Microsoft Security Update and Google Security Site

A couple of interesting security-related stories I wanted to touch on. Google has been picking up the pace recently in proactively removing and blocking malicious websites from its search engine. It recently posted a study by Google and Provos that found over 450,000 web pages launching drive-by downloads of malware and another 700,000 web pages launching downloads of suspicious software. Lots of news articles followed claiming that Google said 1 in 10 websites are potentially malicious. I thought they were misreading it, but I wasn’t sure until today, when Google launched a security blog saying the figure was being misreported.

Unfortunately, the scope of the problem has recently been somewhat misreported to suggest that one in 10 websites are potentially malicious. To clarify, a sample-based analysis puts the fraction of malicious pages at roughly 0.1%. The analysis described in our paper covers billions of URLs. Using targeted feature extraction and classification, we select a subset of URLs believed to be suspicious for in-depth investigation. So far, we have investigated about 12 million suspicious URLs and found about 1 million that engage in drive-by downloads. In most cases, the web sites that infect your system with malware are not intentionally doing so and are often unaware that their web servers have been compromised. Source: Introducing Google’s online security efforts

Here is a map of the globe highlighting the countries hosting the most drive-by download servers. As you would expect, most of the sites are in China, Russia, the US and Germany, which are highlighted in red. Orange means medium activity, yellow means low activity and green means no activity.

Location of malware distribution servers

Should be an interesting read; I hope they really keep us up to date and don’t just use the blog to react to incidents after the fact. Microsoft has released Microsoft Security Advisory (937696), Release of Microsoft Office Isolated Conversion Environment (MOICE) and File Block Functionality for Microsoft Office. Both features are designed to make it easier for customers to protect themselves from Office files that may contain malicious software, such as unsolicited Office files received from unknown or known sources. MOICE does this by providing new security mitigation technologies designed to convert specific Microsoft Office file types, while File Block provides a mechanism that can control and block the opening of specific Microsoft Office file types. The Zero Day blog says,

The tool, called MOICE (Microsoft Office Isolated Conversion Environment), can be used in tandem with Group Policy settings to convert documents in legacy (.doc) formats to OpenXML formats, stripping out potentially harmful elements that could pose a potential security risk.

The conversion process takes place in a safe, quarantined sandbox environment, so the user’s computer is fully protected. (See previous blog entry on the MOICE plans). Source: Microsoft releases Office exploit isolation tool

In a related post, Zero Day describes the latest Monthly Intelligence Report from MessageLabs, which reports a surge in targeted malware exploiting a known Word vulnerability and suggests that an exploit generator kit may be circulating online.

These attacks increased dramatically since March 2007 from four attacks going to four single recipients to 66 attacks going to 273 recipients in April.

“On first sight, it appears that more than one hacker ring is using this Microsoft Word exploit, and so an exploit generator kit might exist, although this has not yet been found,” said Alex Shipp, senior anti-virus technologist at MessageLabs.

The report said a Taiwanese crime ring called “Task Briefing” continued its use of Microsoft Office exploits during April, launching spear-phishing attacks with PowerPoint documents embedded in e-mails.

The ring made six attacks this month, sending 61 emails accounting for 10 percent of all targeted e-mails in April, the longest of which lasted 45 hours. In March, the same gang sent 151 emails accounting for more than 20 percent of targeted attacks.

During April 2007, MessageLabs said it intercepted 595 e-mails in 249 separate targeted attacks aimed at 192 different organizations. Of these, 180 were one-on-one targeted attacks aimed at a specific organization. Source: MS Word exploit generator circulating?

The security landscape sure is changing, and if you think you aren’t vulnerable, whether as an individual or as an agency, you are severely mistaken. The report is available here.