SecurityGarden


Sunday, July 29, 2012

Get a Second Opinion from Virus Total

Posted on 11:08 AM by Unknown
It is not uncommon for an antivirus or anti-malware program to report a false positive (f/p) during a scan. In the event a file that has been on your computer for some time suddenly turns up during a scan, the first recommendation is to quarantine the file rather than remove it. If it is a f/p, the file can be restored from quarantine, but a deleted file is not easily replaced, particularly if it is a critical system file.

How can you determine if the detection is a f/p? There are various vendors that provide free on-line computer scans but, in this case, we are looking at one particular file. Among the many services VirusTotal provides is the ability to navigate to a specific file on the PC and send it to VirusTotal. As you can see by this example, not every service was detecting this Zbot variant when it was submitted.

To scan an individual file at VirusTotal, just go to https://www.virustotal.com/. Navigate to the location of the file on your computer. After the file is uploaded, click the Scan it! button.

There is more to VirusTotal than scanning individual files. With so many malicious websites, there are occasions when you may want to check whether a site is safe before visiting. VirusTotal also includes the ability to scan URLs. In addition to the Malware Domain Blocklist being integrated in VirusTotal's URL scanning engine, it also includes hpHosts.

hpHosts is maintained by my friend and fellow Microsoft Consumer Security MVP, Steve Burn. The activities that result in domains being included by hpHosts are described at VirusTotal as follows:

  • "Domains being used for advert or tracking purposes.
  • Domains engaged in the distribution of malware (e.g. adware, spyware, trojans and viruses etc).
  • Sites engaged in or alleged to be engaged in the exploitation of browser and OS vulnerabilities as well as the exploitation of gray-matter.
  • Sites engaged in the selling or distribution of bogus or fraudulent applications.
  • Sites engaged in astroturfing otherwise known as grass roots marketing.
  • Persons caught spamming the hpHosts forums.
  • Sites engaged in browser hijacking or other forms of hijacking (OS services, bandwidth, DNS, etc.).
  • Sites engaged in the use of misleading marketing tactics.
  • Sites engaged in Phishing.
  • Sites engaged in the selling, distribution or provision of warez (including but not limited to keygens, serials etc), where such provisions do not contain malware."


The next time you are unsure of the safety of a website, go to VirusTotal and Scan it!



Remember - "A day without laughter is a day wasted."
May the wind sing to you and the sun rise in your heart...


Posted in malware, Phishing, safety, Security, tutorial | No comments

Tuesday, July 17, 2012

Mozilla Firefox 14 Includes Critical Security Updates

Posted on 11:00 AM by Unknown

Firefox 14 was sent to the release channel today by Mozilla.  Included in the update are five (5) critical, four (4) high, and five (5) moderate security updates.

Based on the extensive list of security updates, it is recommended that the update be applied as soon as possible.  

Security Updates Fixed in Firefox 14

    • MFSA 2012-56 Code execution through javascript: URLs
    • MFSA 2012-55 feed: URLs with an innerURI inherit security context of page
    • MFSA 2012-53 Content Security Policy 1.0 implementation errors cause data leakage
    • MFSA 2012-52 JSDependentString::undepend string conversion results in memory corruption
    • MFSA 2012-51 X-Frame-Options header ignored when duplicated
    • MFSA 2012-50 Out of bounds read in QCMS
    • MFSA 2012-49 Same-compartment Security Wrappers can be bypassed
    • MFSA 2012-48 use-after-free in nsGlobalWindow::PageHidden
    • MFSA 2012-47 Improper filtering of javascript in HTML feed-view
    • MFSA 2012-46 XSS through data: URLs
    • MFSA 2012-45 Spoofing issue with location
    • MFSA 2012-44 Gecko memory corruption
    • MFSA 2012-43 Incorrect URL displayed in addressbar through drag and drop
    • MFSA 2012-42 Miscellaneous memory safety hazards (rv:14.0/ rv:10.0.6)

      What's New


      The Release Notes include new and fixed features in version 14.  The numerous Bug Fixes are in the link available in References.

      • NEW -- Google searches now utilize HTTPS
      • NEW -- Full screen support for Mac OS X Lion implemented
      • NEW -- Plugins can now be configured to only load on click (requires an about:config change)
      • NEW -- The Awesome Bar now auto-completes typed URLs
      • CHANGED -- Improved site identity manager, to prevent spoofing of an SSL connection with favicons
      • DEVELOPER -- Pointer Lock API implemented
      • DEVELOPER -- New API to prevent your display from sleeping
      • DEVELOPER -- New text-transform and font-variant CSS improvements for Turkic languages and Greek
      • FIXED -- Various security fixes
      • FIXED -- GIF animation can get stuck when src and image size are changed (743598)
      • FIXED -- OS X: nsCocoaWindow::ConstrainPosition uses wrong screen in multi-display setup (752149)
      • FIXED -- CSS :hover regression when an element's class name is set by Javascript (758885)

       Known Issues

      • Unresolved -- If you try to start Firefox using a locked profile, it will crash (see 573369)
      • Unresolved -- For some users, scrolling in the main GMail window will be slower than usual (see 579260)
      • Unresolved -- Focus rings keep growing when repeatedly tabbing through elements (see 720987)
      • Unresolved -- Windows: The use of Microsoft's System Restore functionality shortly after updating Firefox may prevent future updates (see 730285)

      Update

      The upgrade to Firefox 14.  To get the update now, select "Help" from the Firefox menu at the upper left of the browser window, then pick "About Firefox."  Mac users need to select "About Firefox" from the Firefox menu.

      If you do not use the English language version, Fully Localized Versions are available for download.

      References

      • Common questions after updating Firefox
      • Security Updates
      • Mozilla Firefox Release Notes
      • Bug Fixes 



      Posted in Firefox, Mozilla, Security, Updates, Vulnerabilities | No comments

      Thursday, July 12, 2012

      Adobe Flash Player Stability, Bug Fix Update

      Posted on 11:28 AM by Unknown
      Adobe Flash Player version 11.3.300.265 includes bug fixes related to general stability, audio, and video.  No security updates were included in this release.
      The update also introduces silent auto update on MacOS.

      Fixed Issues


      • Upload button not working on photoshop.com (3223953)
      • Audio is garbled in Win XP on certain sound cards (3223249)
      • Audio not heard while playing videos in Flash Player on Win 7 and Vista on certain sound cards (3223256)
      • Video not playing for DisneyConnection (3223286)
      • Various general stability issues

      Known Issues


      • Audio distortion issues when streaming Flash content (3212648)

      Flash Player Update Instructions

      Although Adobe suggests downloading the update from the Adobe Flash Player Download Center or by using the auto-update mechanism within the product when prompted, if you prefer, direct download links are available.
      • Direct Download link for Firefox, Safari, Opera:  http://download.macromedia.com/pub/flashplayer/current/support/install_flash_player.exe
         
      • Direct Download for IE users:  http://download.macromedia.com/pub/flashplayer/current/support/install_flash_player_ax.exe
      • Flash Player Uninstaller:  http://download.macromedia.com/get/flashplayer/current/support/uninstall_flash_player.exe


        Notes:
        • Beginning with Adobe Flash Version 11.3, the universal 32-bit installer will include the 32-bit and 64-bit versions of the Flash Player.  
        • If you use the Adobe Flash Player Download Center, be careful to uncheck the optional McAfee Security Plus box.  It is not needed for the Flash Player update.
        • Uncheck any toolbar offered with Adobe products if not wanted.
        • If you use alternate browsers, it is necessary to install the update for both Internet Explorer as well as the update for alternate browsers.
        • The separate 32-bit and 64-bit uninstallers have been replaced with a single uninstaller.


        The latest version for Adobe Flash Player for Android is available by downloading it from the Android Marketplace by browsing to it on a mobile phone.

        Verify Installation

        To verify the Adobe Flash Player version number installed on your computer, go to the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe Flash Player" from the menu. 

        Do this for each browser installed on your computer.

        To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.

        When Adobe Flash Player is updated, it is recommended that Adobe AIR version be checked as well.  Go to Adobe AIR Help to determine the version of Adobe AIR runtime installed.  The current version of Adobe AIR is 3.3.0.3610.

        References

        Release Notes  




        Posted in Adobe, Updates | No comments

        Tuesday, July 10, 2012

        Microsoft Security Advisory 2719662, Gadget Vulnerability

        Posted on 11:43 AM by Unknown
        Microsoft released KB Article 2719662 which relates to the Windows Sidebar and Gadgets on supported versions of Windows Vista and Windows 7.  Microsoft has discovered that some Windows Vista and Windows 7 gadgets do not adhere to secure coding practices and should be regarded as causing risk to the systems on which they’re run. 

        Insecure Gadgets or Gadgets installed from untrusted sources can harm your computer and can access your computer's files, show you objectionable content, or change their behavior at any time. 

        As described in the Security Advisory:
        "An attacker who successfully exploited a Gadget vulnerability could run arbitrary code in the context of the current user. If the current user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

        Microsoft Fix it

        As a work-around, particularly for IT Administrators, Microsoft has provided a Microsoft Fix it solution that blocks the attack vector for this vulnerability.

        The Fix it solution is available from Microsoft KB Article 2719662, with direct links to the download files to enable and disable the solution below.  I suggest that you save both files so that you can disable the solution prior to installing the update when it is released.

        Edit Note:  Report from http://www.dslreports.com/forum/r27320136-Microsoft-Security-Advisory-2719662 (H/T: Siljaline).
        "FYI: Microsoft has switched the Enable and Disable Fix-Its. 50906 enables the Fix It. 50907 disables the Fix It."



        Enable:   Microsoft Fix it 50907
        Disable:  Microsoft Fix it 50906

        References

        • MSRC: Gadgets, certificate housekeeping and the July 2012 bulletins
        • Tech Net Advisory: Microsoft Security Advisory (2719662) Vulnerabilities in Gadgets Could Allow Remote Code Execution
        • Knowledge Base Article: Microsoft Security Advisory: Vulnerabilities in Gadgets could allow remote code execution

        HatTip:  ky331


        Posted in Advisory, FixIt, Microsoft, Security, Vulnerabilities | No comments

        Microsoft July 2012 Security Bulletin Release

        Posted on 11:24 AM by Unknown

        Microsoft released nine (9) bulletins, of which three bulletins are identified as Critical and the remaining as Important.  Several of the updates require a restart.

        The bulletins address sixteen (16) vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, and Visual Basic for Applications. 

        Note:  MS12-043 (Microsoft XML Core Services) addresses the issues in Security Advisory 2719615.  This critical update affects all supported versions of Windows.  If you installed the Microsoft Fix it solution described in the Security Advisory, apply the Disable solution,  Microsoft Fix it 50898, after installing the security update.

        Security Bulletins

        Bulletin No.   Bulletin Title                                    Bulletin KB
        MS12-043       Vulnerability in Windows                          2722479
        MS12-044       Cumulative Security Update for Internet Explorer  2719177
        MS12-045       Vulnerability in Windows                          2698365
        MS12-046       Vulnerability in Office                           2707960
        MS12-047       Vulnerabilities in Windows                        2718523
        MS12-048       Vulnerability in Windows                          2691442
        MS12-049       Vulnerability in Windows                          2655992
        MS12-050       Vulnerabilities in Office                         2695502
        MS12-051       Vulnerability in Office                           2721015

        Support

        The following additional information is provided in the Security Bulletin:
        • The affected software listed have been tested to determine which versions are affected. Other versions are past their support life cycle. To determine the support life cycle for your software version, visit Microsoft Support Lifecycle.
        • Security solutions for IT professionals: TechNet Security Troubleshooting and Support
        • Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center
        • Local support according to your country: International Support

        References

        • MSRC: Gadgets, certificate housekeeping and the July 2012 bulletins
        • TechNet: Microsoft Security Bulletin Summary for July 2012
        • Security and Safety Center:  Microsoft security updates for July 2012 




        Posted in Microsoft, Security, Updates, Vulnerabilities | No comments

        Saturday, July 7, 2012

        WinPatrol 2012, v25 Released!

        Posted on 6:45 PM by Unknown
        New features, updates and fixes are included in the latest version of WinPatrol.  The two new features are a direct result of malware like Stuxnet and Flame, as well as the FakeHDD family of rogues, which hide and disable security programs.

        Before getting to the new features, here is a quick look at the updates/fixes in this release of WinPatrol 2012.

        Updates/Fixes in WinPatrol 2012


        Delayed Start-up Programs -- Bugs related to the Delayed Start feature, particularly on 64-bit operating systems, have been fixed so that programs aren’t lost when moving a program from Delayed to its original status and the parameter is properly returned.

        Windows XP Kill Task -- The Kill Task feature has been problematic on Windows XP systems for some time.  Bill learned that Microsoft changed the value of one of the parameter masks used in a function called OpenProcess. Successful tests by Windows XP users verify that the feature is again working as expected.

        Company Name, Details and Correct Path -- The bug for properly displaying the company name of installed programs on Windows 64-bit computers has been resolved.

        Misc Fixes -- The bug that removed WinPatrol as a Start-up program has been fixed.

        New Features in WinPatrol 2012


        The Uninstall Detection feature is available only to WinPatrol PLUS users.  The Start Program Removed Detection is available to all users.  Both features are optional. Legitimate alerts may occur during software updates or when you choose to remove software.


        Uninstall Detection

        The new WinPatrol v25 will track programs that have been installed on your system and will monitor the location Windows uses to store Uninstall information. This location includes the path to the Uninstall command which is often used by malware to remove a program silently. WinPatrol will let you know the names of any programs which are removed.


        Start Program Removed Detection

        All WinPatrol users can benefit from the often requested option of Start program removal. WinPatrol was the first program to let users know if new auto start-up programs had been added. Now WinPatrol will also let you know if another program has removed one of your Start-up programs. One of the common behaviors of malware is to reduce the possibility of being detected by Anti-Virus or security software. It’s common for new malware to remove programs from your auto start-up list.
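        An added example, not WinPatrol's code: both alerts described above come down to comparing a saved baseline with the current state. The sketch parses two captures of `reg query <key> /s` output and reports start-up entries and Uninstall subkeys that have disappeared. The captures are constructed sample data with made-up program names, and watching the standard HKLM Run and Uninstall keys is an assumption.

```python
import re

# Standard registry locations (assumed here to be the ones being watched).
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
UNINSTALL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"

# `reg query` prints values as: 4 spaces, name, 4 spaces, type, 4 spaces, data.
VALUE_LINE = re.compile(r"^\s{4}(.+?)\s{4}(REG_[A-Z_]+)(?:\s{4}(.*))?$")

# Constructed captures of `reg query ... /s` output (not real program names).
BEFORE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ExampleAV Tray    REG_SZ    "C:\Program Files\ExampleAV\tray.exe" /startup
    ExampleUpdater    REG_SZ    C:\Program Files\ExampleUpdater\upd.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ExampleAV
    DisplayName    REG_SZ    Example AntiVirus 5
    UninstallString    REG_SZ    "C:\Program Files\ExampleAV\uninst.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11111111-2222-3333-4444-555555555555}
    DisplayName    REG_SZ    Example Updater
"""

AFTER = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    exampleupdater    REG_SZ    C:\Program Files\ExampleUpdater\upd.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{11111111-2222-3333-4444-555555555555}
    DisplayName    REG_SZ    Example Updater
"""


def parse_reg_query(text):
    """Parse `reg query` output into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None:
            match = VALUE_LINE.match(line)
            if match:
                current[match.group(1)] = match.group(3) or ""
    return keys


def children(snapshot, parent):
    """Yield (relative_subkey, values) for parent ('') and the keys below it."""
    p = parent.casefold()
    for path, values in snapshot.items():
        c = path.casefold()
        if c == p:
            yield "", values
        elif c.startswith(p + "\\"):
            yield path[len(parent) + 1:], values


def removed(old, new):
    """Names in old that are missing from new; the registry ignores case."""
    present = {name.casefold() for name in new}
    return sorted(name for name in old if name.casefold() not in present)


def removal_alerts(before_text, after_text, startup_alerts=True, uninstall_alerts=True):
    """Return alert tuples; the two flags mirror the optional alert check boxes."""
    before, after = parse_reg_query(before_text), parse_reg_query(after_text)
    alerts = []
    if startup_alerts:
        old = {n: d for sub, v in children(before, RUN_KEY) if sub == "" for n, d in v.items()}
        new = {n: d for sub, v in children(after, RUN_KEY) if sub == "" for n, d in v.items()}
        alerts += [("startup-removed", name, old[name]) for name in removed(old, new)]
    if uninstall_alerts:
        # Direct subkeys only; report the DisplayName when the entry had one.
        old = {s: v.get("DisplayName", s) for s, v in children(before, UNINSTALL_KEY) if s and "\\" not in s}
        new = {s: v for s, v in children(after, UNINSTALL_KEY) if s and "\\" not in s}
        alerts += [("program-uninstalled", old[s], s) for s in removed(old, new)]
    return alerts


if __name__ == "__main__":
    for alert in removal_alerts(BEFORE, AFTER):
        print(alert)
```

        As the post notes, legitimate updates and intentional uninstalls produce the same alerts, so each one needs a quick check against what you were doing at the time.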

        Samples:

        I was in the process of testing a new version of ESET Smart Security, which ended up being an opportune time to test detection of removal by WinPatrol.  Below is a copy of the notification received when I was using the Windows Uninstall feature.


        As you can see, there is a check box to turn off Uninstall Alerts.



        If you are doing system maintenance which includes intentionally removing several programs and wish to temporarily disable the notifications from WinPatrol, merely un-check the box in the notification above or on the Start-up Programs tab.  Don't forget to re-check the option when you are finished.

        ---> Download WinPatrol 2012 <---



        Posted in Security, Updates, WinPatrol | No comments

        Is Your Internet Connection in Jeopardy?

        Posted on 5:55 PM by Unknown
        There have been warnings for months about the impending take-down of the temporary DNS servers that the FBI put into place to provide Internet connections to the thousands of computers that were hijacked by the DNS Changer malware.

        The take-down of the FBI servers will occur on Monday, July 9, 2012.  In the event your computer was infected with this malware, you will lose your Internet connection when the servers are taken offline.

        What to do


        If you have not checked your computer yet to find out if it is infected with the DNS Changer trojan, it is important to visit http://www.dcwg.org/detect/.  DCWG has a list of links to security organizations that are maintaining detection sites in local languages.  Each site has instructions on the next steps to clean up possible infections.

        Background information is available from the FBI website at FBI — International Cyber Ring That Infected Millions of Computers Dismantled.



        Posted in malware, Security | No comments

        Thursday, July 5, 2012

        Security Bulletin Advance Notice for July, 2012

        Posted on 11:09 AM by Unknown

        On Tuesday, July 10, 2012, Microsoft is planning to release nine (9) bulletins, of which three bulletins are identified as Critical and the remaining as Important.  Several of the updates will require a restart.

        The bulletins address sixteen (16) vulnerabilities in Microsoft Windows, Microsoft Office, Internet Explorer, and Visual Basic for Applications. 

        As happens each month, Microsoft will also release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services, and the Download Center.

        References

        • MSRC Blog:  Advance Notification Service for July 2012 Security Bulletin Release
        • TechNet: Microsoft Security Bulletin Advance Notification for July 2012



        Posted in Microsoft, Security, Updates, Vulnerabilities | No comments