Security Watch

Browsers, Browsers, Browsers!

IE still vulnerable, but hackers are heat-seeking on other browser targets. Plus: Browser makers making "no tracking" a feature priority; Wordpress plug-in threatened by SQL injection attack.

Browser security and bells and whistles that make Web sessions safer and smoother are on the agenda this week. So are bugs that go bump in the night (and day) on the Internet.

First up: As January comes to a close, it's clear that Microsoft won't be releasing an out-of-band patch for several known IE vulnerabilities. Having to wait until next week has security gadflies buzzing about whether Redmond will handle its IE-fixing business in February either with a specific patch for the zero-day issues or the type of cumulative fix common during a regular release cycle. And some say Microsoft faces additional pressure, as additional IE issues are expected between now and then.

IE isn't the only browser being targeted. Paul Henry, security analyst for Lumension, opines that aside from IE, "other browsers including Chrome, Firefox, Opera and Safari are in the crosshairs too since the release of Michal Zalewski's 'cross_fuzz' Browser Fuzzing Tool that will need to be addressed quickly."

This month's light patch load, according to Henry, is nothing to celebrate, because the outstanding Internet Explorer issues are, in his words, "poised to wreak havoc in enterprise environments."

No Trackback with Google, Redmond, Mozilla
Speaking of browsers: Following a Federal Trade Commission suggestion for privacy protection on the Internet, Microsoft, Mozilla and Google have each either rolled out, or are planning, controls over tracking cookies in their respective browsers.

It's not necessarily a nefarious bug or network-threatening exploit that the browser makers are defending against; rather, they are answering the call of Web surfers wary of tracking cookies that monitor site visits, online behavior and e-commerce preferences.

But there are definitely security implications when it comes to the integrity of a browser session. The various "do not track" features in IE 9, and those being developed by Mozilla and Google, enable users to skirt personalized advertising and, by extension, spam, spoofed sites and adware.

Popular Blog Template Subject of SQL Injection
According to this post on the SANS Institute's Application Street Fighter blog, this Wordpress plug-in needs a patch -- and fast.

News is emerging that Wordpress, a common template for bloggers, has a couple of SQL injection bugs in the Short URL Plugin for WordPress. This means that if you're a blogger who uses the plugin to add a TinyURL or bit.ly link to a post about that really important subject, you may end up getting hit by SQL injection.

A SQL injection occurs when an attacker supplies input, for example through a URL parameter, that the application concatenates into a database query without escaping or parameterizing it, so the input is interpreted as part of the SQL command rather than as data. This can expose or corrupt data at the database level of the application. A plug-in with such a flaw could leave the average blogger open to experiences they may not want to blog about.
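To show what the flaw described above looks like in a WordPress plug-in, and how it is fixed, here is an added illustration that is not the Short URL Plugin's own code: a hypothetical short-link lookup, first in its injectable form and then rewritten to use `$wpdb->prepare()`. The table name `short_urls` and its `slug`/`long_url` columns are assumptions for the example.

```php
<?php
// Added example (not the Short URL Plugin's code): a hypothetical WordPress
// short-link lookup, shown injectable and then fixed. Assumes a plug-in table
// named {prefix}short_urls with columns slug and long_url.

// VULNERABLE: the slug taken from the request is concatenated straight into
// the SQL string, so a value containing quote characters can change the
// structure of the query instead of being treated as a plain lookup key.
function shorturl_lookup_vulnerable($slug) {
    global $wpdb;
    $table = $wpdb->prefix . 'short_urls';
    $sql   = "SELECT long_url FROM $table WHERE slug = '" . $slug . "' LIMIT 1";
    return $wpdb->get_var($sql);
}

// FIXED: $wpdb->prepare() binds the value through a %s placeholder, so
// whatever the visitor supplied is escaped and treated as data, never as SQL.
function shorturl_lookup_fixed($slug) {
    global $wpdb;
    $table = $wpdb->prefix . 'short_urls';
    $sql   = $wpdb->prepare(
        "SELECT long_url FROM {$table} WHERE slug = %s LIMIT 1",
        $slug
    );
    return $wpdb->get_var($sql);
}

// Defence in depth: reject malformed slugs before they reach the database.
// A short-link key never legitimately contains quotes, spaces or semicolons.
function shorturl_valid_slug($slug) {
    return (bool) preg_match('/^[A-Za-z0-9_-]{1,32}$/', $slug);
}

// Storing a new mapping follows the same rule: every external value goes
// through $wpdb->insert(), which escapes according to the format array.
function shorturl_store($slug, $long_url) {
    global $wpdb;
    if (!shorturl_valid_slug($slug) || !wp_http_validate_url($long_url)) {
        return false;
    }
    return (bool) $wpdb->insert(
        $wpdb->prefix . 'short_urls',
        array('slug' => $slug, 'long_url' => esc_url_raw($long_url)),
        array('%s', '%s')
    );
}
```

When auditing a plug-in, grep for `$wpdb->query`, `get_var`, `get_results` and similar calls whose argument is built with string concatenation or interpolation of request data; each such site is a candidate for the `prepare()` rewrite shown here.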

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.
