• Joris Evers
    Joris is a public relations professional at McAfee, joining the security pure play after a decade as a technology journalist. He has closely followed the cybersecurity space for his entire career, first as a journalist at major technology publications in Europe and the U.S. and since May 2007 at McAfee.

    At McAfee, Joris' responsibilities include executive communications, corporate communications, public sector communications and communications for McAfee Labs, the company's security research organization.

    Prior to joining McAfee, Joris was a senior writer at CNET News.com, covering news in the area of computer security. He broke news on many stories on his beat and was a finalist for a 2006 Online News Association award for a series of articles separating myth from reality in identity theft. Before his time at CNET, Joris worked for International Data Group's technology newswire, serving publications including PC World, Macworld, Computerworld and Network World.

    Joris has covered early trials of virus writers, the creation of the Council of Europe Convention on Cybercrime and the transformation of hacking into cybercrime, among other topics. He has also chaired a panel at the RSA Conference in San Francisco and has attended major technology conferences worldwide. International media, including print, radio and television, have called on Joris to provide expert commentary.

    Joris' personal Web site and blog is at http://www.eversonline.com/; you can also follow him on Twitter.
  • Record Patch Tuesday Includes Windows 7 Tuesday, October 13, 2009 at 6:41 pm by Joris Evers

    Microsoft today released 13 security bulletins that cover a total of 34 vulnerabilities, the most vulnerabilities Microsoft has ever addressed on a single Patch Tuesday. (The previous record was set in June when Microsoft addressed 31 vulnerabilities in 10 bulletins.)

    Windows 7
    The barrage of security fixes comes a week before Microsoft is expected to officially release Windows 7, a new version of Windows. Five of the security bulletins released today fix security vulnerabilities in the yet-to-be-released operating system, indicating that Windows 7 will bring little change when it comes to the security of Windows.

    Booby-trapped Web sites
    Many of the vulnerabilities addressed by the fixes could be exploited if a Windows user simply visits a malicious Web site or opens a rigged media file, favorite attack methods among cybercriminals.

    Among the fixes is MS09-062, a critical bulletin covering vulnerabilities in the Graphics Device Interface (GDI+), the Windows component that processes image files. The flaws expose Windows XP and Windows Vista users to attacks delivered through rigged images. GDI+ has been patched repeatedly over the past couple of years, and earlier vulnerabilities in the component have been exploited broadly.

    Attackers as well as security researchers will be reverse engineering today's patches, which may very well lead to working exploits.

    Zero day vulnerabilities
    Of the 13 bulletins, eight are rated critical by Microsoft, the company’s highest risk rating. Five are deemed important, one notch lower on Microsoft’s severity scale. Nine of the vulnerabilities had been publicly disclosed before today's release, giving attackers a window in which to break into Windows systems before a fix was available.

    McAfee recommends that users install Microsoft’s patches as soon as possible. Home users should use Windows Automatic Updates while business users need to have a risk management strategy in place to prioritize the patches.

    McAfee provides enterprises with endpoint and network based security technology as well as risk and compliance tools to shield against cyberattacks and allow organizations to patch on their own schedule. Last week we announced Risk Advisor 2.0, which will tell enterprises what risks they face and show what countermeasures to take for protection.

    McAfee Labs Security Advisories provide detail on the coverage of McAfee products when it comes to Microsoft’s vulnerabilities. You can subscribe online.


  • Political Motivations Seen In Twitter, Facebook Attacks Friday, August 7, 2009 at 12:25 pm by Joris Evers

    Overnight McAfee Avert Labs confirmed that there is a political element to Thursday’s cyberattacks that downed Twitter and slowed down Facebook. According to McAfee Avert Labs, blogging site LiveJournal, video site YouTube and photo sharing service Fotki were also among the targets.

    “What do they have in common? They all hosted an account of a pro-Georgian blogger who went under the nickname ‘Cyxymu’,” Dmitri Alperovitch, vice president of threat intelligence at McAfee Avert Labs, wrote in a blog published early Friday morning.

    All the Web sites involved suffered a distributed denial-of-service (DDoS) attack on Thursday. Reportedly, the attacks were aimed specifically at the pages hosted for Cyxymu, who just a few days earlier had blogged about the upcoming one-year anniversary of the war between Georgia and Russia. (The nickname is derived from Sukhumi, the capital of Abkhazia, one of Georgia’s pro-Russian breakaway republics.)

    In addition to the web-based DDoS attacks, McAfee’s TrustedSource reputation system had also detected a spam campaign that referenced the targeted blogs, Alperovitch wrote.

    “We believe this campaign had a dual-purpose,” Alperovitch wrote. One purpose was to attack the social networking Web sites, the other to flood Cyxymu’s inbox hosted by Google’s Gmail service with e-mail messages. “This was likely part of an intimidation campaign,” Alperovitch wrote.

    New cyberattacks piggyback on DDoS news

    McAfee Avert Labs has already seen the first example of cybercrooks piggybacking on the news of the denial of service attacks to launch other scams. The second result for a Google search on “Sukhumi DDoS” earlier Friday was a link to a Web site that offered to add Cyxymu as a friend on a social networking service. Instead the link was a lure redirecting to a Web site promoting a fake anti-virus product.


  • Denial of Service Attack Downs Twitter, hits Facebook Thursday, August 6, 2009 at 12:19 pm by Joris Evers

    (This posting was updated with content on Facebook and botnets at 11.30 AM PT on Thursday Aug. 6.)

    Twitter, the rising star among social networking Web sites, was downed on Thursday morning (Pacific Time) due to an apparent distributed denial of service attack. At the same time, Facebook also came under attack.

    “On this otherwise happy Thursday morning, Twitter is the target of a denial of service attack,” Biz Stone, Twitter’s co-founder, wrote in a posting on Twitter’s blog Thursday morning. Facebook told Wired.com that it “encountered network issues related to an apparent distributed denial-of-service attack.” Facebook didn’t go down, but said the attack “resulted in degraded service for some users.”

    So what is a distributed denial of service attack and why would somebody attack Twitter or Facebook?

    In a distributed denial-of-service, or DDoS, attack, the target is flooded with more requests than it can serve. The requests come from a large number of sources, typically compromised computers in a botnet run by cybercrooks. As a result, legitimate users can no longer reach the site. Web site operators defend against DDoS attacks by monitoring the traffic to their sites and filtering out the malicious part using a firewall or other network security tool; the hard part is that, when the flood comes from thousands of machines that each look like an ordinary visitor, attack traffic and legitimate traffic are difficult to tell apart.
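    The following is an added example, not code from the original post and not anything Twitter or Facebook ran. It triages a suspected DDoS from ordinary web-server access logs (the log lines are constructed, using documentation IP ranges) and shows one thing the paragraph only hints at: a per-source request limit, the usual firewall rule, stops a single flooding host but misses a botnet whose members each stay under the limit, while the aggregate request rate exposes both. The thresholds are assumed values for a small site.

```python
"""Triage of a suspected DDoS from web-server access logs (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" log format; only the fields this triage needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(lines):
    """Yield (timestamp, source_ip, request_line); malformed lines are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["ip"], m["req"]


def per_source_offenders(events, window_s, max_per_source):
    """Sources issuing more than max_per_source requests within any window_s seconds."""
    by_ip = defaultdict(list)
    for ts, ip, _ in events:
        by_ip[ip].append(ts)
    offenders = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        lo = 0
        for hi, t in enumerate(stamps):  # sliding window over sorted timestamps
            while (t - stamps[lo]).total_seconds() >= window_s:
                lo += 1
            if hi - lo + 1 > max_per_source:
                offenders.add(ip)
                break
    return offenders


def aggregate_flood(events, capacity_per_s):
    """Seconds in which requests from all sources combined exceed what the site can serve."""
    per_second = Counter(ts for ts, _, _ in events)
    return {t: n for t, n in per_second.items() if n > capacity_per_s}


def make_lines(ips, per_ip, clock):
    """Construct synthetic log lines: every ip sends per_ip GETs in the given second."""
    return [
        f'{ip} - - [06/Aug/2009:{clock} -0700] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
        for ip in ips
        for _ in range(per_ip)
    ]


# Constructed scenarios (RFC 5737 documentation addresses, not real clients).
LEGIT = make_lines([f"192.0.2.{i}" for i in range(1, 6)], 1, "09:00:00") + ["<<corrupt line>>"]
SINGLE_FLOOD = LEGIT + make_lines(["198.51.100.7"], 60, "09:00:00")
BOTNET_FLOOD = LEGIT + make_lines([f"203.0.113.{i}" for i in range(1, 41)], 3, "09:00:00")


def triage(lines, window_s=1, max_per_source=20, capacity_per_s=50):
    """Run both checks; the thresholds are assumed values for a small site."""
    events = list(parse(lines))
    return {
        "per_source_blocked": sorted(per_source_offenders(events, window_s, max_per_source)),
        "aggregate_overload": bool(aggregate_flood(events, capacity_per_s)),
    }


if __name__ == "__main__":
    for name, lines in (("legit", LEGIT), ("single host", SINGLE_FLOOD), ("botnet", BOTNET_FLOOD)):
        print(name, triage(lines))
```

    Run stand-alone it prints the three verdicts: the single host is blocked by the per-source rule, the forty bots are not, yet both floods overload the site. That gap is why operators lean on upstream capacity and traffic-pattern analysis rather than per-address blocking alone.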

    Distributed denial of service attacks happen for a variety of reasons. In this case it could simply be for the notoriety of taking down a high profile Web site like Twitter.com or Facebook, but it may also be for more nefarious reasons such as political motivations or to extort money. Hacktivism and extortion schemes are common online, the equivalent of disruptive protests in the streets and ‘protection money’ in the brick-and-mortar world.

    Your PC may be used to attack Facebook and Twitter

    The average computer user can’t do anything if a Web site is down due to an attack. However, users can prevent their computer from becoming part of the attacking force.

    The compromised computers used to assault Web sites in a DDoS attack are typically unprotected PCs of unknowing users that have been commandeered by cybercriminals and networked into a botnet. To prevent this from happening, computer users should practice good PC hygiene by keeping the operating system and applications up to date on patches and running current security software, such as the products sold by McAfee.

    To learn if you’re part of a botnet or became the victim of another cybercrime, you can scan your computer at no cost to you and get help from experts at the McAfee Cybercrime Response Unit.

    DDoS History

    While still common, most DDoS attacks today aren’t as high profile as they were nearly 10 years ago. Back in 2000 e-commerce giants eBay, Amazon.com and Buy.com, along with Yahoo, news site CNN.com, online trading sites E*Trade and Datek, and technology information provider ZDNet reported similar attacks. The sites were down for hours at a time, and the FBI held press conferences about the spate of attacks.

    McAfee is investigating the Twitter and Facebook attacks; our researchers are plowing through data to find out more about the makeup of this particular attack.


  • Twitter Hack Shows Password Reminder Weaknesses Wednesday, July 15, 2009 at 1:11 pm by Joris Evers

    Personal online accounts of Twitter CEO Evan Williams, his wife and several of his colleagues have reportedly been compromised and confidential data on the popular social networking company is now being leaked to the media.

    TechCrunch on Tuesday reported that it had received a ZIP file containing about 310 documents including “executive meeting notes, partner agreements and financial projections to the meal preferences, calendars and phone logs of various Twitter employees.”

    Twitter is obviously a very attractive target to hackers because it is a high profile social networking Web site. That means that Twitter and the people who work there need to be extra diligent when it comes to security. Twitter CEO Evan Williams has acknowledged that himself as well in an e-mail to TechCrunch.

    The attacker, using the pseudonym “Hacker Croll”, claims to have gained access to the confidential Twitter information by taking advantage of password reminder features on online services such as Web-based e-mail. This once again exposes the weakness in such features: an attacker who can guess or look up the answer to a “secret question” can take over the account without ever knowing the password. If they are not designed and used correctly, password reminder services are a weak link in account security.

    When setting reminders, users should vary the questions and responses they use and only pick questions to which the answer cannot easily be guessed or found online. In today’s world of social networking Web sites there is a lot more personal information online about each individual than before, so pick a question to which the answer is not on your MySpace, Facebook or Twitter feed. Better still, treat the answer as a second password: a random string kept in a password manager rather than a true fact about yourself.
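    To make the “designed correctly” side concrete, here is an added example (not Twitter’s, Google’s or McAfee’s code) of a password reminder flow built the way the two paragraphs above ask for, placed beside the weak pattern it replaces. Account names, the sample answers, the lockout limit and the PBKDF2 iteration count are assumptions. In the hardened version answers are normalised and stored only as salted hashes, compared in constant time, attempts are limited per account, unknown users cost the same work as known ones, and a correct answer yields a single-use reset token rather than the password.

```python
"""Weak versus hardened 'password reminder' (security question) flow (added example)."""
import hashlib
import hmac
import os
import secrets
import unicodedata

MAX_ATTEMPTS = 5        # assumed lockout threshold
PBKDF2_ROUNDS = 50_000  # kept low for the demo; use far more in production

# --- The pattern the post warns about (constructed account data) ---------------------
WEAK_DB = {"evan": {"answer": "Sukhumi", "password": "hunter2"}}


def weak_reminder(user, answer):
    """Guess the answer (often findable on a public profile) and you get the password."""
    rec = WEAK_DB.get(user)
    if rec and rec["answer"] == answer:
        return rec["password"]
    return None


# --- Hardened version -------------------------------------------------------------------
def normalise(answer):
    """Case-, whitespace- and accent-insensitive form, so 'Sukhumi ' matches 'sukhumi'."""
    folded = unicodedata.normalize("NFKD", answer).casefold()
    return "".join(c for c in folded if not unicodedata.combining(c) and not c.isspace())


def hash_answer(answer, salt):
    """Slow salted hash; the plaintext answer is never stored."""
    return hashlib.pbkdf2_hmac("sha256", normalise(answer).encode(), salt, PBKDF2_ROUNDS)


class RecoveryStore:
    def __init__(self):
        self._records = {}                 # user -> salt, digest, failed attempts
        self._decoy_salt = os.urandom(16)  # so unknown users cost the same work as real ones

    def enrol(self, user, answer):
        salt = os.urandom(16)
        self._records[user] = {"salt": salt, "digest": hash_answer(answer, salt), "attempts": 0}

    def is_locked(self, user):
        rec = self._records.get(user)
        return rec is not None and rec["attempts"] >= MAX_ATTEMPTS

    def attempt(self, user, answer):
        """Return a one-time reset token on success, else None. The password is never revealed."""
        rec = self._records.get(user)
        if rec is None:
            hash_answer(answer, self._decoy_salt)   # same cost as a real check: no user enumeration
            return None
        if rec["attempts"] >= MAX_ATTEMPTS:
            return None                             # locked: even the right answer fails
        rec["attempts"] += 1
        if hmac.compare_digest(hash_answer(answer, rec["salt"]), rec["digest"]):
            rec["attempts"] = 0
            return secrets.token_urlsafe(32)        # delivered out of band; it is not the password
        return None


def demo():
    """Exercise both flows with constructed accounts; returns what each call handed back."""
    store = RecoveryStore()
    store.enrol("evan", "Sukhumi")
    store.enrol("victim", "fluffy")
    for _ in range(MAX_ATTEMPTS):
        store.attempt("victim", "rex")              # attacker working through pet names
    return {
        "weak_leaks_password": weak_reminder("evan", "Sukhumi"),
        "wrong": store.attempt("evan", "Tbilisi"),
        "token": store.attempt("evan", " SUKHUMI"),  # normalisation tolerates case and spacing
        "unknown_user": store.attempt("nobody", "Sukhumi"),
        "locked": store.is_locked("victim"),
        "locked_out": store.attempt("victim", "fluffy"),
    }


if __name__ == "__main__":
    print(demo())
```

    The lockout and the decoy hash are what turn a guessable question from a silent takeover into something that shows up in logs; the reset token is what keeps a guessed answer from ever equalling the password itself.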

    McAfee has recently seen a significant increase in online attacks that take advantage of social networking services. In the past, worms and viruses spread using vulnerabilities in Windows and the Outlook Express e-mail client; today worms crawl over sites such as MySpace, Facebook and Twitter. It is important that users of these social networking sites understand that they can’t trust every link that appears on their profile page or feed, just as they can’t trust every attachment or spam message that arrives in e-mail.


  • Beware Of Cybercrime Related To Michael Jackson’s Death Thursday, June 25, 2009 at 7:23 pm by Joris Evers

    Today is a sad day. I was a teenager in the eighties and grew up with Michael Jackson’s music blasting everywhere; it was a shock to hear about his untimely death.

    Bringing me quickly back to reality, McAfee Avert Labs colleague Guilherme Venere posted a very timely warning that it won’t be long before cybercriminals take advantage of the news to scam people into installing malicious software or giving up personal information.

    With the death of Jackson and also Farrah Fawcett being top of mind for a lot of people and many wanting to find out more details, this news cycle unfortunately makes a great hook for cybercrooks.

    “Every time a disaster happens or news about some celebrity reaches the media, malware writers try to take advantage of it,” Venere writes. “The most common attack vector is email. Watch out for spam offering links to “news” or “pictures” of deceased celebrities. Most of the time, they will take you to Web sites offering advertisements for pharmacy products such as Viagra and Cialis or, even worse, will try to install malware on your machine!”

    Scammers have also become adept at search engine optimization, or SEO. So when you’re looking for news using Google or Yahoo, look for trustworthy sites in the search results. Cybercrooks know how to trick search engines into serving up their malicious sites among the results, and those sites may be rigged to install spyware or other nefarious programs on your machine. (McAfee’s SiteAdvisor rates search results and protects against such attacks.)

    In general, everyone should run up-to-date security software on their PCs in addition to the latest security patches and a firewall to be protected against attacks.


  • Online Swine Flu Scams On The Rise Thursday, April 30, 2009 at 1:10 pm by Joris Evers


    As the swine flu outbreak reaches near pandemic levels, cybercriminals continue to use the flu scare as bait to scam Internet users.


    About five percent of global spam volume now mentions “swine flu” to trick people into opening the e-mail message. With McAfee Avert Labs seeing between 80 billion and 100 billion spam messages each day over the last month, that works out to roughly four to five billion swine flu messages a day. Note: there was no spam at all that mentioned swine flu before the weekend.


    The swine flu spam is being sent from all over the world, which isn’t a surprise since the messages come from compromised computers networked in a criminal botnet. Still, about half of all the swine flu spam seen to date originated in Brazil, the United States and Germany. A chart showing the breakdown is on the McAfee Avert Labs blog.


    McAfee has also seen sites with the words “swine” and “flu” pushing malicious code. In one case a Russian-based site instructs the visitor to install a “video codec” to view a movie. This isn’t a real codec to allow viewing; instead it is malicious software that puts the victim’s computer at the beck and call of the attacker.


    Additionally, McAfee Avert Labs has seen an increase in the registration of domain names that mention swine flu, which could indicate a rise in malicious sites that take advantage of the scare.


    Should you need information on the flu situation, go to the World Health Organization, the CDC or another reputable source; do not follow links that arrive in spam, instant messages or on social networking Web sites. If you think your PC might be infected or that you may have been the victim of a cybercrime, visit McAfee’s free Cybercrime Response Unit.


    For your reference, subject lines for the swine flu messages include:
    Salma Hayek caught swine flu!
    Madonna caught swine flu!
    First US swine flu victims!
    US swine flu statistics
    Swine flu worldwide!
    Swine flu in Hollywood!
    Swine flu in USA


  • April 1 Passes Without Major Conficker Incidents Wednesday, April 1, 2009 at 7:59 pm by Joris Evers


    As the sun sets in California I thought I should provide an update on Conficker, the Windows computer worm that some predicted could wreak havoc on the Internet today.


    Leading up to April 1st there has been a lot of speculation about a mass activation of the Conficker worm. Researchers at McAfee Avert Labs have been monitoring all day for any signs of a Conficker outbreak. Now that midnight has struck across the globe, we have not seen any mass malicious activity. That’s the good news: the Internet is working as well today as it did yesterday.


    However, this doesn’t mean Conficker was an April Fools’ prank. The worm is very real and according to some estimates has already infected as many as 12 million computers. Security is not a joke. McAfee Avert Labs today saw Conficker infected hosts attempting to call their master to get instructions, however those calls are not getting through. In the words of Avert Labs Researcher Vu Nguyen: “It is like E.T. phoning home, but nobody’s there.”


    Why are Conficker bots not getting new commands from their master? This could be deliberate and the infected hosts may try again later, perhaps over the weekend when people aren’t watching as closely. Today every security company was watching closely and everyone was on high alert.


    Computers infected with Conficker become part of an army of compromised machines that could be used to launch attacks on Web sites, distribute spam, host phishing Web sites or carry out other nefarious activities. Additionally, once it is on a computer, Conficker digs itself in by attempting to deactivate security software and sabotaging the tools used to remove it.


    Conficker first surfaced late last year, taking advantage of a security flaw in Microsoft’s Windows operating system to spread. Microsoft provided an emergency fix for the vulnerability last October with Security Update MS08-067. However, because many systems were not patched and not properly secured Conficker has slithered onto many Windows computers.


    If you notice that you’re unable to access Web sites such as www.mcafee.com or your security software is acting up, that could be a sign that your system was taken by Conficker.


    Protecting against Conficker isn’t hard and being proactive about security is always easier than having to clean up an infection after the fact. There are two basic things that will ensure a Windows computer is shielded against the worm.


    1) Install Microsoft’s Security Update MS08-067
    2) Run up-to-date antimalware software


    A lot more information on Conficker is available on McAfee’s dedicated Conficker page. Also read the more technical Avert Labs blog if you want more detailed information on the worm and its activities today.


  • Conficker Is No Joke Thursday, March 26, 2009 at 12:54 pm by Joris Evers


    Even if the calendar says April 1, security isn’t a joking matter. A worm called Conficker may come back with a roar on April Fools’ Day. Whether the date turns out to be a prank and the actual event a non-event or not, you should make sure your computer systems are protected against this pest.


    For many security professionals, including us at McAfee, Conficker is déjà vu. It brings us right back to 2003 and 2004, when worms such as Blaster and Sasser wreaked havoc on the Internet by infecting one computer after another without requiring any user action. It is important to note, though, that Blaster and Sasser were much more widespread than Conficker.


    Conficker first surfaced late last year, taking advantage of a security flaw in Microsoft’s Windows operating system to spread. Microsoft provided an emergency fix for the vulnerability last October with Security Update MS08-067. However, because many systems were not patched and not properly secured Conficker has slithered onto as many as 12 million Windows computers, according to some estimates.


    Several variants of Conficker have surfaced since the original. One variant, Conficker.C, could activate on April 1 and start another assault on Windows computers. Computers infected with Conficker become part of an army of compromised computers and could be used to launch attacks on Web sites, distribute spam, host phishing Web sites or other nefarious activities.


    Additionally, once it is on a computer, Conficker digs itself in by attempting to deactivate security software and sabotaging the tools used to remove it. If you notice that you’re unable to access Web sites such as www.mcafee.com or your security software is acting up, that could be a sign that your system was taken by Conficker.


    The good news is that protecting against Conficker isn’t hard. There are two basic things that will ensure a Windows computer is shielded against the worm.


    1) Install Microsoft’s Security Update MS08-067
    2) Run up-to-date antimalware software


    Systems that for some reason cannot be updated or run antimalware software should be isolated. For enterprises, McAfee’s intrusion prevention products, including McAfee’s Network Security Platform and McAfee Host Intrusion Prevention, also protect systems from getting hit by Conficker.


    Should your computer be infected by Conficker and you have no antimalware product installed, McAfee Avert Labs’ Stinger tool can remove the malware. In addition, McAfee Avert Labs has published a technical document to help find Conficker on your systems in case there has been a compromise.


    McAfee Avert Labs will monitor the state of the Internet on April 1 and report on any Conficker activity on the Avert Labs blog. Meanwhile, if you have any indication of who is behind Conficker, report them to the authorities and you may be eligible for a $250,000 reward offered by Microsoft.


The postings on this blog are the opinions of the individual posters and don’t necessarily represent McAfee’s position or opinion on this subject.
© 2009 McAfee, Inc. All rights reserved. E & O E