Avira update puts behaviour recognition on hold

Security firm Avira disabled the ProActiv behavior recognition module in some of its products with an update. A few days after the release of “Service Pack 0” on May 14, the company’s security software unexpectedly blocked access to important system components. As a consequence, some computers did not start at all, while others could only be booted in safe mode. On May 15, Avira announced it had solved the behavior recognition problem with an update and said the patch can be installed by updating manually. What the company did not say is that the update simply disables the ProActiv behavior recognition module, which is no longer listed in the extended configuration dialog once the update is installed.

Source: http://www.h-online.com/security/news/item/Avira-update-puts-behaviour-recognition-on-hold-1578360.html

Apache details OpenOffice 3.4 security fixes

Following the release of Apache OpenOffice 3.4.0 the week of May 7, the Apache Software Foundation (ASF) detailed the security fixes included in the new version of the open source productivity suite. According to the ASF, the first stable release of OpenOffice under its governance addresses three security vulnerabilities, all of which are rated as “important.” These include an integer overflow error when handling embedded images and a memory overwrite bug when loading WordPerfect files, both of which could allow for the execution of arbitrary code. The third hole is related to unchecked memory allocations in malformed PowerPoint files that the developers say could be used to cause a denial-of-service. Attacks on all these flaws would require the user to open a specially crafted file. OpenOffice.org 3.3 and the beta version of 3.4 are affected; earlier versions may also be vulnerable. The Security Team advises all users to upgrade to the final 3.4 release.

Source: http://www.h-online.com/security/news/item/Apache-details-OpenOffice-3-4-security-fixes-1578504.html

Security vulnerability in sudo’s netmask function patched

The developers of sudo released updates to the privilege-elevating utility to patch a bug that allows an attacker to execute commands they should not be able to access on a remote system. Shortly after, they issued a regular update that includes these fixes along with several new features. Sudo versions 1.8.4p5 and 1.7.9p1 fix a security issue in the program that can allow a legitimate user who is included in the sudoers file to run commands on other hosts. When sudo is asked to run a command by a user, it consults sudoers to see if the user has permission. Sudoers rules include the ability to define permission by the host’s IP address, either by matching absolute addresses or by matching a netmask specification. It is the matching with netmasks, which are typically used to grant users permissions by subnet, where the problem lies. The flaw is present in the IP network matching code of sudo versions 1.6.9p3 through 1.8.4p4. The flaw was reported internally through Red Hat’s Bugzilla bug tracking system and was already fixed in Ubuntu by backporting the fix to older versions of the package. Red Hat is also expected to fix its versions of sudo soon. The project advised all users to update to a patched version of the program as soon as possible. Where they cannot upgrade, users are advised to switch to defining host permissions using IP addresses instead of netmasks.

Source: http://www.h-online.com/security/news/item/Security-vulnerability-in-sudo-s-netmask-function-patched-1578395.html
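
The sudoers host rules described above accept three kinds of host entry: a hostname, a single IP address, or a network written as address/prefix or address/dotted-netmask. The following is an added example, not sudo’s own matching code or anything from the advisory: it parses Host_Alias lines from a constructed sudoers fragment, shows how a client address is compared against each entry form, and lists the entries that rely on netmask matching so an administrator can replace them with explicit addresses, which is the workaround the project recommended for installations that cannot upgrade. The alias names, addresses and sudoers lines are all constructed sample data.

```python
import ipaddress
import re

# Constructed sample sudoers fragment (not from the advisory). Host entries use the
# three forms sudoers accepts: hostname, single IP address, and IP network written
# either as address/CIDR-prefix or address/dotted-netmask.
SAMPLE_SUDOERS = """\
Host_Alias  WEBSERVERS = 192.0.2.10, 192.0.2.11
Host_Alias  LABNET     = 198.51.100.0/24, db01.example.test
Host_Alias  LEGACYNET  = 203.0.113.0/255.255.255.0
alice   WEBSERVERS = (root) /usr/sbin/service
bob     LABNET = ALL
"""

HOST_ALIAS_RE = re.compile(r"^\s*Host_Alias\s+(\w+)\s*=\s*(.+?)\s*$")


def classify_host_spec(spec):
    """Return 'address', 'network', 'hostname' or 'invalid' for one host entry."""
    spec = spec.strip()
    if "/" in spec:
        try:
            # ip_network accepts both 198.51.100.0/24 and 203.0.113.0/255.255.255.0.
            ipaddress.ip_network(spec, strict=False)
            return "network"
        except ValueError:
            return "invalid"
    try:
        ipaddress.ip_address(spec)
        return "address"
    except ValueError:
        return "hostname"


def host_matches_spec(host_ip, spec):
    """Mirror the sudoers host decision for one entry.

    A single address must match exactly; a network entry matches when the host
    falls inside it after the netmask is applied. Hostnames are resolved by sudo
    itself and are out of scope here, so they never match in this model.
    """
    addr = ipaddress.ip_address(host_ip)
    kind = classify_host_spec(spec)
    if kind == "address":
        return addr == ipaddress.ip_address(spec.strip())
    if kind == "network":
        return addr in ipaddress.ip_network(spec.strip(), strict=False)
    return False


def parse_host_aliases(sudoers_text):
    """Map each Host_Alias name to its comma-separated list of host entries."""
    aliases = {}
    for line in sudoers_text.splitlines():
        m = HOST_ALIAS_RE.match(line)
        if m:
            aliases[m.group(1)] = [s.strip() for s in m.group(2).split(",")]
    return aliases


def netmask_entries(sudoers_text):
    """List (alias, entry) pairs whose access decision depends on netmask matching.

    These are the entries the advisory workaround says to rewrite as explicit
    IP addresses when the sudo binary cannot be upgraded.
    """
    found = []
    for alias, entries in parse_host_aliases(sudoers_text).items():
        for entry in entries:
            if classify_host_spec(entry) == "network":
                found.append((alias, entry))
    return found


if __name__ == "__main__":
    for alias, entry in netmask_entries(SAMPLE_SUDOERS):
        print(f"{alias}: {entry} uses netmask matching; consider listing hosts explicitly")
    print(host_matches_spec("198.51.100.77", "198.51.100.0/24"))  # inside LABNET
    print(host_matches_spec("198.51.101.1", "198.51.100.0/24"))   # outside LABNET
```

Running the audit over a real sudoers file (and any files it includes) gives the list of rules to convert; the matcher is only there to make the two comparison modes concrete, since the decision for a netmask entry depends on the mask being applied correctly, which is exactly the code path the patched versions fix.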

DoS vulnerability in Bitcoin

The developers of Bitcoin, the anonymous digital currency system, fixed a flaw in the system that could cause a client to stop receiving updates from the Bitcoin network. To send and receive payments, Bitcoin nodes encode the transfer information into blocks of data that get aggregated into a globally distributed block chain. Each transaction is cryptographically signed and linked to the previous one. For this system to work, the user’s client needs to communicate with the global network frequently to keep up to date with the transactions that have happened since the last time it was online. If a node is isolated from the network for a significant amount of time, it cannot initiate or receive transfers of bitcoins. The developers did not yet explain how the vulnerability in the Bitcoin software can be exploited; they want to give users sufficient time to patch their clients before releasing information that could be used by hackers to reverse engineer a working exploit. They have, however, released version 0.6.2 of the client, which fixes the problem. Backports of the fix for versions 0.5.5 and 0.4.6 are also available. The developers stated the vulnerability cannot be used to compromise users’ wallets.

Source: http://www.h-online.com/security/news/item/DoS-vulnerability-in-Bitcoin-1578558.html

Worm uses Facebook PMs and instant messaging apps to spread

Researchers from Trend Micro recently reported that a piece of malware, identified as Worm_Steckct.evl, is distributed via a link sent in private messages on Facebook and instant messaging programs. The shortened links contained in the posts point to an archive called “May09-Picture18.JPG_www(dot)facebook.com.zip” which hides a file named “May09-Picture18.JPG_www(dot)facebook.com.” The .com extension reveals the malware is an executable file. Once it is run, the worm terminates all the processes and services created by security software, ensuring antivirus applications cannot disrupt its processes. Steckct.evl then downloads another worm, detected as Worm_Eboom.ac, which monitors the victim’s browsing sessions. Not only does it log the posts and private messages the user creates or deletes on Facebook, MySpace, Twitter, WordPress, or Meebo, but it can also spread by utilizing the user’s active session on these sites.

Source: http://news.softpedia.com/news/Worm-Uses-Facebook-PM-s-and-Instant-Messaging-Apps-to-Spread-270148.shtml

RealPlayer update fixes security vulnerabilities

RealNetworks is warning users about multiple security vulnerabilities in its RealPlayer media player application for Windows; the company says none of the now fixed holes are known to have been used to compromise systems. The released update, Version 15.0.4.53 of RealPlayer, closes three security holes. One hole is related to ASM RuleBook parsing that could be exploited by an attacker to remotely execute arbitrary code, another is a memory corruption problem related to MP4 file handling in the QuickTime plugin used by RealPlayer, and the third is a buffer overrun in the Media parser. RealPlayer Versions 11.0 to 11.1 and 14.0.0 to 15.0.3.37, as well as RealPlayer SP 1.0 to 1.1.5 are affected; RealPlayer for Mac is not vulnerable. RealPlayer 15.0.4.53 — available for Windows 7, Vista SP1, and XP SP3 — corrects these problems.

Source: http://www.h-online.com/security/news/item/RealPlayer-update-fixes-security-vulnerabilities-1578444.html

Stolen certificates found in malware possibly targeting Tibetan groups

The recent trend of attackers using stolen digital certificates to make their malicious executables look legitimate is continuing unabated, with researchers now having come across a series of variants of the Etchfro trojan that use certificates taken from several companies and issued by VeriSign, Thawte, and other certificate authorities. After looking at recent examples of malware signed with stolen certificates, researchers at Norman ASA, a security firm in Norway, noticed there was an aberrant string in one specific optional field included in the stolen certificates. It is unclear what, if any, purpose the string serves, but Norman researchers started searching the company’s malware database, looking for other samples with the same string. The search yielded more than 20 samples with the same atypical string, and each of them included a stolen digital certificate. All of the malware samples except one were some version of the Etchfro trojan. The other one is a version of the Gh0st RAT tool.

Source: http://threatpost.com/en_us/blogs/stolen-certificates-found-malware-possibly-targeting-tibetan-groups-051512

Wikipedia warns users about malware injecting ads into its pages

Visitors to Wikipedia who see advertisements on the site have most likely fallen victim to a browser-based malware infection, Wikimedia Foundation, the organization operating the Web site, said May 14. “We never run ads on Wikipedia,” said the director of community advocacy for the Wikimedia Foundation. “If you’re seeing advertisements for a for-profit industry … or anything but our fundraiser, then your Web browser has likely been infected with malware.” One example of such malware is a rogue Google Chrome extension called “I want this,” the director said. However, similar malicious add-ons might also exist for Mozilla Firefox, Internet Explorer, and other browsers, he said. This type of malicious software is known as click fraud malware and can target multiple Web sites at once.

Source: http://www.computerworld.com/s/article/9227179/Wikipedia_warns_users_about_malware_injecting_ads_into_its_pages

Pinterest scam toolkits widen the pool of potential scammers

Pinterest scam toolkits are available for sale to inexperienced scammers, according to McAfee. Usually sold on underground forums, these toolkits contain many tools. All actions needed to scam users are included and automated: creating Pinterest invites and mass comments on posts, mass creation of bit.ly links, and scraping Amazon for products based on given keywords and then submitting them to Pinterest. Pinterest scams usually work by luring people in with offers of free gift cards, and the offered links land them either on sites hosting survey scams, on Amazon or other sites (which results in the scammers earning money by referral), or lead them to premium rate trojans (if the Pinterest visitor uses a mobile device to visit the site).

Source: http://www.net-security.org/secworld.php?id=12931&utm

Scammers exploit wannabe demon-slayers hyped by Diablo III

Cybercriminals targeted the release of Diablo III on May 14 with scams themed around the widely anticipated video game. Blizzard’s game systems collapsed due to the higher than expected demand for the game, the London Guardian reported. The software company is attempting to stop pirates from stealing the new role-playing game by forcing users to log into its servers before they can start playing it. This created a bottleneck centered around log-in systems at Blizzard, which struggled to service demand. Technical glitches were an unexpected bonus for scammers, who launched scams promoting bogus crack and key-gen sites. These fake sites might potentially be more attractive than they normally would be as gamers struggle to acquire legitimate content through regular channels. Some of the scam sites GFI Software identified included supposed online key purchasing sites that actually install malicious software. Other spam Diablo III-themed links collated by the security firm lead to unrelated flash games, spam linkdumps, and a “donation experiment” where installing the software offered enters targets into a supposed prize draw giveaway. These various scams are being promoted across the Web at large and on social media Web sites, including Facebook and Pinterest.

Source: http://www.theregister.co.uk/2012/05/15/diablo_3_scams/