January 31st, 2009
The Conficker worm, also known as Downadup, has grown from 2 million to over 8.6 million infected computers since we first discussed it here on December 18th.
Conficker primarily spreads through a Windows vulnerability (MS08-067) which, if unpatched, allows the worm to attack the Windows file sharing service. Conficker variants have also been discovered that spread through removable media like USB flash drives. Most businesses have some form of firewall to protect their computers from direct Internet access, but if a machine behind your firewall is infected, that machine has full access to attack other internal computers. Possible sources of infection on a network are laptops, flash drives that have been used on infected machines, or Conficker being installed by other web- or email-based spyware.
Until now Conficker has been content to just rack up the number of infected machines, but the infected machines can be centrally controlled as a botnet. Infected machines in the Conficker botnet could be used to do a number of nasty things, from sending spam to attacking computer networks, spying on infected users, or even destroying data. Since the infected machines are calling home looking for instructions, we do not know how they could be used until marching orders are given.
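One way to spot the internal spread described above is to look for a workstation that suddenly contacts many different internal machines over Windows file sharing. The following is an added example, not part of the original post; the log format, the `192.168.1.0/24` network and the threshold of 5 are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")  # assumed office LAN
SMB_PORTS = {139, 445}   # TCP ports used by Windows file sharing
FANOUT_THRESHOLD = 5     # assumed: distinct internal targets before flagging

# Constructed sample log (timestamp src dst dst_port action); not real traffic.
SAMPLE_LOG = """\
2009-01-31T09:00:01 192.168.1.23 192.168.1.10 445 ALLOW
2009-01-31T09:00:07 192.168.1.23 192.168.1.10 445 ALLOW
2009-01-31T09:01:12 192.168.1.50 192.168.1.1 445 ALLOW
2009-01-31T09:01:12 192.168.1.50 192.168.1.2 445 ALLOW
2009-01-31T09:01:13 192.168.1.50 192.168.1.3 445 DENY
2009-01-31T09:01:13 192.168.1.50 192.168.1.4 445 ALLOW
2009-01-31T09:01:14 192.168.1.50 192.168.1.5 139 ALLOW
2009-01-31T09:01:14 192.168.1.50 192.168.1.6 445 ALLOW
2009-01-31T09:02:30 192.168.1.31 203.0.113.9 80 ALLOW
truncated line
"""

def parse_line(line):
    """Return (src, dst, port), or None for a malformed line."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return (ipaddress.ip_address(parts[1]),
                ipaddress.ip_address(parts[2]), int(parts[3]))
    except ValueError:
        return None

def smb_fanout(log_text):
    """Map each internal source to the internal hosts it tried over file sharing."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, port = rec
        # Denied attempts count too: the attempt itself is the signal.
        if port in SMB_PORTS and src in INTERNAL_NET and dst in INTERNAL_NET:
            targets[str(src)].add(str(dst))
    return targets

def suspected_spreaders(log_text, threshold=FANOUT_THRESHOLD):
    """Internal hosts contacting many distinct peers over file sharing."""
    fanout = smb_fanout(log_text)
    return sorted(s for s, dsts in fanout.items() if len(dsts) >= threshold)
```

A workstation that talks to one file server stays below the threshold, while a host sweeping the subnet is flagged; servers and management tools that legitimately reach many machines need to be excluded before acting on the result.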
Here is a list of things you can do to verify you do not have this bug, and help protect yourself in the future:
1. Install Microsoft Critical Updates upon their release.
If Microsoft has released a fix, virus writers will reverse engineer the fix to understand the problem Microsoft is fixing. The virus writer can then write a virus to take advantage of the problem and attack those people that do not update their systems.
2. Make sure each computer’s Anti-Virus is up to date.
If you notice your computer has not updated its virus definitions, and you cannot get them to update, have someone look at that PC immediately. One of the things Conficker does is block access to the download sites of the anti-virus software so infected machines cannot get updates.
3. Scan your computers with both anti-virus and anti-spyware software.
If you have questions about Conficker, the current updates, or any computer support troubles, please call us at 989-791-3400 or email us at support@creativenetcare.com.
Tags: Conficker, Downadup, Microsoft, Windows, Windows Update
December 18th, 2008
As we discussed last week, this is one of the two exploits in the wild that Microsoft had acknowledged but had not yet fixed. Yesterday, Microsoft noted that they have documented a botnet made up of up to 2 million compromised PCs due to this vulnerability. For more information, here is a Microsoft article discussing this exploit in the wild.
Microsoft released a series of patches covering Windows 2000/XP/2003/2008/Vista and Internet Explorer versions from 5.0 through the newly released beta version of IE 8 today at 10am. Because these updates are being released outside of the normal release timeframes, Microsoft is encouraging that the updates for MS08-078 dated 12/17/2008 be applied as soon as possible.
Tags: Conficker, Downadup, Internet Explorer, Microsoft, Windows Update
December 11th, 2008
After releasing the largest single batch of critical patches in several years, Microsoft has also issued two security advisories detailing security problems that have not been patched yet. One is a vulnerability in Internet Explorer, and the other is in Microsoft WordPad. Microsoft notes that they have seen exploits for both problems in the wild, but they are not far-reaching at this time. Other security blogs are saying that the source code to take advantage of these holes has been released to the public, so both of these issues will be exploited more, especially if Microsoft waits to patch them.
Microsoft normally likes to hold patches for testing purposes before releasing them for public use. Patches are normally released on Tuesday, hence the name Patch Tuesday. Sometimes vulnerabilities occur that require a more immediate response. If that is the case, Microsoft will release patches before Tuesday, but this does not happen often.
Considering the release of exploit code for these problems, I would assume we may see out-of-band releases for both of these problems sooner rather than later.
For More Information: (Word Pad Advisory 960906) (Internet Explorer Advisory 961051)
Tags: Microsoft, Windows Update
December 11th, 2008
On Tuesday, Microsoft issued 28 vulnerability fixes and labeled 23 of them Critical. Three of the other five patches are labeled Important. The patches were issued in eight updates for Windows, Internet Explorer, Office, SharePoint, Windows Media, Visual Basic and Visual Studio. Most of the vulnerabilities represent security holes that allow an attacker or malware to take over unpatched systems.
Normally we hold and review patches released on Tuesday until any bugs are found and discussed on newsgroups. Once we have reviewed the patches, we normally release selected patches on Friday afternoon for install over the weekend.
After reviewing these patches and their potential risks, we have released them for install tonight for our NetCare customers. We recommend that you implement any changes released by Microsoft on 12/9/08 to close these vulnerabilities. Normal install for Microsoft updates would be through Windows Update or a WSUS server.
For more information, see the Microsoft Release Notes.
Tags: Microsoft, Windows Update
December 6th, 2008
Sun has released updates for Java SE. These updates address multiple security issues in Java Runtime Environment (JRE) and Java SE Development Kit (JDK).
Note that the Sun security alerts corresponding to the specific vulnerabilities addressed in this update are not available at the time of this entry.
While we maintain all NetCare customers at the current build of version 6.0, some applications may require older family versions to be maintained. If so, here are the minimum secure builds for each maintained family version. New versions should be installed, and older releases should be removed when possible to close security concerns.

| JRE Family Version | Minimum Build |
| --- | --- |
| 6.0 | 1.6.0_11 |
| 5.0 | 1.5.0_17 |
| 1.4.2 | 1.4.2_19 |
Please review Java SE 6 Release Notes and apply any necessary updates.
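The minimum builds in the table above can be checked against a list of installed JRE versions. This is an added example, not part of the original post; the host names and installed versions in `INVENTORY` are constructed, and version strings are assumed to be in the form reported by `java -version` (for example `1.6.0_07`).

```python
import re

# Minimum secure build per JRE family, taken from the table above.
MIN_SECURE = {"6.0": (1, 6, 0, 11), "5.0": (1, 5, 0, 17), "1.4.2": (1, 4, 2, 19)}
FAMILY_OF = {(1, 6, 0): "6.0", (1, 5, 0): "5.0", (1, 4, 2): "1.4.2"}

# major.minor.micro, optional _update, optional build suffix such as -b03
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-[\w.]+)?$")

def parse_jre(version):
    """Return (major, minor, micro, update) or None if the string is not a JRE version."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))

def check_jre(version):
    """Classify one installed version against the minimum build for its family."""
    parsed = parse_jre(version)
    if parsed is None:
        return "unparseable"
    family = FAMILY_OF.get(parsed[:3])
    if family is None:
        return "unlisted-family"   # no minimum build is given for this family
    return "ok" if parsed >= MIN_SECURE[family] else "below-minimum"

# Constructed inventory: host name -> installed JRE versions (hypothetical hosts).
INVENTORY = {
    "FRONTDESK": ["1.6.0_11"],
    "ACCT-02": ["1.6.0_07", "1.5.0_17"],
    "LAB-01": ["1.4.2_08-b03", "1.3.1_20"],
}

def audit(inventory):
    """Return (host, version, status) for every install that is not 'ok'."""
    findings = []
    for host, versions in sorted(inventory.items()):
        for version in versions:
            status = check_jre(version)
            if status != "ok":
                findings.append((host, version, status))
    return findings
```

Comparing the update number as an integer matters here: as text, `1.6.0_7` would sort after `1.6.0_11`.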
Tags: Java, Sun
December 6th, 2008
Adobe has released a security bulletin to address a vulnerability in Adobe AIR. This vulnerability can be triggered if an Adobe AIR application loads data from an untrusted source. Exploitation of this vulnerability may allow a remote attacker to execute JavaScript code with elevated privileges.
Adobe AIR is an application development platform that allows AIR applications to run on your desktop whether you are connected to the Internet or not. Adobe pushed their AIR software out as part of the upgrade to their Adobe Acrobat Reader version 8.0 and above. The AIR platform is not a necessary utility for business computing. We currently remove it immediately after installing Acrobat Reader.
We encourage users to consider removing AIR from Add/Remove Programs. If you use the AIR platform, please review Adobe Security Bulletin APSB08-23 and upgrade to Adobe AIR 1.5 to help close the vulnerability.
Tags: Adobe, AIR
December 6th, 2008
Symantec has released a security advisory to address multiple vulnerabilities for Symantec Backup Exec. These vulnerabilities may allow an attacker to gain access to or modify information, cause a denial of service, or potentially execute arbitrary code.
The attacker would need to be able to connect directly over the network to servers running Backup Exec or its agent software. Since most servers running this software are protected by a firewall, the risk is limited to internal network stations being compromised and used as a platform to attack the servers with Backup Exec.
Affected Products
| Product | Version | Build | Solution |
| --- | --- | --- | --- |
| Symantec Backup Exec for Windows Server | 12.5 | 2213 | Hotfix Available |
| Symantec Backup Exec for Windows Server | 12 | 1364 | Hotfix Available |
| Symantec Backup Exec for Windows Server | 11d | 7170 | Hotfix Available |
| Symantec Backup Exec for Windows Server | 11d | 6235 | Hotfix Available |
Note: ONLY the product versions and builds listed above as affected are vulnerable to these issues. This impacts the remote agents present on both Media servers and Remote backup hosts.
Symantec has ranked this as High Severity. For more information, see Symantec Security Advisory SYM08-021.
Tags: Backup Exec, Symantec
December 2nd, 2008
The Internet marked an infamous anniversary on November 2nd, 2008. Twenty years earlier, the first replicating program designed to infect network-connected computers was released onto an unsuspecting Internet. This program was called the Morris Worm after the 20-year old Cornell University student, Robert Morris, who designed and released the program. The term Worm came from the ability of the program to move from computer to computer on its own, and it was the prototype of several different types of viruses, spyware, and worms that we see today.
The Worm quickly exploited known weaknesses in common computer programs and disabled 10% of all Internet-connected systems, which were estimated at more than 60,000 machines. In 1988, when the Morris Worm was released, the Internet was primarily made up of only researchers and government agencies.
Unfortunately, the types of vulnerabilities that Robert Morris took advantage of twenty years ago still exist in the programs we use today. The difference is that software manufacturers and computer security professionals now look for these problems and offer fixes for them. Today’s problem is tracking vulnerabilities as they are found and applying the fixes before someone can take advantage of them to compromise your computers.
Just this past week, security professionals found a new worm exploiting a critical Windows bug (Microsoft Security Bulletin MS08-067) to build a new botnet. Botnets are large groups of infected systems that are under the control of the virus writer and can be used to disrupt other systems or send spam. Called “Conficker.a” by Microsoft, the worm infects network-connected PCs that have not been patched for a vulnerability that Microsoft patched with an emergency fix in late October. Researchers estimate the number of infected systems to be around 500,000. If the infected machines had been patched back in October, this would never have occurred.
At Creative Computing, we have decided to provide a new service called NetWatch that will act as an Emergency Broadcast System for critical computer updates from Microsoft and other common software programs used by our business clients. Monitoring security websites, blogs and mailing lists is something we do at Creative Computing to support our NetCare clients. As new fixes are made available we will review them for stability and let NetWatch subscribers know that new patches are ready and need to be applied to their systems.
The best part about NetWatch is that the service is completely Free! Once you sign up we will begin delivering updates about critical patches to your inbox. You will still have to apply the updates, but at least you will know which ones to apply and when you should. We hope NetWatch will be a useful service to help you stay on top of security events as they happen. As always we welcome any feedback and ways that NetWatch could be improved.
To sign up for the NetWatch service, please click the following link:
http://creativenetcare.com/netwatch-signup
Tags: NetWatch, Patches, Windows Update