Friday, October 27, 2006

Address Bar Spoofing in IE 7

Secunia has a report of a bug in Microsoft Internet Explorer 7. It may be possible for attackers to create a pop-up window that will have a spoofed and misleading address bar, with only part of the address displayed. This could be used as part of a phishing scheme to trick users into disclosing information to a malicious website. You can see the details at http://secunia.com/advisories/22542/, including a proof of concept.

Firefox Can Restore Your Session (Even if You Don't Want To)

The newly-released Mozilla Firefox 2 includes a Session Restore feature. This means that connections to some sites that log you in via cookies, like Gmail, will automatically be restored after a browser crash. You may not want that to happen if you share a computer. If so, you will need to turn off this feature via the browser.sessionstore.resume_from_crash setting. If you are not familiar with changing your Mozilla settings, see http://kb.mozillazine.org/About:config.

Thursday, October 26, 2006

False Positive from Symantec Causes Problem

Anti-virus signatures for Symantec AntiVirus were shipped that apparently triggered a false positive alert that the sfc.dll file in Windows XP and 2000 (which powers Windows File Protection) was the Infostealer.Banpaes virus. Symantec then disabled sfc.dll and prompted you to reboot the computer. When you try to reboot, a Windows XP computer may reboot continuously, and Windows 2000 may blue screen. Symantec has posted a Knowledge Base article at http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2006102011570548 to help anyone whose computer they wrecked. The Internet Storm Center also has information at http://isc.sans.org/diary.php?storyid=1799.

Tuesday, October 24, 2006

Microsoft Re-Releases XML Security Bulletin

Microsoft has re-released their MS06-061 Security Bulletin, which fixed a bug in Microsoft XML Core Services. The first version of their patch did not correctly kill off the flawed version of the Microsoft XML Parser 2.6 if you are running Windows 2000 Service Pack 4. This is a critical security update that helps prevent remote attackers from running their code on your computer. If you haven't gotten the fix yet, or are affected by the re-release, get it at http://www.microsoft.com/technet/security/bulletin/ms06-061.mspx.

First IE 7 Bug is a Leftover

The first bug in Microsoft Internet Explorer 7 is being discussed. It is a problem in redirection handling with the "mhtml:" URI handler. However, according to the Internet Storm Center, this bug is actually something left over from IE 6. It appears that for compatibility reasons, Microsoft included an older MSXML ActiveX component that had this bug, which they say was announced at http://secunia.com/advisories/19738. You can read the full analysis at http://isc.sans.org/diary.php?storyid=1797.

Monday, October 23, 2006

IE 7 Cracks Down on ActiveX Controls

Microsoft Internet Explorer 7 can no longer be considered beta software - so it's time for the BugBlog to start taking a look. The good news is that IE 7 imposes a lot more security on ActiveX controls. That's good -- although it was Microsoft who foisted ActiveX on us in the first place. This review of IE 7 at eWeek talks about the increased security, which is a definite bug fix. Read the whole thing at http://www.eweek.com/article2/0,1895,2033704,00.asp.

Flawed Opera Causes Some Dissonance

Opera 9 has a heap overflow bug that may cause the browser to crash when it tries to handle a very large link. Opera says they have fixed this in Opera 9.02, and that the impact of the bug is a denial of service attack. They also credit iDefense for finding this bug. According to iDefense, the size of the link only has to top 256 characters, and it can be hidden in an iframe. They also say that attackers can use the bug to run their own code on your computer. See their explanation at http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=424.

Thursday, October 19, 2006

NetFlix Fixes a Cross-Site Request Bug

Netflix has fixed a bug on their site that may allow an attack called Cross Site Request Forgery. This type of attack may allow an outsider to change your address, add movies to your queue, and otherwise manipulate your account. An attack like this works if you normally stay logged in to a site, and you visit another hostile website that includes code to take advantage of the weakness. Other Web 2.0 sites may also be at risk for this attack, according to the story on ZD Net at http://news.zdnet.com/2100-1009_22-6126438.html.
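The mechanism behind the Netflix bug is that the browser attaches your session cookie to a request whether the real site or a hostile page issued it. The example below is added here and is not Netflix's code or the ZDNet story's; it is a constructed in-memory model of an "update my address" handler (session ids, secret and addresses are all made-up values) showing the cookie-only version beside one hardened with a per-session anti-forgery token that a third-party page cannot read.

```python
import hashlib
import hmac

# Constructed server-side secret and session store (example values only).
SERVER_SECRET = b"example-only-secret"


def new_sessions():
    """Fresh session store: session cookie value -> account record."""
    return {"sess-alice-123": {"user": "alice", "address": "1 Old Street"}}


def csrf_token_for(session_id):
    """Per-session anti-forgery token: an HMAC of the session id under a server
    secret, so it needs no extra storage and cannot be moved to another session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def change_address_vulnerable(sessions, request):
    """Authorizes on the session cookie alone. The browser attaches that cookie
    to any POST aimed at the site, so a form submitted from a hostile page works."""
    session = sessions.get(request["cookies"].get("session"))
    if session is None:
        return 401
    session["address"] = request["form"]["address"]
    return 200


def change_address_hardened(sessions, request):
    """Also requires the per-session token, which only same-origin pages can read."""
    session_id = request["cookies"].get("session")
    session = sessions.get(session_id)
    if session is None:
        return 401
    submitted = request["form"].get("csrf_token", "")
    # Constant-time compare; reject before touching the account if the token is
    # missing or wrong.
    if not hmac.compare_digest(submitted, csrf_token_for(session_id)):
        return 403
    session["address"] = request["form"]["address"]
    return 200


def simulate():
    """Replays a legitimate request and a forged one against both handlers and
    returns (status, resulting address) for each combination."""
    cookie = {"session": "sess-alice-123"}
    # Legitimate form: rendered by the real site, so it carries the token.
    legit = {"cookies": cookie,
             "form": {"address": "2 New Street",
                      "csrf_token": csrf_token_for("sess-alice-123")}}
    # Forged form (constructed): the browser still adds the cookie, but the
    # page that produced it could not read the token, so none is present.
    forged = {"cookies": cookie, "form": {"address": "99 Elsewhere Lane"}}

    results = {}
    for name, handler in (("vulnerable", change_address_vulnerable),
                          ("hardened", change_address_hardened)):
        for label, req in (("legit", legit), ("forged", forged)):
            sessions = new_sessions()
            status = handler(sessions, req)
            results[(name, label)] = (status, sessions["sess-alice-123"]["address"])
    return results


if __name__ == "__main__":
    for key, value in sorted(simulate().items()):
        print(key, value)
```

The vulnerable handler accepts the forged request with a 200 and changes the address; the hardened one returns 403 and leaves the account untouched, while the legitimate request succeeds against both. Real frameworks usually also check the Origin or Referer header and mark the cookie SameSite, but the token check is the part that closes this class of bug.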

Tuesday, October 17, 2006

Excel 2003 May Yield the Wrong YIELD

One of the Microsoft Excel 2003 financial functions will give you the wrong answer under a particular set of inputs. The YIELD function returns an incorrect result when the security's settlement date is the 30th or 31st of the month, the maturity date is the 30th or 31st of the same month, and the Basis parameter is 4. Microsoft has a hotfix at http://support.microsoft.com/kb/925797, which must be applied on top of some previously released hotfix packages, described on that page.

Lower Your Defenses When You Install IE 7

With the official release of Microsoft Internet Explorer 7 soon upon us, you may want to know that Microsoft's IEBlog is reminding everyone that they recommend that you temporarily turn off all your anti-virus and anti-spyware applications before you install IE7. They say that the installation makes so many Registry changes that it may look suspicious to your AV software, which may interfere with the installation. (If you are paranoid, you could probably come up with some other reasons for this.) If you want to be an early adopter, read the blog post and comments.

Bug in AOL Control

When you install America Online 9.0 Security Edition, it installs an ActiveX control, AOL.PicDownloadCtrl.1t, that is marked as being safe for scripting. Security researchers at iDefense discovered a buffer overflow in this control, which means it is not safe for scripting. A malicious website could take advantage of this to run code on your computer. If you use AOL 9.0 or AOL 9.0 Security Edition, log in to the AOL service and you will be automatically updated. See the details at http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=420.

Thursday, October 12, 2006

Bug in Microsoft Server Services

There are two bugs in Microsoft Windows Server Services that affect Windows 2000, Windows XP, and Windows Server 2003. According to Microsoft, these bugs may allow a remote attacker to trigger a denial of service attack via a network message. According to eEye Digital Security, there is also a risk of the attacker running their code on your computer. By default, most firewalls are configured to block the ports through which these attacks are launched, thus Microsoft considers this only an Important security patch. Get the update at http://www.microsoft.com/technet/security/bulletin/ms06-063.mspx. Microsoft credits Gerardo Richarte of Core Security Technologies, NSFocus, Fortinet, and Matthew Amdur of VMware for finding these bugs.

Wednesday, October 11, 2006

Another Critical ActiveX Bug for Microsoft

Another bug in an ActiveX control puts users of Windows 2000, Windows XP, and Windows Server 2003 in jeopardy. The bug is in the WebViewFolderIcon ActiveX control, and if you visit a malicious website (using Microsoft Internet Explorer) that tries to exploit this bug, the bad guys may take complete control of your system. This is rated a Critical bug for Windows 2000 and Windows XP by Microsoft, and a Moderate bug for Windows Server 2003. Get your patch at http://www.microsoft.com/technet/security/bulletin/ms06-057.mspx (although there may be some problems with patch availability on 10/10

Sunday, October 08, 2006

A big Patch Tuesday

October 10 is Patch Tuesday, and it will be an extra special one. Microsoft has announced that there will be six security bulletins for Windows, and at least one of them is rated Critical. There will be four security bulletins for Microsoft Office, and at least one will be Critical. There will also be one security bulletin for the Microsoft .NET Framework. That one is only rated Moderate. Look for full coverage in the BugBlog Plus on Tuesday.

Friday, October 06, 2006

Buffer Overflow Bugs in CA BrightStor

Security researchers at TippingPoint found a number of buffer overflow bugs in CA BrightStor ARCserve Backup R11.5, BrightStor Enterprise Backup 10.5, BrightStor ARCserve Backup v9.01, and CA Server Protection Suite r2. The bugs may let remote attackers run code against the various CA products. Fix information is at http://supportconnectw.ca.com/public/storage/infodocs/basbr-secnotice.asp.

Thursday, October 05, 2006

Microsoft VML Bug Wins Bug of the Month for October 2006

If it's worth an early patch, it's worth the Bug of the Month.

Read the whole thing here

ATI TV Guide May Lose Its Listings

When using the ATI Multimedia Center 9.15 software with an ATI multimedia card, you may sometimes get a corrupted database for the TV listings. This may prevent the TV Guide software from starting. Fix this by going to the Windows XP Control Panel Add/Remove Programs applet. Select the Gemstar GUIDE Plus+ program, and then select Repair. After repairing, when you run the GUIDE again you will need to enter your name, ZIP Code, and email address again.

Mozilla Bug Report Was a Hoax

The 10/2 Mozilla JavaScript bug report was a hoax. While there is a bug that may be used to crash your browser, attackers can't use it to run hostile code on your computer. Any other claims by the two researchers, who probably won't be invited back to make any more presentations, should also be considered fraudulent. While the BugBlog often reports on what independent researchers say (and these reports also included quotes from Mozilla's security spokesman that lent some credence to their claims) rest assured that these two will no longer be considered valid sources.

McAfee Protection Had a Hole

There is a bug in McAfee ProtectionPilot 1.1.0 and McAfee ePolicy Orchestrator 3.5.0 that may allow remote attackers to run their own code on the "protected" computer. This happens via a boundary error when dealing with long source errors. You can find links to the patches at http://secunia.com/advisories/22222/. According to at least one news story, McAfee was alerted to the bug in July, but the patch was very complex, so that it took till October to fix. Read more at http://www.crn.com/showArticle.jhtml?articleID=193101216.

Tuesday, October 03, 2006

JavaScript Hole in Mozilla

There is a bug in Mozilla Firefox's implementation of JavaScript, and it may allow malicious websites to run their code on your computer due to a stack overflow error. The bug was found by Mischa Spiegelmock, of SixApart, and Andrew Wbeelsoi. A spokesperson for Mozilla said that the issue looks genuine. Also, enough details were disclosed during the presentation that attacks may be mounted. Read more at http://news.com.com//2100-1002_3-6121608.html.

Monday, October 02, 2006

JPEG Image Bug in Mac OS X

There is a bug in the way that Mac OS X 10.4.x computers view JPEG2000 images. An attacker may be able to construct one of these images that can either crash the application viewing it, or run hostile code on your machine. Apple has fixed this in the Security Update 2006-006 and have also patched it in Mac OS X 10.4.8. They credit Tom Saxton of Idle Loop Software Design for finding this bug.