Patch Tuesday Heads-Up: 13 Bulletins, 8 Critical

Microsoft is planning a bumper Patch Tuesday next week — 13 bulletins covering 34 security vulnerabilities in a wide range of products. Eight of the 13 bulletins will be rated “critical,” Microsoft’s highest severity rating.

According to Microsoft’s advance notice, the patches coming on October 13 include fixes for two serious issues that are well-known and already documented — a code execution bug in SMB v2 and a gaping hole in FTP in IIS.

Operation Phish Phry Nets 100 Cyber Criminals

The largest number of defendants ever charged in a cyber-crime case have been indicted in a multinational investigation conducted in the United States and Egypt that uncovered a sophisticated “phishing” operation that fraudulently collected personal information from thousands of victims that was used to defraud American banks.
Authorities in several United States cities arrested 33 of 53 defendants named in an indictment returned last week by a federal grand jury in Los Angeles. Several defendants charged in the indictment are being sought this morning by law enforcement. Additionally, authorities in Egypt have charged 47 defendants linked to the phishing scheme.  Read the full FBI statement [fbi.gov]

Citing Cybercrime, FBI Director Doesn’t Bank Online

The head of the U.S. Federal Bureau of Investigation has stopped banking online after nearly falling for a phishing attempt. FBI Director Robert Mueller said he recently came “just a few clicks away from falling into a classic Internet phishing scam” after receiving an e-mail that appeared to be from his bank.
“It looked pretty legitimate,” Mueller said Wednesday in a speech at San Francisco’s Commonwealth Club. “They had mimicked the e-mails that the bank would ordinarily send out to its customers; they’d mimicked them very well.”  Read the full story [IDG News Service/Robert McMillan]


PayPal suspended the account of a white-hat hacker on Tuesday, a day after someone used his research into website authentication to publish a counterfeit certificate for the online payment processor.

“Under the Acceptable Use Policy, PayPal may not be used to send or receive payments for items that show the personal information of third parties in violation of applicable law,” company representatives wrote in an email sent to the hacker, Moxie Marlinspike. “Please understand that this is a security measure meant to help protect you and your account. We apologize for any inconvenience.”  Read the full story [Dan Goodin/The Register]

iPhone lovers and other smartphone users should take heed: A security researcher showed ways to spy on a BlackBerry user during a presentation Wednesday, including listening to phone conversations, stealing contact lists, reading text messages, taking and viewing photos and figuring out the handset’s location via GPS. Read the full story [IDG News Service/Dan Nystedt]

Among a slew of online cybercrime forums, Pay-Per-Install.org stands out as a malware flea market where shadowy pushers of Trojan downloaders and tools for evading detection are bargaining with thousands of would-be “affiliates” willing to compromise victims’ computers globally and get paid for it.
Top dollar goes to anyone who can compromise computers in the United States. Those who do the dirty work are paid $140 for every 1,000 U.S. computers they seed with bits of malware, to ready these victims’ computers for other types of criminal assaults such as stealing financial data, sending spam or pushing fake antivirus software.  Read the full story [Network World/Ellen Messmer]

Visa has announced new global best practices for data field encryption, also known as end-to-end encryption – a much-discussed solution in the wake of the Heartland Payment Systems breach.
Announced by the global credit card company on Monday, these best practices are designed to further the payment industry’s efforts to develop a common, open standard while providing guidance to encryption vendors and early adopters. Data field encryption protects card information from the swipe to the acquirer processor with no need for the merchant to process or transmit card data in the “clear.”  Read the full story [govinfosecurity.com]

Google has pushed out a new version of its Chrome browser to fix a high-severity security hole that could lead to malicious code execution attacks.
The vulnerability could be exploited to run arbitrary code within the Google Chrome sandbox, the company said in an advisory.

TORONTO — The legitimate economy may be in rough shape right now, but the same cannot be said for the underground economy. Malware authors and botmasters are thriving, experts say, with some online criminals charging as much as $3,500 for their attack toolkits.

A researcher who examined 10,000 Hotmail, MSN and Live.com passwords that were recently exposed online has published an analysis of the list and found that “123456” was the most commonly used password, appearing 64 times.  Read the full story [Kim Zetter/Wired Threat Level]  More from Dancho Danchev [zdnet.com]
