Vulnerability in MHTML Could Allow Information Disclosure

January 29, 2011 – 8:54 AM

Microsoft is investigating new public reports of a vulnerability in all supported editions of Microsoft Windows. The vulnerability could allow an attacker to cause a victim to run malicious scripts when visiting various Web sites, resulting in information disclosure. The impact is similar to that of server-side cross-site scripting (XSS) vulnerabilities. Microsoft is aware of published information and proof-of-concept code that attempts to exploit this vulnerability. At this time, Microsoft has not seen any indications of active exploitation of the vulnerability.

The vulnerability exists due to the way MHTML interprets MIME-formatted requests for content blocks within a document. Under certain conditions it allows an attacker to inject a client-side script into the response of a Web request made by the victim's Internet Explorer, so that the script runs in the security context of the affected site. The script could spoof content, disclose information, or take any action on the affected Web site that the targeted user could take.

Source:
http://www.microsoft.com/technet/security/advisory/2501696.mspx

Fix-It page (applies the advisory's MHTML lockdown workaround):
http://support.microsoft.com/kb/2501696

Facebook allows apps to access user’s address and mobile number

January 17, 2011 – 6:07 AM

In a move sure to have privacy advocates up in arms, Facebook will now allow apps to access a user’s current address and mobile phone number.

The new "feature" was quietly introduced in a blog post by Facebook platform developer relations employee Jeff Bowen late last Friday night. The Atlantic spotted the post, in which Mr Bowen outlined the new "user_address" and "user_mobile_phone" permissions that developers can now request.

"Please note that these permissions only provide access to a user's address and mobile phone number, not their friends' addresses or mobile phone numbers," he said.

According to Nicholas Jackson, associate editor at The Atlantic, the blog post was quickly inundated by users angry at another perceived invasion of privacy from a company already infamous for its lackadaisical attitude to user privacy. Curiously, Mr Bowen’s post was updated early Saturday afternoon and as of 1AM EST today no comments were visible, though it was possible to add a comment.

Sophos senior technology consultant Graham Cluley wasted no time in labelling the change a "new level of danger" for Facebook users.

Source:
http://www.neowin.net/news/facebook-allows-apps-to-access-users-address-and-mobile-number

Security tool uncovers multiple bugs in every browser

January 4, 2011 – 6:59 AM

Browser security specialist Michal Zalewski believes that Chinese hackers have long been aware of a security vulnerability in Internet Explorer that has only recently come to public attention. The vulnerability is believed to be exploitable to infect computers, though efforts so far have produced only crashes. The chain of events through which Zalewski learned that the vulnerability may have been circulating among Chinese hackers is itself interesting.

Zalewski, who works for Google’s security team, reports that he discovered the vulnerability a while ago using his cross_fuzz fuzzing tool and reported it to Microsoft in July 2010. Zalewski also used cross_fuzz to discover bugs in other browsers, which he also reported to the relevant organisations. To allow developers to access information on the bugs, Zalewski took the practical step of placing the tool and the crash dumps produced using it on his server and sending a link to the files to the browser developers.

According to Zalewski, however, one developer accidentally posted the link to a bug database, with the result that Google indexed the link along with specific details of the BreakAASpecial and BreakCircularMemoryReferences functions in mshtml.dll, both of which contained errors. In late December, Zalewski's server was visited by a user in China who reached the site through Google searches for these two function names.

Source:
http://www.h-online.com/security/news/item/Security-tool-uncovers-multiple-bugs-in-every-browser-1162911.html

Tool:
http://lcamtuf.coredump.cx/cross_fuzz/

New URL Shortener Hijacks Browsers for DDoS

December 21, 2010 – 8:37 PM

In order to outline the dangers of implicitly trusting shortened URLs, a student has launched a service which generates links that take users to their destination but also hijack their browsers for DDoS. Called d0z.me, the service is the creation of Ben Schmidt (@supernothing307), a computer science major at the University of Tulsa, who describes himself as a security enthusiast.

The URL shortener was inspired by the recent distributed denial of service (DDoS) attacks launched by Anonymous, and in particular by the Web version of the group's Low Orbit Ion Cannon (LOIC) tool. This recently created JavaScript-based LOIC allows people to voluntarily join a DDoS effort by visiting a Web page instead of installing an application on their computers. The tool works by repeatedly rewriting an image tag's src attribute, forcing the browser to send a continuous stream of HTTP requests to the targeted server. Another motivation for the project, according to Schmidt, was the increasing number of obscure URL shorteners available to users.
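From the receiving end, the img-src flood described above looks like one client fetching the same path over and over, usually with a changing query string so the browser cache does not absorb the requests. The following detector is an added example for this digest, not code from d0z.me, LOIC or the article; it parses constructed access-log lines (Combined Log Format, with an invented shortener hostname as the referer) and flags a client only when the request rate and the number of distinct query strings both exceed thresholds chosen for the example, so that a legitimate client polling one unchanging URL is not flagged.

```python
"""Detect a browser-driven img-src HTTP flood in web server access logs.

Added example: not part of the original article, d0z.me or LOIC.
The log lines, thresholds and the referer hostname are constructed
for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Combined Log Format as written by Apache/nginx defaults.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(rec["url"])
    rec["path"], rec["query"] = parts.path, parts.query
    return rec


def find_floods(lines, window=timedelta(seconds=10), threshold=20,
                min_distinct_queries=10):
    """Return {(ip, path): peak_hits} for clients that made at least
    `threshold` requests to one path inside any `window`, using at least
    `min_distinct_queries` different query strings (cache-busting is the
    signature that separates an img-src flood from ordinary polling)."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_client[(rec["ip"], rec["path"])].append((rec["ts"], rec["query"]))

    flagged = {}
    for key, hits in by_client.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):  # sliding window over sorted timestamps
            while hits[end][0] - hits[start][0] > window:
                start += 1
            count = end - start + 1
            distinct = len({q for _, q in hits[start:end + 1]})
            if count >= threshold and distinct >= min_distinct_queries:
                flagged[key] = max(flagged.get(key, 0), count)
    return flagged


def _line(ip, ts, url, referer, ua="Mozilla/5.0"):
    return (f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {url} HTTP/1.1" '
            f'200 512 "{referer}" "{ua}"')


def make_sample_log():
    """Constructed log: one flooding client, one harmless poller, one visitor."""
    base = datetime(2010, 12, 21, 20, 37, 0, tzinfo=timezone.utc)
    lines = []
    # Flooding browser: 30 hits on one image within 6 seconds, each with a new
    # query string; the referer is a hypothetical shortener page.
    for i in range(30):
        lines.append(_line("203.0.113.7", base + timedelta(milliseconds=200 * i),
                           f"/images/banner.png?id={1000 + 7 * i}",
                           "http://shortener.example/abc123"))
    # Dashboard poller: 25 hits in 10 seconds, but the URL never changes.
    for i in range(25):
        lines.append(_line("198.51.100.9", base + timedelta(milliseconds=400 * i),
                           "/status.png", "http://www.example.com/dashboard"))
    # Ordinary visitor loading a page and its assets once.
    for i, path in enumerate(["/", "/style.css", "/images/banner.png"]):
        lines.append(_line("198.51.100.4", base + timedelta(seconds=i), path, "-"))
    return lines


SAMPLE_LOG = make_sample_log()

if __name__ == "__main__":
    for (ip, path), hits in find_floods(SAMPLE_LOG).items():
        print(f"flood suspect {ip} -> {path}: {hits} hits in window")
```

Only the client with both a high rate and many distinct query strings is reported; the poller that fetches one fixed URL just as often is left alone. In production the referer of flagged requests (here the shortener page) is the quickest way to identify the page that is driving victims' browsers.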

Source:
http://news.softpedia.com/news/New-URL-Shortener-Hijacks-Browsers-for-DDoS-173982.shtml

Gawker Media Hacked, Warns Users to Change Passwords

December 13, 2010 – 6:56 AM

E-mail addresses and password details for 200,000 registered users of Gawker Media websites are now circulating on peer-to-peer networks after a weekend hack attack. The company warned users to change their passwords — including on other sites, if they use the same passwords elsewhere.

The websites affected include Lifehacker, Gizmodo, Gawker, Jezebel, io9, Jalopnik, Kotaku, Deadspin and Fleshbot. Users are required to register, providing their e-mail address and a password, in order to leave comments on those websites.

A group named “Gnosis” claimed credit for the attack. The compromised information is now available in a 487 MB file, which can be downloaded from peer-to-peer networks using a torrent now indexed on The Pirate Bay. Other information in the file includes something called “gawker_redesign_beta.jpg” as well as Gawker’s server kernel versions.

In the torrent release notes, Gnosis said “So, here we are again with a monster release of ownage and data droppage. Previous attacks against the target were mocked, so we came along and raised the bar a little.”

The stored passwords were encrypted, although Gnosis said some of them had already been cracked. With the file in hand, an attacker can guess at the stored passwords offline at leisure, so any weak password, and any password reused on another site, should be treated as compromised regardless of how it was stored.

Source:
http://www.pcworld.com/article/213392/gawker_media_hacked_warns_users_to_change_passwords.html?tk=rss_news