Security Bytes: Mozilla flaw allows SSL cert abuse, while Trojan poses as Terminator

Firefox vulnerability rated "moderately critical" while NIST discourages DES and Nokia decides to address "bluesnarfing."

Vulnerability in Mozilla Firefox
A "moderately critical" vulnerability in Mozilla and Mozilla Firefox could allow malicious sites to abuse SSL certificates of other sites, according to Secunia. The Copenhagen, Denmark-based IT security firm said in its advisory that "It is possible to make the browser load a valid certificate from a trusted Web site by using a specially crafted 'onunload' event. The problem is that Mozilla loads the certificate from a trusted Web site and shows the 'secure padlock' while actually displaying the content of the malicious Web site." The vulnerability has been confirmed using Mozilla Firefox 0.9.2 and Mozilla 1.7.1 on Windows and Mozilla Firefox 0.9.1 on Linux. Other versions may also be affected. Secunia recommends users steer clear of untrusted Web sites and "verify the correct URL in the address bar with the one in the SSL certificate."
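The advisory's point is that the padlock was being driven by the certificate of the last connection rather than by the document actually on screen. The following is an added illustration, not code from Mozilla or Secunia, of the binding a browser (or a user following Secunia's advice) has to establish: the host in the displayed URL must be one of the names the certificate asserts. The certificates are constructed plain objects, not real X.509 data, and the hosts (www.bank.example, attacker.example, *.shop.example) are hypothetical.

```javascript
// Added example: tie the "secure padlock" to the displayed document's host.
// Certificates below are constructed objects, not parsed X.509 certificates.

// Does one certificate name (possibly with a single leftmost wildcard such as
// "*.example.com") match the hostname?  Matching follows the rules browsers
// apply: case-insensitive, trailing dots ignored, a wildcard covers exactly one
// label, and a wildcard never stands in for a whole registrable domain ("*.com").
function nameMatchesHost(pattern, host) {
  const p = pattern.toLowerCase().replace(/\.$/, '');
  const h = host.toLowerCase().replace(/\.$/, '');
  if (!p.startsWith('*.')) return p === h;
  const pLabels = p.split('.');
  const hLabels = h.split('.');
  // need at least "*.label.tld", and the same number of labels on both sides
  if (pLabels.length < 3 || pLabels.length !== hLabels.length) return false;
  // only the first label is wildcarded; the rest must match exactly
  return pLabels.slice(1).join('.') === hLabels.slice(1).join('.');
}

// The DNS names a certificate asserts: subjectAltName DNS entries when present,
// otherwise the subject CN (the legacy fallback).
function certDnsNames(cert) {
  const sans = (cert.subjectAltNames || [])
    .filter((n) => n.type === 'DNS')
    .map((n) => n.value);
  if (sans.length > 0) return sans;
  return cert.subjectCN ? [cert.subjectCN] : [];
}

// The padlock is justified only when the document on screen was fetched over
// HTTPS and its host is named by the certificate the connection presented.
function padlockJustified(displayedUrl, cert) {
  const url = new URL(displayedUrl);
  if (url.protocol !== 'https:') return false;
  return certDnsNames(cert).some((name) => nameMatchesHost(name, url.hostname));
}

// Constructed test certificates (hypothetical hosts).
const TRUSTED_BANK_CERT = {
  subjectCN: 'www.bank.example',
  subjectAltNames: [
    { type: 'DNS', value: 'www.bank.example' },
    { type: 'DNS', value: 'bank.example' },
  ],
};
const WILDCARD_CERT = {
  subjectCN: '*.shop.example',
  subjectAltNames: [{ type: 'DNS', value: '*.shop.example' }],
};
const LEGACY_CN_ONLY_CERT = { subjectCN: 'mail.example' };

// The advisory's situation, modelled: the certificate came from a connection to
// the trusted site, but the document being rendered came from the attacker.
// A padlock decision that looks only at whether a valid certificate was loaded
// turns the lock on; one that also binds the displayed host does not.
function scenario() {
  const certFromLastLoad = TRUSTED_BANK_CERT;
  const displayedDocument = 'https://attacker.example/login.html';
  return {
    certificateOnly: certDnsNames(certFromLastLoad).length > 0,
    boundToDisplayedHost: padlockJustified(displayedDocument, certFromLastLoad),
  };
}
```

Run with node; `scenario()` returns `certificateOnly: true` and `boundToDisplayedHost: false`, which is exactly the gap the advisory describes. The same comparison, done by eye, is what Secunia's "verify the correct URL in the address bar with the one in the SSL certificate" asks of users.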

Trojan hides in Terminator 'suicide' message
Last week it was a file claiming to include pictures of a dead Osama Bin Laden. Now, malware writers are trying to infect computers with a Trojan horse-laced file posing as a suicide note from actor-turned-California Gov. Arnold Schwarzenegger. Lynnfield, Mass.-based antivirus firm Sophos said the latest message claims Schwarzenegger committed suicide at his home. It reads: "Early this morning Arnold Schwarzenegger was found hanging by his neck from the large oak tree in his Californian garden. In a suicide note found at the scene he tells of his sordid sex life and lack of will to live. A copy of the suicide note which was found by journalists has been included here (url removed)." Graham Cluley, senior technology consultant for Sophos, said, "Anyone downloading and running the file on their computer will be opening it up for access by hackers. They are exploiting people's interest in celebrity news to break in, and possibly steal financial information or launch spam or denial-of-service attacks against other users of the Internet. Everyone should exercise extreme caution about what they run on their computer, and keep their antivirus and firewall defenses up-to-date." Schwarzenegger is the latest in a long line of celebrities to be used as bait by malware authors and hackers. The promise of glimpses of pin-ups like Anna Kournikova, Jennifer Lopez, and Britney Spears has been used to help viruses spread.

Nokia releases 'bluesnarf' fix
Nokia says it will soon release an update to help prevent attackers from stealing data from Bluetooth-enabled cell phones, a practice known as "bluesnarfing." The Finland-based handset maker did not disclose a specific date for the release but told CNet.com it would be at the end of the summer. Sony Ericsson, whose phones also were vulnerable to such attacks, has already issued an update. Bluesnarfing allows an intruder to read and change data in the phone's address book and calendar without leaving any evidence of a breach.

NIST wants to retire DES
The National Institute of Standards and Technology wants the federal government to stop using the 56-bit DES algorithm to encrypt data. DES was first approved as a Federal Information Processing Standard 25 years ago, and NIST now says the algorithm is obsolete, according to Government Computer News. "DES is now vulnerable to key exhaustion using massive, parallel computations," NIST said; a 56-bit key allows only 2^56 (about 7.2 x 10^16) possible keys, a space small enough to be searched exhaustively with purpose-built or widely distributed hardware. By contrast, AES, the latest algorithm to win FIPS approval, uses 128-, 192- or 256-bit keys.
