Friday, July 27, 2007

Daily Highlights

The Los Angeles Times reports the early outbreak of West Nile virus-related illnesses in California this summer has claimed a second life, that of an 85-year-old man from Kern County. (See item 23)
ComputerWorld reports millions of documents, both government and private, containing sensitive and sometimes classified information are available on file sharing networks after being inadvertently exposed by individuals downloading P2P software on systems that held the data. (See item 34)
Information Technology and Telecommunications Sector

29. July 25, IDG News Service — Mozilla flaw attack code published. Mozilla is working on patching its Firefox browser after a hacker posted details of a flaw that could let criminals run unauthorized software on a victim's machine. The flaw lies in Firefox's URL handler component, which was also the source of another bug Mozilla disclosed Tuesday, July 24. This second flaw was disclosed Tuesday by Billy Rios and Nathan McFeters, security consultants with Verisign and Ernst & Young respectively. Like the first flaw, this one could be exploited by attackers to launch programs on the victim's PC without authorization, said Tyler Reguly, a security research engineer at nCircle Network Security. "They're both related to the URL handling process," he said. "It's just different errors within that handling process." Even though the code posted by Rios and McFeters can only be used to launch software that is already installed on a victim's PC, it could be very dangerous if used by criminals, Reguly said. "It's still letting you run any program that exists on the user's computer," he said. "You can make it do some fairly bad things. For example, having it use command-line FTP to download a malicious file off a server somewhere and then execute that file."
Rios' blog: http://xs--command-execution-in-firefox-2005/

30. July 25, ComputerWorld — Largest vendors account for fewer software flaws. Though it might not seem that way, the top 10 most vulnerable software vendors -- and, yes, that includes Microsoft Corp. -- are contributing a smaller percentage of all vulnerability disclosures per year compared to five years ago. That's according to an analysis by Gunter Ollmann, director of security strategies at IBM's Internet Security Systems X-Force team. Ollmann, who crunched vulnerability data gathered by X-Force between 2002 and 2006, said the overall percentage of security flaws disclosed by the most vulnerable software vendors dropped from 20.2 percent in 2002 to 14.6 percent during that period. Much of that decrease is likely the result of improved quality assurance and testing processes by the most vulnerable software vendors, Ollmann said. Most of their software packages have been through multiple versions and have been combed thoroughly for vulnerabilities by security researchers, Ollmann said. As larger vendors begin to do a better job of locking down their software, hackers and software researchers have begun focusing their attention on newer vendors and their applications, which has resulted in an overall increase in the number of vulnerabilities being reported, Ollmann said.

31. July 25, VNUNet — Password flaw hits Firefox and Safari. The latest versions of Firefox and Safari contain a password management security flaw that could allow certain Websites to access stored usernames and passwords. A message on the Full Disclosure mailing list warned that users who have either browser configured to remember passwords, and have JavaScript enabled, are at risk. Mozilla fixed a similar reverse cross-site scripting flaw in Firefox last November, but that earlier flaw was a lot more serious as it did not require JavaScript to be enabled. Heise Security has a demonstration of the vulnerability on its Website to allow users to determine whether they are vulnerable to the attack. However, some developers and commentators have questioned whether this constitutes a vulnerability in the browser, as it requires the attacker to be able to place malicious code on the Web server that holds the login form.
Heise Security demonstration: http://www.heise-
Source:-safari-password-flaw

32. July 24, Sydney Morning Herald (Australia) — Mobile phone spammer fined in Australia. A mobile phone marketing company has been fined almost $132,000 over spamming practices that affected thousands of people over the past 12 months. DC Marketing Europe, a company notorious for its "missed call" telemarketing schemes, has been fined by the Australian Communications and Media Authority for breaching the Spam Act in July and August last year, by sending unsolicited messages that failed to identify the sender and did not allow the recipient to unsubscribe. Authorities say they are handling as many as 1800 complaints a month from mobile phone customers over rip-offs. Hidden charges and the inability to cancel subscriptions to services such as ringtones, wallpaper and video clips were the most common complaints among the 9000 recorded by the Telecommunications Industry Ombudsman over the past six months, under the Mobile Premium Services Industry Scheme. In the previous 12 months the ombudsman handled fewer than 6000 complaints over premium services, which suggests that complaints have risen threefold since the scheme began.