Original release date: February 14, 2012
Last revised: –
Source: US-CERT

Systems Affected

* Microsoft Windows
* Microsoft Internet Explorer
* Microsoft .NET Framework
* Microsoft Silverlight
* Microsoft Office
* Microsoft Server Software

Overview

There are multiple vulnerabilities in Microsoft Windows, Internet
Explorer, Microsoft .NET Framework, Silverlight, Office, and
Microsoft Server Software. Microsoft has released updates to
address these vulnerabilities.

I. Description

The Microsoft Security Bulletin Summary for February 2012 describes
multiple vulnerabilities in Microsoft Windows. Microsoft has
released updates to address the vulnerabilities.

II. Impact

A remote, unauthenticated attacker could execute arbitrary code,
cause a denial of service, or gain unauthorized access to your
files or system.

III. Solution

Apply updates

Microsoft has provided updates for these vulnerabilities in the
Microsoft Security Bulletin Summary for February 2012, which
describes any known issues related to the updates. Administrators
are encouraged to note these issues and test for any potentially
adverse effects. In addition, administrators should consider using
an automated update distribution system such as Windows Server
Update Services (WSUS). Home users are encouraged to enable
automatic updates.

IV. References

* Microsoft Security Bulletin Summary for February 2012 -
<https://technet.microsoft.com/en-us/security/bulletin/ms12-feb>

* Microsoft Windows Server Update Services -
<http://technet.microsoft.com/en-us/wsus/default.aspx>

* Microsoft Update – <https://www.update.microsoft.com/>

* Microsoft Update Overview -
<http://www.microsoft.com/security/updates/mu.aspx>

* Turn Automatic Updating On or Off -
<http://windows.microsoft.com/en-us/windows-vista/Turn-automatic-updating-on-or-off>

© 2011 Carnegie Mellon University.
Paul Ruggiero and Jon Foote
Mobile Threats Are Increasing
Smartphones, or mobile phones with advanced capabilities like those of personal computers (PCs), are appearing in more people’s pockets, purses, and briefcases. Smartphones’ popularity and relatively lax security have made them attractive targets for attackers. According to a report published earlier this year, smartphones recently outsold PCs for the first time, and attackers have been exploiting this expanding market by using old techniques along with new ones. One example is this year’s Valentine’s Day attack, in which attackers distributed a mobile picture-sharing application that secretly sent premium-rate text messages from the user’s mobile phone. One study found that, from 2009 to 2010, the number of new vulnerabilities in mobile operating systems jumped 42 percent. The number and sophistication of attacks on mobile phones is increasing, and countermeasures are slow to catch up.
Smartphones and personal digital assistants (PDAs) give users mobile access to email, the internet, GPS navigation, and many other applications. However, smartphone security has not kept pace with traditional computer security. Technical security measures, such as firewalls, antivirus, and encryption, are uncommon on mobile phones, and mobile phone operating systems are not updated as frequently as those on personal computers. Mobile social networking applications sometimes lack the detailed privacy controls of their PC counterparts.
Unfortunately, many smartphone users do not recognize these security shortcomings. Many users fail to enable the security software that comes with their phones, and they believe that surfing the internet on their phones is as safe as or safer than surfing on their computers.
Meanwhile, mobile phones are becoming more and more valuable as targets for attack. People are using smartphones for an increasing number of activities and often store sensitive data, such as email, calendars, contact information, and passwords, on the devices. Mobile applications for social networking keep a wealth of personal information. Recent innovations in mobile commerce have enabled users to conduct many transactions from their smartphone, such as purchasing goods and applications over wireless networks, redeeming coupons and tickets, banking, processing point-of-sale payments, and even paying at cash registers.
Typical Attacks Leverage Portability and Similarity to PCs
Mobile phones share many of the vulnerabilities of PCs. However, the attributes that make mobile phones easy to carry, use, and modify open them to a range of attacks.
• Perhaps most simply, the very portability of mobile phones and PDAs makes them easy to steal. The owner of a stolen phone could lose all the data stored on it, from personal identifiers to financial and corporate data. Worse, a sophisticated attacker with enough time can defeat most security features of mobile phones and gain access to any information they store.
• Many seemingly legitimate software applications, or apps, are malicious. Anyone can develop apps for some of the most popular mobile operating systems, and mobile service providers may offer third-party apps with little or no evaluation of their safety. Sources that are not affiliated with mobile service providers may also offer unregulated apps that access locked phone capabilities. Some users “root” or “jailbreak” their devices, bypassing operating system lockout features to install these apps.
• Even legitimate smartphone software can be exploited. Mobile phone software and network services have vulnerabilities, just like their PC counterparts do. For years, attackers have exploited mobile phone software to eavesdrop, crash phone software, or conduct other attacks. A user may trigger such an attack through some explicit action, such as clicking a maliciously designed link that exploits a vulnerability in a web browser. A user may also be exposed to attack passively, however, simply by using a device that has a vulnerable application or network service running in the background.
• Phishing attacks use electronic communications to trick users into installing malicious software or giving away sensitive information. Email phishing is a common attack on PCs, and it is just as dangerous on email-enabled mobile phones. Mobile phone users are also vulnerable to phishing voice calls (“vishing”) and SMS/MMS messages (“smishing”). These attacks target feature phones (mobile phones without advanced data and wireless capabilities) as well as smartphones, and they sometimes try to trick users into receiving fraudulent charges on their mobile phone bill. Phishers often increase their attacks after major current events, crafting their communications to look like news stories or solicitations for charitable donations. Spammers used this strategy after the March 2011 earthquake and tsunami in Japan.
Consequences of a Mobile Attack Can Be Severe
Many users may consider mobile phone security to be less important than the security of their PCs, but the consequences of attacks on mobile phones can be just as severe. Malicious software can make a mobile phone a member of a network of devices that can be controlled by an attacker (a “botnet”). Malicious software can also send device information to attackers and perform other harmful commands. Mobile phones can also spread viruses to PCs that they are connected to.
Losing a mobile phone used to mean only the loss of contact information, call histories, text messages, and perhaps photos. However, in more recent years, losing a smartphone can also jeopardize financial information stored on the device in banking and payment apps, as well as usernames and passwords used to access apps and online services. If the phone is stolen, attackers could use this information to access the user’s bank account or credit card account. An attacker could also steal, publicly reveal, or sell any personal information extracted from the device, including the user’s information, information about contacts, and GPS locations. Even if the victim recovers the device, he or she may receive many spam emails and SMS/MMS messages and may become the target for future phishing attacks.
Some personal and business services add a layer of authentication by calling a user’s mobile phone or sending an additional password via SMS before allowing the user to log onto the service’s website. A stolen mobile phone gets an attacker one step closer to accessing the services as the user. If the device contains the owner’s username and password for the service, the attacker would have everything necessary to access the service.
Take Steps to Protect Your Mobile Phone
Although mobile phones are taking on more capabilities formerly available only on PCs, technical security solutions for mobile phones are not as sophisticated or widespread as those for PCs. This means that the bulk of mobile phone security relies on the user making intelligent, cautious choices. Even the most careful users can still fall victim to attacks on their mobile phones. However, following best practices regarding mobile phone security can reduce the likelihood or consequences of an attack.
• When choosing a mobile phone, consider its security features. Ask the service provider if the device offers file encryption, the ability for the provider to find and wipe the device remotely, the ability to delete known malicious apps remotely, and authentication features such as device access passwords. If you back up your phone data to a PC, look for an option to encrypt the backup. If you plan to use the device for VPN access, as some users do to access work networks, ask the provider if the device supports certificate-based authentication.
• Configure the device to be more secure. Many smartphones have a password feature that locks the device until the correct PIN or password is entered. Enable this feature, and choose a reasonably complex password. Enable encryption, remote wipe capabilities, and antivirus software if available.
• Configure web accounts to use secure connections. Accounts for certain websites can be configured to use secure, encrypted connections (look for “HTTPS” or “SSL” in account options pages). Enabling this feature deters attackers from eavesdropping on web sessions. Many popular mail and social networking sites include this option.
• Do not follow links sent in suspicious email or text messages. Such links may lead to malicious websites.
• Limit exposure of your mobile phone number. Think carefully before posting your mobile phone number to a public website. Attackers can use software to collect mobile phone numbers from the web and then use those numbers to target attacks.
• Carefully consider what information you want stored on the device. Remember that with enough time, sophistication, and access to the device, any attacker could obtain your stored information.
• Be choosy when selecting and installing apps. Do a little research on apps before installing them. Check what permissions the app requires. If the permissions seem beyond what the app should require, do not install the app; it could be a Trojan horse, carrying malicious code in an attractive package.
• Maintain physical control of the device, especially in public or semi-public places. The portability of mobile phones makes them easy to lose or steal.
• Disable interfaces that are not currently in use, such as Bluetooth, infrared, or Wi-Fi. Attackers can exploit vulnerabilities in software that use these interfaces.
• Set Bluetooth-enabled devices to non-discoverable. When in discoverable mode, your Bluetooth-enabled devices are visible to other nearby devices, which may alert an attacker or infected device to target you. When in non-discoverable mode, your Bluetooth-enabled devices are invisible to other unauthenticated devices.
• Avoid joining unknown Wi-Fi networks and using public Wi-Fi hotspots. Attackers can create phony Wi-Fi hotspots designed to attack mobile phones and may patrol public Wi-Fi networks for unsecured devices. Also, enable encryption on your home Wi-Fi network.
• Delete all information stored in a device prior to discarding it. Check the website of the device’s manufacturer for information about securely deleting data. Your mobile phone provider may also have useful information on securely wiping your device.
• Be careful when using social networking applications. These apps may reveal more personal information than intended, and to unintended parties. Be especially careful when using services that track your location.
• Do not “root” or “jailbreak” the device. Third-party device firmware, which is sometimes used to get access to device features that are locked by default, can contain malicious code or unintentional security vulnerabilities. Altering the firmware could also prevent the device from receiving future operating system updates, which often contain valuable security updates and other feature upgrades.
Act Quickly if Your Mobile Phone or PDA Is Stolen
• Report the loss to your organization and/or mobile service provider. If your phone or PDA was issued by an organization or is used to access private data, notify your organization of the loss immediately. If your personal phone or PDA was lost, contact your mobile phone service provider as soon as possible to deter malicious use of your device and minimize fraudulent charges.
• Report the loss or theft to local authorities. Depending on the situation, it may be appropriate to notify relevant staff and/or local police.
• Change account credentials. If you used your phone or PDA to access any remote resources, such as corporate networks or social networking sites, revoke all credentials that were stored on the lost device. This may involve contacting your IT department to revoke issued certificates or logging into websites to change your password.
• If necessary, wipe the phone. Some mobile service providers offer remote wiping, which allows you or your provider to remotely delete all data on the phone.

US-CERT is aware of public reports that DigiCert Sdn. Bhd has issued
22 certificates with weak encryption keys. This could allow an attacker to use these certificates to impersonate legitimate site owners. DigiCert Sdn. Bhd has revoked all the weak certificates that they issued. Entrust, the parent Certificate Authority to DigiCert Sdn. Bhd, has released a statement containing more information.

Mozilla has released Firefox 8 and Firefox 3.6.24 to address this issue. Additional information can be found in the Mozilla Security Blog.

Microsoft has provided an update for all supported versions of Microsoft Windows to address this issue. Additional information can be found in Microsoft Security Advisory 2641690.

US-CERT encourages users and administrators to apply any necessary updates to help mitigate the risks. US-CERT will provide additional information as it becomes available.
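A check a defender can run over the certificate chains they serve or trust, to catch undersized RSA keys like the ones behind this advisory. This is an added example, not code from US-CERT, Entrust or DigiCert; the advisory does not state the key size involved, so the 2048-bit floor is an assumption, the sample self-signed certificates are constructed inline, and the third-party `cryptography` package is assumed to be installed.

```python
"""Scan a PEM bundle of X.509 certificates and flag weak RSA public keys.

Added example (not US-CERT's, Entrust's or DigiCert's code). Assumptions:
the third-party `cryptography` package is installed, and MIN_RSA_BITS is a
local policy threshold; the advisory does not state the key size involved.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

MIN_RSA_BITS = 2048  # assumption: policy floor for RSA moduli

PEM_BEGIN = b"-----BEGIN CERTIFICATE-----"
PEM_END = b"-----END CERTIFICATE-----"


def split_pem_bundle(bundle: bytes) -> list[bytes]:
    """Return each certificate block in a concatenated PEM bundle."""
    blocks = []
    start = bundle.find(PEM_BEGIN)
    while start != -1:
        end = bundle.find(PEM_END, start)
        if end == -1:
            break  # truncated trailing block: ignore rather than guess
        end += len(PEM_END)
        blocks.append(bundle[start:end])
        start = bundle.find(PEM_BEGIN, end)
    return blocks


def common_name(cert: x509.Certificate) -> str:
    attrs = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    return attrs[0].value if attrs else "<no CN>"


def assess(cert: x509.Certificate) -> dict:
    """Classify one certificate: weak RSA, acceptable RSA, or non-RSA."""
    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey):
        bits = pub.key_size
        verdict = "weak" if bits < MIN_RSA_BITS else "ok"
    else:
        bits, verdict = None, "non-rsa"
    return {"subject": common_name(cert), "bits": bits, "verdict": verdict}


def scan_pem_bundle(bundle: bytes) -> list[dict]:
    """Assess every certificate in a PEM bundle (e.g. a served chain)."""
    return [assess(x509.load_pem_x509_certificate(b)) for b in split_pem_bundle(bundle)]


def weak_subjects(bundle: bytes) -> list[str]:
    """Subjects whose RSA keys fall below MIN_RSA_BITS."""
    return [r["subject"] for r in scan_pem_bundle(bundle) if r["verdict"] == "weak"]


def make_self_signed_pem(bits: int, cn: str) -> bytes:
    """Constructed sample: a throwaway self-signed cert with an RSA key of `bits`."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=1))
        .not_valid_after(now + timedelta(days=1))
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


def demo_bundle() -> bytes:
    """Constructed input: one undersized key beside one acceptable key."""
    return make_self_signed_pem(1024, "weak.example.test") + make_self_signed_pem(2048, "ok.example.test")


if __name__ == "__main__":
    for row in scan_pem_bundle(demo_bundle()):
        print(f"{row['subject']:20} {row['bits']!s:>5} {row['verdict']}")
```

Point `scan_pem_bundle` at a real chain (for example the output of an `openssl s_client -showcerts` capture saved to a file) to audit what a server actually presents.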

Relevant Url(s):
<http://blog.mozilla.com/security/2011/11/03/revoking-trust-in-digicert-sdn-bhd-intermediate-certificate-authority/>

<http://technet.microsoft.com/en-us/security/advisory/2641690>

<http://www.entrust.net/advisories/malaysia.htm>

On November 9, 2011 US Federal prosecutors announced Operation Ghost Click, an ongoing investigation that resulted in the arrests of a cyber ring of seven people who allegedly ran a massive online advertising fraud scheme that used malicious software to infect at least 4 million computers in more than 100 countries.

The cyber ring, comprised of individuals from Estonia and Russia, allegedly used the malicious software, or malware, to hijack web searches to generate advertising and sales revenue by diverting users from legitimate websites to websites run by the cyber ring. In some cases, the software, known as DNSChanger, would replace advertising on popular websites with other ads when viewed from an infected computer.
The malware also could have prevented users’ anti-virus software from functioning properly, thus exposing infected machines to unrelated malicious software.

US-CERT encourages users and administrators to use caution when surfing the web and to take the following preventative measures to protect themselves from malware campaigns:
* Refer to the FBI’s announcement of Operation Ghost Click for
additional information on how to protect yourself and recover from
DNSChanger attacks.
* Maintain up-to-date antivirus software.
* Configure your web browser as described in the Securing Your Web
Browser document.
* Do not follow unsolicited web links in email messages.
* Use caution when opening email attachments. Refer to the Using
Caution with Email Attachments Cyber Security Tip for more
information on safely handling email attachments.

RIM has released a security advisory to address a vulnerability in the BlackBerry MDS Connection Service and BlackBerry Messaging Agent for the BlackBerry Enterprise Server. The vulnerability may allow an attacker to execute arbitrary code or gain unauthorized access to the BlackBerry Enterprise Server.

US-CERT encourages users and administrators to review the BlackBerry security advisory KB27244 and apply any necessary updates to help mitigate the risks.

Relevant Url(s):
<http://btsc.webapps.blackberry.com/btsc/search.do?cmd=displayKC&docType=kc&externalId=KB27244>

Bullies are taking advantage of technology to intimidate and harass their
victims. Dealing with cyberbullying can be difficult, but there are steps
you can take.

What is cyberbullying?

Cyberbullying refers to the practice of using technology to harass, or bully,
someone else. Bullies used to be restricted to methods such as physical
intimidation, postal mail, or the telephone. Now, developments in electronic
media offer forums such as email, instant messaging, web pages, and digital
photos to add to the arsenal. Computers, cell phones, and PDAs are current
tools that are being used to conduct an old practice.

Forms of cyberbullying can range in severity from cruel or embarrassing
rumors to threats, harassment, or stalking. It can affect any age group;
however, teenagers and young adults are common victims, and cyberbullying is
a growing problem in schools.

Why has cyberbullying become such a problem?

The relative anonymity of the internet is appealing for bullies because it
enhances the intimidation and makes tracing the activity more difficult.
Some bullies also find it easier to be more vicious because there is no
personal contact. Unfortunately, the internet and email can also increase
the visibility of the activity. Information or pictures posted online or
forwarded in mass emails can reach a larger audience faster than more
traditional methods, causing more damage to the victims. And because of the
amount of personal information available online, bullies may be able to
arbitrarily choose their victims.

Cyberbullying may also indicate a tendency toward more serious behavior.
While bullying has always been an unfortunate reality, most bullies grow out
of it. Cyberbullying has not existed long enough to have solid research, but
there is evidence that it may be an early warning for more violent behavior.

How can you protect yourself or your children?

* Teach your children good online habits – Explain the risks of
technology, and teach children how to be responsible online (see Keeping
Children Safe Online for more information). Reduce their risk of
becoming cyberbullies by setting guidelines for and monitoring their use
of the internet and other electronic media (cell phones, PDAs, etc.).
* Keep lines of communication open – Regularly talk to your children about
their online activities so that they feel comfortable telling you if
they are being victimized.
* Watch for warning signs – If you notice changes in your child’s
behavior, try to identify the cause as soon as possible. If
cyberbullying is involved, acting early can limit the damage.
* Limit availability of personal information – Limiting the number of
people who have access to contact information or details about
interests, habits, or employment reduces exposure to bullies that you or
your child do not know. This may limit the risk of becoming a victim and
may make it easier to identify the bully if you or your child are
victimized.
* Avoid escalating the situation – Responding with hostility is likely to
provoke a bully and escalate the situation. Depending on the
circumstances, consider ignoring the issue. Often, bullies thrive on the
reaction of their victims. Other options include subtle actions. For
example, you may be able to block the messages on social networking
sites or stop unwanted emails by changing the email address. If you
continue to get messages at the new email address, you may have a
stronger case for legal action.
* Document the activity – Keep a record of any online activity (emails,
web pages, instant messages, etc.), including relevant dates and times.
In addition to archiving an electronic version, consider printing a
copy.
* Report cyberbullying to the appropriate authorities – If you or your
child are being harassed or threatened, report the activity. Many
schools have instituted bullying programs, so school officials may have
established policies for dealing with activity that involves students.
If necessary, contact your local law enforcement. Law enforcement
agencies have different policies, but your local police department or
FBI branch are good starting points. Unfortunately, there is a
distinction between free speech and punishable offenses, but the legal
implications should be decided by the law enforcement officials and the
prosecutors.

Additional information

The following organizations offer additional information about this topic:
* National Crime Prevention Council – http://www.ncpc.org/cyberbullying
* StopBullying.gov – http://www.stopbullying.gov/
_________________________________________________________________

Author: Mindi McDowell

US-CERT is aware of public reports of a phishing attack that specifically targets US government and military officials’ Gmail accounts. The attack arrives via an email sent from a spoofed address of an individual or agency known to the targeted user. The email contains a “view download” link that leads to a fake Gmail login page. The login information is then sent to an attacker. Google has indicated that this phishing campaign has been disrupted and that affected parties have been notified.

US-CERT encourages users and administrators to do the following to help mitigate the risks:
* Review the Google blog entry Ensuring your information is safe
online.
* Do not follow unsolicited web links or attachments in email
messages.
* Use caution when providing personal information online.
* Verify the legitimacy of the email by contacting the organization
directly through a trusted contact method.
* Refer to the Recognizing and Avoiding Email Scams (pdf) document
for more information on avoiding email scams.
* Refer to the Avoiding Social Engineering and Phishing Attacks
document for more information on social engineering attacks.
* Refer to the Using Caution with Email Attachments document for
more information on safely handling email attachments.

Children present unique security risks when they use a computer—not only do
you have to keep them safe, you have to protect the data on your computer.
By taking some simple steps, you can dramatically reduce the threats.

What unique risks are associated with children?

When a child is using your computer, normal safeguards and security
practices may not be sufficient. Children present additional challenges
because of their natural characteristics: innocence, curiosity, desire for
independence, and fear of punishment. You need to consider these
characteristics when determining how to protect your data and the child.

You may think that because the child is only playing a game, or researching
a term paper, or typing a homework assignment, he or she can’t cause any
harm. But what if, when saving her paper, the child deletes a necessary
program file? Or what if she unintentionally visits a malicious web page
that infects your computer with a virus? These are just two possible
scenarios. Mistakes happen, but the child may not realize what she’s done or
may not tell you what happened because she’s afraid of getting punished.

Online predators present another significant threat, particularly to
children. Because the nature of the internet is so anonymous, it is easy for
people to misrepresent themselves and manipulate or trick other users (see
Avoiding Social Engineering and Phishing Attacks for some examples). Adults
often fall victim to these ploys, and children, who are usually much more
open and trusting, are even easier targets. Another growing problem is
cyberbullying. These threats are even greater if a child has access to email
or instant messaging programs, visits chat rooms, and/or uses social
networking sites.

What can you do?

* Be involved – Consider activities you can work on together, whether it
be playing a game, researching a topic you had been talking about (e.g.,
family vacation spots, a particular hobby, a historical figure), or
putting together a family newsletter. This will allow you to supervise
your child’s online activities while teaching her good computer habits.
* Keep your computer in an open area – If your computer is in a
high-traffic area, you will be able to easily monitor the computer
activity. Not only does this accessibility deter a child from doing
something she knows she’s not allowed to do, it also gives you the
opportunity to intervene if you notice a behavior that could have
negative consequences.
* Set rules and warn about dangers – Make sure your child knows the
boundaries of what she is allowed to do on the computer. These
boundaries should be appropriate for the child’s age, knowledge, and
maturity, but they may include rules about how long she is allowed to be
on the computer, what sites she is allowed to visit, what software
programs she can use, and what tasks or activities she is allowed to do.
You should also talk to children about the dangers of the internet so
that they recognize suspicious behavior or activity. Discuss the risks
of sharing certain types of information (e.g., that they’re home alone)
and the benefits to only communicating and sharing information with
people they know (see Using Instant Messaging and Chat Rooms Safely,
Staying Safe on Social Network Sites, and the document Socializing
Securely: Using Social Networking Services for more information). The
goal isn’t to scare them, it’s to make them more aware. Make sure to
include the topic of cyberbullying in these discussions (see Dealing
with Cyberbullies for more information).
* Monitor computer activity – Be aware of what your child is doing on the
computer, including which websites she is visiting. If she is using
email, instant messaging, or chat rooms, try to get a sense of who she
is corresponding with and whether she actually knows them.
* Keep lines of communication open – Let your child know that she can
approach you with any questions or concerns about behaviors or problems
she may have encountered on the computer.
* Consider partitioning your computer into separate accounts – Most
operating systems give you the option of creating a different user
account for each user. If you’re worried that your child may
accidentally access, modify, and/or delete your files, you can give her
a separate account and decrease the amount of access and number of
privileges she has.
If you don’t have separate accounts, you need to be especially careful
about your security settings. In addition to limiting functionality
within your browser (see Evaluating Your Web Browser’s Security Settings
for more information), avoid letting your browser remember passwords and
other personal information (see Browsing Safely: Understanding Active
Content and Cookies). Also, it is always important to keep your virus
definitions up to date (see Understanding Anti-Virus Software).
* Consider implementing parental controls – You may be able to set some
parental controls within your browser. For example, Internet Explorer
allows you to restrict or allow certain websites to be viewed on your
computer, and you can protect these settings with a password. To find
those options, click Tools on your menu bar, select Internet Options,
choose the Content tab, and click the Enable… button under Content
Advisor.
There are other resources you can use to control and/or monitor your
child’s online activity. Some ISPs offer services designed to protect
children online. Contact your ISP to see if any of these services are
available. There are also special software programs you can install on
your computer. Different programs offer different features and
capabilities, so you can find one that best suits your needs.

Additional information

The following websites offer additional information about protecting
children online:
* GetNetWise – http://kids.getnetwise.org/
* StaySafeOnline – http://www.staysafeonline.org/
_________________________________________________________________

Authors: Mindi McDowell, Allen Householder

Users should be aware of potential email scams, fake antivirus, and phishing attacks regarding the Mississippi flooding disaster. Email scams may contain links or attachments that may direct users to phishing or malicious websites. Fake antivirus attacks may come in the form of pop-ups that flash security warnings and ask the user for credit card information. Phishing emails and websites requesting donations for bogus charitable organizations commonly appear after these types of natural disasters.
US-CERT encourages users to take the following measures to protect
themselves:
* Do not follow or open unsolicited web links or attachments in
email messages.
* Maintain up-to-date antivirus software.
* Review the Recognizing Fake Antivirus document for additional
information on recognizing fake antivirus.
* Refer to the Avoiding Social Engineering and Phishing
Attacks document for additional information on social engineering
attacks.
* Refer to the Recognizing and Avoiding Email Scams (pdf) document
for additional information on avoiding email scams.
* Review the Federal Trade Commission’s Charity Checklist.
* Verify the legitimacy of the email by contacting the organization
directly through a trusted contact number. Trusted contact
information can be found on the Better Business Bureau National
Charity Report Index.

Users should be aware of potential email scams, fake antivirus, and phishing attacks regarding Osama Bin Laden’s death. Email scams may contain links or attachments that may direct users to malicious websites. Fake antivirus attacks may come in the form of pop-ups that flash security warnings and ask the user for credit card information. Phishing emails and websites requesting personal information commonly appear after this type of news.

US-CERT encourages users to take the following measures to protect
themselves:
* Do not follow unsolicited web links or attachments in email
messages.
* Maintain up-to-date antivirus software.
* Review the Recognizing Fake Antivirus document for additional
information regarding fake antivirus.
* Refer to the Avoiding Social Engineering and Phishing
Attacks document for additional information on social engineering
attacks.
* Refer to the Recognizing and Avoiding Email Scams (pdf) document
for additional information on avoiding email scams.