Security Watch

This Firefox Flaw Bytes

Plus: MPACK goes wild; Trojans on YouTube; 419 scammers busted in Holland; insecure SSL v2.

Firefox contains a vulnerability when parsing URLs that contain a null byte character. According to this article, the null character can be used to fool Firefox into thinking that one file type is actually another, such as providing a URL that points to an executable but ends in a 0x00.html. Firefox will think such a URL is pointing to an HTML file, not an executable. When clicked, the file will run the executable. Patches are unavailable.

This was a vulnerability in IE a long time ago, so it's certainly surprising to see the same flaw cropping up in Firefox today. However, it should be pointed out that it is only a vulnerability when the URL prefix is either file:/// or resource:, which may explain why it is just being discovered now.

MPACK Exploit Goes Wild
According to information from Panda Software, MPack authors are infecting thousands of legitimate Web sites with script code that redirects visitors to MPack-infected Web sites, or they're installing MPack on the site and infecting visitors directly. Various reports claim the number of infected sites to be in the region of 10,000. MPack contains modules that can exploit IE, Firefox and Opera. All exploits attempted are patched vulnerabilities.

The victims must visit sites that are infected, and, have reasonably long-lived unpatched vulnerabilities. The PandaLabs Report, "MPack uncovered," shows statistics -- presumably, on a single server -- that indicate some more than 14,000 infections. One does have to wonder at the purpose of such statistics. Possibly they’re being used to advertise the package’s capabilities, in which case the numbers may be seriously inflated. We’re certainly not going to take the claim of a criminal as fact as to how many systems have been infected.

Trojans Lurking In Fake Video Postings On YouTube
Secure Computing says that two Trojan videos were put up on YouTube within the past week. Both videos then infected susceptible victim viewers with the zlob Trojan. Secure Computing credits YouTube staff with being quick to remove such malicious code, according to this article in InformationWeek.

The article goes into all sorts of speculation, including Sophos’ claim that they are seeing 9,500 newly infected Web pages per day (without saying how many old, infected Web pages are being cleaned or blocked). It also points out that people aren’t suspecting malicious code when visiting YouTube.

Want More Security?

This column was originally published in our weekly Security Watch newsletter. To subscribe, click here.

We will point out that the most likely way a criminal is going to use YouTube to infect you is by calling for a video codec that isn’t on your system. That codec download will actually be a Trojan. If you’re prompted to install a codec, don’t be duped into downloading it via the video. Instead, check the Web for the official location of the codec -- assuming it’s a real codec -- and install it from there. Then go back to YouTube and see whether you are still being prompted for the codec. If you are, then you know it’s malicious.

Dutch Police Nab 419 Scammers
Dutch police have arrested more than 100 West Africans, initially on the basis that they are in the country illegally. They are also being investigated for participating in what is commonly called the "Nigerian 419" fraud, where e-mails are sent promising respondents millions of dollars if they simply help complete a transaction for a fee. Thus far, this Yahoo article says only eight have been arrested, all on immigration charges.

Considering there are probably thousands of people involved in these scams, the arrests seem like a drop in the bucket. We certainly haven’t seen a noticeable decrease in 419 scam messages.

Who's Secure Now?
Check out blog entry from AmberSail, which offers a reminder: According to the latest PCI DSS documentation, as of June 30th, 2007, all SSL servers must be running SSL version 3 or higher. Earlier versions are not acceptable as compliant.

This is unlikely to be much of an issue for anyone with any reasonable customer base, as most current browsers disable the use of SSL v2. If you're running SSL v2, you likely have had quite a few complaints from customers.

We have an old saying that goes like this: "If SSL v2 is your worst problem, you don’t have much to worry about." On the other hand, if your system doesn’t support SSL v3, then it must be fairly out of date and possibly has other issues that need to be updated also.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq,, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.

comments powered by Disqus
Most   Popular