Mac attack

Posted by Maxim Weinstein Fri, 15 Aug 2008 14:06:30 GMT

Sandi over at the Spyware Sucks blog pointed to this thread on Apple’s Mac forums, in which Mac users report a web-based attack that hijacks the clipboard:

This has happened to me twice now, on two separate computers at work. My clipboard has been hijacked with this:

[potentially dangerous URL removed]

And once it’s in the clipboard, I can’t copy anything else over it until I’ve restarted the machine.

Several other users reported similar attacks, regardless of whether they were using Safari or Firefox as their browser.

[Update 8/19: There are also reports of this issue from users of Ubuntu, a popular distribution of Linux.]

This is a good reminder that users of operating systems other than Windows are not immune to malware or social engineering.


Serious Internet Explorer vulnerability

Posted by Maxim Weinstein Tue, 12 Aug 2008 19:25:50 GMT

Symantec describes a vulnerability in Internet Explorer that allows a website with malicious content to install a Microsoft-signed ActiveX control and then exploit a known vulnerability in that control:

Because the control is Microsoft signed, its installation is silent, and does not require any user interaction. Once this vulnerable control is installed on the victim’s computer, it is exploited in the same way as if the control was installed all along. To top it off, this attack is carried out as a drive-by attack, so the unprotected user may never know that they were vulnerable, or had been targeted, let alone infected.

No fix appears to be available yet. Because the installation is silent, the user never gets a prompt at which to refuse the control, so until Microsoft addresses the issue, up-to-date security software is the main line of defense if you’re using Internet Explorer.


Apple keeps mum

Posted by Maxim Weinstein Mon, 11 Aug 2008 13:51:28 GMT

The other day, Rob Pegoraro at the Washington Post wrote a column about Apple’s tendency to keep its mouth shut rather than communicating with customers:

The Cupertino, Calif., corporation provides some of the best tech support in the business—no other major computer vendor makes it easier to sit down with a live employee and get help. But if you’re not at the Genius Bar at one of its stores, Apple can be one of the least communicative companies around.

And when Apple’s MobileMe online service melted down after its launch last month, subscribers might as well have been yelling at their monitors.

Here at StopBadware.org, we’ve found Apple to be equally uncommunicative. A couple months ago, when we notified them that we were preparing a badware alert about Apple Software Update, they quietly changed the product at the 11th hour but never contacted us about it. More recently, we’ve tried to contact several senior executives there to initiate an informal, low-pressure conversation about their disclosure practices, but our invitation has gone unanswered.

No one is questioning Apple’s ability to design a neat product or generate enthusiasm about a product launch. Failing to engage with the security and user communities, however, is a different thing entirely, and one in which Apple is coming up short. It’s time for the folks in Cupertino to change their (i)tune and start loosening their lips.


Same dogs, new tricks

Posted by Maxim Weinstein Tue, 05 Aug 2008 13:31:51 GMT

Two new tricks have been reported that try to get users to download malicious software. The first is to send links via Twitter. Dmitry at Kaspersky Labs explains:

This profile has obviously been created especially for infecting users, as there is no other data except the photo, which contains the link to the video.

If you click on the link, you get a window that shows the progress of an automatic download of a so-called new version of Adobe Flash which is supposedly required to watch the video. You end up with a file labeled Adobe Flash (it’s a fake) on your machine; a technique that is currently very popular.

In reality, this is a Trojan downloader that proceeds to download 10 banker Trojans onto the infected machine, all of which are disguised as MP3 files.

As alluded to above, the second recently popular method is to encourage people to download a fake version or update of Adobe Flash Player. As noted in an Adobe alert:

We have seen coverage from the security community of a worm on popular social networking sites that is using social engineering lures to get users to install a piece of malware. According to the reports, the worm posts comments on these sites that include links to a fake site. If the link is followed, users are told they need to update their Flash Player. The installer, posted on a malicious site, of course installs malware instead of Flash Player.

Adobe continues with the following useful advice:

We’d like to take this opportunity to reiterate the importance of validating installers and updates before installing them. First off, do not download Flash Player from a site other than adobe.com – you can find the link for downloading Flash Player here. This goes for any piece of software (Reader, Windows Media Player, Quicktime, etc.) – if you get a notice to update, it’s not a bad idea to go directly to the site of the software vendor and download the update directly from the source. If the download is from an unfamiliar URL or an IP address, you should be suspicious.

Second, all Adobe software for Windows is signed with a digital certificate that is validated by Windows when you install our software. The Publisher will always be ‘Adobe Systems, Incorporated’, and you can verify this when you double-click the installer, or by right-clicking on the installer, selecting ‘Properties’, and going to the ‘Digital Signatures’ tab.

For Flash Player in particular, you can always go to this page to verify what version of Flash Player you have installed, and what the current version of Flash Player is for your Operating System. The current Flash Player version is 9.0.124.0.
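The two checks Adobe describes above (is the download coming from adobe.com rather than an unfamiliar host or an IP address, and is the installer signed by ‘Adobe Systems, Incorporated’) can be scripted instead of done by hand in the Properties dialog. The following PowerShell is an added example, not code from the original post or from Adobe; the publisher name and trusted domain come from the quoted text, while the download URL and installer path at the bottom are hypothetical placeholders.

```powershell
# Added example, not code from the original post or from Adobe. It scripts
# the two manual checks in the quoted advice: is the download host really
# adobe.com (and not a bare IP address), and is the installer Authenticode-
# signed by the expected publisher. The publisher name and trusted domain are
# taken from the quoted text; the URL and file path at the bottom are
# hypothetical placeholders.

function Test-TrustedDownloadUrl {
    param(
        [Parameter(Mandatory)] [string] $Url,
        [string] $TrustedDomain = 'adobe.com'
    )
    $uri = $null
    if (-not [System.Uri]::TryCreate($Url, [System.UriKind]::Absolute, [ref] $uri)) {
        return $false                       # not a well-formed absolute URL
    }
    # Anything other than a DNS name (an IPv4/IPv6 literal, for example) is the
    # "download from an IP address" case the advice tells you to be wary of.
    if ($uri.HostNameType -ne [System.UriHostNameType]::Dns) {
        return $false
    }
    $hostName = $uri.Host.ToLowerInvariant()
    # Exact domain or a real subdomain of it. Look-alikes such as
    # "adobe.com.example.net" or "notadobe.com" fail both tests.
    return ($hostName -eq $TrustedDomain) -or $hostName.EndsWith(".$TrustedDomain")
}

function Test-InstallerPublisher {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Publisher = 'Adobe Systems, Incorporated'
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "$Path does not exist"
        return $false
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Status 'Valid' means the file hash matches the signature AND the signer's
    # certificate chains to a root Windows trusts. A file signed with a
    # self-made certificate whose name merely says "Adobe" comes back as
    # NotTrusted; an unsigned fake comes back as NotSigned.
    if ($sig.Status -ne [System.Management.Automation.SignatureStatus]::Valid) {
        Write-Warning "$Path : signature status $($sig.Status) ($($sig.StatusMessage))"
        return $false
    }
    # SimpleName yields the certificate's CN, which is what the Properties
    # dialog's Digital Signatures tab shows as the name of the signer.
    $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
    $signer = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    if ($signer -ne $Publisher) {
        Write-Warning "$Path : signed by '$signer', expected '$Publisher'"
        return $false
    }
    return $true
}

# Hypothetical inputs: replace with the page you downloaded from and the file
# you saved.
$downloadUrl = 'http://get.adobe.com/flashplayer/'
$installer   = Join-Path $env:TEMP 'install_flash_player.exe'

$urlOk  = Test-TrustedDownloadUrl -Url $downloadUrl
$fileOk = Test-InstallerPublisher -Path $installer
if ($urlOk -and $fileOk) {
    Write-Host "OK: $installer came from $downloadUrl and is signed by the expected publisher"
} else {
    Write-Host "Do NOT run $installer (url ok: $urlOk, signature ok: $fileOk)"
}
```

Two caveats a practitioner would keep in mind: requiring `Status -eq Valid` is what defeats a fake installer signed with a self-made certificate that merely names Adobe, since such a signature fails to chain to a trusted root; and a valid signature only establishes who signed the file, not that the file is harmless, so the source-of-download check still matters.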

Hat tip to Ryan Naraine of the ZDNet Zero Day blog.


IBM and Websense Release Reports on Internet Safety Status

Posted by Laureli Mallek Tue, 29 Jul 2008 20:12:55 GMT

Websense and IBM released security reports this week covering topics from spam to research on the impact of publicizing software vulnerabilities.

In his Security Fix blog post, Brian Krebs continues his coverage of badware distribution, prompted by the release of the Websense report, which draws on data from the 40 million websites Websense scans hourly. According to the report, three quarters of all websites hosting badware (malicious downloads) are legitimate sites that have been compromised, and 60 of the Top 100 most visited websites have at some point during the last year “either hosted malware or forwarded visitors to malicious sites.”

Krebs writes that spam is still a major conduit for disseminating links to compromised websites:

According to Websense, nearly 30 percent of those links lead to sites that try to plant software which steals passwords and other sensitive data from victims. The remainder of the spam links attempt to install software that lets attackers control the systems from afar, and/or install additional software without the owner’s knowledge.

Badware authors target legitimate sites because users already trust them: a visitor is less wary of a familiar site, and any security control that relies on that trust works in the attacker’s favor. Users who are familiar with programs such as NoScript, which blocks JavaScript, Java and Flash from executing without the user’s express permission, will know that it is possible to allow scripts for specific trusted websites; once such a site is hacked, that standing permission extends to whatever the attacker has injected into it.

Network World’s Ellen Messmer discusses results from both of the reports. The IBM report tracked statistics relating to 3,534 disclosed software bugs. Messmer writes that “[a]ccording to IBM, 95% of all browser-related online exploits occurred within 24 hours of official vulnerability disclosure.”

On a more positive note, the IBM report finds that the incidence of image spam has declined, forcing spammers, for now, back to earlier methods. Yet spam and badware are driven by innovative badware writers who work hard to stay ahead of security researchers. These reports highlight how important it is for computer users to stay aware and exercise caution. Krebs offers two excellent pointers for keeping your computer clean:

  1. Disable automatic downloads.
  2. Browse the internet from a limited user account that cannot install software or change passwords or system settings. This tip applies on any operating system and protects users from absent-minded clicks that would otherwise lead to infection.

