The Tekky Thread

[towhom]

Mozilla slaps band-aid on 11 Firefox flaws
ZDNet News & Blogs / Technology News
Posted by Ryan Naraine @ 6:35 am
June 12th, 2009
blogs.zdnet.com/security/?p=3593&tag=nl.e550

Mozilla has joined this week’s patchapalooza with the release of a Firefox update to fix 11 documented security vulnerabilities.

Six of the 11 issues are in advisories rated “critical” because of the risk of code execution attacks that could allow hackers to take complete control of a compromised machine. Here’s a snapshot of the critical issues:

MFSA 2009-32 JavaScript chrome privilege escalation

MFSA 2009-29 Arbitrary code execution using event listeners attached to an element whose owner document is null

MFSA 2009-28 Race condition while accessing the private data of a NPObject JS wrapper class object

MFSA 2009-24 Crashes with evidence of memory corruption

Firefox 3.0.11 is shipped via the browser’s automatic update mechanism.

[fr33ksh0w2012]

BE AWARE THAT YOUR COMPUTER COULD ALSO BE ATTACKED BY GERMAN COCKROACHES LIKE MINE WAS ALWAYS SPRAY NEAR THE BACK OF YOUR P.C. OR YOU COULD BE IN FOR A "EXPLOSIVE" SURPRISE LIKE I HAD!!!!!!!!!!!!!!!!

[towhom]

Jun 16, 2009 8:45:34 GMT 4 @fr33ksh0w2012 said:

BE AWARE THAT YOUR COMPUTER COULD ALSO BE ATTACKED BY GERMAN thingyROACHES LIKE MINE WAS ALWAYS SPRAY NEAR THE BACK OF YOUR P.C. OR YOU COULD BE IN FOR A "EXPLOSIVE" SURPRISE LIKE I HAD!!!!!!!!!!!!!!!!

Hiya fr33ksh0w2012-

Yeah, there's bugs...and then there's bugs...

I make it a point to open and clean (gently vacuum) the interior of my tower every month. It helps keep things running - especially the fans.

Peace and Joy
Always

Sally Anne

[towhom]

I use this program link to remove those pesky forwarding indictors from emails [Note: after having completely scanned the email for "undesirables" prior to opening it.]

See Universal Character Stripper (UCS) link:
www.projectpc.net/universal_character_stripper.htm

It's great for "cleaning up" the message. Just "Copy" the text you want to edit. Open the UCS link and "Paste" it in the "Sick Text" (left) window. "Select" the characters you want removed (from the left margin of the forwarded message text) under the "Chars" list and click on the "Transform" button located on the right hand side below the text boxes. You should see the "Healed Text" in the right box. You can then "Select" and "Copy" the "Healed Text" and "Paste" it into a new message screen for sending it on.

Hope this helps!

Sally Anne
PS - this is for text only. If you want to include images, you will need to save the images to a folder on your hard drive and re-embedded them in your new message.

[papat]

Jun 16, 2009 8:45:34 GMT 4 @fr33ksh0w2012 said:

BE AWARE THAT YOUR COMPUTER COULD ALSO BE ATTACKED BY GERMAN thingyROACHES LIKE MINE WAS ALWAYS SPRAY NEAR THE BACK OF YOUR P.C. OR YOU COULD BE IN FOR A "EXPLOSIVE" SURPRISE LIKE I HAD!!!!!!!!!!!!!!!!

Hi fr33,
good to ya back on line.
You have a pm.

Papa T

[towhom]

Apple finally patches musty old Java for Mac vulnerabilities
ZDNet News & Technology / Technology News
Posted by Ryan Naraine
June 15th, 2009 @ 2:05 pm
blogs.zdnet.com/security/?p=3637&tag=nl.e550

Apple has finally released a Java for Mac update to fix multiple security flaws that were patched upstream more than six months ago.

The fix comes three weeks after developers released proof-of-concept code to demonstrate the severity of the flaw and to nudge embarrass Apple into shipping the patch.

Today’s patch covers the following:

[ SEE: Mac OS X vulnerable to 6-month old Java flaw ]

• Multiple vulnerabilities exist in Java 1.5.0_16, the most serious of which may allow an untrusted Java applet to obtain elevated privileges. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating Java 1.5 to version 1.5.0_19.
  
  
• Multiple vulnerabilities exist in Java 1.4.2_18, the most serious of which may allow an untrusted Java applet to obtain elevated privileges. Visiting a web page containing a maliciously crafted untrusted Java applet may lead to arbitrary code execution with the privileges of the current user. These issues are addressed by updating Java 1.4 to version 1.4.2_21. Further information is available via the Sun Java website.

Because of licensing and other hiccups, Apple will always be late with its Java for Mac updates. Perhaps it’s time for Sun to merge the Mac Runtime for Java with the standard Java codebase and ship Java for Mac themselves.

[towhom]

Apple iPhone OS 3.0 update plugs 46 security holes
ZDNet News & Blogs / Technology News
Posted by Ryan Naraine
June 17th, 2009 @ 11:25 am
blogs.zdnet.com/security/?p=3644&tag=nl.e589

Apple’s latest iPhone OS 3.0 software updates includes patches for multiple vulnerabilities, some with serious security implications.

The update, which is only available for download via iTunes, covers a total of 46 documented vulnerabilities, including several that allows malicious code execution if a user simply visits a rigged Web site or views a manipulated image.
[Note from towhom: Personally, I think that any wormy Apple update that forces downloads via the Apple iTunes site is sneaky, given their history of "hidden add-ons". This is not just an issue with Apple - MicroSnot has their own little "bag-of-sneaky-tricks", too.]

According to an Apple advisory, the most serious vulnerabilities were fixed in CoreGraphics, ImageIO, Mail, Safari and WebKit.

The update also fixes security problems in IPSec, libxml, the MPEG-4 Video Codec, Profiles and Telephony.

I am not an iPhone user. Cell phones are great for portable "in touch" access. They are even great for text messaging (especially for those of us with hearing impairments). However, I have never been a fan of the mobile web and its applications. If I want internet access, I prefer my desktop (heck, I don't even like using my laptop).

I am also a fan of retaining and using my landline phone - complete with a mix of WIRED and cordless phones. Why? If you lose power, you lose the cordless phones, VoIP and cable modem/TV, but not the wired landlines. Unless, of course, the entire telephone trunk cable and/or Central Office servicing your NPA (area code)-NNX (exchange) is/are down. There are ways around that, though. Right, Telcom guys and gals?

Yeah, I'm still "old school" when it comes to "keeping in touch".

Peace and Joy
Always

Sally Anne

[kiek]

Yes and so am I, Sally Anne!
Recently threw out the cordless 'landline' phone and bought and old fashioned cord phone! Works great and you can sit down to talk to someone! ;D
Like you I hate the small screens on the mobile phones...you need glasses and a magnifier.... ;D to read something!
;-))

[fr33ksh0w2012]

Jun 18, 2009 13:07:20 GMT 4 @kiek said:

Yes and so am I, Sally Anne!
Recently threw out the cordless 'landline' phone and bought and old fashioned cord phone! Works great and you can sit down to talk to someone! ;D
Like you I hate the small screens on the mobile phones...you need glasses and a magnifier.... ;D to read something!
;-))

MORE LIKE A GOD D*MN MICROSCOPE

WHAT I'D LIKE TO SEE ARE LANDLINE VIDPHONES ONES WITH BIG COLOR SCREENS AND AN ELECTRONIC DIRECTORY ASSISTANCE WHERE YOU COULD "FLIP" THROUGH THE PAGES AND PRESS A BUTTON ON THE PHONE FOR WHOM YOU'D LIKE TO CALL(like the yellow pages) ;D ;D ;D THAT WOULD BE KEWL!

[towhom]

Jun 18, 2009 14:46:17 GMT 4 @fr33ksh0w2012 said:

Jun 18, 2009 13:07:20 GMT 4 @kiek said:

Yes and so am I, Sally Anne!
Recently threw out the cordless 'landline' phone and bought and old fashioned cord phone! Works great and you can sit down to talk to someone! ;D
Like you I hate the small screens on the mobile phones...you need glasses and a magnifier.... ;D to read something!
;-))

MORE LIKE A GOD D*MN MICROSCOPE

WHAT I'D LIKE TO SEE ARE LANDLINE VIDPHONES ONES WITH BIG COLOR SCREENS AND AN ELECTRONIC DIRECTORY ASSISTANCE WHERE YOU COULD "FLIP" THROUGH THE PAGES AND PRESS A BUTTON ON THE PHONE FOR WHOM YOU'D LIKE TO CALL(like the yellow pages) ;D ;D ;D THAT WOULD BE KEWL!

Hi fr33ksh0w2012 and Kiek!

That would be nice, however the entire White and Yellow pages' directory databases were recently breached by hackers. I do not know (nor was it stated) how deep the breach was. This would impact customer-requested non-pub(lished), non-list(ed) and cell phone telephone numbers (TNs) if the hack was "total".

Just an FYI - you can "list" your telephone number is any name you choose (provided it's not a copyrighted name, like "Elmer Fudd" or "Daffy Duck"). The "bill name" is the one that can't be altered. The default (free) mode is "listed". To have a "non-published" number you must pay a monthly fee. Non-listed numbers are generally open only to business accounts with (multiple) trunk lines. They only list their main number. For business muli-list numbers in multi-directories, they receive one free White and one free Yellow page "plain" listing in their "exchange" directory [Note: "exchange" in Telcom terms refers to the Central Office (CO) that provides the dial tone for the local service. There are COs that handle multiple "cities or towns" - like the "248 area code, 541 exchange" can be found in multiple "adjacent block" cities in Metro Detroit.] All other listings (plain and formatted - like "BOLD type") incur a monthly fee. Some resident customers have multi-line set-ups. If the billing is handled under one billing account number, only the designated main line would be the "free" listing. All other "listings" would incur a monthly fee. If the separate lines are handled by separate bills, each line would receive one free listing and (of course) a monthly charge for non-published handling.

So, to avoid additional monthly charges, you may want to consider another "listed" name.

Hope this helps.

Sally Anne

[towhom]

Fake Microsoft patches themed malware campaigns spreading
ZDNet News & Blogs / Technology News
Posted by Dancho Danchev
June 18th, 2009 @ 7:57 am
blogs.zdnet.com/security/?p=3648&tag=nl.e539

Researchers from Computer Associates (NASDAQ:CA) and Sophos are reporting on three currently active malware campaigns using fake Microsoft patch themes as a social engineering tactic to spread over email.

[Note: See this link for high res image.]

The first one is spreading as an “Important Windows XP/Vista Security Update” and is offering a bogus Conficker removal tool, the second is using an “Outlook re-configuration” — also spammed earlier this month — and the third one is using an out-of-the-band “Update for Microsoft Outlook / Outlook Express (KB910721)” theme, which in reality is nothing else but a trojan.

The fake Conficker removal tool campaign has been active for over a week now, with Symantec pointing that not only are the authors unable to make the difference between Troj/Brisv.A and Conficker, but also, they misspelled Conficker as ConFlicker in between attaching their malware to Symantec’s original removal tool in an attempt to build more legitimatecy into the campaign.

[Note: See this link for high res image.]

A similar fake “Conficker Infection Alert” spam campaign redirecting to scareware took place in April, however, despite the fact that cybercriminals continue sticking to the cyclical pattern of the “Microsoft security update/patch” social engineering theme, compared to previous campaigns where the timing was perfect, in this latest one it thankfully isn’t.

Go through related posts:

• Fake WordPress site distributing backdoored release
  
• Fake CNN news items malware campaign spreading rapidly
  
• Waledac botnet spamming fake SMS spying tool
  
• Fake Windows XP activation trojan goes 2.0
  
• Malware poses as fake Yellowsn0w iPhone unlocker

The second, Outlook re-configuration campaign is serving Outlook_update.exe through several legitimate and logically compromised web sites, next to the purely malicious ones. Interestingly, the third campaign promoting the fake Outlook critical update has directly attached the executable officexp-KB910721-FullFile-ENU.exe to the email, indicating their lack of experience in such campaigns.

With a well known pattern of abusing the momentum advantage for malicious purposes by hijacking emerging news stories or events -

• Swine flu email scams circulating
  
• The Web’s most dangerous keywords to search for
  
• Cybercriminals syndicating Google Trends keywords to serve malware
  
• Cybercriminals hijack Twitter trending topics to serve malware

- it shouldn’t take long before Iran’s massively covered election starts appearing in malicious campaigns.

I know this can be a pain, but whenever the MicroSnot "Updates Available" shield appears in the process bar I ignore it and access "Windows Update" or "Microsoft Update" through my start menu. Let it run through the official Microsoft site. Once the updates are downloaded and installed the shield will disappear.

Personally, I never let "Automatic Updates" download anything. I have it set to "notify me when updates are available for download" and then go through the manual updating process.

On another note - Outlook Express is NOT an email program known for its security features. Even Outlook has issues. Running the email programs in a sandbox for polling does provide another layer of security.

[towhom]

The latest from Adobe MudHut:

Critical Adobe Shockwave flaw affects millions
ZDNet News & Blogs / Technology
Posted by Ryan Naraine
June 24th, 2009 @ 9:41 am
blogs.zdnet.com/security/?p=3664&tag=nl.e550

Adobe’s Shockwave Player contains a critical vulnerability that could be exploited by remote hackers to take complete control of Windows computers, according to a warning from the software maker.

The flaw affects Adobe Shockwave Player 11.5.0.596 and earlier versions. Details from Adobe’s advisory:

This vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected system. Adobe has provided a solution for the reported vulnerability (CVE-2009-1860). This issue was previously resolved in Shockwave Player 11.0.0.465; the Shockwave Player 11.5.0.600 update resolves a backwards compatibility mode variation of the issue with Shockwave Player 10 content. To resolve this issue, Shockwave Player users on Windows should uninstall Shockwave version 11.5.0.596 and earlier on their systems, restart, and install Shockwave version 11.5.0.600, available here: get.adobe.com/shockwave/. This issue is remotely exploitable.

Adobe boasts that 450 million Internet-enabled desktops have installed Adobe Shockwave Player.

[towhom]

Remote code execution exploit for Green Dam in the wild
ZDNet News & Blogs / Technology
Posted by Dancho Danchev
June 24th, 2009 @ 7:52 am
blogs.zdnet.com/security/?p=3658&tag=nl.e550

The recently exposed as vulnerable to trivial remotely exploitable flaws Chinese censorware Green Dam, has silently patched the security flaws (China confirms security flaws in Green Dam, rushes to release a patch) outlined in the original analysis detailing the vulnerabilities.

However, not only is the latest Green Dam v3.17 version still vulnerable to remotely exploitable flaws, but also, for over a week now a working zero day exploit (Exploit.GreenDam!IK; W32/GreenDam.A) has been circulating in the wild.

Here are more details on the remote code execution flaw in the latest version:

“Green Dam intercepts Internet traffic using a library called SurfGd.dll. Even after the security patch, SurfGd.dll uses a fixed-length buffer to process web site requests, and malicious web sites can still overrun this buffer to take control of execution. The program now checks the lengths of the URL and the individual HTTP request headers, but the sum of the lengths is erroneously allowed to be greater than the size of the buffer. An attacker can compromise the new version by using both a very long URL and a very long “Host” HTTP header. The pre-update version 3.17, which we examined in our original report, is also susceptible to this attack.”

Click here for high res image.

According to Green Dam’s official web site, the latest 3.17 version which still remains exploitable, has already been downloaded 426,138 times, combined with raw data on over 7,172,500 downloads of the previously vulnerable version, the current situation could easily turn the “Great Botnet of China” from theory into practice if the exploits ends up embedded within a web malware exploitation kit.

[towhom]

Firefox Aims to Unplug Scripting Attacks
How websites can block code from unknown sources.
Technology Review / arXiv Blog
Monday, June 29, 2009
www.technologyreview.com/computing/22940/

Sites that rely on user-created content can unwittingly be employed to attack their own users via JavaScript and other common forms of Web code. This security issue, known as cross-site scripting (XSS), can, for example, allow an attacker to access a victim's account and steal personal data.

Now the makers of the Firefox Web browser plan to adopt a strategy to help block the attacks. The technology, called Content Security Policy (CSP), will let a website's owner specify what Internet domains are allowed to host the scripts that run on its pages.

"In this case, they are not creating a new technology alternative to HTML, nor protecting the user against an existing problem," says Eduardo Vela, an independent security researcher who will talk about XSS attacks at next month's Black Hat security conference, in Las Vegas. "They are actually removing the features in HTML that allowed these problems in the first place."

XSS attacks have caused numerous headaches, particularly for social networks and Web 2.0 companies, allowing attackers to hijack eBay auctions, for example, and create a worm that caused MySpace users to automatically befriend a user named "Samy." The core problem is that many sites allow untrusted users to add their own content to pages while Web browsers treat all content returned by a website as coming from the same entity. If the website is trusted, the content created by an unknown user is trusted as well. The issue has been counted as one of the 25 most serious coding problems by the SANS Institute, a training organization for system administrators and programmers.

In many cases, Web companies can hunt down and restrict dangerous user-created content. But because many sites are so big, finding and fixing all vulnerabilities is a time-consuming and difficult task. Moreover, many sites, notably social-networking ones, want to allow their users some leeway to create interesting content.

Mozilla's CSP will break with Web browsers' tradition of treating all scripts the same way. Instead, it will require that participating websites put their scripts in separate files and explicitly state which domains are allowed to run the scripts.

The Mozilla Foundation, which makes the Firefox browser, selected the implementation because it allows sites to choose whether to adopt the restrictions. "The severity of the XSS problem in the wild and the cost of implementing CSP as a mitigation are open to interpretation by individual sites," Brandon Sterne, security program manager for Mozilla, wrote on Mozilla Security Blog. "If the cost versus benefit doesn't make sense for some site, they're free to keep doing business as usual."

The new security measure is based on suggestions made by Web-security specialist Robert Hansen back in 2005. The researcher had been studying different types of Web attacks and had identified an interesting idea: allowing websites to change the security level of the user's browser.

Hansen turned the idea on its head and, instead, came up with a model that he called Content Restrictions. "The model shouldn't be, if you trust me, disable all the security; the model should be, trust me to tell you not to trust me," says Hansen, who is now CEO of Web security consultancy SecTheory. "If I know a page is bad, then I should be able to tell you that the page is bad."

An engineer at the Mozilla Foundation, Gervase Markham, championed the idea within the Firefox team and further developed the technology, and noted Web security researcher Jeremiah Grossman publicly called for adoption of the technique. Four years later, Mozilla has committed to implementing the technology.

The new Firefox security feature could help block another form of attack, known as clickjacking, which allows an attacker to trick a user into clicking an unsafe button--for example, initiating a bank transfer when she believes that she is sending an e-mail. However, clickjacking is a problem so pervasive that an opt-in model really doesn't work, says Hansen.

Not everyone agrees that such Content Restrictions is the way to go. Microsoft has created a cross-site scripting filter in Internet Explorer 8 that blocks probable attacks from reaching the victim's browser. The company has also introduced a new feature, called X-FRAME-OPTIONS, in Internet Explorer 8, which can be enlisted by sites to restrict the use of scripts in iframes--a trick employed by attackers to run code invisibly.

Such efforts, and the difficulty of incorporating CSP into the software giant's Web architecture, .NET, makes it likely that Mozilla's CSP won't be adopted by other browser makers, argues Vela, who plans to present his own solution at Black Hat. "I sincerely don't think it's going to be largely adopted," he says, "mostly because it's so complicated."

Mozilla, which declined to comment beyond the blog posting, will likely have the technology ready to incorporate into Firefox in 6 to 12 months, says Hansen. "The next step is to get eBay and MySpace to pick it up and say, 'Hey, this is great,'" the researcher says.

[towhom]

June malware report - something's phishy
ZDNet News & Blogs / Technology
Posted on ZDNet News: Jul 06, 2009 4:56:14 AM
news.zdnet.com/2100-9595_22-318200.html?tag=nl.e550

June marked an increased in malware and the "highest rate of phishing attacks to date" on the Web, Fortinet's latest report on online threats found.

The threat management vendor released on Monday its latest monthly report, which highlighted the current reign of Trojan horses and "disappointing" anti-spam campaigns.

Of the overall 108 newly-reported vulnerabilities in June, 62 were active exploits, indicating an "all-time high" of 57.4 percent, Fortinet said.

Fortinet said the majority of overall activity came from the United States, which contributed 22 percent of all reported exploits.

A significant proportion of the attacks were traced back to Asia--specifically, Singapore, Japan and Korea, which ranked second, third and fourth place, respectively. Some 13.57 percent of all attacks originated in Singapore.

Online games sites hosted the most number of Trojans, followed by Zbot variants W32/Zbot.M and W32/Zbot.V, which climbed to second and third place, respectively. The Zbot malware spreads keylogging and data-siphoning Trojans through e-cards sent via e-mail, directing users to malicious sites.

Another commonly used malware redirecting visitors to infected sites was the JS/PackRedir.A, which moved up 36 positions on the list to fifth position, said Fortinet.

In a separate release Monday, antivirus company Symantec released an alert warning of another Trojan, Infostealer.Bancos, which attempts to steal passwords after by enticing users to click on infected PDF files. Infostealer.Bancos has most recently been seen in PDF files sent via e-mail messages that purport to reveal Elvis Presley's whereabouts, said Symantec.

Efforts in vain According to Fortinet's report, spam levels remain unchanged in spite of efforts to take down spam-spreading network, 3FN/Pricewert.

Derek Manky, Fortinet's project manager of cybersecurity and threat research, said in the report: "There were some very noteworthy trends that surfaced in the June report, such as the growing popularity of Web-borne malware, which we see driving the next generation of threats to online services.

"Hackers continue to attempt to drive mass traffic to their threats, utilizing various tactics aided by large online communities and as a result, [now] more than ever, users should be wary about who and what they trust," he said.

Symantec's alert also noted: "Be wary of what you are doing on the Web, especially when it comes to current news stories. If asks you to download a new codec or open a PDF [file], just say no!"

The H1N1 virus was another hot topic hitting inboxes in recent months, as reported by McAfee and Cisco IronPort.

Phishing can be costly. According to earlier estimates from Gartner, each phishing attack last year cost the U.S. financial services industry an average US$351.