
Vulnerabilities & attacks

Web site-based crimeware hits all-time high

The use of malware on Web sites to steal passwords and other sensitive information is skyrocketing, according to a new report from the Anti-Phishing Working Group.

The number of URLs with hidden code for stealing passwords nearly tripled between July 2007 and July 2008, to a record high of 9,529, while the number of malicious-application variants hit a high of 442 this May, the APWG reports in its quarterly report (PDF) issued this week.

The increase is primarily due to malicious code being used in SQL injection attacks, in which a small malicious script is inserted into a database … Read more

Zero-day exploit hits Internet Explorer

One flaw not addressed in yesterday's Patch Tuesday is a heap overflow within the XML parser reported on Wednesday by Bojan Zdrnja of the SANS Internet Storm Center.

The exploit in the wild on Wednesday creates an XML tag, then waits 6 seconds in an attempt to thwart antivirus engines. The exploit could then crash the browser and run malicious code when the browser is restarted. The user must be running Windows XP or Windows Server 2003, and using Internet Explorer 7.

Zdrnja writes that "at this point in time, it does not appear to be wildly used, … Read more

Study: Cybercriminals cashing in on economic slide

Amid the global downturn in the economy, cybercriminals appear to be winning in the war against law enforcement. That's the sobering conclusion drawn by a panel of experts in a report from McAfee released Tuesday.

"We saw the cybercriminals take advantage of economic messaging very, very quickly," said Dave Marcus, director of security research and communications for McAfee Avert Labs. He said cybercriminals are cashing in on consumer anxiety, particularly around the holidays, and noted that as more and more people go online looking for better deals, criminals are preying on their inexperience in order to lure … Read more

Microsoft fixes 28 flaws; 6 are critical

Microsoft on Tuesday released its December 2008 security bulletin. The "critical" bulletins affect Windows GDI, Word, Excel, Internet Explorer and Windows Search. The "important" updates affect SharePoint and Windows Media Components.

Microsoft is including within each bulletin an "exploitability index" to help system administrators prioritize the patches. All Microsoft security patches for both Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS08-070: Critical

Exploitability index: 1-2. Microsoft recommends that customers apply the update immediately. Titled "Vulnerabilities in Visual Basic 6.0 Runtime Extended Files (ActiveX … Read more

Site educates on holiday-themed online threats

Did your brother-in-law really send you a singing holiday card? Did a long-lost friend from college really include you on this year's list?

One inexpensive way to send holiday cheer may be to send e-cards, but security vendor AVG warned on Tuesday that online criminals are taking advantage of the fact most people don't know the difference between a legitimate e-card and one hosting malware.

Last week security vendors warned of a Trojan horse masquerading as holiday-themed e-cards from McDonald's, Coca-Cola, and Hallmark.

To better educate the public, AVG has launched a site, "Slam the Holiday Scam," … Read more

No antiphishing feature in final Firefox 2.0 version

Updated 4:30 p.m. PST with Google comment.

There will be no antiphishing feature in the final version of Firefox 2.0 when it is released later this month, according to Computerworld.

Google asked Mozilla to disable the feature in Firefox 2.0.0.19 that warns users of sites suspected of hosting identity fraud scams because the older browsers rely on an outdated SafeBrowsing protocol that Google is not supporting anymore, Mike Beltzner, director of Firefox, told Computerworld.

Firefox 2.0.0.19 is scheduled to ship December 16 and will be the final security update for the … Read more

Koobface virus hits Facebook

A worm responsible for sending Facebook users malicious code appears to be limited in nature, although the social engineering attack may be used again, say experts.

Facebook representative Barry Schnitt said the worm isn't new; it dates back to August, although the variant that first appeared on Wednesday targets only Facebook users.

Craig Schmugar, threat researcher for McAfee Avert Labs, confirmed this in a call with CNET News and said that, in general, Koobface strikes only social-networking sites.

After receiving a message in their Facebook in-box announcing, "You look funny in this new video" or something similar, … Read more

Patch Tuesday will have eight bulletins

The final Patch Tuesday for 2008 will be big, with six critical bulletins and two important bulletins due, according to Microsoft.

On Thursday, the company announced eight security bulletins set to go public December 9. The pre-announcement is intended as a heads-up for IT departments before Patch Tuesday. Six bulletins are considered "critical," the most serious ranking given by the software giant. Two are considered "important," the next level down.

Among the critical patches, two affect Windows, and there is one each that addresses issues in Word, Excel, Visual Basic, and Internet Explorer. All flaws could … Read more

CheckFree customers redirected to Ukraine site

Customers of CheckFree.com, an online bill paying site, were quietly redirected to servers in Ukraine early Tuesday morning, according to several reports.

Representatives of CheckFree told WashingtonPost.com that customers were redirected to a blank log-in page that attempted to install malware on the visiting PC. The company said it regained control at 5 a.m. EST Tuesday, so only customers using the site overnight were likely affected.

Mike Haro, senior security analyst at Sophos, told CNET News, "The fact that they used a blank page to download a Trojan (not exactly subtle) says to me one of … Read more

Worm uses familiar brands to lure people

On Tuesday, security vendor Websense issued an alert warning that holiday coupon e-mails from familiar companies may be malicious code in disguise, in this case a mass-mailing e-mail worm.

The warning cites one spoofed McDonald's e-mail that claims to present their latest discount menu, and asks the recipient to print out the attached coupon. A similar mailing pretending to be from Coca-Cola asks recipients to print out details about their new online game, and also offers recipients a chance to win Coca-Cola drinks for life. Websense says the attached zip file contains files named either coupon.exe or promotion.… Read more