Sunday, July 29, 2012

Get a Second Opinion from Virus Total

It is not uncommon for an antivirus or anti-malware program to report a f/p (false positive) in a scan. In the event a file that has been on your computer for some time suddenly turns up during a scan, the first recommendation is quarantine rather than removal. If it is a f/p, the file can be restored from quarantine, but it cannot easily be replaced if it was deleted, particularly if it is a critical system file.

How can you determine if the detection is a f/p? There are various vendors that provide free on-line computer scans but, in this case, we are looking at one particular file. Among the many services VirusTotal provides is the ability to navigate to a specific file on the PC and send it to VirusTotal. As you can see from this example, not every service was detecting this Zbot variant when it was submitted.

To scan an individual file at VirusTotal, go to the VirusTotal site and navigate to the location of the file on your computer. After the file is uploaded, click the Scan it! button.
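The same second opinion can be obtained without uploading anything, because VirusTotal can be asked about a file by its hash. The script below is an added example and is not part of the original post or of VirusTotal's own tooling. It assumes the current VirusTotal v3 REST API (GET /api/v3/files/{hash} authenticated with an x-apikey header), the Get-FileHash cmdlet (Windows PowerShell 4.0 or later), and that $Path and $ApiKey are supplied by the caller; both are placeholders, not real values.

```powershell
# Added example, not from the original post or from VirusTotal.
# Looks up a quarantined file on VirusTotal by its SHA-256 before uploading it,
# so a known file gets an instant verdict and an unknown one is clearly flagged.
# Assumptions: VirusTotal v3 API (GET /api/v3/files/{hash}, x-apikey header),
# Get-FileHash (PowerShell 4.0+), $Path and $ApiKey supplied by the caller.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    [Parameter(Mandatory = $true)][string]$ApiKey
)

# Hash locally first: the hash alone identifies the exact file, so nothing
# needs to leave the machine to ask whether VirusTotal has already seen it.
$sha256 = (Get-FileHash -Path $Path -Algorithm SHA256).Hash.ToLower()
Write-Host "SHA-256 of $Path : $sha256"

try {
    $report = Invoke-RestMethod -Method Get `
        -Uri "https://www.virustotal.com/api/v3/files/$sha256" `
        -Headers @{ 'x-apikey' = $ApiKey }
} catch {
    # 404 means no prior analysis: this is the case where a web upload is
    # needed, and where a single detection deserves the most scepticism.
    if ($_.Exception.Response -and [int]$_.Exception.Response.StatusCode -eq 404) {
        Write-Host "VirusTotal has no report for this hash; submit the file via the website for a fresh scan."
        return
    }
    throw
}

$attr  = $report.data.attributes
$stats = $attr.last_analysis_stats
$verdicts = $stats.malicious + $stats.suspicious + $stats.undetected + $stats.harmless
Write-Host ("Detections: {0} malicious, {1} suspicious, out of {2} engines that returned a verdict" -f `
    $stats.malicious, $stats.suspicious, $verdicts)
if ($attr.meaningful_name) { Write-Host "Known as: $($attr.meaningful_name)" }

# Which engines flagged it, and under what name.  One lone, generic detection
# on a file that has sat untouched for months is the classic false-positive
# pattern; many engines agreeing on a family name (as with the Zbot sample
# described above) is not.
$attr.last_analysis_results.PSObject.Properties |
    Where-Object { $_.Value.category -in 'malicious', 'suspicious' } |
    Sort-Object Name |
    ForEach-Object { '{0,-24} {1}' -f $_.Name, $_.Value.result }
```

Save the script as, for example, Get-VtVerdict.ps1 and run it with the path of the quarantined copy and your API key. The detection list is the part worth reading: the ratio alone does not distinguish a stale heuristic hit from a real infection, but the engine names and family labels usually do.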

There is more to VirusTotal than scanning individual files. With so many malicious websites, there are occasions when you may want to check whether a site is safe before visiting. VirusTotal also includes the ability to scan URLs. In addition to the Malware Domain Blocklist being integrated in VirusTotal's URL scanning engine, it also includes hpHosts.

hpHosts is maintained by my friend and fellow Microsoft Consumer Security MVP, Steve Burn. The activities that result in domains being included by hpHosts are described at VirusTotal as follows:

  • "Domains being used for advert or tracking purposes.
  • Domains engaged in the distribution of malware (e.g. adware, spyware, trojans and viruses etc).
  • Sites engaged in or alleged to be engaged in the exploitation of browser and OS vulnerabilities as well as the exploitation of gray-matter.
  • Sites engaged in the selling or distribution of bogus or fraudulent applications.
  • Sites engaged in astroturfing otherwise known as grass roots marketing.
  • Persons caught spamming the hpHosts forums.
  • Sites engaged in browser hijacking or other forms of hijacking (OS services, bandwidth, DNS, etc.).
  • Sites engaged in the use of misleading marketing tactics.
  • Sites engaged in Phishing.
  • Sites engaged in the selling, distribution or provision of warez (including but not limited to keygens, serials etc), where such provisions do not contain malware."

The next time you are unsure of the safety of a website, go to VirusTotal and Scan it!

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Tuesday, July 17, 2012

Mozilla Firefox 14 Includes Critical Security Updates

Firefox 14 was sent to the release channel today by Mozilla.  Included in the update are five (5) critical, four (4) high, and five (5) moderate security updates.

Based on the extensive list of security updates, it is recommended that the update be applied as soon as possible.  

Security Updates Fixed in Firefox 14

  • MFSA 2012-56 Code execution through javascript: URLs
  • MFSA 2012-55 feed: URLs with an innerURI inherit security context of page
  • MFSA 2012-53 Content Security Policy 1.0 implementation errors cause data leakage
  • MFSA 2012-52 JSDependentString::undepend string conversion results in memory corruption
  • MFSA 2012-51 X-Frame-Options header ignored when duplicated
  • MFSA 2012-50 Out of bounds read in QCMS
  • MFSA 2012-49 Same-compartment Security Wrappers can be bypassed
  • MFSA 2012-48 use-after-free in nsGlobalWindow::PageHidden
  • MFSA 2012-47 Improper filtering of javascript in HTML feed-view
  • MFSA 2012-46 XSS through data: URLs
  • MFSA 2012-45 Spoofing issue with location
  • MFSA 2012-44 Gecko memory corruption
  • MFSA 2012-43 Incorrect URL displayed in addressbar through drag and drop
  • MFSA 2012-42 Miscellaneous memory safety hazards (rv:14.0/ rv:10.0.6)

What's New

The Release Notes include new and fixed features in version 14.  The numerous Bug Fixes are in the link available in References.

Known Issues

  • Unresolved -- If you try to start Firefox using a locked profile, it will crash (see 573369)
  • Unresolved -- For some users, scrolling in the main GMail window will be slower than usual (see 579260)
  • Unresolved -- Focus rings keep growing when repeatedly tabbing through elements (see 720987)
  • Unresolved -- Windows: The use of Microsoft's System Restore functionality shortly after updating Firefox may prevent future updates (see 730285)

To upgrade to Firefox 14 now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.

If you do not use the English language version, Fully Localized Versions are available for download.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Thursday, July 12, 2012

Adobe Flash Player Stability, Bug Fix Update

Adobe Flash Player version 11.3.300.265 includes bug fixes related to general stability, audio, and video.  No security updates were included in this release.  The update also introduces silent auto update on MacOS.

Fixed Issues

  • Upload button not working on (3223953)
  • Audio is garbled in Win XP on certain sound cards (3223249)
  • Audio not heard while playing videos in Flash Player on Win 7 and Vista on certain sound cards (3223256)
  • Video not playing for DisneyConnection (3223286)
  • Various general stability issues

Known Issues

  • Audio distortion issues when streaming Flash content (3212648)

Flash Player Update Instructions

Although Adobe suggests downloading the update from the Adobe Flash Player Download Center or by using the auto-update mechanism within the product when prompted, if you prefer, direct download links are available.

  • Beginning with Adobe Flash Version 11.3, the universal 32-bit installer includes both the 32-bit and 64-bit versions of the Flash Player.
  • If you use the Adobe Flash Player Download Center, be careful to uncheck the optional McAfee Security Plus box.  It is not needed for the Flash Player update.
  • Uncheck any toolbar offered with Adobe products if not wanted.
  • If you use alternate browsers, it is necessary to install the update for Internet Explorer as well as the update for alternate browsers.
  • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.

The latest version of Adobe Flash Player for Android is available from the Android Marketplace by browsing to it on a mobile phone.

Verify Installation

To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu.

Do this for each browser installed on your computer.

To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

When Adobe Flash Player is updated, it is recommended that the Adobe AIR version be checked as well.  Go to Adobe AIR Help to determine the version of the Adobe AIR runtime installed.  The current version of Adobe AIR is

Release Notes

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Tuesday, July 10, 2012

Microsoft Security Advisory 2719662, Gadget Vulnerability

Microsoft released KB Article 2719662, which relates to the Windows Sidebar and Gadgets on supported versions of Windows Vista and Windows 7.  Microsoft has discovered that some Windows Vista and Windows 7 gadgets do not adhere to secure coding practices and should be regarded as causing risk to the systems on which they’re run.

Insecure Gadgets or Gadgets installed from untrusted sources can harm your computer and can access your computer's files, show you objectionable content, or change their behavior at any time.

As described in the Security Advisory:
"An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

Microsoft Fix it

As a work-around, particularly for IT Administrators, Microsoft has provided a Microsoft Fix it solution that blocks the attack vector for this vulnerability.

The Fix it solution is available from Microsoft KB Article 2719662, with direct links to the download files to enable and disable the solution below.  I suggest that you save both files so that you can disable the solution prior to installing the update when it is released.

Edit Note:  Report from (H/T: Siljaline).
"FYI: Microsoft has switched the Enable and Disable Fix-Its. 50906 enables the Fix It. 50907 disables the Fix It."

  • Fix this problem: Microsoft Fix it 50907
  • Fix this problem: Microsoft Fix it 50906

HatTip:  ky331

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Microsoft July 2012 Security Bulletin Release

Microsoft released nine (9) bulletins, of which three bulletins are identified as Critical and the remaining as Important.  Several of the updates require a restart.

The bulletins address sixteen (16) vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, and Visual Basic for Applications.

Note:  MS12-043 (Microsoft XML Core Services) addresses the issues in Security Advisory 2719615.  This critical update affects all supported versions of Windows.  If you installed the Microsoft Fix it solution described in the Security Advisory, apply the Disable solution, Microsoft Fix it 50898, after installing the security update.

Security Bulletins

Bulletin No.   Bulletin Title                                      Bulletin KB
MS12-043       Vulnerability in Windows                            2722479
MS12-044       Cumulative Security Update for Internet Explorer    2719177
MS12-045       Vulnerability in Windows                            2698365
MS12-046       Vulnerability in Office                             2707960
MS12-047       Vulnerabilities in Windows                          2718523
MS12-048       Vulnerability in Windows                            2691442
MS12-049       Vulnerability in Windows                            2655992
MS12-050       Vulnerabilities in Office                           2695502
MS12-051       Vulnerability in Office                             2721015

The following additional information is provided in the Security Bulletin:

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Saturday, July 07, 2012

WinPatrol 2012, v25 Released!

New features, updates and fixes are included in the latest version of WinPatrol.  The two new features are a direct result of malware like Stuxnet and Flame, as well as the FakeHDD family of rogues, which hide and disable security programs.

Before getting to the new features, here is a quick look at the updates/fixes in this release of WinPatrol 2012.

Updates/Fixes in WinPatrol 2012

Delayed Start-up Programs -- Bugs related to the Delayed Start feature, particularly on 64-bit operating systems, have been fixed so that programs aren’t lost when moving a program from Delayed back to its original status, and the program's parameter is properly returned.

Windows XP Kill Task -- The Kill Task feature has been problematic on Windows XP systems for some time.  Bill learned that Microsoft changed the value of one of the parameter masks used in a function called OpenProcess.  Successful tests by Windows XP users verify that the feature is again working as expected.

Company Name, Details and Correct Path -- The bug for properly displaying the company name of installed programs on Windows 64-bit computers has been resolved.

Misc Fixes -- The bug that removed WinPatrol as a Start-up program has been fixed.

New Features in WinPatrol 2012

The Uninstall Detection feature is available only to WinPatrol PLUS users.  The Start Program Removed Detection is available to all users.  Both features are optional.  Legitimate alerts may occur during software updates or when you choose to remove software.

Uninstall Detection

The new WinPatrol v25 tracks programs that have been installed on your system and monitors the location Windows uses to store Uninstall information.  This location includes the path to the Uninstall command, which is often used by malware to remove a program silently.  WinPatrol will let you know the names of any programs which are removed.

Start Program Removed Detection

All WinPatrol users can benefit from the often requested option of Start program removal detection.  WinPatrol was the first program to let users know if a new auto start-up program had been added.  Now WinPatrol will also let you know if another program has removed one of your Start-up programs.  One of the common behaviors of malware is to reduce the possibility of being detected by Anti-Virus or security software, and it is common for new malware to remove programs from your auto start-up list.
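Both detections boil down to the same idea: record what the Run keys and the Uninstall key contain, and raise an alert when an entry disappears. The script below is an added example written for this post; it is not WinPatrol's code and does not show how WinPatrol implements the feature. It assumes the standard registry locations listed in the script (the HKLM and HKCU Run keys, their WOW6432Node counterparts, and the Uninstall keys), and $SnapshotPath is a placeholder location chosen for the example.

```powershell
# Added example, not WinPatrol's own code: a minimal version of the two
# detections described above.  It snapshots the auto start-up (Run) keys and
# the Uninstall key, saves them as JSON, and on the next run reports any entry
# that has been removed (or added) since the previous snapshot.
# Assumptions: the standard registry locations below; $SnapshotPath is a
# placeholder location chosen for this example.
param([string]$SnapshotPath = "$env:LOCALAPPDATA\startup-snapshot.json")

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall'
)
# Properties the registry provider adds to every Get-ItemProperty result.
$providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-StartupEntries {
    # One entry per Run value: "key\valuename" -> command line.
    $entries = @{}
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($prop.Name -in $providerProps) { continue }
            $entries["$key\$($prop.Name)"] = [string]$prop.Value
        }
    }
    return $entries
}

function Get-UninstallEntries {
    # One entry per installed program: subkey -> display name plus the
    # uninstall command line that malware may invoke to remove it silently.
    $entries = @{}
    foreach ($key in $uninstallKeys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($sub in Get-ChildItem -Path $key) {
            $p = Get-ItemProperty -Path $sub.PSPath
            if ($p.DisplayName) {
                $entries["$key\$($sub.PSChildName)"] = "$($p.DisplayName) | $($p.UninstallString)"
            }
        }
    }
    return $entries
}

function Compare-Snapshot([hashtable]$Old, [hashtable]$New, [string]$Label) {
    foreach ($name in $Old.Keys) {
        if (-not $New.ContainsKey($name)) { Write-Warning "$Label removed: $name  [$($Old[$name])]" }
    }
    foreach ($name in $New.Keys) {
        if (-not $Old.ContainsKey($name)) { Write-Warning "$Label added: $name  [$($New[$name])]" }
    }
}

function ConvertTo-Hashtable($obj) {
    # ConvertFrom-Json returns PSCustomObjects; rebuild hashtables for lookups.
    $h = @{}
    if ($obj) { foreach ($p in $obj.PSObject.Properties) { $h[$p.Name] = $p.Value } }
    return $h
}

$current = @{ Startup = Get-StartupEntries; Uninstall = Get-UninstallEntries }

if (Test-Path $SnapshotPath) {
    $previous = Get-Content -Path $SnapshotPath -Raw | ConvertFrom-Json
    Compare-Snapshot (ConvertTo-Hashtable $previous.Startup)   $current.Startup   'Start-up program'
    Compare-Snapshot (ConvertTo-Hashtable $previous.Uninstall) $current.Uninstall 'Installed program'
} else {
    Write-Host "No previous snapshot; recording a baseline in $SnapshotPath"
}

$current | ConvertTo-Json -Depth 3 | Set-Content -Path $SnapshotPath
```

The first run only records a baseline; every later run (for example from a scheduled task) prints a warning for each start-up program or installed program that has vanished since the last snapshot. As the post notes for WinPatrol itself, deliberate uninstalls and software updates produce the same warnings, so the value lies in a removal you did not expect, particularly of a security product.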


I was in the process of testing a new version of ESET Smart Security, which ended up being an opportune time to test detection of removal by WinPatrol.  Below is a copy of the notification received when I was using the Windows Uninstall feature.

As you can see, there is a check box to turn off Uninstall Alerts.

If you are doing system maintenance which includes intentionally removing several programs and wish to temporarily disable the notifications from WinPatrol, merely un-check the box in the notification above or on the Start-up Programs tab.  Don't forget to re-check the option when you are finished.

---> Download WinPatrol 2012 <---

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Is Your Internet Connection in Jeopardy?

There have been warnings for months about the impending take-down of the temporary DNS servers that the FBI put into place to provide Internet connections to the thousands of computers that were hijacked by the DNS Changer malware.

The take-down of the FBI servers will occur on Monday, July 9, 2012.  In the event your computer was infected with this malware, you will lose your Internet connection when the servers are taken offline.

What to do

If you have not checked your computer yet to find out if it is infected with the DNS Changer trojan, it is important to visit the DCWG site.  DCWG has a list of links to security organizations that are maintaining detection sites in local languages.  Each site has instructions on the next steps to clean up possible infections.

Background information is available from the FBI website at FBI — International Cyber Ring That Infected Millions of Computers Dismantled.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...

Thursday, July 05, 2012

Security Bulletin Advance Notice for July, 2012

On Tuesday, July 10, 2012, Microsoft is planning to release nine (9) bulletins, of which three bulletins are identified as Critical and the remaining as Important.  Several of the updates will require a restart.

The bulletins address sixteen (16) vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, and Visual Basic for Applications.

As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...