Friday, July 30, 2010

Friday Quick Links

This was the week for worrying about the Microsoft LNK 0-day exploit (I found at least one laptop with 54 instances of it), browser patches, and a nasty flaw in a banking app for the iPhone:

SophosLabs Released Free Tool to Validate Microsoft Shortcut
SophosLabs has just released a free tool that provides detection against the Windows shortcut exploit that we published last week here and here. Sophos has indicated it works with any antivirus software and it works with Windows XP/Vista/7 but not 2000. When Windows tries to display an icon with a shortcut, the tool will intercept the request in order to validate it and give back control to the user if not found to be malicious.

SophosLabs has made a video available on what the exploit is and how the tool works here, and the tool is available for download here.



Safari update fixes auto-fill flaw ahead of Black Hat talk - SC Magazine US
US-CERT Current Activity: Apple Releases Safari 5.0.1 and Safari 4.1.1
added July 28, 2010 at 01:35 pm
Apple has released Safari 5.0.1 and Safari 4.1.1 for Windows and Mac OS X to address multiple vulnerabilities in Safari and WebKit. These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, or obtain sensitive information.

US-CERT encourages users and administrators to review Apple article HT4276 and apply any necessary updates to help mitigate the risks.

Apple patches Safari Auto-Fill security hole | ZDNet
By Ryan Naraine | July 28, 2010, 12:30pm PDT
LAS VEGAS — Apple has shipped a major Safari browser update to fix 15 documented security holes, including a known flaw in the browser’s AutoFill Web Forms feature that can be hacked to steal data from the computer’s address book.

The update comes ahead of a presentation at this year’s Black Hat security conference where Web application security researcher Jeremiah Grossman is scheduled to discuss the AutoFill hack.



US-CERT Current Activity: Google Releases Chrome 5.0.375.125
added July 27, 2010 at 12:01 pm
Google has released Chrome 5.0.375.125 for Linux, Mac, and Windows to address multiple vulnerabilities. These vulnerabilities may allow an attacker to execute arbitrary code or obtain sensitive information.

US-CERT encourages users and administrators to review the Google Chrome Releases blog entry and apply any necessary updates to help mitigate the risks.

Google patches Chrome, sidesteps Windows kernel bug
Google on Monday patched five vulnerabilities in Chrome by issuing a new "stable" build of the browser.

The update to Chrome 5.0.375.125 fixed three flaws rated "high," Google's second-most-serious threat rating, as well as one pegged "medium" and another labeled as "low" in Google's four-step scoring system. Danish vulnerability tracker Secunia judged the cumulative update as "highly critical" using its own ranking.

And earlier this week, already blogged here:
US-CERT Current Activity: Firefox Releases Firefox 3.6.8
added July 26, 2010 at 08:40 am
The Mozilla Foundation has released Firefox 3.6.8 to address a critical vulnerability. This vulnerability may allow an attacker to execute arbitrary code.

US-CERT encourages users and administrators to review the Mozilla Foundation security advisory MFSA 2010-48 and update to Firefox 3.6.8 to help mitigate the risks.


Is your iPhone backup file secure? - F-Secure Weblog : News from the Lab
Tuesday's edition of the Wall Street Journal reported on a security flaw in Citi's mobile banking application for the iPhone.

Customers are advised to update.

From the WSJ:
"Citi said its iPhone app accidentally saved information—including account numbers, bill payments and security access codes—in a hidden file on users' iPhones."

...
The files are not difficult to locate. ... And they can be easily viewed with free software such as SQLite Database Browser.

iTunes offers encryption [of the backed-up files - ASF], but most people probably don't use it.


If you have an iPhone or iPod, make sure your backups are encrypted even if you don't run any banking apps.
