Mozilla has released version 3.6.13 of its popular Firefox web browser.
This new version contains fixes for 11 security holes, nine of which have been given the worst rating of “critical” severity, as the vulnerabilities can be used to run malicious attack code and install software – the user has to do nothing to be hit in this way, just normal browsing is enough.
Fortunately Firefox contains an integrated update mechanism (Help / Check for Updates to kickstart the process) which can help ensure that most users are rapidly upgraded to the latest version.
However, don’t dawdle. Malicious hackers could try to exploit the vulnerabilities – described on Mozilla’s website – to infect your computer with malware.
A new zero-day exploit in Microsoft Windows was disclosed today. The exploit allows an application to elevate privilege to “system,” and in Vista and Windows 7 also bypass User Account Control (UAC). The flaw was posted briefly on a programming education site and has since been removed.
The exploit takes advantage of a bug in win32k.sys, which is part of the Windows kernel. The flaw is related to the way in which a certain registry key is interpreted and enables an attacker to impersonate the system account, which has nearly unlimited access to all components of the Windows system. The registry key in question is under the full control of non-privileged users.
The flaw appears to affect all versions of Windows back to at least Windows XP, including the latest Windows 2008 R2 and Windows 7 systems. On its own, this bug does not allow remote code execution (RCE), but does enable non-administrator accounts to execute code as if they were an administrator.
There is one mitigation I discovered while researching this exploit. Unfortunately it is somewhat complicated. To prevent the flaw from being exploited you can perform the following actions:
- As an Administrator open Regedit and browse to HKEY_USERS\[SID of each user account]\EUDC
- Right-click EUDC and choose permissions
- Choose the user whose account you are modifying and select Advanced
- Select Add and then type in the user’s name and click OK
- Click the Deny checkbox for Delete and Create Subkey
- Click all the OKs and Apply buttons to exit
The registry keys being changed by this mitigation should not impact a user’s ability to use the system, but changing permissions related to Windows code page settings may cause problems with multilingual installations. In my testing it appears problem-free, but I have only had an hour or two to test. Use at your discretion.
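The same mitigation as a script, added here as an example and not code from the original post or from Sophos. It automates the Regedit steps above: for every user hive loaded under HKEY_USERS it adds a Deny entry for that user on Delete and Create Subkey of HKEY_USERS\<SID>\EUDC, and it includes an audit function so you can confirm which accounts are already covered. The function names are mine; assumptions that the post does not state: only currently loaded profiles appear under HKEY_USERS (so run it with the affected users logged on, or after loading their hives), a missing EUDC key is skipped rather than created, and the Deny entry is applied to the key and its subkeys as the Advanced permissions dialog does by default. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post): scripted version of the EUDC
# registry-permission mitigation described above. Requires an elevated prompt.

function Get-UserHiveSids {
    # Only per-user account SIDs (S-1-5-21-...), skipping service hives and *_Classes keys.
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
        ForEach-Object { $_.PSChildName }
}

function Test-EudcDenyAce {
    # Audit helper: $true when the user already has a Deny entry covering both rights.
    param([Parameter(Mandatory)][string]$Sid)

    $keyPath = "Registry::HKEY_USERS\$Sid\EUDC"
    if (-not (Test-Path -Path $keyPath)) { return $false }

    $needed = [System.Security.AccessControl.RegistryRights]::Delete -bor [System.Security.AccessControl.RegistryRights]::CreateSubKey
    $acl = Get-Acl -Path $keyPath
    foreach ($ace in $acl.Access) {
        $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        if ($ace.AccessControlType -eq 'Deny' -and $aceSid -eq $Sid -and
            (($ace.RegistryRights -band $needed) -eq $needed)) {
            return $true
        }
    }
    return $false
}

function Set-EudcDenyAce {
    # Adds the Deny entry for Delete + Create Subkey, mirroring steps 2-6 above.
    param([Parameter(Mandatory)][string]$Sid)

    $keyPath = "Registry::HKEY_USERS\$Sid\EUDC"
    if (-not (Test-Path -Path $keyPath)) {
        # Assumption: the post's steps presume the key exists, so we do not create it.
        Write-Warning "No EUDC key under HKEY_USERS\$Sid; nothing changed."
        return $false
    }

    # Resolve the SID to DOMAIN\user so the entry shows a readable name in Regedit.
    $identity = (New-Object System.Security.Principal.SecurityIdentifier($Sid)).Translate([System.Security.Principal.NTAccount])

    $rights = [System.Security.AccessControl.RegistryRights]::Delete -bor [System.Security.AccessControl.RegistryRights]::CreateSubKey
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $identity,
        $rights,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,  # this key and subkeys (assumed dialog default)
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)

    $acl = Get-Acl -Path $keyPath
    $acl.AddAccessRule($rule)   # .NET keeps Deny entries ahead of Allow (canonical order)
    Set-Acl -Path $keyPath -AclObject $acl
    return $true
}

# Apply to every loaded user hive, reporting what was done.
foreach ($sid in Get-UserHiveSids) {
    if (Test-EudcDenyAce -Sid $sid) {
        "$sid : already mitigated"
        continue
    }
    if (Set-EudcDenyAce -Sid $sid) { "$sid : Deny entry added" }
}
```

To undo the change, remove the Deny entry in Regedit (or with `$acl.RemoveAccessRule($rule)` followed by `Set-Acl`), which matters if the multilingual code-page problems mentioned above turn out to affect a particular machine.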
The good news? For this to be exploited, malicious code that uses the exploit needs to be introduced. This means your email, web, and anti-virus filters can prevent malicious payloads from being downloaded. Keep an eye on the Naked Security blog for more information as we learn more about this flaw.
Update: Sophos detects the proof of concept as Troj/EUDPoC-A. Stay tuned for further details as they become available.
I’ve also created this video showing how it works and what you can do.
Malicious hackers have spammed out an attack that pretends to be an email from Facebook support saying that your password has been changed.
The messages, which have a variety of subject lines including “Facebook Service. A new password is sent you”, “Facebook Support. Your password has been changed” and “Facebook Service. Your account is blocked”, have a ZIP file attached which carries a Trojan horse.
A spam is sent from your Facebook account.
Your password has been changed for safety.
Information regarding your account and a new password is attached to the letter.
Read this information thoroughly and change the password to complicated one.
Thank you for your attention,
Sophos products detect the attached ZIP file as Mal/BredoZp-B, and the Trojan horse contained within as Troj/Agent-PLG.
It’s possible that the attackers are attempting to exploit the problems many female Facebook users had this week when the social network disabled many accounts by accident.
Don’t forget – you should always be extremely suspicious of any unsolicited email which arrives out of the blue, encouraging you to open an attachment.
Last week we spoke about the Boonana cross-platform malware, using a malicious Java applet to deliver a cross-platform attack that attempts to download further malware to computers running Windows, Unix and Mac OS X.
Since then we have seen some variants of the original Boonana attack. The samples we have seen have been functionally the same, with the hackers behind them seemingly having obfuscated their code to try and waltz around detection.
Their attempts haven’t been good enough to get past Sophos’s products so far (including our new free anti-virus for Mac home users), and we haven’t had to update our generic detection method.
In the samples we have analysed to date, the attack specifically targets Windows and Mac OS X systems, and just happens to infect other platforms that run Java. Depending upon the flavour of Unix, it doesn’t usually complete its ‘life cycle’ if you’re not running Windows or Mac OS X systems.
Of course, we will update our detection of Troj/Boonana should we see new variants that require it.
In the meantime, watch this video I made last week demonstrating the original version of this attack on Windows, Mac OS X and Ubuntu:
Microsoft has warned users of all supported versions of the Internet Explorer browser that an unpatched vulnerability exists in the product that is being actively exploited by malicious hackers in targeted attacks.
The zero-day vulnerability, described in Microsoft’s security advisory, allows cybercriminals to execute code on remote users’ computers without their permission.
In other words, simply clicking on a link in an email could take you to a webpage which would silently install malicious code (such as a backdoor Trojan horse) onto your computer. In short, you could be one click away from having a hacker access your computer or commandeer it into being part of a botnet.
Sophos is adding detection of the malicious webpages as Mal/20103962-A, and the Trojan horse that we have seen being downloaded as Troj/GIFDldr-A.
According to Microsoft’s advisory, Data Execution Prevention (DEP) – which is enabled by default in Internet Explorer 8 on Windows XP SP3, Windows Vista SP1, Windows Vista SP2, and Windows 7 – helps to protect against the attacks.
All eyes will now be on Microsoft to see how quickly they can issue a fix for this vulnerability – it would certainly be impressive if they managed to roll-out a patch in time for next Tuesday’s “Patch Tuesday”, but that may be a little optimistic.
Adobe has issued a security advisory about an as-yet unpatched vulnerability in its popular Flash Player software, affecting users of Windows, Mac, Linux, Solaris and even Google Android.
The critical security hole could allow an attacker to take control of your computer and run malicious code.
The firm also confirmed that the vulnerability affects Adobe Reader 9.3.4 for Windows, Mac and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Mac. The reason that Acrobat and Reader are also affected is that the programs support Flash content inside PDF files.
The new warnings follow closely after news last week of another vulnerability in Reader and Acrobat that was being exploited by malware authors.
Adobe has announced that an update for Flash Player tackling the latest vulnerability is expected to be available during the week of September 27, and an update for Acrobat and Reader will be available the following week.
Last month, Sophos blogger Chet Wisniewski interviewed Brad Arkin, Adobe’s Senior Director of Product Security and Privacy, about the firm’s security strategy and their upcoming sandboxing technology.
You can also download the interview directly in MP3 format.
After earlier roll-outs in the USA and Japan, Facebook has now opened up its location-sharing service in the UK.
In a breakfast briefing in London, Facebook explained that the new service would make it easier for users to share where they were.
But hang on a minute – I don’t want to share where I am. And I don’t want other people to be able to share my location either.
I came back late last night after a few days away on a business trip, to find that my next door neighbour had been burgled. So I want to have total control over when (and if) my location is shared and who gets told my location.
Have you seen messages on Facebook like the following?
OMG! Look what happens when identical TWINS meet on Chat Roulette!
OMG LOL!! Twins meet for first time ever ON CHAT ROULETTE!! rofl --->> <LINK>
OMG! Look what happens when identical TWINS meet on Chat Roulette!
Doubt they will be using Chat Roulette again
OMG LOL!! Twins meet for first time ever ON CHAT ROULETTE!! rofl --->> <LINK> <<<--- sooo funny ...
It is, of course, the latest attempt by scammers to earn a few bucks by tricking you into visiting the link.
You might be intrigued by the thought of identical twins happening across each other on ChatRoulette, but the page you are taken to is going to force you to “share” the content with your online friends before it will actually let you see anything.
And even then, you’ll be nagged to take an online survey (earning the scammers some commission). My advice is that you shouldn’t make this type of scam worthwhile by agreeing to take the survey – often you’ll find that the content you want isn’t waiting for you at the end of the process anyway (and if the video content exists, chances are that it’s also on YouTube for free).
So, all you’re really doing is helping the scammers earn their ill-gotten gains, because your account has now publicised the link to others claiming that you’ve “LOL’d” even though you haven’t seen any actual video content at this point.
It’s a seedy, dirty trick – so don’t play into the scammers’ hands, and think more carefully before you next “like” or “share” a suspicious link on Facebook.
The big news in the IT security industry today is the announcement that Intel plans to acquire McAfee for a jaw-dropping $7.68 billion.
Yes, that’s “billion”. Oh to have such pocket money.
Of course, those of us with long memories will know that Intel is no stranger to the computer security industry.
Indeed, they used to have their own anti-virus product (Intel LanDesk Virus Protect) which they sold to Symantec in 1998.
Now, Intel is purchasing Symantec’s arch-enemy McAfee and re-entering the business.
Apple has kept true to its promise, and released a security patch for users of iPhones, iPads and the iPod Touch, closing the door on a vulnerability that could have exposed them to malware and other malicious attacks.
The vulnerability first came to the public’s attention after it was used by a website, JailbreakMe.com, which made it simple for iPhone and iPad users to jailbreak their devices.
As I reported earlier this month, the drive-by jailbreak exploited a vulnerability in the way that the mobile edition of Safari (the default browser used in the iOS operating system) handles PDF files – specifically its handling of fonts. Therefore, just visiting the JailbreakMe website could run code on the visitor’s iPhone, iPod Touch or iPad.
Such a vulnerability, if left unpatched, leaves open opportunities for hackers to spread malicious code to Apple’s mobile products.
The iOS 4.0.2 update for iPhone and iPod Touch can be downloaded and installed using iTunes, with further information available in Apple’s support advisory HT4291.
The same process can be used to update Apple iPads to version 3.2.3 of iOS, with detailed information about the vulnerability published on Apple’s support knowledgebase.