Archive for November 2006
HTTP Header Injection Vulnerabilities in Adobe Flash Player
Right on schedule, a new Adobe Flash vulnerability was announced today. Version 9.0.28.0 is available to fix the problem.
This allows an attacker to perform cross-site scripting, cache poisoning, or session hijacking.
Overheard in the helpdesk
I was in the helpdesk today trying to make sure the lead guy in there and I were on the same page with a password reset website I’m going to be putting out there.
One of the temps comes over and asks someone right behind me: so-and-so is on the phone and he wants to know if he can use the Intel Wireless Driver on his Dell TrueMobile card.
TheReg noise on IE7
A couple of graduate students have written an article in The Register reporting that the IE7 critical update is causing headaches for managed environments.
If these really are managed environments, how is it that patches are being deployed without the IT department’s knowledge? Why wasn’t the IE7 blocker deployed? It was available a long time before IE7 was released to Windows Update.
The authors make a weird comment:
“For those organizations wishing to hold back a little further until these potential issues are sorted out by a later IE service pack (we are already on SP2) “
So in their world we’re running IE7 SP2? That’s kind of strange. Further, the authors imply that Microsoft released the IE7 automatic updates blocker as a result of this problem. In reality they released it in July.
The problem they are reporting is that the home page can be changed by the user, it isn’t locked down. Because the article is poorly written we don’t know how the home page was originally locked. So we really don’t know if there is actually a problem. Again, in a managed environment, you deploy the blocker (which admittedly only prevents accidental installs) or you don’t provide your users with local administrator rights. Either way, you would have tested this desired functionality (preferably in the year long beta of IE7) so you’re not surprised.
I wonder what method they used to try to lock the IE home page? Did they lock it with the IEAK for IE6, and then they are surprised it doesn’t work with IE7? Or did they attempt to lock it with Group Policy and it doesn’t work? I’m kind of curious.
I haven’t seen this myself. In our environment we’re just beginning to work with the internal application administrators to verify that IE7 will work with our HR, Finance and Payroll websites.
In a managed environment, you should deploy the Toolkit to disable automatic delivery (which, by the way, was released in July) and use the Internet Explorer Administrators Toolkit 7 to deploy with the correct settings.
Vista Security Guide
Microsoft has posted the Vista Security Guide.
It’s been reviewed by NIST and the NSA.
The IM Blocker is working
Getting hit with some spyware-laden links here at work. Our blocker got it no problem. But for everyone without IM protection, watch out for:
hxxp://nsl-school.org/?id=18388
hxxp://nsl-school.org/?id=winning_list
hxxp://mytermex.com/?news_id=18388
hxxp://mytermex.com/?id=virus_shield
hxxp://nsl-school.org/?id=news X-(
http changed to hxxp to avoid anyone accidentally infecting themselves. If you go to the sites, you’re on your own.
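As an added example (not code from the original post), here is the defender's side of the same convention: a small Python script that refangs the hxxp links above only far enough to extract their domains, then checks constructed proxy log lines against that domain list and reports any hit in defanged form so the output itself stays safe to paste. The log format and client addresses are made up for the example.

```python
"""Added example: domain blocklist from defanged (hxxp) links, matched against proxy logs."""
import re
from urllib.parse import urlparse

# Constructed blocklist: the hxxp links reported in the post, kept defanged.
DEFANGED_LINKS = [
    "hxxp://nsl-school.org/?id=18388",
    "hxxp://nsl-school.org/?id=winning_list",
    "hxxp://mytermex.com/?news_id=18388",
    "hxxp://mytermex.com/?id=virus_shield",
    "hxxp://nsl-school.org/?id=news",
]


def refang(url):
    """Turn a defanged URL (hxxp://, [.]) back into a parseable one, in memory only."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.I).replace("[.]", ".")


def defang(url):
    """Defang a URL the way the post does: swap http for hxxp so it cannot be clicked."""
    return re.sub(r"^http(s?)://", r"hxxp\1://", url, flags=re.I)


def blocked_domains(defanged_links):
    """Extract the set of hostnames from a list of defanged links."""
    domains = set()
    for link in defanged_links:
        host = urlparse(refang(link)).hostname
        if host:
            domains.add(host.lower())
    return domains


# Constructed proxy log lines (hypothetical format): timestamp client method url status
SAMPLE_LOG = """\
1162512000.123 10.0.0.5 GET http://www.example.com/index.html 200
1162512001.456 10.0.0.7 GET http://nsl-school.org/?id=18388 302
1162512002.789 10.0.0.9 GET http://cdn.mytermex.com/x.js 200
1162512003.000 10.0.0.5 GET http://notmytermex.com/ 200
"""


def find_hits(log_text, domains):
    """Return (client, defanged_url) for each request to a blocked domain or a subdomain of one.

    Matching is on the parsed hostname, not a substring search, so 'notmytermex.com'
    does not match 'mytermex.com' while 'cdn.mytermex.com' does.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        client, url = parts[1], parts[3]
        host = (urlparse(url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in domains):
            hits.append((client, defang(url)))
    return hits


if __name__ == "__main__":
    for client, url in find_hits(SAMPLE_LOG, blocked_domains(DEFANGED_LINKS)):
        print(f"{client} requested {url}")
```

The point of matching on the parsed hostname rather than grepping for the string is the last sample line: a look-alike domain that merely contains the blocked name must not produce a false positive, while a subdomain of a blocked domain should.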
Banking is getting too complicated
My Credit Union was purchased by a larger credit union earlier this year, and they implemented a hard cutover on November 1st so the old account was no longer valid on that date. To make it a really hard cutover the new account wasn’t available until that date as well. As a result, it was impossible to pre-arrange the new account information on all my bills. But enough about their poor transition plans, this is an infosec blog.
I had heard that with the new bank, we would now be able to use Microsoft Money to automatically download account information just as I would do with a credit card account. But after getting my new account information, I didn’t see anything about the Microsoft Money access.
I asked the customer service and they replied with the following:
In regards to Microsoft Money, we recently upgraded the security and login procedures for our Online Account Access system. These procedures comply with the new security guidelines recommended by the Federal Financial Institutions Examination Council (FFIEC) at the beginning of 2006. All financial institutions are required to meet these guidelines before the end of 2006.
Quicken and Microsoft Money’s current automatic update interface asks you for a user ID and password to allow them to access your xxxxxxxxxx FCU accounts. According to the FFIEC guidelines, that information alone is no longer sufficient to allow Quicken or Money to gain access to your xxxxxxxxx FCU account information. Our Online Access provider is currently working with Quicken, Microsoft and other providers who include an automatic update feature in their products in a forum called the OFX working group to find a universal solution to this issue.
You may still download your xxxxxxxxx FCU account information into Quicken or Microsoft Money from inside Online Account Access. To do so, click on the “Account Access” tab and click the “export” link.
If you have any questions or concerns, please feel free to let us know.
Very stringent requirements.
Firefox Remote Code Execution Vulnerability
Mozilla has announced multiple remote code execution vulnerabilities in Firefox.
These vulnerabilities allow attackers to:
- execute arbitrary machine code in the context of the vulnerable application
- crash affected applications
- run arbitrary script code with elevated privileges
Other attacks may also be possible.
References
- Mozilla Foundation Security Advisory 2006-65 (Mozilla): http://www.mozilla.org/security/announce/2006/mfsa2006-65.html
- Mozilla Foundation Security Advisory 2006-67 (Mozilla): http://www.mozilla.org/security/announce/2006/mfsa2006-67.html
Fixed in: Firefox 1.5.0.8, Thunderbird 1.5.0.8, SeaMonkey 1.0.6
Stration Spam Connection
iDefense is connecting the Stration virus with the recent rise in spam volume according to an article in Information Week.
Picking the Lock for Fun and Profit
Article originally from the Wall Street Journal on lockpicking as a growing hobby and how the locksmith union and lock manufacturers want that knowledge to remain secret.
Obvious parallels to the disclosure debate with computer software vulnerabilities.
Symantec earns top spot in customer loyalty report
Symantec earns top spot in customer loyalty report, but one has to wonder if they would fare as well in a report of enterprise antivirus admins.
Some of the key evaluation points were overall value, overall product, and company reputation.
Doesn’t Symantec routinely have deals where you can get the home suite for practically free, or free with buying something like TaxCut that you were going to buy anyway? If so, I’d say “free” is a pretty good value. The company reputation is perceived as good based on advertising and shelf space. The average home computer user doesn’t read AV-Comparatives or Virus Bulletin. They aren’t qualified to determine the quality of the product other than by their own subjective judgement.
Tip of the cap to Donna’s SecurityFlash since I first saw the study reported there.