Archive for January, 2008
After researcher Gerry Eisenhaur reported about Firefox flaw about information leaks that can allow an attacker to load any javascript file on a machine, Mozilla announced that the vulnerability will be patched with Firefox 2.0.0.12. New patch is expected shortly. As Mozilla official Snyder says Firefox is not vulnerable by default. attacker can use holes in add-ons to collect session information, including session cookies and session history. After Firefox patch also new patched versions of vulnerable add-ons are expected.
|
Security company Immunity reported about new exploit attack for a TCP/IP vulnerability in Microsoft’s Windows. Seems that patch issued on January 8 fixed a Transmission Control Protocol/Internet Protocol (TCP/IP) processing vulnerability that was critical for XP and Vista, but Immunity issued a proof of concept and now goes with workable exploit. Company issued a flash movie with info about this exploit and it is available for its paying subscribers.
|
Some users have reported that photo frames purchased from Best Buy, Target and Walmart are infected with malware/viruses. Internet Storm Center at sans.org calling all infected customers to upload their programs via contact form so they can review the problem and inform the Anti-Virus vendors.
|
Jeff Jones, a security strategy director in Microsoft’s Trustworthy Computing group, reported that Windows Vista is more secure OS than XP since it was hit by significantly fewer publicly disclosed security flaws in its first year than Windows XP and open source rivals in their first years. In its first year Microsoft released 17 security bulletins and patches affecting Vista, compared to 30 for XP in its first year. Vista had 9 patches, XP had 26, Red Hat 64, Ubuntu had 65 and Mac OS X 17. Most of those success is related to the changes made in way Microsoft handles patching and that resulted in less work for system administrators on Vista compared to Windows XP. However those figures do not indicate which operating system is “more secure” than the others.
|
Mozilla researchers has confirmed a proof of concept information leak flaw in Firefox–even fully patched versions. Firefox leaks information that can allow an attacker to load any javascript file on a machine. A visited attacking page is able to load images, scripts, or stylesheets from known locations on the disk. Attackers may use this method to detect the presence of files which may give an attacker information about which applications are installed. Some extensions, such as Download Statusbar and Greasemonkey may store information in Javascript files and an attacker may be able to retrieve them.
|
After reports about new Skype flaw, Skype team has been forced to turn off a video-sharing feature as act of preventing attackers exploiting a software flaw to launch a self-copying worm attack against other Skype users. The software bug, reported last week by security researcher Aviv Raff, stems from the way Skype uses an Internet Explorer component to render HTML. Skype’s video-sharing feature allows users to share videos hosted on two sites - Dailymotion.com and Metacafe.com - while chatting with other Skype users. Video sharing website Metacafe had a cross-site scripting flaw that could allow hackers to run JavaScript on Metacafe.com and install unauthorised software on the victim’s computer. After that attackers could forward links to the malicious web page to all of the Skype contacts in the victim’s computer, spreading the infection.
|
Security vendor Fortinet has detected new malicious SymbianOS Worm that affects S60 2nd Edition phones. Worm is identified as SymbOS/Beselo.A!worm and spreads itself via multimedia file (MMS) with a name either Beauty.jpg, Sex.mp3 or Love.rm. After clicking on attachment the worm harvests all the phone numbers located in the phone’s contact lists and targets them with a viral MMS carrying a Symbian Installation Source version of the worm. In addition to harvesting these numbers, the malware also sends itself to generated numbers located in China. So, if you have a Symbian S60 phone, and you receive a media file, answer “no” to any installation prompt that appears when trying to open the file.
Also we can also recommended having Anti-Virus software running on your phone.
|
 ScanSafe reported that over 10,000 web sites hosted on Linux servers running Apache are infected with files that generate constantly-changing malicious JavaScript. When visitors reach the hacked site, the script calls up an exploit cocktail that includes attack code targeting recent QuickTime vulnerabilities, the long-running Windows MDAC bug, and even a fixed flaw in Yahoo Messenger. If the visitor’s PC is unpatched against any of those exploits it’s infected with new variant of Rbot, the notorious backdoor Trojan, and automatically users PC is added to a botnet. Users can protect themselves from attack by making sure all software on their systems is patched and that their security software signatures are up-to-date. Website administrators should disable dynamic loading in their Apache module configurations.
|
 Security researcher Aviv Raff reported about new Skype vulnerability that could give the opportunity for hackers to insert malicious software onto a victim’s PC. Apparently the flaw has to do with the way that Skype makes use of a Windows Internet Explorer component to render HTML. Skype does not apply strict security controls to the software, an attacker could run scripting code on the victim’s system in a dangerous fashion and ultimately install malicious software. The flaw affects the latest version of Skype - version 3.6.0.244 and older versions may also be at risk. Skype has been reported about this problems so we’re expecting their reaction.
|
 Apple has released updates for four security holes in QuickTime and fixed three flaws in the iPhone and iPod Touch. All four of the QuickTime vulnerabilities were able to end in “arbitrary code execution,” meaning that attacker can inject malware or hijack the system. None of the patches fix the vulnerability disclosed last week by Italian researcher Luigi Auriemma, who posted a proof-of-conceptexploit for another flaw in the Real-Time Streaming Protocol (RTSP).
|
|
|
