Monthly Archive for July, 2009
Microsoft may soon be taking the unusual step of issuing an out-of-band security update to address multiple weaknesses that stem from a Windows security flaw that the software giant tried to fix earlier this month, Security Fix has learned. Last week, on its regularly scheduled Patch Tuesday (second Tuesday of the month), Redmond issued software updates to plug nine security holes. Among those was a patch for a flaw in Windows and Internet Explorer that hackers were exploiting to break into PCs. However, it soon became clear that Microsoft had known about this vulnerability since at least April 2008. On July 9, noted security researcher Halvar Flake published a blog post suggesting that the reason Microsoft took so long to fix the bug may be because the flaw was caused by a far more systemic problem in Windows. According to Flake, the problem resides in a collection of code that
A few readers have asked me why their installation of Norton Internet Security 2009 won't play nice with their copy of Firefox 3.5. Symantec now has an update to fix this compatibility issue. The problem was with the Norton Toolbar, a component of NIS2009 that Symantec markets as a way to encrypt and securely store your passwords and logins, and other sensitive data. I know many people who use this feature, so if you're one of them, follow the instructions here to get this feature to work with Firefox 3.5. If you use NIS2009 but don't store your personal data with the toolbar, there is no need to install this update. NIS has earned a bad rap over the years for being a slow, resource-hogging beast of an anti-virus program, but when I trialed the program for a few months, I found NIS2009 to be very fast and unobtrusive. Still,
Federal investigators are fielding a large number of complaints from organizations that are being fleeced by a potent combination of organized cyber crooks abroad, sophisticated malicious software and not-so-sophisticated accomplices here in the United States, Security Fix has learned. The attacks also are exposing a poorly-kept secret in the commercial banking business: That companies big and small enjoy few of the protections afforded to consumers when faced with cyber fraud. Earlier this month, I wrote about Bullitt County, Kentucky, which lost $415,000 after criminals planted malicious software on the county treasurer's PC. That rogue program allowed the crooks to initiate wire transfers to more than two dozen so-called "money mules," people duped into laundering the money and wiring it to the perpetrators in Ukraine. A few days after that story ran, I heard from a source in federal law enforcement who said the attack against Bullitt County was only the
Mozilla has pushed out an update to Firefox 3.5 to plug a critical security hole that Security Fix warned about this week. According to the SANS Internet Storm Center, there have been reports of public exploits for this flaw being used in the wild. The update brings Firefox 3.5 to version 3.5.1, and can be installed by selecting "Help," and then "Check for Updates," (3.5 users may also have the update auto-installed upon restarting the browser). This update appears to fix a number of other stability and security issues as well. If you took my advice to blunt the threat from the public exploit for this flaw, take a moment to undo the setting you changed earlier. That's because my advice was disable the vulnerable component -- Tracemonkey -- which dramatically speeds up the rendering of Javascript in Web pages, and is among the most-touted improvements in Firefox 3.5. To
Most people are familiar with the notion that a computer virus can be passed from PC to PC, but many folks would probably be surprised to learn that a sick PC can often pass its infection on to Web sites, too. Some of the most pervasive malicious software circulating today (e.g., Virut) includes spreading capabilities that hark back to the file-infecting methods of the earliest viruses, which spread by making copies of themselves, or by inserting their code into other files on the host system. Malware often modifies existing files on the victim's PC to maximize the chances that infected files will be shared with and downloaded onto new host systems. One of the most effective ways of doing that is for malware to inject copies of itself into all of the HTML files found on a victim's computer. The end result could be this: If the victim is also
Purveyors of spam and malicious software are taking full advantage of URL-shortening services like bit.ly and TinyURL in a bid to trick unwary users into clicking on links to dodgy and dangerous Web sites. Fortunately, with the help of a couple of tools and some common sense, most Internet users can avoid these scams altogether. According to alerts from anti-virus vendors McAfee, Symantec and Trend Micro, the latest to abuse these services is the Koobface worm, which targets users of social networking sites like Facebook (Koobface is an anagram of Facebook) and Myspace. It's now also spreading via microblogging service Twitter. Koobface arrives as a message that urges users to click on a link to a video, which invariably leads to a site that prompts the visitor to install a missing video plug-in. The fake plug-in turns the user's system into a bot that can be used for a variety
Microsoft Corp. today issued software updates to plug at least nine different security holes in its various Windows operating systems and other software. Today's patch batch includes fixes for two very serious flaws that are actively being exploited by attackers to break into vulnerable PCs. Redmond issued patches to fix the vulnerability in its Video ActiveX Control for Internet Explorer, as well as the DirectShow flaw in Windows. Criminals currently are using both security holes to plant rogue software on PCs when users visit certain hacked or malicious Web sites. Contrary to what Microsoft itself said, the company did not release an official patch to plug the other ActiveX flaw hackers are actively exploiting -- which I first wrote about yesterday. Instead, it has released an interim workaround to blunt the threat from that weakness. Unfortunately, someone at Redmond seems to be a little confused about this point. In its
Instructions showing hackers how to exploit an unpatched, critical security hole in Mozilla's new Firefox 3.5 Web browser have been posted online. So, until Mozilla can ship an update to quash this bug, Security Fix is posting instructions to help readers protect themselves from this vulnerability. The security hole has to do with a flaw in the way Firefox 3.5 handles Javascript, a powerful programming language heavily used on popular Web sites. Specifically, the vulnerability was introduced with the addition of the Tracemonkey, a new feature in 3.5 that is designed to dramatically speed up the rendering of Javascript. Vulnerability watcher Secunia rates this flaw "highly critical," noting that it is the type of flaw that criminals could use to remotely install rogue software, merely by convincing users to visit a hacked or booby-trapped Web site. Fortunately, there is a relatively easy fix for this that can be reversed once
For the second time in a week, Microsoft is warning that criminals are exploiting a previously unknown security hole in its software to break into Windows computers. The company has released a stopgap fix to help protect users until an official software update is available. The problem stems from yet another insecure ActiveX component, this time one made to manage Excel spreadsheets between Internet Explorer and various Microsoft Office products. In an advisory released today, Microsoft said it is aware of attacks exploiting this vulnerability, which is the sort that could give criminals complete control over a vulnerable Windows PC merely by tricking users into visiting a booby-trapped Web site with IE (yes, this means if you use Windows but consistently use a non-IE browser to surf the Web and open e-mail links, then you have little to worry about from this flaw). According to Microsoft, your system is vulnerable
