
2/24/2012

[Warning] Malicious files are spreading through the Facebook chat window

1. Information

Malicious files are currently spreading through the Facebook chat window.
Attackers post a malicious URL in the chat to lure the user into clicking it and downloading the malicious file.
Shortened URLs are used to spread these files, and whether a shortened URL is malicious is hard to determine before clicking it.



2. Spreading path and symptoms of infection

This malicious file spreads through the Facebook chat window, and once a system is infected, it sends itself to the victim's friends as a chat message. INCA Internet has collected various variants of this malicious file and has completed the corresponding update.


The user downloads the malicious file by clicking the shortened URL.


Extracting the downloaded ZIP file reveals the malicious file (the root file). If the system is infected, the copy of the malicious file (C:\WINDOWS\mdm.exe) attempts to connect to a certain external site and can download additional malicious files.



Created file
- C:\WINDOWS\mdm.exe (195,072 bytes)
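The advisory gives a file path and file size as the indicators of infection, and states that the dropped copy tries to reach an external site. The following host check is an added example, not part of the INCA Internet advisory: it looks for the dropped file at the advisory's path, compares its size with the advisory's 195,072 bytes, and lists any running process started from that path together with its established outbound connections. The process and connection checks are assumptions added here (the advisory does not say how the copy is launched), and the cmdlets used require Windows PowerShell 4 or later on Windows 8 / Server 2012 or newer, not the Windows XP systems the advisory targets.

```powershell
# Added example (not from the advisory): check a host for the FakeFbUrl indicators.
# File path and size are taken from the advisory; everything else is an assumption.

$IocPath = Join-Path $env:SystemRoot 'mdm.exe'   # advisory: C:\WINDOWS\mdm.exe
$IocSize = 195072                                 # advisory: 195,072 bytes

function Test-FakeFbUrlIndicators {
    [CmdletBinding()]
    param(
        [string]$Path = $IocPath,
        [int]$ExpectedSize = $IocSize
    )

    $findings = @()

    # 1. Dropped file: present at all? Does the size match the advisory's sample?
    if (Test-Path -LiteralPath $Path) {
        $file = Get-Item -LiteralPath $Path
        $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{
            Indicator = 'File'
            Detail    = "$Path ($($file.Length) bytes; size matches advisory: $($file.Length -eq $ExpectedSize); SHA256 $hash)"
        }
    }

    # 2. Running copy (assumption: the worm runs from the dropped path).
    $procs = @(Get-CimInstance Win32_Process |
        Where-Object { $_.ExecutablePath -and ($_.ExecutablePath -ieq $Path) })
    foreach ($p in $procs) {
        $findings += [pscustomobject]@{
            Indicator = 'Process'
            Detail    = "PID $($p.ProcessId): $($p.CommandLine)"
        }

        # 3. The advisory says the copy contacts an external site: list its
        #    established TCP connections so the remote address can be blocked/recorded.
        Get-NetTCPConnection -OwningProcess $p.ProcessId -State Established -ErrorAction SilentlyContinue |
            ForEach-Object {
                $findings += [pscustomobject]@{
                    Indicator = 'Connection'
                    Detail    = "PID $($p.ProcessId) -> $($_.RemoteAddress):$($_.RemotePort)"
                }
            }
    }

    return $findings
}

$result = @(Test-FakeFbUrlIndicators)
if ($result.Count -eq 0) {
    Write-Output 'No FakeFbUrl indicators found on this host.'
} else {
    $result | Format-Table -AutoSize
}
```

Run it from an elevated prompt so Win32_Process returns the ExecutablePath and CommandLine of every process. A file of a different size at the same path is still reported, because the advisory lists three detection names with different sizes, which indicates more than one variant; the SHA256 is printed so the sample can be submitted to your anti-virus vendor.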

3. How to prevent

This kind of malicious file can spread itself widely by using the chat box on Facebook. Besides, a shortened URL cannot easily be judged malicious or not. Furthermore, malicious shortened URLs can also be used to spread malicious files on Android-based platforms.

To keep your PC safe from the security threats posed by these malicious attachments, we recommend that you download the latest security updates and follow the "Security management tips" below for general users.

Security management tips

1. Keep the OS and applications at the latest security update level.
2. Use anti-virus software from a trusted security company, keep its engine updated to the latest version, and use the real-time detection function.
3. Do not open or download attachments from suspicious e-mails.
4. Be cautious with links received through instant messengers and SNS.

INCA Internet (Security Response Center / Emergency Response Team) operates a response system against various security threats.

◆ Diagnosis name
- Worm/W32.Fakefburl.180887
- Worm/W32.Fakefburl.195072
- Worm/W32.Fakefburl.141312

2/15/2012

Microsoft Security Bulletin Summary for February 2012

1. Introduction

Microsoft (MS) has released its regular security updates for February 2012.
Users of MS operating systems are strongly recommended to apply the updates to stay safe from the Windows Kernel-Mode Drivers vulnerability, the Ancillary Function Driver vulnerability, the Microsoft SharePoint vulnerability, the Color Control Panel vulnerability, the C Run-Time Library vulnerability, the Indeo Codec vulnerability, the Microsoft Visio Viewer 2010 vulnerability, and the .NET Framework and Microsoft Silverlight vulnerability.



2. Update details

[Critical]
[MS12-008] Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (2660465)

Vulnerability: GDI Access Violation Vulnerability- CVE-2011-5046
Keyboard Layout Use After Free Vulnerability- CVE-2012-0154

This security update resolves a privately reported vulnerability and a publicly disclosed vulnerability in Microsoft Windows. The more severe of these vulnerabilities could allow remote code execution if a user visits a website containing specially crafted content or if a specially crafted application is run locally. An attacker would have no way to force users to visit a malicious website. Instead, an attacker would have to convince users to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website.

Affected Software

- Windows XP SP3
- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 SP2 Itanium-based
- Windows Vista SP1
- Windows Vista SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32bit and Windows 2008 for 32bit SP2
- Windows Server 2008 for x64-based and Windows Server 2008 for x64-based SP2
- Windows Server 2008 for Itanium-based and Windows Server 2008 for Itanium SP2

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-008



[Important]
[MS12-009] Vulnerabilities in Ancillary Function Driver Could Allow Elevation of Privilege (2645640)

Vulnerability: AfdPoll Elevation of Privilege Vulnerability- CVE-2012-0148
Ancillary Function Driver Elevation of Privilege Vulnerability- CVE-2012-0149

This security update resolves two privately reported vulnerabilities in Microsoft Windows. The vulnerabilities could allow elevation of privilege if an attacker logs on to a user's system and runs a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit the vulnerabilities.

Affected Software

- Windows XP Professional x64 Edition SP2
- Windows Server 2003 SP2
- Windows Server 2003 x64 Edition SP2
- Windows Server 2003 SP2 Itanium-based
- Windows Vista x64 Edition SP2
- Windows Server 2008 for x64-based and Windows Server 2008 for x64-based SP2
- Windows Server 2008 for Itanium-based and Windows Server 2008 for Itanium SP2
- Windows 7 for x64-based and Windows 7 for x64-based SP1
- Windows Server 2008 R2 for x64-based and Windows Server 2008 R2 for x64-based SP1
- Windows Server 2008 R2 for Itanium-based and Windows Server 2008 R2 for Itanium SP1

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-009



[Important]
[MS12-010] Cumulative Security Update for Internet Explorer (2647516)

Vulnerability: Copy and Paste Information Disclosure Vulnerability- CVE-2012-0010
HTML Layout Remote Code Execution Vulnerability- CVE-2012-0011
Null Byte Information Disclosure Vulnerability- CVE-2012-0012
VML Remote Code Execution Vulnerability- CVE-2012-0155

This security update resolves four privately reported vulnerabilities in Internet Explorer. The most severe vulnerabilities could allow remote code execution if a user views a specially crafted web page using Internet Explorer. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Affected Software

- Internet Explorer 6 with Windows XP Service Pack 3
- Internet Explorer 6 with Windows XP Professional x64 Edition SP2
- Internet Explorer 6 with Windows Server 2003 SP2
- Internet Explorer 6 with Windows Server 2003 x64 Edition SP2
- Internet Explorer 6 with Windows Server 2003 with SP2 for Itanium-based Systems
- Internet Explorer 7 with Windows XP SP3
- Internet Explorer 7 with Windows XP Professional x64 Edition SP2
- Internet Explorer 7 with Windows Server 2003 SP2
- Internet Explorer 7 with Windows Server 2003 x64 Edition SP2
- Internet Explorer 7 with Windows Server 2003 with SP2 for Itanium-based Systems
- Internet Explorer 7 with Windows Vista SP2
- Internet Explorer 7 with Windows Vista x64 Edition SP2
- Internet Explorer 7 with Windows Server 2008 for 32-bit Systems SP2
- Internet Explorer 7 with Windows Server 2008 for x64-based Systems SP2
- Internet Explorer 7 with Windows Server 2008 for Itanium-based Systems SP2
- Internet Explorer 8 with Windows XP SP3
- Internet Explorer 8 with Windows XP Professional x64 Edition SP2
- Internet Explorer 8 with Windows Server 2003 SP2
- Internet Explorer 8 with Windows Server 2003 x64 Edition SP2
- Internet Explorer 8 with Windows 7 for 32-bit and Windows 7 for 32-bit SP1
- Internet Explorer 8 with Windows 7 for x64-based and Windows 7 for x64-based SP1
- Internet Explorer 8 with Windows Vista SP2
- Internet Explorer 8 with Windows Vista x64 Edition SP2
- Internet Explorer 8 with Windows Server 2008 for 32-bit Systems SP2
- Internet Explorer 8 with Windows Server 2008 for 64-bit Systems SP2
- Internet Explorer 8 with Windows 2008 R2 for x64-based Systems SP1
- Internet Explorer 8 with Windows 2008 R2 for Itanium-based Systems SP1
- Internet Explorer 9 with Windows Vista SP2
- Internet Explorer 9 with Windows Vista x64 Edition SP2
- Internet Explorer 9 with Windows Server 2008 for 32-bit SP2
- Internet Explorer 9 with Windows Server 2008 for 64-bit SP2
- Internet Explorer 9 with Windows 7 for 32-bit and Windows 7 for 32-bit SP1
- Internet Explorer 9 with Windows 7 for x64-based and Windows 7 for x64-based SP1
- Internet Explorer 9 with Windows Server 2008 R2 for 64-bit and Windows Server 2008 R2 for 64-bit SP1

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-010



[Important]
[MS12-011] Vulnerabilities in Microsoft SharePoint Could Allow Elevation of Privilege (2663841)

Vulnerability: XSS in inplview.aspx Vulnerability- CVE-2012-0017
XSS in themeweb.aspx Vulnerability- CVE-2012-0144
XSS in wizardlist.aspx Vulnerability- CVE-2012-0145

This security update resolves three privately reported vulnerabilities in Microsoft SharePoint and Microsoft SharePoint Foundation. These vulnerabilities could allow elevation of privilege or information disclosure if a user clicked a specially crafted URL.

Affected Software

- Microsoft SharePoint Server 2010 SP1
- Microsoft SharePoint Foundation 2010 SP1

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-011



[Important]
[MS12-012] Vulnerability in Color Control Panel Could Allow Remote Code Execution (2643719)

Vulnerability: Color Control Panel Insecure Library Loading Vulnerability- CVE-2010-5082

This security update resolves one publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate file (such as an .icm or .icc file) that is located in the same directory as a specially crafted dynamic link library (DLL) file. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Affected Software

- Windows Server 2008 for 32bit and Windows 2008 for 32bit SP2
- Windows Server 2008 for x64-based and Windows Server 2008 for x64-based SP2
- Windows Server 2008 for Itanium-based and Windows Server 2008 for Itanium SP2
- Windows Server 2008 R2 for x64-based and Windows Server 2008 R2 for x64-based SP1
- Windows Server 2008 R2 for Itanium-based and Windows Server 2008 R2 for Itanium SP1

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-012



[Critical]
[MS12-013] Vulnerability in C Run-Time Library Could Allow Remote Code Execution (2654428)

Vulnerability: Msvcrt.dll Buffer Overflow Vulnerability- CVE-2012-0150

This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a specially crafted media file that is hosted on a website or sent as an email attachment. An attacker who successfully exploited the vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Affected Software

- Windows Vista SP2
- Windows Vista x64 Edition SP2
- Windows Server 2008 for 32bit and Windows 2008 for 32bit SP2
- Windows Server 2008 for x64-based and Windows Server 2008 for x64-based SP2
- Windows Server 2008 for Itanium-based and Windows Server 2008 for Itanium SP2
- Windows 7 for 32-bit and Windows 7 for 32bit SP1
- Windows 7 for x64-based and Windows 7 for x64-based SP1
- Windows Server 2008 R2 for x64-based and Windows Server 2008 R2 for x64-based SP1
- Windows Server 2008 R2 for Itanium-based and Windows Server 2008 R2 for Itanium SP1

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-013



[Important]
[MS12-014] Vulnerability in Indeo Codec Could Allow Remote Code Execution (2661637)

Vulnerability: Indeo Codec Insecure Library Loading Vulnerability- CVE-2010-3138

This security update resolves one publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user opens a legitimate file (such as an .avi file) that is located in the same directory as a specially crafted dynamic link library (DLL) file. An attacker who successfully exploited this vulnerability could run arbitrary code as the logged-on user. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Affected Software

- Windows XP SP3

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-014



[Important]
[MS12-015] Vulnerabilities in Microsoft Visio Viewer 2010 Could Allow Remote Code Execution (2663510)

Vulnerability: VSD File Format Memory Corruption Vulnerability- CVE-2012-0019
VSD File Format Memory Corruption Vulnerability- CVE-2012-0020
VSD File Format Memory Corruption Vulnerability- CVE-2012-0136
VSD File Format Memory Corruption Vulnerability- CVE-2012-0137
VSD File Format Memory Corruption Vulnerability- CVE-2012-0138

This security update resolves five privately reported vulnerabilities in Microsoft Office. The vulnerabilities could allow remote code execution if a user opens a specially crafted Visio file. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the logged-on user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Affected Software

- Microsoft Visio Viewer 2010 SP1
- Microsoft Visio Viewer 2010 64-bit SP1

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-015



[Critical]
[MS12-016] Vulnerabilities in .NET Framework and Microsoft Silverlight Could Allow Remote Code Execution (2651026)

Vulnerability: .NET Framework Unmanaged Objects Vulnerability- CVE-2012-0014
.NET Framework Heap Corruption Vulnerability- CVE-2012-0015

This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft .NET Framework and Microsoft Silverlight. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted web page using a web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Affected Software

- Windows XP SP3 for Microsoft .NET Framework 2.0 SP2
- Windows XP SP3 for Microsoft .NET Framework 4
- Windows XP Professional x64 Edition SP2 for Microsoft .NET Framework 2.0 SP2
- Windows XP Professional x64 Edition SP2 for Microsoft .NET Framework 4
- Windows Server 2003 SP2 for Microsoft .NET Framework 2.0 SP2
- Windows Server 2003 SP2 for Microsoft .NET Framework 4
- Windows Server 2003 x64 Edition SP2 for Microsoft .NET Framework 2.0 SP2
- Windows Server 2003 x64 Edition SP2 for Microsoft .NET Framework 4
- Windows Server 2003 SP2 Itanium-based for Microsoft .NET Framework 2.0 SP2
- Windows Server 2003 SP2 Itanium-based for Microsoft .NET Framework 4
- Windows Vista SP2 for Microsoft .NET Framework 2.0 SP2
- Windows Vista SP2 for Microsoft .NET Framework 4
- Windows Vista x64 Edition SP2 for Microsoft .NET Framework 2.0 SP2
- Windows Vista x64 Edition SP2 for Microsoft .NET Framework 4
- Windows 2008 for 32bit SP2 for Microsoft .NET Framework 2.0 SP2
- Windows 2008 for 32bit SP2 for Microsoft .NET Framework 4
- Windows Server 2008 for x64-based SP2 for Microsoft .NET Framework 2.0 SP2
- Windows Server 2008 for x64-based SP2 for Microsoft .NET Framework 4
- Windows Server 2008 for Itanium SP2 for Microsoft .NET Framework 2.0 SP2
- Windows Server 2008 for Itanium SP2 for Microsoft .NET Framework 4
- Windows 7 for 32-bit for Microsoft .NET Framework 3.5.1
- Windows 7 for 32-bit for Microsoft .NET Framework 4
- Windows 7 for 32bit SP1 for Microsoft .NET Framework 3.5.1
- Windows 7 for 32bit SP1 for Microsoft .NET Framework 4
- Windows 7 for x64-based for Microsoft .NET Framework 3.5.1
- Windows 7 for x64-based SP1 for Microsoft .NET Framework 4
- Windows Server 2008 R2 for x64-based for Microsoft .NET Framework 3.5.1
- Windows Server 2008 R2 for x64-based for Microsoft .NET Framework 4
- Windows Server 2008 R2 for x64-based SP1 for Microsoft .NET Framework 3.5.1
- Windows Server 2008 R2 for x64-based SP1 for Microsoft .NET Framework 4
- Windows Server 2008 R2 for Itanium-based for Microsoft .NET Framework 3.5.1
- Windows Server 2008 R2 for Itanium-based for Microsoft .NET Framework 4
- Windows Server 2008 R2 for Itanium SP1 for Microsoft .NET Framework 3.5.1
- Windows Server 2008 R2 for Itanium SP1 for Microsoft .NET Framework 4

- Reference site

http://technet.microsoft.com/en-us/security/bulletin/MS12-016
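The summary recommends applying all nine February 2012 bulletins. The script below is an added example, not part of the original summary, that checks a Windows host for the bulletin KB numbers listed above (2660465 through 2651026) using Get-HotFix. One caveat the reader should keep in mind: the number after each bulletin title is the bulletin-level KB, and the update actually installed for a given component (for example the .NET Framework or Internet Explorer packages) may be registered under its own KB number, so a "False" here means "verify against the bulletin page", not necessarily "missing". Which bulletins apply at all depends on the Affected Software lists above; the script reports all nine regardless.

```powershell
# Added example (not from the bulletin summary): report which February 2012
# bulletin KBs are registered on this host. KB numbers come from the summary.

$Feb2012Bulletins = [ordered]@{
    'MS12-008' = 'KB2660465'   # Windows Kernel-Mode Drivers
    'MS12-009' = 'KB2645640'   # Ancillary Function Driver
    'MS12-010' = 'KB2647516'   # Internet Explorer cumulative update
    'MS12-011' = 'KB2663841'   # Microsoft SharePoint
    'MS12-012' = 'KB2643719'   # Color Control Panel
    'MS12-013' = 'KB2654428'   # C Run-Time Library
    'MS12-014' = 'KB2661637'   # Indeo Codec
    'MS12-015' = 'KB2663510'   # Microsoft Visio Viewer 2010
    'MS12-016' = 'KB2651026'   # .NET Framework and Silverlight
}

function Get-BulletinStatus {
    [CmdletBinding()]
    param(
        [System.Collections.IDictionary]$Bulletins = $Feb2012Bulletins
    )

    # Get-HotFix reads the same installed-update records shown under
    # "View installed updates" in Control Panel. Requires admin rights for remote use.
    $installed = @(Get-HotFix | Select-Object -ExpandProperty HotFixID)

    foreach ($key in $Bulletins.Keys) {
        $kb = $Bulletins[$key]
        [pscustomobject]@{
            Bulletin  = $key
            KB        = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

$status = Get-BulletinStatus
$status | Format-Table -AutoSize

# Exit code lets the script be used from a login script or monitoring job:
# non-zero when any bulletin KB is not registered on the host.
$missing = @($status | Where-Object { -not $_.Installed })
if ($missing.Count -gt 0) {
    Write-Warning ("Bulletins to verify: " + (($missing | ForEach-Object { $_.Bulletin }) -join ', '))
    exit 1
}
exit 0
```

Because Get-HotFix also accepts a -ComputerName parameter, the same function can be pointed at several domain hosts by adding that parameter to the Get-HotFix call; the host-specific caveat about component KB numbers applies equally there.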