[octoberasian]

Another exploit has been found in Adobe Reader.

So far, it only affects Linux versions of the Reader. versions 8.14 and 9.1 (newest release). It hasn't been found yet in Windows or Mac versions at the moment.

However, it is best to stay cautious and disable Javascript in Adobe Reader as instructed above.

=============================================================

Another iFrame/Flash/Javascript exploit was found on FFXI Wikia.

I've checked it myself and it seems to have been removed already.

However I recommend using Firefox 3 with AdBlock and NoScript add-ons.

If you still use IE7 or use IE8, I recommend installing IE7 Pro. IE6 does not work.

[octoberasian]

Adobe Critical Vulnerability (again)

As said above, a critical vulnerability was found again in Adobe Reader and Adobe Acrobat. At that time, it was only thought to exist in Linux versions of the Adobe software.

However, today, Adobe released an update for both products for not only Linux but Windows and Mac versions as well.

Recommend to update your versions from 9.1 to 9.1.1.

Full details of the vulnerability are described here:
http://www.adobe.com/support/security/bull.../apsb09-06.html

The exploit occurs when Reader or Acrobat crashes and allows an unauthorized user access to the computer.

Reader updates are here: BE ABSOLUTELY SURE YOU GET VERSION 9.1.1

Windows:
http://www.adobe.com/support/downloads/pro...latform=Windows

Mac:
http://www.adobe.com/support/downloads/pro...mp;platform=Mac

Linux:
http://www.adobe.com/support/downloads/pro...p;platform=Unix

Acrobat updates are here: BE ABSOLUTELY SURE YOU GET VERSION 9.1.1

Windows:
http://www.adobe.com/support/downloads/pro...latform=Windows

Mac:
http://www.adobe.com/support/downloads/pro...mp;platform=Mac

[octoberasian]

Adobe and Microsoft Critical Security Vulnerabilities

This is a big one and very lengthy. Adobe and Microsoft released product updates today that patched a critical security vulnerability that would allow a hacker access to your computer and take control of it.

You are advised to update your products immediately.

Adobe software affected: (Both Windows and Mac versions.)

- Adobe Reader
- Adobe Acrobat

Microsoft software affected:

- Microsoft Windows XP, Vista, 2000, Server 2003, Server 2008; both 32-bit and 64-bit versions
- Microsoft Office 2000, 2003, and 2007 for Windows
- Microsoft Office 2004 and 2008 for Mac
- Microsoft Internet Information Services
- Microsoft Internet Explorer
- Microsoft Works 8.5 and Works 9.0
- Microsoft Sharepoint Server

Microsoft security bulletin:
http://www.microsoft.com/technet/security/...n/ms09-jun.mspx

Adobe security bulletin:
http://www.adobe.com/support/security/bull.../apsb09-07.html

Software download locations:
Adobe Reader 9.1.2

• Windows: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4486
• Mac (Power PC): http://www.adobe.com/support/downloads/detail.jsp?ftpID=4499
• Mac (Intel): http://www.adobe.com/support/downloads/detail.jsp?ftpID=4498

Adobe Acrobat 9.1.2

• Windows: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4489
• Mac: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4502

Microsoft Updates

• http://update.microsoft.com
• Start > All Programs > Windows Update
• Start > Control Panel > Windows Update

[octoberasian]

Possible Malware in FFXI Atlas Vana'diel Bestiary section

Infected URL: http://monsters.ffxi-atlas.com/monsters/?id=

The "id" variable must be followed with a 4-digit numerical id linking to the monster you are looking for that will bring up the warning in Avast. Example: "?id=2564" or "?id=1145" will bring up the warning. At the moment, I can't really verify if this is a false positive or not, but be careful if you are visiting that website for now.

Searching for monsters there will bring up the following warning in Avast:
 avast_ffxi_atlas.jpg (50.98K)
Number of downloads: 0

The website seems to be infected (again), and even with NoScript and AdBlock enabled, the page will still open. You will need an antivirus program such as Avast or AVG, and possibly Antivir with active, real-time link scanning.

AVG offers a standalone link scanner here: http://linkscanner.avg.com/

Notes:
- AVG's link scanning software may make certain websites unable to load properly
- Link scanning does give a slight decrease in speed in loading web pages as each URL is scanned before being sent to the browser

[Corrderio]

FFXI Atlas having virus threats? Who knew?

[octoberasian]

Spoof e-mail and phishing scam warning

Spoiler! --Click here to view--

"PlayOnline Account Administration" <notifications@pol.com>

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
ACCOUNT ADMINISTRATION US
PlayOnline ID Investigation
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

Greetings!

It has come to our attention that you are trying to sell/trade your personal PlayOnline / FINAL FANTASY XI account(s) or its assets.
As you may or may not be aware, this activity is considered RMT (Real Money Trading) and conflicts with the EULA and Terms of Service Agreement.
Recent suspicious activity on your account has been detected. This may include:

-Access at multiple terminals within a short amount of time
-Access from multiple IP addresses within a short amount of time
-Significant fluctuations in gil or inventory
-Extremely large amounts of gil on an otherwise undeveloped character
-Rapid procurement/sale of in-game assets
-Rapid distribution of in-game assets to multiple characters
-Evidence gained through an outside source
-Unreasonable or otherwise suspicious behavior as noted by a SQUARE ENIX or PlayOnline representative

As a result of one or more of the above conditions, or other conditions not specified by this e-mail, your account has been deemed a red-flag risk for potential RMT activity.
If this proves to be true, your account can and will be disabled. To avoid such measures, your utmost cooperation is requested.
If it can be verified that you are the original owner of this account, and that you are still in control of the account, investigation regarding account sales would be unnecessary.
This is done most easily by confirming your personal information along with concealed information about the account. If the information is deemed accurate, the investigation will be dropped.

You can confirm that you are the original owner of the account by replying to this email with:

Use the following template below to verify your account and information via email.

* Date of birth
* Zip code
* Country
* PlayOnline password

-(if applicable)-
* SQUARE ENIX Account Name
* SQUARE ENIX Account Password

(NOTE that your PlayOnline ID is not necessary. Never disclose your PlayOnline ID and password at one time under any circumstances.)

If you ignore this mail your account may be closed without additional notice. Once the account has been verified, we will reply to your e-mail informing you that we have dropped the investigation.

We ask that once submitted, you do not change any of this information until the investigation is completed.

_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
Thank you for your time.
_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/

If you received an e-mail similar to that above, DO NOT REPLY! The e-mail is a scam, a spoof posing as an official e-mail from Square-Enix.

Square-Enix will never ask for any identifiable information through e-mail correspondence. This also includes your PlayOnline ID and password, and if you have it, Square-Enix account user name and password.

The only one time Square-Enix will ask for such information relating to your account is through account recovery process. This, again, does not ask for your POL ID and password, but other information needed for the recovery process. And, this will not be done through e-mail or over the phone, but through a notarized form to be signed by someone with the Power of Attorney.

From the PlayOnline website: http://www.playonline.com/ff11us/polnews/news16372.shtml

Jun. 12, 2009 19:15 [PDT] From: PlayOnline
Warning Regarding PlayOnline ID and Password Fraud

It has come to our attention that certain individuals are contacting FINAL FANTASY XI players in-game, and referring them to fake websites resembling the log-in page of the official Linkshell Community site. The fraudulent site directs players to enter their PlayOnline ID and password, with the intent of using the collected information to compromise the account. We are currently investigating and working to take the appropriate actions against these malicious websites.

Be careful with your information so as not to become a victim of "phishing." Do not disclose your PlayOnline ID or password to anyone or attempt to log-in anywhere other than the official FINAL FANTASY XI Linkshell Community and PlayOnline website.

*The only exception is when dealing directly with a PlayOnline Information Center representative via the PlayOnline Service & Support Web Chat system. You may be asked for your PlayOnline ID or registration code in such cases.

Also, please note that no Square Enix representative (Game Master (GM) staff included) will ever ask you to provide your PlayOnline ID or password from within the game or via e-mail. If you experience such a request while in-game, please contact a GM to report it.

Keep your data safe! Keep your PlayOnline ID and Password secure!

Anti-phisihing tools:

Netcraft Anti-phishing toolbar for IE and Firefox
http://toolbar.netcraft.com/

[octoberasian]

Firefox 3.5 Javascript Vulnerability

From Mozilla Security Blog:

"The vulnerability can be exploited by an attacker who tricks a victim into viewing a malicious Web page containing the exploit code."

The temporary fix until an update is released is to disable the JIT, just-in-time, compiler in Firefox.

To do so, follow the instructions below:

1. In the address bar above, without quotes, type in "about:config"
2. You will get a page with a silly message "This might void your warranty!" Just press "I'll be careful..." to proceed.
3. In the "Filter:" field, type in "jit," again without quotations.
4. You want to look for "javascript.options.jit.content" and double-click it (or right-click "Toggle") to set it to false and it will disable it.
5. Close Firefox and restart it.

Mozilla will release a fix within two weeks time as they find a fix and test it before releasing it in the next Firefox update.

Who does this affect?

Well, anyone who uses Firefox 3.5 and happens to visit a website that runs malicious Javascript code. This can also be Javascript hidden in banner ads or in hidden iframes on the website. It may also affect those who are stupid and naive enough to fall for phishing websites.

So, until a fix is released, disable JIT for now.

[octoberasian]

An update to Firefox, version 3.5.1, was released today.

You can get it at this link or go to Help then "Check for Updates..." or "Apply Downloaded Updates..." (if it has already downloaded it).

You can re-enable JIT by repeating Step 4 above by double-clicking it to set it to true.

[octoberasian]

FFXI Atlas is now completely infected

As mentioned in a previous post above regarding an infected page on FFXI Atlas website, checking again today and it seems that the infection has spread to the entire website.

 regionlist_js.jpg (72.58K)
Number of downloads: 1

The infected item in question is the "regionlist.js" file that is used on the front page of FFXI-Atlas.com. Originally, the infection, which is the same one as previously warned, was only contained on the Vana'diel Bestiary section of the website.

It looks like now that the entire website has been compromised, and the admins/original site owner no longer wishes to continue the site and remove and fix the infected files.

I highly recommend that no one visits the website from now on.

Edit:

Firefox 3.5.1 has another exploit, and this time could potentially allow the browser and its computer be susceptible to DoS (denial-of-service) attacks.

[Crispleaf]

This morning, FFXIclopedia's main page seems to be immediately redirecting your browser to antimalwarescannerv9.com which tries to get you to install free anti-virus software which is actually a virus.

I'm assuming they've been hacked and they'll be fixing it soon.

[octoberasian]

This morning, FFXIclopedia's main page seems to be immediately redirecting your browser to antimalwarescannerv9.com which tries to get you to install free anti-virus software which is actually a virus.

I'm assuming they've been hacked and they'll be fixing it soon.

A week ago, a KI user reported getting a pop up when visiting FFXIclopedia regarding a supposed virus found on the website and asking it to install an anti-virus program. Both Antimalwarescanner and the antivirus program the other user found are fakes. Honestly, I think one of the ads are infected or compromised, and hopefully Wiki admins remove them soon.

I don't get any of these redirection or pop-ups. Then again, I use Firefox 3.5.1 with NoScript and AdBlock add-ons. IE7/IE8 have a similar program called IE7 Pro-- http://www.ie7pro.com/.

I highly recommend that if you use Firefox or IE7/IE8 to use either add-ons for both browsers. Opera 9 has something similar but isn't automatic unless you manually add the HTML element or URL to its blacklist. Chrome I haven't used much, but all I know it has a pop-up blocker and Safari as well, but nothing close to NoScript or AdBlock.

Other than that, the only other website besides Somepage that users shouldn't visit is FFXI Atlas, that's been completely compromised and it looks like the website is no longer maintained by the admins.

[pathwriter]

Yeah, my browser (Firefox with NoScript and a pile of other protections) got hijacked by something on FFXIclopedia the other day. Had to shut the whole thing down, but it didn't get a chance to cause any harm.

[octoberasian]

Guess what? Adobe Flash and Reader Exploits found, again!

New exploits have been found in Flash Player 9 and 10, and Adobe Reader 9.1.2.

"This vulnerability (CVE-2009-1862) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild via limited, targeted attacks against Adobe Reader v9 on Windows."

Source: http://blogs.adobe.com/psirt/2009/07/updat...er_acrobat.html

A temporary solution for Adobe Reader is mentioned on the same blog post in the URL above:

"Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat v9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF that contains SWF content. Depending on the product, the authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll. Windows Vista users should consider enabling UAC (User Access Control) to mitigate the impact of a potential exploit. Flash Player users should exercise caution in browsing untrusted websites. Adobe is in contact with Antivirus and Security vendors regarding the issue and recommend users keep their anti-virus definitions up to date."

Instead, I highly recommend you install and use alternative PDF readers until an update is released:

Foxit Reader - http://www.foxitsoftware.com/pdf/reader/

Web-based readers:

PDFMeNot - http://www.pdfmenot.com/

Zoho Viewer - http://viewer.zoho.com/

This exploit most affects Windows users, but is also found in Macintosh and Unix-based OSes.

There is no alternative to Flash Player and the only possible temporary solution is to disable the Flash Player in your browser. NoScript add-on for Firefox 3 and IE7 Pro for IE7/IE8 browsers have this option to. If the website you trust is safe, you can manually re-enable Flash for that website, or whitelist it so long as you can trust the website. Silverlight is not an alternative to Flash Player and will not play SWF (Flash) files. It is a proprietary program from Microsoft in direct competition with Adobe's Flash.

I also recommend using either of the following link scanners:

McAfee SiteAdvisor - http://www.siteadvisor.com/

AVG LinkScanner - http://linkscanner.avg.com/

Avast Antivirus has this built-in into their AV software.

NOTE: Link scanners will slow down the loading of websites as each link is scanned before loading them onto your browser. AVG LinkScanner has known problems with a few websites.

AVG Antivirus and iTunes

What can be a silly twist of faith or something else entirely, a recent antivirus definition update for AVG Antivirus software has falsely identified two iTunes components as being a virus--iTunes.dll and iTunesRegistry.dll.

The virus in question is Small.BOG. This is a false positive, or falsely identified file by an antivirus program.

It is recommended to update your definition files to correct this problem or you will be unable to use iTunes. XD

[Charitwo]

A week ago, a KI user reported getting a pop up when visiting FFXIclopedia regarding a supposed virus found on the website and asking it to install an anti-virus program. Both Antimalwarescanner and the antivirus program the other user found are fakes. Honestly, I think one of the ads are infected or compromised, and hopefully Wiki admins remove them soon.

I don't get any of these redirection or pop-ups. Then again, I use Firefox 3.5.1 with NoScript and AdBlock add-ons. IE7/IE8 have a similar program called IE7 Pro-- http://www.ie7pro.com/.

I highly recommend that if you use Firefox or IE7/IE8 to use either add-ons for both browsers. Opera 9 has something similar but isn't automatic unless you manually add the HTML element or URL to its blacklist. Chrome I haven't used much, but all I know it has a pop-up blocker and Safari as well, but nothing close to NoScript or AdBlock.

Other than that, the only other website besides Somepage that users shouldn't visit is FFXI Atlas, that's been completely compromised and it looks like the website is no longer maintained by the admins.

FFXIclopedia's admins have no control over the ads, though we are the ones that report problems to the host (Wikia), they're aware of the issue and are trying to remove it. If you're logged in you won't see ads very many places and adblock (and noscript if you like whitelisting everywhere you go) is a good practice wherever you are.

Wikia gave me this link when I reported the issue: http://www.huliq.com/1/83848/personal-anti...s-program-avoid

[octoberasian]

Yup, hence why I mentioned that one of the ads must be infected. I do hope the Wikia admins can narrow down which ad it is.

If counting the one on BlueGartr Forums and the two on KI, I think we're up to four or five potential victims so far? One I think got infected with these fake antivirus programs.

It reminds me what happened to my sister. She called me up one day a few years ago wondering why her antivirus program wasn't working. I come over to her apartment and turn on her computer. Lo and behold she had one of those fake antivirus programs. It latched on so well that the only solution was to reformat the entire computer. I've only managed to salvage half of her files and documents she had. The rest were pretty much lost or infected.

Oh, the fake antivirus program reported a whopping 2000 viruses loaded on her computer. The antivirus program I had loaded on a floppy disk found somewhere in the vicinity of 600 viruses. My sister, mind you, doesn't visit porn sites. Apparently, the rogue antivirus program downloaded them whenever she connected online and opened up Internet Explorer 6. It went like "Open IE6, get a pop-up, another virus loaded."

It was ridiculous. The antivirus program at that time that I had loaded on floppy disk had no way of removing the rogue program.

Her computer was pretty much a lost cause. All it took was entering Windows XP installation, delete the partition, and do a full format, and re-install everything.

Nowadays, has it happened again? Nope. My sister now uses a Macbook Pro. XD

[NikosThePLDMan]

did you kick her ass for using IE6? I kick my fiance, dad and brother's ass for using IE6. They all use Firefox with NoScript and Kaspersky AV or I will not work on their stuff. Have to love being the family IT guy.

[octoberasian]

Adobe Flash Player and Adobe Reader updates

The previous security exploits found in Adobe Flash Player (version 9.0.159.0 and 10.0.22.87) and Adobe Reader (version 9.1.2) have been updated on August 4th.

Details of the security vulnerability can be found in the Adobe security bulletin here:
http://www.adobe.com/support/security/advi.../apsa09-03.html

Flash Player update: http://get.adobe.com/flashplayer/

Adobe Reader update: http://get.adobe.com/reader/

Mozilla Firefox 3.5.2

Firefox was updated to version 3.5.2 to fix a security vulnerability in its use of SSL-protected communication.

You can get the update here: http://www.mozilla.com/en-US/firefox/personal.html

PlayOnline Precautionary Measures for Unauthorized Access notice (August 6, 2009)

Source: http://www.playonline.com/ff11us/polnews/news16684.shtml

Reports regarding unauthorized access have declined after the implementation of Square Enix Security Token. However, we are still receiving reports about them from users who have not implemented Square Enix Security Token. We would like to take this time to suggest possible ways to prevent the PlayOnline ID and password from being stolen through the Windows version of the PlayOnline Viewer.

- Do not share PlayOnline ID and password with anyone even if the other person is a close friend.
*Square Enix employee will never ask you for the PlayOnline password.

- Do not leave PlayOnline IDs and passwords written down where they may be found by others.

- Do not use a password which can easily be guessed by a third person.

- When accessing PlayOnline using a computer that will be shared by many others, be sure to use the "Guest Login" feature and not register the account information to the PlayOnline Viewer.

- While visiting various websites, do not click on a link if you are unsure about the content of the link.

- Do not use any type of third party software since there is a possibility of damage to the character data and danger of the PlayOnline ID and password being stolen.

- Be sure to install Windows Update and perform virus checks periodically to keep your computer's security setting up to date.

In addition, use of the Square Enix Security Token is very effective to prevent damage to game data through unauthorized access. If you are using the Windows version of the PlayOnline Viewer, it is highly recommended to use one.

In order to ensure that your personal data and the PlayOnline account remain safe and secure, please be sure to manage your Windows and internet connection settings.

[Dr. Ifto]

FFXI-atlas gave me another problem 2 days ago. Its getting ridiculous with them

[octoberasian]

It is the reason why I warned in above post to no longer visit the website.

I have no doubt in my mind that the admins are no longer maintaining the website.

[octoberasian]

Microsoft Security Updates


Microsoft has released 13 security updates for Microsoft Windows. They are the following:

• MS09-050 - addresses a vulnerability in Microsoft Windows (KB 975517)
• MS09-051 - addresses a vulnerability in Windows Media (KB 975682)
• MS09-052 - addresses a vulnerability in Windows Media (KB 974112)
• MS09-053 - addresses a vulnerability in Internet Information Services (IIS) (KB 975254)
• MS09-054 - addresses a vulnerability in Internet Explorer (KB 974455)
• MS09-055 - addresses a vulnerability in Microsoft Windows (KB 973525)
• MS09-056 - addresses a vulnerability in Microsoft Windows (KB 974571)
• MS09-057 - addresses a vulnerability in Indexing Service (KB 969059)
• MS09-058 - addresses a vulnerability in Microsoft Windows (KB 971486)
• MS09-059 - addresses a vulnerability in Microsoft Windows (KB 975467)
• MS09-060 - addresses a vulnerability in Microsoft Office (KB 973965)
• MS09-061 - addresses a vulnerability in Microsoft .NET (KB 974378)
• MS09-062 - addresses a vulnerability in Microsoft Windows (KB 957488

Each link has links to your own specific OS from XP to Windows 7.

You can also get them by opening up Windows Update in the Start Menu (or under All Programs if Vista/Windows 7). Alternatively, you can go to http://windowsupdate.microsoft.com