7/29/2009 11:01:00 AM

Microsoft Security Bulletin Summary for July 2009, Version 2.0

by Mahran Amona

Microsoft has released out-of-band security bulletins for July 2009 to address critical vulnerabilities in Internet Explorer. We strongly suggest applying the patches Microsoft provides for these vulnerabilities.

With the release of the out-of-band bulletins on July 28, 2009, this bulletin summary replaces the out-of-band bulletin advance notification originally issued on July 24, 2009.

The revised bulletin summary web page includes the out-of-band security bulletins as well as the security bulletins already released on July 14, 2009.


7/26/2009 11:07:00 AM

Microsoft to release out-of-band patches on Tuesday

by Mahran Amona

In an advance notice published late Friday, Microsoft announced that it will release two out-of-band software updates on Tuesday, July 28, 2009, ahead of its regularly scheduled updates on August 11, 2009. The patches will include a critical fix for Internet Explorer as well as a related moderate Visual Studio patch.

"While we can't go into specifics about the issue prior to release, we can say that the Visual Studio bulletin will address an issue that can affect certain types of applications," says Mike Reavey, group manager of the Microsoft Security Response Center.


More information can be found on Microsoft's advance notification.

Category: Vulnerabilities

7/15/2009 3:16:00 PM

Microsoft Security Bulletin Summary for July 2009

by Mahran Amona

Microsoft has released its security bulletin summary for July 2009, covering six security bulletins for Microsoft products, three of them rated Critical. We strongly suggest applying the patches Microsoft provides for these vulnerabilities.

Critical

Vulnerabilities in the Embedded OpenType Font Engine Could Allow Remote Code Execution
This security update resolves two privately reported vulnerabilities in the Microsoft Windows component, Embedded OpenType (EOT) Font Engine. The vulnerabilities could allow remote code execution. An attacker who successfully exploited either of these vulnerabilities could take complete control of an affected system remotely.

The patch and additional information are available here.

Vulnerabilities in Microsoft DirectShow Could Allow Remote Code Execution
This security update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in Microsoft DirectShow. The vulnerabilities could allow remote code execution if a user opened a specially crafted QuickTime media file.

The patch and additional information are available here.

Cumulative Security Update of ActiveX Kill Bits
This security update resolves a privately reported vulnerability that is currently being exploited. The vulnerability in Microsoft Video ActiveX Control could allow remote code execution if a user views a specially crafted Web page with Internet Explorer, instantiating the ActiveX control.

The patch and additional information are available here.

Important

Vulnerability in Virtual PC and Virtual Server Could Allow Elevation of Privilege
This security update resolves a privately reported vulnerability in Microsoft Virtual PC and Microsoft Virtual Server. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected guest operating system.

The patch and additional information are available here.

Vulnerability in Microsoft ISA Server 2006 Could Cause Elevation of Privilege
This security update resolves a privately reported vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2006. The vulnerability could allow elevation of privilege if an attacker successfully impersonates an administrative user account on an ISA server that is configured for RADIUS one-time password (OTP) authentication and authentication delegation with Kerberos Constrained Delegation.

The patch and additional information are available here.

Vulnerability in Microsoft Office Publisher Could Allow Remote Code Execution
This security update resolves a privately reported vulnerability in Microsoft Office Publisher that could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

The patch and additional information are available here.

References:
Microsoft Security Bulletin Summary for July 2009


7/14/2009 3:49:00 PM

A comprehensive look at botnet attack incident

by Rony Michaely

An official website of the Iranian government was compromised: a hidden iframe tag was injected into the site, retrieving obfuscated malicious scripts that exploit multiple client-side vulnerabilities. Visitors to the governmental website may end up with a Trojan downloader taking over their systems.

During the last month we have been tracking a large botnet based on the El Fiesta toolkit. Computers forcibly joined to the botnet were exposed to information theft and were used to send spam email via live.com and via an internal SMTP engine installed by the Trojan downloaders.


Image 1: The Iranian governmental website


Image 2: The Iranian governmental website page code compromised


Image 3: The obfuscated exploit page

Upon execution of the obfuscated code, the following vulnerabilities are exploited:

• Adobe Acrobat and Reader JBIG2 image stream buffer overflow
• Adobe Acrobat and Reader Multiple Arbitrary Code Execution
• NCTsoft NCTAudioFile2 ActiveX buffer overflow
• Microsoft 'msdds.dll' COM Object Heap Memory Vulnerability
• Microsoft Access Snapshot Viewer ActiveX
• MS Internet Explorer XML Parsing Buffer Overflow
• Microsoft Data Access Components (MDAC) remote code execution
• Microsoft Internet Explorer VML stack buffer overflow
• MS Internet Explorer WebViewFolderIcon remote code execution
• Firefox NoScript local exploit
• Firefox behavior vulnerability

Upon successful exploitation, Trojans are installed on the infected computer, making it part of the attacker's botnet, which is managed through the El Fiesta toolkit. During the past month we have observed half a million infected hosts controlled by this botnet server.


Image 4: El Fiesta toolkit exploits and overall infected hosts (part 1)


Image 5: El Fiesta toolkit exploits and overall infected hosts (part 2)


Image 6: Botnet Server statistics

Once our honeypot clients were controlled by the El Fiesta botnet, they were used to send spam email via live.com and via an internal SMTP engine installed by the bot Trojans. The spam email content was supplied by another web server hosted in Ukraine.


Image 7: An infected client sending Spam via live.com mail account


Image 8: An infected client sending Spam via internal SMTP engine


Image 9: The spam web server supplies the spam email headers and content to be sent by the bot client

One of the Trojans installed by the botnet downloads a rogue anti-virus program called Guarddog 2009. The rogue website is hosted on the same server as the El Fiesta toolkit.


Image 10: The Trojan downloader code


Image 11: The rogue anti-virus program

Category: Hackers

7/10/2009 11:43:00 AM

Renewed DDoS attacks on US and South Korean websites

by Mahran Amona

North Korea is blamed for a series of massive DDoS (distributed denial-of-service) attacks on government and commercial websites in the US and South Korea.
These politically motivated attacks first began on Saturday, July 4, Independence Day in the US; following is a list of the US and South Korean websites targeted so far.

The latest cyber attacks remind us of the attacks against Georgian government websites last year during its conflict with Russia over South Ossetia (See our blog post).

Category: Hackers