April 5, 2005

Firefox Vulnerability Puts Personal Information At Risk

A vulnerability has been discovered in the Firefox Web browser that could be exploited by malicious people to gain knowledge of potentially sensitive information, according to an advisory from security research firm Secunia.

The vulnerability comes less than six weeks after the Mozilla Foundation released a security update to the Firefox browser that included several fixes to guard against spoofing and arbitrary code execution.

"The vulnerability is caused due to an error in the JavaScript engine, as a 'lambda' replace exposes arbitrary amounts of heap memory after the end of a JavaScript string," said the Secunia advisory.

The vulnerability has been confirmed in versions 1.0.1 and 1.0.2. Other versions may also be affected.

Secunia has released an online test to allow Firefox and Mozilla users to determine if they are affected by the bug. The advisory said the immediate solution is to disable JavaScript support.

Browser vulnerabilities are not at all unusual, as Secunia's extensive online library of advisories about Firefox, Internet Explorer, Safari and others shows. In fact, Jupiter Research analyst Joe Wilcox told TechNewsWorld that vulnerabilities are just "part of the ballgame."

"Flaws will be found because flaws exist and that's going to be true for any Web browser," Wilcox said. "The real question over time is whether the Mozilla folks can keep up with finding problems and then deploying patches in the most efficient manner."

Secunia's online test for the bug is available via its Web site. [from linuxinsider]

April 8, 2005

'Windows Update' Spoof Delivers Trojan Horse

Security firm Sophos released a bulletin today warning users of an e-mail which purports to contain links to Microsoft's Windows Update service, but instead delivers a spoofed site that delivers a trojan to the client machine.

Instead of simply inserting links into the e-mail, the author has gone to great lengths to make it look like the real deal, all the way down to the graphics used by Microsoft for its own Windows Update site.

With a subject line of "Update your windows machine", "Urgent Windows Update", or "Important Windows Update", it has fooled many users into installing the trojan onto their machine. The e-mail address has been spoofed to be update@microsoft.com and will appear as "Windows Update" in the From: field.

Unwitting users that click on the link are infected by a Trojan (Troj/DSNX-05), which allows a third-party to gain control of the system and steal data.

Graham Cluley, senior technology consultant for Sophos underscores the severity of this threat. He states, "This criminal campaign exploits the public's rising paranoia about the security of their Windows computers. If users fall for it they may put themselves at risk of being spied upon or having their credit card and online banking details stolen."

GeekCoffee reminds users to NEVER click on unsolicited links sent through e-mail, especially when they concern downloads to your computer or financial information. Always type the address of the site you are trying to reach yourself.
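The lure described above works because the displayed sender and the displayed link text say "Microsoft" while the actual link target does not. As an added example that is not part of the original post, the following Python applies the checks a mail gateway or a cautious user would make: does every link host belong to the sender's domain, does the visible link text agree with the real target, and does the link deliver an executable. The sample message is constructed for the example; the attacker host in it is a placeholder, not the real campaign's URL.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample mimicking the lure described in the post. The link
# target is a placeholder attacker host, not the real campaign's address.
SAMPLE_MAIL = """\
From: "Windows Update" <update@microsoft.com>
To: victim@example.org
Subject: Urgent Windows Update
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body>
<img src="http://www.microsoft.com/windowsupdate/logo.gif">
<p>A critical update is available for your computer.</p>
<p><a href="http://windowsupdate.example-attacker.net/update.exe">
http://windowsupdate.microsoft.com</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _registrable(host):
    # Crude "last two labels" approximation of the registered domain; adequate
    # for the .com/.net style hosts used here, not for ccTLDs like .co.uk.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def phishing_indicators(raw_message):
    """Return a list of reasons the message looks like a sender/link spoof."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower()
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    collector = _LinkCollector()
    collector.feed(html)

    reasons = []
    for href, text in collector.links:
        link_host = urlparse(href).hostname or ""
        # 1. The link points somewhere the claimed sender does not control.
        if _registrable(link_host) != _registrable(sender_domain):
            reasons.append(f"link host {link_host!r} does not belong to sender domain {sender_domain!r}")
        # 2. The visible URL text disagrees with the real target.
        shown = urlparse(text).hostname if "://" in text else None
        if shown and _registrable(shown) != _registrable(link_host):
            reasons.append(f"link text shows {shown!r} but points at {link_host!r}")
        # 3. The link hands the user an executable directly.
        if href.lower().endswith((".exe", ".scr", ".pif", ".com", ".bat")):
            reasons.append(f"link delivers an executable: {href!r}")
    return reasons


if __name__ == "__main__":
    for reason in phishing_indicators(SAMPLE_MAIL):
        print("SUSPICIOUS:", reason)
```

A spoofed From: address by itself proves nothing, which is why the checks compare the sender claim against the link targets rather than trusting either; genuine Windows Update mail would never link to an executable on a third-party host.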

April 25, 2005

Nopir Worm Targets P2P Networks and MP3 Files

SophosLabs reported earlier today that their analysis center has discovered a worm which takes the law into its own hands against P2P music and video sharing networks.

The W32/Nopir-B worm, which appears to have originated in France, spreads via peer-to-peer file-sharing systems posing as a hacked utility to make copies of commercial DVDs. However, in reality it displays an anti-piracy graphic, and attempts to delete all MP3 music files, disable various system utilities, and wipe .COM programs on the infected PC.

"The internet is swamped with people pirating movies and music, costing the entertainment industry millions each year. The Nopir-B worm targets people it believes may be involved in piracy, but fails to discriminate between the true criminals and those who may have MP3 files they have created themselves," said Graham Cluley, senior technology consultant for Sophos. "Whichever side of the fence you come down on in regards to internet piracy, there's no debate about the criminal nature of this worm - designed to inflict malicious damage on people's Windows computers."

Internet pirates who have illegally distributed music files, movies and TV shows have been in the news recently as ISPs have been ordered in a number of cases to provide identifying details of the individuals responsible so prosecutions can be brought against them. Last month, a Canadian man lost his job after it was found he had leaked the first episode of the eagerly anticipated BBC science fiction series "Doctor Who" onto the internet three weeks before its official broadcast.

Although Sophos has received only a small number of reports of the worm, it recommends that computer users ensure their anti-virus software is up-to-date, and that companies protect themselves with a consolidated solution which can defend them from the threats of both spam and viruses.

April 30, 2005

Top 10 Viruses For April 2005

Sophos recently published a report revealing the top ten viruses and hoaxes causing problems for business and home users around the world for April 2005. Sophos collects data from their global network of monitoring stations and compiles reports and bulletins for security notifications.

Their report showed that the top virus, Zafi-D, accounted for 46.6% of all viruses reported, making this its fifth month at the top of the charts. In addition to this data, Sophos also reported that for the month of April, 2.2% of all e-mails were viral.

The top ten viruses in April 2005 were as follows:

1 W32/Zafi-D 46.6%
2 W32/Netsky-P 20.6%
3 W32/Zafi-B 4.5%
4 W32/Netsky-D 4.5%
5 W32/Netsky-Z 2.5%
6 W32/Netsky-B 2.4%
7 W32/Mytob-Z 1.3%
8 W32/MyDoom-O 1.2%
9 W32/Netsky-C 1.1%
10 W32/Netsky-Q 1.0%
Others 14.3%

Carole Theriault, security consultant at Sophos said,

"Old viruses are still taking advantage of poorly protected computers in April. The Zafi family of viruses accounts for over 50.0% of all the viruses reported to Sophos in the last month. Perhaps the success of these worms lies in their ability to spread in multiple languages, catching out unwary users all over the world. Users should not only be suspicious of unsolicited email in any language, they should also be ensuring up-to-date anti-virus protection is in place to thump this virus family on the head."

"Although Mytob-Z only accounts for a small percentage of the top ten reports, it is the only new worm that has managed to break into the stronghold of old threats," continued Theriault. "First sighted in mid-April, Mytob-Z is a nasty piece of work - not only does it spread ferociously, but it plants a backdoor Trojan horse which can be used by remote hackers to gain access and control over a victim's computer. The computer can then be spied upon or used to send spam or launch denial of service attacks."

May 2, 2005

600+ Vulnerabilities in Q1 2005 According to SANS

According to a study published Monday by the SANS Institute, more than 600 new security vulnerabilities cropped up in the first three months of 2005. Although Microsoft leads the top 20 most critical security issues, hackers are turning their attention to third party software such as media players and databases.

Vulnerabilities in Internet Explorer, Windows Logon and Microsoft's PNG file handling topped the new list, although Computer Associates and antivirus software from McAfee, Trend Micro, Symantec and more were also susceptible to attack.

"These critical vulnerabilities are widespread and many of them are being exploited, right now, in our homes and in our offices," said Alan Paller, director of research for the SANS Institute. "We're publishing this list as a red flag for individuals as well as IT departments."

Media players have also become a way for attackers to compromise a system. Windows Media Player, RealPlayer, Apple's iTunes, and Winamp were each open to buffer overflow vulnerabilities in 2005, with the flaws being exploited in the wild.

SANS says the new list represents only security vulnerabilities found or patched in Q1 2005. Although SANS usually issues a yearly Top20 list, the group has moved to quarterly updates to aid organizations in recognizing potential security issues that could affect them.

"Too many people are unaware of these vulnerabilities, or mistakenly believe their computers are protected," said Paller.

May 4, 2005

Soccer Fans "Sober" After Opening Free Ticket E-Mail

Soccer fans all over the world are being lured in by a new variant of the infamous Sober virus. The virus, which is being sent out in both German and English, promises free tickets to the 2006 World Cup, and once the user opens the attachment it mass-mails itself to others.

The virus arrives as an attachment in messages whose sender addresses are forged to appear to come from the fifa.de domain, and the resulting traffic has clogged FIFA's own e-mail system, stopping it from sending out e-mails as well. Because the worm is packaged inside a .zip file rather than sent as a bare executable, it can slip past mail filters that only block executable attachments.

According to Graham Cluley, senior technology consultant for Sophos, the worm can use a variety of different subject lines and message bodies.

"Many people will be eager to attend one of the biggest sporting events in the world next year, and may think it is worth the risk of opening the e-mail attachment just in case the prize is for real," Cluley said.

May 6, 2005

Symantec Research Labs Creates New Worm Simulator

When a new worm spreads around the world, people want to know if they are protected. How fast is it? How does it spread? A new simulation program developed by Symantec Research Labs not only has the answers, it also provides pictures.

The new Symantec Worm Simulator visually demonstrates how worms spread through the Internet, and how they fare against a custom network and security policy.

The Worm Simulator is a substantially updated version of the VBSim program released in 1997. VBSim was the first program to “show” the spread of a virus to Symantec customers. The new Worm Simulator takes VBSim to another level, enabling custom configuration of new worm simulations, configuration of custom networks and protection policy, and incorporates impressive new three-dimensional graphics.

Two simple windows are shown to the user. On the left side is a large rotating globe. This globe depicts the Internet as a whole. Small dots appear on the globe to show the infection spreading. The dots can be configured to represent the entire Internet population, or only the machines on the Internet that are vulnerable to the particular worm.

On the right side of the simulator is a window depicting an individual network, complete with desktop machines, workgroups, and larger company subnets. A simulation can have a custom network topology and security policy. For example, a simulation can specify how quickly machines are patched, whether security software is running on a particular machine, where firewalls are located, and how often users open email attachments.

To use the Worm Simulator, all users need to do is load a simulation file and click “play.” The Worm Simulator is distributed with simulations of six actual worms: MyDoom, Netsky, Sasser, Slammer, Blaster, and SoBig. Each simulation is tailored to accurately represent how the real worm spread in the wild. As the worm spreads, nodes in the network and on the globe start turning colors. Symantec Yellow represents patched and secure machines, while red indicates an infected machine. The SoBig virus simulation, for instance, quickly shows one corporate network turning red, while a different company turns yellow. The yellow company has more machines that are patched or running security software, and are therefore resistant to the worm.

As entirely new worms appear in the wild, simulations of these worms can be constructed to demonstrate the worm's characteristics to users.

The Worm Simulator will be rolled out initially to members of the Symantec Sales organization for demonstrations to enterprise customers. In addition, the Worm Simulator could become a future television star during news coverage of worm outbreaks, enabling viewers to watch a virus as it spreads. Symantec Security Response intends to use the simulator for TV appearances as well.

The simulator is accompanied by documentation on how to run the simulator as well as six worm simulations. These simulations include four networks, each with a different security policy. The networks are described in detail in the documentation.

May 9, 2005

Secunia Finds New Firefox Security Exploits

Firefox seems to be running into more and more security vulnerabilities as the Mozilla Foundation's browser becomes a serious contender to Microsoft's Internet Explorer. Security research company Secunia found two new vulnerabilities that can be exploited to conduct cross-site scripting attacks and, in combination, to compromise a user's system.

The Mozilla Foundation stated that it is aggressively working to provide a better solution to security vulnerabilities as well as a more convenient way to publish updates to users. A temporary fix to the current vulnerabilities is to disable JavaScript.

According to Secunia, the first problem is that "IFRAME" JavaScript URLs are not properly protected from being executed in the context of another URL in the history list. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an arbitrary site. The second is that input passed to the "IconURL" parameter in "InstallTrigger.install" is not properly verified before being used. This can be exploited to execute arbitrary JavaScript code with escalated privileges via a specially crafted JavaScript URL.

A combination of the vulnerabilities can be exploited to execute arbitrary code. Secunia also claims that the exploit code is publicly available, and has been confirmed to work with Firefox 1.0.3.

June 1, 2005

New Bagle Variant Spreads Quickly Via Email

MessageLabs, which provides business-level security and management services, has discovered a new variant of the prolific Bagle worm. It appears to have originated from a Yahoo group, and MessageLabs alone has intercepted over 70,000 copies of the virus.

Once a user opens the file attached to the e-mail, the Bagle downloader installs a trojan that attempts to fetch the worm proper from a number of locations. Bagle then harvests the e-mail addresses found on the computer and forwards itself to them to infect more machines. As always, never open attachments from unknown sources, and use good judgment when opening attachments from known contacts.

November 2, 2005

Sony DRM Installs Rootkit on Windows Machines

DRM software included on some Sony CDs includes a monitoring utility that is difficult to discover, almost impossible to remove and offers an easy hiding place for malicious code. Mark Russinovich, writing in the Sysinternals blog, details how he uncovered rootkit code on his computer that originated from a Sony music CD he owned.

A rootkit installs itself into Windows in such a way that the operating system's own file, Registry and process listings omit whatever the rootkit chooses to hide. As a result, any files the rootkit protects remain invisible from within Windows. Rootkits are increasingly used by virus writers to hide the activities of their code and now, it seems, by major music publishers as well.


Once a CD protected by Sony's DRM is played in a PC, an End User Licence Agreement is presented to the user which defines the terms of use of the CD and must be accepted. But it fails to include any details of the rootkit, and the installation of this code, which follows, happens without the user's permission.

'I didn't find any reference to it in the Control Panel's Add or Remove Programs list, nor did I find any uninstall utility or directions on the CD or on [the software vendor's] site. I checked the EULA and saw no mention of the fact that I was agreeing to have software put on my system that I couldn't uninstall. Now I was mad,' writes Russinovich.

Getting rid of the rootkit proved nigh impossible and caused further problems, according to Russinovich. 'When I logged in again I discovered that the CD drive was missing from Explorer. Deleting the drivers had disabled the CD. Now I was really mad.'

'Not only had Sony put software on my system that uses techniques commonly used by malware to mask its presence, the software is poorly written and provides no means for uninstall. Worse, most users that stumble across the cloaked files with a RKR scan will cripple their computer if they attempt the obvious step of deleting the cloaked files,' he concluded.

Finnish security company F-Secure warned that the poorly written code also creates a safe house for malicious software. In his investigation, Russinovich noticed that the rootkit's 'cloaking code hides any file, directory, Registry key or process whose name begins with "$sys$". To verify that I made a copy of Notepad.exe named $sys$notepad.exe and it disappeared from view.'

F-Secure tested this and confirmed the claim. 'The system is implemented in a way that makes it possible for viruses (or any other malicious program) to use the rootkit to hide themselves too. This may lead to a situation where the virus remains undetected even if the user has updated antivirus software installed,' said Mikko Hyppönen, Chief Research Officer.
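Russinovich's notepad test generalises into a cross-view check: a cloaking driver that filters directory listings still has to let the hidden files be opened by exact name, otherwise the cloaked software itself could not run. The Python below, an added example that is not part of the original article or of Sysinternals' tools, creates a probe file with the "$sys$" prefix and compares what directory enumeration reports against a direct open of the same name. It assumes the cloak behaves as described in the post (hiding from enumeration but not from open-by-name); a clean system returns False.

```python
import os
import tempfile

# Prefix the Sony/First 4 Internet driver cloaked, per Russinovich's write-up.
CLOAK_PREFIX = "$sys$"


def hidden_entries(enumerated, probed):
    """Names that a direct probe found but directory enumeration omitted.

    This is the core of a cross-view rootkit check: two ways of asking the
    OS the same question should agree, and any disagreement is the rootkit.
    """
    return set(probed) - set(enumerated)


def cloaking_detected(directory, prefix=CLOAK_PREFIX):
    """Create a probe file carrying the cloaked prefix, then ask whether the
    directory listing shows it while a direct open of the exact name works.
    Returns True if the two views disagree (enumeration filtered)."""
    name = prefix + "cloak_probe.tmp"
    path = os.path.join(directory, name)
    with open(path, "w") as f:
        f.write("probe")
    try:
        enumerated = os.listdir(directory)          # high-level view
        probed = []
        try:
            with open(path) as f:                    # direct open-by-name
                if f.read() == "probe":
                    probed.append(name)
        except OSError:
            pass
        return bool(hidden_entries(enumerated, probed))
    finally:
        # Deleting a cloaked probe is safe; it is our own file, not a driver.
        os.remove(path)


if __name__ == "__main__":
    target = tempfile.gettempdir()
    print(f"cloaking of {CLOAK_PREFIX!r} names in {target}: {cloaking_detected(target)}")
```

The check deliberately deletes only the probe it created. As Russinovich warns above, deleting cloaked files that belong to the driver itself can cripple the machine, so a positive result should lead to a proper uninstall, not to removing whatever else turns up with the prefix.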

January 4, 2006

Microsoft To Issue Fix for WMF Flaw

Microsoft says it has come up with a fix for the vulnerability exposed in the graphics rendering engine between Christmas and the New Year.

The fix addresses a flaw that allows a specially crafted Windows Metafile (.wmf) image to execute code and take control of a PC simply by being rendered. The situation is worsened by the fact that source code for the exploit has been published on the Internet, and that malware exploiting the flaw changes itself as it replicates, making it harder to detect with traditional signature-based security software.


Microsoft says that its own security swat team has come up with a security update for the vulnerability and plans to release the update on 10 January - the first 'Patch Tuesday' of the year.

The update will be released worldwide simultaneously in 23 languages for all affected versions of Windows and will be available through all the usual channels including the Download Centre, Microsoft Update and Windows Update. The company also says that subscribers to Windows' Automatic Updates feature will get the fix automatically.

While the Windows community is anxious that unpatched machines may remain vulnerable for almost another week, Microsoft is keen to assure everyone that it is not being complacent. The company says it has been carefully monitoring attempted exploitation of the WMF vulnerability since it became public, and that while it regards the issue as 'serious' and recognises that malicious attacks are being attempted, the attacks are not widespread.

In the meantime, the company points out that machines can only be infected by opening maliciously crafted links on web pages or in e-mails, and warns users to be extra careful. The company also says that the feedback it is getting from anti-virus companies indicates that attacks exploiting the WMF vulnerability are being mitigated through up-to-date signatures.
[via PCPro]
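The vulnerability fixed by MS06-001 lay in GDI's handling of the SETABORTPROC escape (escape function 9) carried in a META_ESCAPE record, which let a metafile hand the rendering engine code to run. Because the malware built on it mutates as it replicates, a structural check for that record is more robust than a payload signature. The following Python is an added example, not part of the original article or of any vendor's product: it walks the WMF record stream and flags any file carrying a SETABORTPROC escape, treating malformed files as suspicious too. The two sample metafiles are constructed in the code; the escape payload is filler bytes, not an exploit.

```python
import struct

PLACEABLE_KEY = 0x9AC6CDD7   # optional Aldus placeable header magic
META_EOF = 0x0000
META_ESCAPE = 0x0626
META_SETMAPMODE = 0x0103
ESC_SETABORTPROC = 0x0009    # the escape abused by the MS06-001 exploits


def iter_records(data):
    """Yield (function, params) for every record in a WMF, skipping the
    optional placeable header. Raises ValueError on malformed input."""
    off = 0
    if len(data) >= 22 and struct.unpack_from("<I", data, 0)[0] == PLACEABLE_KEY:
        off = 22
    if len(data) < off + 18:
        raise ValueError("truncated WMF header")
    file_type, header_words, _version = struct.unpack_from("<HHH", data, off)
    if file_type not in (1, 2) or header_words != 9:
        raise ValueError("not a WMF header")
    off += header_words * 2
    while off + 6 <= len(data):
        size_words, func = struct.unpack_from("<IH", data, off)   # size is in 16-bit words
        if size_words < 3:
            raise ValueError(f"record size {size_words} words too small at offset {off}")
        end = off + size_words * 2
        if end > len(data):
            raise ValueError(f"record at offset {off} runs past end of file")
        yield func, data[off + 6:end]
        if func == META_EOF:
            return
        off = end
    raise ValueError("missing META_EOF record")


def escape_records(data):
    """Return (escape_function, byte_count) for every META_ESCAPE record."""
    found = []
    for func, params in iter_records(data):
        if func == META_ESCAPE and len(params) >= 4:
            found.append(struct.unpack_from("<HH", params, 0))
    return found


def is_suspicious(data):
    """True if the metafile carries a SETABORTPROC escape or cannot be parsed.
    Malformed files are flagged because in-the-wild WMF exploits commonly
    used bogus record sizes to reach the vulnerable code path."""
    try:
        return any(esc == ESC_SETABORTPROC for esc, _ in escape_records(data))
    except ValueError:
        return True


def _record(func, params=b""):
    if len(params) % 2:
        raise ValueError("WMF record parameters must be an even number of bytes")
    return struct.pack("<IH", 3 + len(params) // 2, func) + params


def build_wmf(records):
    """Assemble a minimal in-memory WMF (type 1) from pre-built records."""
    all_records = list(records) + [_record(META_EOF)]
    body = b"".join(all_records)
    max_words = max(len(r) // 2 for r in all_records)
    header = struct.pack("<HHHIHIH", 1, 9, 0x0300, (18 + len(body)) // 2, 0, max_words, 0)
    return header + body


# Constructed samples for the example, not files from the real campaigns.
BENIGN_WMF = build_wmf([_record(META_SETMAPMODE, struct.pack("<H", 8))])
MALICIOUS_WMF = build_wmf([
    _record(META_ESCAPE, struct.pack("<HH", ESC_SETABORTPROC, 8) + b"\xCC" * 8),  # filler, not shellcode
])

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_WMF), ("setabortproc", MALICIOUS_WMF)):
        print(f"{label}: suspicious={is_suspicious(blob)} escapes={escape_records(blob)}")
```

SETABORTPROC has no legitimate use inside a stored image file (it only makes sense for a live printing job), so flagging its mere presence costs nothing in false positives on real picture content; a mail gateway or proxy can apply this gate to .wmf attachments and to image downloads regardless of extension, since GDI identified the format by content rather than by file name.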

February 3, 2006

Russian Hacker Groups Sold .wmf Exploits

Moscow-based Kaspersky Labs claims exploits for the .wmf vulnerability that emerged over the Christmas period were being sold on the virus underground by Russian hacker groups for $4,000. Kaspersky claims in its Malware Evolution report for the last quarter of 2005 that 'it seems that two or three competing hacker groups from Russia were selling this exploit for $4,000.

Interestingly, the groups don't seem to have understood the exact nature of the vulnerability. One of the purchasers of the exploit is involved in the criminal adware/ spyware business, and it seems likely that this was how the exploit became public.'


It claims that the flaw which was only patched by Microsoft in early January was probably first discovered at the start of December, and by a virus writer rather than a security researcher.

If true, this challenges the disclosure argument. Those that made the information on the flaw and exploit code public were slammed by Microsoft and the security community at the time. But if that information had been kept strictly within hacking circles, Microsoft may not have even heard of the problem while its customers were being infected with viruses.

And there's nothing to indicate that Microsoft would have noticed. The flawed .wmf technology was introduced into Windows 3.0 in early 1990.

Indeed, the report says that information on the flaw was not passed on to security companies such as eEye Digital or iDefence and that they in turn were not aware of it as the exploit was being developed specifically for the Russian market.

'The hacker groups didn't understand exactly how the vulnerability functions, and ... the exploit was created in order to be sold on to cyber criminals,' it reads.

But the cyber criminals were quick off the mark. After the middle of December, when the exploit could be bought on the virus underground, trojans and later e-mail worms were on the loose taking advantage of the hole, which had still to be patched. Recently chip maker AMD's support forums were compromised to launch a .wmf-based attack at visitors.

Such was the concern of the security community that many gave the unorthodox advice for users to install a patch made available by Windows expert Ilfak Guilfanov, rather than wait for Microsoft to fix it. Microsoft patched the vulnerability 6 January.
[via PCPro]

July 15, 2006

McAfee Inadvertently Fixes Flaw in ePolicy

McAfee said yesterday that it had fixed a serious flaw in ePolicy Orchestrator Common Management Agent without realizing it. The ePolicy Orchestrator is used to manage security software installed on over 40 million computers, mostly used in large organizations. The flaw was said to result in the full compromise of targeted computers by an attacker.

"It is certainly one of the most serious issues that we have come across," John Viega, vice president and chief security architect at Santa Clara, Calif.-based McAfee said in an interview.


July 22, 2006

MySpace Adware Strikes Over 1 Million Users

Over one million users of MySpace were infected with adware via a banner ad for 'deckoutyourdeck.com' in the past few weeks, according to iDefense, a computer security group. The ad exploited the well-known flaw in the way Internet Explorer handles WMF images.

Unpatched machines are particularly vulnerable. Merely visiting a page with the deckoutyourdeck.com banner ad causes a download of a Trojan horse program. Those who have installed the patch see a prompt asking to download a file called "exp.wmf" when visiting a page with the advertisement.


