Thursday, July 23, 2009

Firefox Finds Flaws...

July 2009

Mozilla denies that a vulnerability in the new version of Firefox is exploitable. A flaw discovered in the new version of Firefox is not exploitable, Mozilla said on July 19, responding to reports of another weakness in the browser. On July 17 Mozilla had announced the availability of Firefox 3.5.1 to fix a critical security vulnerability found in the browser’s new TraceMonkey JavaScript engine. But reports by security researchers at the Internet Storm Center revealed a vulnerability in Firefox 3.5.1 which might lead to code injection. IBM Internet Security Services and the National Vulnerability Database have reported the vulnerability as critical. The vulnerability originates in the software’s Unicode text handling system, which could let a remote attacker execute arbitrary code through Web sites. If a visitor loads an affected page, the software crashes, producing a denial of service. There is no defense available at the moment other than disabling JavaScript, which is not practical for many Web users.

Thursday, July 16, 2009

Apple iTunes Blocks Palm

July 2009

With the release of iTunes 8.2.1 (via TiPb), gut46 tells us, Palm Pre syncing with iTunes is indeed kaput. At least on this Pre user's Mac, iTunes sync isn't working after the 8.2.1 update.* According to Apple's surprisingly forthcoming release notes:

iTunes 8.2.1 provides a number of important bug fixes and addresses an issue with verification of Apple Devices.

Thanks Dieter Bohn

2.7 Billion U.S. Computers Vulnerable...

July 2009

Reputable Danish vulnerability intelligence provider Secunia has recently released version 1.5 of its free Personal Software Inspector (PSI) application. Statistics gathered by the software reveal frightening numbers, such as 2,720,800,000 vulnerable programs being installed on U.S. computers. Secunia PSI is a free application that scans the programs installed on a computer in order to determine whether they are affected by any security vulnerabilities. In order to make this assessment, PSI queries the company’s database of security advisories, one of the most complete in the world. If an application is found to be vulnerable, PSI checks whether any update or newer version that might fix the issue is available and provides the user with a direct download link to it. The tool also tags programs that have reached their end of life and are no longer supported by their developers as a security risk. According to Secunia, there are an estimated 227 million Internet users in the United States, of whom about 400,000 have scanned their computers with PSI. The company notes that PSI users currently have an average of four unpatched programs installed, while the average U.S. Internet user has 12 such applications on their computer. “The fact that US based PC users have more than 2.7 billion vulnerable programs installed is shocking! And quite frankly I am very surprised; we had an idea it would be bad, but couldn’t imagine the enormous scope of this problem. And to make things even worse, the picture formed in the US is the same all over the world,” the manager of Secunia’s PSI Partner Program noted. Secunia’s statistics seem to be consistent with the malware distribution trends observed in recent times.
Cyber-criminals have come to rely more and more on vulnerabilities in order to infect computers — and not just the ones affecting the Windows operating system itself, but other popular programs as well, such as Adobe Flash Player, Adobe Reader, Mozilla Firefox, Opera, Internet Explorer, PowerPoint, Word, and so on.

Michael Jackson, Fawcett & McMahon Spur Internet Fraud...

July 2009

While most of the country mourns the deaths of two celebrities, fraudsters seek opportunity by tricking heartbroken followers. The United States Computer Emergency Readiness Team (US-CERT) issued an alert on June 26 warning of increased spam campaigns, phishing attacks and malicious code attacks surrounding the stars’ deaths. Some scams may result in identity theft. Fraudsters have taken advantage of other situations to swindle personal information and money, for example following national and worldwide disasters such as Hurricane Katrina and the Asian Tsunami. In addition to phishing and malicious code attacks, there were many charity scams. Charity and fan paraphernalia scams are expected to be associated with the celebrities’ names. Some of these scams will claim to collect donations from unsuspecting consumers for charitable causes supported by the late stars. Some scams may collect credit card and bank account information as payment for charitable donations or for the purchase of celebrity memorabilia. There will be no donations or souvenirs; the financial account information handed over will be used by the fraudsters to commit existing-account fraud, a form of identity theft.

Hacking, Man-In-The-Middle & Extended Validation...

July 2009

Researchers to release tool that silently hijacks EV SSL sessions. If a user thinks they are safe from man-in-the-middle (MITM) attacks as long as they are visiting an Extended Validation SSL (EV SSL) site, then think again: Researchers will release a new tool at Black Hat USA later this month that lets an attacker hack into a user’s session on an EV SSL-secured site. Two researchers, who in March first demonstrated possible MITM attacks on EV SSL at CanSecWest, will release for the first time their proxy tool at the Las Vegas conference, as well as demonstrate variations on the attacks they have discovered. The Python-based tool can launch an attack even with the secure green badge displaying on the screen: “It doesn’t alert the user that anything fishy is going on,” says the principal consultant at Intrepidus and one of the researchers. All it takes is an attacker having a non-EV SSL certificate for a Website, and he or she can hijack any SSL session that connects to it. That is because the Web browser treats the EV SSL certificate with the same level of trust as an SSL domain-level certificate. “There’s no differentiation between the two certs beyond the green badge,” the consultant says. If an attacker has a valid domain-level certificate, he can spoof EV SSL connections and execute an MITM attack, with access and view of all sensitive data in the session, all while the unsuspecting victim still sees that reassuring green badge displayed by his browser.

Who Tagged Who???

July 2009

Tagged site stole identities. New York’s attorney general charged on July 9 that Tagged.com stole the identities of more than 60 million Internet users worldwide, by sending e-mails that raided their private accounts. The attorney general said he plans to sue the social networking Web site for deceptive marketing and invasion of privacy. “This company stole the address books and identities of millions of people,” the attorney general said in a statement. “Consumers had their privacy invaded and were forced into the embarrassing position of having to apologize to all their e-mail contacts for Tagged’s unethical, and illegal, behavior.” Started in 2004 by Harvard math students, Tagged calls itself a “premier social-networking destination.” The California-based company claims to be the third-largest social networking site after Facebook and MySpace, with 80 million registered users. The attorney general said Tagged acquired most of them fraudulently, sending unsuspecting recipients e-mails that urged them to view private photos posted by friends. When recipients tried to access the photos, the attorney general said they would in effect become new members of the site, without ever seeing any photos. Recipients’ e-mail address books would then be lifted, the attorney general said.

HTC Smartphones Vulnerable to Bluetooth Attack...

July 2009

If a user has an HTC smartphone running Windows Mobile 6 or Windows Mobile 6.1, the user may want to think twice before connecting to an untrusted device using Bluetooth. A vulnerability in an HTC driver installed on these phones can allow an attacker to access any file on the phone or upload malicious code using Bluetooth, a Spanish security researcher warned on July 14. “HTC devices running Windows Mobile 6 and Windows Mobile 6.1 are prone to a directory traversal vulnerability in the Bluetooth OBEX FTP Service,” a security researcher said in an e-mail exchange. HTC handsets running Windows Mobile 5 are not affected. For the attack to work, the targeted device must have Bluetooth enabled and file sharing over Bluetooth activated. “This connection can be done either by standard Bluetooth pairing or taking advantage of the Bluetooth MAC spoofing attack,” the researcher said, referring to a process where the attacking device attempts to convince the target that it is another device on its list of paired devices. The directory traversal vulnerability allows an attacker to move from a phone’s Bluetooth shared folder into other folders, giving them access to contact details, e-mails, pictures or other data stored on the phone. They can use this access to read files or upload software, including malicious code. Because the driver, obexfile.dll, is an HTC driver, only handsets from the company are affected. However, HTC is the world’s largest manufacturer of Windows Mobile handsets, selling phones under its own brand as well as making phones under contract for other companies. That means millions of users are potentially vulnerable.
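The directory traversal described above comes down to a file service joining a client-supplied name onto its shared folder without checking where the result lands. The following PowerShell script is an added illustration, not HTC's driver code: it builds two constructed demo folders (a "share" and a "private" folder beside it), resolves a request the vulnerable way and the confined way, and shows that only the confined resolver refuses a name that steps out of the share. Folder names and file contents are made up for the demo.

```powershell
# Constructed demo layout: a shared folder and a private folder next to it.
$ShareRoot = Join-Path ([System.IO.Path]::GetTempPath()) 'BluetoothShareDemo'
$Private   = Join-Path ([System.IO.Path]::GetTempPath()) 'PrivateDemo'
New-Item -ItemType Directory -Force -Path $ShareRoot, $Private | Out-Null
Set-Content -Path (Join-Path $ShareRoot 'photo.txt')   -Value 'shared content'
Set-Content -Path (Join-Path $Private   'contacts.txt') -Value 'private content'

# Vulnerable pattern: trust the client-supplied name and just combine it with the share root.
function Resolve-Unchecked([string]$Name) {
    return [System.IO.Path]::GetFullPath([System.IO.Path]::Combine($ShareRoot, $Name))
}

# Hardened resolver: canonicalise first, then require the result to stay inside the share root.
# Combine() returns a rooted $Name unchanged, so absolute paths are rejected by the same check.
function Resolve-Confined([string]$Name) {
    $root = [System.IO.Path]::GetFullPath($ShareRoot).TrimEnd('\', '/')
    $full = [System.IO.Path]::GetFullPath([System.IO.Path]::Combine($root, $Name))
    $inside = $root + [System.IO.Path]::DirectorySeparatorChar
    if ($full -ne $root -and
        -not $full.StartsWith($inside, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "traversal rejected: $Name"
    }
    return $full
}

# Minimal OBEX-FTP-style GET: resolve the requested name, then return the file if it exists.
function Invoke-ObexGet([string]$Name, [string]$ResolverName) {
    try { $path = & $ResolverName $Name } catch { return "FORBIDDEN ($Name)" }
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        return 'OK: ' + (Get-Content -LiteralPath $path -Raw).Trim()
    }
    return "NOT FOUND ($Name)"
}

$probe = '..\PrivateDemo\contacts.txt'          # a name that walks out of the shared folder
Invoke-ObexGet 'photo.txt' 'Resolve-Unchecked'  # OK: shared content
Invoke-ObexGet $probe      'Resolve-Unchecked'  # OK: private content  (the traversal succeeds)
Invoke-ObexGet 'photo.txt' 'Resolve-Confined'   # OK: shared content
Invoke-ObexGet $probe      'Resolve-Confined'   # FORBIDDEN (..\PrivateDemo\contacts.txt)
```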

Vulnerability in Microsoft Office Web Components...

July 2009

Please be advised that Microsoft issued an advisory today, and the SANS Internet Storm Center (http://isc.sans.org/) is reporting that the vulnerability is being actively exploited on Web sites. Here is the link to the Microsoft advisory: http://www.microsoft.com/technet/security/advisory/973472.mspx

The following software is affected by this advisory:

· Microsoft Office XP Service Pack 3

· Microsoft Office 2003 Service Pack 3

· Microsoft Office XP Web Components Service Pack 3

· Microsoft Office 2003 Web Components Service Pack 3

· Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1

· Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3

· Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3

· Microsoft Internet Security and Acceleration Server 2006

· Internet Security and Acceleration Server 2006 Supportability Update

· Microsoft Internet Security and Acceleration Server 2006 Service Pack 1

· Microsoft Office Small Business Accounting 2006

Microsoft is currently developing a security update to address this vulnerability. Until a fix is available, US-CERT recommends the following to help mitigate the risk:

· Prevent the Microsoft Office Web Components Library from running in Internet Explorer by setting the appropriate kill bit for the control in the registry. More information on setting the kill bit can be found in Security Advisory 973472.

· Microsoft Knowledgebase Article 973472 contains instructions on how to implement this workaround automatically.

· Limit user rights on systems to only those that are necessary.

· Keep all systems up to date with the latest patches and anti-virus signatures to limit the attack surface available to attackers.
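The kill-bit workaround above is applied through the registry; the script below is an added example of doing that from PowerShell and is not taken from the advisory or the Knowledge Base article. The CLSID is a placeholder: the actual Office Web Components CLSIDs must be taken from Security Advisory 973472.

```powershell
# PLACEHOLDER CLSID: replace with each control's CLSID from Security Advisory 973472.
$Clsid   = '{00000000-0000-0000-0000-000000000000}'
$KillBit = 0x400   # "Compatibility Flags" bit that stops IE from loading the control
$Keys = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid")
if ([Environment]::Is64BitOperatingSystem) {
    # 32-bit Internet Explorer on 64-bit Windows reads the Wow6432Node view, so set both.
    $Keys += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

# Set the kill bit, preserving any compatibility flags that are already present.
function Set-KillBit([string]$Key) {
    if (-not (Test-Path -LiteralPath $Key)) { New-Item -Path $Key -Force | Out-Null }
    $current = (Get-ItemProperty -LiteralPath $Key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$current -bor $KillBit
    Set-ItemProperty -LiteralPath $Key -Name 'Compatibility Flags' -Value $new -Type DWord
}

# Verify that the kill bit is present; returns $true only when 0x400 is set.
function Test-KillBit([string]$Key) {
    $flags = (Get-ItemProperty -LiteralPath $Key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $flags) -and (($flags -band $KillBit) -eq $KillBit)
}

foreach ($k in $Keys) {
    Set-KillBit $k        # requires an elevated (administrator) PowerShell session
    '{0}  kill bit set: {1}' -f $k, (Test-KillBit $k)
}
```

Run Test-KillBit alone on other machines to audit whether the workaround has been applied fleet-wide.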

Thanks K.P.


Wednesday, July 01, 2009

Abbreviations & Definitions

July 2009

XML: Extensible Markup Language
XHTML: Extensible HTML
SOAP: Simple Object Access Protocol
RSS: Really Simple Syndication
WAP: Wireless Application Protocol
SMIL: Synchronized Multimedia Integration Language
MathML: Mathematical Markup Language
SVG: Scalable Vector Graphics
RDF: Resource Description Framework
WSDL: Web Services Description Language