
Exploit for zero-day vuln in Firefox is for sale

  • Post author: Omid Farhang
  • Post published: February 21, 2010
  • Reading Time: 1 min
  • Word Count: 179 words

Evgeny Legerov, founder of Intevydis in Moscow, has created an exploit that hits a previously unknown heap-corruption vulnerability in the Firefox browser. The code isn’t readily available though, since he’s put it in a module to the automated exploitation system he sells (reportedly at a considerable price.) Legerov has not provided information on the vulnerability to Mozilla. The Intevydis site says: “Exploitation frameworks are not new on the market, but only we may offer you hundreds of CANVAS modules for unpatched and unknown vulnerabilities in highly popular software products.” ...


Google Chrome Dev Channel Update [5.0.322.2]

  • Post author: Omid Farhang
  • Post published: February 13, 2010
  • Reading Time: 2 min
  • Word Count: 285 words

The Google Chrome dev channel has been updated to 5.0.322.2 for Windows, Mac and Linux platforms.

All
  • [r38242] Don’t crash when a theme specifies a nonexistent image. (Issue: 31719)

Mac
  • [r38319] Honor modifiers for clicks on home button – cmd-clicking the home button now opens your home page in a new tab. (Issue: 34900)
  • [r38204] Implemented writing direction context menu in text input fields.
  • [r38504] Add local storage nodes to the cookie manager. (Issue: 33068)

Linux ...


The Buzz is getting LOUDER

  • Post author: Omid Farhang
  • Post published: February 12, 2010
  • Reading Time: 2 min
  • Word Count: 321 words

It has been barely two days since Google announced their new social integration and messaging tool called Google Buzz. Today we saw the first example of malware, W32/Zuggie-A, pretending to be Google Buzz. Analysis of W32/Zuggie-A gives the impression of a hastily assembled worm, really a modification of the W32/SillyFDC family of worms but with a twist.

When W32/Zuggie-A is installed, it creates the following files:

  • Program Files\Mozilla Firefox\extensions{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome\content\timer.xul
  • Program Files\Mozilla Firefox\extensions{9CE11043-9A15-4207-A565-0C94C42D590D}\chrome.manifest
  • Program Files\Mozilla Firefox\extensions{9CE11043-9A15-4207-A565-0C94C42D590D}\install.rdf
  • System\googlebuzz.exe – copy of W32/Zuggie-A
  • System\GoogleUpte.exe – copy of W32/Zuggie-A

W32/Zuggie-A modifies the registry to autostart GoogleUpte.exe and googlebuzz.exe. A quick search shows that the CLSID 9CE11043-9A15-4207-A565-0C94C42D590D has previously been seen in multiple worms. This supports my theory that this is a hastily assembled worm built from recycled malware.

I fired up a copy of Firefox on the infected machine and, as determined from analysis, found an installed Firefox extension called “Firefox security 2.0 – Internal security options editor” under the extensions tab of Firefox Add-ons. This “security extension” has added a JavaScript (timer.xul), which is triggered when the browser queries yahoo.com, bing.com, google.com, aol.com/aol/search or ask.com, and executes JavaScript hosted on searchrequest1 . com / request . php ? aid = blackout, which will silently click all Google or Yahoo ads displayed on the search results page (hey, why not make a few bucks while infecting, eh?).

Google Buzz is new and is garnering quite a bit of interest and adoption among Internet users, including myself. Clearly the malware authors view Google Buzz as the fresh big lucrative social fruit to exploit, much like they have done with Facebook, MySpace, Hi5 and others.

So in the coming weeks and months I predict we will see a host of new malware exploiting or attempting to exploit Google Buzz as the malware authors figure out its internals. This may have only been an exploratory attempt or a quick response to the latest craze – only time will tell. ...


Phony Firefox update comes with Hotbar adware

  • Post author: Omid Farhang
  • Post published: February 7, 2010
  • Reading Time: 2 min
  • Word Count: 231 words

Our good friends at Broomfield, Colo., security firm eSoft have found an interesting scam to trick Internet users into installing the Hotbar adware: a fake Firefox download site. The eSoft researchers are theorizing that an affiliate of Pinball Publisher Network (PPN) is responsible. Pinball bought the Zango assets after that pestilent operation failed last spring. However, Sunbelt Software Spyware Research Manager Eric Howes did some more digging and found that PPN offers the download file on a site they own, so affiliates can send victims there for downloads. ...


Trojan code sneaks into two Mozilla add-ons

  • Post author: Omid Farhang
  • Post published: February 5, 2010
  • Reading Time: 1 min
  • Word Count: 159 words

Mozilla yesterday posted a notice on its AMO blog (that’s an acronym for their add-on site addons.mozilla.org) that two add-ons have been found infected with Trojan code: Sothink Web Video Downloader v. 4.0 and all versions of Master Filer. Version 4.0 of Sothink Web Video Downloader contained Win32.LdPinch.gen and Master Filer contained Win32.Bifrose. According to the blog, Masterfiler was downloaded 600 times before it was removed from the site Jan. 25 and Sothink was downloaded more than 4,000 times before it was removed Feb. 2. ...
