General discussion

NEWS - October 28, 2010

Mozilla issues Firefox & Thunderbird security updates

Just one week after the previous updates were released, the Mozilla development team have issued updates for the Firefox web browser and for the Thunderbird news and email client to close a critical security vulnerability affecting these products. According to the developers, the updates address a critical security issue that could potentially lead to the remote execution of arbitrary code on a victim's system. The previously reported zero day vulnerability (CVE-2010-3765 ), which was used to attack visitors to the Nobel Peace Prize web site, was related to a bug that lead to a heap buffer overflow when mixing documen t.write and DOM insertion.

As they are based on the same Gecko layout engine versions as Firefox, the 3.1.6 and 3.0.10 security updates for Thunderbird close the same issues addressed in the above Firefox releases. Additionally, the developers note that, while reading email in Thunderbird does not pose a risk to users, the vulnerability could be triggered via an RSS feed if JavaScript is enabled or by a third-party add-on that enables browser-like functionality.

Discussion is locked

Reply to: NEWS - October 28, 2010
PLEASE NOTE: Do not post advertisements, offensive materials, profanity, or personal attacks. Please remember to be considerate of other members. If you are new to the CNET Forums, please read our CNET Forums FAQ. All submitted content is subject to our Terms of Use.
Reporting: NEWS - October 28, 2010
This post has been flagged and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.
Sorry, there was a problem flagging this post. Please try again now or at a later time.
If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.
- Collapse -
Unpatched Critical Flash Player Vulnerability Possibly ...
...Exploited in the Wild'

According to the preliminary findings of some security researchers, a new zero-day vulnerability in Adobe Flash Player might be exploited in the wild to infect users with a trojan.

The alert comes from independent security researcher Mila Parkour, who maintains the Contagio Malware Dump blog. Ms. Parkour was also credited back in September with reporting an actively exploited Adobe Reader zero-day vulnerability.

The researcher posted a screenshot of the new attack in action and it looks like the unpatched Flash Player vulnerability is exploited via malicious SWF content embedded in a .pdf documen t.

Successful exploitation results in two files called nsunday.exe and nsunday.dll being dropped and executed on the system.

According to a ThreatExpert analysis, these files are components of a Wisp trojan variant. Wisp is a relatively new trojan discovered back in March and is capable of stealing information, as well as downloading and executing malicious files.

A VirusTotal scan of the executable, reveals that 15 antivirus engines detect it as malicious, mostly via generic signatures.

It seems like the people behind this threat are used with exploiting zero-day vulnerabilities. Wisp.A was originally distributed via drive-by download attacks targeting an unpatched flaw (CVE-2010-0806) in Internet Explorer.

Adobe's Product Security Incident Response Team has been notified of the suspected Flash Player vulnerability, but it has yet to test and confirm it.
- Collapse -
Security Adivsory for Adobe Flash Player, Reader and Acrobat
Security Adivsory for Adobe Flash Player, Adobe Reader and Acrobat

From the Adobe Product Security Incident Response Team (PSIRT) Blog:

A Security Advisory (APSA10-05) has been posted in regards to a new Flash Player, Adobe Reader and Acrobat issue (CVE-2010-3654). A critical vulnerability exists in Adobe Flash Player and earlier versions for Windows, Macintosh, Linux and Solaris operating systems; Adobe Flash Player and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX operating systems, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh operating systems. This vulnerability (CVE-2010-3654) could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild against Adobe Reader and Acrobat 9.x. Adobe is not currently aware of attacks targeting Adobe Flash Player.

Adobe Reader and Acrobat 8.x, and Adobe Reader for Android are confirmed not vulnerable. Mitigations for Adobe Reader and Acrobat 9.x are included in the Security Advisory.

We are in the process of finalizing a fix for the issue and expect to provide an update for Adobe Flash Player 10.x for Windows, Macintosh, Linux and Android by November 9, 2010. We expect to make available an update for Adobe Reader and Acrobat 9.4 and earlier 9.x versions during the week of November 15, 2010.
- Collapse -
Firesheep: Baaaaad News for the Unwary

"Firesheep," a new add-on for Firefox that makes it easier to hijack e-mail and social networking accounts of others who are on the same wired or wireless network, has been getting some rather breathless coverage by the news media, some of whom have characterized this a new threat. In reality, this tool is more of a welcome reminder of some basic but effective steps that Internet users should take to protect their personal information while using public networks.

Most online services use secure sockets layer (SSL) encryption to scramble the initial login - as indicated by the presence of "https://" instead of "http://" in the address field when the user submits his or her user name and password. But with many sites like Twitter and Facebook, subsequent data exchanges between the user and the site are sent unencrypted and in plain text, potentially exposing that information to anyone else on the network who is running a simple Web traffic snooping program.

Why should we care if post-login data is sent in unencrypted plain text? Most Web-based services use "cookies," usually small, text-based files placed on the user's computer, to signify that the user has logged in successfully and that he or she will not be asked to log in again for a specified period of time, usually a few days to a few weeks (although some cookies can be valid indefinitely).

Prior (Related) Posts :
How to protect against Firesheep attacks
Firefox extension steals Facebook, Twitter, etc. sessions

Also: Firesheep's a Huge Hit with Amateur Hackers

- Collapse -
Symantec writes off $10 million after faulty AV activation

"Some customers had to wait before service was activated"

Symantec has been forced to write off US$10 million in revenue after a glitch in its sales system prevented some consumers from activating their Norton antivirus software at the time they bought it.

The problem affected less than half a percent of Symantec's customers, CEO Enrique Salem said in an interview. "You'd sign up and there'd be a delay in getting your service activated," he said. "There was just a lag between the front-end system and the back-end system, but it's all been corrected and we've accounted for it."

Symantec has identified the customers affected by the problem and adjusted their accounts accordingly, Salem said. The issue was disclosed Wednesday in Symantec's quarterly earnings announcement.

Starting in November 2005, Symantec began automatically renewing subscriptions for its consumer antivirus product. The company says it keeps customers safe by preventing antivirus signatures from going out of date, but the product has had a few problems too. Symantec paid $375,000 earlier this year to settle a lawsuit brought by the New York attorney general over the practice. The company also faces a class-action suit, brought by a customer who said he was charged for a renewal without notification.

- Collapse -
Bredolab-infected PCs downloading fake antivirus software

A massive takedown operation conducted by Dutch police and security experts earlier this week does not appear to have completely dissolved the Bredolab botnet, but it is unlikely to recover.

The latest look at the botnet by FireEye's Malware Intelligence Lab shows that two domains are being used to issue instructions to infected computers. PCs that are infected with Bredolab are programmed check in with certain domains in order to receive new commands, wrote Atif Mushtaq, of FireEye.

One domain, which is on an IP (Internet protocol) address registered with a collocation facility in Kazakhstan, is telling infected computers to download a fake antivirus program called Antivirusplus, Mushtaq said. Cybercriminals have found that fake antivirus programs can be a thriving business. If infected, users are badgered to buy the programs, which offer little or no actual protection from threats on the Internet.

The other domain is instructing computers compromised with Bredolab to send spam. That domain is hosted on an IP address assigned to a collocation facility in Russia.

- Collapse -
'Want to know who has blocked you on Facebook? Survey ....
....scammers take advantage'

Many Facebook users would love to know who in their social circle has blocked them or removed them from their friend list. For probably good reasons, Facebook doesn't have a way of telling you who has decided they don't want to share information with you via the social network anymore - but there are plenty of users who would love that functionality to satisfy their curiousity.

Scammers, of course, aren't slow to take advantage of an opportunity like this - and you should be careful of giving third-party applications which make claims that they can help you tell who has defriended you access to your account.

Here's an example of an application that is live on Facebook right now. [Screenshot]

The application, called "Who doesn't like me", claims it will

'regularly check your friends to see if anyone has removed you. When it detects that someone has removed or blocked you, a message will popup informing you who it was and a link to there (sic) profile.'

However, be on your guard because if you decide you want the application it will ask your permission to scoop up information from your Facebook profile, and even send you messages at your private email address.

Conintued @ Sophos (New): Naked Security Blog
- Collapse -
Android App Forwards Private Text Messages
Updated: Adding that the app was pulled from the Android Market.

Update: While you don't need anyone's approval to get into the Android Market, the dominant store for Android apps, you do need to follow the rules, and apparently Secret SMS Replicator does not do that. A Google spokesman said via e-mail that the application had been suspended effective Wednesday evening because it "violates the Android Market Content Policy."

If you own an Android phone and are cheating on a significant other by arranging secret trysts through text messages, you might want to think twice about your infidelities - or at least about arranging them via texts.

A new Android application released Wednesday, Secret SMS Replicator, when secretly installed on a cellphone, will forward all text messages to any other phone without the owner's knowledge.

Zak Tanjeloff, chief executive of the app's creator, DLP Mobile, said in a news release: "This app is certainly controversial, but can be helpful to people in relationships where this type of monitoring can be useful."

DLP Mobile also boasts about the clandestine nature of the application: "The app is unique because there is no visible icon or shortcut to access it, so once it?s installed, it will continue to monitor without revealing itself."

DLP Mobile is behind the Mirror App for the iPhone 4 and says it creates about 100 applications a year for the iPhone and Android.
- Collapse -
Demystifying KB976902, a.k.a. Microsoft?s "Blackhole" Update

I've received several e-mails from readers concerned about a mysterious, undocumented software patch that Microsoft began offering to Windows 7 users through Windows Update this week. Some Microsoft users have been spinning conspiracy theories about this patch because it lacks any real description of its function, and what little documentation there is about it says that it cannot be removed once installed and that it may be required as a prerequisite for installing future updates.

Normally, when Microsoft offers a patch through Windows Update, it also will publish a corresponding "knowledgebase" article that describes in great detail what the patch does and why users should install it - and how applying the update may impact current and future operations on the system.

This fix went out via Windows Update on Oct. 26 as a "recommended" and "important" patch, but it lacked any additional details, prompting conspiracy theories and speculation on message boards from users wondering whether they should ignore or install this update - which for many users was sandwiched between the dozens of security patches Microsoft began offering earlier this month as part of its regular Patch Tuesday security update cycle.

To make matters worse, many Windows 7 users said the patch was no longer offered after they declined installing it the first time, leading some curious researchers to dub it the "Blackhole" update.

I have verified with Microsoft that this update is designed to smooth the way for the deployment of future updates on Windows 7 systems (read on to the very end if you'd like the official response from Microsoft). The confusion appears to stem from a timing mistake by the folks at Microsoft, but this incident illustrates the hysteria that can ensue when the world's largest software company fails - for whatever reason - to be fully transparent with a user base that has come to expect detailed advisories with every patch.

Take note of his "Bottom Line" :

- Collapse -
Things To Look Out For In New PCI Version 2.0

"Payment card security standard hasn't changed much, but there are a few issues to prepare for "

No big surprises were found in the new Version 2.0 of the Payment Card Industry Data Security Standards (PCI DSS) and PA-DSS released today - a summary of the changes were announced in August - but some subtle shifts and clarifications to the standard could mean big changes for some merchants.

Perhaps the most significant shift is in application security. The wording for centralized logging of payment applications in the PA-DSS, for example, went from "should" do to "must" do, which will put more pressure on merchants to better secure their applications, notes Eric Knight, senior knowledge engineer at LogRhythm. "This means if people have not been logging applications centrally, [they must do so now]," Knight says.

"The bulk of the tasks ahead for the new PCI DSS 2.0 are focusing more on the applications. You have to be more concerned about what apps have to be audited and protected, and centralized logging needs to be performed," he says, adding that could be challenging for some merchants because the monitoring load will likely increase. "A lot of people have been forwarding logs to syslog collectors. You also must do monitoring on those systems."

Also : PCI Compliance Changes Promote Log Management

CNET Forums

Forum Info