Security tool uncovers multiple bugs in every browser

January 4, 2011 – 6:59 AM

Browser security specialist Michal Zalewski believes that Chinese hackers have long been aware of a security vulnerability in Internet Explorer which has only recently come to public attention. It is believed that this vulnerability could be exploited to infect computers, though current efforts have succeeded only in provoking crashes. The chain of events through which Zalewski found out about the vulnerability, which may have been circulating among Chinese hackers, is interesting.

Zalewski, who works for Google’s security team, reports that he discovered the vulnerability a while ago using his cross_fuzz fuzzing tool and reported it to Microsoft in July 2010. Zalewski also used cross_fuzz to discover bugs in other browsers, which he also reported to the relevant organisations. To allow developers to access information on the bugs, Zalewski took the practical step of placing the tool and the crash dumps produced using it on his server and sending a link to the files to the browser developers.

According to Zalewski, however, one developer accidentally posted the link to a bug database, with the result that Google indexed the link and specific details of the BreakAASpecial and BreakCircularMemoryReferences functions contained in mshtml.dll; both of these contained errors. In late December, Zalewski’s server was visited by a Chinese surfer who came across the site as a result of Google searches on these two functions.

Source:
http://www.h-online.com/security/news/item/Security-tool-uncovers-multiple-bugs-in-every-browser-1162911.html

Tool:
http://lcamtuf.coredump.cx/cross_fuzz/

New URL Shortener Hijacks Browsers for DDoS

December 21, 2010 – 8:37 PM

In order to outline the dangers of implicitly trusting shortened URLs, a student has launched a service which generates links that take users to their destination, but also hijack their browsers for DDoS. Called d0z.me, the service is the creation of Ben Schmidt (@supernothing307), a computer science major at the University of Tulsa, who describes himself as a security enthusiast. The URL shortener was inspired by the recent distributed denial of service (DDoS) attacks launched by Anonymous and in particular the Web version of the group’s Low Orbit Ion Cannon (LOIC) tool. This recently created JavaScript-based LOIC allows people to voluntarily join a DDoS effort by visiting a Web page instead of installing an application on their computers. The tool works by modifying an image tag’s src attribute in order to force the browser to continuously send HTTP requests to the targeted server. Another motivation for his project, according to Schmidt, was the increasing number of obscure URL shorteners available to users.

Source:
http://news.softpedia.com/news/New-URL-Shortener-Hijacks-Browsers-for-DDoS-173982.shtml

Gawker Media Hacked, Warns Users to Change Passwords

December 13, 2010 – 6:56 AM

E-mail addresses and password details for 200,000 registered users of Gawker Media websites are now circulating on peer-to-peer networks after a weekend hack attack. The company warned users to change their passwords — including on other sites, if they use the same passwords elsewhere.

The websites affected include Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin and Fleshbot. Users are required to register, providing their e-mail address and a password, in order to leave comments on those websites.

A group named “Gnosis” claimed credit for the attack. The compromised information is now available in a 487 MB file, which can be downloaded from peer-to-peer networks using a torrent now indexed on The Pirate Bay. Other information in the file includes something called “gawker_redesign_beta.jpg” as well as Gawker’s server kernel versions.

In the torrent release notes, Gnosis said “So, here we are again with a monster release of ownage and data droppage. Previous attacks against the target were mocked, so we came along and raised the bar a little.”

The stored passwords were encrypted, although Gnosis said some of the passwords have already been cracked.

Source:
http://www.pcworld.com/article/213392/gawker_media_hacked_warns_users_to_change_passwords.html?tk=rss_news

Google Releases Chrome 8

December 4, 2010 – 8:34 AM

The Chrome team is happy to announce our latest Stable release, 8.0.552.215. In addition to the over 800 bug fixes and stability improvements, Chrome 8 now contains a built-in PDF viewer that is secured in Chrome’s sandbox.

Get it here:
http://www.google.com/chrome

Ransomware Attack Resurfaces to Hold Files Hostage

November 30, 2010 – 9:02 PM

Malware is all about money. Spyware stealthily captures keystrokes and sensitive data to compromise accounts. Phishing attacks lure users into unwittingly surrendering account credentials and other crucial information. Ransomware uses a much less subtle tactic of demanding the money directly in exchange for the safe return of your own data.

The ransomware attack uses a Trojan to encrypt your data, then notifies you that you must pay a ransom if you want the hostage data returned to you. A SecureList blog post explains, “this type of malware is very dangerous because the chances of getting your data back are very low. It is almost the same as permanent removal of the data from your hard drive.”

The latest ransomware attack seems to be a variant of the GpCode Trojan that has made seemingly annual reappearances to extort money for the past few years. A compromised system will show a Notepad pop-up, or change the desktop background to display a message that reads “Attention!!! All your personal files were encrypted with a strong algorithm RSA-1024 and you can’t get an access to them without making of what we need!” This grammatical nightmare is followed by more broken English instructions directing you to read a text file explaining that a ransom of $120 is required to get the decryption key.

Source:
http://www.pcworld.com/businesscenter/article/211874/ransomware_attack_resurfaces_to_hold_files_hostage.html