
Twitter XSS vulnerability fixed

  • Post author: Omid Farhang
  • Post published: September 23, 2010
  • Reading Time: 1 min
  • Word Count: 49 words

Twitterers are still clogging the micro-blogging service with little messages about the cross-site-scripting problem earlier today. Twitter has announced that the problem has been fixed. A cross-site scripting vulnerability using “onmouseover” was being widely exploited to spread worms and redirect viewers to malicious sites. Story here from The Register.


More Spam with JavaScript redirectors

  • Post author: Omid Farhang
  • Post published: September 23, 2010
  • Reading Time: 1 min
  • Word Count: 96 words

We received new spam emails which contain a JavaScript redirector in the form of an HTML attachment. The emails we received have the subject “Consultation Appointment”. The decrypted JavaScript consists of new JavaScript code. This JavaScript redirector loads yet another JavaScript from the internet. The domain which is hosting the malicious .js is registered to someone from Malaga. Domain tools show that this person has registered about 2.400 other domains. ...


Twitter XSS getting abused

  • Post author: Omid Farhang
  • Post published: September 21, 2010
  • Reading Time: 1 min
  • Word Count: 126 words

A new security flaw on Twitter is currently being exploited. Hackers found a way to inject malicious JavaScript code into tweets with the onMouseOver event. This can lead to pop-ups appearing, redirects to websites, re-tweeting of spam, or even worse things like cookie stealing (compromising the user accounts). The problem is that Twitter doesn’t properly filter out some tags in tweets. Users should be very cautious when seeing colored text blocks (background and text colors are the same, called “rainbow tweets”) – these are currently mostly used to exploit the security vulnerability. Hopefully, Twitter closes the security hole soon! Until then, using the NoScript web browser extension or disabling JavaScript on Twitter helps against the attack. Also, Twitter applications which rely upon the Twitter API aren’t affected. ...


Flash Player Updates fix 0-day-vulnerability

  • Post author: Omid Farhang
  • Post published: September 21, 2010
  • Reading Time: 1 min
  • Word Count: 105 words

Adobe fixed the vulnerability in Flash Player in record time again. Just one week after the 0-day became public and started to get exploited, an update is available to close the security hole. Even though Adobe Reader and Acrobat are affected (which are supposed to get an update in 2 weeks), until now we’ve only seen exploits against the Windows Flash Player. Users and administrators should update their Flash Player as soon as possible! Version 10.1.85.3 fixes the issue for Windows, Unix, Solaris and is available through Adobe’s download center. Android users can get the update to 10.1.95.1 on the Android Market Place. ...


Scammers set their sights on Resident Evil: Afterlife

  • Post author: Omid Farhang
  • Post published: September 20, 2010
  • Reading Time: 1 min
  • Word Count: 169 words

Resident Evil. Man, those films are terrible. Frankly, I’m happy to end the writeup right there, but if I did you’d miss out on all the fun. Resident Evil Afterlife is now in cinemas (unfortunately) and scammers are all too happy to cash in. watchresidentevil4(dot)com is our port of call today: Try to watch the film, and you’re prompted to install ClickPotato (from Pinball Corp). There’s also four other items preticked, which is nice of them. Installing that lot gives you a prompt to “see premium content”. ...


Security issues on Android

  • Post author: Omid Farhang
  • Post published: September 20, 2010
  • Reading Time: 4 min
  • Word Count: 670 words

One unique security feature of Android is the permission check when installing 3rd party apps. The system lists all permissions that an app requires and asks the user to check if that’s alright. Such permissions are the ability to receive your location, send or receive text messages, internet access, phone calls and many more. The user can be sure that the app is not doing any of such activities without the appropriate permission. In case the developer forgets to add a particular permission then the operating system will simply block the corresponding function which leads to a “Force Close”, which means the app will be terminated. ...


Browser Updates, again

  • Post author: Omid Farhang
  • Post published: September 17, 2010
  • Reading Time: 1 min
  • Word Count: 112 words

Google released version 6.0.472.59 of its Chrome web browser. It fixes 10 security vulnerabilities; 1 is only affecting Mac OS X and critical, 6 are rated “high” in their severity. As usual, the update should get delivered and installed automatically – but it doesn’t hurt to check via the “Info about Chrome” option in the “settings” menu whether the new version is already installed. The Mozilla developers pulled the update to Firefox 3.6.9 due to some stability issues some users experienced. Now Firefox 3.6.10 is available which fixes the security vulnerabilities like 3.6.9 and also the instabilities. It is available via “Help” – “Check for Updates” and should be installed ASAP, too. ...


New phishing-spam waves using Facebook as bait

  • Post author: Omid Farhang
  • Post published: September 17, 2010
  • Reading Time: 3 min
  • Word Count: 499 words

We have started to see again a large increase in the amount of emails pretending to come from Facebook. There are two types of emails which are being sent in large amounts currently. Both of them use classical types of social engineering techniques. The first type is using the old trick with “the photos”. The final target is a website where SMSes can be sent for “free” (note the quotes). I would like to emphasize again that there is nothing out there for free. Even if you don’t pay for it, those who offer the service (or whatever is given for “free”) do get something in exchange. It might be your telephone number, your email address or something similar which is worth a lot on the Internet. ...


The Anti-Botnet Initiative

  • Post author: Omid Farhang
  • Post published: September 17, 2010
  • Reading Time: 2 min
  • Word Count: 400 words

The Anti-Botnet Initiative has now been started. The initiative is a cooperation of eco and The German Federal Bureau for Information Security (BSI) and has created a telephone hotline for people whose computers may be infected and seem to be part of a botnet. In order to be able to detect this, the major ISPs in Germany are also cooperating (1und1, Telekom, Kabel BW, NetCologne, QSC and Versatel). The ISPs monitor suspicious activity on all IP addresses in their pool. Suspicious activity includes, for example, the sending of huge amounts of data on certain ports like 25 for SMTP (used to send spam emails), incoming HTTP connections (used to serve HTTP connections) and so on. Once the ISP detects this, the customer gets an email notification with information about the suspicious activity and various other information (like the telephone number of the hotline). The user is also instructed to have a look at the www.botfrei.de website. ...


ā€œHere you haveā€ worm linked to cyber jihadists

  • Post author: Omid Farhang
  • Post published: September 11, 2010
  • Reading Time: 2 min
  • Word Count: 307 words

A worm collectively dubbed by the security industry as the “Here you have worm” has been making its way onto corporate networks over the past 24 hours. The worm arrives via e-mail using the subject line “Here you have” or “Just For you” along with an executable disguised as a PDF file. It first appeared last month sending spam e-mails from [email protected]. The worm creates the following files: (Note: See the full report in our sandbox -> http://x.maldb.com/?p=44309#more-44309) ...
