Channel: Symantec Connect - Blog Entries

Chemical Attack in Syria Used as Enticement in Targeted Attack

Targeted attacks are a daily occurrence, and attackers are quick to build their social engineering themes around the latest news stories. In a recent targeted attack caught by our Symantec.cloud services, which delivered Backdoor.Korplug as its payload, we observed the attacker taking advantage of an article recently published by the Washington Post about chemical attacks in Syria. The attacker lifted the full text of the article into their own malicious document in an effort to convince victims that the document was legitimate.
 

Chemical attacks 1.png

Figure 1. Part of malicious document containing the stolen text
 

The attack follows the standard Backdoor.Korplug modus operandi, which we have blogged about previously: a malicious .doc attachment that exploits the Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-2551, detected as Bloodhound.Exploit.497) is emailed to the target.
 

Chemical attacks 2.png

Figure 2. Example of targeted email using chemical attack in Syria theme
 

Symantec will continue to monitor for new threats like the one detailed in this blog and for similar ones. We also recommend that users refrain from opening suspicious emails and, as always, advise customers to use the latest Symantec technologies and deploy the latest Symantec consumer and enterprise solutions to protect against attacks of this kind.


Targeted Attack Exploiting the Alleged Use of Chemical Weapons in Syria (Japanese edition)

Targeted attacks have become a daily occurrence, and attackers are quick to use the latest news stories as material for social engineering. A recently observed targeted attack delivers Backdoor.Korplug as its payload and was caught by the Symantec.cloud service. The attack makes use of an article recently published in the Washington Post about the alleged use of chemical weapons in Syria. The attacker reused the full text of the article in a malicious document, with the aim of deceiving victims into believing that the document is legitimate.
 

Chemical attacks 1.png

Figure 1. Part of the malicious document containing the copied article text
 

The attack follows the standard Backdoor.Korplug modus operandi. As described in a previous blog post, a malicious .doc file that exploits the Microsoft Internet Explorer Use-After-Free Remote Code Execution Vulnerability (CVE-2013-2551, Bloodhound.Exploit.497) is sent to the target by email.
 

Chemical attacks 2.png

Figure 2. Example of a targeted attack email that exploits news coverage of the alleged use of chemical weapons in Syria
 

Symantec will continue to monitor for new threats like the one described in this post and for similar threats. We recommend not opening suspicious emails in the first place. As always, to protect against attacks of this kind, please use the latest Symantec technologies and deploy the latest Symantec consumer or enterprise solutions.

 

* To subscribe to the RSS feed of the Japanese-language Security Response blog, go to http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.

What happens when users archive items into EV via Virtual Vault

One of the newest ways for users to quickly archive data, either from their mailbox or from legacy PST files, is Virtual Vault. Users drag and drop items into a folder within Virtual Vault and, soon afterwards, the items are archived. It really is that simple. There are some things worth knowing, though, before users go ahead and do this en masse.

What do users do?
- Drag and drop from Outlook or from a PST file. When items are taken from a PST file, remember that they are removed from the PST file unless the user copies the items (or takes a copy of the PST file first).

Where does the data go?
- The items are added to the MDC file. This has a direct consequence: the MDC file will grow, sometimes considerably, depending on how much data is added before the next synchronisation happens.

What happens when they next synchronise?
- One UploadItem.aspx call per item. Each item is uploaded from the MDC file to the EV server and archived, and each item results in a request to a file called UploadItem.aspx. The IIS logs on the EV server can be mined for useful information on exactly this: it is possible to work out which users are doing the drag and drop operation and how much data they are uploading.
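As an added example (not code from the original post or from Enterprise Vault), the following script does that mining over an IIS log in W3C extended format: it reads the #Fields header, keeps only requests for UploadItem.aspx, and totals items and bytes per user. The log excerpt is constructed for the example; the /EnterpriseVault virtual directory, the user names, addresses and byte counts are assumptions, and only the UploadItem.aspx file name comes from the post. cs-bytes is what the client sent to the server, so it approximates the size of the archived item plus HTTP overhead.

```python
"""Mine Enterprise Vault IIS logs for Virtual Vault uploads (UploadItem.aspx)."""
from collections import defaultdict

# Constructed sample in IIS W3C extended format. Virtual directory, user names,
# addresses and byte counts are made up; only UploadItem.aspx is from the post.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Version: 1.0
#Date: 2013-09-10 08:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2013-09-10 08:00:01 10.0.0.5 POST /EnterpriseVault/UploadItem.aspx - 80 CORP\\alice 10.0.1.20 Mozilla/4.0 200 0 0 512 48213 310
2013-09-10 08:00:03 10.0.0.5 POST /EnterpriseVault/UploadItem.aspx - 80 CORP\\alice 10.0.1.20 Mozilla/4.0 200 0 0 512 1203940 1870
2013-09-10 08:00:04 10.0.0.5 GET /EnterpriseVault/SomeOtherPage.asp - 80 CORP\\bob 10.0.1.21 Mozilla/4.0 200 0 0 2048 300 15
2013-09-10 08:00:09 10.0.0.5 POST /EnterpriseVault/UploadItem.aspx - 80 CORP\\bob 10.0.1.21 Mozilla/4.0 200 0 0 512 75000 420
2013-09-10 08:00:12 10.0.0.5 POST /EnterpriseVault/UploadItem.aspx - 80 CORP\\alice 10.0.1.20 Mozilla/4.0 500 0 0 512 9000 90
"""


def _int(value):
    """IIS writes '-' when a numeric field is unavailable; treat that as zero."""
    return int(value) if value.isdigit() else 0


def iter_w3c_records(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields header.

    The header can appear more than once (IIS rewrites it on rollover or when
    the selected fields change), so it is re-read every time it is seen.
    """
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError("request line seen before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or corrupt line: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def summarise_uploads(log_text, stem="/uploaditem.aspx"):
    """Per-user count and size of Virtual Vault uploads.

    Returns {user: {"items": n, "bytes": n, "failed": n}}. "items" and "bytes"
    count requests IIS answered with a 2xx status; "failed" counts the rest,
    which point at items the client will have to retry at the next sync.
    """
    per_user = defaultdict(lambda: {"items": 0, "bytes": 0, "failed": 0})
    for rec in iter_w3c_records(log_text):
        if not rec.get("cs-uri-stem", "").lower().endswith(stem):
            continue
        user = rec.get("cs-username", "-")
        status = _int(rec.get("sc-status", "0"))
        if 200 <= status < 300:
            per_user[user]["items"] += 1
            per_user[user]["bytes"] += _int(rec.get("cs-bytes", "0"))
        else:
            per_user[user]["failed"] += 1
    return dict(per_user)


def top_uploaders(summary, limit=10):
    """Users ordered by bytes uploaded, largest first."""
    return sorted(summary.items(), key=lambda kv: kv[1]["bytes"], reverse=True)[:limit]


if __name__ == "__main__":
    for user, stats in top_uploaders(summarise_uploads(SAMPLE_IIS_LOG)):
        print(f"{user:20} items={stats['items']:4} bytes={stats['bytes']:>10} failed={stats['failed']}")
```

Point the script at the W3C log files under the EV server's IIS log directory and sort by bytes to find the users whose bulk drag-and-drop is inflating the MDC files and the archive.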

What can we do policy-wise?
- It can be prevented completely. The screenshot below shows the policy settings that make this drag and drop possible:

1_0.png

- It can be auto-synchronised. One of the problems is that the data is somewhat at risk until the next Virtual Vault synchronisation run. Some policy settings help with this: they can be used to automatically trigger a synchronisation when one of the thresholds is crossed. The policy options are shown in the screenshot below:

2_0.png

When is a Basic Inventory not a Basic Inventory (2)

After I posted my previous blog entry [1] I went and implemented a solution (the documentation for it is done and awaiting moderation before release here on Connect).

It worked pretty well, but we still have far too many basic inventories coming in. A look at captured NSEs showed that there is another problem, with other inventories hijacking the Basic Inventory capture item:

Sample 1:

<?xml version='1.0' ?>
<message>
<from><resource guid='{ffffff-ffff-ffff-ffff-ffffffffffff}' typeGuid='{493435F7-3B17-4C4C-B07F-C23E7AB7781F}'/></from>
<to>1592B913-72F3-4c36-91D2-D4EDA21D2F96</to>
<time>20130905211027.187000-120</time>
<body><inventory><dataClass guid="ca029e6b-f124-4399-9b91-10c41b73165b"><data><resource partialUpdate="true"><row PolicyGuid="ffffff-ffff-ffff-ffff-ffffffffffff" TaskInstanceGuid="ffffff-ffff-ffff-ffff-ffffffffffff"/></resource></data></dataClass></inventory></body></message>
 
Sample 2:
<?xml version='1.0' ?>
<message>
<from><resource guid='{ffffff-ffff-ffff-ffff-ffffffffffff}' typeGuid='{493435F7-3B17-4C4C-B07F-C23E7AB7781F}'/></from>
<to>1592B913-72F3-4c36-91D2-D4EDA21D2F96</to>
<time>20130905203801.546000-120</time>
<body><inventory><dataClass guid="246cd556-2330-465c-8dc3-5914d10f7d76"><data><resource partialUpdate="true"><row Compliance="1" PolicyGuid="ffffff-ffff-ffff-ffff-ffffffffffff" StringGuid="00000000-0000-0000-0000-000000000000"/></resource></data></dataClass></inventory></body></message>

A quick query on the database showed the following information for the offending dataclasses:

Name                           Description
Policy Compliance Remediation  Stores a record each time a task is launched in an attempt to remediate a non-compliant computer
Policy Compliance Status       Records status of compliance against a given computer and assigned policy

Conclusion: the Policy Compliance Remediation and Status data is sent with the Basic Inventory capture item, which is misleading. Given that the data is gathered and sent by the agent (Software Management?), we cannot fix it ourselves and will have to report the issue as a defect to the Software Management team.
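To make this check repeatable over a directory of captured NSEs rather than by eye, here is an added example (not code from the post or from the Symantec Management Platform) that parses each NSE, resolves its dataClass GUIDs to names, and flags NSEs addressed to the Basic Inventory capture item that carry only data classes foreign to Basic Inventory. The two NSEs are the ones quoted above; the pairing of each GUID with a name is inferred from the row attributes and is an assumption, as is the placeholder set of "real" Basic Inventory data classes (the single GUID in it is invented, as is the control NSE built from it).

```python
"""Classify the data classes carried by captured NSEs and flag the ones that
ride on the Basic Inventory capture item without belonging to it."""
import xml.etree.ElementTree as ET

# Capture item GUID seen in the <to> element of both NSEs quoted in the post.
BASIC_INVENTORY_CAPTURE_ITEM = "1592B913-72F3-4c36-91D2-D4EDA21D2F96"

# Names from the post's database query. Which GUID carries which name is an
# inference from the row attributes in the samples (TaskInstanceGuid for a
# remediation task launch, Compliance for a status record); not stated there.
DATACLASS_NAMES = {
    "ca029e6b-f124-4399-9b91-10c41b73165b": "Policy Compliance Remediation",
    "246cd556-2330-465c-8dc3-5914d10f7d76": "Policy Compliance Status",
}

# Data classes that legitimately travel under the Basic Inventory capture item.
# Placeholder: fill it from your own Notification Server database. The GUID
# below is invented for the example.
BASIC_INVENTORY_DATACLASSES = {"11111111-2222-3333-4444-555555555555"}

# The two NSEs quoted in the post (resource GUIDs are redacted there as ffff...).
SAMPLE_NSES = [
    """<?xml version='1.0' ?>
<message>
<from><resource guid='{ffffff-ffff-ffff-ffff-ffffffffffff}' typeGuid='{493435F7-3B17-4C4C-B07F-C23E7AB7781F}'/></from>
<to>1592B913-72F3-4c36-91D2-D4EDA21D2F96</to>
<time>20130905211027.187000-120</time>
<body><inventory><dataClass guid="ca029e6b-f124-4399-9b91-10c41b73165b"><data><resource partialUpdate="true"><row PolicyGuid="ffffff-ffff-ffff-ffff-ffffffffffff" TaskInstanceGuid="ffffff-ffff-ffff-ffff-ffffffffffff"/></resource></data></dataClass></inventory></body></message>""",
    """<?xml version='1.0' ?>
<message>
<from><resource guid='{ffffff-ffff-ffff-ffff-ffffffffffff}' typeGuid='{493435F7-3B17-4C4C-B07F-C23E7AB7781F}'/></from>
<to>1592B913-72F3-4c36-91D2-D4EDA21D2F96</to>
<time>20130905203801.546000-120</time>
<body><inventory><dataClass guid="246cd556-2330-465c-8dc3-5914d10f7d76"><data><resource partialUpdate="true"><row Compliance="1" PolicyGuid="ffffff-ffff-ffff-ffff-ffffffffffff" StringGuid="00000000-0000-0000-0000-000000000000"/></resource></data></dataClass></inventory></body></message>""",
]

# Constructed control case: an NSE to the same capture item carrying only the
# placeholder Basic Inventory data class, which must not be flagged.
SAMPLE_BASIC = """<?xml version='1.0' ?>
<message>
<from><resource guid='{ffffff-ffff-ffff-ffff-ffffffffffff}' typeGuid='{493435F7-3B17-4C4C-B07F-C23E7AB7781F}'/></from>
<to>1592B913-72F3-4c36-91D2-D4EDA21D2F96</to>
<time>20130905210000.000000-120</time>
<body><inventory><dataClass guid="11111111-2222-3333-4444-555555555555"><data><resource><row Name="HOST01"/></resource></data></dataClass></inventory></body></message>"""


def _norm(guid):
    """Strip braces and fold case so '{AbC}' and 'abc' compare equal."""
    return guid.strip().strip("{}").lower()


def classify_nse(xml_text):
    """Summarise one NSE: sender, target capture item and the data classes it
    carries, with the ones foreign to Basic Inventory listed separately."""
    root = ET.fromstring(xml_text)
    sender = root.find("from/resource")
    capture_item = _norm(root.findtext("to", default=""))
    carried = []
    for dc in root.iter("dataClass"):
        guid = _norm(dc.get("guid", ""))
        carried.append({
            "guid": guid,
            "name": DATACLASS_NAMES.get(guid, "<unknown data class>"),
            "rows": len(dc.findall("data/resource/row")),
            "partial": any(r.get("partialUpdate") == "true" for r in dc.iter("resource")),
        })
    return {
        "resource": _norm(sender.get("guid", "")) if sender is not None else "",
        "time": root.findtext("time", default=""),
        "capture_item": capture_item,
        "to_basic_inventory": capture_item == _norm(BASIC_INVENTORY_CAPTURE_ITEM),
        "dataclasses": carried,
        "foreign": [c for c in carried if c["guid"] not in BASIC_INVENTORY_DATACLASSES],
    }


def hijacked(xml_text):
    """True when an NSE addressed to the Basic Inventory capture item carries
    nothing but data classes that are not part of Basic Inventory."""
    s = classify_nse(xml_text)
    return s["to_basic_inventory"] and bool(s["dataclasses"]) and len(s["foreign"]) == len(s["dataclasses"])


if __name__ == "__main__":
    for nse in SAMPLE_NSES + [SAMPLE_BASIC]:
        s = classify_nse(nse)
        verdict = "HIJACK" if hijacked(nse) else "ok"
        names = ", ".join(f"{c['name']} ({c['rows']} row(s))" for c in s["dataclasses"])
        print(f"{s['time']}  {verdict:6}  {names}")
```

Run it over every captured NSE file and count the HIJACK verdicts per data class name: that tally is the evidence to attach to the defect report.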

Oh, and here's riddle (2), then:

When is a basic inventory not a basic inventory?

When it's a policy remediation inventory!!!

[1] When is a Basic Inventory not a Basic Inventory?

Spammers Set Up Fake Surgical Strikes on Syria

Contributor: Binny Kuriakose

Spammers continue to leverage the crisis in Syria for personal gain. Besides the scam message that claimed to be from the Red Cross, spammers are now taking advantage of emails about the news in Syria. They have snuck in a few malicious messages containing random URLs that entice users to visit a compromised website hosting obfuscated JavaScript code, which downloads the Trojan Downloader.Ponik.

When the Trojan is executed, it may create the following files:

  • %TEMP%\[RANDOM CHARACTERS FILE NAME].bat
  • %UserProfile%\Local Settings\Application Data\pny\pnd.exe

These files then inject a malicious executable payload, which may allow the attacker to steal passwords and sensitive information.

The subject line of the emails has no connection to the body of the message:

Completed: Please DocuSign this document : Confidential Company Agreement 2013..pdf

The body of the email contains the following content and an embedded URL with the pattern "http://xxxxx.xxx.xx/xxxxx/index.html".

Syria email 1 edit.png

Figure 1. Spam email contents

Most of these attacks exploit vulnerabilities in software on the user's computer that has not been updated or patched in time. Users are advised to keep their software and antivirus protection up to date, not to click suspicious links, and not to open files from unsolicited sources.

Symantec provides regular security updates to stave off any such attacks from spammers.

SharePoint 2010 farm topology not visible in Backup, Archive, & Restore GUI?

Even after setting up the credentials properly on every front-end server, application server and SQL server, and in NetBackup's host properties, it is possible that NetBackup still doesn't see the farm topology. This usually manifests as backups failing with status code 200, "scheduler found no backup to run".

If you encounter the above error message:

1. Log in to the primary front-end server (to identify which box, simply launch your SharePoint 2010 Central Administration console and take note of the hostname on the web address).

2. Launch NetBackup Backup, Archive, and Restore GUI with "Run as administrator".

3. Click "Select for Backup".

4. Check whether "Microsoft SharePoint Resources" is listed under All Folders.

If not, do the following:

* Follow http://www.symantec.com/business/support/index?page=content&id=TECH72931

* On top of that, create another copy of spswrapperv3.exe.config and rename it to spswrapperv4.exe.config.

Put both spswrapperv3.exe.config and spswrapperv4.exe.config in the same location, i.e. <install dir>\Veritas\NetBackup\bin\, on all your SharePoint front-end servers, application servers and SQL servers.

* You should be able to see "Microsoft SharePoint Resources" now.

 

Busy August for One-Click Fraud Scammers on Google Play

For many of us around the globe, August may be a month to take a break from work and go on a summer holiday. In contrast, August appears to be the busiest month of the year for the scammers developing Japanese one-click fraud apps. They raised their output to publish close to 1,000 fraudulent apps on Google Play during August. As a result, they succeeded in tricking Android device owners into downloading the apps at least 8,500 times, according to the statistics shown on the Google Play app pages. The actual figure is likely much higher and probably well exceeds 10,000 downloads.
 

Figure1_0.png

Figure 1. Daily publication count for August
 

The number of one-click fraud apps published from the beginning of the year to the end of August now totals approximately 2,500, and the scammers show no signs of slowing down. As usual, most of the apps published in August survived only one night before being removed from the store by the following morning, although one night appears to be enough for the scammers to score numerous downloads. The scammers routinely publish apps every afternoon, perhaps as they end their working day in the office. The chance of survival increases when apps are published over the weekend, and some are lucky enough to live for several days, allowing time for hundreds of downloads.
 

Figure2_0.png

Figure 2. Apps published monthly
 

As in previous months, August saw several new types of one-click fraud app appear. They use different tactics, but these new variants have not been very successful and disappeared quite quickly. Interestingly, the same group of scammers publishes 97 percent of the apps.
 

Figure3.png

Figure 3. Variants published in August
 

One of the newest variants has had some success in staying alive on Google Play, though the number of downloads remains limited. These apps include numerous links to various online adult sites, but one or two links actually lead to fraudulent sites that attempt to con people into paying a fee without properly signing them up for the paid service. The fee to watch adult videos on these sites is typically around US$1,000, extremely expensive compared to the average cost of a legitimate service. By mixing the malicious links in among legitimate ones, the apps attempt to stay hidden from security checks. The bad links also go through a redirector URL, which makes the app open whatever site the redirector is configured with. This lets the scammers easily change on the server side where the apps ultimately lead if they come under suspicion of involvement in malicious activity.

The app works in the following way:

  1. Once the app is installed, the user is presented with several links to adult-related video sites.
  2. Some of the links lead to fraudulent sites. The user then chooses a video from one of these sites.
  3. The user attempts to play video.
  4. The user is asked to pay a fee.

OneClickGIF.gif

Figure 4. Fraudulent app
 

While app stores allow users to easily search for and download apps, there is always a risk of being fooled into downloading illegitimate apps. Users should only install apps they are certain they can trust. Symantec also recommends using Norton Mobile Security to help stay protected. The apps discussed in this blog are detected by Symantec products as Android.Oneclickfraud.

Spammers Fabricate Surgical Strikes on Syria (Japanese edition)

Contributor: Binny Kuriakose

Spam that exploits the Syrian crisis for personal gain continues unabated. Besides using a scam message disguised as coming from the Red Cross, spammers are also exploiting emails covering news about Syria. They plant malicious messages containing random URLs in an attempt to lure users to a compromised malicious website. This website hosts obfuscated JavaScript code that downloads the Trojan Downloader.Ponik.

When Downloader.Ponik is executed, it creates the following files:

  • %TEMP%\[RANDOM CHARACTERS FILE NAME].bat
  • %UserProfile%\Local Settings\Application Data\pny\pnd.exe

Once these files inject the malicious executable payload, the attacker is able to steal passwords and sensitive information.

The subject line of the email has nothing to do with the body of the message:

Completed: Please DocuSign this document : Confidential Company Agreement 2013..pdf

The body of the email contains the following content and has an embedded URL with the pattern "http://xxxxx.xxx.xx/xxxxx/index.html".

Syria email 1 edit.png

Figure 1. Contents of the spam email

Most of these attacks exploit vulnerabilities on the user's computer that have not yet been updated or patched. We recommend keeping software and antivirus definitions up to date at all times. Also, do not click suspicious links or open files from unknown senders.

Symantec provides regular security updates to protect against attacks of this kind sent by spammers.

 



The changing role of the CIO

Managing technology in business was never simple. You can go back ten, twenty, even thirty years and find articles about how senior IT roles have struggled to deliver new systems and services whilst keeping existing capabilities running, fending off security challenges, or coping with the always-disgruntled user base. Some things never change.

So, when we look at how the CIO's role is changing, it's not as if it is starting from any fixed position, a time when decision making was easier or things 'just worked'; they never 'just worked'! Decades ago, technology started fragmenting, becoming more distributed as Moore's law enabled computers to become smaller: mainframes begat minicomputers, which were then overtaken by client-server architectures and then by highly virtualised infrastructures.

The trend continues. For example, 'consumerisation' is the tag given to the phenomenon of powerful computers becoming small enough to fit into our pockets and cheap enough for anyone to own. It isn't a particular surprise; indeed, we could all see it coming. We can see where it is going as well, as sensors and processors enable an increasing range of devices to connect - creating the so-called 'Internet of Things'. 

While the fundamental backdrop of change remains the same, technology is becoming more a part of every business and, therefore, more crucial to business strategy. The CIO's role is becoming more significant as a result. Each new wave of IT - be it mobile, big data, cloud computing or whatever - comes with business benefits, but equally creates a series of challenges which can have a significant negative impact on the business if not planned carefully. 

This does put the onus on the organisation to ensure the CIO can be proactive rather than reactive. Technology change isn't something you want to happen to your organisation, leaving you constantly trying to catch up. And neither should the CIO feel on the back foot, adopting coping strategies rather than leading the organisation towards a vision of what is possible. Should the CIO have a role on the board, as has so often been suggested across the years? Maybe - but only if the organisation has a shared vision concerning what this might mean to the business.

Of course CIOs have to earn their stripes, showing that they can successfully manage a stable technology environment even against a maelstrom of change. And not all businesses will want to be technology leaders, preferring to focus on traditional models, in which technology is merely a necessary cost to be minimised. 

But for organisations wanting to use technology to drive new business, the most important thing is to make a proactive decision to involve the CIO directly in business strategy. We can see examples of CIOs involved at board level who graduate to COO positions, not least our own COO, Stephen Gillett, or indeed Ken Harvey at HSBC (now retired).

It is better to adopt a proactive approach than to pay lip service to technology or, worse, simply expect IT to deliver the goods without any advance investment. With technology becoming ever more strategic, organisations that think it will all 'just work' may well find themselves slipping behind their competition, even as the CIO battles to keep the lights on.

Provide as much information as possible when creating forum queries

There's nothing worse than a forum query with little information provided. It means extra time spent asking questions of the OP to extract the information needed to begin troubleshooting.

The easiest way around this is to tag the forum query correctly, and in doing so provide as much information as possible. This is really easy to do, and taking the time to provide the correct tags when creating the query will save a lot of effort in trying to work out the background information.

The information selected should include:

1. Operating system on which product is running - self-explanatory!

2. Select one product (Required) - This is going to tell forumites what product you're using. But more importantly, selecting the version of the product, ie. Backup Exec 2012, is going to ensure that if you don't mention this bit of information in the initial query, forumites will be able to see the version in the tags. No guessing the version and getting this wrong when replying.

3. Select one or two topics (How To and Backup being the two most important). Simply put, this identifies where your issue lies. Examples of How To tags include Basics, Licensing, Patch, Performance, etc.: easy designators of the issue at hand.
Backup tags, for example, deal directly with the Backup Exec agents. These include Microsoft Exchange Mailbox Archiving Option, Agent for Microsoft Exchange Server and Agent for VMware Virtual Infrastructure. If you forget to mention which agents you're using when typing up your problem, these tags will designate them.

4. Also show this post on the following group pages: selecting any tags here will limit public viewing, unless general forumites are part of the group you have selected.

If you have any logs that were generated, or screenshots etc, add these in to the forum query by using the File Attachments section.

Simply put, tagging your forum query properly adds information that can help sort out or diagnose your issue a lot faster than if the tags are left blank.

Thanks!

Mass Outbreak of One-Click Fraud Apps on Google Play in August (Japanese edition)

August is a time when many people around the world take a break from work and go on holiday. For the scammers developing Japanese one-click fraud apps, however, August appears to have been their busiest season. During the month the scammers boosted their productivity and published close to 1,000 fraudulent apps on Google Play. According to the statistics displayed on Google Play, duped Android device users downloaded the fraudulent apps at least 8,500 times in total. The real figure is probably far higher, likely exceeding 10,000 downloads.
 

Figure1_0.png

Figure 1. Number of fraudulent apps published per day in August
 

The total number of one-click fraud apps published from January to the end of August is about 2,500, and there is no sign of the scammers letting up. As before, most of the fraudulent apps published in August lasted only one night, being removed from the store by the following morning. Even so, that seems to be long enough for the scammers to rack up downloads. The fraudulent apps are usually published every afternoon, apparently at the end of the working day at the office. Apps published over the weekend have a better chance of surviving, and some lucky ones remain on the site for several days, collecting many downloads.
 

Figure2_0.png

Figure 2. Number of fraudulent apps published per month
 

As in July, new types of one-click fraud apps appeared in August. They use various tactics, but none of these variants has had much success, and they disappeared after a short time. Interestingly, 97 percent of the scammers publishing the apps belong to the same group.
 

Figure3.png

Figure 3. Variants of fraudulent apps published in August
 

Among the newest variants, one has managed to survive on Google Play, although its downloads are limited. This fraudulent app contains links to various adult-related sites, but one or two of them actually lead to fraudulent sites that try to trick users into paying a fee without properly registering them for the paid service. These fraudulent sites typically demand around 100,000 yen as the fee to watch adult videos, which is far more than the average for a legitimate service. By mixing the malicious links in among other legitimate links, the app disguises itself to avoid detection by security checks. The malicious links lead to a redirector URL, which instructs the app to open whatever site the redirector is configured with. This lets the scammers easily change, on the server side, where the app ultimately leads if they come under suspicion of involvement in malicious activity.

The fraudulent app works as follows:

  1. Once the app is installed, several links to adult-related video sites are displayed.
  2. Some of the links lead to fraudulent sites. The user selects a video from one of these sites.
  3. The user attempts to play the video.
  4. The user is asked to pay a fee.

OneClickGIF.gif

Figure 4. Fraudulent app
 

App stores make it easy to search for and download apps, but there is always a risk of being tricked into downloading an illegitimate app. Install only apps you are certain you can trust. We recommend using Norton Mobile Security to protect your device. Symantec products detect the fraudulent apps described in this post as Android.Oneclickfraud.

 


Is Your Organization Clinging to Protection Technologies of the Past?

A few years ago, a camera was a simple thing, an object designed to do one job: take photos. By and large it met that need well. Over the past decade, however, we have seen an unprecedented integration of photographic technology and other useful capabilities into a single device: the smartphone. Now we can not only take photos and video on the spot, but even send photos digitally to family and friends in real time, from the same device.

Technology is constantly evolving. For example, do you expect the same image quality from your 1.3-megapixel camera phone of 2007 as you demand from your current smartphone? Of course not. In fact, it is not only the big companies that improve their products technologically; cybercriminals also evolve and create new ways to steal information from organizations and wreak havoc on individual machines and entire networks. As a result, security vendors continually optimize their products to stay ahead of new actors and threats.

In this regard, Symantec is at the forefront of security and, with a vision and broad knowledge of current threats and future trends, our solutions are the most complete on the market and integrate the latest security technologies to protect against constantly evolving cyberthreats. The latest version of Symantec Endpoint Protection is no exception. Symantec Endpoint Protection 12.1 goes well beyond what would be considered a minor update to its predecessor (Symantec Endpoint Protection 11) and is a critical tool that helps organizations mitigate the risk of targeted attacks. Best of all, it is free for all current Symantec Endpoint Protection 11 users.

Our Internet Security Threat Report (ISTR) shows how cyberthreats are evolving; in fact, Symantec Security Response data reveals that less than half (49%) of malware is currently stopped by traditional antivirus software.

You may be wondering what all this means. The answer is simple: businesses and users need new and updated technologies to stay safe from cybercriminals. That is why Symantec continues to develop innovative ways to identify and neutralize threats, creating the core of a defense-in-depth strategy that can protect against new and old threats alike.

Here are some highlights of SEP 12.1 that enable advanced enterprise protection:

  • SONAR - A renewed reputation engine that monitors files to better identify zero-day and other unknown threats. The current version of Endpoint Protection has increased the number of monitored behaviors almost fourfold, to about 1,400.
  • Symantec Insight - Reputation-based security technology that tracks nearly every file on the Internet to separate the known from the risky. Built from contributions from more than 210 million systems in more than 200 countries, this technology gives organizations advanced context for deciding whether a file is trustworthy.
  • Integration with VMware vShield Endpoint, which provides complete protection for virtual machines without sacrificing performance, reducing scan overhead by up to 70% and preserving 90% of disk I/O capacity.
  • A shared remote cache that lets clients share scan results and skip files already scanned by other virtual machines.
  • Support for the latest operating systems, including Windows 8 and Mac OS X Mountain Lion (all from a single deployment).

Despite all these benefits, and rapid adoption around the world, some organizations do not consider migrating to Symantec Endpoint Protection 12.1 a priority, on the grounds that Symantec Endpoint Protection 11 is "good enough for now". This can expose them to risk and complicate the upgrade process. Some Symantec Endpoint Protection 11 users wrongly think that the migration will take several weeks or months, and do not realize the comprehensive protection and performance advantages available through the upgrade. But customers who have upgraded tell a different story.

In general, Symantec Endpoint Protection 12.1 users can obtain a significant reduction in scan times (up to 70%) and reduce costs as well. The best part? An upgrade to version 12.1 deploys as easily as a regular maintenance release. In many cases, customers have been surprised by successful upgrades in as little as two weeks[i] (98% of those surveyed strongly recommend the upgrade to their security colleagues after migrating). In addition, Symantec Endpoint Protection 12.1 has consistently outperformed version 11, demonstrating the value it delivers to customers.

Just as we find it inconvenient to carry a bulky standalone camera when the same photo/video capability is available as part of a mobile phone, we cannot settle for security products that do not integrate the latest technological advances. Failing to take advantage of this simple, free upgrade to Symantec Endpoint Protection 12.1 can let new and dangerous threats go unnoticed, potentially compromising business-critical systems and information. With your company's protection at stake, even the slightest hesitation to update security solutions can be a disaster waiting to happen.

For more information, visit go.symantec.com/beyondantivirus.


[i] Among customers with around 1,900 networked systems.

 

Environmental Responsibility at Symantec: How We're Doing and Where We're Headed

By Kelly Shea, Symantec Global Sustainability Project Manager

As we prepare for the release of Symantec's FY13 Corporate Responsibility (CR) report, this is a good time to provide additional context around our environmental performance: where our focus is as a company, how we're doing and our goals for the next year.

As a company, we are committed to positive social impact and to operating with integrity and respect for the environment. Our environmental strategy rests on four major sustainability pillars to lessen our impact on the environment: green IT, responsible sourcing, resource conservation, and travel and events.

The electricity we use to power our data center and labs, along with associated greenhouse gas (GHG) emissions, continues to represent our largest environmental impact. To address this issue we’re devoted to achieving ENERGY STAR and LEED certification. We achieved three LEED certifications this past year, including our first Platinum certification in Culver City, California, and now have 20 LEED-certified facilities and one renewal for a total of 21 certifications representing 80 percent of our eligible real estate square footage. Additionally, as the FY13 CR report points out, we decreased our absolute GHG emissions by 88 metric tons from FY12 to FY13.  

Culver City.jpg

One of our ongoing sustainability goals over the next year is energy efficiency. To maximize efficiency in our most energy intensive facilities, we are focused on continuously improving Power Usage Effectiveness (PUE) —a metric used to determine the energy efficiency of a lab or data center. According to our data, in FY13 we expanded energy sub-metering coverage to 73 percent of our lab and data center facilities by square footage and have calculated an average PUE ratio of 1.44 across these facilities—a result significantly lower than our ongoing PUE goal of 1.7 and the industry average PUE of 2.

Our long-term environmental strategy will focus on further embedding corporate responsibility into our core business strategy. We are working toward institutionalizing environmental management through our Environmental Management System (EMS), which provides a structured framework for engaging stakeholders from across the business in identifying business risks and opportunities related to environmental sustainability, and for determining strategies to address those risks and opportunities. We are also looking to uncover new opportunities through the development and delivery of products and services that enable our customers to reduce their greenhouse gas emissions and better adapt to the physical impacts of climate change.

Next in this series: Stay tuned Thursday for the launch of our 2013 Corporate Responsibility Report!

 

Microsoft Patch Tuesday – September 2013

Hello, welcome to this month's blog on the Microsoft patch release. This month the vendor is releasing thirteen bulletins covering a total of 47 vulnerabilities. Thirteen of this month's issues are rated 'Critical'.

As always, customers are advised to follow these security best practices:

  • Install vendor patches as soon as they are available.
  • Run all software with the least privileges required while still maintaining functionality.
  • Avoid handling files from unknown or questionable sources.
  • Never visit sites of unknown or questionable integrity.
  • Block external access at the network perimeter to all key systems unless specific access is required.

Microsoft's summary of the September releases can be found here:
http://technet.microsoft.com/en-us/security/bulletin/ms13-Sep

The following is a breakdown of the issues being addressed this month:

  1. MS13-068 Vulnerability in Microsoft Outlook Could Allow Remote Code Execution (2756473)

    Message Certificate Vulnerability (CVE-2013-3870) MS Rating: Critical

    A remote code execution vulnerability exists in the way that Microsoft Outlook parses specially crafted S/MIME email messages. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

  2. MS13-069 Cumulative Security Update for Internet Explorer (2870699)

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3201) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3202) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3203) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3204) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3205) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3206) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3207) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3208) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3209) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

    Internet Explorer Memory Corruption Vulnerability (CVE-2013-3845) MS Rating: Critical

    A remote code execution vulnerability exists when Internet Explorer improperly accesses an object in memory. This vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

  3. MS13-067 Vulnerabilities in Microsoft SharePoint Server Could Allow Remote Code Execution (2834052)

    SharePoint Denial of Service Vulnerability (CVE-2013-0081) MS Rating: Important

    A denial of service vulnerability exists in Microsoft SharePoint Server. An attacker who successfully exploited this vulnerability could cause the W3WP process on an affected version of SharePoint Server to stop responding, causing the SharePoint site, and any other sites running under that process, to become unavailable until the process is restarted.

    MAC Disabled Vulnerability (CVE-2013-1330) MS Rating: Critical

    A remote code execution vulnerability exists in the way SharePoint Server handles unassigned workflows. An attacker who successfully exploited this vulnerability could run arbitrary code in the context of the W3WP service account.

    SharePoint XSS Vulnerability (CVE-2013-3179) MS Rating: Important

    An elevation of privilege vulnerability exists in Microsoft SharePoint Server. An attacker who successfully exploited this vulnerability could perform cross-site scripting attacks and run script in the security context of the logged-on user.

    POST XSS Vulnerability (CVE-2013-3180) MS Rating: Important

    An elevation of privilege vulnerability exists in Microsoft SharePoint Server. An attacker who successfully exploited this vulnerability could perform cross-site scripting attacks and run script in the security context of the logged-on user.

  4. MS13-072 Vulnerabilities in Microsoft Office Could Allow Remote Code Execution (2845537)

    XML External Entities Resolution Vulnerability (CVE-2013-3160) MS Rating: Important

    An information disclosure vulnerability exists in the way that Microsoft Word parses specially crafted XML files containing external entities.

    Word Memory Corruption Vulnerability (CVE-2013-3847) MS Rating: Important

    A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Word Memory Corruption Vulnerability (CVE-2013-3848) MS Rating: Important

    A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Word Memory Corruption Vulnerability (CVE-2013-3849) MS Rating: Important

    A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Word Memory Corruption Vulnerability (CVE-2013-3850) MS Rating: Important

    A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Word Memory Corruption Vulnerability (CVE-2013-3851) MS Rating: Important

    A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Word Memory Corruption Vulnerability (CVE-2013-3852) MS Rating: Important

    A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Word Memory Corruption Vulnerability (CVE-2013-3853) MS Rating: Important

    A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Word Memory Corruption Vulnerability (CVE-2013-3854) MS Rating: Important

    A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Word Memory Corruption Vulnerability (CVE-2013-3855) MS Rating: Important

    A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Word Memory Corruption Vulnerability (CVE-2013-3856) MS Rating: Important

    A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Word Memory Corruption Vulnerability (CVE-2013-3857) MS Rating: Important

    A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

    Word Memory Corruption Vulnerability (CVE-2013-3858) MS Rating: Important

    A remote code execution vulnerability exists in the way that affected Microsoft Office software parses specially crafted files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

  5. MS13-074 Vulnerabilities in Microsoft Access Could Allow Remote Code Execution (2848637)

    Access Memory Corruption Vulnerability (CVE-2013-3155) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Access parses content in Access files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    Access Memory Corruption Vulnerability (CVE-2013-3156) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Access parses content in Access files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    Access Memory Corruption Vulnerability (CVE-2013-3157) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Access parses content in Access files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  6. MS13-073 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (2858300)

    Microsoft Office Memory Corruption Vulnerability (CVE-2013-1315) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Excel parses content in Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    Microsoft Office Memory Corruption Vulnerability (CVE-2013-3158) MS Rating: Important

    A remote code execution vulnerability exists in the way that Microsoft Excel parses content in Excel files. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

    XML External Entities Resolution Vulnerability (CVE-2013-3159) MS Rating: Important

    An information disclosure vulnerability exists in the way that Microsoft Excel parses specially crafted XML files containing external entities.

  7. MS13-071 Vulnerability in Windows Theme File Could Allow Remote Code Execution (2864063)

    Windows Theme File Remote Code Execution Vulnerability (CVE-2013-0810) MS Rating: Important

    A remote code execution vulnerability exists in the way Windows handles certain specially crafted Windows theme files. This vulnerability could allow an attacker to execute arbitrary code if the attacker convinces a user to apply a specially crafted Windows theme. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

  8. MS13-077 Vulnerability in Windows Service Control Manager Could Allow Elevation of Privilege (2872339)

    Service Control Manager Double Free Vulnerability (CVE-2013-3862) MS Rating: Important

    A vulnerability exists in the way that the Windows Service Control Manager (SCM) handles objects in memory. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

  9. MS13-070 Vulnerability in OLE Could Allow Remote Code Execution (2876217)

    OLE Property Vulnerability (CVE-2013-3863) MS Rating: Important

    A vulnerability exists in OLE that could lead to remote code execution if a user opens a file that contains a specially crafted OLE object. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user. If a user is logged on with administrative user rights, an attacker could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

  10. MS13-078 Vulnerability in FrontPage Could Allow Information Disclosure (2825621)

    XML Disclosure Vulnerability (CVE-2013-3137) MS Rating: Important

    An information disclosure vulnerability exists in FrontPage that could allow an attacker to disclose the contents of a file on a target system.

  11. MS13-075 Vulnerability in Microsoft Office IME (Chinese) Could Allow Elevation of Privilege (2878687)

    Chinese IME Vulnerability (CVE-2013-3859) MS Rating: Important

    An elevation of privilege vulnerability exists in Office IME (Chinese) that could allow a low-privilege user to elevate their privileges.

  12. MS13-076 Vulnerabilities in Kernel-Mode Drivers Could Allow Elevation of Privilege (2876315)

    Win32k Multiple Fetch Vulnerability (CVE-2013-1341) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Multiple Fetch Vulnerability (CVE-2013-1342) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Multiple Fetch Vulnerability (CVE-2013-1343) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Multiple Fetch Vulnerability (CVE-2013-1344) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Multiple Fetch Vulnerability (CVE-2013-3864) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Multiple Fetch Vulnerability (CVE-2013-3865) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could gain elevated privileges and read arbitrary amounts of kernel memory.

    Win32k Elevation of Privilege Vulnerability (CVE-2013-3866) MS Rating: Important

    An elevation of privilege vulnerability exists when the Windows kernel-mode driver improperly handles objects in memory. An attacker who successfully exploited this vulnerability could gain elevated privileges and read arbitrary amounts of kernel memory.

  13. MS13-079 Vulnerability in Active Directory Could Allow Denial of Service (2853587)

    Remote Anonymous DoS Vulnerability (CVE-2013-3868) MS Rating: Important

    A denial of service vulnerability exists in implementations of Active Directory that could cause the service to stop responding until an administrator restarts the service. The vulnerability is caused when the LDAP service fails to handle a specially crafted query.

More information on the vulnerabilities being addressed this month is available at Symantec's free SecurityFocus portal and to our customers through the DeepSight Threat Management System.

Android Ransomware Predictions Hold True

Contributor: Lionel Payet

Back in June we discovered a malicious Android application that was holding users' Android phones for ransom. This discovery confirmed earlier predictions that ransomware would evolve and arise on new platforms, such as mobile devices.

As part of our pre-emptive SMS spam domain identification, we have detected a recently registered domain that is currently serving a new Android FakeAV app using ransomware social engineering. Different hints led us to believe that this application is linked to, or coming from, the same authors behind Android.Fakedefender, which we blogged about back in June. Despite using a new design and a different ransom payment method, this new variant still contains the older images in its package file. Both versions mainly target Russian users.

Although we have not confirmed the infection vector of this variant, we suspect that spam containing a link to the malicious domain is used.

Domain picture 2.JPG

Figure 1. Recently-registered domain serves malicious Android app

The author behind this malicious application helps users enable the installation of Android apps from unknown or third-party sources.

Symantec detects this malicious app as Android.Fakedefender.B. It has been impersonating the official application of an adult video website, and a user who falls prey to the social engineering and installs the app will end up locked out of their Android device.

Once installed, a warning message prompts users to run an antivirus scan before entering the full application.

The previous version of this malware impersonated the Android Defender app. In this version, the malware impersonates the Avast antivirus brand. As soon as the antivirus scan finishes, it tricks the user into believing their device is infected by different threats and viruses and informs them their device is locked for protection.

In this variant, the ransom payment method the authors use is MoneyPak ($100 USD to unlock the device), compared to the previous version, where the malware authors asked for the user's credit card number in exchange for unlocking their phones. Web money is a popular payment method used by FakeAV and ransomware threats on the Windows platform and has been for many years. Paying through one of these Web payment companies would perhaps appear more legitimate and secure to affected users than directly handing over their credit card details.

AndroidRansom_new.gif

Figure 2. Fake AV app

Since FakeAV and ransomware on Windows systems have been successful for many years, continuing to evolve with new techniques and designs, we have been expecting Android mobile malware to evolve in the same way and come up with new tricks to entice users into paying ransoms.

At this time, Android.FakeDefender.B does not incorporate any exploits in an attempt to stop victims from removing the infection. We have previously seen other Android malware, such as Android.Obad, use exploits to surreptitiously extend device administrator privileges, making removal of the malware difficult. The authors of Android.FakeDefender.B rely on social engineering and simple tricks, such as continuous pop-ups, in attempts to extort money from their victims. Anyone infected with Android.FakeDefender.B can manually uninstall the software through Application Manager on their Android device.

To avoid being initially infected, Symantec recommends all users install a mobile security app, such as Norton Mobile Security or Symantec Mobile Security. Malicious apps can also be avoided by only downloading and installing apps from trusted app markets. For general smartphone and tablet safety tips, please visit our Mobile Security website.


Join us for our first-ever CR Report stakeholders' call!

We're very excited to be hosting, for the first time, a live stakeholders' call detailing the highlights from our 2013 Corporate Responsibility Report. The report is being released on Thursday, September 12, and details our progress against our corporate responsibility goals in the following areas:

  • Our People: talent management, employee satisfaction, diversity and inclusion
  • Your Information: cybersecurity, privacy, online safety
  • The World: climate change, responsible sourcing and human rights, community investment

Please join us next Wednesday, September 18th!

When: Wednesday, September 18th at 1pm Pacific time (45 minutes in duration)
Access: Please dial in 10 minutes prior to 1pm using the participant passcode 364249

US iPhone 1-click: 1-913-905-3182,,364249#
Int'l Toll and US Cell Phone: 913-905-3182
US/CAN Toll free: 888-202-2422
Int'l toll free - Argentina: 0800 444 6440
Int'l toll free - Australia: 1 800 612 415
Int'l toll free - Austria: 0800 295 780
Int'l toll free - Bahamas: 1 800 389 0491
Int'l toll free - Belgium: 0 800 75 636
Int'l toll free - Brazil: 0800 891 0266
Int'l toll free - Bulgaria: 00 800 115 1141
Int'l toll free - Chile: 123 0020 6707
Int'l toll free - China, Northern Region: 10 800 714 1509
Int'l toll free - China, Southern Region: 10 800 140 1376
Int'l toll free - Colombia: 01 800 518 1171
Int'l toll free - Czech Republic: 800 700 715
Int'l toll free - Denmark: 80 883 277
Int'l toll free - Dominican Republic: 1 888 752 0002
Int'l toll free - France: 0 800 914 176
Int'l toll free - Germany: 0 800 183 0299
Int'l toll free - Greece: 00 800 161 2205 6440
Int'l toll free - Hong Kong: 800 968 066
Int'l toll free - Hungary: 06 800 112 82
Int'l toll free - India: 000 800 1007 613
Int'l toll free - Indonesia: 001 803 017 6440
Int'l toll free - Ireland: 1 800 947 415
Int'l toll free - Israel: 1 80 925 6440
Int'l toll free - Italy: 800 789 377
Int'l toll free - Japan: 00348 0040 1009
Int'l toll free - Latvia: 8000 3523
Int'l toll free - Lithuania: 8 800 3 09 64
Int'l toll free - Luxembourg: 800 2 3214
Int'l toll free - Malaysia: 1 800 814 723
Int'l toll free - Mexico: 001 800 439 4655
Int'l toll free - Monaco: 800 39 593
Int'l toll free - Netherlands: 0 800 022 1465
Int'l toll free - New Zealand: 0 800 451 520
Int'l toll free - Norway: 800 138 41
Int'l toll free - Panama: 00 800 226 6440
Int'l toll free - Peru: 0800 54 129
Int'l toll free - Philippines: 1 800 111 010 55
Int'l toll free - Poland: 00 800 112 41 42
Int'l toll free - Portugal: 800 827 538
Int'l toll free - Russian Federation: 810 800 2915 1012
Int'l toll free - Singapore, Singapore: 800 101 2320
Int'l toll free - Slovenia: 0 800 80439
Int'l toll free - South Africa: 0 800 982 304
Int'l toll free - South Korea, Korea, Republic Of: 003 0813 2344
Int'l toll free - Spain: 900 937 665
Int'l toll free - Sweden: 02 079 3266
Int'l toll free - Switzerland: 0 800 894 821
Int'l toll free - Taiwan: 00 801 127 186
Int'l toll free - Thailand: 001 800 156 205 2068
Int'l toll free - Trinidad and Tobago: 1 800 205 6440
Int'l toll free - United Kingdom: 0 808 101 7156
Int'l toll free - Uruguay: 0004 019 0348
Int'l toll free - Venezuela: 0 800 100 8540

Lora Phillips is Symantec's Senior Manager, Global Corporate Responsibility.

Enterprise Vault 9.0.5

Released just a week or so ago is the new and shiny Enterprise Vault 9.0.5. If you can't upgrade to Enterprise Vault 10 yet, then it might be worth a look, if you have time to perform the upgrade, that is.

As with all these sorts of things, it is worth checking the Late Breaking News. That's available at this link:

http://www.symantec.com/docs/TECH210065

And the Release Notes are also another good place to start. They are available here:

http://www.symantec.com/docs/TECH204715

And of course the full set of documentation is available too:

http://www.symantec.com/docs/DOC6418

Deadline to Upgrade to 2048-bit SSL Certificates? Sooner Than You Might Think

If you have any SSL certificates with keys shorter than 2048 bits, now is the time to upgrade. Why? Because the Certification Authority/Browser (CA/B) Forum and the National Institute of Standards and Technology have determined that any key length below 2048 bits is no longer strong enough. As computing power increases, certificates with keys shorter than 2048 bits are at risk of being compromised by attackers with readily available processing capabilities. The cybersecurity industry is moving to adopt SSL certificates with at least 2048-bit keys to help preserve internet security.

As a result, these bodies have mandated that all CAs stop issuing 1024-bit certificates and revoke any certificates with key lengths below 2048 bits after Dec. 31, 2013. While that deadline is still months away, Symantec will revoke some certificates with keys below 2048 bits as early as Oct. 1, 2013 to help its customers avoid potential disruptions to their sites during holiday internal site lockdown periods.

Does this impact you and your SSL certificates? It could, in any of the following ways:

  • Customers with SSL certificates below 2048-bit that expire before Dec. 31, 2013 must renew those certificates with 2048-bit certificate signing requests (CSRs). Certificates that expire before the end of the year will not be automatically revoked on Oct. 1.
  • Customers with certificates below 2048-bit that expire after Dec. 31, 2013 must revoke and replace those certificates with 2048-bit CSRs, or the certificate will be automatically revoked as soon as Oct. 1.
  • Customers with SSL certificates containing 2048-bit keys (or higher) will not be impacted.

To test your certificate to see if you need to upgrade, check your certificate’s encryption strength.
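As an added example of the check described above (not Symantec's tooling), this POSIX shell script reads a certificate's RSA key length and expiry year with the openssl CLI and maps them to the three cases listed above. It assumes the openssl CLI is on PATH; the self-signed certificates produced by make_test_cert are constructed test data.

```shell
#!/bin/sh
# Added example, not Symantec's tooling: classify a PEM certificate against
# the 2048-bit cutover described above. Assumes the openssl CLI is on PATH.
# The certificates created by make_test_cert are constructed test data.

# Print the RSA public key length in bits of the PEM certificate in $1.
# Prints nothing if the file cannot be parsed or the key is not RSA (the
# 2048-bit rule above applies to RSA keys).
cert_key_bits() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | awk '
        /Public Key Algorithm: rsaEncryption/ { rsa = 1 }
        rsa && /Public-Key: \([0-9]+ bit\)/ { gsub(/[^0-9]/, ""); print; exit }'
}

# Print the four-digit year of the certificate's notAfter field, which
# openssl shows as e.g. "notAfter=Dec 31 23:59:59 2013 GMT".
cert_expiry_year() {
    openssl x509 -in "$1" -noout -enddate 2>/dev/null \
        | awk -F= '/^notAfter=/ { split($2, f, " "); print f[4] }'
}

# Map key length and expiry year to the three cases listed above:
#   OK      key is 2048 bits or longer; nothing to do
#   RENEW   key is shorter and the certificate expires by Dec. 31, 2013;
#           renew it with a 2048-bit CSR (not revoked on Oct. 1)
#   REPLACE key is shorter and the certificate expires after Dec. 31, 2013;
#           revoke and replace it with a 2048-bit CSR before Oct. 1
classify() {
    bits=$1
    year=$2
    if [ "$bits" -ge 2048 ]; then
        echo OK
    elif [ "$year" -le 2013 ]; then
        echo RENEW
    else
        echo REPLACE
    fi
}

# Classify the certificate file in $1, or print UNKNOWN (and fail) when the
# key length or expiry cannot be read.
classify_cert() {
    bits=$(cert_key_bits "$1")
    year=$(cert_expiry_year "$1")
    if [ -z "$bits" ] || [ -z "$year" ]; then
        echo UNKNOWN
        return 1
    fi
    classify "$bits" "$year"
}

# Create a self-signed certificate (constructed test data) in $1 with an RSA
# key of $2 bits, valid for $3 days. The private key is written to "$1.key".
make_test_cert() {
    openssl req -x509 -newkey "rsa:$2" -nodes -keyout "$1.key" -out "$1" \
        -days "$3" -subj "/CN=constructed.example" >/dev/null 2>&1
}

# Usage: sh this_script.sh cert1.pem cert2.pem ...
for cert in "$@"; do
    printf '%s: %s\n' "$cert" "$(classify_cert "$cert")"
done
```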

If you do not act before your certificate is revoked, it could lead to any number of less-than-ideal situations: browsers blocking visitors from your website, customers receiving security warnings before visiting, transactions left unprotected and susceptible to fraud, and Trust Seals disappearing from your website. All of these deter site visitors from completing transactions and trusting your site. Potential non-financial ramifications also include damage to your brand, customer attrition and decreased lifetime value because customers feel they did not receive sufficient notification, all of which could lead to loss of business to a competitor.

Learn how to replace your certificate by reading our earlier post: What you need to know to migrate from 1024-bit to 2048-bit encryption.

Threats to data security are not only growing but evolving. It is therefore imperative that we evolve and upgrade our security features as well, to stay ahead of these threats, meet new mandates and maintain the security and trust that people expect. As the trusted and established leader among CAs, Symantec emphatically believes that advancing and adhering to CA/B Forum and other security best practices is in the best interest of our customers, our customers' customers, and trust on the internet.

Additional Resources

FAQ: Ending support for 1024-bit certificates

Support: Get technical support for 1024-bit transition

What is EVMSP32.DLL?

There are a few different binaries that make up the Enterprise Vault Outlook Add-in. Some you might have heard of, and some you might not. The most 'famous' of all is Valkyrie.dll. A new kid on the block is EVMSP32.dll, but what is it?

Here is a screenshot of EVMSP32.DLL on one of my Windows 8 test systems.

2013-09-12_08h52_49.png

If you use Outlook and launch Process Explorer, you will most likely see that EVMSP32.dll has been loaded by Outlook. The file is part of the glue that forms the Virtual Vault function within the Outlook Add-in.

Android Ransomware Appears Just as Predicted

Contributor: Lionel Payet

In June of this year, Symantec discovered a malicious Android app that takes over users' Android devices and demands a ransom. This discovery confirmed an earlier prediction that ransomware would also appear on new platforms such as mobile devices.

As part of our pre-emptive identification of SMS spam domains, Symantec detected a newly registered domain. This domain is serving a new Android version of fake antivirus software that uses ransomware-style social engineering. Other clues lead us to believe that this app is linked to, or originates from, the same authors behind Android.Fakedefender, which we covered on this blog back in June. Although the design is new and the ransom payment method has changed, the package file of this new variant still contains the old images. Both the old and the new version mainly target Russian-speaking users.

The infection vector of this variant has not yet been confirmed, but Symantec believes that spam containing a link to the malicious domain is being used.

Domain picture 2.JPG

Figure 1. A newly registered domain serves a malicious Android app

The author behind this malicious app tries to get users to install Android apps from unknown third-party sources.

Symantec detects this malicious app as Android.Fakedefender.B. Android.Fakedefender.B impersonates the official application of an adult video site, and a user who falls for the social engineering and installs the app ends up locked out of their Android device.

Once installed, a warning message is displayed prompting the user to run a virus scan before using the app's full functionality.

The previous version of this malware impersonated the Android Defender app, but this version impersonates Avast, a well-known antivirus brand. When the virus scan completes, it leads the user to believe that the device is infected with various threats and viruses and notifies them that the device has been locked for their protection.

In this variant, the ransom payment method used by the authors is MoneyPak, and unlocking the device costs 100 US dollars. In the previous version, the user's credit card number was demanded in exchange for unlocking. Web money is a favored payment method of fake antivirus software and ransomware on the Windows platform and has been used for many years. From the affected user's point of view, paying through one of these Web payment companies apparently seems more legitimate and secure than handing over credit card details directly.

AndroidRansom_new.gif

Figure 2. Fake antivirus app

Fake antivirus software and ransomware on Windows systems have been successful for many years and continue to evolve with new techniques and designs. Symantec has predicted that Android mobile malware would follow the same evolutionary path and acquire new tricks to deceive users into paying ransoms.

At this time, Android.FakeDefender.B does not incorporate any exploit intended to prevent victims from removing the infection. Other Android malware, such as Android.Obad, has previously been seen secretly using device administrator privileges to make removal of the malware difficult. The authors of Android.FakeDefender.B rely on social engineering and simple tricks, such as continuous pop-ups, to try to extort money from victims. Even if a device is infected with Android.FakeDefender.B, the malware can be uninstalled using the application management feature of the Android device.

To prevent infection in the first place, we recommend installing a security app such as Norton Mobile Security or Symantec Mobile Security. Malicious apps can be avoided by installing only apps downloaded from trusted app markets. For general tips on smartphone and tablet safety, please visit the Mobile Security website (in English).

* To subscribe to the RSS feed of the Japanese-language Security Response blog, visit http://www.symantec.com/connect/ja/item-feeds/blog/2261/feed/all/ja.
