Security Fix
- Blogspot Blogs Help Spread Storm Worm Attacks
In an attack that showcases what cyber criminals have in store for Web 2.0 next year, the individual or group behind the Storm worm is distributing new versions of the malware with the help of hijacked and newly-created Google Blogspot blogs. The Storm worm, one of 2007's most prolific e-mail-borne Trojan horse programs, has always come wrapped in holiday-themed messages or disguised as videos from some recent high-profile news event. The latest Storm versions -- predictably spammed out as Christmas and New Year's greeting cards -- don't break with that tradition. They urge recipients to click on a link that then tries to install the Trojan through hook (unpatched Web browser vulnerabilities) or by crook (tricking the user into believing he or she needs to install some "video codec" to view the holiday message). The twist with the new attacks is that someone has apparently planted the malicious Storm download
- Security Updates for Flash, Opera
Adobe is urging people who use its Flash Player (this includes pretty much all Windows users) to upgrade to a new version that fixes at least nine separate security vulnerabilities that could be exploited to install unwanted software on vulnerable computers. The latest, patched version of the Adobe Flash Player is 9.0.115.0, but regular readers of this blog most likely have version 9.0.47.0 on their systems. Adobe says the flaws are present in pretty much all versions prior to 9.0.115.0. To see what version of Flash you have, visit this link and check the number displayed in the "version information" box. Updates are available for pretty much all browsers on just about any operating system, including Linux and Mac OS X (a Solaris update will be released later on). The latest Windows version is available for download at this page. Updates for other operating systems can be found here (note
- 'Pinch' Authors Pinched?
A few weeks ago, Security Fix profiled a ubiquitous (but lesser known) class of malicious software called "Pinch," a malware creation kit that is highly sought after on hacker forums because of its adaptability and multitude of features. According to Russian anti-virus firm Kaspersky Lab, it appears that authorities there have identified the authors of Pinch and are closing in on the individuals. From the Kaspersky blog: "Today Nikolay Patrushev, head of [Russia's] Federal Security Services, announced the results of the measures taken to combat cyber crime in 2007. "Among other information, it was announced that it had been established who was the author of the notorious Pinch Trojan -- two Russian virus writers called Ermishkin and Farkhutdinov. The investigation will soon be completed and taken to court." This is welcome news, particularly since it shows that Russian authorities are once again making an effort to go after some of
- Study: $3.2 Billion Lost to Phishing in 2007
U.S. consumers were scammed out of roughly $3.2 billion over the past year from phishing scams, a significant increase over last year, according to a survey released this week. The estimate, produced by Stamford, Conn.-based research firm Gartner Inc., was based on a survey of 4,500 online adults. The findings indicate that despite a great deal of media attention to the phishing epidemic, the message still isn't getting through to a fairly constant percentage of Internet users. From the survey, which examined consumer experiences with phishing attacks in the year ending Aug. 2007: "Of consumers who received phishing e-mails in 2007, 3.3 percent say they lost money because of the attack, compared with 2.3 percent who lost money in 2006, and 2.9 percent who did so in 2005, according to similar Gartner surveys during those years." Three billion dollars may seem like a high number, but my suspicion is that
- Apple Patches Java, OS X and Safari 3 Flaws
Apple pushed out a bushel of patches late last week to fix at least 18 security vulnerabilities in its implementation of Java for Mac users. Then on Monday, the company issued a large update that plugged at least 40 security holes in different versions of its OS X operating system. Another standalone patch eliminates a single security flaw in Safari 3 Beta for Windows. The Java update applies to Mac systems running OS X 10.4 (Tiger) and earlier versions. Apple says none of the vulnerabilities patched in the Java roll-up are present in OS X 10.5 (Leopard). However, a fair number of the fixes in the patch batch for OS X also apply to Leopard. Some of the security vulnerabilities included in the 80 megabyte Java package were fixed by Java maker Sun Microsystems nearly a year ago. For Apple users, these are not trivial flaws: Apple says some of
- New QuickTime Player Fixes 3 Security Flaws
Apple has issued an update to its QuickTime media player software to plug at least three security holes, including one that cyber criminals already are using to break into vulnerable systems. The new version, QuickTime 7.3.1, is available for Mac and Windows. Mac users can grab the update via the built-in Software Update feature. Windows users who have QuickTime already installed can get the fixes using the Apple Software Update program that ships with QuickTime.
- Microsoft Plugs 11 Windows Security Holes
Microsoft today released software updates to plug at least 11 security holes in PCs powered by its Windows operating systems and other software. Windows users can download the fixes either directly through the Microsoft Update Web site or via Automatic Updates. December's seven update bundles include fixes for four separate security holes in Internet Explorer 6 and IE7, vulnerabilities that are considered critical for Windows 2000, Windows XP and Windows Vista users. Microsoft rates a flaw "critical" if it can be exploited to break into vulnerable systems with little or no help from the user, save perhaps for browsing a Web site or by clicking on a malicious link in an e-mail or instant message. The IE patch is probably the most important update Redmond issued this month, as the vulnerabilities it corrects have the potential to affect the largest number of people. Microsoft said that criminals already exploited one
- Top 10 Best & Worst Anti-Phishing Web Registrars
Web site domain name registrars are increasingly finding themselves at the forefront of the never-ending slog against online con artists and phishers. But there is little consensus on how far registrars should go to police their pool of names for fraudulent activity, and the performance of registrars in decommissioning domain names connected to fraud scams is all over the map. Such was one of the many findings in a "brandjacking" report released last month by brand security firm MarkMonitor. November's report, which detailed online fraud trends for Q3 of 2007, was the first to include a list of the top 10 best and worst lists of registrar performance in revoking domain names connected to phishing scams. Domain name registrars can play a crucial role in getting phishing sites shut down, as most phishing sites use some kind of Web site name in their scam. According to the latest stats from
- QuickTime Flaw a Potential Threat to Second Life Fans
Security experts have spotted several Web sites exploiting an unpatched security hole in Apple's QuickTime media player to install malicious software on computers used to browse the sites. Last week, Security Fix carried a post warning readers about the QuickTime flaw, noting that several sets of instructions showing attackers how to exploit the hole had been posted online. Over the weekend, Symantec reported it had detected a network of sites using the exploits to compromise vulnerable Windows computers. In related news, a pair of security researchers demonstrated how the same QuickTime flaw could be used to "pick the pockets" of people engaging in various online games and virtual worlds. Dino Dai Zovi and Charles Miller described how the vulnerability might be leveraged to steal money from people who are members of "Second Life," a virtual world created by San Francisco-based software developer Linden Lab; the virtual world is populated by
- Malware Targets E-Banking Security Technology
A new class of malicious software contains a feature specifically designed to thwart online security technology implemented by Bank of America and many other financial institutions that allow their customers to monitor and make changes to their accounts via the Internet. The feature was found in a recent version of "Pinch,"