There is a critical JavaScript vulnerability in the Firefox 3.5 Web browser, Mozilla has warned.
The zero-day flaw lies in Firefox 3.5's Just-in-time (JIT) JavaScript compiler. Proof-of-concept code to exploit the vulnerability has been posted online by a security research group, Mozilla said in a post on its security blog on Wednesday. Security company Secunia rated the vulnerability as "highly critical" on Wednesday.
The hole could allow a hacker to launch a "drive-by" attack, according to Mozilla. That means an attacker may be able to execute malicious code on a target machine, if the victim visits a Web site containing an exploit.
No patch is currently available, but Mozilla developers are working on a fix. A workaround suggested in the blog post is to disable the Firefox 3.5 JIT compiler. However, Mozilla warned this would result in decreased JavaScript performance in Firefox.
The JIT compiler is part of TraceMonkey, which was added to Firefox for its 3.5 update released at the end of June. TraceMonkey is meant to optimise the browser, which is faster than previous iterations of Firefox, according to Mozilla.
On Wednesday, the United States Computer Emergency Response Team said users and administrators should completely disable JavaScript functionality in Firefox 3.5.
The Sans Institute also said people could disable JavaScript, and suggested using NoScript, an open-source Firefox plug-in that only allows script to be executed by trusted Web sites.
Tom Espiner of ZDNet UK reported from London.
Microsoft has failed to remove a long-recognized Windows Explorer security risk from Windows 7, according to security company F-Secure.
The "hide extensions" feature, which was present in Windows NT, 2000, XP, and Vista, is also included in the Windows 7 release candidate, Mikko Hypponen, F-Secure's chief research officer, said Tuesday in a blog. The feature could allow virus writers to trick users into opening and running malicious files, he added.
"In Windows NT, 2000, XP and Vista, Explorer used to hide extensions for known file types," Hypponen said. "And virus writers used this 'feature' to make people mistake executables for stuff such as document files."
For example, malicious code writers could name a "virus.exe" file as "virus.txt.exe" or "virus.jpg.exe," he said. Windows Explorer would then hide the .exe part of the filename, meaning that the user would only see "virus.txt" or "virus.jpg." Additionally, virus writers could change the icon displayed with the file in Windows Explorer so it looks like the icon of a text file or an image. Users might then click on the disguised file.
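The check below is an added example, not code from F-Secure's post or from the original article: it models the name Explorer displays when extensions of known file types are hidden, and flags files whose displayed name ends in a document extension while the real extension is executable. The extension lists and the sample paths are assumptions constructed for illustration.

```python
import ntpath

# Assumed extension lists for this example; extend them for your environment.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif"}
DOCUMENT_EXTS = {".txt", ".jpg", ".jpeg", ".png", ".gif", ".doc", ".pdf"}
KNOWN_EXTS = EXECUTABLE_EXTS | DOCUMENT_EXTS


def displayed_name(path):
    """Return the name shown when extensions of known file types are hidden."""
    name = ntpath.basename(path)
    stem, ext = ntpath.splitext(name)
    return stem if ext.lower() in KNOWN_EXTS and stem else name


def is_disguised(path):
    """True if the file is executable but its displayed name ends in a document extension."""
    name = ntpath.basename(path)
    _, real_ext = ntpath.splitext(name)
    if real_ext.lower() not in EXECUTABLE_EXTS:
        return False
    _, shown_ext = ntpath.splitext(displayed_name(name))
    return shown_ext.lower() in DOCUMENT_EXTS


def find_disguised(paths):
    """Return (path, displayed name, real extension) for each disguised file."""
    hits = []
    for p in paths:
        if is_disguised(p):
            real_ext = ntpath.splitext(p)[1].lower()
            hits.append((p, displayed_name(p), real_ext))
    return hits


# Constructed sample listing (not real data).
SAMPLE_PATHS = [
    r"C:\Users\alice\Downloads\virus.txt.exe",
    r"C:\Users\alice\Downloads\virus.jpg.exe",
    r"C:\Users\alice\Downloads\setup.exe",
    r"C:\Users\alice\Documents\notes.txt",
    r"C:\Users\alice\Downloads\HOLIDAY.JPG.SCR",
    r"C:\Users\alice\Downloads\report.v2.exe",
]

if __name__ == "__main__":
    for path, shown, ext in find_disguised(SAMPLE_PATHS):
        print(f"{path}: shown as {shown!r}, real type {ext}")
```

The same comparison can be run over a directory listing or over attachment names at a mail gateway; a file such as report.v2.exe is not flagged because its displayed name does not end in a document extension.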
The blog post appeared on the same day that Microsoft had been scheduled to make the Windows 7 RC1 available for download to the public, although the OS release did in fact arrive early. Microsoft made its Windows 7 release candidate available to MSDN and TechNet subscribers Thursday. Microsoft hasn't yet given a release date for the final product.
Microsoft had not responded to a request for comment at the time of writing.
Tom Espiner of ZDNet UK reported from London.
Update at 8:45 a.m. PST: Information from security firm Symantec added.
Attackers are making the rounds and exploiting a critical security flaw in Adobe Reader 9 and Acrobat 9.
Earlier versions of the PDF-related software are also affected by the critical security flaw, which could cause the applications to crash and potentially let an attacker gain control of a person's computer, Adobe Systems warned Thursday.
Reports also surfaced that attackers have developed an exploit and are taking advantage of the flaw, the company said.
Adobe has yet to develop an update to address the vulnerability but noted it expects to have one ready for Adobe Reader 9 and Acrobat 9 by March 11. After that, the company expects to launch updates for the earlier versions of the software going back to Adobe Reader 7 and Acrobat 7.
Until then, Adobe advises, people should update their virus definitions and exercise caution when opening documents from unknown sources.
Security company McAfee noted in a blog that the current attacks appear to be targeted ones but that it expects new variants of the exploit to make the rounds as more information becomes public.
In its posting, McAfee said that malicious PDF documents began to surface at the start of the year, exploiting a vulnerability in Adobe Reader versions 8 and 9. The attackers can then take advantage of a bug in Reader to overwrite memory and gain control of executing code. After that, attackers can install a Trojan horse and from there add a proverbial backdoor to a person's computer to remotely control and monitor the infected system.
Symantec, meanwhile, reports seeing the exploit used against only a few government agencies and large corporations, and within those organizations, only a few people are targeted, said Kevin Haley, a Symantec Security Response director.
"We've seen it used in only a few small places, so it tells us it's a targeted attack and someone is not trying to use it in a widespread way," Haley said, noting fewer than 100 people have been affected since it noticed the attacks on February 12.
But he added it seems likely other attackers may try to exploit the Adobe vulnerabilities and that the range of exploits may grow beyond the malware that Symantec calls Trojan.Pidief.E.
In its blog on Trojan.Pidief.E, Symantec advises users to consider disabling JavaScript in Adobe Reader and has provided instructions in a blog on a different issue.
Apple has issued a critical security update for QuickTime media player, aimed at resolving vulnerabilities that could potentially allow a malicious attacker to take control of a person's computer, according to an Apple advisory released this week.
People running QuickTime 7 for Windows and for Mac OS X are affected, as well as those who are using Mac OS X 10.4 or Mac OS X 10.5, according to Apple.
Apple is advising people to update to QuickTime 7.6 for Windows, QuickTime 7.6 for Leopard, or QuickTime 7.6 for Tiger.
The update seeks to address QuickTime security flaws that could potentially allow a malicious attacker to launch a buffer overflow and execute arbitrary code on a user's system.
The attack could potentially occur via a maliciously crafted movie file, AVI movie file, QTVR movie file, or an RTSP URL, according to Apple.
Security researcher Secunia, in an advisory released Thursday, noted the vulnerabilities are considered "highly critical."
Security experts from U.S. government agencies, multinational companies, and academia have released a list of what they consider to be the 25 most critical errors made while coding software.
Participants from more than 30 organizations worked together to agree on the 25 "most dangerous" errors, the SANS Institute said in a statement on Monday. They included experts from the U.S. National Security Agency, the U.S. Computer Emergency Response Team (US-Cert), Mitre, and the Sans Institute, as well as from Microsoft, Apple, and Oracle.
The list was released so programmers can check their code for the most common errors that produce security vulnerabilities.
"(The list) is going to change the way organizations buy software, right away," Alan Paller, director of the Sans Institute, told ZDNet UK.
The top two coding errors were improper input validation and improper encoding or escaping of output, according to Steven Christey of Mitre, who said those particular errors "earned the top rating for good reason."
"In 2008, hundreds of thousands of innocent, and generally trusted, Web pages were modified to serve malware by automated programs that burrowed into databases using SQL injection," Christey said in a statement. "The attack worked because countless programmers made the exact same (input validation and improper output encoding) mistakes in their software."
The full list of coding errors, and information on how to fix them, is available from the Sans Institute Web site.
Tom Espiner of ZDNet UK reported from London.
Mozilla has released updates to its popular Firefox browser, its Thunderbird e-mail client, and its SeaMonkey application suite, aiming to address highly critical security flaws that could expose users' sensitive information.
Users are advised to update to version 3.0.5 of Firefox, which was released Tuesday. They are also advised to update to version 2.0.0.19 of Thunderbird and version 1.1.14 of SeaMonkey.
The vulnerabilities were found in earlier versions of Firefox 3, as well as in versions of Firefox 2.
According to a research note released Wednesday by security researcher Secunia:
Some vulnerabilities have been reported in Mozilla Firefox, which can be exploited by malicious people to bypass certain security restrictions, disclose sensitive information, conduct cross-site scripting attacks, or potentially compromise a user's system.
- Errors in the layout and JavaScript engines can be exploited to corrupt memory and potentially execute arbitrary code.
- An error when processing the "persist" XUL attribute can be exploited to bypass cookie settings and uniquely identify a user in subsequent browsing sessions.
- Multiple errors can be exploited to bypass the same-origin policy, disclose sensitive information, and execute JavaScript code with chrome privileges.
One advisory addresses critical security flaws in all three programs (Firefox, Thunderbird, and SeaMonkey) that could arise from memory corruption and result in malicious attackers launching arbitrary code from users' computers.
Mozilla also notes that another set of critical vulnerabilities in all three could redirect users from a legitimate site to a malicious one, where users' private data could be stolen. And a third set of critical flaws noted in all three could lead to the launching of arbitrary JavaScript within a different Web site.
Microsoft released a critical security patch on Wednesday to plug vulnerabilities in Internet Explorer, a move that comes amid malicious attackers taking advantage of the security flaws.
The patch is designed to prevent attackers from downloading malware onto users' computers if they visit a malicious Web site, or a legitimate Web site that has been infected.
This zero-day exploit has been in circulation since the first week of December and potentially could have infected a wide swath of users.
The vulnerabilities are found in not only IE 7, Microsoft's latest browser, but also Internet Explorer 5.01, Internet Explorer 6, and Internet Explorer 6 Service Pack 1.