Firefox 3.5.1 Vulnerability

Oh no, not again..

Various analysts and sites have recently confirmed a vulnerability is present in Firefox 3.5.1 that has had exploit PoC released. When exploited, the vulnerability can lead to system compromise or induce a DoS. No patch is available.

Interestingly, the SecurityFocus BID for this says it’s FF 3.5, but the ISC SANS post above does say 3.5.1 (and they do know what they’re talking about). There is also a CVE number allocated to it, but I’m having problems reaching that at present to check what it says. One possible explanation is that Mozilla pushed out 3.5.1 to fix the 3.5 0day that appeared recently, but this bug was found beforehand and Mozilla weren’t aware of it prior to releasing 3.5.1 (or they thought it was more important to get the other fix out whilst they worked on this).

Firefox 3.5 0day Vulnerability

Oh joy, within 24 hours of the MS IE/ActiveX exploit we have a remote vulnerability against Firefox 3.5.

The vulnerability is caused by an error when processing JavaScript code handling e.g. “font” HTML tags and can be exploited to cause a memory corruption. Successful exploitation allows execution of arbitrary code. The vulnerability is confirmed in version 3.5. Other versions may also be affected.

Currently Mozilla have no “known vulnerability” page for Firefox 3.5 security issues; I presume once it’s created it’ll be here.

There is a sample exploit available already, so it’ll be in the wild soon if not already. 🙁

Yet Another ActiveX/Internet Explorer Exploit Being Exploited

For those people who have to care about Windows systems, SANS ISC has info on a scary new ActiveX remote exploit doing the rounds. It allows an attacker to run code on a Windows box that renders HTML via Internet Exploder or (presumably) Outlook etc., if you have virtually any version of MS Office installed..

This vulnerability exists in the ActiveX control used by IE to display Excel spreadsheets. The CVE entry for the vulnerability is CVE-2009-1136. Microsoft mentions that they are aware of active exploits against this vulnerability.

There is no fix at present, though a workaround is available to disable those ActiveX controls. Attackers are actively targeting people with this too:

A highly targeted attack hit an organization earlier today, which received a Microsoft Office document with embedded HTML. This one was particularly nasty; it was specifically crafted for the target, with the document being tailored with appropriate contact information and subject matter that were specific to the targeted recipient. Analysis of the document and secondary payload found the attacker used a firewall on the malicious server so that all IP traffic outside of the targeted victim’s domain/IP range would not reach the server.

Remember Microsoft isn’t the answer, Microsoft is the question. “No” is the answer.

T-Mobile compromised – data for sale?

Apparently someone claims to have pinched all of T-Mobile’s data..

The U.S. T-Mobile network predominately uses the GSM/GPRS/EDGE 1900 MHz frequency-band, making it the largest 1900 MHz network in the United States. Service is available in 98 of the 100 largest markets and 268 million potential customers. Like Checkpoint, Tmobile has been owned for some time. We have everything, their databases, confidential documents, scripts and programs from their servers, financial documents up to 2009.

They claim to have hawked it around their competitors (who seem to know better than to buy it) and now are offering it on the open market.. 🙁

(Via ISC)

Phishing by Phone

This got caught by the spam filters:

To speed up the process, you are required to call us at our free toll free number (+61) 731-235-996 to verify your Commonwealth Maestro Card.

First time I’ve seen a phishing attack that uses (presumably VoIP) phone numbers (in this case allocated to GoTalk in Brisbane, who own 0731230000 to 0731239999 according to the search you can do here) rather than a web site (though I suspect it’s been around for a while).

Bad Bus Security

Joseph Reeves has an interesting little story about how a badly designed e-commerce system results in both an obvious security flaw and a missed opportunity for better customer relations over in Oxford. This all started when the bus driver refused to accept the email displayed on a phone, but wanted a paper copy, even though he had no way of verifying either as being legit! Quite how the driver thinks that printing out a copy of an email you have makes it more legitimate than the electronic version is left as an exercise for the bemused.

Exploiting the hole in the Oxford Bus Company’s awful system is easy; print a genuine-looking email that contains the details of any bus journey you want to take. The bus driver only wants to see an email and your ID; they have no access to any passenger lists. Should anyone with a passenger list board the bus (some kind of ticket inspector, I guess), you can remind them that the customer is always right; furthermore, act mortified at the fact that they blame a failing of the booking processing system to register your journey as some sort of criminal action on your behalf.

Joseph’s suggestion of how this should work is straightforward:

Fixing this bus ticket problem would be very simple – the Oxford Bus Company just needs to generate a unique ID number that it includes in emails to customers and to provide drivers with access to a passenger database. Buses are already fitted with Internet connections to be used by passengers on the journey, so all that needs to be provided is a very simple device to the driver.

Leading to possible improvements in service, like:

A passenger boards the bus, hands over their ID and says “my number is 546672”, the driver taps this into the machine and replies “ah yes, hello Mr Reeves, I’ll let you know when we’re at Heathrow Central bus terminal”.

It may be that the Oxford Bus Company has done a risk assessment and believes that the loss due to the fraudulent use of the service is lower than the cost in equipment and time taken for the driver to validate a ticket, but I doubt it. In contrast, the Melbourne SkyBus service (from memory) lets you buy online; you then have to print out a ticket with a barcode on it, which the driver scans to validate it. Of course that means that you can’t carry it around electronically (well, not easily on a phone I guess), but it does have the advantage that the barcode scanners are pretty quick, much faster than having to have someone type it in (and maybe get it wrong).
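To make the difference between the two designs concrete, here is an added example (my own sketch, not the Oxford Bus Company’s system and not code from Joseph’s post) of the driver-side lookup his suggestion describes. It assumes the booking system records each sale in a passenger database keyed by a reference it generates, and that the driver’s device can query that database at boarding time; the reference could equally be typed in or read from a barcode, as SkyBus does. The example goes slightly beyond the text in two ways: the reference is random rather than sequential, so a forger can’t just guess the next number, and each reference is marked as used when it boards, so a copied email can’t be used twice on the same journey. The journey label and passenger names are constructed for the demo.

```python
"""Driver-side validation of a bus booking reference.

Added example, not the bus company's or Joseph Reeves's code.
Assumed model: the booking system issues a reference at sale time and stores the
booking in a passenger database; the driver's device looks the reference up,
checks it against the journey being boarded and the name on the passenger's ID,
and marks it used so the same reference cannot board twice.
"""
import secrets
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Booking:
    passenger: str   # name as it will appear on the passenger's ID
    journey: str     # constructed label, e.g. "OXF-LHR 2009-07-15 08:30"
    used: bool = False


class BookingSystem:
    """Toy passenger database shared by the web shop and the drivers' devices."""

    REFERENCE_DIGITS = 8  # 10^8 possible references; random, not sequential

    def __init__(self) -> None:
        self._db: Dict[str, Booking] = {}

    def sell_ticket(self, passenger: str, journey: str) -> str:
        """Record a sale and return the reference that goes into the email."""
        while True:
            # secrets (not random) so references are unpredictable
            reference = f"{secrets.randbelow(10 ** self.REFERENCE_DIGITS):0{self.REFERENCE_DIGITS}d}"
            if reference not in self._db:   # regenerate on the rare collision
                break
        self._db[reference] = Booking(passenger=passenger, journey=journey)
        return reference

    def board(self, reference: str, journey: str, id_name: str) -> Tuple[bool, str]:
        """What the driver's device does when a passenger says 'my number is ...'.

        Returns (accepted, message). Nothing about the email itself is trusted;
        only the database record counts.
        """
        booking = self._db.get(reference.strip())
        if booking is None:
            return False, "unknown reference"
        if booking.journey != journey:
            return False, "reference is for a different journey"
        if booking.passenger.casefold() != id_name.strip().casefold():
            return False, "name on ID does not match booking"
        if booking.used:
            return False, "reference already boarded"
        booking.used = True
        return True, f"hello {booking.passenger}"


if __name__ == "__main__":
    system = BookingSystem()
    journey = "OXF-LHR 2009-07-15 08:30"               # constructed journey label
    ref = system.sell_ticket("Mr Reeves", journey)
    print("email contains reference", ref)
    print(system.board(ref, journey, "Mr Reeves"))      # accepted
    print(system.board(ref, journey, "Mr Reeves"))      # rejected: already boarded
    print(system.board("12345678", journey, "Anyone"))  # rejected: forged email
```

The point the code makes is that a printed email carries no information the driver can check, whereas a reference that has to exist in the company’s own database (and match the journey and the ID handed over) does; the check takes one lookup, which is why the device Joseph asks for can be “very simple”.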