The proof of concept works in Firefox, but the security researchers state that other browsers are also affected by it. They explicitly mention Microsoft’s Internet Explorer and note that the Google Chrome may be vulnerable as well. They do however mention that an attack may not be as easy to implement for that browser due to the fact that Chrome does not “send keydown/keyup events to JS when the autocomplete drop down menu is focused”.

Here is how the issue can be exploited:

It is possible to get key down / up events via JavaScript when a drop down autocomplete menu is shown. This means that it is possible to lure a user to play a game and steal arbitrary values from browsers autocomplete feature.

The proof of concept page demonstrates how third party websites can steal autocomplete information from Firefox. The page can check if autocomplete information are available for sites such as Twitter, Facebook, Gmail, Microsoft or Yahoo logins as well as three different types of inputs.

According to the security researcher, browser vendors should implement a feature into their browsers that ties the autocomplete input to a particular website. The only way to protect the data from being stolen is to disable the browser’s autocomplete feature for forms and searches.

Firefox users can do that in the preferences under the Privacy tab.

Internet Explorer users can disable autocomplete under Internet Options > Content > AutoComplete > Settings.

Are you using your browser’s autocomplete feature for forms? Let me know what you think of the vulnerability in the comments. (Thanks Venkat)

The problems for OS X seem to stem from user privileges.  While Windows 7 isn’t perfect, OS X seems to have more “soft spots” according to a report by Network World.  “OS X networks are significantly more vulnerable to network privilege escalation” according to the researchers, who went on to say that “almost every OS X server service offers weak or broken authentication mechanisms.”

This news will come as a shock to some and a surprise to many.  While Apple still maintain that there is no malware threat on their desktop platform, despite the recent proliferation of the Mac Defender malware, OS X is still generally considered to be more secure than Windows 7 because of it’s Unix origins.

The fact that it’s user privileges and authentication, which is one of Unix’s strongest suits, will cause many great concern.

The researchers say that the latest version of OS X has gone some way to rectifying the problems with new sandboxing, that keeps programs isolated.

The research also looked at the vulnerability count for the two operating systems over the past few years.  In that time OS X has seen 1,151 vulnerabilities with Windows being not much higher, at 1,325.  While this is higher than the count for OS X it’s not significantly so.

On the upside, they also pointed out that Apple’s mobile operating system, iOS, is better at sandboxing applications.  It has a dynamic signing feature which the device has to approve before an application can run.  This is opposed to OS X which will accept certificates that it is given.

Whatever the outcome of this it is further proof that Apple have let their game slip in recent years by being complacent about security in their operating systems, especially OS X.  The line that it’s just secure by design is no longer true as malware these days works on the user rather than the OS itself.  It will be interesting to see how, or even if, Apple respond.

The programme, launched in October 2008 allows sharing of information about security vulnerabilities with security software vendors.  So far 65 companies have signed up to the scheme.

In a statement, Microsoft said…

“Adobe products are relied on by individuals and organizations worldwide. Given the relative ubiquity and cross-platform reach of many of our products, as well as the continued shifts in the threat landscape, Adobe has attracted increasing attention from attackers,” said Brad Arkin, senior director of product security and privacy at Adobe. “We are committed to our customers’ security at every level and are excited to leverage MAPP as an important part of our overall product security initiative. MAPP is a great example of a tried and proven model giving an upper hand to a network of global defenders who all rally behind a shared purpose — protecting our mutual customers.”

“Microsoft acknowledges that the constantly changing threat landscape requires a new approach to security — collaboration and shared responsibility are key as past individual efforts are no longer enough,” said Mike Reavey, director of the Microsoft Security Response Center at Microsoft. “We’re excited about extending the benefits of MAPP to Adobe users as we’ve seen clear evidence of its impact in advancing customer protections. We continue to encourage the collective industry — from security researchers and vendors to customers— to recognize the responsibility we all share in fortifying the broader computing ecosystem against online crime.”

The PC ecosystem is so complex these days that closer co-operation between software and security vendors is essential to help maintain stability and consumer confidence.  While many people will directly blame Microsoft for having insecure software, most trained observers will point out that it’s just not that simple, as the recent security scares for Adobe’s Flash and Acrobat software proved.

Microsoft took the opportunity to call on the “broader community” from security researchers to vendors, to all move more towards a co-ordinated disclosure.

With luck, this move will also finally allow third-party vendors to release their patches through Windows Update with the forthcoming Windows 8 in 2012.

The vulnerability afcects all versions of Windows including XP and Windows 7.   On Windows 7 the exploit can bypass the operating system’s security as it does not require administrative privileges to run.

In a statement Microsoft said…

Microsoft is investigating reports of limited, targeted attacks exploiting a vulnerability in Windows Shell, a component of Microsoft Windows. This advisory contains information about which versions of Windows are vulnerable as well as workarounds and mitigations for this issue.

The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the user clicks the displayed icon of a specially crafted shortcut. This vulnerability is most likely to be exploited through removable drives. For systems that have AutoPlay disabled, customers would need to manually browse to the root folder of the removable disk in order for the vulnerability to be exploited. For Windows 7 systems, AutoPlay functionality for removable disks is automatically disabled.

The exploit requires removable-media, such as a USB flash drive, and with auto-play enabled or with the user browsing manually to removable media. 

Affected Software

Windows XP Service Pack 3

Windows XP Professional x64 Edition Service Pack 2

Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP2 for Itanium-based Systems

Windows Vista Service Pack 1 and Windows Vista Service Pack 2

Windows Vista x64 Edition Service Pack 1 and Windows Vista x64 Edition Service Pack 2

Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2

Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2

Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2

Windows 7 for 32-bit Systems

Windows 7 for x64-based Systems

Windows Server 2008 R2 for x64-based Systems

Windows Server 2008 R2 for Itanium-based Systems

NeoWin have a video demonstrating the vulnerability which can be viewed here.

The patch, released through version 10.1 of the Flash player is available now from www.adobe.com and there is also a new version of Adobe Air as well.

The company may have managed to shoot itself in the foot with this patch however as you’ll see from the amusing screenshot below, where the news story about the patch in the new version of the Flash Player is accompanied by a picture of Homer Simplson asking “Ooh. They have the Internet on Computers now!”

Okay, so this is a banner advert for an Adobe Air app, but I had to share the irony of the event with you.

The patch fixes a critical vulnerability which could allow your PC to be hijacked remotely and it covers Windows, Mac and Linux users, so everybody should upgrade.  All PC users should upgrade their version of Flash as soon as possible to prevent their PCs being vulnerable to the flaw.

An update for Acrobat and Acrobat reader is due sometime in the next week or so to fix the same vulnerability.

To secure a computer system running Adobe Shockwave a user would therefor have to uninstall Adobe Shockwave, perform a system restart and install the latest version of Shockwave after the reboot.

The Security Bulletin that has been published at the Adobe website gives little information about the vulnerability other than it can be remotely exploited and that it only affects the Microsoft Windows operating system. Users are encouraged to download the latest version of Adobe Shockwave from the program’s website.

It should also be noted that this vulnerability targets only Adobe Shockwave and not Adobe Flash. Thanks goes to Dante for sending me the information via email.

Update: The latest version of Adobe Shockwave can be downloaded from the official website. It is always recommended to upgrade Shockwave to the latest version whenever an update is released by Adobe Software.

Maybe you are interested to know the difference between Shockwave Player and Adobe Flash? Shockwave Player includes Adobe Flash, it goes beyond what Flash offers. According to Adobe, the player is used to display destination Web content, interactive multimedia product demos, training, e-merchandising applications ad rich-media multi-user games.

Many file and image hosts filter dangerous file types. If you tried to upload a Jar file to most of them you would get an error message stating that the file type was not supported. Many however fail to analyze the file itself and simply reject files based on their extension which opens the door for this attack.

That’s a pretty dangerous exploit. Imagine someone who uses this to upload a new avatar to popular websites like Facebook or Myspace (two examples, I have not checked if the two use advanced upload filters). He could do all sorts of things with the Java Applet once users open up his profile page.

The only valid defense against this type of attack is to disable Java on the computer for the moment. Sun is already working on a fix although the researchers say that it is not Sun’s fault that this vulnerability exists.

According to their research Internet Explorer is leading the field with a market share of 78.3% followed by Firefox with 16.1%, Safari with 3.4% and Opera with 0.8%. This means in daily numbers 1108 million Internet Explorer, 227 million Firefox, 48 million Safari and 11 million Opera browsers.

If you analyze that data to find out how many of the users are using the latest version of the browser the picture changes drastically and provides another explanation why Internet Explorer is still the number one target for malicious software.

Only 52.5% of all Internet Explorer users are running the latest browser version compared to 92.2% of all Firefox users, 90.1% of the Opera users and 70.2% of the Safari users. The numbers are assuming that the latest version of the browser is the most secure one.

This leads to my initial question. Are you running the latest browser version of the browser that you are using ?

Sounds scary ? There is no fix for this vulnerability yet other than to disable Javascript or allow it only on trusted domains. Some researchers claim that other browsers are affected as well but have failed to deliver proof for those claims yet. It would not hurt however to use the Firefox add-on No Script for instance.

The vulnerability can be tested on this page if you visit it with Internet Explorer. It opens a new window and records the user input on that domain. There is an explanation from the same researcher available.

The solution given by the security company that discovered the vulnerability is to load only subtitles from trusted source or no subtitles at all until an official fix has been posted by the developers ov VLC.

Another option would be to switch to another player for the time being. SMPlayer, my favorite player, is another good choice which does not have this vulnerability.

Affected are all Real Player versions running under Internet Explorer. Microsoft has an article up that explains Killbits and what they do. They basically prevent Active X controls from being loaded in Internet Explorer. I still would recommend to either switch to Firefox or Opera temporarily or uninstall Real Player for the time until a security patch has been created.

Researcher Elazar Broad has posted to the Full Disclosure mailing list a so-called heap overflow vulnerability that makes it possible for an attacker to modify heap blocks after they are freed and overwrite certain registers.

The killbits that should be disabled are the following:

• 2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93
• CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA

This will definitely have the effect that some Real Player functions will stop working properly.

Basically said, uTorrent will crash if a user connects to it that sends a software version that is to long to be handled. This results in a crash of uTorrent. The attacker does not need to use Bittorrent at all to do that, a connection to the port that is being used by Bittorrent sending the to-long software version and a valid torrent hash is enough.

Code execution on the other hand is not possible. The uTorrent team reacted in less than one day and published a new version of their software 1.7.6 that handles the DOS vulnerability and three minor issues as well.

While it is not very likely that someone will actually exploit the vulnerability it is still advised to update immediately.

via Torrentfreak

You might be interested in which Windows editions are effected and which are not. It would also be nice to know if your browsers and e-mail clients are vulnerable and can be used to exploit the system. Vulnerable are Windows Vista, Windows XP SP2 and Windows 2000 SP4. Several other Microsoft operating systems are affected as well like Windows Server 2003 but I think the first three cover most Windows editions that my readers use. Exploitation happens completely silently.

Take a look at the demonstration video below. It shows how Windows Vista enters a endless Crash-Restart loop caused by a malicious ani file which was dropped on the desktop. Attacks will most likely occur over the Internet.

A security company has released a temporary fix for the solution until an official Microsoft patch gets released.

SQL Injection Attacks by Example gives you a detailed view how experts used the technique to break into a customers system.

“There have been other papers on SQL injection, including some that are much more detailed, but this one shows the rationale of discovery as much as the process of exploitation.”