DP's Security Bits

Mozilla Corp. bumped up the threat ranking for an unpatched Firefox bug to "high" yesterday, but promised a fix is coming in Version 2.0.0.12, now slated for release on Feb. 5.

The company's head of security, Window Snyder, confirmed that the browser, when running any of more than 600 add-ons, can be exploited to steal "session information, including session cookies and session history."

Full Story at computerworld.com 

The majority of Web sites serving up attack code are legitimate domains that have been hacked by criminals, according to security research firm Websense Inc.

In a report released last week, San Diego-based Websense said that credible sites accounted for 51% of those classified as malicious. The sites had been compromised by hackers who seeded them with attack code that infected unpatched machines visiting those addresses, it said.

A year earlier, Websense estimated that about 35% of malicious sites were actually legitimate sites that had been compromised.

The remaining deleterious sites were "intentionally built for malicious intent," the Websense report said.

Full Story at computerworld.com 

PayPal reported Monday that it has offered $170 million in cash to acquire Fraud Sciences Ltd., an Israeli company that develops online risk and security tools.

PayPal, a unit of eBay, will use Fraud Sciences' technology to enhance the fraud management systems of both PayPal and eBay. The Israeli firm's risk tools and analytics also will be targeted at accelerating the development of advanced fraud detection tools.

Full Story at informationweek.com 

Consumer electronics chain Best Buy pulled its Insignia-branded 10.4-inch digital picture frame from store shelves last week after finding that some devices were infected with an older computer virus.

As previously reported by SecurityFocus, some consumers have claimed that digital picture frames received over the holidays have infected their computers with malicious programs. Best Buy recalled its 10.4-inch digital picture frame (model no. NS-DPF10A) after finding that a limited number of devices had been infected during the manufacturing process, according to a statement released last week.

http://www.securityfocus.com/brief/670 

Security software makers, as well as independent and media-sponsored testing labs, have agreed to create an industry group to establish best practices and standards in the testing and rating of antivirus software, members of the nascent group told SecurityFocus on Thursday.

More than 40 antivirus researchers and security professionals gathered in Bilboa, Spain, earlier this week to establish the group and discuss guidelines for more rigorously testing antivirus products. The guidelines will focus on documenting the most meaningful ways of testing antivirus products as well as establishing common rules for the data sets which are used for testing, said David Marcus, security research and communication manager at McAfee's AVERT Labs.

Full Story at SecurityFocus

Issued: January 25, 2008

Summary

The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

  * MS08-001 - Critical

Bulletin Information:

* MS08-001 - Critical

 - http://www.microsoft.com/technet/security/bulletin/ms08-001.mspx
 - Reason for Revision: This bulletin was revised to clarify the
    impact of Windows Kernel TCP/IP/IGMPv3 and MLDv2
    Vulnerability (CVE-2007-0069) on supported editions of
    Windows Small Business Server 2003 and Windows Home Server.
    Also included is an explanation and clarification that
    current Microsoft detection and deployment tools already
    correctly offer the update to systems running Windows Small
    Business Server 2003 and Windows Home Server. 
 - Originally posted: January 8, 2008
 - Updated: January 25, 2008
 - Bulletin Severity Rating: Critical
 - Version: 3.0
 

Insignia pulled a line of 10.4-inch digital picture frames from Best Buy stores and its Web sites this week after learning some had been infected with a computer virus during the manufacturing process.

"Once informed, we immediately pulled all units of this product from stores and retail Web sites as a precautionary measure to protect our customers," explains a statement on the Insignia Web site. "This product has been discontinued, and no additional inventory will be sold. Please note that no other Insignia digital picture frame products are affected by this issue."

Full Story at informationweek.com 

Issued: January 23, 2008

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS07-068 - Critical
  * MS07-057 - Critical

Bulletin Information:

* MS07-068 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-068.mspx
  - Reason for Revision: Bulletin updated to add an FAQ regarding
    installing the updates for Windows Media Format Runtime 9.5
    on Windows XP Professional x64 Edition. 
  - Originally posted: December 11, 2007
  - Updated: January 23, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.2
   
* MS07-057 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-057.mspx
  - Reason for Revision: Bulletin revised to address rendering
issues. 
  - Originally posted: October 9, 2007
  - Updated: January 23, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.3

Issued: January 23, 2008

Summary

The following bulletins have undergone a major revision increment.
Please see the appropriate bulletin for more details.

  * MS08-001 - Critical
  * MS07-064 - Critical

Bulletin Information:

* MS08-001 - Critical

 - http://www.microsoft.com/technet/security/bulletin/ms08-001.mspx
 - Reason for Revision: Bulletin updated to add Windows Small
    Business Server 2003 Service Pack 2 as an affected product.
    Also added an FAQ to clarify that current Microsoft detection
    and deployment tools already correctly offer the update to
    Windows Small Business Server 2003 Service Pack 2 customers. 
 - Originally posted: January 8, 2008
 - Updated: January 23, 2008
 - Bulletin Severity Rating: Critical
 - Version: 2.0
   
* MS07-064 - Critical

 - http://www.microsoft.com/technet/security/bulletin/ms07-064.mspx
 - Reason for Revision: Bulletin updated to reflect that DirectX 9.0
    and 9.0b are also included in this update. 
 - Originally posted: December 11, 2007
 - Updated: January 23, 2008
 - Bulletin Severity Rating: Critical
 - Version: 2.0

The flaw, said Window Snyder, Mozilla's chief security officer, is in the browser's chrome protocol -- "chrome" is the Firefox term for its user interface -- as she responded to reports of the vulnerability and the public posting of a proof-of-concept exploit.

Access to a user's machine would be through one of many Firefox extensions packaged in a flat file structure, rather than collected into a single Java archive, or .jar file, said Snyder. Several popular extensions, including Download Statusbar and Greasemonkey, use a flat file structure. "Users are only at risk if they have one of the 'flat' packaged add-ons installed," Snyder said on the Mozilla security blog.

Full story at computerworld.com 

For the first time, legitimate Web sites compromised by attackers made up the majority of sites used to spread malicious programs, security firm Websense said in a report published on Tuesday.

During the second half of 2007, the number of malicious compromised sites climbed to 51 percent, becoming a more popular way to spread code then sites created by attackers, Websense said in its research highlights. Mass Web site attacks aimed at creating online points of infection have become more common in the past year, including major incidents in March and November.

http://www.securityfocus.com/brief/667 

A new year always brings changes and new challenges for IT managers, and 2008 will be no exception. While there are dozens of emerging technologies that have the potential to disrupt current standards, five that have significant opportunity to lead to major implications for enterprises in the coming year are: virtualization, the role of Apple and managing cross-platform shops, managed data centers, video over IP networks, and presence-aware applications.

Full story at informationweek.com 

More than 80,000 Web sites worldwide display a small green logo that proclaims them to be "Hacker Safe." The logo is provided to them by ScanAlert Inc., a vendor that scans the sites of its clients daily in search of security vulnerabilities.

ScanAlert's logo is the most widely used security seal of its kind on the Web, and it can be found on dozens of marquee-brand sites, including those of Johnson & Johnson, Sony Corp. and Warner Bros. Entertainment Inc. Such widespread use attracted the attention of security vendor McAfee Inc., which in late October agreed to acquire ScanAlert.

Full story at computerworld.com 

With consumers finally getting wise to phishing attacks, scammers are hitting the phones.

The U.S. Federal Bureau of Investigation's Internet Crime Complaint Center (IC3) warned Thursday that so-called "vishing" attacks are on the rise. These are scams where criminals send an e-mail or text message to a victim, saying there has been a security problem and the victim needs to call his or her bank to reactivate a credit or debit card.

"Upon calling the telephone number, the recipient is greeted with 'Welcome to the bank of ...' and then [is] requested to enter their card number in order to resolve a pending security issue," the IC3 said in its alert

Continues at computerworld.com 

OpenID got a massive vote of support on Thursday when Yahoo! promised to support the online identity framework starting January 30.

The technology, which allows users to sign in to a single OpenID provider and then use a specific digital identity at supporting sites, allows people to better control their identity information while online. While America Online, Microsoft, Sun and Novell have begin to implement support for the technology, Yahoo!'s 248 million users could potentially triple the total number of Internet identities that use the distributed system, the company said in a statement.

http://www.securityfocus.com/brief/665 

GRISOFT, developer of the AVG family of security software products, today released the second beta edition of AVG 8.O for Windows for public testing. AVG 8.0 offers a completely new multi-threaded scanning engine that combines anti-virus and anti-spyware while retaining the product’s signature small footprint and scanning efficiency. Additional protection is provided in the form of safe searching and safe surfing protection acquired through the recent purchase of Exploit Prevention Labs, rootkit detection, basic security for MSN and ICQ instant messaging, and detection of malware-infected files on websites. Windows users interested in participating in this public beta can register and download the software at http://beta.avg.com.

Press Release 

Updates released by Apple on Tuesday include security fixes for its iPod Touch, iPhone, and QuickTime media software, but QuickTime remains vulnerable to a recently disclosed Real-Time Streaming Protocol (RTSP) exploit.

"The noteworthy areas of this are the QuickTime fixes," said Andrew Storms, director of security operations at NCircle, a network security company. "Probably more interesting than what they fixed is the fact that these weren't previously known vulnerabilities. ... They fixed three things we didn't know about but didn't fix the thing everybody wished would get fixed."

Full story at informationweek.com 

From SophosLabs:  

Issued: January 16, 2008

Security Advisories Updated or Released Today

 * Microsoft Security Advisory (947563)
  - Title: Vulnerability in Microsoft Excel Could Allow
    Remote Code Execution
  - http://www.microsoft.com/technet/security/advisory/947563.mspx
  - Revision Note: Advisory updated to reflect the correct
    Excel file formats in the MOICE Workarounds section.  

Issued: January 16, 2008

Summary

The following bulletins have undergone a minor revision increment.
Please see the appropriate bulletin for more details.

  * MS07-065 - Important
  * MS07-061 - Critical
  * MS07-030 - Important

Bulletin Information:

* MS07-065 - Important

  - http://www.microsoft.com/technet/security/bulletin/ms07-065.mspx
  - Reason for Revision: Bulletin updated to add Windows XP Home
    Edition SP2 to the Non-Affected Software table. 
  - Originally posted: December 11, 2007
  - Updated: January 16, 2008
  - Bulletin Severity Rating: Important
  - Version: 1.3
   
* MS07-061 - Critical

  - http://www.microsoft.com/technet/security/bulletin/ms07-061.mspx
  - Reason for Revision: Bulletin updated to add KB article
    information to the Known Issues area of the General
    Information section. 
  - Originally posted: November 13, 2007
  - Updated: January 16, 2008
  - Bulletin Severity Rating: Critical
  - Version: 1.2
   
* MS07-030 - Important

  - http://www.microsoft.com/technet/security/bulletin/ms07-030.mspx
  - Reason for Revision: Bulletin updated to add KB article
    information to the Known Issues area of the General
    Information section.
  - Originally posted: June 12, 2007
  - Updated: January 16, 2008
  - Bulletin Severity Rating: Important
  - Version: 1.1