Spyware, viruses, & security forum: NEWS - September 10, 2012

The recent 5.4 release of Foxit Software's proprietary PDF Reader addresses a DLL hijacking vulnerability that could be exploited by an attacker to compromise a victim's system. According to the company, previous versions of its software contained a security hole that allowed it to call and execute malicious code stored in an infected Dynamic Link Library (DLL) file.

For an attack to be successful, a victim must first open a PDF file in the same directory as a specially crafted version of a system DLL file. This could occur, for example, when an attacker publishes a PDF file on a WebDAV or SMB share and places the crafted DLL in the same shared folder. When the file is opened, Foxit is loaded and begins to load system libraries, but because of a programming oversight, it will first look for some of these libraries in the directory it loaded the PDF from. So a malicious DLL with the same name as a system library that is searched for can inject itself into the application and have its code executed.

Versions up to and including Foxit Reader 5.3.1.0606 are affected. The company credits Remy Brands with discovering the issue on 24 August. While Foxit notes that it corrected the problem just two days later, it only released Foxit Reader 5.4, which contains the fix, on 6 September.

Further information about the 5.4 update, including a list of new features, can be found in the release announcement. Foxit Reader 5.4 is available to download from the company's site; existing users can upgrade to the new version by selecting the "Check for Updates Now" option under the Reader help menu.

http://www.h-online.com/security/news/item/Foxit-Reader-5-4-fixes-DLL-hijacking-vulnerability-1703878.html

Microsoft's decision to make Internet Explorer 10 in Windows 8 have the "Do Not Track" (DNT) option turned on by default has stirred a heated discussion among browser developers, online analytics companies, privacy advocates, advertisers, and the Tracking Protection Working Group of the World Wide Web Consortium (W3C).

The latest oil to that particular fire has been added by the Apache Foundation, which added a patch to its open source Apache HTTP Server that will make it ignore the DNT header if sent by the IE10 browser.

Apache HTTP Server is the world's most popular web server, and the patch - named "Apache does not tolerate deliberate abuse of open standards" by its creator Roy Fielding - will effectively ignore the header even if the actual choice was made by a human.

"The only reason DNT exists is to express a non-default option. That's all it does. It does not protect anyone's privacy unless the recipients believe it was set by a real human being, with a real preference for privacy over personalization," explained Fielding, who is one of the founders of the Apache HTTP Server Project but also a scientist at Adobe and one of the editors of the DNT standard.

Continued : http://www.net-security.org/secworld.php?id=13555

Also:
Apache Blocks IE 10 Do Not Track Privacy Setting
Apache webserver updated to ignore Do Not Track settings in IE 10
Apache ignores Internet Explorer 10's do-not-track header

Do you think that Windows help file is safe? Think again.

Malware authors can create boobytrapped .HLP files, designed to infect your computer.

Take for instance, the strange .HLP file which was sent to SophosLabs by some of our customers at the end of August.

The file, Amministrazione.hlp ("Amministrazione" is Italian for "Administration") was an example of how cybercriminals can use social engineering to trick unsuspecting users into infecting their computers. [Screenshot]

If opened, the help file displays an error message: [Screenshot]

Help could not read the current Help file.
Make sure there are no errors on the disk, or if the file is on a network drive, that the server is active. (163)

In the background, however, a file called Windows Security Center.exe is being dropped onto the computer, which in turn creates a file called RECYCLER.DLL. [Screenshot]

Continued : http://nakedsecurity.sophos.com/2012/09/10/keylogger-help-file/

From TrendLabs Malware Blog:

Earlier this year, a new breed of Remote Access Tool (RAT) called Plugx (also known as Korplug) surfaced in the wild. PlugX, reportedly used on limited targeted attacks, is an example of custom-made RATs developed specifically for this purpose.

The idea behind using this new tool is simple: less recognition and more elusiveness from security researchers. However, this does not mean that this attack is new. Our monitoring reveals that PlugX is part of a campaign that has been around since February 2008.

The said campaign used the Poison Ivy RAT and was reported to target specific users in Japan, China, and Taiwan. This campaign was also part of a large, concerted attack as documented earlier this year. True to its origins, we have observed that Plugx was distributed mainly to government-related organizations and a specific corporation in Japan.

Similar to previous Poison Ivy campaigns, it also arrives as an attachment to spear-phished emails either as an archived, bundled file or specially crafted document that exploits a vulnerability in Adobe Acrobat Reader or Microsoft Office. We,ve encountered an instance of Plugx aimed at a South Korean Internet company and a U.S. engineering firm. [Screenshot: PlugX Email Sample]

Continued : http://blog.trendmicro.com/plugx-new-tool-for-a-not-so-new-campaign/