Security Watch

Numerous Critical Flaws Fixed in Latest Firefox Update

Firefox security update fixes five critical vulnerabilities, a hacker is arrested for cracking VoIP networks, Circuit City's Web site is hacked, and more.

Twelve security vulnerabilities were patched in the latest Firefox security update, v1.5.0.4. Five of the patched vulnerabilities were deemed "critical," including those that would allow an attacker to take control of the victim's system.

Firefox has been frequently touted as a secure alternative to Internet Explorer, but without getting into a discussion of how many more vulnerabilities one has versus the other, remember that all products have vulnerabilities.

Hacker cracked Net phone networks for gain, feds say: U.S. federal authorities arrested Edwin Pena on charges he fraudulently forwarded Voice over IP traffic from his customers through others to avoid having to pay the charges required to fulfill the connections. One VoIP completion provider completed 500,000 calls from Pena's customers, it's claimed.

It's difficult to determine from the story whether the attack exploited a weakness in VoIP itself, or servers used to route VoIP calls to completion providers (companies that link the VoIP traffic to the Public Switched Telephone Networks).

According to reports, Pena "modified" the identifier used in VoIP packets to tell VoIP completion providers who to bill for the call. However, the story also refers to Pena compromising the VoIP servers of a New York company and using that server to re-route his calls.

It would seem to us that it is not a compromise of VoIP as a protocol, but instead a compromise of a VoIP server implementation. In fact, it could be likened to having your SMTP server open to SMTP-relay. If you are allowing VoIP clients to use your server to route calls to completion providers, you must ensure adequate steps have been taken to prevent any client other than your own trusted clients from connecting to your server.

Circuit City warns of online forum attack: Part of the Circuit City Web site was hacked and used in an attempt to install malicious code on PCs of unwitting visitors, the electronics retailer said Thursday.

We at Cybertrust Inc. have cited PHP as a problem vector numerous times in the past. In general, we do not believe our customers are using PHP widely on their own Web sites. In this case, Circuit City itself was not using PHP, but the third party that provided it with the forum site did use PHP. More importantly, that company used PHP insecurely on behalf of Circuit City. When using third parties to host your brand, it is important to ensure you have performed a reasonable audit of their security practices to prevent your brand from being associated with such a security story.

Millions in danger from chip and pin fraudsters: According to experts in the United Kingdom, chip and pin bank cards in the U.K. have been deployed using Static Data Authentication. SDA reuses authentication information to sign transactions, as opposed to Dynamic Data Authentication (DDA), which provides a unique signature for each transaction. This fact, coupled with the fact that shop terminals have a 1 in 5 chance of not actually connecting with the issuing bank during the transaction, means that cloned SDA cards could go unnoticed.

This column was originally published in our weekly Security Watch newsletter.

Well, the story would certainly seem to be reaching for a point. Given that criminals will have no way of knowing whether their use of a cloned card will or won't trigger a fraud alert, or in other words be one of the 4 out of 5 times a fraud alert would be generated for a cloned card, we can hardly imagine that millions of card holders are going to be subjected to cloning crime. Yes, theoretically the experts are right; in practice, however, would you take the risk? Unmanned terminals are the only places where such risk could be deemed reasonable, but one might assume such terminals will be backed up with cameras adequate to get some other form of identification of the fraudster.

All that said, however, the only justifiable reason to opt for SDA instead of DDA is if a terminal had to provide such a high volume of transactions that the delay of having to repeat an authorization attempt could not be tolerated. We're hard-pressed to think of a good example of such a terminal.
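The SDA/DDA difference discussed above, as an added example that is not part of the original column: a simplified model in which a copy of a card's readable data passes the offline SDA check but fails the DDA challenge, because the signing key never leaves the genuine chip. The textbook RSA, the keys, the card data and all function names are assumptions made for illustration; real cards use certificate chains and padded signatures.

```python
import hashlib
import secrets

E = 65537  # public exponent shared by both toy keys

def keypair(p, q):
    """Textbook RSA from two known primes: returns (modulus, private exponent)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(data, n, d):
    return pow(digest(data, n), d, n)

def verify(data, sig, n):
    return pow(sig, E, n) == digest(data, n)

# Constructed keys (Mersenne primes; far too small and unpadded for real use).
ISSUER_N, ISSUER_D = keypair(2**107 - 1, 2**127 - 1)
CARD_N, CARD_D = keypair(2**61 - 1, 2**89 - 1)

# Everything a terminal can read off the chip. Constructed sample values.
PAN = b"PAN=0000000000000000;EXP=0000"
READABLE = {
    "pan": PAN,
    "sda_sig": sign(PAN, ISSUER_N, ISSUER_D),   # same bytes on every transaction
    "card_n": CARD_N,
    "card_cert": sign(PAN + str(CARD_N).encode(), ISSUER_N, ISSUER_D),
}

def genuine_card(nonce):
    """Real chip: signs the terminal's nonce with a key that stays on the card."""
    return sign(nonce, CARD_N, CARD_D)

def make_copy(observed_nonce):
    """A copy holds only READABLE plus one recorded response, which it replays."""
    recorded = genuine_card(observed_nonce)
    return lambda nonce: recorded

def sda_check(readable):
    """Offline SDA: only the issuer's signature over the static data is checked."""
    return verify(readable["pan"], readable["sda_sig"], ISSUER_N)

def dda_check(readable, respond):
    """Offline DDA: check the card-key certificate, then a fresh challenge."""
    cert_ok = verify(readable["pan"] + str(readable["card_n"]).encode(),
                     readable["card_cert"], ISSUER_N)
    nonce = secrets.token_bytes(8)  # unpredictable, so old responses do not match
    return cert_ok and verify(nonce, respond(nonce), readable["card_n"])
```

The SDA check has no input that distinguishes the original from a copy, which is why detection of a copied SDA card depends on the terminal going online to the issuer.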

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
