Security Protection – Harry Waldron (WP)

March, 2011:

SQL Slammer – sudden decrease in activity

Below is an interesting post from the ISC reflecting an unexplained sharp decrease in attacks on port 1434/UDP by the SQL Slammer worm, which first appeared in January 2003 and was still probing the Internet eight years later.

Port 1434: Sudden Slammer Decline? http://isc.sans.edu/diary.html?storyid=10576

QUOTE: We’re interested to know what’s happening out there.  It has been observed through DShield data that Slammer traffic has had a sudden decline.  I played with the data for a while.  I could make it look like many things, such as slow and steady decline over time.  However, the most compelling story is the one where the data drops on March 9 and 10.

Below is the DShield data and graph on port 1434 for March 2011.  It’s speculative at this point as to the cause of the sudden drop.  Japan’s earthquake or Patch Tuesday have been kicked around.  I would be remiss if I did not mention Kevin Liston’s series on Slammer Cleanup during October. We are loving the thought his great effort was a catalyst for the eradication of it. So go back and take a look at your data for us and share what you’re seeing.
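To look at your own data the way the diary asks, here is an added Python example (my illustration, not ISC or DShield code) that tallies dropped packets to UDP/1434 per day from firewall logs and flags a step drop against a trailing-window baseline. The log line format and the traffic counts are constructed for illustration; adapt the regular expression to your own firewall or IDS output.

```python
"""Tally inbound UDP/1434 (SQL Slammer) hits per day and flag a sudden drop.

Added example for this page, not ISC/DShield code.  The log format parsed
below is an assumed, constructed iptables-style format.
"""
import re
import struct
from collections import Counter

# Assumed log format (constructed): "<date> <time> DROP proto=<P> src=<ip> dst=<ip> dpt=<port>"
LOG_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) \S+ DROP proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) dst=\S+ dpt=(?P<dpt>\d+)$"
)

SLAMMER_PORT = 1434  # SQL Server Resolution Service; Slammer is a single UDP datagram


def slammer_hits_per_day(lines):
    """Return {date: count} of dropped packets aimed at UDP/1434, sorted by date."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a firewall drop line in the expected format; skip it
        if m.group("proto").upper() == "UDP" and int(m.group("dpt")) == SLAMMER_PORT:
            counts[m.group("date")] += 1
    return dict(sorted(counts.items()))


def find_sudden_drops(per_day, window=3, threshold=0.5):
    """Flag days whose count is below `threshold` x the mean of the previous `window` days.

    A slow, steady decline never trips this; a step change (like the one ISC
    saw on March 9/10) does.  Returns (date, count, baseline) tuples.
    """
    days = list(per_day.items())
    drops = []
    for i in range(window, len(days)):
        day, count = days[i]
        baseline = sum(c for _, c in days[i - window:i]) / window
        if baseline > 0 and count < threshold * baseline:
            drops.append((day, count, baseline))
    return drops


def build_sample_log():
    """Constructed sample: 40 Slammer probes/day through Mar 8, then a step down.

    Decoy lines (TCP/1434 and UDP/53) are included and must not be counted.
    """
    per_day = {f"2011-03-{d:02d}": 40 for d in range(1, 9)}
    per_day.update({"2011-03-09": 12, "2011-03-10": 8, "2011-03-11": 8, "2011-03-12": 8})
    lines = []
    for day, n in per_day.items():
        for k in range(n):
            lines.append(
                f"{day} 12:{k % 60:02d}:00 DROP proto=UDP "
                f"src=198.51.100.{k % 254 + 1} dst=203.0.113.10 dpt=1434"
            )
        lines.append(f"{day} 13:00:00 DROP proto=TCP src=198.51.100.7 dst=203.0.113.10 dpt=1434")
        lines.append(f"{day} 13:00:01 DROP proto=UDP src=198.51.100.8 dst=203.0.113.10 dpt=53")
    return lines


if __name__ == "__main__":
    counts = slammer_hits_per_day(build_sample_log())
    for day, n in counts.items():
        print(day, n)
    for day, n, base in find_sudden_drops(counts):
        print(f"drop on {day}: {n} hits vs trailing mean {base:.1f}")
```

With the constructed data the first flagged day is March 9; the two days after it are flagged as well, because the trailing mean still contains pre-drop days until the window has moved past the step. On real data, feed several weeks of history so that ordinary day-to-day noise does not trip the threshold.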

Mozilla Firefox 4.0 released

The new 4.0 release has just debuted, and it is working well in testing as a complementary browser.

Firefox 4.0 – Home Page http://www.mozilla.com/en-US/products/download.html?product=firefox-4.0

Firefox 4.0 – Whats New http://www.mozilla.com/en-US/firefox/features/

Firefox 4.0 – Tips and techniques http://www.mozilla.com/en-US/firefox/tips/

Firefox 4.0 – Security http://www.mozilla.com/en-US/firefox/features/#advancedsecurity

Adobe Flash Update – March 21, 2011

Please update the Adobe Flash component for your browsers as automatically prompted. Note that Chrome bundles its own copy of Flash Player (a separate version line, as the bulletin shows) and delivers the fix through Chrome's own updater rather than the Adobe installer.

Adobe Flash Player update addresses a critical security issue (CVE-2011-0609) http://www.adobe.com/support/security/bulletins/apsb11-05.html
http://isc.sans.edu/diary/Adobe+Flash+Player+update+RSA+further+notification+and+Play+com+breach/10585

QUOTE:  A critical vulnerability has been identified in Adobe Flash Player 10.2.152.33 and earlier versions (Adobe Flash Player 10.2.154.18 and earlier versions for Chrome users) for Windows, Macintosh, Linux, and Solaris operating systems, and Adobe Flash Player 10.1.106.16 and earlier versions for Android. This vulnerability (CVE-2011-0609), as referenced in Security Advisory APSA11-01, could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being exploited in the wild against Flash Player in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment.
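Because the in-the-wild attack hides the .swf inside an Office binary, a mail gateway or an incident responder can look for SWF headers inside attachments. Below is an added Python example (my illustration, not Adobe's or ISC's code) that scans a blob for FWS/CWS/ZWS headers, checks the version byte and declared length for plausibility, and probes a CWS zlib stream before reporting a hit. The sample .xls-like file is constructed and contains a harmless CWS stub, not the exploit.

```python
"""Find SWF (Flash) headers embedded in an arbitrary file, e.g. a legacy .xls.

Added example for this page, not Adobe/ISC code.  An SWF starts with a 3-byte
signature (FWS = uncompressed, CWS = zlib, ZWS = lzma), a version byte and a
little-endian uint32 giving the *uncompressed* file length including header.
"""
import struct
import zlib

SWF_SIGS = {b"FWS": "uncompressed", b"CWS": "zlib", b"ZWS": "lzma"}
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .xls/.doc/.ppt container
MAX_SWF_VERSION = 50  # assumption: anything above this is text that happens to say "FWS"


def find_embedded_swf(blob):
    """Return a sorted list of plausible SWF headers found anywhere in `blob`."""
    hits = []
    for sig, kind in SWF_SIGS.items():
        start = 0
        while True:
            off = blob.find(sig, start)
            if off < 0:
                break
            start = off + 1
            if off + 8 > len(blob):
                continue  # not even room for a full header
            version = blob[off + 3]
            length = struct.unpack_from("<I", blob, off + 4)[0]
            if not 1 <= version <= MAX_SWF_VERSION or length < 8:
                continue  # implausible header
            if kind == "uncompressed" and length > len(blob) - off:
                continue  # claims to be bigger than what remains of the file
            if kind == "zlib":
                try:  # a real CWS body is a zlib stream; probe its first bytes
                    zlib.decompressobj().decompress(blob[off + 8:off + 8 + 64])
                except zlib.error:
                    continue
            hits.append({"offset": off, "kind": kind, "version": version,
                         "uncompressed_length": length})
    return sorted(hits, key=lambda h: h["offset"])


def scan_attachment(blob):
    """Summarise a file: is it an OLE2 container, and does it carry SWF headers?"""
    return {"ole2_container": blob.startswith(OLE2_MAGIC),
            "swf_headers": find_embedded_swf(blob)}


def build_sample_xls():
    """Constructed stand-in for a booby-trapped .xls: OLE2 magic, filler, a CWS stub.

    The filler deliberately contains the text "FWS" so the plausibility checks
    are exercised; the SWF body is a dummy header-like byte string, not Flash code.
    """
    header = OLE2_MAGIC + b"\x00" * 504  # OLE2 header sector is 512 bytes
    filler = b"Quarterly numbers ... FWS is not a Flash file here" + b"\x00" * 100
    body = b"\x78\x00\x05\x5f\x00\x00\x0f\xa0\x00\x00\x18\x01\x00" + b"\x00" * 200
    swf = b"CWS" + bytes([10]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)
    return header + filler + swf + b"\x00" * 64


if __name__ == "__main__":
    result = scan_attachment(build_sample_xls())
    print("OLE2 container:", result["ole2_container"])
    for h in result["swf_headers"]:
        print(f"SWF ({h['kind']}, version {h['version']}) at offset {h['offset']}, "
              f"declared length {h['uncompressed_length']}")
```

A raw byte scan like this works for legacy OLE2 binaries, where an embedded object's first sector holds the header intact. For OOXML (.xlsx/.docx) the document is a zip archive, so unpack it and scan each part; and if the SWF is itself wrapped in another compressed or encrypted object, the header will not be visible without unwrapping that layer first.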

Microsoft’s DCU unit disrupts Rustock botnet

Microsoft and other security firms continue to fight spam, botnets, and other sophisticated attacks. Recently a major and complex botnet known as Rustock was taken offline, reducing spam volumes and helping to improve Internet safety.

Microsoft’s DCU unit disrupts Rustock botnet http://blogs.technet.com/b/microsoft_on_the_issues/archive/2011/03/18/taking-down-botnets-microsoft-and-the-rustock-botnet.aspx
http://www.zdnet.com/blog/security/rustock-botnets-operations-disrupted/8456

QUOTE: Just over a year ago, we announced that the Microsoft Digital Crimes Unit (DCU), in cooperation with industry and academic experts, had successfully taken down the botnet Waledac in an operation known as “Operation b49”. Today, I’m happy to announce that based on the knowledge gained in that effort, we have successfully taken down a larger, more notorious and complex botnet known as Rustock. This botnet is estimated to have approximately a million infected computers operating under its control and has been known to be capable of sending billions of spam mails every day, including fake Microsoft lottery scams and offers for fake – and potentially dangerous – prescription drugs.

Microsoft Office XP extended support ends July 12, 2011

Plan migrations now: after this date, newly discovered Office XP vulnerabilities will no longer be patched, so any remaining installations become a standing exposure.

Microsoft Office XP extended support ends July 12, 2011 http://blogs.pcmag.com/securitywatch/2011/03/office_xp_to_go_off_support_in.php
http://support.microsoft.com/common/international.aspx?RDPATH=dm;en-us;lifecycle&p1=2533

QUOTE: On July 12, 2011, Microsoft Office XP will exit its “Extended Support Phase”, ending, among other things, the provision of security updates for it.

Browsium UniBrows Tool – Run IE6 inside IE8 or IE9

Thankfully, I’ve been able to move to IE8 for all home and work systems.  However, some legacy web applications still may not run under the latest versions of Internet Explorer.  This new tool lets IE6-based applications run inside an IE8 tab if needed.  Keep in mind that pages rendered by the IE6 engine inherit IE6’s weaknesses, so such a tool should be restricted to the specific legacy line-of-business applications that require it rather than enabled for general browsing.

Browsium UniBrows Tool – Run IE6 inside IE8 or IE9 http://blogs.pcmag.com/securitywatch/2011/03/run_ie6_inside_ie89_with_new_t.php

QUOTE: Most of the world may be running away from Internet Explorer 6 as fast as they can, especially now that it’s officially 3 versions old, but there are users who can’t make the decision so easily. Many businesses wrote in-house web-based applications, sometimes called “line of business apps,” which relied on IE-specific features.  In the long run they will have to change, but in the meantime Browsium has a solution that let these companies put off the decision even longer. UniBrows is a tool that IT can use to allow IE8 users on Windows XP or Windows 7 to run Internet Explorer 6 apps in a tab under IE8. Browsium says that they will support IE9 when the final release is available, so presumably that will be soon.

Browsium UniBrows Tool – Run IE6 inside IE8 or IE9 http://www.browsium.com/unibrows/

QUOTE: Move your organization to Windows 7 or IE8 on Windows XP and keep your IE6 line of business applications intact—without changing a single line of code. UniBrows enables IE6 web applications to run inside an IE8 tab, empowering your organization to streamline the migration process and avoid the complexity and costs of virtualization.

Japanese Earthquake based scams and malware circulating

Within two hours of the 9.0 magnitude earthquake impacting Japan, a fraudulent donation site was established.  Always be careful with e-cards, related email, or websites during special holidays or news events.

My thoughts, prayers, and deepest sympathies extend to those impacted by this great tragedy.  Please always donate through the official sites of established charities such as the Red Cross, reached by typing the address directly rather than following links in email.  This way your money will be going to the people affected, rather than to criminals.

Japanese Earthquake based scams and malware circulating http://blogs.mcafee.com/mcafee-labs/world-record-for-disaster-scam-site

QUOTE: Approximately two hours after an 8.9 earthquake hit northeast Japan we spotted the first potential donation scam site. We’ve seen this before of course, but for a scam site to appear in just two hours–indexed and with content–is pretty quick in my experience. Hundreds of domains that could be related to the disaster have been registered so far today; we’re keeping an eye on them.

St Patrick’s Day based scams and malware circulating

Always be careful with e-cards, related email, or websites during special holidays or news events.

St Patrick’s Day based scams and malware circulating http://blogs.mcafee.com/mcafee-labs/so-predictable-st-patricks-day-scams

QUOTE: I have blogged many times about how cybercriminals and scammers use holidays, sporting events, and disasters as lures in their never-ending schemes. Just like with tax season, every Valentine’s Day we see more scams. Most high-profile sporting events, such as the FIFA World Cup, inspire them; and certainly recent events like the earthquakes in Haiti, Chile, and Japan serve as bait for these schemes. St. Patrick’s Day finds itself in the same situation.

Firefox 4 – moves from Beta to Release Candidate stage

Mozilla’s Firefox browser is a great complementary browser that I use in conjunction with Internet Explorer.  After beta testing the new version for several months, Mozilla has promoted it to the Release Candidate stage.  This indicates a production release will be forthcoming soon.

Firefox 4 – moves from Beta to Release Candidate stage http://www.mozilla.com/en-US/firefox/RC/

Microsoft Autorun v2.1 improves safety

In recent years, malware has often found its way onto USB-based devices (e.g., flash drives, MP3 players, etc.).  On an infected PC, many malware agents search for such devices and copy themselves there as well, relying on Autorun to start when the device is plugged into the next system.  Microsoft’s latest change to Autorun (update 967940, now pushed through Windows Update) stops autorun.inf on USB sticks and other non-optical removable media from being honored, so these devices no longer start automatically; CDs and DVDs are not affected, and users can always start programs on a device manually.  It’s a best practice to scan your portable media devices periodically for malware, and always to do so when the source might be untrusted.

Microsoft’s Autorun update v2.1 now automatically deployed from Windows Update http://isc.sans.edu/diary.html?storyid=10468
http://www.microsoft.com/technet/security/advisory/967940.mspx

QUOTE: Microsoft have moved their Windows Autorun V2.1 (967940) update patch from optional updates to automatic updates. This is the same patch that was released in last month’s patch Tuesday. When Windows update is next run, this patch will automatically be selected to apply to your machine. This is more likely to affect home users, as companies should be using group policies to control how USB autorun settings operate. Expect one or two calls from confused family members on why their favourite autorun USB stick application has stopped working.