Spyware, viruses, & security forum: NEWS -April 23. 2012

The developers of the popular open source blog engine WordPress have released a security update for the software. WordPress 3.3.2 fixes unspecified bugs in three external file upload libraries used in the software and other security problems with the application.

The bugs affect both WordPress's current file uploading library Plupload as well as the SWFUpload and SWFObject libraries; these were bundled with older versions of the application and might still be in use by certain plugins on the current versions of WordPress. The developers did not go into detail about the specifics of the security holes but thanked three people from the WordPress community for responsibly disclosing them. Three more fixes address a privilege escalation in the blog engine's multi-site system and two cross-site scripting vulnerabilities in the core components of WordPress. More details on all of these patches and also some additional smaller fixes can be found in the change log.

WordPress 3.3.2 can be downloaded from the project's web site and users can also update their installations of the software automatically from the Update menu in their site's Dashboard.

http://www.h-online.com/security/news/item/WordPress-fixes-file-upload-security-problems-1545416.html

Also: New Version of WordPress Fixes Slew of Security Bugs

See Vulnerabilities / Fixes: WordPress Multiple Vulnerabilities

Microsoft last Friday pulled an Office for Mac 2011 major update from its upgrade servers, acknowledging bugs that have corrupted the Outlook database on some machines.

Office for Mac 2011 Service Pack 2 (SP2) was released April 12. That same day, users who had upgraded began reporting problems on Microsoft's support site, saying that they were unable to run Outlook, the suite's email client.

Last Tuesday, Microsoft confirmed that the SP2 upgrade could in some cases corrupt the Outlook identity database, and offered workarounds to prevent that from happening for those who had not yet installed the service pack, as well as a step-by-step guide to reconstructing the database for those affected by the bug.

Three days later, Microsoft took more drastic action, shutting down the delivery of Office for Mac 2011 SP2 through the company's automatic upgrade service.

"Our goal is provide the simplest update experience for everyone -- so we have temporarily stopped pushing out the SP2 update through Microsoft AutoUpdate while we investigate the issue," Microsoft announced in a Friday post to its Office for Mac blog.

Continued : http://www.pcworld.com/businesscenter/article/254265/office_for_mac_2011_upgrade_pulled.html

Facebook is filled with apps that share your information with third-party "trackers." But a new tool, Privacyscore, helps users decide which apps to use, and which to avoid like the plague.

As anyone who's every used Facebook apps knows, these little suckers can be a real gamble when it comes to privacy. Sure, they all include a list of permissions, and their very own privacy policies for your to peruse through. But what does it all mean? And who has time to read through that stuff, anyway?

A new tool from security research firm PrivacyChoice is now available to help you find out. Dubbed Privacyscore, the free app provides a simple breakdown of the privacy policies and tracking practices of other Facebook apps. It also scores each app on a scale of 1 to 100; the higher the number, the better privacy protections.

"Hundreds of millions of people use Facebook apps every day, sharing personal profile information widely across thousands of app providers," said Jim Brock, PrivacyChoice Founder and CEO, in a statement on the company blog. "Each app provider has its own privacy policies, which in many cases lack even minimal assurances. Our research also revealed that those apps bring in scores of third-party tracking companies, which in many cases also lack basic protections, choices and oversight."

Continued : http://www.digitaltrends.com/social-media/privacyscore-tool-protects-facebook-users-from-seedy-apps/

The experts at SophosLabs have released their latest "dirty dozen" report detailing the world's top spam-relaying countries - and we've discovered that in the space of a year, India has overtaken the United States to become the top global contributor to the junk email problem.

If you have a spam in your inbox, there's an almost one in ten chance that it was relayed from an Indian computer.

The top twelve spam relaying countries for January - March 2012 - [List]

The vast majority of spam comes from home computers that have been compromised by hackers, and commandeered into a botnet. Remote hackers can send spam from recruited computers, as well as potentially steal information or install other malicious code.

The good news is that overall throughput of global email spam messages has decreased since Q1 2011.

This is partly because of better work by ISPs around the world, but also reflects a change in tactics by cybercriminals. Spammers are increasingly finding traditional email spam ineffective, turning to social networks to spread these kinds of marketing spam campaigns instead.

Continued: http://nakedsecurity.sophos.com/2012/04/23/india-becomes-the-king-of-the-spammers-stealing-americas-crown/

Domain name overlord ICANN has been forced to delay its new top-level domain (TLD) expansion by another week as its techies attempt to analyse the fallout of an embarrassing security vulnerability.

Its TLD Application System (TAS), which companies worldwide have been using since January to confidentially apply for gTLDs such as .gay, .london and .blog, has now been down for 10 days due to a bug that enabled some applicants to see information belonging to others.

While ICANN maintains that it has fixed the problem, it now says that it needs at least another week to sift through its mountains of TAS logs, in order to figure out which applicants' data was visible to which other applicants.

ICANN had been receiving reports about the bug since at least 19 March, but only pulled the plug on 12 April, just 12 hours before the final application submission deadline, when it realised how serious the problem could be.

It initially hoped to get the system back up and running by 17 April, but when that deadline passed it then promised to give users an update on the timing by Friday 20 April.

Continued: http://www.theregister.co.uk/2012/04/23/security_bug_delays_new_gtld_launch_again/

PC users infected with a strain of malware called DNS Changer will face their own personal Internet doomsday in July unless they disinfect their computers, the FBI warns.

Users have until July 9 to rid themselves of the DNS Changer malware, which can infect Windows PCs and Macs alike. After that, the FBI will throw a switch that prevents infected computers from accessing the Internet.

It's not as Big Brother as it sounds. DNS Changer is a Trojan that surfaced in 2007 and infected millions of machines. The malware would redirect computers to hacker-created Websites, where cyber-criminals sold at least $14 million in advertisements. DNS Changer also prevented computers from updating or using anti-virus software, leaving them vulnerable to even more malicious software.

Last November, in one of the biggest cybersecurity takedowns ever, the FBI arrested six Estonian nationals that allegedly ran the clickjacking fraud, and seized the rogue DNS servers where infected users were being redirected. The FBI has put up surrogate servers in place of the malicious ones, but only temporarily.

Continued: http://www.pcworld.com/article/254279/fbi_steps_up_internet_doomsday_awareness_malware_campaign.html

Related: Checking Your System for the DNS Changer Malware