Hello and welcome to the CERTStation Podcast for the 15th week of 2010. I am Jay Johnson and these are the headlines:

Microsoft Patch Tuesday (pause)
Adobe Patch Tuesday to bring automatic updates while
Fake Antivirus Software Spreads on Facebook (pause)
Apache Foundation Hit By Targeted Attack and Finally
First Anti-virus solution for iPad

And now for this week's newswire details
Microsoft on Tuesday released its Security Advisory for April, which included 11 updates to address 25 vulnerabilities. Impacting popular Microsoft products such as Windows, Microsoft Office and Microsoft Exchange, the software maker deemed five updates critical, another five were considered important and one was ranked moderate. Microsoft recommended in a statement that customers give priority to MS10-019, MS10-026 and MS10-027. Microsoft recommends that customers deploy all security updates as soon as possible. However, Microsoft's guidance on deployment priority is that customers should consider MS10-019, MS10-026 and MS10-027 as the top priority bulletins for April, the company stated in a press release about the security bulletin. According to Microsoft, MS10-019 affects all versions of Windows. The company explains that the issue would allow an attacker to alter signed executable content (PE and CAB files) without invalidating the signature. MS10-026 is a critical update on Windows 2000, XP, Server 2003 or Server 2008, but does not affect Windows 7, Windows Server 2008 R2 or Itanium devices of Windows Server 2008 and Windows Server 2003, Microsoft says. The vulnerability addressed by this update could be triggered simply by visiting a web page hosting a specially crafted AVI file that begins streaming when the page loads. Furthermore Microsoft says that MS10-027 addresses a vulnerability that could be exploited by simply visiting a specially crafted web page, and the update affects only Windows 2000 and Windows XP users. Microsoft also updated its Malicious Software Removal Tool to provide capability to remove Win32/Magania, a password-stealing Trojan.

(pause)
Adobe fixed 15 security flaws in its Reader and Acrobat software for viewing PDF files. The software maker rated the update critical, meaning attackers can exploit the bugs to take control of end users' computers. The updates fix vulnerabilities involving cross-site scripting, memory corruption, font handling, buffer overflow and denial-of-service issues. They affect Reader 9.3.1 for Windows, Mac, and Unix, Acrobat 9.3.1 for Windows and Mac, and Reader 8.2.1 and Acrobat 8.2.1 for Windows and Mac. Adobe provides more information on its update and patch services in a blog post. Adobe also unveiled a feature that would automatically install Reader and Acrobat updates. It may take as long as seven days for the auto updater to be activated on its own, but users can manually kick start the process by opening the applications and choosing check for updates from the help menu. Then the updater will query Adobe servers every three days, which should ensure that patches are automatically installed no more than 72 hours after they're released.

(pause)
A malicious advertisement has been found within an application for Facebook that redirected users to fake antivirus software, according to a security researcher. The banner advertisement for greeting cards was intermittently displayed with an application called Farm Town, which has more than 9 million monthly users according to information published on Facebook. If the bad Shockwave Flash advertisement was displayed, the user was redirected from Facebook through several domains and ended up on a web site selling fake antivirus software. Fake antivirus sites usually tell users their computers are infected and implore them to download the software, which is often completely ineffective. Consumers are charged as much as US$70 for the software, which is also difficult to remove, and have trouble recovering their money. There are hundreds of fake antivirus programs, and security experts estimate it is a multimillion dollar industry. Panda Security wrote in a report last year that as many as 35 million computers worldwide may be infected with fake antivirus programs each month.

(pause)
The Apache Foundation, a nonprofit organization that supports open source software projects and is itself supported by important companies like Google, Yahoo, Microsoft, HP, and Facebook, has been attacked, and the Apache Infrastructure Team warned people today that some passwords were compromised in the process. The team stated in an incident report, "If you are a user of the Apache hosted JIRA, Bugzilla, or Confluence, a hashed copy of your password has been compromised." Changing passwords immediately is the recommended course of action. As for what happened, the team provided an impressive amount of information, but we'll just hit the highlights here. Apparently a URL redirect was used in combination with a cross-site scripting attack, and a brute force password attack was conducted at the same time. The attackers then collected some users' passwords, and were able to turn around and access even more systems. The Apache Infrastructure Team has a good handle on how to address these problems, though, and has indeed already taken several important steps. By being so forthcoming about the incident, the team has probably saved a few other organizations from falling victim to similar attacks, too.

(pause)
Mac security specialist Intego has begun offering the first antivirus scanner capable of inspecting Apple's much-hyped iPad, despite the questionable need for security scans on the device. The iPad, which Apple began selling in the US last weekend, runs on the same operating system as the iPhone. Only jailbroken iPhones with default passwords have ever been infected with malware and even then only by a handful of high-profile worms, such as the Rickrolling worm in Australia and the D'oh bank credential stealing worm in the Netherlands, which both spread last November. Whether either of these worms might be capable of infecting an iPad is unclear. Intego acknowledges there is no iPad malware to defend against as yet but argues it will be ready if and when the threat materializes. Intego's VirusBarrier X6 offers anti-virus protection for Mac PCs. A maintenance update to the software on Tuesday means that once an iPad is connected to a Mac the technology can copy files from the device and scan them to look for exploit code in files. Suspicious files are quarantined on the Mac and deleted from the iPad. Earlier updates along the same lines allowed files held on an iPhone to be scanned for problems. Intego's VirusBarrier X6 was promoted as the first anti-malware program to scan iPhones and iPod touches. Now it gains the same bragging rights on the iPad. Hundreds of malware strains are capable of infecting Mac-based PCs, compared to millions of Windows-specific malware varieties. Intego competes in the market to sell anti-virus software for Macs against the likes of Symantec and more recently Kaspersky.

If you enjoyed this podcast why not visit CERTStation.com and check out our free Internet Security Dashboard. In the meantime this is your host Jay Johnson wishing you a safe and secure week.