Malicious Office Documents Cause Security Woes

Exposure:

Today, Microsoft released two security bulletins describing seven vulnerabilities found in components that ship with Microsoft Office XP and 2003 for Windows, and Office 2004 for Mac. These bulletins do not affect the more current versions of Office, such as 2007 Microsoft Office System or Microsoft Office 2008 for Mac.

The vulnerabilities affect different versions of Office to varying degrees. Though the seven vulnerabilities differ technically, and affect two different Office components, they share the same scope and impact. By enticing one of your users into downloading and opening a maliciously crafted Office document, an attacker can exploit any of these vulnerabilities to execute code on a victim’s computer, usually inheriting that user’s level of privileges and permissions. If your user has local administrative privileges, the attacker gains full control of the user’s machine.

According to Microsoft’s bulletins, an attacker can exploit these flaws using many different types of Office documents. In one bulletin, Microsoft specifically states PowerPoint documents are vulnerable. However, they also mention any "Office file" in their other alert. Therefore, we recommend you beware of all unexpected Office documents.

If you’d like to learn more about each individual flaw, drill into the "Vulnerability Details" section of the security bulletins listed below:

•  MS10-003: Multiple PowerPoint Code Execution Vulnerabilities, rated Important
•  MS10-004: Microsoft Office MSO.DLL Code Execution Vulnerability, rated Important

Solution Path

Microsoft has released patches for Office to correct all of these vulnerabilities. You should download, test, and deploy the appropriate patches throughout your network immediately, or let the Microsoft Automatic Update feature do it for you.

MS10-003:

•  Office XP w/SP3
•  Office 2004 for Mac

MS10-004:

PowerPoint update for:

•  Office XP w/SP3
•  Office 2003 w/SP3
•  Office 2004 for Mac

Verizon is putting the final touches on it’s new plans and for the most part if you want any type of phone that does more than dial a number you WILL buy a data plan. Overall Verizon says this will average out for most users so the monthly cost are about the same yet they also admit they see the revenue per user continuing to rise.

Reports and rumors are coming out that Verizon will be releasing multiple new phones in the upcoming months. From the much anticipated iPhone to more Android based phones it looks like Verizon has finally decided it’s time to upgrade their less than unique phone lineup.

The latest rumor to show up is all about a new Android phone from Motorola called the Devour. Basically it appears to be a slightly less advance version of the Motorola Droid so expect to see pricing be slightly lower although it will run Android 2.1.

It also appears HTC will be releasing an update for the Eris to push it to Android 2.0 or 2.1. Of course how quickly Verizon will make the update available is anyone’s guess. If your wondering why running Android 2.x is such a big deal it has several major updates such as supporting multiple Exchange accounts as well as a browser update.

Of course with CES coming up there’s always a lot of news and rumors about new products and not to be outdone Palm is rumored to have a new Palm Pre Plus ready for Verizon. This will be a slightly larger and newer version of the Palm Pre.

Lastly will there be an iPhone for Verizon? It was a given last year but as the year ended most had cast doubts on Verizon’s iPhone plans. There are those however that still see an iPhone in Verizon’s future probably sometime in the summer as Apples releases it’s newest version of the huge successful iPhone. With little to go on the belief is the new iPhones will be smaller, have a 5MP camera, be built by AsusTek vs. Hon Hai which makes the current models, use a Qualcomm hybrid CDMA/WCDMA chip that allows multiple cell carrier signal types  and show up mid year.

Of course let’s not forget to warn anyone looking at Verizon for a new phone they have enacted a new $350 cancellation fee on their “Smartphone” line so if your thinking of buying now and switching if and when they release an iPhone you may want to change those plans.

Word is Dell will keep the Winston-Salem plant open for a few more months allowing around 400 workers a little more breathing room. No further information is out there as of yet but I’m sure we will see local leaders take all the credit somehow.

Adobe Corrects At Least Seven Vulnerabilities in Flash Player and Air

They also warn of a zero day flaw in Illustrator CS3 and CS4

Severity: High

9 December, 2009

Summary:

§ This vulnerability affects: Adobe Flash Player 10.0.32.18 and earlier, running on all platforms. Some flaws also affect Adobe AIR 1.5.2

§ How an attacker exploits it: By enticing your users to visit a website containing malicious Flash content

§ Impact: In the worst case, an attacker can execute code on your computer, potentially gaining control of it

§ What to do: Download and install the latest version of Adobe Flash Player and Air

Exposure:

Adobe Flash Player displays interactive, animated web content called Flash, often formatted as a Shockwave (.SWF) file. Adobe’s Flash Player ships by default with many web browsers, including Internet Explorer (IE). It also runs on many operating systems.

In a security bulletin released on the same day as Microsoft Patch Day, Adobe warned of at least seven critical vulnerabilities that affect Adobe Flash Player 10.0.32.18 for Windows and Macintosh (as well as all earlier versions). Some of the flaws also affect Adobe Air 1.5.2 as well. Adobe’s bulletin refers to seven CVE numbers, which suggests that their update fixes seven security vulnerabilities. The bulletin doesn’t describe the flaws in much technical detail. However, it does warn that if an attacker can entice one of your users to visit a malicious website containing specially crafted Flash content, he could exploit many of these unspecified vulnerabilities to execute code on that user’s computer, with that user’s privileges. If your Windows users have local administrator privileges, an attacker could exploit this flaw to gain full control of their PC. If you use Adobe Flash Player in your network, we recommend you download and deploy the latest version throughout your network as soon as possible.
On a related note, the day before releasing the Flash update, Adobe also released an advisory about a critical buffer overflow vulnerability in Illustrator CS3 and CS4. The flaw has to do with Illustrator’s inability to properly parse specially crafted .EPS files. If an attacker can entice one of your Illustrator users into opening a malicious .EPS file, he can also exploit this flaw to execute code on that user’s computer, with the user’s privileges. There is no patch for this flaw yet. Adobe plans to release one in January.

Solution Path

Adobe has released a new version of Flash Player and Air. Specifically:

§ Flash Player 10.0.42.34

§ Air 1.5.3

If you use these products in your network, we recommend you download and deploy their updates as soon as possible.

I am seeing around a two dozen or more virus laden emails a day right now all with the same general subject lines such as:

“payment request from "Qualcomm" or “payment request from "Google"” or “Your Credit Balance is over its limit”

These all contain a backdoor Trojan in the attachment so again and again I remind everyone to not click those attachments you get in email. I like that “transaction inspector module”, they are always looking for something that will just make people click away, well DON’T!

When you leave messages on your e-mail server, you can choose from several options to delete your messages. To make your choice, you need to consider several factors about your e-mail usage, such as how long you want the messages to be accessible from multiple computers and the storage limits imposed by your e-mail server administrator. If you exceed your storage limit, you might be unable to receive new messages or might be charged additional fees.

Here’s an early Christmas present for all those going in and out of Greensboro, Piedmont Triad Airport, FREE Wifi courtesy of Google. Unlike the typical $10 or more per day to get that twenty minutes of browsing before your flight you will be able to check that last email all thanks to Google. On top of this if your flying Virgin America, probably not for most of us, you will also be able to browse the Internet on any flight.

Word of warning as I’ve posted here before on using public WiFi:

• Always use a software firewall, XP’s built in Firewall will suffice
• Do not browse any site where you will enter private data unless that site is SSL, even then there is a risk of a man in the middle attack
• NEVER send private data via email, on a Public WiFi or not!
• Always assume your browsing is monitored when on a Public WiFi