Critical Firefox update released

This issue's topics:

Introduction:

* New Sober; critical Firefox update; OS X updates

Virus News:

* Missed e-mail delivers much more

Security News:

* Critical Firefox security update released

* Mac OS X 10.3.9 and iSync 1.5 security updates released

* Sumitomo Mitsui e-heist enabled by hardware key loggers

Introduction:

Because Monday is ANZAC Day, we have reverted the Virus & Security Watch newsletter to its old Friday slot this week. The next issue will be back in the now usual Monday posting slot Monday-week.

The injudicious have touted Firefox as the replacement browser of choice 'because it is more secure than IE'. That was always arrant nonsense, and I was always one to say so. But don't get me wrong - I also generally recommend the alternate browser, while noting that although its security has not been put through the wringer to anything like the extent IE's has, whatever security flaws it did have were still largely unknown, and thus were not being used (to any discernible extent) by the bad guys.

Well, that party is over. Almost a week ago (late last Friday in the US) Firefox 1.0.3 was released along with the news that, among fixes for several other nasty security flaws, it included a fix for a remote, silent, arbitrary code execution vulnerability. Since then proof of concept code showing exactly how to (quite trivially) exploit this vulnerability has been published, and use of such exploits has been seen in the wild.

Because of the thoroughness of the cross-platform support provided by Firefox, all platforms that can run the browser can be readily targeted by exploits of this vulnerability, and the proof of concept exploit showed just how to do so for Windows, OS X and Linux targets. The greatest ignominy of all this? All those 'holier than thou' Linux bigots are as much in the brown sticky stuff as the Windows users they are accustomed to scoffing at...

Aside from worrying about obtaining the latest Firefox release, if they run it, Mac OS X 10.3.x users also have new security updates to consider, with the release of OS X 10.3.9. Further still, OS X 10.2.8 and 10.3.x users should be looking at the iSync update, especially if proper user privilege separation is important to their setup.

There have been very many new viruses through the past week, but really none especially worth commenting on. That said, the latest Sober variant gained a greater deal of success than any virus for several weeks, so we have chosen to cover it.

Finally, we round out the newsletter this week with a followup report on the attempted Sumitomo Mitsui bank heist, initially reported here a few issues back.

Virus News:

* Missed e-mail delivers much more

Variously named Sober.M, Sober.N and Sober.O, the latest Sober variant achieved a degree of 'success' earlier this week, with most antivirus vendors, at least briefly, rating it a 'medium' level threat. Technically, this Sober variant is just another mass-mailer. However, its success may be due to its deliberate use of broken English, a tactic that is not new, having also been used in some earlier Sober variants. The first sentence of its message is 'First, Very Sorry for my bad English' and it then proceeds to explain that the sender believes they have been receiving e-mail messages actually intended for the recipient of this new (viral) message.

Of course, the "missed" messages have been attached and the claim about the contents of the attachment is just a ruse to trick the unwary into running the attachment...

Computer Associates Virus Information Center

F-Secure Security Information Center

Network Associates Virus Information Library

Sophos Virus Info

Symantec Security Response

Trend Micro Virus Information Center

Security News:

* Critical Firefox update released

A cross-platform arbitrary code execution vulnerability in Firefox is among the security flaws in this popular alternative web browser fixed in the 1.0.3 release. As proof of concept code showing how to exploit this vulnerability against Windows, Linux and OS X targets has been released, and as an adaptation of that exploit has been seen in the wild, obtaining and installing this update should be of critical concern to all Firefox users.

Archived Bugtraq list messages - securityfocus.com

Archived Bugtraq list messages - securityfocus.com

Firefox home page - mozilla.org

* Mac OS X 10.3.9 and iSync 1.5 security updates released

Aside from consolidating previous Mac OS X security updates, the 10.3.9 release of OS X includes several new security updates. Whilst it is strongly recommended for all OS X 10.3.x users, before installing this update take careful note of the potential issues with Java applications and Java-enabled websites described in the 'Java and Safari issues after updating to Mac OS X v10.3.9' item linked below.

Also, OS X 10.2.8 and 10.3.x users should obtain the iSync 1.5 update released a few days after the OS X 10.3.9 release. This update fixes a locally exploitable buffer overflow in iSync that allows any local user to elevate their privileges to root. An exploit achieving just that was released in late January, so OS X sites that depend on restricting user privileges (such as schools, public access sites) have potentially been exposed to this for about three months.

The 'Apple security updates' page linked below has links to both downloads if you have not already received them through the OS X Software Update process.

Archived Bugtraq list message - securityfocus.com

Java and Safari issues after updating to Mac OS X v10.3.9 - apple.com

Apple security updates - apple.com

* Sumitomo Mitsui e-heist enabled by hardware key loggers

A few weeks back we reported the UK's National Hi-Tech Crime Unit (NHTCU), with the co-operation of the Israeli police, had arrested an Israeli man who attempted to fraudulently transfer money from the Sumitomo Mitsui bank. Early reports suggested that key loggers had been installed at the London offices of the bank, but both the bank and NHTCU were tight-lipped about the details of the operation.

Now reporters at VNU claim sources have revealed that the initial snooping on Sumitomo was done with small, physical key loggers. These devices are fairly readily available, costing around GBP20 (approximately NZ$60) each. Typically they are about the shape and size of AA or AAA batteries, with one end plugging into the monitored computer's keyboard port and the keyboard plugging into the other end of the device. Common models can record about 100,000 key presses as the connected keyboard's signals pass through the device.

VNU claims that some of these devices were found in place, tipping the bank off to the plot sometime last year. According to VNU, the key loggers were installed (and presumably retrieved) by cleaning staff, or by people posing as cleaners.

Bank attack used key-loggers costing just GBP20 - vnunet.com
