"This is a JS engine bug dealing with deep bailing not properly restoring the return value from the result of the (fast native) escape function. We then try to do something with the uninitialized memory and crash in the interpreter," wrote Mozilla's Blake Kaplan in a comment on the bug report.
It didn't take long for researchers to discover that the bug was exploitable and could be used to execute arbitrary code. It's also been squashed in the 3.5.1 update, however researchers have discovered a similar bug that remains. According to Mozilla, it is looking into the issue, but so far doesn't believe the newly discovered bug is exploitable.
This week, Microsoft announced that DirectShow ActiveX code in Internet Explorer 6 and 7 that was reserved for future use has finally been used - by malware providers. The DirectShow Video ActiveX control in the msvidctr.dll file can be used to take over your system if you visit an infected website. According to Symantec, thousands of websites (primarily in China and other parts of Asia) have been affected.
Who's vulnerable? According to Microsoft Knowledge Base article 972890, Windows Server 2003, Windows XP SP2, Windows XP SP3, and Windows XP 64-bit edition are at risk if they haven't upgraded to IE8. IE8 is not vulnerable because the DirectShow ActiveX control being exploited was disabled in IE8. But, if you're still running IE7 (or - horrors! - IE6), what now?
Although Microsoft doesn't have a software patch, it's offering the next best thing: visit KB article 972890 to download and run Microsoft Fix it control 50287 to work around the problem (the same site also offers Microsoft Fix it control 50288 to disable the workaround). The woraround and disable workaround controls are distributed in .msi installer files. Microsoft also recommends the workaround for Windows Vista and Windows Server 2008 users who are still running IE7.
If you want to learn more about what the workaround changes, you can visit the Microsoft Security Advisory (972890) page. This page lists the CLSID values that must be changed. This information can be incorporated into a .reg file, or can be distributed to multiple PCs in a domain using Group Policy. For additional information, see Security Focus article 35558.
Hackers have targeted everyone from QuickTime users to epilepsy patients, so is anyone really suprised to see them now going after PowerPoint users?
That's the latest word from Microsoft, who noted that Mac users running PowerPoint are also vulnerable (no matter what Justin Long says), although there has been no evidence that hackers have tried to attack the platform. The "critical" vulnerability relies on the intended victim opening an infected PowerPoint file either downloaded from the web or received as an email attachment.
"At that point, the attacker would then have complete control over everything the user's account has permission to do on the system," said Alfred Huger, a senior researcher with Symantec.
Patches have been released for Windows users, but not for Mac computers. However, Microsoft did say it was working on one.
AutoRun and AutoPlay, Microsoft's "dangerous duo" for launching programs from CD/DVD and other removable media types, have become among malware authors' favorite infection vectors - and Microsoft has finally said, "enough already!"
A research study by Forefront Client Securitycited by the Engineering Windows 7 blog determined that infections that can be started with AutoRun amounted to 17.7% of detected infections in the second half of 2008.
Although AutoRun was originally designed strictly for optical media, it can be used for other types of media. For example, you can create an autorun.inf file that adds the program on the media to the AutoPlay menu Windows displays, and change the default icon to make the malware program mimic a legitimate program. Conficker used this method to spread, as illustrated here.
Starting in Windows 7 RC, Microsoft has changed how both AutoRun and AutoPlay work:
AutoPlay no longer supports AutoRun on non-optical removable media. An autorun.inf file on a USB or other type of non-optical removable media will be disregarded. Only AutoPlay options that pertain to the types of files on the media will be listed.
When AutoPlay displays programs present on the media, the dialog now states that those programs will be run from the media.
To learn more about these changes, and to find out what other Microsoft operating systems will eventually get similar protection, join us after the jump.
Softpedia reports that pirated copies of Windows 7 will be provided with security updates, update rollups, and even service packs. What is Microsoft thinking? Is Redmond promoting piracy?
The idea of providing security and other updates to pirated copies as well as legit copies of Windows might seem crazy, but here's the reasoning, straight from Paul Cooke, director of Windows Client Enterprise Security:
Keeping a machine up to date is one of the first steps in helping ensure that they remain reliable, compatible, and safe from threats when they are online. Some of the most famous incidents of malicious software infection have come after security updates were publicly available from Microsoft - Blaster, Zotob, Conficker and Sasser, just to name a few. Rest assured that we at Microsoft are committed to making sure that security updates are available to all of our users to help ensure a safe online experience for everyone.
Note that Cooke is laying the blame for many recent security problems where it belongs: on users and companies who will not upgrade their software to block such threats. By continuing the recent policy of allowing users of non-genuine Windows to receive security updates, Microsoft is saying, in effect, 'don't blame us if unpatched systems are compromised.'
However, don't think that Redmond's turning a patched eye to either casual piracy or software counterfeiting. Pirated copies of Windows 7 won't be eligible for some of Microsoft's goodies, and Softpedia points out that counterfeit copies of Windows often come with a "free" bonus: malware.
For your chance to sound off on security for software pirates, join us after the jump.
Over Easter weekend, many Twitter fans were getting worms instead of finding Easter Eggs, as the developer of a rival microblogging site (StalkDaily), one 17-year-old Michael "Mikeyy" Mooney, was busy drawing Twitter users to his site through infected links and Twitter profiles. According to PCWorld and the Twitter status page, the infection has now been brought under control. But inquiring minds want to know, "what happened?" and "how can we stop a future attack?"
Doing a Google search for "Mikeyy" or "TwitterWorm" isn't the best way to find out, though, as the F-Secure security blog points out that fake news sites are being used to infect curious searchers with (unrelated) malware. To get the real scoop, join us after the jump.
If you've been worrying about computer security for awhile, you might remember when macro viruses in Microsoft Word and Excel files were at the top of the exploit list. These file formats, along with the omnipresent Adobe Reader PDF format, are once again among the biggest threat vectors being exploited by today's malware, according to a new report from the Microsoft Malware Protection Center. Fittingly, the full report and a condensed key findings version are available in either PDF or Microsoft's own XPS formats. These reports cover the July-December 2008 period.
Some key findings include:
Scareware (which Microsoft calls "rogue security software") is on the rise, including the latest versions of our old friend Antivirus XP.
A slight reduction in unique vulnerability disclosures from 2007, but the High (most serious) category was larger in the second half of 2008 than in the first half of the year or the second half of 2007.
Applications continue to be the biggest target (86.7%, with browsers at 8.8%, and operating systems at only 4.5%)
The Conficker worm has been generating the big security headlines, but what The New York Times calls a "vast electronic spying operation" reveals an ongoing, very sophisticated cyberespionage campaign that may well represent an even more important threat than Conficker - especially to the Dalai Lama's Tibetan freedom movement.
Researchers at the University of Toronto Munk Center's Citizen Lab summarize GhostNet thus:
Documented evidence of a cyber espionage network— GhostNet—infecting at least 1,295 computers in 103 countries, of which close to 30% can be considered as high-value diplomatic, political, economic, and military targets.
Documented evidence of GhostNet penetration of computer systems containing sensitive and secret information at the private offces of the Dalai Lama and other Tibetan targets.
Documentation and reverse engineering of the modus operandi of the GhostNet system—including vectors, targeting, delivery mechanisms, data retrieval and control systems—reveals a covert, diffcult-to-detect and elaborate cyber-espionage system capable of taking full control of affected systems.
To find out more about how GhostNet works, join us after the jump.
Just when you might have thought it was safe to start using USB flash drives at work again, the third, and by all accounts, most fiendish version of the Conficker worm that's infected millions of PCs already is set to attack on April 1st, Ars Technicareports. Conficker.C's designed to hide itself even more thoroughly than its older siblings, using tricks such as:
Inserting itself into as many as five Windows-related folders such as System, Movie Maker, Internet Explorer, and others (under a random name, of course)
Creating access control entries and locking the file(s)
Registers dummy services using a "one (name) from column A, one from column B, and two from column C" method
To find out what happens when Conficker.C strikes, join us after the jump.
Ouch! It's been a bad week for Adobe Acrobat and Reader users, DailyTech's Jason Mick reports. Some visitors to eweek.com viewed PDF-based ads that attempted to redirect readers to malicious websites and then tried to download Bloodhound.Exploit.213. This vulnerability affects only Acrobat and Reader 8.12 and earlier and was patched back in November with version 8.13, but not everyone's gotten around to updating their Adobe products yet. eWeek's pulled the offending ads, and Adobe was already offering a fix - and that's the good news.
The bad news? There's an even more serious flaw on the loose that targets all versions of Acrobat and Reader, including version 9.0. There are no updates yet (the update for version 9 is expected by March 11, but version 7 and 8 users must wait a bit longer). So, what can you do in the meantime? Lots of MaximumPC readers recommend the free Foxit Reader, but if you must use Adobe, join us after the jump for workarounds that can protect you in the meantime.