Posts tagged ‘Browser’

Are your Firefox plug-ins up-to-date? (Update)

The Mozilla Foundation has published a check for web browser plug-ins. Just by visiting the web site you can immediately see whether your plug-ins are up-to-date (green), outdated but without known vulnerabilities (yellow), or outdated with known security holes (red).

The check is supposed to work for Java, Adobe Reader, Flash, Shockwave, QuickTime, Windows Media Player and DivX. Supported operating systems are Windows, Mac OS X and Linux. If a plug-in is outdated, you can click on the button next to it to be sent to the manufacturer’s homepage and fetch the update.

Firefox 3 did warn of an invalid certificate. As the check isn’t final yet, this may be tolerable – but if the service becomes official, Mozilla should definitely fix the certificate.

Update: Now that the Mozilla Foundation has made this service official, you can reach it here. The invalid-certificate warning is gone!

Dirk Knop
Technical Editor

Mozilla Foundation fixes 2 vulnerabilities in Firefox

The developers of the Mozilla Foundation just released Firefox 3.5.2 to close two security vulnerabilities rated critical. One flaw in the web browser could be abused to spoof certificates for web servers. This could happen because the browser didn’t parse the domain name in the certificate correctly and stopped parsing at a NULL byte. A CA would issue a certificate for <domainname><0x00><mydomainname>, and the browser would treat the certificate as valid for <domainname>, thus allowing a hidden man-in-the-middle attack.

The second vulnerability could be abused to inject malicious code – for example a Trojan – into the victim’s computer by putting certain regular expressions into a certificate used for SSL communication. This was caused by code meant to provide backwards compatibility with the non-standard regular expression syntax used by Netscape clients and servers. Firefox now uses the current industry-standard wild-card syntax.
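As an added example (not code from Mozilla or from this post), the two certificate-name problems described above in Python: a C-style name extraction that stops at the first NULL byte, the length-aware check that rejects embedded NULLs outright, and a hostname matcher implementing the standard single-label wildcard rule (one `*`, only as the whole leftmost label). The legacy Netscape syntax that Firefox dropped is not modelled; the certificate names and hostnames are constructed.

```python
import re

# Added example (not Mozilla's code). All names below are constructed.


def common_name_c_style(cn_bytes):
    """Mimic the flawed behaviour: a C-style string routine treats the first
    NUL byte as the end of the name, so the bytes of a certificate issued for
    'www.example.com\\x00.attacker.example' read back as 'www.example.com'."""
    end = cn_bytes.find(b"\x00")
    if end != -1:
        cn_bytes = cn_bytes[:end]
    return cn_bytes.decode("ascii", errors="replace")


def common_name_length_aware(cn_bytes):
    """Corrected behaviour: the DER string carries its own length, so use all
    of it and refuse any name containing an embedded NUL."""
    if b"\x00" in cn_bytes:
        raise ValueError("embedded NUL byte in certificate name")
    return cn_bytes.decode("ascii")


# One DNS label: letters, digits, inner hyphens only.
LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def hostname_matches(pattern, hostname):
    """Industry-standard wildcard matching (RFC 2818 style, as later tightened
    by RFC 6125): one '*' may stand for the entire leftmost label and nothing
    else. Partial-label ('f*.example.com'), multi-level and too-short
    ('*.com') wildcards are rejected."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False                      # a wildcard never spans labels
    for i, (p, h) in enumerate(zip(p_labels, h_labels)):
        if p == "*":
            if i != 0 or len(p_labels) < 3 or not LABEL.match(h):
                return False
            continue
        if "*" in p or not LABEL.match(p) or p != h:
            return False
    return True


def certificate_valid_for(cn_bytes, hostname):
    """Full check: reject embedded NULs first, then apply wildcard matching."""
    try:
        cn = common_name_length_aware(cn_bytes)
    except (ValueError, UnicodeDecodeError):
        return False
    return hostname_matches(cn, hostname)


if __name__ == "__main__":
    spoof = b"www.example.com\x00.attacker.example"   # constructed name
    print("C-style parser sees:", common_name_c_style(spoof))
    print("length-aware check accepts spoof:",
          certificate_valid_for(spoof, "www.example.com"))
    print("*.example.com vs mail.example.com:",
          hostname_matches("*.example.com", "mail.example.com"))
    print("*.example.com vs a.b.example.com:",
          hostname_matches("*.example.com", "a.b.example.com"))
```

The point of the first two functions is that the name in a certificate is a length-prefixed DER string, not a C string; any code path that hands it to a NUL-terminated string routine silently truncates it. The matcher refuses `*.com`-style patterns and partial-label wildcards because the Netscape-era syntax allowed far broader matches than a CA intends when issuing a wildcard certificate.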

Update your Firefox as soon as possible by clicking on the Help menu and choosing “Search for Updates”. As other Mozilla products like Thunderbird and SeaMonkey are vulnerable too, apply their updates ASAP as well when they become available.

Dirk Knop
Technical Editor

Out-of-band Patches from Microsoft II

As announced last week, Microsoft released two security bulletins out-of-band. They address critical vulnerabilities in all Internet Explorer versions and a flawed Active Template Library (ATL) for developers using Microsoft’s Visual Studio.

Due to the flaw in the ATL – which is used to build ActiveX controls, for example – it is possible to bypass the kill bit restrictions within Internet Explorer (IE). Manipulated websites can thus call ActiveX modules with security vulnerabilities and inject malware on affected computers. Microsoft now closes three security holes in IE and hardens it against abuse of the flaws introduced by the ATL.

The error is based on flaws within the ATL of Visual Studio. Thus components built with this development environment can be affected, too. Cisco, for example, released a security advisory announcing workarounds and updates for the Cisco Unity software. Expect other software developers to release updates soon, too.

Interestingly, according to Microsoft’s Security Bulletins, Windows 7 is not affected by these vulnerabilities.

Install the updates as soon as possible, and if you are a developer, rebuild your components with the new ATL. A knowledge-base article from Microsoft explains the issue for developers.

Dirk Knop
Technical Editor

Security flaw in Adobe PDF/Flash

There are security flaws within Adobe Reader, Acrobat and the Adobe Flash Player that are currently being actively exploited on the net. The company has published a security advisory announcing that it is currently investigating the problem and plans an update for the 30th of July.

Avira antivirus solutions already detect the malicious PDF files as EXP/Pidief.TH and the malware dropped by those documents as TR/Drop.Wmach and TR/Spy.WMach, respectively. Still, it is a good idea to take additional security measures until Adobe provides an update.

Adobe recommends deleting or renaming the file authplay.dll that ships with the Reader and with Acrobat. Also, according to Adobe, enabling Data Execution Prevention (DEP) and activating User Account Control (UAC) in Windows Vista mitigate the risk.

Another solution would be to use a different PDF reader and to disable Adobe PDF and Flash within the web browser via its add-ons manager. The NoScript extension for Firefox also helps prevent Flash applications from running in the browser; it is possible that drive-by-downloads via malicious Flash applications embedded in web sites will turn up soon.

Dirk Knop
Technical Editor

Malware threats in the first half of 2009

As we predicted upcoming threats for 2009 at the end of last year, we have now checked whether our guesses were correct. Unfortunately, they were.

We predicted that the use of polymorphic file infectors would increase again. It did: W32/Virut, W32/Sality and W32/Almanahe are celebrating a comeback. The authors spread new variants of their polymorphism engines. It seems that even older versions of those polymorphic viruses are still widespread, but W32/Virut is receiving the most updates – several dozen in the first six months of the year. The good news is that our detection routines withstand these bypass attempts.

Spreading malware via manipulated PDF documents is still one of the top threats on the Internet. In the last months the number of exploit PDFs targeting vulnerabilities in PDF readers increased significantly – in the first half of 2009 we received several thousand samples. Every week the malware authors spread around ten newly obfuscated exploits, each of which is then used in plenty of PDF files. We regularly release updates for newly modified PDF exploits when necessary. Users should update their PDF readers regularly anyhow, as this mitigates most of the threats.

Web-borne malware continues to grow as an attack vector for infecting computers. Malware is increasingly installed via drive-by-downloads, where the attackers hack into web servers with legitimate content and add references to their malware servers. Those servers then install, for example, trojans and/or bots on the vulnerable computers. It seems that there are plenty of construction toolkits out there with which anyone can produce malicious JavaScript with a few mouse clicks: malware features like encryption, heap-spraying and shellcode appear to be modular and recur across parts of the malicious web pages we analyzed.
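Because these toolkit-built pages reuse the same building blocks, a defender can look for the blocks themselves rather than for one specific payload. The following is an added example (not Avira's detection code) in Python: a handful of regular-expression indicators for recurring drive-by page features (a long `%u`-escaped blob handed to `unescape`, a string that doubles itself to fill memory, a loop filling an array with concatenated strings, a zero-size or hidden iframe, and decode-then-`eval`), run over two constructed HTML samples. The samples are made up for this example; the suspicious one contains only filler bytes, not a working exploit.

```python
import re

# Constructed sample pages (not real captured malware), used only to
# exercise the indicator rules below.
BENIGN_PAGE = """<html><body>
<script>
  var greeting = "hello";
  document.getElementById("out").innerHTML = greeting;
</script>
</body></html>"""

SUSPICIOUS_PAGE = """<html><body>
<iframe src="http://a.b.operaunite.com/" width="0" height="0" style="border:0"></iframe>
<script>
  var blob = unescape("%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141");
  var slide = unescape("%u0a0a%u0a0a");
  while (slide.length < 0x10000) slide += slide;
  var spray = new Array();
  for (var i = 0; i < 400; i++) { spray[i] = slide + blob; }
  eval(String.fromCharCode(118, 97, 114, 32, 120, 61, 49));
</script>
</body></html>"""

# Each indicator is one recurring building block of toolkit-generated
# drive-by pages. Thresholds (e.g. 8 escapes) are assumptions for this example.
INDICATORS = [
    # unescape("...") fed at least eight %uXXXX escapes: an encoded binary blob
    ("unicode-escaped-blob",
     re.compile(r"unescape\(\s*['\"](?:%u[0-9a-fA-F]{4}){8,}")),
    # while (s.length < N) s += s;  -- grows a string to a target size
    ("self-doubling-string",
     re.compile(r"while\s*\(\s*(\w+)\.length\s*<[^)]*\)\s*\1\s*\+=\s*\1")),
    # for (...) { a[i] = x + y; }  -- fills an array with concatenated copies
    ("array-fill-loop",
     re.compile(r"for\s*\([^)]*\)\s*\{?[^}]*?\w+\s*\[\s*\w+\s*\]\s*=\s*\w+\s*\+\s*\w+")),
    # iframe that the user cannot see
    ("hidden-iframe",
     re.compile(r"<iframe\b[^>]*(?:width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b"
                r"|display\s*:\s*none|visibility\s*:\s*hidden)", re.I)),
    # code that is decoded at runtime and then executed
    ("decode-then-eval",
     re.compile(r"eval\s*\(\s*(?:unescape|String\.fromCharCode)\s*\(")),
]


def scan_page(html):
    """Return the names of all indicators that fire on the page."""
    return [name for name, rx in INDICATORS if rx.search(html)]


def is_suspicious(html, threshold=2):
    """Flag a page when at least `threshold` independent indicators fire.
    Requiring more than one keeps a lone unescape() or iframe from alerting."""
    return len(scan_page(html)) >= threshold


if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("suspicious", SUSPICIOUS_PAGE)):
        hits = scan_page(page)
        print(label, "->", hits, "suspicious" if is_suspicious(page) else "clean")
```

Scoring on the count of distinct indicators, rather than on any single pattern, is the design choice that matters here: each block on its own appears in legitimate pages (minified libraries use `unescape`, analytics code uses hidden iframes), but a page that combines several of them is far more likely to be toolkit output. Such rules complement, rather than replace, signature updates for the obfuscated exploits themselves.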

Using an up-to-date antivirus product helps protect against these threats. The WebGuard of our premium products additionally remedies web-borne malware distribution very efficiently.

Dirk Knop
Technical Editor

Opera Unite – Everybody is becoming a Web server

Browser developer Opera today introduced a new feature of its upcoming browser generation 10 under the code name Opera Unite. Basically, Opera added a web server to the browser and offers a dynamic DNS service along with it. So everyone can provide content on the Internet from their own computer and, thanks to the dynamic DNS service, under a fixed domain like http://<mycomputer1>.<myusername>.operaunite.com/.

This does sound great and many people would like such a feature. Anyhow, I got scared when reading the news about this feature. Imagine other browser developers like Mozilla, Apple or Microsoft adding such a feature, too! Everybody would be able to share documents publicly. And executable programs. But who makes sure that those aren’t infected or Trojans themselves?

Plenty of malware spreads itself through, for example, the shared folders of file-sharing programs; there is no reason it would not use a web server that is accessible to everyone with a web browser – and not just to users of a file-sharing program. The spreading mechanism can be very simple: users could get a mail or instant message with a (proper) link to the malware. Or such a link is placed on another web site.

One indicator for antimalware programs can be a suspicious IP-only address at which the executable file is located. Now it can be served under a fully qualified domain name, disabling this indicator (as http://a.b.operaunite.com/malware.exe looks less suspicious than http://143.145.23.45/malware.exe, even to the human eye). Before such a feature existed in a browser/server combination, something like so-called fast-flux DNS was necessary to give infected computers a domain name. Additionally, a malware author no longer needs to code their own web server – just reconfigure the browser!
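The following added example (not Avira's or Opera's code) shows the indicator described above in Python and what it takes to keep it useful: a URL classifier that flags executable downloads from a raw IP address, and, as an assumed extension, also flags hosts under a watch-list of dynamic-DNS suffixes for end-user machines, with the operaunite.com domain from this post as the only entry. The two URLs from the post are used as inputs; the remaining URLs and the watch-list itself are constructed.

```python
import ipaddress
from urllib.parse import urlsplit

# File types a browser would save and run rather than render.
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".com", ".bat", ".pif", ".msi")

# Assumed watch-list: domains under which arbitrary end-user machines get a
# fully qualified name. Only the suffix named in the post is included here.
DYNAMIC_HOST_SUFFIXES = ("operaunite.com",)


def host_is_raw_ip(host):
    """True for a bare IPv4 or IPv6 literal (urlsplit strips the [] brackets)."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_under_suffix(host, suffixes):
    """True if host equals a watched suffix or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def assess_url(url):
    """Return the list of indicators that apply to the URL, in a fixed order.

    The raw-IP rule is the classic indicator from the post; the dynamic-DNS
    rule is what a defender has to add once anyone's PC can carry a proper
    domain name, because the raw-IP rule then no longer fires."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()
    indicators = []
    if path.endswith(EXECUTABLE_SUFFIXES):
        indicators.append("executable-download")
        if host_is_raw_ip(host):
            indicators.append("raw-ip-host")
        elif host_under_suffix(host, DYNAMIC_HOST_SUFFIXES):
            indicators.append("dynamic-dns-host")
    return indicators


if __name__ == "__main__":
    for u in ("http://143.145.23.45/malware.exe",          # from the post
              "http://a.b.operaunite.com/malware.exe",     # from the post
              "http://www.example.com/setup.exe",          # constructed
              "http://www.example.com/index.html"):        # constructed
        print(u, "->", assess_url(u))
```

Both sample URLs from the post point at the same kind of file, but only the first one trips the raw-IP rule; without the suffix watch-list the second one would pass as an ordinary download, which is exactly the loss of signal the post warns about.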

The idea of adding a web server to the browser sounds nice. But it has to be done correctly. Otherwise we might be facing a new dimension of drive-by-downloads (or -uploads) and hacked “servers” in the near future.

Dirk Knop
Technical Editor

Microsoft warns of critical DirectX flaw

Microsoft issued a warning about a security vulnerability in DirectX which is reportedly being actively exploited. The affected component quartz.dll was removed in Windows Vista and Server 2008 (and also in Windows 7), so Windows 2000, XP and Server 2003 are vulnerable. On those operating systems, a user just needs to open a manipulated QuickTime file to infect her computer – independent of the browser or software used.

From Microsoft’s Security Response Center: “The vulnerability is in the QuickTime parser in Microsoft DirectShow. An attacker would try and exploit the vulnerability by crafting a specially formed video file and then posting it on a website or sending it as an attachment in e-mail. While this isn’t a browser vulnerability, because the vulnerability is in DirectShow, a browser-based vector is potentially accessible through any browser using media plug-ins that use DirectShow. Also, we’ve verified that it is possible to direct calls to DirectShow specifically, even if Apple’s QuickTime (which is not vulnerable) is installed.”

The company offers a solution in a knowledge-base article. Users can apply a fix by clicking on the “fix it” link in that article with Internet Explorer – though at the moment the fix is apparently undergoing maintenance. Microsoft writes that it wants to ship a patch as soon as it is production stable. It is unclear whether this means that they want to ship an update out-of-band or whether it will be ready for the June Black Tuesday.

Dirk Knop
Technical Editor

Mozilla updates

The Mozilla Foundation has closed several security holes in its products that allow attackers to inject malicious code, for example via manipulated web pages. Affected are Firefox, Thunderbird and the SeaMonkey browser suite.

An overview of the vulnerabilities is available on the Mozilla website. As the Mozilla-based web browsers are highly popular, cybercriminals develop malware for them as well. So update your Firefox to the current version 3.0.9, Thunderbird to 2.0.0.22 and SeaMonkey to 1.1.17 or newer as soon as possible!

Dirk Knop
Technical Editor

Microsoft Windows, Firefox 3 Update and Spam

The developers from the Mozilla project just released an update for Firefox 3, bumping the version number to 3.0.4. The patch remedies 11 vulnerabilities, of which 4 are considered critical by the Mozilla developers. They may lead to execution of injected code (like a trojan), so please update ASAP.

Microsoft published 3 patches for critical weaknesses in its operating systems and office solutions on November Black Tuesday, which also may allow attackers to remotely take over users’ machines. Two patches close holes in Microsoft’s XML parser (XMLcore). Another update helps with a security problem that has been known for roughly 7 years now, a so-called SMB reflector attack: an attacker on the network sends back credentials he sniffed earlier and gets access to the SMB client. Users and companies are well advised to install the patches soon.

Another story is making the rounds in the media concerning an ISP from San Jose in the U.S., McColo. That ISP provided “bullet proof hosting”, which is often used for Command&Control servers of botnets. The two major internet carriers connecting McColo to the internet pulled the plug yesterday. Since then the spam rate on the net has dropped to half of the usual amount, sometimes even to 10%. Unfortunately, this won’t last long, as the criminals are losing profit and will surely look for alternatives.

Dirk Knop
Technical Editor