News Blog

Grisoft, maker of AVG antivirus and Internet security software, on Wednesday announced the acquisition of Exploit Prevention Labs, maker of the LinkScanner family of safe Web-browsing applications.

Unlike other safe-surfing applications, which tend to rely on databases, LinkScanner uses technology that determines, as the page is downloaded onto your browser, whether it is tainted with malicious software.

In CNET Reviews testing, LinkScanner has detected recent changes on Web pages where other safe surfing applications, such as McAfee SiteAdvisor, has not. One limitation of LinkScanner is its inability to determine whether a page is fraudulent; LinkScanner determines only whether the page has malicious content.

Grisoft plans to host Exploit Prevention Labs' products on its site. According to Grisoft, Exploit Prevention Labs' 18 employees will join Grisoft. Roger Thompson will become chief research officer, Greg Mosher will become vice president of engineering, and Chris Weltzien will become vice president of business development.

Security researchers on Tuesday found PHP exploit code embedded in a GIF on a major image hosting site. The exploit code slipped through the proverbial gates with the aid of a legitimate image at the beginning of the file, according to a posting on the Sans Internet Storm Center.

"It is a clever way to pass exploit code to others without it setting off alarms or attracting attention all while bypassing network security tools," the Sans security blog noted.

Malicious attackers planted PHP coded exploit script within an image file. PHP is often used as a programming language to create dynamic Web sites.

Once this type of malicious GIF is uploaded to a server, it can create havoc by remotely allowing more exploits to be deployed on the system, said Johannes Ullrich, chief research officer for the Sans Institute.

When users download the image to view it, the server parses the PHP code and the exploit is executed, as it serves the image to the user.

Over the past six months, this type of technique has been cropping up with greater frequency--from small family Web sites to, more recently, a major image hosting site, Ullrich said.

As the automated Mpack attack continues to turn thousands of legitimate Web sites into compromised sites offering drive-by downloads of malicious software, security researcher Roger Thompson over at Exploit Prevention Labs reminds us there are other exploits compromising legitimate sites, and some are as easy to find as entering a simple search string on Google. For more than a week (starting before the current Mpack attack), Thompson has been posting a list of dangerous search strings on his blog site. I've collected these and indicated in parentheses some of the known exploits associated.

• atlas mountains country (WebAttacker 2 or MPack)
  
• rotweiller rescue
  
• North Padre Island (WebAttacker 2 or Mpack)
  
• arches national park (WebAttacker 2 or MPack)
  
• canyonlands national park
  
• mass lottery
  
• air disasters in Florida (WebAttacker 2)
  
• cd key windows xp profesional
  
• batmobile for sale
  
• victoria's secret (fake codec)
  
• pokemon ruby gamesharks
  
• blue book (mdac exploit)
  
• IBM stock
  
• pallet fire
  
• Nigerian economic and financial crimes
  
• who's a rat

Exploit Prevention Labs makes LinkScanner, a browser plug-in that will identify and block known exploits on tainted sites before you download the page. There are other safe surfing tools available as well; some are free.

At least two sets of exploit code have been posted on the Internet for the security flaws in Yahoo Messenger 8 first disclosed on Wednesday by the security vendor eEye on Tuesday. The two exploits were posted on the Full Disclosure mailing list on Wednesday. One set of code shows how to cause buffer overflow in the Webcam ActiveX component. Another causes a buffer overflow in the viewer ywcvwr.dll. Both exploits were written by Danny.

This morning Yahoo released a patch for Yahoo Messenger, however, update is voluntary. Users will be prompted each time the application loads until the update is installed. Given these public exploits all Yahoo Messenger users should update to the latest release as soon as possible.