards wherever they may be become allies in cyber security.

Hacker Roger Dingledine is working on an "anonymity network" called Tor that bounces Internet traffic off "about a thousand" computer servers to thwart tracking who is doing what online.

"The NSA spent decades trying to do things themselves and that didn't work. I'm happy they realise other people can help," he said.

Apple has issued three batches of software updates and fixes for its popular iPhone, Mac OS X operating system and the Safari 3.03 browser beta.

The iPhone fixes address a pair of Safari-related vulnerabilities that came up almost immediately after the phone's release, plus three more that were not disclosed.

A security firm called Independent Security Experts (ISE) first uncovered iPhone vulnerabilities last month and informed Apple of its findings. ISE planned to demonstrate what it found at the Black Hat security conference this week in Las Vegas.

Two of the fixes address cross-site scripting problems, one by preventing JavaScript in remote Web pages from modifying pages outside of their domain, the other by fixing an HTTP injection issue in XMLHttpRequest. Apple credited Richard Moore of Westpoint Ltd. for reporting the issue.

Apple credited the ISE crew for pointing out a heap buffer overflow problem in the Perl Compatible Regular Expressions (PCRE) library, while Apple thanked Tomohito Yoshino, of Business Architects, for reporting an error in the International Domain Name (IDN) that allows for fake URL addresses in fonts that contain look-alike characters.

Once again security researcher Joanna Rutkowska took the stage at Black Hat, and once again she set out to prove in glorious detail how to exploit and attack Microsoft Windows Vista.

This year she brought a new pill and a few more tricks to take Vista to task. "I'm going to talk about Vista kernel protection and why it doesn't work," Rutkowska boldly declared to the overflow crowd.

She then read a quote from Microsoft's Vista documentation that stated that even users with admin privileges cannot load unsigned kernel-mode code on the system. Then she smiled mischievously.

"There are thousands, maybe tens of thousands of third-party drivers that are poorly written and could be a problem," Rutkowska said.

She then displayed two examples, both from video drivers companies, to prove her point. In her view both the ATI Catalyst driver and the NVIDIA nTune Driver are bad in that they could be used as an attack vector to circumvent Vista kernel protection.

With the NVIDIA driver, Rutkowska alleged that the driver was able to read and write registers without any additional checks.

"The whole problem in NVIDIA is that the driver doesn't do the proper checks and can do a write for an arbitrary registry."

To add further insult to injury, the target machine doesn't even need to have the bad driver on the system in order for the attacker to use it as an attack vector.

"The attacker could just include it as part of their own rootkit and then use it to exploit Vista," Rutkowska said. "It doesn't matter whether it's a popular driver or not. We can bring it to the target system and exploit it." Full Article

As reported by John Schwartz in today's New York Times (registration required), security firm Independent Security Evaluators has demonstrated an attack that lets a hostile Web page take full control of an iPhone and capture a user's personal data. Although there is no indication that the vulnerability is being exploited in the wild, computer scientist Steven M. Bellovin of Columbia University is quoted as saying "it looks like a very genuine hack." (You can watch a video demonstration of the attack here.)

Bellovin points out that this sort of attack is inevitable as operating systems on phones get more and more computer-like. The iPhone runs a version of Mac's OS X operating system, though Apple has been extremely stingy with details on just which pieces of OS X are included. It's not clear whether the iPhone attack, which exploits a vulnerability in the Safari browser, might also work against Macs.

To date, attacks against phones have been relatively rare and not very damaging. The Symbian operating system, which is little used in the U.S. but is popular on European and Asian handsets from Nokia and Sony Ericsson, has probably been hit the hardest. I have not heard of any successful attacks on Research in Motion's BlackBerrys. And hackers have only struck a couple of glancing blows on Microsoft's Windows Mobile software, though the threat is taken seriously enough that you can now get protective software for your smartphone from Symantec and others.

Apple likely will move to plug the hole with a patch that can be downloaded to iPhones. But this incident is a clear sign that the cat and mouse game between security experts and hackers that has long been a part of life in the world of personal computers is going to become commonplace in phones too.

Finjan, a developer of Web security products, has found what has to be the nastiest of malware yet because it inserts itself into a legitimate online banking transaction that's supposed to be protected by SSL encryption.

The company is calling this new form of thievery "crimeware," as if we needed another term to keep straight, but it's nasty stuff. In just the month of July, Finjan identified 58 criminals using the MPack toolkit to infect over 500,000 unique users.

MPack may be the most dangerous malware development kit seen yet. It is a PHP-based kit produced by Russian hackers for building mostly keylogging software. It's actually sold and supported by the Russians, complete with a service contract for new versions, and is upgraded every two to four weeks. It's not the first time a service contract has been offered for software that supports the spread of malware.
Full Article Here

Think you're smart at recognizing online scams? Take a quiz to find out. Visit http://tinyurl.com/ytec4u

McAfee Inc.'s SiteAdvisor service has created a 10-question test to see whether you can spot "phishing" attempts to steal passwords and other personal information by mimicking popular Web sites such as eBay Inc.'s PayPal and News Corp.'s MySpace.

Make sure you only mouse over your Hallmark E-Card it might not be real they would never use an IP address associated to postacard.exe

A new, stealthier version of a previously known Russian Trojan horse program called Gozi has been circulating on the Internet since April 17 and has already stolen personal data from more than 2,000 home users worldwide.

The compromised information includes bank and credit card account numbers (including card verification value codes), Social Security numbers and online payment account numbers as well as usernames and passwords. As with its predecessor, the new version of Gozi is programmed to steal information from encrypted Secure Sockets Layer (SSL) streams and send the stolen information to a server in Russia.

The variant was discovered by Don Jackson, a security researcher at Atlanta-based SecureWorks Inc. who also discovered the original Gozi Trojan horse back in January. One of improvements is its use of a new and hitherto unseen "packer" utility that encrypts, mangles, compresses and even deletes portions of the Trojan horse code to evade detection by standard, signature-based antivirus tools. The original Gozi, in contrast, used a fairly commonly known packing utility called Upack, which made it slightly easier to detect than the latest version.

This version of Gozi also has a new keystroke-logging capability for stealing data, in addition to its ability to steal data from SSL streams. According to Jackson, the keystroke logger appears to be activated when the user of an infected computer visits a banking Web site or initiates an SSL session. It is still unclear how exactly the keystroke logger knows to turn itself on and capture information.

Apart from those two differences, the variant is identical to Gozi, Jackson said. The Trojan horse takes advantage of a previously fixed vulnerability in the iFrame tags of Microsoft Corp.'s Internet Explorer to infect systems. Users typically appear to be infected when visiting certain hosted Web sites, community forums, social networking sites and those belonging to small businesses.

The original Trojan horse stole more than 10,000 records containing confidential information belonging to about 5,200 home users, companies, government agencies and law enforcement organizations before being detected. The server to which the data was being sent to had a very professional-looking front end that allowed users to log into individual accounts, view indexed data and get results from queries based on certain fields such as URL and form parameters.

University of Missouri officials said campus computer technicians confirmed a breach of a database last week by a user or users whose Internet accounts were traced to China and Australia.

The hacker accessed personal information of 22,396 University of Missouri-Columbia students or alumni who also worked at one of the system's four campuses in St. Louis, Kansas City, Rolla or Columbia in 2004.

The hacker obtained the information through a Web page used to make queries about the status of trouble reports to the university's computer help desk, which is based in Columbia. The information had been compiled for a report, but the data had not been removed from the computer system.

In January, a hacker obtained the Social Security numbers of 1,220 university researchers, as well as personal passwords of as many as 2,500 people who used an online grant application system.

The university is contacting people affected by the latest breach and providing instructions on how to monitor their credit reports and other financial records for suspicious activity, officials said.

Symantec Corp. researchers Friday warned of an in-the-wild Trojan horse that poses as a Windows activation program to dupe users into entering credit card information in an attempt to reanimate their machines.

Dubbed Kardphisher, the Trojan is nothing much technically, reported Takashi Katsuki, a Symantec researcher. But its author has "obviously taken great pains to make it appear legitimate."

Once the Trojan's installed, it throws up an official-looking screen that claims the user's copy of Windows was activated by someone else. "To help reduce software piracy, please re-activate your copy of Windows now," the screen reads. "We will ask you for your billing details, but your credit card will NOT be charged."

Selecting "No," said Katsuki, shuts down the PC. "Yes," meanwhile, takes the user to a second screen where he or she is asked to enter her name and credit card information, which is then transmitted to the hacker's server. "This Trojan teaches us all a good lesson," added Katsuki. "Trust no one."

An external computer hard drive containing the personal, bank and payroll information of up to 100,000 former and current Transportation Security Administration (TSA) employees was reportedly stolen from a human resources office in Crystal City, VA.  The Federal Bureau of Investigation and U.S. Secret Service are now helping the TSA investigate the theft -- FBI is conducting the investigation, with the Secret Service conducting a "forensic review of equipment and facilities."

The TSA learned about the missing hard drive sometime Thursday, but the agency informed possibly affected employees Friday evening -- a delay which has upset some employees.  TSA spokesperson Ellen Howe reassured agency employees by stating the TSA was "not trying to stall."

"TSA has no evidence that an unauthorized individual is using your personal information, but we bring this incident to your attention so that you can be alert to signs of any possible misuse of your identity," said Kip Hawley, TSA Administrator.

The TSA is unaware if the hard drive has left its premises.  The hard drive contained sensitive information on employees who worked for the TSA from January 2002 until August 2005.  The agency employs almost 50,000 people and is the agency responsible for securing transportation systems in the country, including airports and railroads.

Letters were sent out to all affected employees promising one year of credit monitoring services.

A hacker managed to break into a Mac and win a $10,000 prize as part of a contest started at the CanSecWest security conference in Vancouver.

In winning the contest, he exposed a hole in Safari, Apple Inc.s browser. "Currently, every copy of OS X out there now is vulnerable to this," said Sean Comeau, one of the organizers of CanSecWest.

The conference organizers decided to offer the contest in part to draw attention to possible security shortcomings in Macs. "You see a lot of people running OS X saying it's so secure and frankly Microsoft is putting more work into security than Apple has," said Dragos Ruiu, the principal organizer of security conferences including CanSecWest.

Initially, contestants were invited to try to access one of two Macs through a wireless access point while the Macs had no programs running. No attackers managed to do so, and so conference organizers allowed participants to try to get in through the browser by sending URLs via e-mail.

Dino Di Zovie, who lives in New York, sent along a URL that exposed the hole. Since the contest was only open to attendees in Vancouver, he sent it to a friend who was at the conference and forwarded it on.

The URL opened a blank page but exposed a vulnerability in input handling in Safari, Comeau said. An attacker could use the vulnerability in a number of ways, but Di Zovie used it to open a back door that gave him access to anything on the computer, Comeau said. The vulnerability won't be published. 3Com Corp.'s TippingPoint division, which put up the cash prize, will handle disclosing it to Apple.

The prize for the contest was originally one of the Macs. But on Thursday evening, TippingPoint put up the cash award, which may have spurred a wider interest in the contest.

One reason Macs haven't been much of a target for hackers is that there are fewer to attack, said Terri Forslof, manager of security response for TippingPoint. "It's an incentive issue. The Mac is not as widely deployed of a platform as say Windows," she said. In this case, the cash may have provided motivation.

JavaScript coding errors and Web developers who are inexperienced at working with emerging programming techniques represent serious threats to the security of many Internet sites and the people who visit them, according to malware researchers.

Speaking at the ongoing ShmooCon hacker convention on March 24, Billy Hoffman, lead research engineer at Atlanta-based software maker SPI Dynamics, detailed what he views as an epidemic problem in today's online world. SPI markets penetration testing tools used by businesses to ferret out security issues from their online sites and applications.

The proposed threat is centered on the prevalence of JavaScript errors and insecure use of so-called Web services programming languages such as AJAX -- which combines asynchronous JavaScript with XML -- in many popular Web sites and applications.

In addition to opening holes in Web applications, Hoffman illustrated how JavaScript and AJAX-based tools can be used by hackers to find new vulnerabilities online, and build XSS (cross-site scripting) attacks that can move from one online domain to another, which he cited as a relatively cutting-edge malware development.

"In the last two years, we've seen JavaScript go from stealing cookies to doing key-logging, screen-scraping and all sorts of phishing attacks," Hoffman said. "JavaScript used to be something that was more annoying than anything, but now it's being used in port scanning, to create self-propagating malware and to steal browser histories."

The researcher, who said that JavaScript vulnerabilities are present in sites maintained by everyone from well-known online retailers to large financial services companies, demonstrated a proof-of-concept exploit based on a JavaScript flaw on CNN.com, and how it could be used to manipulate content on the news site's pages. The issue was reported in security forums several months ago, and sent to CNN by researchers, but it still hasn't been fixed.

Malicious-code writers are using the same techniques to create cross-site scripting threats -- malware attacks that inject code into end users' browsers via holes in legitimate sites -- to mislead consumers into handing over their passwords and giving hackers access to their personal information, according to the researcher.

PayPal and MySpace.com are among the major Web properties that have been targeted by major JavaScript-based XSS attacks in recent months. More Here

Another Trojan horse is spreading through the Internet telephone network of Skype Ltd.

The malicious code, known as both Warezov and Stration, is similar to an earlier version detected in February, but with a new URL (uniform resource locator) and a new version of the malicious code, according to an alert posted Thursday by Websense Inc.

Websense warns Skype users to watch for the message "Check up this," with a URL containing a hyperlink.

The code itself isn't self-propogating but when it runs, the URL is sent to everyone on the user's contact list.

When users click on the link, they are redirected to a site that is hosting a file named file_01.exe. Users are then prompted to run the file and if they do, several other files are downloaded and run. The downloaded files are other versions of the Waresov/Stration malicious code.

However, that server doesn't appear to be operating, according to Websense.

It's the early 21st Century, the United States is the reigning capital of computer attacks, hackers have become international crime rings, and you can buy a stolen credit card number for as little as $1 or a complete identity for $14.

This might read like near-future science fiction, but it's reality, according to a new security report released Monday by Symantec, covering the last six months of 2006.

The Internet Security Threat Report, issued twice yearly by the computer security firm, paints a grim picture. "Attackers are now refining their methods and consolidating their assets to create global networks that support coordinated criminal activity," the report stated.

While a recent report from McAfee showed that Internet domains from Romania, Russia, and the tiny island of Tokelau were among the riskiest in relative terms, the Symantec report found that the U.S. is the source of about 31 percent of all malicious computer activity, beating China (7 percent) and Germany (7 percent).

As for servers used for buying or selling stolen personal information, 51 percent were located in the U.S.

In most areas profiled in the report, the situation has gotten worse. Nearly 30 percent more computers are part of botnets than the previous six months. Trojans can take over a computer without the user knowing it, turning it into a zombie machine used for pumping out spam, launching denial-of-service attacks, or participating in other nefarious activities at the behest of the remote hackers.

On a given day in the period the report covered, there were an average of about 64,000 active bot computers, with China having the highest number.

If you thought you're seeing more and more junk mail, you're right. Spam makes up an astounding 59 percent of all email traffic, the report said, an increase of 5 percent over the first half of the year.

PayPal has been dying! This has got the attention of the media. Which gets more attention from the general public. Which gets more attention of the media. Eventually it'll get the attention of law enforcement. With Enron and MCI going down, people realize again that just because you are a big publicly traded business doesn't mean you are honest. (FAR FROM IT!)

In addition, we've been getting interview requests from additional media. It started with Forbes several months ago. But as each of them pick up the story, so will 10 more. We now have reached "critical mass." We are too big to ignore anymore. So now the media has to pay attention. Now is the time to strike back harder than ever. Not with truck bombs or pipe wielding thugs :-) but with our keyboards, telephones, and pens.

There are options here is but one.

As promised, Microsoft Corp. did not unveil any security fixes for March. But it did push out several other patches it deemed "high priority," including two for Windows Vista.

The last time Microsoft went a month without releasing security fixes was September 2005.

Among the four updates Microsoft pegged as "non-security, high-priority" today were the usual monthly revamp of the Microsoft Malicious Software Removal Tool and new signatures for the Outlook 2003 and Outlook 2007 antispam filters.

One Vista-specific update was also on the list, as was another that affected both XP and Vista.

The first, dubbed "March 2007 Windows Vista Application Compatibility Update," added compatibility "shims" -- code that makes an application think it's actually running on a pre-Vista PC -- for older Windows titles, including Trend Micro's Internet Security, Windows Server 2003 (SP1) Administration Tools Pack and RealNetworks' RealPlayer 6.0.12.

The second was another revision to the Windows Media Format 11 SDK (software developer's kit) code. In the associated support document, Microsoft said that the update corrected a problem that some portable music players had in synchronizing data with subscription services.

The rare no-patch Tuesday caught some security analysts and professionals trying to figure out how to spend their free time.

Mozilla Foundation on Monday issued a critical fix designed to address vulnerabilities in a recent security update for the Firefox browser and SeaMonkey application suite.

The security flaws were discovered in Firefox 1.5.0.9 and 2.0.0.1, as well as in SeaMonkey 1.0.7, according to a security advisory posted by Mozilla.

Security researchers say the initial fix, issued in mid-December, was designed to address vulnerabilities in Firefox, SeaMonkey and Mozilla's Thunderbird e-mail client. But that particular fix introduced a flaw that could allow JavaScript code from Web content to be exploited, then lead to the execution of arbitrary code.

Mozilla advises Firefox users to upgrade to version 1.5.0.10 and 2.0.0.2, and SeaMonkey users to update to version 1.1.1 and 1.0.8.

Disabling JavaScript will not protect users from the vulnerabilities, Mozilla warned.

Security researchers have found a way to use JavaScript to map a home or corporate network and attack connected servers or devices, such as printers or routers.

The malicious JavaScript can be embedded in a Web page and will run without warning when the page is viewed in any ordinary browser, the researchers said. It will bypass security measures such as a firewall because it runs through the user's browser, they said.

"We have discovered a technique to scan a network, fingerprint all the Web-enabled devices found and send attacks or commands to those devices," said Billy Hoffman, lead engineer at Web security specialist SPI Dynamics. "This technique can scan networks protected behind firewalls such as corporate networks."

A successful attack could have significant impact. For example, it could scan your home network, detect a router model and then send it commands to enable wireless networking and turn off all encryption, Hoffman said. Or it could map a corporate network and launch attacks against servers that will appear to come from the inside, he said.

"Your browser can be used to hack internal networks," said Jeremiah Grossman the chief technology officer at Web application security company WhiteHat Security. Both SPI Dynamics and WhiteHat Security came up with the JavaScript-based network scanner at about the same time, he said. The companies plan to talk about their findings at next week's Black Hat security event in Las Vegas.

Full Article

The Storm worm that wreaked havoc in January has opened up a new front in its war against users—instant messaging.

The Trojan virus that was responsible for countless spam e-mails sent around the globe has spawned a new variant that is using AOL Instant Messenger, Google Talk and Yahoo Messenger to proliferate. The worm attacks by detecting when someone is chatting and sending out a message with a link to the first stage of malware on a site. If the user clicks the link, the first stage will execute.

"The botnet handlers will periodically inject new commands into this peer-to-peer network, and one of the first things they do is tell the infected machines to download several executables," explained Jose Nazario, software and security engineer for Arbor Networks.

Click here to read about research showing that IM malware attacks are on the rise.

Two of the flaws could allow an attacker to execute code on an unpatched system, Apple said. Patches are now available on Apple's Web site or through the Software Update selection under the Apple menu on a Mac.

Apple noted that proof-of-concepts for the flaws were posted on the Month of Apple Bugs Web site. But it doesn't appear that attack code has surfaced using the concepts outlined by the project. Apple has fixed several flaws identified during the course of January by the project, but some remain open.

The two flaws that could lead to arbitrary code execution are found in Finder and iChat. There's a buffer overflow flaw in Finder that could allow an attacker to take control of a system by "enticing a user into mounting a malicious disk image," or tricking someone into enabling local access of a file supposedly stored on a remote server. Apple credited Kevin Finisterre, one of the participants in the Month of Apple Bugs project, for reporting the issue, something it did not do on the three other flaws patched on Thursday.

The other patch, for iChat, fixes an issue in which a user could click on a malicious URL in a chat session and trigger an overflow, possibly opening the system to an attacker.

I cannot understand this from the most arrogant group of people on the planet. The OS that claims to be the best solution known to man has flaws? What next no santa claus or the tooth fairy? Perhaps we may not have to watch the stupid commericals anymore with PC and MAC.

In an article posted Feb 13 2007, it appears that our brilliant law enforcement agents have finally figured out that criminals can hang out in unsecure WiFi Hot spots.

What I find so odd about this honestly is that it appears none of them must have ever used one. Honestly if you can attach to any network without some level of difficulty, you should as yourself why? Then disconnect and leave.

According to a report in this week's Washington Post, the 46,000 public access Wi-Fi points scattered across the U.S. offer a new vehicle for criminals to carry out their evil business. Law enforcement authorities, who so far have been focusing their investigations primarily on child pornography and other exploitation of children, say they are growing concerned that the anonymous use of unsecured wireless networks will grow.

This is what the typical Phish looks like as being sampled from the filtering servers. However the urls below are acutally being redirected to: http://manabi-tai.net/postcard.jpg.exe"in the dumps we have sampled. The links here have been removed.

A Greeting Card is waiting for you at our virtual post office! You can pick up your postcard at the following web address:

http://www.all-yours.net/u/view.php?id=a0190313376667

If you can't click on the web address above, you can also
visit E-Greetings at http://www.all-yours.net/
and enter your pickup code, which is: a0190313376667

(Your postcard will be available for 60 days.)

Oh -- and if you'd like to reply with a postcard,
you can do so by visiting this web address:
http://www.all-yours.net/
(Or you can simply click the "reply to this postcard"
button beneath your postcard!)

We hope you enjoy your postcard, and if you do,
please take a moment to send a few yourself!

Regards,
1001 E-Greetings and Postcards
http:///www.all-yours.net/

We observed large scale spam (mass mailing) of 3 different variants of the W32/Tibs downloader.  The message arrives with the subject “Happy New Year” and an attachment “Postcard.exe”. This is a Trojan/Downloader that downloads additional malware onto an infected machine. The downloaded malware harvests e-mail addresses from a victim machine and uploads it to a remote host to further spam. Detection for this was promptly added and definition files released.

This shot was taken off of just one MX Filter server in our network.

This is the weekly shot which will indicate just how many of these are being trapped for saturday.

Surely anyone can see that the url is first going to google then gets redirected to HongKong. What I find odd is I have seen at least 20 copies of this email in one day yet the provider in HongKong or Google has not taken action.

Our mail servers are already filtering against this URL. http://www.google.com/url?q=%68%74%74%70%3A%2F%2F566441026785887484-ma.%76%68%61%75%65%6F%2E%68%6B/%48S%42C/%73ec%75%72e/l%6Fg%69n/?id=25&account=61b6USrKjUva-0288.  It would seem that google could at least assure they are not being party to phishing scams like this and break the URL as well.

StopBadware.org and the Center for Democracy and Technology (CDT) have teamed up to file a formal complaint with the Federal Trade Commission (FTC) against FastMP3Search.com.ar for distributing badware to unsupecting Internet users.

FastMP3Search.com.ar is a site that offers MP3s for download -- however, it requires users to download a plugin in order to download these songs. Unfortunately, this plugin comes bundled with a ton of adware, Trojan horses, and other forms of badware -- none of which is disclosed to the user. We've written up an in-depth report on the FastMP3Search Plugin that explains all of the bad behaviors that users are subjected to when they download this application. For a summary of those behaviors, check out our blog post. Prof. John Palfrey has also posted his thoughts on the subject on his own blog.

Related links:
StopBadware and CDT's FTC complaint
StopBadware's report on the FastMP3Search Plugin

With Christmas fast approaching, Santa Claus reached out for a little help from Stopbadware.org this week.

The consumer advocacy group said it was approached by an Incline Village, Nevada, man who had legally changed his name to Santa Claus, who asked them to help figure out why his Web site was being flagged by Google's Web site filters.

It turned out that Santa's Web site had been hacked.

On Friday, the Web site was still downloading malicious software, according to Roger Thompson, chief technology officer with Exploit Prevention Labs. It exploits a bug in Internet Explorer that Microsoft  patched last August, meaning that people running older versions of the browser could be at risk, Thompson said via instant message.

"The site is hacked," he said. "If you are not patched, it uses an exploit to silently install a huge amount of adware and spyware."

The original problem was soon resolved by Stopbadware.org, but on Friday malware had again cropped up on the Web site.

It is that time again and these bogus postcards are appearing once again. By now everyone should mouse over any link they think is questionable in your email. Though if anything is questionable just don't do it. Here is a prime example where clicking the link will try to execute an application. Don't find out just don't! No postcard is worth it. The return address is member@PostCard.ORG is not the same site as postcards.org. Both these domains seem legit but then who cares. No postcard or e-card should want you to run a .exe! Seems both should be warning people about the scam.

I must post this hack which has come to our attention if for no other reason to save some other administrators some time. First I found the exists of a service called network.exe within System32 though as we all know the name is not important. Look for any unknown service running. Search your regkeys and kill the reference that starts this service.

You will know you have the problem when you cannot click on anything within Enterprise Manager like a database or Logins and go to properties. The error will appear related to xpstar.dll at this point. Well you can copy them from another SQL install or simply run SP4 SQL 2000 again. But this only fixes SQL it does not get to the root of the problem.

The cause is a .bat or .cmd which has been inserted to do the dirty work. Search your system for the offending, in this case it was known as a761.bat but again it can be named anything. So remove the registry entry that tells the bat to run when you logon. Or you have not beat anything yet.

So lets look at the .bat file.

net stop mssqlserver
net stop mssqlserver /Y
DEL C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll
DEL C:\Program Files\Microsoft SQL Server\MSSQL\Binn\odsole70.dll
DEL C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xpstar.dll
del c:\PROGRA~1\MICROS~1\MSSQL\Binn\xplog70.dll
del c:\PROGRA~1\MICROS~1\MSSQL\Binn\xpstar.dll
del c:\PROGRA~1\MICROS~1\MSSQL\Binn\odsole70.dll
net start mssqlserver

So after we are done making sure the bad code has been removed then make sure the files are in place, as I said this can be done either copying them or reinstall SP4 for SQL 2000.

I won't go into how we stop the badguy from returning. That is up to each administrator what method you want to take. I offer this only as a way to get you out of trouble and allow you the time to think about how they did it and how to prevent it.

A critical security vulnerability in an ActiveX control used by Internet Explorer could allow malicious hackers to use Adobe's Reader and Acrobat software to launch PC hijack attacks, according to a warning from Adobe Systems.

The San Jose, Calif., company released a security support advisory with pre-patch workarounds and warned that multiple unpatched flaws could cause software crashes and "potentially allow an attacker to take control of the affected system."

Affected software includes Adobe Reader 7.0.0 through 7.0.8 and Adobe Acrobat Standard and Professional 7.0.0 through 7.0.8 on the Windows platform. The bugs are only triggered when using Internet Explorer. Users of other browsers are not affected.

Adobe said it is working on a comprehensive patch that will ship "soon" and stressed than an upcoming upgrade to the widely used Adobe Reader program is vulnerable to this issue.