Wednesday, July 18, 2007

Daily Highlights

The Washington Post reports air travelers should not expect authorities to ease restrictions on gels and liquids in carry-on luggage until sometime next year when new technology may give screeners the ability to more easily spot potential explosives in bags. (See item 12)

According to a U.S. intelligence estimate released Tuesday, July 17, the al Qaeda terrorist network has regained enough strength to pose the largest part of a persistent and evolving terrorist threat to the United States over the next three years. (See item 35)

Information Technology and Telecommunications Sector

31. July 17, VNUNet — Cross-browser Firefox/IE flaw worsens. The browser flaw that allows attackers to hijack a computer by using Internet Explorer (IE) to launch Firefox is affecting other applications as well. Security researchers Nate McFeters, Billy Rios and Raghav Dube have disclosed information and working exploit code for a similar vulnerability in Trillian. Like the Firefox attack, the Trillian exploit uses a Uniform Resource Identifier (URI) function as the point of attack. The URI allows the browser to launch a third-party application on the user's system in much the same way that a URL is used to access a Web page. When the user visits a specially-crafted page, the application is launched and attack code is run to crash the application and execute code. The attack could be used to remotely install malware on a user's system. The researchers claim that, while this attack only affects AIM clients, any application that allows for URI access could be targeted with similar attacks.
Trillian vulnerability information provided by McFeters, Rios, and Dube:
http://www.xs-sniper.com/nmcfeters/Cross-App-Scripting-2.html
Source: http://www.vnunet.com/vnunet/news/2194362/cross-browser-flaw-expands

32. July 16, IDG News Service — Security firm: Don't use iPhone Web dialer. Security researchers at SPI Labs are warning iPhone users not to use a special feature that lets them dial telephone numbers over the Web using the iPhone's Safari browser. The feature was created to give iPhone users a simple way to dial phone numbers listed on Web pages, but according to SPI, the feature could be misused. Attackers could exploit a bug in this feature to trick a victim into making phone calls to expensive "900" numbers or even keep track of phone calls made by the victim over the Web, said Billy Hoffman, lead researcher with SPI Labs. The iPhone could even be stopped from dialing out, or set to dial out endlessly, he said. "Because this vulnerability can be launched from Websites, everybody who has an iPhone has the potential to get exploited," Hoffman said.
SPI Labs blog: http://portal.spidynamics.com/blogs/spilabs/archive/2007/07/16/SPI-Labs-advises-avoiding-iPhone-feature.aspx
Source: http://www.infoworld.com/article/07/07/16/Security-firm-says-to-not-use-iPhone-Web-dialer_1.html

33. July 16, ComputerWorld — Anonymous researcher boasts of building Mac worm. An anonymous security researcher claimed this weekend to have created a worm that exploits a vulnerability in the Mac OS X operating system which Apple Inc. missed in a May round of patches. A poster on the Information Security Sell Out blog said Sunday, July 15, that he or she had written a proof-of-concept worm "in a few hours" that exploits a variation of a vulnerability patched in May by Apple. According to the researcher, he or she exploited a still-unpatched bug in mDNSResponder, a component of Apple's Bonjour automatic network configuring service, in the worm's code. "This vulnerability, as with the ones fixed, gives remote root access," the researcher said. Apple's May security update, 2007-005, included a fix for the mDNS bug.
Information Security Sell Out blog:
http://infosecsellout.blogspot.com/2007/07/oh-look-apple-worm.html
Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9027179&intsrc=hm_list