We strongly advise anyone using Remote Desktop Services to apply Microsoft Patch KB2621440 at the earliest opportunity. This patch fixes two privately reported vulnerabilities within the Remote Desktop Services frequently used by administrators to control servers and end-users using Remote Desktops.

It affects ALL versions of Windows.

The more serious of the two vulnerabilities could allow an unauthenticated hacker to run code on a vulnerable machine, which potentially could result in a very serious security breach.

We believe that this vulnerability will be exploited in the very nearing future.

McAfee have posted help on how to resolve issues on computers that have been affected by the DAT5958 problem that has caused problems world-wide on 21st April 2010.

The McAfee KnowledgeBase article is at:-

https://kc.mcafee.com/corporate/index?page=content&id=KB68780

DAT5959 is now available from McAfee.

More information about the issues are on this blog.

Readers may also be interested in our Managing Consultant's take on this incident, which will be syndicated to IT Director tomorrow.

As an update to our earlier posts:-

McAfee DAT 5959
Major Issues with McAfee AntiVirus DAT5958
McAfee VirusScan Enterprise with DAT 5958 on Windows XP SP3 Machines

McAfee have now released DAT5959 to their web site at http://www.mcafee.com/apps/downloads/security_updates/dat.asp.

We advise caution in apply this update, suggesting that it  should be trialled first on test machines before generally being rolled out.

We understand that McAfee has released DAT5959, which is identical to DAT 5958 that is causing machines world-wide to crash, except is does not contain the "problem".

We believe this DAT was released at 10:15 PDT (GMT-7), although is does not appear to have been posted to the McAfee/NAI web sites as at the time of this post. We presume that this is initially being rolled out to the McAfee update network.

Further to our earlier advisory this afternoon, we now understand that McAfee have suspended DAT 5958 from their update network.

In a circular email, McAfee have stated:-

The 5958 DAT has been removed from McAfee download servers, preventing any further impact to corporate customers. McAfee teams are working with the highest priority to support impacted customers and plan to provide an update virus definition file shortly.

McAfee have provided more details on their web site and on the McAfee Community Web Site. These sites are currently running slowly because of the huge demands being placed on them at present.

Anecdotal reports being picked up by us show huge number of sites being affected world-wide, some with thousands of machines being affected.

Our current understanding is that this only affects Windows XP SP3 machines.

We are receiving reports that McAfee's AntiVirus DAT5958 is causing Windows XP SP3 machines to fail.

Early indications are that this latest update detects svchost.exe as Win32/wecorl.a causing affected machines to crash.

We are aware of whole sites being taken down. Our advice is not to update to DAT5958 and to switch off the autoupdate feature in McAfee VirusScan Enterprise.

Microsoft released MS10-002 at 18:00 GMT today, which patches the exploit that saw Google hacked. Code that exploits the flaw that this patch fixes is already in circulation, so it is important that this patch is applied quickly.

Microsoft are also suggesting that users should upgrade to Internet Explorer 8, which they consider to be significantly more secure.

We would also advise Vista machine owners to apply all the latest patches for their operating system in light of the recent virus problems at the University of Exeter, which Alastair Revell blogged about recently.

Microsoft released today its largest batch of patches ever, addressing some 34 vulnerabilities.

The batch comprises of some thirteen bulletins, eight of which are deemed critical by Microsoft - the most serious category in its classification scheme.

Worryingly, the FTP vulnerability in Microsoft Internet Information Server (IIS) is already allegedly being exploited.

We have recently seen a slight twist in the usual phishing emails that are designed to lure the unwary to web sites with malicious content. These emails, usually informing the recipient that they need to confirm their bank details or other credentials, have become common place and most users are probably sufficiently aware not to be tricked.

However, we have seen a number of emails recently that inform the user that they have a message in their secure inbox on their bank's web site and that they need to urgently log in to read it. Needless to say, the actual link in the email goes nowhere near a reputable bank!

The twist is that several banks and social networking sites do actually use the concept of a secure inbox on their web site to ensure confidential communication with their customers (remember email is far from confidential) and frequently send a normal email to alert the user that they have items needing their attention.

Such emails would be easy to spot if the recipient didn't use the bank that is purported to have sent the email. However, we think some of the emails are sufficiently similar to the branding of existing banks to potentially trick the unsuspecting, who may be customers of the impersonated bank.

We expect this scam to also target social networking sites, such as Facebook, in the near future.

These new phishing emails are, then, very plausible if you use banks or social networking sites that have this facility and use the same branding...

Our advice is NOT to click on links in suspicious or unexpected emails.

You can easily assess the danger of many links by simply hovering the mouse over them. Most newer email programs, such as Microsoft Outlook, will show a popup tooltip displaying the real target for the link. You must examine the link details very carefully to ascertain whether they are safe.

A screen-shot showing a typical tooltip that is displayed when a link is hovered over in Microsoft Outlook. Note that although the link purports to take the reader to their secure inbox, the link actually targets a Russian web site (ie: a .ru domain).

The trend is to embed the name of a well-known bank into the links to trick even the wary. A typical link might look like www.my-well-known-bank.very-malicious-site.cn, etc.

If in doubt, don't!