The reports of the vulnerability first surfaced after researcher Laurent Gaffie detailed the alleged threat and furnished the proof-of-concept code to make his case. Gaffie’s decision to go public with his findings without informing Microsoft hasn’t gone down well with the company.
After investigating the claims, Microsoft acknowledged in a blog post that the proof-of-concept code does force WMP to crash, but it cannot be used for remote code execution.
Before you drop in on the American Express website to see how much damage you did to your credit line with holiday shopping, you should know it's vulnerable to an XSS (cross-site scripting) exploit. As The Register reports, this news comes after a bungled attempt to fix the problem. As El Reg puts it,
The cross-site scripting (XSS) error that makes it trivial for attackers to steal americanexpress.com user's authentication cookies is alive and kicking. The confusion stems from a mistake made by many application developers who incorrectly assume that the root cause of a vulnerability is closed as soon as a particular exploit no longer works.
So far, only proof-of-concept exploits have been written to show how easy it would be to pilfer login credentials, but until AmEx really eradicates this problem, keep a careful eye on your website transactions. For a list of precautions you can take to stop XSS exploits, see our 2007 article.
Have you been victimized by an XSS error? Join us after the jump and sound off.
Once again, Internet Explorer (aka "Internet Exploder") has been attacked through a "zero-day" remote code execution vulnerability. That might not seem like MaximumPC.com-worthy news, except for two factors: the flaw is affecting thousands of websites, and this time, it isn't just Firefox fans who are saying "time to switch browsers, already!" - security experts at Trend Micro, the Spamhaus Project, and the UK's PC Pro magazine are all recommending making a switch, according to the BBC. And here's why:
The flaw in Microsoft's Internet Explorer could allow criminals to take control of people's computers and steal their passwords, internet experts say.
Switching Browsers? Choices Abound!
Attacks against IE7 have been verified, but all versions of IE (including IE 8 Beta 2) have the same underlying vulnerability; a vulnerability not present in IE's competitors (Firefox, Opera, Chrome, and Safari). Switching browsers makes sense for most web surfing, but, alas, some websites and (of course) Windows Update and Microsoft Update for Windows XP won't work with anything but IE.
Redmond Readies Security Update
Since the vulnerability was detected on December 10th, Microsoft code jockeys have been working hard to patch the flaw (Redmond doesn't want you to switch, naturally, and given the way that IE and Windows work together, a broken IE isn't good for anybody), and a patch will be available tomorrow (December 17th) for all versions of IE from 5.01 up, applying to all versions of Windows and Windows Server from Windows 2000 on up. It's rare for Microsoft to perform a security update between Patch Tuesdays, but when a "Critical" vulnerability (the most dangerous category of vulnerability) is discovered, there's no time to waste.
If you must use IE and you're looking for workarounds until you can get the update, join us after the jump for details.
Earlier in the week, reports of a supposed newly discovered Gmail vulnerability started making the rounds on the web. The proof of concept was first posted on GeekCondition.com and showed how a hacker, with a bit of effort and persistence, could potentially infiltrate a user's Gmail account, create a malicious filter to forward emails to the hijacker, and top it off by stealing any domains the victim may have registered. But is the proof of concept truly indicative of a security flaw in Gmail?
While it's true that there have been users affected by the scheme, Google ascertains the root cause has more to do with phishing than it does with Gmail.
"With help from affected users, we determined that the cause was a phishing scheme, a common method used by malicious actors to trick people into sharing their sensitive information," Google wrote in a blog post. "Attackers sent customized emails encouraging web domain owners to visit fraudulent websites such as 'google-hosts.com' that they set up purely to harvest usernames and passwords. These fake sites had no affiliation with Google, and the ones we've seen are now offline."
As is often the case when it comes to security issues, a combination of common sense and safe computing habits remains your best defense.
If you’re a Gmail user and you’ve got a domain that’s registered through GoDaddy, you’ve been put in danger – from yourself.
A new security flaw in Gmail has caused a new exploit to run wild. The exploit essentially makes you create a filter all on your own, allowing unwanted eyes to gain access to your Gmail account.
In a nutshell, the exploit steals a cookie from you. Once this cookie has been swiped, some malicious code creates a hidden iframe with a URL that contains the variables required for Gmail to create a filter for your account. Once this is done, the hacker has free rein over your personal emails and whatever else you might associate with your Gmail account.
While this is clearly the shorthand version, be sure to check out the full rundown. If you’re one of the many that uses both Gmail and GoDaddy, we’d suggest that you take some time to check it out.
Redmond usually releases security patches once a month, on Patch Tuesday, but Microsoft's security experts are worried enough about a newly reported vulnerability in the Server service to post an "out-of-band" security update, MS08-067, yesterday for all versions of Windows from Windows 2000 SP4 through Windows Server 2008 and Windows 7 pre-beta. Microsoft hasn't issued a security update between Patch Tuesday releases since April 2007, so this is a significant security issue.
Although all supported versions of Windows are vulnerable, Windows 2000 SP4, Windows XP, and Windows Server 2003 versions are especially vulnerable to this flaw, which can permit remote code execution via a specially crafted RPC request.
To find out what makes this vulnerability so critical, and to learn how to get the update, join us after the jump.
Several security vulnerabilities were reported in Google’s Chrome web browser after its beta version was launched earlier this month with much ado. Google has quickly responded with a security update that fixes four vulnerabilities. The update addresses two buffer overflow vulnerabilities, both rated critical by Google, and two other minor bugs. However, the carpet-bombing threat, first brought to light by security researcher Aviv Raff, still looms.
This holiday weekend many of you will be kicking back with a cold one, firing up the grill, spectating your local fireworks display, and perhaps catching up on a videogame or two when the festivities all come to an end. But while you're busy unwinding, hackers continue to look for ways to distribute malicious code and exploit vulnerabilities. Don't let what's supposed to be a relaxing weekend turn into a hair-pulling experience because you were caught off guard.
Update to Opera 9.5.1
Opera Software unveiled version 9.5 of its flagship browser less than a month ago, and the first major update is now available. Patching Opera to version 9.5.1 addresses several bugs and stability issues, and at least one "highly critical" vulnerability that could be used to execute arbitrary code. And it's not just Windows users that should install the update, but Mac OS X and Linux lovers too. Areas addressed in the update include:
Display and Scripting
View the 9.5.1 changelog for a detailed list of changes, and then hit the jump to see why you should be extra cautious about using the VLC Media Player.
Framed web pages are everywhere - but IE isn't ready to handle iFrame hijacking. ZDNet's Zero Day blog reports that exploit code is now available online to demonstrate how to perform malicious attacks against IE7 as well as IE6 and even IE8 beta 1. Even if your version of IE is fully patched, it's not ready to handle this vulnerability.
To find out how the threat works, join us after the break.