0-Day Exploit in Adobe Acrobat and Flash
The US Computer Emergency Readiness Team (US-CERT) reports at http://www.us-cert.gov/cas/techalerts/TA09-204A.html that a new exploit is active against Adobe Flash Player and Adobe Reader. It could allow an attacker to execute code on a computer after the user views a webpage or opens a specially crafted PDF document. Adobe has issued an advisory at http://www.adobe.com/support/security/advisories/apsa09-03.html and estimates that a patch will be available no sooner than July 30 - 31.
Virus Claims to be Obama's Acceptance Speech
There is a new virus going around via email with a subject of "Obama Acceptance Speech" or "Amazing Speech by Obama". The email links to a malicious web site which claims that the user needs to load a newer version of Adobe Flash player. This newer version is actually a password-stealing virus. If you get this email, delete it immediately and do not click on the link. Additional details are available at http://www.snopes.com/computer/virus/obamaspeech.asp.
Another Critical Out-of-Band Microsoft Patch Released
Microsoft has released another out-of-band patch for a 0-day exploit against Internet Explorer. These 0-day exploits mean that hackers are actively using the flaw to attack computers before the vendor has released a fix. It is important that you install the patch as soon as possible; additional information can be found at http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx .
Critical Out-of-Band Microsoft Patch Released
Microsoft has released a critical patch for a major vulnerability in Windows. This vulnerability has the potential to allow a worm to propagate, and therefore the patch should be applied as soon as possible. More details are available at http://support.microsoft.com/kb/958644 .
More Phishing Attempts, Vulnerable Linux Distributions
There have been continued phishing attempts sent to MTSU email accounts. These claim to be from addresses such as "WEBMAIL.MTSU.EDU" or "MTSU CUSTOMER SERVICE" and ask for personal information including email address, password, age/country, date, and first and last name. The emails also state that failure to send this information will result in loss of account access. These emails are fake and are trying to get personal information from users for fraudulent purposes. If you receive one of these, please delete it or forward it to firstname.lastname@example.org.
The second news item for today, "Vulnerable Linux Distributions," refers to an OpenSSH vulnerability in the Debian and Ubuntu Linux distributions described at http://isc.sans.org/diary.html?storyid=4421. If your system runs Microsoft Windows then it is not vulnerable but if you run a Debian or Ubuntu Linux server or desktop machine then you may have to update any keys you have generated. Please contact ITD for more information if you have questions about this or if you think your computer may be vulnerable.
Fake "Account update" Emails
Recently an email was sent to accounts at MTSU claiming to be from email@example.com concerning a "WebNews Email Account Update". These emails request that the user reply with his or her email address, password, country, date of birth, and first and last names, or the account will be disabled. Any such replies actually go to a third-party email address. This email is fake and is not from MTSU; if you receive one of these, please delete it or forward it to firstname.lastname@example.org.
Fake Tax Refund Emails
Several people on campus have received phishing emails via their MTSU email accounts which say they are due a tax refund from the IRS. The email instructs the recipient to click on a link to access the refund form. This email is fake and is not from the IRS; if you receive one of these, please delete it or forward it to email@example.com.
Online Postcard Worm Circulating
Emails are being sent which contain links to a supposed online postcard sent by a friend or co-worker. These links actually go to a website which tries to infect your computer with a worm, which then tries to spread. If you get an online postcard link you were not expecting, especially with the subject having to do with the fourth of July, please delete it. More information can be found at http://isc.sans.org/diary.html?storyid=3090
Security Videos Posted
The EDUCAUSE/Internet2 Computer and Network Security Task Force, the National Cyber Security Alliance, and ResearchChannel sponsored the 2007 Computer Security Awareness Video Contest to raise awareness of IT security at colleges and universities. The Information Technology Division has selected four winning entries from this competition which we feel are the most informative for the MTSU community; they are posted at http://www.mtsu.edu/~security/videos.htm.
New Worm Circulating
There is a new worm circulating with email being the most common method of transmission. It starts out by saying "Our robot has detected an abnormal activity from your IP...". This email is fake and the attachment will infect, not fix, your computer; if you get this email please delete it immediately. More information can be found at http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9016420&source=NLT_BNA&nlid=1
WinZip Vulnerability Notes
Recently a vulnerability associated with WinZip version 10 was announced at http://isc.sans.org/diary.php?storyid=1861. What sets this vulnerability apart is that one of last Tuesday's Microsoft patches protects against it. Although this is an added layer of protection, users should not rely on Microsoft to fix problems with third-party software. You should always check the websites of the software you use for updates, even if you install Windows updates. An example is Adobe (www.adobe.com), which frequently releases patches for their Flash player and Acrobat, their PDF viewer.
Multiple Products have Patches Available
In addition to the monthly Windows patches, Apple, Firefox, and Adobe have released patches for their products (QuickTime, Firefox browser, and Flash player respectively). SANS has links at http://isc.sans.org/diary.php?storyid=1694, http://isc.sans.org/diary.php?storyid=1702, and http://isc.sans.org/diary.php?storyid=1695. These vulnerabilities can lead to hackers gaining unauthorized access to your computer, so the updates should be applied as soon as possible.
Major Windows Flaw Announced
Tuesday's list of vulnerabilities includes a critical flaw which may allow a worm to propagate among unpatched computers. The DHS has issued a statement at http://www.dhs.gov/dhspublic/display?content=5789 recommending that administrators patch systems as quickly as possible.
Critical Microsoft Patches Released
Microsoft has released a number of patches today and SANS reports that one of them fixes a flaw with the potential to pave the way for a worm. See http://isc.sans.org/diary.php?storyid=1471 for details.
Vulnerability in RealVNC
The makers of RealVNC, a product that gives remote access to servers, announced a vulnerability which gives remote users access to the computer without a username/password. Lately, attackers have been using this to access computers as reported at http://isc.sans.org/diary.php?storyid=1341. If you use this product, please upgrade to version 4.1.2 at www.realvnc.com.
Rootkit trojan found on campus
There is a new virus going around called Abwiz.F. This is a trojan with rootkit capabilities, which means that it may not be detected via traditional means. Details can be found at http://www.symantec.com/avcenter/venc/data/trojan.abwiz.f.html.
Several Mac OS X vulnerabilities have been found
There have been several vulnerabilities found for the Macintosh OS X operating system. The most serious of these will allow malware to be installed by simply visiting a malicious website with no additional user action needed. Although OS X has had fewer viruses than Windows, as more people use it we will start seeing more of these vulnerabilities being exploited. Details of the vulnerabilities can be found at SANS:
Windows patches have been released over the break
Microsoft has released several patches over the holidays. If you have had your computer turned off over the holidays it may not have received the patch. Many times PCs are set up to automatically download updates but viruses can prevent this and sometimes a reboot is needed to complete the patching process. It is a good idea to check Microsoft's update site at http://windowsupdate.microsoft.com to check for any updates and then reboot your PC.
Email virus prompts attachment blocking
The latest versions of the Mytob and Sober viruses have not been caught by the campus email antivirus system. Because of this, ITD will be blocking several attachment types over the next 48 hours. Some attachment types will continue to be blocked permanently but others, such as .ZIP files, will be allowed through after this time period. Below is a list of file types which will be blocked:
*.COM, *.EXE, *.DRV, *.DLL, *.BIN, *.OVL, *.SYS, *.ZIP, *.SCR, *.SHS, *.HLP, *.VBS, *.REG, *.PIF, *.LNK, *.CMD, *.BAT
If you have any questions you may contact the ITD Help Desk at firstname.lastname@example.org or (615) 898-5345.
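The extension list above applied to a message, as an added example (not ITD's actual filter configuration): a Python check that parses a MIME message and reports attachments whose final extension is on the list, matching case-insensitively and ignoring trailing dots and spaces. The function names, addresses and file names are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Extensions from the notice above (*.COM, *.EXE, ...), lower-cased.
BLOCKED_EXTENSIONS = frozenset(
    "com exe drv dll bin ovl sys zip scr shs hlp vbs reg pif lnk cmd bat".split()
)


def blocked_extension(filename):
    """Return the blocked extension that `filename` ends with, or None."""
    # Windows drops trailing dots and spaces, so "a.exe. " opens as "a.exe".
    name = filename.strip().rstrip(". ").lower()
    _, dot, ext = name.rpartition(".")
    return ext if dot and ext in BLOCKED_EXTENSIONS else None


def blocked_attachments(raw_message):
    """Return (filename, extension) for each MIME part matching the list."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        filename = part.get_filename()
        ext = blocked_extension(filename) if filename else None
        if ext:
            hits.append((filename, ext))
    return hits


def build_sample():
    """Constructed test message; addresses and file names are made up."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.org"
    msg["Subject"] = "constructed sample"
    msg.set_content("See attached.")
    for name in ("notes.txt", "Report.PDF.ScR", "photos.zip"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, ext in blocked_attachments(build_sample()):
        print(f"BLOCK {filename!r} (matches *.{ext.upper()})")
```

The check looks only at the declared file name, so it does not detect a blocked file type sent under another extension.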
Fake emails from "MTSU Support Team"
There is a new virus going around which sends emails with an attachment and claims to be from the "MTSU Support Team". Regardless of what the email says, the attachment is a copy of the virus and so the entire email should be deleted. This virus is from a family of worms and one example is at Trend Micro's site.
IT Security Workshops Quickly Approaching
The MTSU IT Security Group teaches two workshops which cover IT security for beginners and system administrators. More information can be found at the IT Security Workshop page.
Wireless Configuration Alert
If you are using the MTSU wireless network it is important that you choose "Infrastructure Mode" in your wireless software. Choosing "Any Available Network" or "Ad Hoc" modes could create an insecure situation by connecting your computer to another wireless computer. Further details on the MTSU wireless network are available at http://www.mtsu.edu/~wireless/.
Firefox Vulnerability Discovered
A critical vulnerability exists in the popular Firefox web browser which can allow hackers access to your computer even if you are running the most recent version of the software. If you use Firefox then please look at the following link for hotfix information: https://addons.mozilla.org/messages/307259.html More information on the vulnerability itself can be found at http://secunia.com/advisories/16764/
Windows Updates Released
This week Microsoft released a number of security updates for Windows. One of these is particularly important because of its potential to allow a worm to propagate. If you do not have automatic updates configured for your computer then please visit http://windowsupdate.microsoft.com for the latest patches. If you do have automatic updates installed, it is a good idea to still visit the Windows Update site to make sure you are getting the latest updates. Also note that you may need to validate your copy of Windows with the Microsoft Genuine Advantage program upon visiting this site.
Worm Targets Backup Exec Vulnerability
There is a worm mentioned at SANS that exploits a vulnerability in Backup Exec, a commonly used third-party backup package. Veritas, the makers of Backup Exec, have released patches for this vulnerability, which can be found at seer.support.veritas.com/docs/276604.htm.
This should in no way be a discouragement towards using this backup software; if you currently use Backup Exec it should be updated as quickly as possible but it would also be disastrous to shut it off and not have backups in case of system failure.
Microsoft Releases Critical Patches
Microsoft has released a number of new patches for Windows with three of them being rated "Critical". It is very important if you do not have automatic updates enabled that you go to Microsoft's update site at http://windowsupdate.microsoft.com to get these updates. Without them it is possible for someone to take complete control of your computer. Also note that you should disregard any emails supposedly from Microsoft that contain the patches. There are viruses going around that use this as a means for infection and Microsoft will never send the patches via email. More information is available from Microsoft's site at www.microsoft.com/security.
MarketScore Sites Blocked
MarketScore is a company which claims to speed up web browsing but many security companies have determined it to be spyware. The problem is that it intercepts and reads all encrypted websites that you visit including ecommerce sites and online banking sites. Because of this, MTSU has decided to block all access to the MarketScore servers. More information and removal instructions can be found at Symantec and you may also contact the ITD helpdesk at 5345.
IM Worms - the Latest Trend
A new type of worm is increasing in number on the Internet and infects computers via Instant Messenger (IM) programs. Unlike the IRCBots which do not talk directly to you, the IM worms will target your IM program such as Microsoft Messenger or AOL Instant Messenger.
Some symptoms include the following and may even come from people on your friends list:
Here are some tips to help protect yourself:
IRC Worms Still Around
There has been an increase in this type of virus lately. These are computer worms that can spread automatically, and the best way of getting one is by not applying security patches on your PC. Many times they will spread via vulnerabilities in the Windows operating system, so it is very important that your PC is kept up to date. You can go to http://windowsupdate.microsoft.com to get the latest updates, and you should also run an up-to-date copy of antivirus software.
Security Scans Available
Departments may now request security scans of their systems to find vulnerabilities that may exist. For more information, please contact the Security Group at email@example.com.
Security Site Goes Live
The ITD Security Group has now been launched and provides a place to find out about security and also what to do if you think your computer has been infected.