Mozilla addresses critical holes with Thunderbird 3.0.1
21 January 2010
The Mozilla developers have announced the availability of the first security and stability update for version 3 of their popular open source Thunderbird email and news client. In addition to a number of stability and bug fixes, Thunderbird 3.0.1 addresses three critical vulnerabilities.
The update fixes a critical vulnerability in the browser engine used by Thunderbird that could cause a crash, possibly leading to memory corruption and the execution of arbitrary code. The other two critical bugs, in liboggplay and the Theora video library, could also lead to a crash and potentially allow the execution of arbitrary code on a victim's computer. These are the same vulnerabilities that were patched in mid-December by version 3.5.6 of Firefox and by version 2.0.1 of the SeaMonkey "all-in-one internet application suite". The developers strongly recommend that all users upgrade to the latest release as soon as possible.
Continued here: http://www.h-online.com/security/news/item/Mozilla-addresses-critical-holes-with-Thunderbird-3-0-1-909529.html
RockYou hack reveals easy-to-crack passwords
Analysis of the 32 million passwords recently exposed in the breach of social media application developer RockYou last month provides further proof that consumers routinely use easy to guess login credentials.
Sensitive login credentials - stored in plain text - were left exposed because of a SQL injection bug in RockYou's website. RockYou admitted the breach, which applied to user passwords and email addresses for widgets it developed, and pledged to improve security in order to safeguard against future problems.
Database security firm Imperva analysed the frequency of passwords disclosed by the breach, prior to publishing a report on Thursday on Consumer Password Worst Practices, a problem illustrated by the top ten passwords thrown up by the RockYou security snafu (below).
Continued here: http://www.theregister.co.uk/2010/01/21/lame_passwords_exposed_by_rockyou_hack/
Vulnerability in Windows Kernel Privilege Escalation
New Microsoft Advisory: Vulnerability in Windows Kernel Privilege Escalation (CVE-2010-0232)
Yesterday, we reported about a new Windows Kernel vulnerability. The vulnerability affects all versions of Windows (NT 3.51 up to Windows 7) unless 16-bit application support is disabled. If exploited, the vulnerability will lead to privilege escalation.
Today, Microsoft released an official response in the form of a Security Advisory. The advisory (KB Article 979682) states that Microsoft is investigating the report, and is not aware of any use of the vulnerability in current exploits.
According to Microsoft's list of vulnerable and non-vulnerable systems, 64-bit versions of the Windows OS are not vulnerable, but 32-bit versions are. In part this is due to the fact that 64-bit versions of Windows do not include the vulnerable feature (16-bit compatibility).
The workaround outlined by Microsoft matches the workaround proposed in the advisory: Disable access to 16 bit applications. This should work well for the vast majority of systems. But be aware that there is a reason for this feature: Some old (very old) applications do require 16 bit support. This may in particular affect old custom software and support for odd hardware configurations. A standard office desktop should not require any 16 bit applications. As always: Test first.
Continued here: http://isc.sans.org/diary.html?storyid=8050
Also See: Microsoft Security Advisory (979682)
Vulnerabilities / Fixes - January 20, 2010: http://forums.cnet.com/5208-6132_102-0.html?messageID=3227042#3227042
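A worked version of that "disable 16-bit support, but test first" workaround, added here as an example; it is not from the ISC diary or the Microsoft advisory quoted above. It assumes, per Microsoft Security Advisory 979682, that the "Prevent access to 16-bit applications" policy is backed by the DWORD value VDMDisallowed = 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\AppCompat, and that the absence of ntvdm.exe from System32 is a reliable sign that the 16-bit subsystem is not installed (as on the x64 and Itanium builds the advisory lists as not affected). Get-VdmStatus, Disable-Vdm, Get-ExecutableKind and Find-16BitExecutables are names chosen for this example; the last two exist so you can inventory the 16-bit programs the policy would break before enforcing it.

```powershell
# Added example for the KiTrap0D (CVE-2010-0232) workaround. Not from the ISC
# diary or Microsoft's advisory text; the registry key and value below are
# assumed from Microsoft Security Advisory 979682 ("Prevent access to 16-bit
# applications"). Disable-Vdm needs an elevated PowerShell session.

$Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$Name = 'VDMDisallowed'

function Get-VdmStatus {
    # Is the vulnerable 16-bit subsystem present, and has the policy already disabled it?
    $ntvdm = Join-Path $env:SystemRoot 'System32\ntvdm.exe'   # absent on x64 / Itanium
    $val   = $null
    if (Test-Path $Key) {
        $val = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
    }
    New-Object PSObject -Property @{
        NtvdmPresent  = (Test-Path $ntvdm)
        VDMDisallowed = $val                                   # $null: policy not set
        Exposed       = (Test-Path $ntvdm) -and ($val -ne 1)
    }
}

function Disable-Vdm {
    # Applies the advisory's workaround. Every 16-bit application (including the
    # 16-bit setup stubs of some old software) will stop launching after this.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value 1 -PropertyType DWord -Force | Out-Null
}

function Get-ExecutableKind {
    param([string]$Path)
    # Classifies an .exe by its header: 'PE' (32/64-bit, unaffected by the
    # policy), 'NE' (16-bit Windows), 'DOS' (MZ stub only) or 'Other'.
    $fs = [IO.File]::Open($Path, 'Open', 'Read', 'ReadWrite')
    try {
        $hdr = New-Object byte[] 64
        if ($fs.Read($hdr, 0, 64) -lt 64) { return 'Other' }
        if ($hdr[0] -ne 0x4D -or $hdr[1] -ne 0x5A) { return 'Other' }      # no 'MZ'
        $lfanew = [BitConverter]::ToUInt32($hdr, 0x3C)                     # e_lfanew
        if ($lfanew -lt 64 -or ($lfanew + 2) -gt $fs.Length) { return 'DOS' }
        $fs.Seek($lfanew, 'Begin') | Out-Null
        $sig = New-Object byte[] 2
        if ($fs.Read($sig, 0, 2) -lt 2) { return 'DOS' }
        $tag = [Text.Encoding]::ASCII.GetString($sig)
        if ($tag -eq 'PE') { return 'PE' }
        if ($tag -eq 'NE') { return 'NE' }
        return 'DOS'
    } finally { $fs.Close() }
}

function Find-16BitExecutables {
    param([string]$Root = "$env:SystemDrive\")
    # "Test first": inventory the programs the policy would break.
    Get-ChildItem -Path $Root -Include *.exe -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $kind = try { Get-ExecutableKind -Path $_.FullName } catch { 'Other' }
            if ($kind -eq 'NE' -or $kind -eq 'DOS') {
                New-Object PSObject -Property @{ Path = $_.FullName; Kind = $kind }
            }
        }
}

Get-VdmStatus
Find-16BitExecutables -Root "$env:ProgramFiles" | Format-Table Kind, Path -AutoSize
# Disable-Vdm    # run once the inventory shows nothing you still need
```

Get-VdmStatus reporting Exposed = True means ntvdm.exe is on the box and the policy is not set, which is the state the advisory describes as vulnerable. The same policy can be pushed by Group Policy instead of the registry write (Computer Configuration, Administrative Templates, Windows Components, Application Compatibility, "Prevent access to 16-bit applications"); either way it is a deny-all switch, so run the inventory on a representative machine before rolling it out.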
Microsoft Confirms Unpatched Windows Kernel Flaw
OT: Corrected link (V/F's thread) in above post: Microsoft Windows "KiTrap0D" Privilege Escalation
One day after a Google security researcher releases code to expose a flaw that affects every release of the Windows NT kernel -- from Windows NT 3.1 (1993) up to and including Windows 7 (2009) -- Microsoft has released a security advisory to acknowledge the issue and warn of the risk of privilege escalation attacks.
Microsoft warns that a malicious hacker could exploit this vulnerability to run arbitrary code in kernel mode. For an attack to be successful, the attacker must have valid logon credentials.
The flaw does not affect Windows operating systems for x64-based and Itanium-based computers, Microsoft said.
According to Tavis Ormandy, the Google researcher who released the flaw details, Microsoft was notified about the issue in June 2009. After waiting several months and not seeing a patch, he decided it was in the best interest of everyone to go public.
Continued here: http://threatpost.com/en_us/blogs/microsoft-confirms-unpatched-windows-kernel-flaw-012110
Major virus outbreak at University of Exeter
From Graham Cluley's Blog:
The University of Exeter in England has reported that it suffered a "severe" virus outbreak, which resulted on its entire network being shut down earlier this week.
Although the University reports that 95% of its network is now back to normal operation, mystery still surrounds what exact piece of malware they were hit by.
ZDNet blogger Zack Whittaker appears to have got some inside information, as he quotes an internal support email which says:
"...this is a completely new virus and we are the only organisation in the world to experience it. None of the mainstream virus software suppliers have seen this virus, and as such, there is no fix."
Continued here: http://www.sophos.com/blogs/gc/g/2010/01/21/major-virus-outbreak-university-exeter/
New Software Aims to Keep Facebook Safer
As social-media sites like Facebook and Twitter have expanded to include more of the online population, spammers and hackers have come along for the ride. Even the FCC chairman has seen his Facebook page taken over by a malicious program that sent spam to his friends.
Facebook and other firms have started responding to the problem, and on Thursday tech-security company Websense will announce software called Defensio that allows Facebook users to better police the comments appearing on their wall and fan pages. In addition to detecting and blocking threats such as phishing and malicious Web sites, the software lets users restrict comments that include profanity or adult content.
Continued here: http://blogs.wsj.com/digits/2010/01/20/new-software-aims-to-keep-facebook-safer/
Today from Websense Connect:
Websense Introduces First Real-Time Security Application for Facebook
Websense delivers Defensio 2.0, the first real-time threat detection system for the social Web
Organizations and individuals alike are adopting blogging platforms, social Web sites like Facebook and Twitter, and other Web 2.0 technologies at a rapid pace. In fact 59 percent of all U.S. Internet users now use social networks, 70 percent consume content on social media and social networking sites and 46 percent of Fortune 100 companies have an official company presence on Facebook today.
Unfortunately, the social nature of Web 2.0 also causes security risks to spread swiftly and claim many victims. The chairman of the Federal Communications Commission himself fell victim and accidentally spammed his friends on Facebook after mistakenly clicking on a bad link.
Continued here: http://community.websense.com/blogs/websense-features/archive/2010/01/21/websense-introduces-first-real-time-security-application-for-facebook.aspx
Patch it or Scratch it: RealPlayer
Securing your computer isn't just about making sure the doors and windows into your system are latched and patched: Sometimes, it makes more sense to simply brick up some of these entryways altogether, by getting rid of programs you no longer use.
There are several programs that I've mentioned recently and put in this category (Java, QuickTime, Adobe Reader). Allow me to add another program to this list: RealPlayer. If you have this program installed, ask yourself this question: When was the last time you used it?
Continued here: http://www.krebsonsecurity.com/2010/01/patch-it-or-scratch-it-realplayer/#more-648
Targeted Attack using "Operation Aurora" as the lure
From the F-Secure Weblog:
Now here's an interesting turn of events.
In the middle of all the attention to the "Operation Aurora" attacks, we're now seeing new targeted attacks that are using this very event as the lure to get the targets to open a malicious attachment!
Here's the email we saw (the mail was forged to look like it came from gwu.edu):
From: david& [blocked] ;@gwu.edu
Date: Wed, 20 Jan 2010 09:26:24
To: (email addresses of the targets)
Subject: Chinese cyberattack
Attached is a short piece I just wrote for the Far Eastern Economic Review about Chinese cyberattack.
I hope you find it interesting.
If you have any good idea / comments, are warmly welcome to feedback.
Attachment: Chinese cyberattack.pdf
The attachment Chinese cyberattack.pdf (md5: 238ecf8c0aee8bfd216cf3cad5d82448) is a PDF file which exploits the CVE-2009-4324 vulnerability in Adobe Reader (again, this is the one which was patched last week).
Continued here: http://www.f-secure.com/weblog/archives/00001863.html
Also from F-Secure:
Intelligence sector hit by a targeted attack
We just blogged about a highly targeted attack against military contractors.
Now we saw one against the intelligence sector.
This attack was done with a PDF file. Again.
When opened, the PDF file (md5: c3079303562d4672d6c3810f91235d9b) looked like this: [...]
It was targeting the CVE-2009-4324 vulnerability. Again. [...]
What really happens in the background? Just like last time, the exploit code drops a backdoor in a file called Updater.exe (md5: 02420bb8fd8258f8afd4e01029b7a2b0).
Now, what is the document talking about? President's day? DNI Information Sharing Environment? We don't know, but a quick web search tells us that apparently there is going to be an Intelligence fair & expo in Germany next month.
Continued here: http://www.f-secure.com/weblog/archives/00001862.html
Firefox Upgrade Available
Firefox released 3.6 today with a few notable improvements.
* Changes were made that prevent other programs from adding their own toolbar to Firefox without your permission.
* Firefox 3.6 will alert you about out of date and insecure plugins.
* Private browsing also removes TEMP files
The full details can be found at Upgrading to Firefox 3.6.
Continued here: http://isc.sans.org/diary.html?storyid=8065
Europe's spam war hits stalemate
ISPs stuck in rut, finds ENISA.
Europe's ISPs are just about holding their own against the global spam barrage, a Europe-wide report has found. Put another way, things are not getting better, but are not getting any worse either.
Judging from the 2009 ENISA (European Network and Information Security Agency) spam survey of ISPs across 27 EU states, ISPs spend substantial sums trapping spam before it gets to the end user, mainly because they have to in order to keep customers. Small providers spend at least 10,000 Euros ($14,100) fighting unwanted messages, while large companies will exceed seven-figure euro sums to do the same.
What most customers probably don't realise is just how many layers of filtering and technology it takes to reduce spam - which is now 95 percent of all email sent says ENISA - to the cleansed inbox most users now experience without causing false positives.
Continued here: http://news.techworld.com/security/3210786/europes-spam-war-hits-stalemate/
"Aurora" update brief DoS
From the Sunbelt Blog:
Early this afternoon Microsoft released an out-of-band security bulletin patching the vulnerabilities in Internet Explorer. The fix has been at the top of the news since the vulnerabilities it treats are believed to have led to the compromise of Google and about 30 other companies last week in what has been called the "Aurora" attack. The governments of France and Germany suggested that Internet users switch to a different browser until the vulnerability was fixed.
So, I guess, in a way, this is good news: [...]
It means that the word obviously is out that there's a problem and there's a fix.
According to Wikipedia, Microsoft's IE browser (versions 6 through 8) has a 63 percent browser market share. Apparently, every one of them hit Microsoft's site at the same time for the update.
Continued here: http://sunbeltblog.blogspot.com/2010/01/aurora-update-accidental-dos.html
Available IPv4 addresses dwindle below 10%
Internet registries urge network operators to migrate to IPv6
The long-awaited depletion of the Internet's primary address space came one step closer to reality on Tuesday with the announcement that fewer than 10% of IPv4 addresses remain unallocated.
The Number Resource Organization (NRO), the official representative of the five Regional Internet Registries, made the announcement. The Regional Internet Registries allocate blocks of IP addresses to ISPs and other network operators.
The NRO is urging Internet stakeholders, including corporations, government agencies, ISPs, IT vendors and users, to take immediate action and begin deploying the next-generation Internet Protocol known as IPv6, which has vastly more address space than today's IPv4.
Continued here: http://www.networkworld.com/news/2010/011910-ipv4-addresses-dwindle.html?hpg1=bn
Upromise Savings transmits members' CC data
Upromise Savings transmits members' CC data in the clear to shopper-metrics firm
From the Sunbelt Blog:
According to its web site, Upromise members get 1-25 percent discounts on eligible purchases from 600 online retailers, eight percent discounts at more than 8,000 restaurants "...when you pay with a registered credit or debit card." and 1-3 percent discount at registered grocery or drug stores, also if they pay with a registered card.
Upromise, owned by Sallie Mae, is the biggest private source of college funding contributions in the U.S., having deposited $450 million to members' college savings accounts.
Continued here: http://sunbeltblog.blogspot.com/2010/01/upromise-savings-transmits-members-cc.html
Ben Edelman's Report:
Upromise touts opportunities for college savings. When members shop at participating online merchants, dine at participating restaurants, or purchase selected products at retail stores, Upromise collects commissions which fund college savings accounts.
Unfortunately, the Upromise Toolbar also tracks users' behavior in excruciating detail. In my testing, when a user checked an innocuously-labeled box promising "Personalized Offers," the Upromise Toolbar tracked and transmitted my every page-view, every search, and every click, along with many entries into web forms. Remarkably, these transmissions included full credit card numbers -- grabbed out of merchants' HTTPS (SSL) secure communications, yet transmitted by Upromise in plain text, readable by anyone using a network monitor or other recording system.
In its entirety: http://www.benedelman.org/news/012110-1.html
Beware of Massachusetts Senate Race Search Engine Results
Did you follow the Senate race in Massachusetts between Scott Brown and Martha Coakley? Well, so did cybercriminals. They likely had no interest in who won, however. What attracted them was how many of us were performing online searches, looking for information on the race. So, the bad guys raced to answer this need, but it wasn't with information on who won. It was with traps to infect us with rogue security software.
Symantec, through use of our Norton Safe Web technology, has identified significant search engine poisoning in searches related to the political race. At one point we looked at the results of a search for "Massachusetts senate race results" and found that 33 of the first 100 search results led to malicious sites. Eleven of the first 100 results for the related search "Brown Coakley results" also led to malicious sites. Unfortunately none of this is all that surprising to us. From Michael Jackson's death, to the tragedy in Haiti, to whatever the next big news story is, the bad guys always seek to take advantage of our interest.
Continued here: http://www.symantec.com/connect/blogs/beware-massachusetts-senate-race-search-engine-results
Widespread Attacks Exploit Newly Patched IE Bug
The first widespread attack to leverage a recently patched flaw in Microsoft's Internet Explorer browser has surfaced.
Starting late Wednesday, researchers at antivirus vendor Symantec's Security Response group began spotting dozens of Web sites that contain the Internet Explorer attack, which works reliably on the IE 6 browser, running on Windows XP. The attack installs a Trojan horse program that is able to bypass some security products and then give hackers access to the system, said Joshua Talbot, a security intelligence manager with Symantec.
Once it has infected a PC, the Trojan sends a notification e-mail to the attackers, using a U.S.-based, free e-mail service that Symantec declined to name.
As of midday Thursday, Symantec had spotted hundreds of Web sites that hosted the attack code, typically on free Web-hosting services or domains that the attackers had registered themselves.
Continued here: http://www.pcworld.com/businesscenter/article/187413/widespread_attacks_exploit_newly_patched_ie_bug.html
Verizon, McAfee Bolster Online Security
Verizon (NYSE: VZ) and security software vendor McAfee (NYSE: MFE) on Wednesday announced they will partner together to provide an upgraded version of Verizon Internet Security Suite (VISS) to more than 9 million FiOS Internet and high-speed broadband customers.
Company officials said Verizon is the only Internet service provider to offer broadband customers a combination of McAfee's Internet Security tools, which includes McAfee Family Protection and SiteAdvisor technology, in a bundled Internet security suite.
"Our award-winning Windows Internet security suite now becomes even more powerful with world-class security technology from McAfee," Eric Bruno, Verizon's vice president for product management, said in a statement. "We're excited to work with McAfee to provide VISS subscribers with an enhanced, robust security solution that simplifies online protection at home and in the small-business office."
Continued here: http://www.esecurityplanet.com/trends/article.phpr/3859641/Verizon-McAfee-Bolster-Online-Security.htm
Encryption challenge worth $100K
News that an encrypted Swiss Army knife from manufacturer Victorinox remained uncracked - and a $100,000 prize went unclaimed - at the Consumer Electronics Show in Las Vegas this month comes as no surprise.
And, says Andy Cordial, managing director of Origin Storage, even if someone had cracked the 2010 version of the famous Swiss Army knife, they would have obtained a lot more than $100,000 from other sources.
Facebook plugs friends list mobile leak
Facebook has fixed a hole that allowed strangers to see your friends list by accessing the site using a mobile device, the company said on Thursday.
"There was an inconsistency between the Web and mobile versions of the site for the friend list visibility option," Facebook spokesman Simon Axten said in an e-mail.