[IS&T Security-FYI] Newsletter, May 3rd, 2007
Monique Yeaton
myeaton at MIT.EDU
Thu May 3 16:31:58 EDT 2007
In this Issue:
1. Critical But Limited Flaw In PhotoShop
2. Winamp Zero-Day Exploit Code Released
3. Virginia Tech Exploitation on the Internet
4. eBay Users Often Target of Hackers
---------------------------------------------------
1. Critical But Limited Flaw In PhotoShop
---------------------------------------------------
This vulnerability concerns the way Adobe Photoshop CS2 and CS3
handle the processing of malicious bitmap files, such as .bmp, .dib
and .rle. A malicious attacker could exploit the flaw to launch a
buffer overflow attack. That buffer overflow would then allow the
intruder to take over a user's system. No active exploits exist yet
and any attacks will be limited, according to the security firm Secunia.
Until Adobe Systems develops a fix, Secunia advises users to forgo
opening bitmap files where the source of the file is not clear or
verifiable. Adobe is investigating the issue and will update
customers as it learns more.
Secunia's advisory: <http://secunia.com/advisories/25023/>
ZDNet's article: <http://www.zdnet.co.uk/misc/print/0,1000000169,39286872-39001093c,00.htm>
--------------------------------------------------------
2. Winamp Zero-Day Exploit Code Released
--------------------------------------------------------
A remote code execution vulnerability, together with exploit code, has
been released for Winamp versions 5.11 and later. The flaw lies in
Winamp's MP4 decoding. An attacker is most likely to use it by getting
a victim to download and play an .MP4 file delivered by email or by a
link to a website. Removing the .MP4 file association from Winamp will
mitigate the vulnerability until the vendor makes a patch available.
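The mitigation above depends on knowing which program Windows currently hands .MP4 files to. The following PowerShell function is an added example, not part of the newsletter or of Winamp; it reads the standard per-user and system file-association registry keys (the key paths and the "winamp" substring match are assumptions, not values taken from the newsletter) and reports the handler without changing anything, so an administrator can confirm whether the association has actually been removed.

```powershell
# Added example: report which program is registered to open .mp4 files.
# Read-only; it does not modify any association.
function Get-Mp4Handler {
    $ext = '.mp4'

    # Assumed key: per-user "Open with" choice (present on Vista and later).
    $userChoicePath = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
    $userChoice = Get-ItemProperty -Path $userChoicePath -ErrorAction SilentlyContinue

    if ($userChoice -and $userChoice.ProgId) {
        $progId = $userChoice.ProgId
        $source = 'per-user (UserChoice)'
    } else {
        # Assumed key: system-wide association, default value of HKCR\.mp4
        $classRoot = Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue
        $progId = if ($classRoot) { $classRoot.'(default)' } else { $null }
        $source = 'system (HKCR)'
    }

    if (-not $progId) {
        # No association at all: double-clicking an .mp4 will not launch a player.
        return [pscustomobject]@{
            Extension = $ext; Source = 'none'; ProgId = $null; Command = $null; IsWinamp = $false
        }
    }

    # The ProgID's open command tells us the executable that will be launched.
    $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $cmdValue = Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue
    $command = if ($cmdValue) { $cmdValue.'(default)' } else { $null }

    [pscustomobject]@{
        Extension = $ext
        Source    = $source
        ProgId    = $progId
        Command   = $command
        # Assumed heuristic: the launch command names the Winamp executable.
        IsWinamp  = [bool]($command -match 'winamp')
    }
}

Get-Mp4Handler | Format-List
```

If IsWinamp is still True after the association was supposedly removed, check the Source field: a per-user UserChoice entry overrides the system-wide HKCR value, so removing only one of the two leaves the other in effect.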
------------------------------------------------------
3. Virginia Tech Exploitation on the Internet
------------------------------------------------------
As we saw in the wake of recent tragedies, including Hurricane
Katrina and the London terror bombings, soon after the shooting
incident at Virginia Tech there were sites attempting to steal money
from people who thought they were donating to victims' families.
Security experts at SANS found at least 25 of these fake Web sites
within days of the event. Only minutes after the tragic incident was
reported, domain names related to Virginia Tech had been bought up
and were for sale on eBay.
For those who wish to donate, we suggest visiting only Virginia
Tech's official site, <www.vt.edu>, which has a link available for
donations. There is no need to visit any other page. We also warn
people to avoid following links in unsolicited emails. Users who
suspect they have fallen victim to a scam are advised to contact
their bank immediately.
-------------------------------------------------
4. eBay Users Often Target of Hackers
-------------------------------------------------
eBay users could fall victim to fraud as the auction company faces a
growing number of attacks. Since last December the number of
fraudulent auctions on the site has grown, causing an onslaught of
complaints from users who say the increase is at an unacceptable
level. Usually the attacks involve phishing traps such as when users
receive an email claiming to be from eBay and directing them to a
page looking very much like a real eBay page. Keyloggers on these
pages could capture a user's password and account information.
The latest attack, from this past March, involved a man-in-the-middle
approach in which the attacker doctors specific variables on the
page, such as the seller's name and seller ratings, designed to
give victims confidence in the attacker. So far none of these
attacks has breached the company's customer records or other
sensitive information.
News source: <http://www.theregister.co.uk/2007/03/06/ebay_trojan/>
As a response to this type of criminal activity, eBay is looking out
for its customers. According to the eBay site: "eBay, Inc.
established the Fraud Investigations Team (FIT) to promote the safe
use of its platforms and to collaborate with local, state, federal
and international law to enforce policies, prosecute fraudsters and
help keep the community safe."
If you believe you became a victim of fraud when using eBay, the site
offers a few tips: <http://pages.ebay.com/securitycenter/law_enforcement.html>
If you have any questions or comments about information in this
email, please contact us at security at mit.edu and thank you for
staying aware of IT security issues.
Monique
=========================
Monique Yeaton
IT Security Awareness Consultant
MIT Information Services & Technology (IS&T)
(617) 253-2715
http://web.mit.edu/ist/security