Sharing Security Developments, and Best Practices for corporate and home users
October 2006 - Posts
-
Sharing an article on Stration, which is on the watchlist for developments, as it's now one of the leading email worms.  
Stration Worm -- Tricky new malware unnerves security vendors http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004601
QUOTE: October 30, 2006 (IDG News Service) -- A tricky malicious program has become more prevalent in spam, but experts don't know what its creators plan to do with it. Many vendors are rating the malware -- called "Warezov," "Stration" and "Stratio" -- as a low risk. But they also say that it is tricky to deal with.
The malware is a mass-mailing worm that affects machines running Microsoft Corp.'s Windows OS. When the malware infects a computer -- usually after the user has opened an attachment containing the worm in a spam e-mail -- it sends itself out again to other e-mail addresses found on the computer. The code is then capable of downloading new versions of itself as frequently as every 30 minutes from a batch of Web sites, said Mikko Hypponen, chief research officer at F-Secure Corp., a security company in Helsinki.
Those new versions are created by a program on a server controlled by the hacker, Hypponen said. In the past, malware has been known to create variations of itself, but the code to create those variations was contained inside the malware. So when a sample was obtained, security analysts could study it and identify potential new versions, he said.
Coincidentally, I just received a leading-edge Stration variant that McAfee, Symantec, and Microsoft did not detect (as of 2 p.m. EDT):
EMAIL SUBJECT: This is not shown on TV.
ATTACHMENT: picture0000.zip (where 0000 is a four-digit number)
QUOTE: Complete scanning result of "picture1656.zip", processed in VirusTotal at 10/31/2006 19:37:49 (CET).
[ file data ]
* name: picture1656.zip
* size: 13321
* md5: 17653f8f867ef7a6f5b9dd4be2f55902
* sha1: c0c70aead05814cb35097fc2358615868fd67f42
[ scan result ]
AntiVir 7.2.0.34/20061031 found [TR/Dldr.Stration.C.6]
Authentium 4.93.8/20061031 found [W32/Warezov.GA]
Avast 4.7.892.0/20061031 found [Win32:Warezov-MF]
AVG 386/20061031 found [I-Worm/Stration]
BitDefender 7.2/20061031 found [Win32.Warezov.EW@mm]
CAT-QuickHeal 8.00/20061031 found [I-Worm.Warezov.ev]
ClamAV devel-20060426/20061031 found [Worm.Stration.YY]
DrWeb 4.33/20061031 found [Win32.HLLM.Limar.based]
eTrust-InoculateIT 23.73.41/20061031 found [Win32/Stration.Variant!Worm]
eTrust-Vet 30.3.3170/20061031 found nothing
Ewido 4.0/20061031 found nothing
F-Prot 3.16f/20061031 found [W32/Warezov.GA]
F-Prot4 4.2.1.29/20061031 found [W32/Warezov.GA]
Fortinet 2.82.0.0/20061031 found [W32/Stration.DU@mm]
Ikarus 0.2.65.0/20061031 found [Email-Worm.Win32.Warezov.gen]
Kaspersky 4.0.2.24/20061031 found [Email-Worm.Win32.Warezov.ev]
McAfee 4884/20061030 found nothing
Microsoft 1.1609/20061031 found nothing
NOD32v2 1.1845/20061031 found [a variant of Win32/Stration]
Norman 5.80.02/20061031 found [W32/Stration.AOH]
Panda 9.0.0.4/20061031 found nothing
Sophos 4.10.0/20061026 found nothing
TheHacker 6.0.1.109/20061030 found [W32/Generic!zip-dobleextension]
UNA 1.83/20061031 found nothing
VBA32 3.11.1/20061031 found [MalwareScope.Worm.Warezov.1]
VirusBuster 4.3.15:9/20061031 found [Trojan.Opnis.Gen.14]
In this run 19 of the 26 engines flagged the sample under a Stration/Warezov or generic name, while eTrust-Vet, Ewido, McAfee, Microsoft, Panda, Sophos, and UNA found nothing. Note that the Sophos signature set used was dated October 26, five days old, which is a reminder to check the signature date as well as the verdict when reading these results.
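As an added example written for this page (it is not code from the article, from F-Secure, or from any vendor in the scan above), here is a gateway-style Python check for attachments shaped like this lure: a pictureNNNN.zip filename and, inside the archive, an executable hiding behind a double extension such as picture1656.jpg.exe, which is the same heuristic TheHacker reports above as "zip-dobleextension". The sample archives are constructed in memory around an inert two-byte header, not the real worm, and the extension lists, the member name, and the exact filename pattern are assumptions.

```python
"""Gateway-style check for e-mail attachments shaped like the Stration/Warezov
lure: a small ZIP named pictureNNNN.zip whose member is an executable hiding
behind a double extension (e.g. picture1656.jpg.exe). Added example for this
page; the archives are built in memory and hold no real code."""
import io
import re
import zipfile

# Extensions Windows will execute on double-click. Explorer hides known
# extensions by default, so "picture1656.jpg.exe" displays as "picture1656.jpg".
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js"}
# Extensions a recipient expects to be harmless (assumed list).
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".txt", ".doc", ".pdf"}
# Lure filename seen in this campaign: picture + four digits + .zip (assumed pattern).
LURE_NAME = re.compile(r"^picture\d{4}\.zip$", re.IGNORECASE)


def double_extension(name: str) -> bool:
    """True for names like 'holiday.jpg.scr': decoy extension, then executable one."""
    parts = name.lower().rsplit(".", 2)
    if len(parts) < 3:
        return False
    decoy, final = "." + parts[1], "." + parts[2]
    return final in EXECUTABLE_EXTS and decoy in DECOY_EXTS


def scan_zip_attachment(filename: str, data: bytes) -> dict:
    """Inspect one attachment without extracting anything to disk.

    Returns {"filename", "block", "findings"}; block is True only when an
    executable is found inside (the lure name alone is just a hint)."""
    findings = []
    if LURE_NAME.match(filename):
        findings.append("filename matches Stration lure pattern pictureNNNN.zip")
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            members = zf.namelist()
    except zipfile.BadZipFile:
        # Corrupt or disguised archive: fail closed at the gateway.
        return {"filename": filename, "block": True, "findings": ["not a valid ZIP"]}
    for member in members:
        base = member.rsplit("/", 1)[-1]
        last_ext = "." + base.lower().rsplit(".", 1)[-1] if "." in base else ""
        if double_extension(base):
            findings.append(f"double-extension executable inside archive: {member}")
        elif last_ext in EXECUTABLE_EXTS:
            findings.append(f"executable inside archive: {member}")
    block = any("executable" in f for f in findings)
    return {"filename": filename, "block": block, "findings": findings}


def build_sample_zip(member_name: str, payload: bytes = b"MZ" + b"\x00" * 62) -> bytes:
    """Constructed test attachment: one member, inert 'MZ' header only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


if __name__ == "__main__":
    lure = build_sample_zip("picture1656.jpg.exe")
    harmless = build_sample_zip("picture1656.jpg", b"\xff\xd8\xff\xe0 not really a jpeg")
    print(scan_zip_attachment("picture1656.zip", lure))      # block=True
    print(scan_zip_attachment("picture1656.zip", harmless))  # block=False
```

In a mail filter you would call scan_zip_attachment() on each decoded ZIP part and quarantine on block=True. The filename pattern is deliberately only a hint rather than a blocking rule on its own, because a worm that re-downloads itself every 30 minutes changes its lures at least as often as its binary; the double-extension check inside the archive is what survives those changes.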
-
Many projects, including those centered on security, have failed because people did not listen properly. It's an important skill to keep in mind when gathering input, coordinating tasks, or simply reading our email.
Listening - One of the most important communication skills http://blogs.techrepublic.com.com/tech-manager/?p=213
QUOTE: Failure to listen is the first step in miscommunication. Technical folks, even technical project managers, are not always the best communicators. If we do not listen, and listen carefully, to one another things get lost. More importantly, other successful people who share that crazy spark which keeps us going, feel the lack of attention. They start to feel ignored, undervalued, and unappreciated. So, what's a poor listener to do? In my case I ask myself four questions before I go into a conversation. These questions have become my mantra, something I repeat over and over again throughout the day.
1. Who am I really going to listen to, the person or my own inner voice?
2. What can I learn from this person by being brave enough to listen?
3. When will I need to accept help from this person again?
4. How can I tell this person that I believe in them as much as they believe in themselves?
-
My settings are a little more secure than the IE 7 defaults. So far, IE 7 has passed 2 of the 3 tests noted for IE 7 at Secunia. The one area related to an Outlook Express vulnerability is not being exploited in the wild and would be mitigated through phishing controls and best practices.
Secunia: Internet Explorer 7 Window Injection Vulnerability http://secunia.com/advisories/22628/
QUOTE: A vulnerability has been discovered in Internet Explorer 7, which can be exploited by malicious people to spoof the content of websites. The problem is that a website can inject content into another site's window if the target name of the window is known. This can e.g. be exploited by a malicious website to spoof the content of a pop-up window opened on a trusted website.
TEST for vulnerabilities http://secunia.com/multiple_browsers_window_injection_vulnerability_test/
MORE INFORMATION http://msmvps.com/blogs/spywaresucks/archive/2006/10/30/228561.aspx
-
This new blog resource evaluates SOX IT requirements and has several informative posts: Sarbanes Oxley Blackbelt 404 - Excellent Blog Resource http://www.sarbox404.com/
-
Below are additional links to follow up on the good information Bill and Richard shared with us over the weekend.
Microsoft Windows NAT Helper Components DNS Denial of Service Vulnerability http://www.frsirt.com/english/advisories/2006/4248
QUOTE: A vulnerability has been identified in Microsoft Windows, which could be exploited by malicious users to cause a denial of service. This flaw is due to a NULL pointer dereference error in the NAT Helper Components ("ipnathlp.dll") when processing requests via the "DnsProcessQueryMessage()" and "NatCreateRedirect()" functions, which could be exploited by attackers on the LAN to crash the Service Host Process by sending a specially crafted DNS request to a vulnerable system with Internet Connection Sharing enabled. Note : A proof of concept exploit has been published.
ISC: Remote DoS released targets Windows Firewall/Internet Connection Sharing (ICS) service component http://www.incidents.org/diary.php?storyid=1809
Microsoft ICS DoS FAQ http://blog.ncircle.com/archives/2006/10/microsoft_ics_d.htm
Am I vulnerable? Checklist:
1) Are you running Windows XP?
2) Are you sharing your Internet connection (ICS enabled)?
If the answer is yes to both, you are vulnerable. Note that the attacker has to be on your LAN side, since the ICS host only answers DNS requests from the machines it is sharing with.
Mitigation:
1) Disable Internet Connection Sharing.
2) Block UDP port 53 (DNS) on the computer that is sharing the Internet connection, and manually set the DNS server on the sharing clients to your ISP's DNS address, since they can no longer use the ICS host as their DNS proxy.
-
While this is humorous, there are some good tips in better IT security controls for organizations Halloween: User Tricks and Security Treats http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004538 QUOTE: Thirteen malevolent spirits may haunt the halls and cubicles of your company, and if you're going to scare them into security compliance, you may need to get a little bit spooky yourself. Have a few treats up your sleeve to return for these goblins' sinister tricks.
-
All WinAmp users should update to the latest WinAmp release to correct two critical security issues.
WinAmp Media Player - Critical Security Update
http://www.kb.cert.org/vuls/id/449092
http://www.winamp.com/player/version_history.php#5.31
http://secunia.com/advisories/22580/
QUOTE: Two vulnerabilities have been reported in Winamp, which can be exploited by malicious people to compromise a user's system.
1) An error in the Ultravox protocol handler during processing of the "ultravox-max-msg" header can be exploited to cause a heap-based buffer overflow via either a specially crafted playlist or a "shout:" or "uvox:" URI.
2) An error during the parsing of certain Lyrics3 tags can be exploited to cause a heap-based buffer overflow via either a specially crafted playlist or a "shout:" or "uvox:" URI.
The vulnerabilities are reported in versions 2.666 through 5.3.
SOLUTION -- Update to version 5.31 http://www.winamp.com/player/
-
I've found that George Ou writes good technical pieces for TechRepublic. He also concludes that IE 7 is a "must have" upgrade and offers positive comments from a security perspective.
George Ou - Bottom line on IE7 http://blogs.techrepublic.com.com/Ou/?p=349
QUOTE: So what does IE7 really mean to individuals and companies? If you're using IE6 as your primary browser, IE7 is a must have. For IE6 users, IE7 will offer a huge improvement in the user interface though it is highly recommended that you follow the welcome tutorial to get acquainted with it. The UI is much more streamlined and the traditional file-edit-view menu is always hidden though you can still make it show up by hitting the ALT key. You will still have compatibility with IE-only webpages but the browser is also a lot more compatible with the web standards. Every one of my friends I've talked to has had a very positive experience with IE7 and we can thank Firefox for forcing Microsoft to deliver IE7 on Windows XP for free.
From a security standpoint, IE7 offers a huge improvement over IE6. The two most recent zero-day exploits from last month for example only affected IE6 and not IE7 because the code auditing on IE7 was rigorous. The ActiveX footprint in IE7 is about 90% smaller than IE6 because almost all of the ActiveX controls were completely disabled by default and only the most critical ActiveX controls for things like Media Player and Adobe Flash were kept on. Even if you're running an alternative browser like Firefox, you're still going to want to get rid of IE6 by installing IE7 if you ever need to use IE for anything.
-
Currently most malicious software is designed to hide silently on infected PCs. This article discusses findings from Microsoft's recent Security Intelligence Report, which is built from Malicious Software Removal Tool telemetry.
Microsoft MSRT Study on Malicious Software hiding in PCs http://articles.techrepublic.com.com/2100-1009_11-6129235.html
QUOTE: More than 43,000 new variants of such insidious software were found in the first half of 2006, making them the most active category of malicious software, Microsoft said in a Security Intelligence Report published Monday. In June Microsoft also flagged zombies as the most prevalent threat to Windows PCs. "Attackers, with financial gain in mind, are clearly concentrating a significant amount of development focus on this category of malware," Microsoft said in the report. Of 4 million Windows PCs found to be infected with some kind of malicious software in the first half of this year, about 2 million were running malicious remote control software, Microsoft said. The data is collected by Microsoft's free Windows Malicious Software Removal Tool, which runs when security updates are installed on Windows PCs. While the number is high, it is actually a decrease from the second half of 2005, when Microsoft found that 68 percent of infected PCs contained a backdoor Trojan. Meanwhile, hackers are trying harder to make their networks of hijacked computers go unnoticed by moving to new Web-based techniques.
-
Final Review: The Lowdown on Office 2007 http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9003994 QUOTE: Simplify, simplify, simplify. The challenge for Microsoft in revamping Office was to better organize all the options available without negatively impacting productivity. For new users, that's a particularly important goal, since the menus and toolbars in current versions may appear to be a mishmash. The overriding design goal for the new user interface, Microsoft says, is to make it easier for users "to find and use the full range of features these applications provide" while preserving "an uncluttered workspace that reduces distraction for users so they can spend more time and energy focused on their work." The redesign makes most Office 2007 applications look completely fresh, clean, new -- and more colorful. From Ribbons that offer clearly labeled buttons to thumbnail previews of most graphic features, the applications bear only a slight resemblance to their former selves.
-
A positive review of IE 7 from both a security and functional standpoint. The "just say yes" advice encourages users to accept IE 7 when it is offered to them via Microsoft Update in November.
Review: Just Say Yes to Internet Explorer 7 (see page 4 for a positive review on security) http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004205
QUOTE: IE7 is a considerable improvement over IE6, and with new features such as tabbed browsing, RSS support, improved security and an integrated search box, it's well worth the upgrade.
-
This information is preliminary and based on Microsoft's Service Pack Roadmap.
Article: Windows XP SP3 Pushed to 2008 http://www.betanews.com/article/Windows_XP_SP3_Pushed_to_2008/1161282900
QUOTE: Windows XP SP3 will be the first major upgrade to the operating system since XP SP2 debuted in August 2004. SP2 was an extensive upgrade, bringing a new security center and improvements in wireless networking and Internet Explorer. However, with SP3 arriving three years later, the update will focus on security patches and bug fixes rather than feature enhancements.
Microsoft's SP Roadmap http://www.microsoft.com/windows/lifecycle/servicepacks.mspx
QUOTE: SP3 for Windows XP Professional is currently planned for 1H CY2008. This date is preliminary.
-
This is a good older article on the real costs associated with junk email and other unwanted traffic from the Internet. While costs are difficult to ascertain, there are real expenses in handling spam and junk traffic. I suspect that if other costs were factored in (e.g., lost user productivity, help desk calls, spam-blocking software), the total would be significantly more than just the bandwidth costs noted in this research.
How much does unwanted Internet traffic cost an organization? http://articles.techrepublic.com.com/5100-1009-5967393.html
QUOTE: A few weeks ago, a coworker asked me a simple question: How much of the Internet traffic coming into our network was "junk," and how much was this unwanted traffic costing us?
Statistics:
* Approximately 2.8 million distinct IP addresses from all over the world were responsible for junk traffic on my organization's network in the past month. And keep in mind that this doesn't include delivered junk e-mail.
* Roughly 40,000 networks were responsible for junk traffic on my organization's network in the past month.
* Statistically, the majority of junk IP addresses came from inside the United States.
* Second on the list for junk Internet traffic was China. Rounding out the top five on my list of junk Internet traffic sources were France, Belgium, and Germany.
* Approximately 7 percent of all incoming Internet traffic to my organization's network fell under the junk traffic classification.
* Estimating the cost for bandwidth at about $50 per megabit per second, the junk traffic costs my organization about $255 per month, or about $3,060 annually.
-
I had been actively using the beta versions of IE 7 on all my home and work PCs, and was pleased especially with the more secure implementation. Think of a browser as being a compiler of objects at a web-site and how it has to protect us from a "sea of malware" out there.
Moving to IE 7 represents a positive step for improving home or corporate security. From a corporate standpoint, it's important to test, pilot, and certify this with all your apps before rolling it out.
IE 7 - Recommended installation approach
* Use only the official download from Microsoft's site.
* Reboot the PC for a fresh start (advanced users should also create a System Restore point first).
* Shut down all running applications and temporarily disable the AV scanner (re-enable it as soon as the install completes).
* Do not run anything else during the complete install process.
* Wait patiently, as some steps are long-running and might seem to hang (overall this took about 5 to 10 minutes for me).
* Reboot as prompted (twice).
* Select "Run" to continue the process after the first reboot.
* Keep lucky charms and a celebration kit handy, e.g., plenty of Mountain Dew.
Internet Explorer Home Page http://www.microsoft.com/windows/ie
Install the latest build of Internet Explorer 7 http://www.microsoft.com/windows/ie/downloads/default.mspx
Prepare your organization using the Internet Explorer 7 Readiness Toolkit http://go.microsoft.com/fwlink/?linkid=64421
If needed, install the Internet Explorer 7 Blocker Toolkit to block automatic delivery http://go.microsoft.com/fwlink/?linkid=65788
Another excellent resource for tips and techniques http://aumha.net/viewtopic.php?t=22165
-
Below are ideas that might help on "what to do" if your web servers are compromised:
1. Isolate immediately to prevent further damage (unplug the servers from the Internet).
2. Identify the intruder (based on firewall logs; work from a copy so the originals stay intact as evidence).
3. Preserve any evidence before rebuilding (swap out the hard drives or take a good backup).
4. Report to authorities (usually starting with local police or the FBI).
5. Identify the vulnerability (why did this happen?).
6. Assess potential damage (e.g., accounts, altered web pages, data compromised; perform a thorough AV scan, etc.).
7. Always rebuild the system from scratch; a cleaned-up compromised system cannot be fully trusted.
8. Change all passwords and thoroughly assess file shares and security permissions.
9. Return the systems to operation.
10. Closely monitor the restored web environment, as intruders frequently try to return, especially if the original vulnerability was not closed.
PRIOR POST http://msmvps.com/blogs/harrywaldron/archive/2004/05/17/6679.aspx
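As an added example for step 2 (this is not code from the original post), the Python below triages a Windows Firewall log (pfirewall.log, W3C extended format) around the time of the incident: it lists the remote hosts that connected to the server, flags those that touched ports a public web server should never accept, and flags any host the server itself connected out to, which on a web server is a red flag by itself. The log lines, the server address 192.0.2.10, the expected-port list, and the incident window are constructed for illustration.

```python
"""Triage a Windows Firewall log (pfirewall.log, W3C extended format) to see
which remote hosts were talking to a compromised web server around the time
of the incident. Added example for this page; the log lines, server address
and incident window below are constructed, not from a real case."""
from collections import defaultdict
from datetime import datetime

# Constructed sample in the pfirewall.log layout. Field order comes from the
# #Fields header, which is how Windows writes the file.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2006-10-29 02:58:10 OPEN TCP 198.51.100.7 192.0.2.10 40211 80 - - - - - - - - RECEIVE
2006-10-29 03:01:42 OPEN TCP 203.0.113.5 192.0.2.10 51234 80 - - - - - - - - RECEIVE
2006-10-29 03:02:05 OPEN TCP 203.0.113.5 192.0.2.10 51235 80 - - - - - - - - RECEIVE
2006-10-29 03:02:31 OPEN TCP 203.0.113.5 192.0.2.10 51240 445 - - - - - - - - RECEIVE
2006-10-29 03:03:19 OPEN TCP 203.0.113.5 192.0.2.10 51244 3389 - - - - - - - - RECEIVE
2006-10-29 03:04:50 OPEN TCP 192.0.2.10 203.0.113.5 1042 6667 - - - - - - - - SEND
2006-10-29 03:15:00 OPEN TCP 198.51.100.9 192.0.2.10 33021 80 - - - - - - - - RECEIVE
2006-10-29 06:40:12 DROP UDP 203.0.113.77 192.0.2.10 5060 5060 - - - - - - - - RECEIVE
"""

SERVER = "192.0.2.10"        # the compromised web server (assumed address)
EXPECTED_PORTS = {80, 443}   # the only ports a public web server should accept


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def parse_firewall_log(text):
    """Yield one dict per data row, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, line.split()))
        row["ts"] = _ts(row["date"] + " " + row["time"])
        row["dst-port"] = int(row["dst-port"]) if row["dst-port"].isdigit() else None
        yield row


def triage(text, server, window_start, window_end):
    """Summarise remote hosts seen in the incident window (ISO timestamps).

    Returns {remote_ip: {"hits", "ports", "outbound"}}, most suspicious first:
    hosts the server connected OUT to, then hosts hitting unexpected ports."""
    start, end = _ts(window_start), _ts(window_end)
    summary = defaultdict(lambda: {"hits": 0, "ports": set(), "outbound": False})
    for row in parse_firewall_log(text):
        if not (start <= row["ts"] <= end):
            continue
        if row["dst-ip"] == server and row["path"] == "RECEIVE":
            entry = summary[row["src-ip"]]
            entry["hits"] += 1
            entry["ports"].add(row["dst-port"])
        elif row["src-ip"] == server and row["path"] == "SEND":
            # A web server opening connections outbound (in the sample, to
            # 6667/IRC) points at a bot or reverse shell, not normal traffic.
            entry = summary[row["dst-ip"]]
            entry["outbound"] = True
            entry["ports"].add(row["dst-port"])

    def score(item):
        entry = item[1]
        return (entry["outbound"], len(entry["ports"] - EXPECTED_PORTS), entry["hits"])

    return dict(sorted(summary.items(), key=score, reverse=True))


def suspects(text, server, window_start, window_end):
    """Remote IPs that touched non-web ports or received outbound connections."""
    return [ip for ip, e in triage(text, server, window_start, window_end).items()
            if e["outbound"] or (e["ports"] - EXPECTED_PORTS)]


if __name__ == "__main__":
    window = ("2006-10-29 02:30:00", "2006-10-29 04:00:00")
    for ip, e in triage(SAMPLE_LOG, SERVER, *window).items():
        flag = "OUTBOUND" if e["outbound"] else ""
        print(f"{ip:16} hits={e['hits']} ports={sorted(e['ports'])} {flag}")
    print("suspects:", suspects(SAMPLE_LOG, SERVER, *window))
```

The window should start well before the first sign of trouble, since the foothold is usually taken long before the defacement is noticed, and any host that appears on the outbound list deserves a look in the web server's own access log for the request that preceded the connection. Work from a copy of the log so that the original can be preserved as evidence (step 3).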
-
This article summarizes a presentation from the recent Virus Bulletin conference on a threat that may grow in the future. MessageLabs estimates that about 7 of the 3,000,000 malware messages it intercepts per day are currently targeted attacks.
Future Malware Trends - Targeted Trojan Horses attacks http://articles.techrepublic.com.com/2100-1009_11-6125453.html
QUOTE: Worms, viruses, and Trojan horses spammed out in general are not a grave concern anymore. Instead, especially for organizations, targeted Trojan horses used for industrial espionage have become the nightmare scenario. The problem, according to security experts, is that security technology can stop common attacks, but targeted attacks fly under the radar.
What security procedures do you have in place to prevent targeted attacks?
-
I respectfully disagree with this article, as information security is a responsibility of all employees in an organization. Ultimately, security is a joint effort between IT and all business professionals in the company.
Article: Security expert: User education is pointless http://news.zdnet.com/2100-1009_22-6125213.html
QUOTE: In Gorling's view, the answer to those questions is yes. In corporations in particular the security task belongs with IT departments, not users, he argued. Just as accounting departments deal with financial statements and expense reports, IT departments deal with computer security, he said. Users should worry about their jobs, not security, he said.
COMMENTS: When I used to perform security awareness in our company (emails, website, newsletter, formal presentations, etc.), I saw it make a difference. The keys to a successful user education program include:
- Keep it simple, using non-technical language and simplified concepts where possible
- Make it interesting (e.g., war stories)
- Give them advice that helps them at home as well (e.g., privacy protection, avoidance concepts, etc.)
- Keep the program updated for emerging threats (e.g., phishing, fraud, e-commerce protection, etc.)
- Have an intranet website as a reference resource
- Security goes beyond just malware protection (e.g., business travelers with laptops, the need to protect reports or data entrusted to them, etc.)
I agree that we need the best technological controls to complement the protective process. Still, each person in an organization has to "think security". I've used a slide with simply SEC-U-R-IT-Y on it to illustrate "you are it" when it comes to safeguarding the company's security and your own at home.
-
Internet Explorer 7 represents a much improved browser when compared to IE 6. In beta testing this over the past several months (esp. after beta 3), I have found improvements with both security and functionality. While it requires some testing and configurations to the browser for all sites to work properly, IE 7 represents a worthwhile upgrade from version 6.
IE 7 for XP to be released during October QUOTE: The final release of IE7 is fast approaching … and I mean really fast … and will be delivered to customers via Automatic Updates a few weeks after it’s available for download.
-
In the following post, some guidelines were shared that can help meet SOX requirements more effectively and efficiently when implementing new systems. http://www.sarbanes-oxley-forum.com/modules.php?name=Forums&file=viewtopic&t=1791
RECOMMENDATIONS FOR FINANCIAL SYSTEMS DEVELOPMENT IN THE SOX ENVIRONMENT
1. Formal project plan
2. Formal write-up of SOX controls to be used - make this a standard for the team
3. Formal and rigid change control on source promotions (e.g., alpha to beta to QA to production)
4. Very detailed and complete accountability of all financials in the conversion from old to new
5. Appoint a SOX coordinator (I've been that on a few projects)
6. Invite Internal Audit to participate and give guidance up front
7. If applicable, invite external auditors to participate and give guidance up front
8. Documentation standards
9. Create an e-library of documentation (contrary to popular belief, you can do SOX using a paperless approach)
10. Look at low-cost tools if needed
11. Educate the team in SOX standards, basics, and in-depth as needed
12. Streamline workflows for efficiency ... Do it right so you don't have that 30% overhead as a drag on the project. You still might have some (e.g., 5-10%), as doing the extra work for SOX ain't gonna happen by itself.
13. Emphasize to the team that SOX is an important deliverable in the development process as well as in the application
14. Work with the users to design and use best practices for workflow, etc.
15. Obtain senior management's support for the extra time and requirements ... That will do wonders for your project.
16. Security, Security, Security ... Use the best controls, autonomy levels, protect workstations and servers, etc.
17. Reconciliation reports - plan on developing a number of these to compare old vs. new systems
18. Make sign-offs on the financials a part of the user approval process (it puts the onus on users to meticulously examine test material)
19. Log project history (promotions, change control history, correspondence, test plans) in the e-library
20. Revisit your SOX standards and progress at least quarterly.
-
The Vista operating system will be implemented with tighter licensing and registration controls to prevent piracy. Vista to get new antipiracy measures http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9003864 QUOTE: New technologies strengthen detection, lockdown features Microsoft Corp. will introduce a new system for fighting software piracy with its upcoming Windows Vista and Windows Longhorn Server operating systems, the company said Wednesday. Called the Microsoft Software Protection Platform, it's a collection of technologies aimed at improving the detection of pirated versions of Windows. It will also force unauthorized versions of its software into a limited-functionality mode, encouraging users to obtain a legal copy, according to Microsoft.
-
While most areas of Myspace.com are probably safe, it is one of the most popular and highly visited sites on the Internet, and a highly popular site will attract cyber-crooks and malware writers. As this individual shares, it's important to recognize the security risks at Internet sites you might visit, ensure you are up-to-date on protection, and have the best security settings for Windows and your browser. Most importantly, avoid the risk where you can. There are no free lunches on the Internet, as traps are planted everywhere to tempt folks into opening URLs or files that could contain malware.
QUOTE: I'm sorry to bug you with this info, but it's major. On myspace.com, they have a download so adults may see some adult type of profiles on there. This download however is infected with trojans and viruses. I downloaded and installed the program without knowledge of the hazards. My computer was then infected with a trojan and a program that opens your computer's ports without you knowing. Please research this issue, and inform people about this problem with myspace.com. Sincerely,
-
Most mornings before going to work, I check the latest security news on my PC and tune into CNBC to keep up with business developments. Yesterday, McAfee CEO George Samenuk and Microsoft's Ben Fathi both spoke on the topic of whether security vendors should have access to the Vista kernel. There are interesting viewpoints on both sides.
I personally like McAfee's corporate version, as it has improved with version 8 during the past couple of years. AVERT, a division of McAfee, is very timely in releasing new signature files for evolving threats (usually among the first companies to provide protection). Both Symantec and McAfee have publicized their objections to not being allowed access into the Vista kernel, which is the control system for the entire OS. I'm guessing that they want access to the low-level functions of the OS that the kernel is protecting (e.g., tweaking data management and I/O routines to gain better performance than going through an API). Also, it's important that AV services cannot be stopped or disabled easily, so there may be special hooks to ensure AV protection stays resident until a true shutdown of the software occurs.
We're all hoping that the good security we see in Vista holds up in the future. On paper, the security architecture is significantly superior to Windows XP SP2. It should hold up fairly well, although no software can be considered completely perfect. In some respects, altering kernel-mode routines might impact Windows functionality as future security updates or Service Packs are issued. For example, if a security vendor develops specialized routines against the original version of Vista and Microsoft later changes that code, the vendor's routines could break. One disadvantage of allowing special hooks into the kernel might be the potential to leak source code or other critical information to the public. What if a laptop with sensitive code were stolen, for example? Also, if the 3rd party security product is compromised and has exclusive rights in the Vista kernel, it could expose the OS to further dangers.
Hopefully, a good compromise on this issue will be forthcoming. Microsoft has significantly improved security in some of its latest implementations (e.g., Vista, XP SP2, Windows Server 2003, IIS 6, and IE 7). Still, it's nice to have great 3rd party software to cross-check for any possible security issues. Some companies are highly experienced in security and are worth paying for, as long as the software is reasonably priced. I personally hope that the security APIs Microsoft has provided will allow for good 3rd party implementations of security, without having to alter routines or trusts within the Vista kernel itself. I've been using corporate McAfee AV protection for over a decade now and look forward to testing their future implementation for Vista.
-
The NoScript extension can be added to block and point out potentially hostile JavaScript. Safe email handling (avoid all URLs in email) and browsing only at trusted sites will also help. The ZDNet article also notes that this could be a fairly complicated and lengthy fix.
0day vulnerabilities in Firefox, with source http://blogs.securiteam.com/index.php/archives/657
This quote describes why no browser can be considered completely safe:
QUOTE: Browsers are inherently insecure by design, not because of any one vendors particular implementation. Their objective is to retrieve arbitrary textual content from an untrusted network location, parse that text into a set of processing instructions and then render a visual representation of the document. Browsers are semi-compilers with a range of legacy deviations that all add up to enormously complex parsing environments, the perfect hunting ground for vulnerabilities caused by developer oversight. Adding Javascript on top of that only increases the complexity linearly instead of exponentially.
Hackers claim zero-day flaw in Firefox http://news.zdnet.com/2100-1009_22-6121608.html
QUOTE: The flaw is specific to Firefox's implementation of JavaScript, a 10-year-old scripting language widely used on the Web. In particular, various programming tricks can cause a stack overflow error, Spiegelmock said. The implementation is a "complete mess," he said. "It is impossible to patch." The JavaScript issue appears to be a real vulnerability, Window Snyder, Mozilla's security chief, said after watching a video of the presentation Saturday night. "What they are describing might be a variation on an old attack," she said. "We're going to do some investigating." Snyder said she isn't happy with the disclosure and release of an apparent exploit during the presentation. "It looks like they had enough information in their slide for an attacker to reproduce it," she said. "I think it is unfortunate because it puts users at risk, but that seems to be their goal." At the same time, the presentation probably gives Mozilla enough data to fix the apparent flaw, Snyder said. However, because the possible flaw appears to be in the part of the browser that deals with JavaScript, addressing it might be tougher than the average patch, she added. "If it is in the JavaScript virtual machine, it is not going to be a quick fix," Snyder said.