McAfee Labs Security Advisory: MTIS09-130

Version 1
    December 11, 2009

    MTIS09-130
    Executive Summary
    Since the last McAfee® Labs Security Advisory (December 10), the following noteworthy events have taken place:
    • The FakeAlert-DefenceLab Trojan has gained media attention.
    • McAfee product coverage has been updated for vulnerabilities in Adobe products and Microsoft Windows.

    McAfee product coverage for these events:

    McAfee Product Coverage *

    Threat        Name                   Importance  DAT  BOP  HIPS  NSP  MVM  MNAC 2.x  MRM  PA SCAP  MNAC SCAP
    ------------  ---------------------  ----------  ---  ---  ----  ---  ---  --------  ---  -------  ---------
    MTIS09-130-A  FakeAlert-DefenceLab   Low         UA   UA   UA    N/A  UA   UA        N/A  UA       UA

    Column key: DAT = DAT files; BOP = VSE buffer overflow protection; HIPS = Host IPS; NSP = McAfee Network Security Platform; MVM = McAfee Vulnerability Manager; MRM = McAfee Remediation Manager; PA SCAP = McAfee Policy Auditor SCAP.
    Value key (as used in the detailed entries below): UA = under analysis; Exp = expected coverage; Pend = pending; N/A = out of scope; Yes/No = coverage available / not available.




    McAfee Product Coverage Updates *

    Threat        Name                      Advisory  Importance  DAT   BOP  HIPS  NSP  MVM  MNAC 2.x  MRM   PA SCAP  MNAC SCAP
    ------------  ------------------------  --------  ----------  ----  ---  ----  ---  ---  --------  ----  -------  ---------
    MTIS09-129-A  Adobe JPEG parsing Vuln   Previous  Medium      UA    Exp  Exp   UA   Yes  UA        Pend  UA       UA
                                            Current   Medium      UA    Exp  Exp   Yes  Yes  N/A       Pend  UA       UA
    MTIS09-129-B  Adobe Flash Data Inj RCE  Previous  Medium      UA    Exp  Exp   UA   Yes  No        Pend  UA       UA
                                            Current   Medium      UA    Exp  Exp   UA   Yes  No        Pend  UA       UA
    MTIS09-129-C  Adobe Flash Mem Corr RCE  Previous  Medium      UA    Exp  Exp   Yes  Yes  UA        Pend  UA       UA
                                            Current   Medium      UA    Exp  Exp   Yes  Yes  UA        Pend  UA       UA
    MTIS09-129-D  ATL COM Init Vuln         Previous  High        UA    Exp  Exp   Yes  Yes  Pend      Yes   UA       UA
                                            Current   High        UA    Exp  Exp   Yes  Yes  Pend      Yes   UA       UA
    MTIS09-129-E  Adobe Flash Int OF RCE    Previous  Medium      UA    Exp  Exp   UA   Yes  No        Pend  UA       UA
                                            Current   Medium      UA    Exp  Exp   UA   Yes  No        Pend  UA       UA
    MTIS09-119-K  XL formula Mem corr vuln  Previous  Medium      Pend  Exp  Exp   Yes  Yes  Pend      Pend  UA       UA
                                            Current   Medium      UA    Exp  Exp   Yes  Yes  Pend      Yes   UA       UA

    Column key: DAT = DAT files; BOP = VSE buffer overflow protection; HIPS = Host IPS; NSP = McAfee Network Security Platform; MVM = McAfee Vulnerability Manager; MRM = McAfee Remediation Manager; PA SCAP = McAfee Policy Auditor SCAP. Advisory = coverage reported in the previous advisory versus this one.


    FakeAlert-DefenceLab [MTIS09-130-A]

    Threat Identifier(s): FakeAlert-DefenceLab
    Threat Type: Malware
    Risk Assessment: Low-profiled
    Main Threat Vectors: Web
    User Interaction Required: Yes
    Description: The FakeAlert-DefenceLab Trojan conducts a fake scan of a system and generates fake messages reporting infections. The Trojan encourages victims to purchase a registered copy of the product to clean those infections. Unsuspecting users may respond to these scare tactics.
    Importance: Low. This threat has gained media attention.
    McAfee Product Coverage *
       DAT files: Under analysis
       VSE BOP: Under analysis
       Host IPS: Under analysis
       McAfee Network Security Platform: Out of scope
       McAfee Vulnerability Manager: Under analysis
       MNAC 2.x: Under analysis
       McAfee Remediation Manager: Out of scope
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information: Scareware slingers flaunt fake MS endorsement; FakeAlert-DefenceLab

    Adobe Flash Player / AIR JPEG Data Parsing Remote Code Execution Vulnerability [MTIS09-129-A]

    Threat Identifier(s): CVE-2009-3794
    Threat Type: Vulnerability
    Risk Assessment: Critical
    Main Threat Vectors: Web
    User Interaction Required: No
    Description: A vulnerability in the JPEG data parsing of Adobe Flash Player and Adobe AIR could lead to code execution.
    Importance: Medium. On December 8 Adobe released an update to address this issue.
    McAfee Product Coverage *
       DAT files: Under analysis
       VSE BOP: Buffer overflow protection is expected to cover code-execution exploits.
       Host IPS: Buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: The sigset release of April 24 includes the signature "HTTP: Adobe Flash Player JPG Processing," which provides coverage.
       McAfee Vulnerability Manager: The FSL/MVM package of December 9 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: Out of scope
       McAfee Remediation Manager: An upcoming V-Flash will provide coverage.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information: Security updates available for Adobe Flash Player; Adobe Flash Player - Upgrade to the latest version

    Adobe Flash Player Data Injection Remote Code Execution Vulnerability [MTIS09-129-B]

    Threat Identifier(s): CVE-2009-3796
    Threat Type: Vulnerability
    Risk Assessment: Critical
    Main Threat Vectors: Web; E-Mail
    User Interaction Required: No
    Description: A data-injection vulnerability in Adobe Flash Player and Adobe AIR could lead to code execution.
    Importance: Medium. On December 8 Adobe released an update to address this issue.
    McAfee Product Coverage *
       DAT files: Under analysis
       VSE BOP: Buffer overflow protection is expected to cover code-execution exploits.
       Host IPS: Buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: Under analysis
       McAfee Vulnerability Manager: The FSL/MVM package of December 9 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: Out of scope
       McAfee Remediation Manager: An upcoming V-Flash will provide coverage.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information: Security updates available for Adobe Flash Player; Adobe Flash Player - Upgrade to the latest version

    Adobe Flash Player Memory Corruption Remote Code Execution Vulnerability [MTIS09-129-C]

    Threat Identifier(s): CVE-2009-3797
    Threat Type: Vulnerability
    Risk Assessment: Critical
    Main Threat Vectors: Web; E-Mail
    User Interaction Required: No
    Description: A vulnerability in Adobe Flash Player that causes memory corruption could lead to remote code execution.
    Importance: Medium. On December 8 Adobe released an update to address this issue.
    McAfee Product Coverage *
       DAT files: Under analysis
       VSE BOP: Buffer overflow protection is expected to cover code-execution exploits.
       Host IPS: Buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: The sigset release of December 8 includes the signature "HTTP: Adobe Flash Player Memory Corruption Vulnerability," which provides coverage.
       McAfee Vulnerability Manager: The FSL/MVM package of December 9 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: Under analysis
       McAfee Remediation Manager: An upcoming V-Flash will provide coverage.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information: Security updates available for Adobe Flash Player; Adobe Flash Player - Upgrade to the latest version

    (MS09-072) ATL COM Initialization Vulnerability (976325) [MTIS09-129-D]

    Threat Identifier(s): CVE-2009-2493
    Threat Type: Vulnerability
    Risk Assessment: Critical
    Main Threat Vectors: Web; E-Mail; Peer-to-Peer Networks
    User Interaction Required: No
    Description: A vulnerability in an ActiveX control built with vulnerable Microsoft Active Template Library (ATL) headers could allow remote code execution. Attackers could exploit the vulnerability via a specially crafted web page. When a user views the page, the attacker could execute remote code.
    Importance: High. On December 8 Microsoft released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Under analysis
       VSE BOP: Buffer overflow protection is expected to cover code-execution exploits.
       Host IPS: Buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: The sigset release of December 8 includes the signature "HTTP: Microsoft ATL COM Initialization Vulnerability ActiveX Kill Bits IV," which provides coverage.
       McAfee Vulnerability Manager: The FSL/MVM package of December 8 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: The MNAC release of December 9 will include a vulnerability check to assess if your systems are at risk.
       McAfee Remediation Manager: The V-Flash of December 9 contains coverage for Windows.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information: (MS09-072); 976325; ATL COM Initialization Vulnerability (976325)

    Adobe Flash Player Integer Overflow Remote Code Execution Vulnerability [MTIS09-129-E]

    Threat Identifier(s): CVE-2009-3799
    Threat Type: Vulnerability
    Risk Assessment: Critical
    Main Threat Vectors: E-Mail; Web
    User Interaction Required: No
    Description: An integer-overflow vulnerability in Adobe Flash Player and Adobe AIR could lead to remote code execution.
    Importance: Medium. On December 8 Adobe released an update to address this issue.
    McAfee Product Coverage *
       DAT files: Under analysis
       VSE BOP: Buffer overflow protection is expected to cover code-execution exploits.
       Host IPS: Buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: Under analysis
       McAfee Vulnerability Manager: The FSL/MVM package of December 9 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: Out of scope
       McAfee Remediation Manager: An upcoming V-Flash will provide coverage.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information: Security updates available for Adobe Flash Player; Adobe Flash Player - Upgrade to the latest version

    (MS09-067) Excel Formula Parsing Memory Corruption Vulnerability (972652) [MTIS09-119-K]

    Threat Identifier(s): CVE-2009-3131; MS09-067
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: Web; Peer-to-Peer Networks; E-Mail; IM
    User Interaction Required: Yes
    Description: A vulnerability in Microsoft Excel could allow remote code execution. The flaw lies in Excel's parsing of documents that contain a specially crafted formula embedded in a cell. For an attack to be successful, a user must open an email attachment. An attacker exploiting this vulnerability could gain the same user rights as the local user.
    Importance: Medium. On November 10 Microsoft released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Under analysis
       VSE BOP: Buffer overflow protection is expected to cover code-execution exploits.
       Host IPS: Buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: The sigset release of November 10 includes the signature "HTTP: Excel Formula Parsing Memory Corruption Vulnerability," which provides coverage.
       McAfee Vulnerability Manager: The FSL/MVM package of November 10 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: The MNAC release of November 11 will include a vulnerability check to assess if your systems are at risk.
       McAfee Remediation Manager: The V-Flash of November 11 contains coverage for Windows.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information: http://vil.nai.com/vil/Content/v_vul48481.htm
    http://www.microsoft.com/technet/security/bulletin/ms09-067.mspx

    Detailed descriptions of the Security Advisories can be found in the Users Guide: https://kc.mcafee.com/content/mtis/McAfee_Avert_Labs_Security_Advisory_UsersGuide.pdf

    For more information on McAfee Avert Labs Security Advisories, see: https://kc.mcafee.com/content/mtis/McAfee_Avert_Labs_Security_Advisory_FAQ.pdf

    McAfee values your feedback on this Security Advisory. Please reply to this mail with your comments.

    *The information provided is only for the use and convenience of McAfee's customers in connection with their McAfee products, and applies only to the threats described herein. McAfee product coverage statements are limited to known attack vectors and should not be considered comprehensive. THE INFORMATION PROVIDED HEREIN IS PROVIDED "AS IS" AND IS SUBJECT TO CHANGE WITHOUT NOTICE.

    The information contained herein is the property of McAfee, Inc. and may not be reproduced or disseminated without the expressed written consent of McAfee, Inc.

    McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the United States and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

    McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054 888.847.8766 www.mcafee.com

    © 2009 McAfee, Inc. All rights reserved.