Posted January 05, 2009 by David Hale in Security News
by Ryan Naraine
January 2nd, 2009 @ 11:53 am

Third party plug-ins like Adobe Flash do a poor job of cleaning traces of your browser sessions, rendering private-browsing features somewhat useless, according to a new study by researcher Katherine McKinley.

McKinley, a researcher at iSec Partners, created a tool for testing the functionality of clearing private data after a browser session and browsing in private mode and found that some browsers — most notably Apple’s Safari for Windows — do a poor job of wiping traces of a browser session. McKinley warns (.pdf):

Third party plug-ins like Adobe Flash, which is far more popular than any individual browser or platform, seem to undermine the data protection schemes offered by all common browsers, however. While browsers are introducing more features with privacy implications, such as persistent local storage, they have mostly integrated the management of this type of information into a single location.

When users want to ensure their privacy with respect to information stored via the browser's standard methods, they can go to a single location to clear the data, use a separate browser, or use a working private browsing mode, if available. Plug-ins need to take extra steps to ensure the privacy of their users. The clear best practice in this area, as exemplified by Google's Gears, prompts users before allowing a site to store data on their system, holds a per-browser data store, and integrates its management UI into the browser UI.
Posted January 05, 2009 by David Hale in Security News
by Rafe Needleman
January 3, 2009 4:04 PM PST

There's a scam spreading through Twitter. Direct messages (DMs) are showing up in Twitter accounts with appealing come-ons to visit a site on blogspot.com. The text is, "hey! check out this funny blog about you..." The URL in the message then redirects to a page that looks like the Twitter login page, but is actually not on Twitter--it's a site, twitter.access-logins.com, that masquerades as Twitter to steal your login credentials instead.

If you need to log in to Twitter, do it on Twitter.com itself. And to play it safe, double-check your browser address bar to make sure that's where you are. The phishing site in question also appears to support the theft of Facebook IDs. I have not received this bogus Twitter message, but the Twittersphere is abuzz over this scam. Read more on the Twitter Status blog, Chris Pirillo's blog, VentureBeat, or Mashable. Related: Koobface virus hits Facebook

Update: If you are logged in to the real Twitter.com, you'll now see an update about this scam on the page. No warning appears if you use another Twitter client, like Twhirl.

Update 2: The effect of getting taken in by this scam seems to be that affected accounts send messages to their followers with the original phishing message. To date, no other effect of falling victim to the scam has been reported. However, since many people use the same user ID and password for multiple online services, it's possible that credentials collected from this scam could be used to log in to other services, including financial sites.

As Twitter recommends on its blog: "If this has you feeling a bit weirded out, feel free to change your Twitter password."
Posted December 30, 2008 by David Hale in Security News
December 30, 2008 6:15 AM PST

BERLIN--A key piece of Internet technology that banks, e-commerce sites, and financial institutions rely on to keep transactions safe suffers from a serious security vulnerability, an international team of researchers plans to announce Tuesday.

They plan to demonstrate how to forge security certificates used by secure Web sites, a process that would allow a sufficiently sophisticated criminal to fool the built-in verification methods used by all modern Web browsers--without the user being alerted that anything was amiss. The problem is unlikely to affect most Internet users in the near future because taking advantage of the vulnerability requires discovering some techniques that are not expected to be made public as well as overcoming engineering hurdles: performing the initial digital forgery consumed approximately two weeks of computing time on a cluster of 200 PlayStation 3 consoles.

In addition, a criminal needs to find a way to reroute traffic from a legitimate Web site to his own, perhaps through techniques that have become well-known in the last few years. Yet if one group can do it today, others eventually will. "We have a proof-of-concept that allows us to impersonate any supposedly secure Web site on the Internet," said David Molnar, a doctoral student in computer science at the University of California at Berkeley.

Molnar and six other researchers plan to present their findings during an afternoon session of the Chaos Computer Club's annual conference here on Tuesday. Other team members include Jacob Appelbaum and Alexander Sotirov. Their work has focused on finding vulnerabilities in a technology known as Secure Sockets Layer, or SSL, which was designed to provide Internet users with two guarantees: first, that the Web site they're connecting to isn't being spoofed, and second, that the connection is encrypted and is proof against eavesdropping.
Posted December 30, 2008 by David Hale in Security News
by Steven Musil
December 29, 2008 6:20 PM PST

Microsoft on Monday denounced reports that a vulnerability exists in Windows Media Player that would allow for remote code execution. Microsoft said in a company blog post that it had investigated reports that surfaced on the Internet last week and found them to be "false."

The flaw is a "reliability issue with no security risk to customers," the company said on its Security Vulnerability Research & Defense blog. The investigation followed claims published Wednesday on the Bugtraq security mailing list by researcher Laurent Gaffie that a vulnerability existed in Windows Media Player 9, 10, and 11.

Gaffie said the vulnerability would allow a hacker to create a malformed WAV, SND, or MIDI file to compromise a PC running Windows Vista or Windows XP, and included a proof-of-concept code he said would allow remote code execution. Along with its denial, Microsoft criticized Gaffie for publishing his claims without first contacting the software giant:

The security researcher making the initial report didn't contact us or work with us directly but instead posted the report along with proof of concept code to a public mailing list. After that report, other organizations picked the report up and claimed that the issue was a code execution vulnerability in Windows Media Player...
Posted December 29, 2008 by David Hale in Security News
By Tony Dennis
29 December 2008, 12:09

THERE'S A growing threat to Android and Apple handsets, says security specialist ESET. It is also predicting a rise in Windows malware. These include proof-of-concept attacks and attacks against the WebKit-based browsers found in iPhone and Google Android based handsets.

Following the INQ's own exposé of the increasing prevalence of malware here, ESET has released its own Top Ten ways to protect against malware. In the Number One spot is disabling the Autorun feature in Windows. Other tips include logging onto the Net as an ordinary user and not as the administrator. ESET is also predicting that hackers will build on the current ability to extort money from innocent surfers through fake anti-virus products.

A favourite trick is to spoof a real anti-virus company. According to Dave Harley, director of malware intelligence with ESET, some hackers "are introducing rudimentary 'real' detection into the product, blackening vendor reputations in public forums, and threatening legal action against real security vendors and others who might expose them."

Presently ESET is amassing over a gigabyte of new fake anti-virus samples per day on its web site, Threatsense.net, which collates data from around 10 million systems globally.
Posted December 29, 2008 by David Hale in Security News
By Gregg Keizer
December 29, 2008

Amazon.com Inc. last week warned customers running Windows XP that a Samsung digital photo frame it sold until earlier this month might have come with malware on the driver installation CD. An Amazon.com customer posted the warning a week ago to the online retailer's user forum.

In its note to customers, Amazon.com noted that a Samsung advisory had been issued for the SPF-85H, an 8-in. digital photo frame that Amazon sold for approximately $150 starting in October. The Samsung SPF-85H is no longer available on Amazon.com. "We have recently learned that Samsung has issued an alert ... our records indicate that you have purchased one of the digital photo frames through the Amazon.com website and are therefore affected by this alert," said Amazon in the note.

Samsung released its advisory (PDF) on Nov. 27, and listed five photo frame models as affected: SPF-75H, SPF-76H, SPF-85H, SPF-85P and SPF-105P. According to Samsung's alert, "a batch of Photo Frame Driver CDs contain [sic] a worm virus in the Frame Manager software. This is a risk of the customers [sic] host PCs being infected with this worm virus." Samsung did not specify how the malware got on the CD, or how it escaped its quality control checks.

Amazon's advisory identified the malware as "W32.Sality.AE," the name assigned by Symantec Corp. Other security vendors, such as McAfee Inc. and Trend Micro Inc., have pegged the malware with other names, including "W32/Sality" and "Troj_Agent.xoo," respectively. Symantec's write-up said W32.Sality.AE was a downloader, a malicious program that once installed, downloads even more malevolent attack code.
Posted December 26, 2008 by David Hale in Security News
By Gregg Keizer
December 24, 2008

Microsoft Corp. today confirmed that it has been working on a critical vulnerability in SQL Server for more than eight months, but declined to say whether it has had a patch ready since September, as an Austrian security researcher has alleged.

On Monday, the company warned customers of a bug that could be used to compromise servers running older versions of the database software, which is widely used to power Web sites and applications. "Microsoft opened an investigation for this vulnerability in April upon the initial report by the security researcher," said a company spokesman in an e-mail today. "We immediately started an investigation and have been working on this issue since that time," he added.

The researcher, Bernhard Mueller of SEC Consult Security, a Vienna-based security consulting company, went public with details of the vulnerability as well as exploit code on Dec. 9, apparently after tiring of Microsoft's lack of communication. According to Mueller, who posted his findings in an advisory on the SEC Consult site, as well as to prominent security mailing lists, the bug was reported to Microsoft on April 17, 2008, and Microsoft's last message to him was on Sept. 29.

After four requests for an update on a patch's status during October and November, Mueller disclosed the vulnerability. Mueller also said that Microsoft had informed him in September that it had completed a fix. The Microsoft spokesman didn't directly respond to a question about whether the company had a patch in hand, as Mueller claimed, but instead said, "At this time, security updates are not available for the affected versions listed in Microsoft Security Advisory 961040."
Posted December 26, 2008 by David Hale in Security News
By Joel Hruska
December 24, 2008 - 01:55PM CT

URL redirect notifications are often meant to serve as security measures, but at least one malware blackhat is exploiting these services and redirecting site visitors from the website they think they are about to visit to a spyware-infested haven.

That's bad enough on its own, but the as-yet-unknown assailant has also used search engine optimization to push the polluted redirectors higher in Google's search rankings. Part of the problem—a significant part—is that many companies/websites use open redirects that will cheerfully redirect incoming traffic to whatever URL they're asked to send it to, even if that traffic didn't originate within the host site.

When MySpace or Microsoft inform you that you're about to be redirected off their site, they don't perform any sort of check to see if that's a good place for you to be going. That lack of security is now turning out to be a problem. According to security researcher Gary Warner, an attacker can first seed infected links across a wide variety of blogs, guestbook entries, forum posts, and false stories.

Since the links reference prominent websites that already hold high Google ranks, the false posts themselves are more likely to be presented as initial results. The malware hook, in this case, is double-baited. By using a popular set of keywords (say, World of Warcraft) and attaching them to an IBM redirect, our spammer has built himself a nifty trap. If all goes well, misdirected search traffic begins to flow into whatever domain the blackhat has devoted to that purpose.
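As an added illustration (not code from the article or from any of the sites it names), here is the weak redirect behaviour described above beside a hardened handler that only honours same-site destinations. The allowed host names, the fallback path and the function names are assumptions for this example.

```python
from urllib.parse import urlparse, urljoin

# Assumed site hosts and fallback landing page (constructed for this example).
ALLOWED_HOSTS = {"www.example.com", "example.com"}
FALLBACK = "/"


def open_redirect(target: str) -> str:
    """The weak form the article describes: whatever the 'target' parameter
    says, the visitor is sent there, so any third party can craft a link that
    bounces off this site and borrows its reputation."""
    return target


def safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS, fallback=FALLBACK) -> str:
    """Hardened form: only destinations on our own site are honoured and they
    are normalised to a site-relative path. Anything that could leave the site
    (absolute URLs to other hosts, protocol-relative '//evil', userinfo tricks
    like 'ours@evil', backslashes, control characters, non-http schemes)
    collapses to the fallback page."""
    if not target or any(ord(c) < 0x20 or c == "\\" for c in target):
        return fallback
    parsed = urlparse(target)
    # Reject every scheme except http(s); this also drops javascript:/data: URLs.
    if parsed.scheme and parsed.scheme.lower() not in ("http", "https"):
        return fallback
    if parsed.netloc:
        # Absolute or protocol-relative URL: the host must be ours and the
        # authority must not carry user@ information that hides the real host.
        host = parsed.hostname or ""
        if "@" in parsed.netloc or host.lower() not in allowed_hosts:
            return fallback
        path = urljoin("/", parsed.path or "/")
        return path + ("?" + parsed.query if parsed.query else "")
    # No authority part: require exactly one leading slash so '//' cannot
    # be reinterpreted by the browser as a host.
    if not target.startswith("/") or target.startswith("//"):
        return fallback
    return target


if __name__ == "__main__":
    # Constructed sample 'goto' values of the kind an abused redirector sees.
    samples = [
        "/account/settings",
        "http://www.example.com/help?topic=1",
        "//evil.example.net/",
        "http://www.example.com@evil.example.net/",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{s!r:45} open -> {open_redirect(s)!r:40} safe -> {safe_redirect(s)!r}")
```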
Posted December 24, 2008 by David Hale in Security News
By Elinor Mills
December 23, 2008, 11:00 AM PST

Consumers continued to face online threats to their personal data and finances in 2008, from bigger, badder botnets to scams exploiting the economic downturn to more security holes in trusted sites.

But some quick action on the part of a security researcher and collaboration among Microsoft, Cisco Systems, and other companies in simultaneously releasing patches for a major flaw in an important protocol likely prevented a major attack on the Internet.

Dan Kaminsky, director of penetration testing for IOActive, warned security software vendors in a secret meeting in March about the problem with the Domain Name System, which translates Web addresses into numerical Internet Protocol addresses. And on July 8 vendors released their patches in an unprecedented, synchronized effort.

While the efforts may have staved off a complete shutdown of the Internet, the flaw was still exploited in small, random attacks after the patches were released, Kaminsky said in August. Meanwhile, popular sites like Facebook became attractive targets for virus writers.

Posted December 23, 2008 by David Hale in Security News
By Joel Hruska
December 23, 2008 - 05:14AM CT

The ISP shutdowns of 2008 may have cut the overall amount of spam flooding across the Internet, but the largest share of the world's malware is still being hosted right here in the United States. According to the most recent Sophos report, the US hosts 37 percent of all malware sites followed by China (27.7 percent) and Russia (9.1 percent).

Despite the well-publicized Atrivo and McColo cutoffs, the US share of total malware rose from 23.4 percent in 2007 to 37 percent in 2008, while China's share dropped by nearly 50 percent, from 51.4 to 27.7 percent. Other malware trends in 2008 include a rise in infected e-mail attachments. In 2005, 1 in every 44 e-mails carried a viral attachment, but that ratio had fallen to 1 in 909 in 2007.

This year, the number of attached payloads rose—1 in 714 e-mails was infected—though this may represent little more than a blip on the long-term radar. Botnet masters and their ilk also continued to play on current events; both the Obama campaign and the September financial crisis on Wall Street were targeted by spammers pretending to offer access to vital information or "secret" data. At least one Trojan—Mal/Hupig-D—managed to gain a foothold for itself by purporting to offer a link to porn starring President-elect Obama.

Unfortunately, the botnet master opted not to run identical campaigns for Obama, Biden, Palin, and McCain, thus preventing (or saving) us from having access to a very disturbing data set. Scareware and fakeware antivirus programs were also big in the latter half of the year, but this is one trend that may have a short lifespan. The FTC has filed complaints against such companies, and Microsoft has pledged its own considerable resources toward fighting the scareware malaise.
Posted December 23, 2008 by David Hale in Security News
by Steven Musil
December 22, 2008 8:15 PM PST

Microsoft issued an advisory late Monday confirming a remote code execution vulnerability affecting its SQL Server line. The vulnerability affects Microsoft SQL Server 2000, Microsoft SQL Server 2005, Microsoft SQL Server 2005 Express Edition, Microsoft SQL Server 2000 Desktop Engine (MSDE 2000), Microsoft SQL Server 2000 Desktop Engine (WMSDE), and Windows Internal Database (WYukon).

Not affected by this issue, Microsoft said, are systems with Microsoft SQL Server 7.0 Service Pack 4, Microsoft SQL Server 2005 Service Pack 3, and Microsoft SQL Server 2008. From Microsoft's advisory:

Microsoft is aware that exploit code has been published on the Internet for the vulnerability addressed by this advisory. Our investigation of this exploit code has verified that it does not affect systems that have had the workarounds listed below applied. Currently, Microsoft is not aware of active attacks that use this exploit code or of customer impact at this time.

In addition, due to the mitigating factors for default installations of MSDE 2000 and SQL Server 2005 Express, Microsoft is not currently aware of any third-party applications that use MSDE 2000 or SQL Server 2005 Express which would be vulnerable to remote attack. However, Microsoft is actively monitoring this situation to provide customer guidance as necessary.
Posted December 22, 2008 by David Hale in Security News
By Gregg Keizer
December 22, 2008

Microsoft Corp.'s developers missed a critical bug in Internet Explorer because they weren't properly trained and didn't have the right testing tools, a noted proponent of the company's secure code development process acknowledged last week.

The bug, which Microsoft patched last week with an emergency update, had gone undetected for at least nine years. In an insider's description on Microsoft's Security Development Lifecycle blog, Michael Howard, a principal security program manager at the company, offered a postmortem analysis of the IE vulnerability and Microsoft's code-writing and reviewing process.

Howard, who is perhaps best known for co-authoring the book Writing Secure Code, said the flaw was a "time-of-check-time-of-use" bug in how IE releases data binding objects. The vulnerability was not found by programmers because they had not been told or taught to look for them in such cases, Howard said. "Memory-related [time-of-check-time-of-use, or TOCTOU] bugs are hard to find through code review," he said.

"We teach TOCTOU issues, and we teach memory corruption issues, and issues with using freed memory blocks; but we do not teach memory-related TOCTOU issues." Microsoft's testing tools -- including "fuzzers," which are automated tools that drop data into applications, file formats or operating system components to see if and where they fail -- also missed the bug, Howard acknowledged.
Posted December 17, 2008 by David Hale in Security News
By Egan Orion
17 December 2008, 12:39

SMUG FIREFOX users snickering as they watch Microsoft's scramble to patch Internet Exploder's critical zero-day security vulnerability can wipe those smiles off their faces and get to updating. Mozzarella has just unleashed Firebadger 3.0.5, which fixes three critical security flaws in the leading open sauce web browser.

This latest release addresses eight Firefox security advisories in all. Three vulnerabilities are labeled critical flaws. Mozilla says those "can be used to run attacker code and install software, requiring no user interaction beyond normal browsing." Those are described as XSS vulnerabilities in SessionStore, XSS and JavaScript privilege escalation and Crashes with evidence of memory corruption.

Of the other five patches, one is labeled high impact and a second is tagged as moderate impact, whilst the other three fix minor, low impact vulnerabilities. The Firefox update service will offer to download version 3.0.5, or users can download the new release from Mozilla's website and install it manually.
Posted December 17, 2008 by David Hale in Security News
by Ryan Naraine
December 16th, 2008 @ 11:33 am

Microsoft is planning to ship an emergency Internet Explorer update tomorrow (December 17) to counter an escalating wave of malware attacks targeting a zero-day browser vulnerability. The out-of-band update, which will be rated critical, follows the public discovery of password-stealing Trojans exploiting the bug on Chinese-language Web sites.

Over the past week, the attacks have expanded with hackers using SQL injection techniques to seed exploits on legitimate Web sites. This will be the second out-of-band update from the MSRC (Microsoft Security Response Center) in the last two months. Back in October, the company shipped MS08-067 to plug an extremely critical worm hole that affected Windows 2000, Windows XP and Windows Server 2003.

The IE patch will be available for all supported versions of the browser. According to this pre-patch advisory from Microsoft, the in-the-wild attacks have targeted IE 7 on Windows XP SP2 and SP3, Windows Server 2003 SP1 and SP2, Windows Vista (including SP1) and Windows Server 2008. The actual flaw exists in the way IE handles DHTML Data Bindings:

Malicious HTML that targets this vulnerability causes IE to create an array of data binding objects, release one of them, and later reference it. This class of vulnerability is exploitable by preparing heap memory with attacker-controlled data (“heap spray”) before the invalid pointer dereference.
Posted December 15, 2008 by David Hale in Security News
by Jessica Dolcourt
December 15, 2008 3:00 AM PST

Lavasoft on Monday unveiled a new antivirus application it hopes will do as well as its runaway hit Ad-Aware. The encore, Lavasoft Anti-Virus Helix, is Lavasoft's first full-fledged antivirus application, following the tracks of the company's popular adware and spyware-sniffer, as well as a lesser-known file shredder, firewall, and registry cleaner.

Lavasoft Anti-Virus Helix shares the most sought-after components of antivirus apps: malware blockers, on-the-fly detection, a scanner, malware removal, and protection from e-mail viruses and Web threats. It offers full system scanning and, in addition, lets you pick from preset scans or create a profile to scan a smaller portion of your PC, for instance, just your "C" drive.

Lavasoft's new antivirus app performed well in our tests. It beeped when encountering a suspicious file and wouldn't budge until we ignored, deleted, or quarantined it. While a good practice, the need to babysit the scan could undo the benefit of any overnight scans you schedule. Lavasoft Anti-Virus Helix lets you do any number of things with the data, including print, save, and send reports. However, it could use an internal browser to look up information online about discovered threats.

Other extras can be found in the app's configuration menu. When you elect to enter expert mode, you'll be able to turn on rootkit scanning, scan outgoing e-mail messages, and specify MIME types to block (simplistically, any area of an e-mail where malware can hitch a ride). We appreciate being able to add suspicious files from the quarantine interface.