McAfee Labs Security Advisory: MTIS09-134

Version 1
    December 18, 2009

    MTIS09-134
    Executive Summary
    Since the last McAfee® Labs Security Advisory (December 17), the following noteworthy events have taken place:
    • The FakeAlert-AntiVirusPro Trojan has gained media attention.
    • A remote code execution and heap overflow vulnerability in Microsoft Windows Indeo Codec has been publicly disclosed.
    • McAfee product coverage has been updated for the Exploit-PDF.ag Trojan.
    • McAfee product coverage has been updated for vulnerabilities in Mozilla Firefox and SeaMonkey.

    McAfee product coverage for these events:

    McAfee Product Coverage *

    Threat                          | Importance | DAT  | BOP | Host IPS | McAfee Network Security Platform | McAfee Vulnerability Manager | MNAC 2.x | McAfee Remediation Manager | McAfee Policy Auditor SCAP | MNAC SCAP
    --------------------------------|------------|------|-----|----------|----------------------------------|------------------------------|----------|----------------------------|----------------------------|----------
    MTIS09-134-A FakeAlert-AVPro    | Low        | Pend | N/A | N/A      | N/A                              | UA                           | UA       | N/A                        | N/A                        | UA
    MTIS09-134-B MS Indeo RCE vuln  | Medium     | UA   | Exp | Exp      | UA                               | Yes                          | UA       | Pend                       | N/A                        | UA

    Abbreviations used in the coverage tables, as spelled out in the detailed entries below: UA = under analysis; Pend = pending; Exp = expected; N/A = not applicable (out of scope, or coverage not warranted at this time).



    McAfee Product Coverage Updates *

    Threat                               | Advisory | Importance | DAT | BOP | Host IPS | McAfee Network Security Platform | McAfee Vulnerability Manager | MNAC 2.x | McAfee Remediation Manager | McAfee Policy Auditor SCAP | MNAC SCAP
    -------------------------------------|----------|------------|-----|-----|----------|----------------------------------|------------------------------|----------|----------------------------|----------------------------|----------
    MTIS09-133-A Exploit-PDF.ag          | Previous | High       | Yes | N/A | N/A      | Yes                              | UA                           | UA       | N/A                        | N/A                        | N/A
    MTIS09-133-A Exploit-PDF.ag          | Current  | High       | Yes | N/A | N/A      | Yes                              | No                           | No       | N/A                        | N/A                        | UA
    MTIS09-133-B Mozilla libtheora RCE   | Previous | Medium     | N/A | UA  | UA       | UA                               | UA                           | UA       | UA                         | UA                         | UA
    MTIS09-133-B Mozilla libtheora RCE   | Current  | Medium     | N/A | UA  | UA       | UA                               | UA                           | N/A      | Pend                       | UA                         | UA
    MTIS09-133-C Mozilla liboggplay RCE  | Previous | Medium     | N/A | UA  | UA       | UA                               | UA                           | UA       | UA                         | UA                         | UA
    MTIS09-133-C Mozilla liboggplay RCE  | Current  | Medium     | N/A | UA  | UA       | UA                               | UA                           | N/A      | Pend                       | UA                         | UA

    FakeAlert-AntiVirusPro Trojan [MTIS09-134-A]

    Threat Identifier(s): FakeAlert-AVPro
    Threat Type: Malware
    Risk Assessment: Low-profiled
    Main Threat Vectors: Web; E-Mail
    User Interaction Required: Yes
    Description:
    The FakeAlert-AntiVirusPro Trojan tricks users into downloading fake anti-virus software. This malware shows false error messages, misleading spyware scan results, and aggressive advertising to persuade users to purchase it.
    Importance: Low. This threat has gained media attention.
    McAfee Product Coverage *
       DAT files: Coverage will be provided as FakeAlert-AntiVirusPro in the 5836 DATs, to be released December 18.
       VSE BOP: Out of scope
       Host IPS: Out of scope
       McAfee Network Security Platform: Out of scope
       McAfee Vulnerability Manager: Under analysis
       MNAC 2.x: Under analysis
       McAfee Remediation Manager: Out of scope
       McAfee Policy Auditor SCAP: Out of scope
       MNAC SCAP: Under analysis
    Additional Information: McAfee: FakeAlert-AntiVirusPro
    The Register: Google Doodle poisoned by scareware slingers

    Microsoft Windows Indeo Codec Remote Code Execution and Heap Corruption Vulnerabilities [MTIS09-134-B]

    Threat Identifier(s): CVE-2009-4309; CVE-2009-4310; CVE-2009-4311; CVE-2009-4312; CVE-2009-4313
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: Web
    User Interaction Required: No
    Description:
    The Indeo codec contains multiple vulnerabilities that may allow remote code execution. Indeo is used by media players to decompress certain types of video files. Exploitation requires an attacker to entice a user to open a maliciously crafted media file, or visit a website that hosts the file.
    Importance: Medium. On December 17, details of this vulnerability were publicly disclosed.
    McAfee Product Coverage *
       DAT files: Under analysis
       VSE BOP: Buffer overflow protection is expected to cover code-execution exploits.
       Host IPS: Buffer overflow protection is expected to cover code-execution exploits.
       McAfee Network Security Platform: Under analysis
       McAfee Vulnerability Manager: The FSL/MVM package of December 9 includes a vulnerability check to assess if your systems are at risk.
       MNAC 2.x: Under analysis
       McAfee Remediation Manager: An upcoming Remedy V-Flash will contain remedies for this issue.
       McAfee Policy Auditor SCAP: Coverage not warranted at this time
       MNAC SCAP: Under analysis
    Additional Information: Microsoft: Security Enhancements for the Indeo Codec

    Exploit-PDF.ag Trojan [MTIS09-133-A]

    Threat Identifier(s): Exploit-PDF.ag
    Threat Type: Malware
    Risk Assessment: Low-profiled
    Main Threat Vectors: E-Mail; Web; Peer-to-Peer Networks
    User Interaction Required: Yes
    Description:
    Exploit-PDF.ag is malware that exploits a vulnerability in Adobe Acrobat and Reader. These maliciously crafted PDF files exploit the vulnerability CVE-2009-4324. (Full details are available from Adobe at http://www.adobe.com/support/security/advisories/apsa09-07.html.) The malware installs and executes the malicious downloader Trojan Generic Downloader.fg, which downloads further malware, detected as Generic Dropper.og.
    Importance: High. This threat has gained media attention.
    McAfee Product Coverage *
       DAT files: Coverage is as Exploit-PDF.ag in the 5834 DAT files, released December 16.
       VSE BOP: Out of scope
       Host IPS: Out of scope
       McAfee Network Security Platform: The UDS release of December 15 includes the signature "UDS-HTTP: Adobe Acrobat JavaScript PDF Code Execution Vulnerability," which provides partial coverage.
       McAfee Vulnerability Manager: Out of scope
       MNAC 2.x: Out of scope
       McAfee Remediation Manager: Out of scope
       McAfee Policy Auditor SCAP: Out of scope
       MNAC SCAP: Under analysis
    Additional Information: McAfee: Exploit-PDF.ag
    Adobe: Security Advisory for Adobe Reader and Acrobat

    Mozilla Products "libtheora" Integer Overflow Vulnerability [MTIS09-133-B]

    Threat Identifier(s): CVE-2009-3389
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: E-Mail; Web
    User Interaction Required: Yes
    Description:
    An integer overflow vulnerability in Mozilla Firefox and SeaMonkey may allow remote code execution. The flaw lies in an integer overflow condition in the Theora video library. When the dimensions of a video extend beyond a particular point, multiplying the video's display dimensions can cause a 32-bit integer overflow. Exploitation can occur via a specially crafted video file, possibly allowing the execution of arbitrary code. Failed exploit attempts may result in a denial-of-service condition.
    Importance: Medium. On December 15 Mozilla released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Out of scope
       VSE BOP: Under analysis
       Host IPS: Under analysis
       McAfee Network Security Platform: Under analysis
       McAfee Vulnerability Manager: Under analysis
       MNAC 2.x: Out of scope
       McAfee Remediation Manager: An upcoming Remedy V-Flash will contain a remedy for this issue.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information: Mozilla: Mozilla Foundation Security Advisory 2009-67
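The bug class described in the libtheora entry above, as an added example that is not libtheora's or Mozilla's code: a frame-size computation whose 32-bit product of the dimensions wraps, beside a checked version that widens to 64 bits and rejects anything the decoder's 32-bit size cannot hold. The 8-byte header format fed into it is constructed for the example and is not the real Theora header layout.

```c
#include <stdint.h>
#include <stddef.h>

/* Vulnerable pattern: the product is computed in 32 bits and wraps
 * modulo 2^32 for large dimensions, e.g. 65536 x 65536 x 1 -> 0, so a
 * buffer sized from this value is far smaller than the frame data the
 * decoder later writes into it. */
uint32_t frame_bytes_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Hardened pattern: widen to 64 bits and refuse any size that does not
 * fit the 32-bit value the rest of the decoder works with. Returns 1 and
 * stores the byte count on success, 0 on a zero dimension or overflow. */
int frame_bytes_checked(uint32_t width, uint32_t height, uint32_t bpp,
                        uint32_t *out)
{
    uint64_t pixels, bytes;
    if (width == 0 || height == 0 || bpp == 0)
        return 0;
    pixels = (uint64_t)width * height;   /* < 2^64, cannot wrap */
    if (pixels > UINT32_MAX)
        return 0;
    bytes = pixels * bpp;                /* pixels < 2^32, so still < 2^64 */
    if (bytes > UINT32_MAX)
        return 0;
    *out = (uint32_t)bytes;
    return 1;
}

/* Constructed header: width then height as 32-bit big-endian values.
 * The check runs on the parsed values before any allocation is sized. */
int parse_frame_size(const uint8_t hdr[8], uint32_t bpp, uint32_t *out)
{
    uint32_t w = ((uint32_t)hdr[0] << 24) | ((uint32_t)hdr[1] << 16) |
                 ((uint32_t)hdr[2] << 8)  |  (uint32_t)hdr[3];
    uint32_t h = ((uint32_t)hdr[4] << 24) | ((uint32_t)hdr[5] << 16) |
                 ((uint32_t)hdr[6] << 8)  |  (uint32_t)hdr[7];
    return frame_bytes_checked(w, h, bpp, out);
}
```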

    Mozilla Products "liboggplay" Media Library Code Execution Vulnerability [MTIS09-133-C]

    Threat Identifier(s): CVE-2009-3388
    Threat Type: Vulnerability
    Risk Assessment: Medium
    Main Threat Vectors: E-Mail; Web
    User Interaction Required: Yes
    Description:
    A vulnerability in Mozilla Firefox and SeaMonkey may allow remote code execution. The flaw lies in specific "memory safety issues" in the liboggplay media library. Exploitation can occur via a specially crafted video file, possibly allowing the execution of arbitrary code. Failed exploit attempts may result in a denial-of-service condition.
    Importance: Medium. On December 15 Mozilla released a patch that fixes the issue.
    McAfee Product Coverage *
       DAT files: Out of scope
       VSE BOP: Under analysis
       Host IPS: Under analysis
       McAfee Network Security Platform: Under analysis
       McAfee Vulnerability Manager: Under analysis
       MNAC 2.x: Out of scope
       McAfee Remediation Manager: An upcoming Remedy V-Flash will contain a remedy for this issue.
       McAfee Policy Auditor SCAP: Under analysis
       MNAC SCAP: Under analysis
    Additional Information: Mozilla: Mozilla Foundation Security Advisory 2009-66

    Detailed descriptions of the Security Advisories can be found in the Users Guide: https://kc.mcafee.com/content/mtis/McAfee_Avert_Labs_Security_Advisory_UsersGuide.pdf

    For more information on McAfee Avert Labs Security Advisories, see: https://kc.mcafee.com/content/mtis/McAfee_Avert_Labs_Security_Advisory_FAQ.pdf


    McAfee values your feedback on this Security Advisory. Please reply to this mail with your comments.

    *The information provided is only for the use and convenience of McAfee's customers in connection with their McAfee products, and applies only to the threats described herein. McAfee product coverage statements are limited to known attack vectors and should not be considered comprehensive. THE INFORMATION PROVIDED HEREIN IS PROVIDED "AS IS" AND IS SUBJECT TO CHANGE WITHOUT NOTICE.

    The information contained herein is the property of McAfee, Inc. and may not be reproduced or disseminated without the expressed written consent of McAfee, Inc.

    McAfee and/or additional marks herein are registered trademarks or trademarks of McAfee, Inc. and/or its affiliates in the United States and/or other countries. McAfee Red in connection with security is distinctive of McAfee brand products. All other registered and unregistered trademarks herein are the sole property of their respective owners.

    McAfee, Inc. 3965 Freedom Circle, Santa Clara, CA 95054 888.847.8766 www.mcafee.com

    © 2009 McAfee, Inc. All rights reserved.