Mozilla addresses fresh flaws
Mozilla has addressed a vulnerability in Mozilla and Firefox that attackers could exploit to trick users into downloading malicious files.
The problem, discovered by a researcher with Danish security firm Secunia, is that the browser uses the URL to determine the file type association in the "save link as" download dialog, but uses the filename from the "content-disposition" HTTP header when saving the downloaded file.
An attacker could exploit the flaw using a malicious Web site to spoof file types in the "save link as" download dialog. This could lead to malware being saved to the download directory. Secunia noted that exploitation requires that the option "hide extension for known file types" is enabled in Windows, however.
The firm confirmed the vulnerability in Mozilla 1.7.3 and Firefox 1.0 for Windows and said other versions may also be affected. Mozilla has issued updated versions to fix the problem.
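An added example, not code from Secunia or Mozilla, of the mismatch described above: a Python check that a download gateway or test harness could run, comparing the extension in the URL (which the dialog used for the file type) with the extension of the "content-disposition" filename (which was used for the saved file). The function names and the sample URLs and headers are assumptions made for illustration.

```python
import posixpath
from email.message import Message
from urllib.parse import urlsplit, unquote

# Constructed samples: (URL, Content-Disposition header value or None).
SAMPLES = [
    ("http://downloads.example.test/photos/holiday.jpg",
     'attachment; filename="holiday.exe"'),
    ("http://downloads.example.test/docs/report.pdf?id=3",
     'attachment; filename="report.pdf"'),
    ("http://downloads.example.test/photos/beach.jpg", None),
]


def url_extension(url):
    """Extension of the last URL path segment (what the dialog keyed on)."""
    path = unquote(urlsplit(url).path)
    return posixpath.splitext(posixpath.basename(path))[1].lower()


def header_filename(content_disposition):
    """Filename parameter of a Content-Disposition value, or None if absent."""
    msg = Message()
    msg["Content-Disposition"] = content_disposition
    name = msg.get_filename()
    if not name:
        return None
    # Keep only the final component; a server must not pick the directory.
    return name.replace("\\", "/").rsplit("/", 1)[-1]


def download_mismatch(url, content_disposition):
    """Return (shown_ext, saved_ext) when the two sources disagree, else None."""
    name = header_filename(content_disposition) if content_disposition else None
    if name is None:
        return None  # no header filename, so the URL alone names the file
    saved_ext = posixpath.splitext(name)[1].lower()
    shown_ext = url_extension(url)
    return (shown_ext, saved_ext) if shown_ext != saved_ext else None


if __name__ == "__main__":
    for url, header in SAMPLES:
        print(url, "->", download_mismatch(url, header))
```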
PHPNews flaw addressed
Secunia this week also noted that a vulnerability in PHPNews 1.2.4 has been fixed in version 1.2.5.
Researcher Filip Groszynski reported the flaw, in which input passed to the "path" parameter in "auth.php" isn't properly verified before it's used to include files. Attackers can exploit this to include arbitrary files from external and local resources. Successful exploitation does require that "register_globals" is enabled, Secunia said.
PHPNews is a free PHP-based news content manager that uses a MySQL backend database.
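An added detection sketch, not PHPNews or Secunia code, for sites still running 1.2.4: it scans web access-log lines for requests to "auth.php" whose "path" parameter points at an external resource or outside the application directory. The log lines, addresses and host names are constructed samples, and the function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines; addresses, hosts and dates are sample values.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2000:10:01:02 +0000] "GET /phpnews/index.php HTTP/1.1" 200 5120',
    '192.0.2.44 - - [01/Jan/2000:10:03:17 +0000] "GET /phpnews/auth.php?path=http://files.example.net/ HTTP/1.0" 200 312',
    '192.0.2.44 - - [01/Jan/2000:10:03:40 +0000] "GET /phpnews/auth.php?path=..%2F..%2F HTTP/1.0" 200 97',
    '192.0.2.10 - - [01/Jan/2000:10:05:00 +0000] "POST /phpnews/auth.php HTTP/1.1" 302 0',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+"')
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def classify(value):
    """Label a 'path' value as 'remote', 'local', or None if unremarkable."""
    if SCHEME_RE.match(value):
        return "remote"          # include target on an external resource
    parts = value.replace("\\", "/").split("/")
    if value.startswith(("/", "\\")) or ".." in parts:
        return "local"           # absolute path or directory traversal
    return None


def suspicious_requests(lines, script="auth.php", param="path"):
    """Return (client, kind, value) for each flagged request in the log."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = urlsplit(match.group(1))
        if not target.path.endswith("/" + script):
            continue
        # parse_qsl percent-decodes, so encoded traversal is seen decoded.
        for key, value in parse_qsl(target.query, keep_blank_values=True):
            kind = classify(value) if key == param else None
            if kind:
                hits.append((line.split()[0], kind, value))
    return hits


if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

With "register_globals" enabled the variable can also arrive in a POST body or a cookie, which a standard access log does not record, so a clean result here does not rule out an attempt.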
Symantec gets patent for AV technology
Cupertino, Calif., antivirus giant Symantec has been granted a new patent for antivirus technology by the United States Patent and Trademark Office.
In a statement, Symantec said it was granted U.S. patent number 6,851,057 for a system "that enables the detection of complex viruses, worms, and spyware." The technology, "data driven detection of viruses," is used throughout Symantec's product line.
"The invention represents a fundamental component of modern threat detection software, and is applicable to all operating systems and classes of malicious code," the statement said. "By establishing a mechanism that enables researchers to write simple detection scripts to allow for complex scanning and emulation of executable files, complex threats such as self-mutating viruses, worms, and spyware can be detected. Furthermore, researchers are able to aim an antivirus scanner at specific regions of each file for inspection, rather than having to scan larger regions of files and slowing down the operation of a computer."
The company said the technology was developed and patented by Carey Nachenberg, chief architect with Symantec Research Labs. This is Nachenberg's 16th information security-related patent award in the last eight years.
"Over the years, viruses, worms and spyware have evolved considerably, making detection by traditional antivirus software increasingly difficult and time-consuming," Nachenberg said in the statement. "This invention fundamentally reduces the complexity of detecting malicious software and shortens the response time needed to address new threats without the need for new product updates or patches."
Financial services ISAC partners with security vendor to enhance its alert system
The Financial Services Information Sharing and Analysis Center (FS-ISAC) this week announced a unique partnership with Reston, Va.-based iDEFENSE, which will provide ISAC members with cyberintelligence reports quickly. iDEFENSE issued a news release that called the arrangement "the first time the industry group has leveraged proprietary threat data to protect the sector." The FS-ISAC has been held up as among the best of the public-private partnerships to develop over the past several years to combat cyberterrorism. However, during last month's RSA conference, former 9-11 Commission member Jamie Gorelick criticized the government for not investing enough in its partnership with the private sector. "The government needs to decide if it is going to rely on the ISACs," she said. "If it is not, it should put them out of their misery."
Nation's first spam conviction overturned
A Virginia judge this week overturned the conviction of Jessica DeGroot, 28, of North Carolina after deciding a jury had no "rational basis" to find her guilty of conspiring with her brother, Jeremy Jaynes, 30, to send spam to thousands of America Online customers in 2003. DeGroot and her brother were believed to be the first to be convicted of violating Virginia's antispam law, among the earliest pieces of legislation to address penalties for those who send unsolicited junk e-mail. Loudoun County Circuit Court Judge Thomas D. Horne said he believed the jury got "lost" trying to understand all the technical terms associated with the case. Instead, Horne believed DeGroot's attorneys' claim that the credit card issued in DeGroot's maiden name, Jessica Jaynes, used to purchase Internet domain names could not be linked to her. Her brother, however, will serve his nine-year sentence for the same crime.