A couple of days ago, proof-of-concept code was posted showing how a malicious web site could trigger a “drive-by download” when a page was viewed with Firefox 3.5. The 3.5.1 release plugs this hole.

You can get the latest version of Firefox from the Mozilla web site or by clicking on “Check for updates…” in the Firefox Help menu or you can wait for the update to be offered to you automatically when you launch Firefox. Personally, I wouldn’t wait too long.

Two of the three critical patches released this month are very high priority because they are already being exploited in the wild. Both deal with ActiveX-related video handling in Internet Explorer. One of them permits “drive-by” infection of a visitor viewing an infected web page. The other works by tricking people into viewing a malformed QuickTime video. These vulnerabilities affect users running Internet Explorer under Windows XP, but not Vista and Windows 7. Microsoft is less forthcoming about the third critical patch but, word is, it impacts all Windows versions.

Bottom line: When Windows Update offers you these critical updates, you should install them. Immediately.

Updates and clarifications . . .

If you are riding herd on any Windows-based servers, Internet Explorer running under Windows Server 2003 is vulnerable to the ActiveX exploits mentioned above; the Server 2008 environment is safe.

And, just to make myself perfectly clear, you have to be running Internet Explorer directly to be affected by these issues. Although other applications — the Outlook email client, for instance — use Internet Explorer components to view web content, they do so in a more restricted environment that blocks ActiveX exploits.

The sole Microsoft patch fixes a “critical” flaw in PowerPoint. “Critical” means it’s a big deal. In this case, opening a maliciously crafted PowerPoint presentation could allow an attacker to execute code remotely on a victim’s computer. All versions of PowerPoint released in the past 10 years are vulnerable to this one.

Adobe is patching Reader/Acrobat to fix yet another problem associated with embedded JavaScript. This issue, as well as a work-around, was discussed in an earlier post here.

You can safely assume that the bad guys, knowing that people are often sloppy about security updates, will try to take advantage of both vulnerabilities. The Adobe Reader bug will likely be the primary target. Almost everyone has Adobe Reader installed on their computer and most folks are used to encountering PDF files on web sites.

Be careful out there.

Security researchers have turned up a couple more vulnerabilities in Adobe Reader (and Adobe Acrobat for those of you running the full, pay-for package). These flaws permit running arbitrary code on a target system without the user’s knowledge. This is triggered by tricking a victim into opening a maliciously crafted, JavaScript-enabled PDF document — typically, an email attachment or a document served up on an infected web site.

First off, ensure Adobe Reader/Acrobat is up to date. This will plug the holes fixed in the last round of updates. Check the Adobe Reader (or Acrobat) version by clicking on the Help menu and then choosing “About…” (If there are two “About” options, use the one that refers to Reader/Acrobat, not the one that says something about plug-ins.) For Reader 9 and Acrobat 9, the version displayed should be 9.1 or later; for Reader/Acrobat 8, it should be at least 8.1.3.

If the program is out of date, the easiest way to fix this is to again select the Help menu, but choose “Check for Updates…” This will download and install the appropriate updates.

For versions older than 8, it’s time to upgrade to the latest release.

Next, disable Adobe Reader/Acrobat JavaScript. Launch the program, click on the Edit menu and select “Preferences…” In the left pane of the Preferences window, choose “JavaScript”; to the right, near the top, un-check (clear) the box labeled “Enable Acrobat Javascript”. Click OK.

Even after this next round of bugs is patched, it is probably best to leave JavaScript disabled. It’s a potential vulnerability and rarely, if ever, used.

Check the Adobe Reader (or Acrobat) version by clicking on the Help menu and then choosing “About…” (If there are two “About” options, use the one that refers to Reader/Acrobat, not the one that says something about plug-ins.) For Reader 9 and Acrobat 9, the version displayed should be 9.1 or later; for Reader/Acrobat 8, it should be at least 8.1.3.

If the program is out of date, the easiest way to fix this is to again select the Help menu, but choose “Check for Updates…” This will download and install the appropriate patches.

All major antivirus vendors should have protection in place by now. Still, the usual caution applies: Do not open any file from an untrusted source. Ever.

Here are the high points:

• Office 2007 is unaffected. Earlier versions are vulnerable (Office 2003, Office XP, Office 2000).
• Office 2004 for the Mac is vulnerable; Office 2008 for Mac is safe.
• The PowerPoint Viewer is not vulnerable.
• Microsoft is working on a patch for this issue.

Further reading: The Register posted a good overview this morning. Also, check out Microsoft’s official security advisory.

But first, what has gone before…

• If you have been following “best practices” — your security patches are current and you have functioning, up-to-date antivirus — you needn’t worry about Conficker.
• If you’ve been remiss about security, you probably don’t need to worry about Conficker, but it sure wouldn’t hurt to check your system. See the “Conficker/Downadup detection and removal” article for details on how to do this. See “The Conficker/Downadup panic” for background. And at least get a decent antivirus program up and running, for crying out loud!

OK. Now, the reason searching for information about Conficker is risky is because the bad guys have poisoned many of the search results with fake sites. Most are likely scams of one sort or another — selling fake antivirus software is a common activity, as is trying to sucker you into installing spyware or other unwanted junk. At least one site is actively serving up malware. The Conficker Working Group is maintaining a steadily growing  list of these malicious sites. This ZDNet posting has additional information.

Bottom line: Searching on phrases like “Conficker virus”, “Conficker removal”, “Conficker nmap” and other similar terms is not a good idea right now. Instead, go directly to one of the major security-related web sites or to a reputable technical news source and search within their sites for information.

Here are some places to start:

• Monitor this very web log. We try to be both reputable and technically accurate.
• ESET
• F-Secure
• Kaspersky Lab
• Symantec
• Trend Micro

First off, the Conficker Working Group maintains a list of detection and repair tools that will deal with Conficker. If you suspect a Conficker infection, or just want to double-check, this is a good starting point. (Personally, I like ESET’s tool, but any of them should work fine.)

Update: The Conficker Working Group list is overloaded/inaccessible this morning (April 1). Here is a list of direct Conficker detection and removal tool links to try:

• ESET
• Kaspersky
• F-Secure
  
• McAfee
• Microsoft Malicious Software Removal Tool
• Sophos
• Sunbelt Software
• Symantec
• TrendMicro

However, the most recent variant of Conficker, Conficker.C, added a nasty trick. It blocks a long list of places offering detection and removal information and tools. This includes all the significant antivirus vendors, as well as Microsoft’s security-related material. If you cannot get to the above download links, but you can reach someplace routine like Google, you’ve likely got a problem.

You should also go to the control panel and launch Windows Security Center. If Windows Security Center is not working, that’s another red flag.

Neither of the above tests necessarily indicates a Conficker.C infection; there are other, nastier viruses that exhibit the same behavior. But failing one or both definitely means it’s time for some housecleaning.

BitDefender put up a web page very recently that is not blocked by Conficker.C and where you can download a general Conficker detection and removal tool. You can find it here: http://www.bdtools.net/. (Update: I’ve got a report that the BitDefender application may generate some false alarms. For now, it is probably best to use this tool only if you can’t reach any of the links listed above.)

Finally, the Windows Secrets Newsletter published a must-read article today titled “Run a Conficker removal tool before April 1“. You should read this for additional background and a more detailed discussion on Conficker detection and removal. (Well, OK, I have some problems with their recommendations regarding security suites, but it is still a first-rate write-up.)

If you have any questions, please feel free to get in touch. See the “Contact Us” section of the sidebar for information on how to do this.

The best, most recent estimate of the number of Conficker-infected computers is around 10 million. This is a big number, but a very small percentage of all the computers in the world. More than half of these systems are in countries with a high percentage of users running pirated versions of Windows who cannot easily obtain security updates. The big issue with Conficker is not its prevalence, but that it represents a huge network of computers — a “botnet” — that can be employed by the bad guys to do unsavory things.

Conficker has been spreading for a few months, but the Conficker-built botnet actually goes live this Wednesday, April 1. That’s when all those infected machines start trying to “phone home” for instructions and updates. This event is what triggered all the news coverage and Viewing With Alarm. In the meantime, an ad hoc, international team of security experts has been working hard — and rather effectively — to block and shut down Conficker’s list of command and control servers. Drama. Skulduggery. International intrigue. Somebody is going to write a great book about this battle some day.

So, what does this mean for those of us just trying to get some work done? Well…

If your antivirus software is up to date and working, you should be OK.  In fact, since Conficker also spreads by infecting USB flash drives, your antivirus software is definitely your first and most important line of defense. All reputable security software vendors are well-aware of Conficker and have had detection and removal routines in-place for quite some time.

Conficker’s primary route of infection exploits a vulnerability patched by Microsoft many months ago. If you’ve been applying Microsoft security updates regularly, your system should not be vulnerable to this technique. If you’ve been ignoring the little yellow shield down there in the System Tray, you should stop doing that.

Bottom line: If you’ve been paying attention to the security basics, Conficker will likely pass you by. Don’t let your guard down, though. Conficker is a very sophisticated piece of malware and the authors will almost certainly release a new strain in short order. If you’ve been careless, see the above  “Conficker/Downadup detection and removal” post.