New exploit published for Mac OS X

A security researcher has posted proof-of-concept code for a 'highly critical' vulnerability in Apple's OS X operating system.

The exploit targets a component used to run Apple's .dmg disk images files. The .dmg format is commonly used to compress programs for download and is similar to the .iso format used in Windows.

A security researcher using the initials 'LMH' posted details about the vulnerability as part of the Month of Kernel Bugs project.

The author claimed that the exploit could easily be executed in Apple's Safari web browser through a specially crafted .dmg file launched when a user visits a web page.

According to LMH, the threat can be mitigated in Safari by disabling a setting in the browser's preference panel that reads 'Open 'safe' files after downloading.'

Disabling the setting will prevent .dmg files, images, movies and PDF files from automatically opening after they have been downloaded.

Security firm Secunia rates the vulnerability as 'highly critical', its second-highest threat level. It is the highest alert level given to a Mac OS X vulnerability since the publication of an official Apple security update in early October.

The Mozilla Foundation is warning of a critical bug in the new Firefox 2.0 browser that could leave passwords vulnerable to hackers.

The new flaw is in the Password Manager feature of the browser, which stores log-in details for websites so that users do not have to input them every time they visit a protected website.

Users are vulnerable because the Password Manager fails to verify that the URL is legitimate.

The flaw was discovered by Robert Chapin of Chapin Information Services and seems to affect all versions of Firefox, and may also affect Microsoft's Internet Explorer.

"Given the new nature of this type of attack, Chaplin has named this a Reverse Cross-Site Request [RCSR] vulnerability," said the company.

"This flaw could affect anyone visiting a blog or forum website that allows user-contributed HTML code to be added."

Chaplin claims that the attack has already been used to steal the log-in details of MySpace users, who were redirected to a false log-in page where their details were harvested.

The bug is as yet unpatched and Mozilla is advising users to turn off the Password Manager feature until a fix is available.

Adobe Flash Player 9.0.28

Platform Windows 98, Windows NT, Windows 2000, Windows XP
Type freeware
Manufacturer Adobe
Size 683Kb
Download here

Flash Player provides a more secure, lightweight, robust runtime environment for rich media and enterprise-ready rich internet applications.

Flash Player 9 achieves up to 10 times faster performance through ActionScript 3.0 and a new ActionScript Virtual Machine, which features a Just In Time compiler that translates ActionScript bytecode to native machine code for maximum execution speed.

Skype 3.0.0.123 beta

Platform Windows 2000, Windows XP
Type freeware
Manufacturer Skype
Size 18.9MB
Download here.

This is the first beta of the forthcoming major Skype v3 and there are some cool new features. If you're an existing Skype user, the first thing you'll notice is that the interface has had a makeover. Another key addition is the use of public chats, so you can now start a conversation between a group of people, whether you know those people or they're random users who happen to join your topic of conversation.

Six Security Bulletins Update Next Week (141106)

Microsoft is planning to release six security bulletins next Tuesday as part of the company's monthly security patch cycle.

Each bulletin covers one or more software vulnerabilities. Five affect the Windows operating system. The maximum severity rating for these bulletins is 'critical'.

The software giant also plans to issue one bulletin covering Microsoft XML Core Service that is rated 'critical'. This is likely to cover a flaw that surfaced earlier this week in the XMLHTTP 4.0 ActiveX Control component of the technology.

Security researchers have detected a limited number of attacks targeting the vulnerability in the wild. The bug could allow an attacker to take control of a system by luring users to a specially crafted website.

Both the XML Core Service and Windows patches require a system restart.

In addition to the security bulletins, Microsoft also is preparing to issue two high-priority non-security updates.

Microsoft issues security updates on a monthly cycle on the second Tuesday of each month. The company provides early notification on the Thursday before the release to allow systems administrators to prepare for the event.

*Windows hit by 'extremely critical' zero-day flaw
* Consumer Vista to launch on 30 January

Mozilla has released updates for its Firefox browser, Thunderbird e-mail application and the SeaMonkey application suite to fix "critical" security vulnerabilities.
The vulnerabilities affect 1.5 versions of Firefox and Thunderbird as well as version 1 of the SeaMonkey suite, Mozilla said in its security advisories. The bugs do not affect Firefox 2.0, the latest version of the browser released late last month.

"The security vulnerabilities could be exploited by malicious people to bypass security restrictions, conduct cross-site scripting attacks and potentially compromise a vulnerable system," Secunia said in its alert.

Mozilla plans to support Firefox 1.5 until April 24, 2007, six months after it shipped Firefox 2. The security flaws are fixed in Firefox 1.5.0.8, Thunderbird 1.5.0.8 and SeaMonkey 1.0.6. The previous Firefox security update was released in September.

Windows hit by 'extremely critical' zero-day flaw

Microsoft has issued a warning about a new exploit in all Windows versions except Windows 2003 that is actively being exploited by attackers.

The flaw affects a part of the Microsoft XML Core Services 4.0, referred to as the XMLHTTP 4.0 ActiveX Control.
Attackers could exploit the flaw to take control of a system by luring victims to a specially crafted website or a page on a social service such as MySpace.

Microsoft is currently investigation the flaw. The company will decide whether a security update is released as part of its patch cycle on the second Tuesday of each month or as an out-of-cycle update.

* Microsoft Security Advisory (927892)

Google accidentally sends out e-mail worm

Google on Tuesday inadvertently sent the Kama Sutra e-mail worm to the 50,000 subscribers of a Google Video e-mail group.

Three messages were posted Tuesday evening to an e-mail list that sends out alerts about additions to the Google Video blog. "Some of these posts may have contained a virus called W32/Kapser.A@mm--a mass-mailing worm," Google said in a note on its Web site

apologizing for the incident.

W32/Kapser.A is better known as the Kama Sutra worm. Some antivirus companies raised an alarm about the threat in February, but it ultimately shriveled. Kama Sutra was designed to overwrite files on infected computers on a specific date. However, the worm, which spread under the guise of pornographic content, caused virtually no damage.

Google advises people who may have received the worm in e-mail or downloaded it from the group's Web site to run an antivirus program to remove it. The company is taking steps to make sure it doesn't make the same mistake again, it said.

The Google Video e-mail group is open to anyone. It had 50,025 subscribers as of Wednesday afternoon. The contents are advertised as interesting and fun videos from Google Video.

Google has had several mishaps lately. Its corporate blog has been hacked and, at one point, the company also accidentally deleted its official blog.

Dref-N email worm promises breaking news

A new email worm is using bogus news headlines to lure users into opening its payload, security firm Sophos has warned.

The emails contain links to headlines such as the 'outbreak of nuclear war' and the 'death' of George W Bush and Vladimir Putin to allow hackers to infect computers and steal information.

The Dref-N worm arrives attached to emails with subject lines such as 'White house news!', 'Incredible news' or 'ATTN TO EVERYBODY!', and tries to dupe recipients by claiming that the attachment contains details of a major global news story.

Opening the attached file disables the Windows firewall and allows hackers to gain access to the PC in order to spy on or steal data.

Sophos said that the text of the email could include any of the following:

'3rd Glogal War Just Started!!! Read more in file!'
'Nuclear War in Russia! Read news in file!'
'President Bush DEAD! Read attached file!'
'Putin and Bush starts NUCLEAR WAR! Check the file!'
'Nuclear WAR in USA! Read attached file!'

'GLOBAL NUCLEAR WAR JUST STARTED! News in file.'
'President Putin dead! Read more in attached file!'

'Macarena' virus hits Apple Mac OS X'

Security experts have detected a virus that targets Apple's Mac OS X systems.

Although largely harmless, researchers are referring to OSX.Macarena as a "wake up call to Mac users".

Symantec has classified the virus as a level-one 'very low' threat, as it lacks a 'payload' or any sort of malicious instructions other than simply to replicate itself.

The security firm said that, once OSX.Macarena is launched, it infects every file located in the same folder. At the time this article was written, Symantec confirmed that there were fewer than 50 confirmed cases of infection..

Maxthon 2 Preview

Platform Windows 2000, Windows XP
Type freeware
Manufacturer Maxthon International Limited
Size 1.6MB
Download here.

Maxthon is one of the more popular Internet Explorer replacement browsers and is constantly updated.

This is the public preview of the forthcoming Maxthon 2. The new version is far from complete, but contains a brand new streamlined interface, which looks a bit like a mix of the Mac OS X Safari web browser and Firefox. Other features include multi-user support from the same web browser, so each user has their own preferences. There are tons of other minor updates, with more information on the Maxthon 2 preview page.

Fasterfox 2.0-Speed up Mozilla Firefox

Platform Windows 2000, Windows XP
Type freeware
Manufacturer Tony Gentilcore
Size 115Kb
Download Here.

Firefox 2.0 is fast, although there’s an option to make it even faster. By using pre-fetching technology, when you load a web page, Fasterfox will quietly go and fetch the content from the links on the web page, assuming that you’re more than likely to visit a link from that page.

For instance, if you saw a news story on the index page of the VNUnet.com website, click on the news story and it will appear instantaneously. This is down to Fasterfox pre-loading the content so that Firefox doesn’t need to wait for the web link to load (and load all the relevant images). It can show the page immediately.

Fasterfox enables you to customise your setup, so that this pre-fetching technique works effectively on your system. You can choose the number of pages you want to keep in memory, the pipeline requests (keep this low to prevent the server from banning your IP address as it may think your attempting to flood their system with IP requests) and the DNS cache expiration settings.

Apple iTunes 7.02

Platform Windows 2000, Windows XP
Type freeware
Manufacturer Apple
Size 35.1MB
Download Here.

Version 7.02 contains a number of improvements in addition to the provision of full movie downloads (currently US only). You can now flip through your cover CD artwork as if you’re skimming through your CD collection. Better still, if you’ve imported your music from your audio CDs, iTunes 7 now enables you to download cover art, free of charge. The interface has had an overhaul, with different categories and the ability to navigate through your media collection. You’ll also find a graphic view of your iPod contents, so you can see how much space is taken up you’re your video, audio and podcasts.

Note that the Mac OS X version is available to download from the Apple iTunes website.