Exploit for Microsoft flaw in the wild
Exploit code targeting a security hole Microsoft warned of in last week's patch release is in the wild, the Bethesda, Md.-based SANS Internet Storm Center (ISC) said Friday.
"We've received reports that the color management module ICC profile buffer overflow vulnerability has exploit code available and is being used out in the wild," ISC said on its Web site. "[To] mitigate this vulnerability, apply the appropriate patch. It appears that this version of the exploit code will only crash the browser, but it wouldn't be difficult to put in code for execution."
The French Security Incident Response Team (FrSIRT) has also put out an advisory on the exploit code.
Microsoft issued a bulletin for the vulnerability during its July patch release. The software giant said the problem is in how the color management module validates International Color Consortium [ICC] profile format tags. "Attackers could exploit this by constructing a malicious image file that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious e-mail message," Microsoft said. "An attacker who successfully exploited this vulnerability could take complete control of an affected system."
The flaw affects Windows 2000 SP4, Windows XP SP1 and SP2; Windows XP Professional x64 Edition; Windows Server 2003; Windows Server 2003 SP1; Windows Server 2003 for itanium-based systems; Windows Server 2003 with SP1 for itanium-based systems; Windows Server 2003 x64 Edition; Windows 98; Windows 98 Second Edition [SE] and Millennium Edition [ME].
New security hole in IE
Microsoft already has its hands full trying to patch recently disclosed security holes. Now it appears there's more for the software giant to contend with.
Attackers may be able to exploit a vulnerability in Internet Explorer's image rendering capabilities to launch malicious code, according to CNET News.com, which attributes the discovery to security consultant and author Michal Zalewski. The problem is in how the browser software handles .JPG images. Zalewski told CNET that one of the flaws could be exploited for remote arbitrary code execution.
The researcher has reportedly posted four proof-of-concept images on the Web that could be used to exploit the flaws. Each could be used to crash Internet Explorer, even if users have XP SP2. Two of the exploit images also cause memory and CPU problems.
"Microsoft is investigating new public reports of possible vulnerabilities in Internet Explorer, but we have not been made aware of attacks," a Microsoft spokesperson told CNET News.com. "Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. Microsoft is concerned that this new report of possible vulnerabilities in Internet Explorer was not disclosed responsibly, potentially putting computer users at risk."
A new security hole for Firefox
Attackers could use a new flaw in Firefox to crash the browser, Silver Spring, Md.-based Security Tracker said in an advisory Thursday.
"A vulnerability was reported in Mozilla Firefox in the cross platform component object model (xpcom) implementation," the advisory said. "A remote user can create specially crafted HTML that, when loaded by the target user, will exploit a race condition in executing dom calls to delete objects in the page before they have been referenced. As a result, an access violation will occur and the target user's browser will crash."
Security Tracker credited James Bercegay of the GulfTech Security Research Team for discovering the flaw, and said an exploit demonstration is available on the GulfTech Web site.
"No solution was available at the time of this entry," Security Tracker said.
In an e-mail, Bercegay said Mozilla was notified of the glitch in April and they responded quickly.
"I am not sure I agree in not fixing this issue now, but those guys know a ton more about developing cross platform software than myself, so I trust their judgement for the most part," he said. "The xpcom library is used in many applications, so I can see why they want to be 100% sure before releasing an update that addresses what looks like an issue that is unlikely to be exploited in the wild."
More than 300 arrested for alleged e-mail scam
The arrest of 310 people in Malaga, Spain in connection with an alleged $363 million lottery scam shows that people have to be careful about the e-mail links and attachments they choose to open, Lynnfield, Mass.-based antivirus firm Sophos said.
According to media reports, the FBI worked with Spanish authorities in what is believed to be the biggest round-up of so-called 419 or "Nigerian e-mail" scammers. Sophos noted that officers raided 166 properties, seizing 2,000 cell phones, 327 computers, 165 fax machines, and 218,000 Euros ($263,000) in cash. The scam has reportedly victimized 20,000 people in 45 countries, including the United States, Britain, France, Germany, Australia and Japan.
"Anyone who has an e-mail account which isn't protected by antispam software will be all too familiar with e-mail scams which claim they have won fortunes, or offered rewards for anyone prepared to help move money from far-flung countries," Graham Cluley, Sophos' senior technology consultant, said in a statement. "The sad fact is that these scams are still managing to fool people, and organized criminal gangs are profiting from the naivety of Internet users. These arrests represent a significant victory for the computer crime authorities, but the battle is far from over."
Business rival sued for hacking into doctors' answering service
A Pawling, N.Y., man this week was charged with allegedly hacking into a competitors' network to disrupt doctors' answering services, preventing patients from reaching their physician during emergencies. Gerald Martin, 37, is also accused of making prank phone calls to employees at Statcomm Medical Communications Inc. of White Plains, N.Y., where Martin once worked. The Associated Press reports Martin left to form his new firm, Emergency Response Answering Service Inc. of Tarrytown, N.Y., but in November broke into Statcomm's computer systems so that when patients called their doctor they got either a busy signal or sexually-oriented groaning sounds. He's been charged with computer tampering and possession of a forged instrument. Possible penalties include up to seven years in prison if Martin's convicted.
Vendor criticized for vigilante-like antispam technique
Antispam advocates say a new initiative by California-based Blue Security Inc. is the wrong approach to fighting spam, amounting to denial of service attacks against Web sites associated with spam. "It's the worst kind of vigilante approach," John Levine, a member of the Coalition Against Unsolicited Commercial E-mail, told The Associated Press. Blue Frog, initially free, allows users to place themselves on a Do Not Spam list that also includes honeypots. When a site ignores the list and send spam to the honeypot, it triggers an avalanche of complaints send by everyone on the Do Not Spam list. This essentially creates enough traffic to overwhelm the Web site. In order to work, Blue Security CEO Eran Reshef said at least 100,000 users must join. He also denied any wrongdoing and said Blue Frog merely provides a way for users to collectively complain -- and be heard.