Hello and welcome to the CERTStation Podcast for the 29th week of 2010. I am Jay Johnson and these are the headlines:

Adobe plans to use sandbox to protect Acrobat Reader users from hackers (pause)
Toy Story 3 gets enough popularity for scammers to fake websites and software while
Security Researcher found a flaw which could expose millions of home routers (pause)
Microsoft confirms Windows shortcut zero-day flaw and finally
Mozilla offers $3,000 for bug reports

And now for this week's newswire details
Under criticism for being the world's most exploited application, Adobe Systems' Reader program will soon include a security design that's intended to thwart malicious attacks against end users. Borrowing a page from engineers at Microsoft and Google, Adobe is adding the so-called sandbox feature to Adobe Reader for Windows operating systems. The protected mode will run by default, forcing the document reader to run in a highly restricted environment that prevents it from carrying out sensitive functions on the underlying PC. Installing and deleting files, modifying the system registry and launching other programs will no longer be possible under most circumstances. Over the past 18 months, Reader users have been repeatedly hammered by hackers pushing attack code that targets unpatched security bugs in the application. In March, Reader edged out Microsoft Word as the most exploited application, according to anti-virus provider F-Secure. Three weeks ago, Adobe pushed out an emergency update to patch at least two vulnerabilities that were being actively attacked in the wild to install malware on end user machines. Adobe has been working on the new design in earnest for almost a year. In addition to Microsoft and Google, it has also sought help from third-party security consultancies and customers. Adobe has no plans at the moment to deploy a sandbox feature for Reader versions running on Mac OS X or Unix. There are no plans to add a similar feature to Flash Player, the other Adobe application that has come under repeated attack, although users of Windows Vista and Windows 7 have a protected mode for Internet Explorer plug-ins that includes Flash.

(pause)
Scammers have taken advantage of the buzz around the recent release of Toy Story 3 to bait bogus survey sites and pop-up software scams. The bogus sites, ostensibly punting complete streaming media downloads of the latest adventures of Buzz and Woody, actually redirect the credulous through a thicket of potentially harmful and time-wasting material. Variants of the scam offer Toy Story 3 games. Some of the sites even invite users to download executables of dodgy provenance, while others redirect surfers to smut movie sites, an especially malicious touch given that so many kids will be attracted to the initial false offer. In some cases, marks are invited to sign up for subscription-based SMS services of dubious utility.

(pause)
Millions of household routers are susceptible to a flaw that creates a handy means for hackers to hijack surfing sessions or hack into home networks. Craig Heffner, a researcher at security consultancy Seismic, is due to detail the flaw and release a proof-of-concept tool at the Black Hat conference in Vegas later this month. The DNS rebinding-related security flaw affects kit from Linksys, Belkin and Dell, among others. DNS rebinding attacks have been around for years. Heffner claims he has discovered a new variant on the theme, which initially involves luring a surfer into visiting a website containing malicious code. This code uses what he calls a Jedi mind trick, which circumvents the same-origin policy, thereby allowing JavaScript-based malware to penetrate private home networks supported by vulnerable hardware.
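The segment above describes the attack only in outline: the victim's browser resolves the attacker's hostname, and the attacker's DNS server later points that same hostname at the router's private address, so script from the attacker's origin is now talking to the router while the same-origin policy still thinks it is talking to the attacker. The following is an added example, not code from the podcast or from Heffner's tool, showing the two checks that break that sequence: a resolver-side filter that refuses answers where a non-local name resolves to a LAN, loopback or link-local address (the behaviour dnsmasq exposes as `--stop-dns-rebind`), and a device-side Host header check a router's web interface can apply. The DNS answers, the hostname `videos.example.net`, the public address `93.184.216.34` and the internal-suffix list are all constructed for the illustration.

```python
"""DNS-rebinding defences, resolver side and device side (illustration only)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class Answer:
    """One A/AAAA record as an upstream resolver would return it."""
    name: str      # hostname that was queried
    address: str   # IPv4 or IPv6 literal
    ttl: int       # seconds; rebinding servers use very short TTLs


# Suffixes that legitimately resolve to private space on a home or office
# network. Assumption: a real deployment would tune this list.
INTERNAL_SUFFIXES = (".lan", ".local", ".home", ".internal")


def is_internal_name(name: str) -> bool:
    """Single-label names and names under an internal suffix may be private."""
    name = name.rstrip(".").lower()
    return "." not in name or name.endswith(INTERNAL_SUFFIXES)


def is_rebinding_answer(answer: Answer, allowlist: Iterable[str] = ()) -> bool:
    """True when a public (external) name has been pointed inside the LAN."""
    name = answer.name.rstrip(".").lower()
    if is_internal_name(name) or name in {a.rstrip(".").lower() for a in allowlist}:
        return False
    ip = ipaddress.ip_address(answer.address)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:192.168.1.1 still lands on the LAN
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def filter_answers(answers: Iterable[Answer],
                   allowlist: Iterable[str] = ()) -> Tuple[List[Answer], List[Answer]]:
    """Split answers into those to hand to the client and those to drop."""
    accepted, rejected = [], []
    for ans in answers:
        (rejected if is_rebinding_answer(ans, allowlist) else accepted).append(ans)
    return accepted, rejected


def rebinding_sequence() -> List[Answer]:
    """Constructed sample of what a rebinding DNS server returns: first the
    attacker's own web server, then (after the 1-second TTL expires) the
    victim's router. Same name, two addresses, one browser origin."""
    return [
        Answer("videos.example.net", "93.184.216.34", ttl=1),
        Answer("videos.example.net", "192.168.1.1", ttl=1),
    ]


def host_header_ok(host_header: str, own_addresses: Sequence[str]) -> bool:
    """Device-side defence: a router's HTTP interface should only answer
    requests whose Host header names the router itself. A rebound request
    from the browser still carries Host: videos.example.net, so it is refused."""
    host = host_header.strip().lower()
    if host.startswith("["):                 # [v6-literal]:port
        end = host.find("]")
        if end == -1:
            return False                      # malformed, refuse
        host = host[1:end]
    elif host.count(":") == 1:               # name:port or v4:port
        host = host.split(":", 1)[0]
    return host in {a.lower() for a in own_addresses}


if __name__ == "__main__":
    ok, dropped = filter_answers(rebinding_sequence())
    print("accepted:", [a.address for a in ok])
    print("rejected:", [a.address for a in dropped])
    print("host check:", host_header_ok("videos.example.net", ["192.168.1.1"]))
```

The resolver filter is the broader defence, since it protects every device behind it, but it has to be applied where the home network's queries actually pass (the router's own forwarder, or a local resolver), and it needs an allowlist for the handful of external names that are deliberately pointed at private addresses. The Host header check is what a router vendor can ship in firmware; it is cheap, needs no DNS cooperation, and defeats the rebound request regardless of how the name was resolved.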

(pause)
Microsoft has confirmed the presence of a zero-day vulnerability in Windows, following reports of sophisticated malware-based hacking attacks on industrial control systems that take advantage of the security flaw. Security shortcomings in Windows shortcut .lnk files are being exploited by the Stuxnet rootkit, an information-stealing threat that targets industrial and power plant control systems. The malware, which has been detected in the wild, executes automatically if an infected USB stick is accessed in Windows Explorer. The same vulnerability might also lend itself to exploitation via Windows file shares and WebDAV as well as infected USB sticks, net security firm F-Secure says. "Disabling the displaying of icons for shortcuts and turning off the WebClient service are offered by Microsoft as workarounds against possible attacks, ahead of the completion of Microsoft's investigation and the possible publication of a more comprehensive security fix." These workarounds would also work on end-of-life Windows XP SP2 systems.

(pause)
Starting the 1st of this month, the Mozilla Foundation will reward users who discover and report security vulnerabilities in its software with $3,000 for each vulnerability. Until now the reward, distributed under the Mozilla Security Bug Bounty Program which launched in 2004, has been limited to just $500. Bug finders can now also look forward to receiving a free T-shirt as part of the scheme. Eligible security vulnerabilities must be remotely exploitable over the web or a local network and must not previously have been publicly documented. The campaign is limited to the latest versions of Firefox, Thunderbird, Firefox Mobile and any other Mozilla service which could allow a hostile takeover of any of these applications. Bugs in third-party software such as browser add-ons, also known as extensions, and plug-ins are not eligible. Google has been following the example set by Mozilla since the start of this year, rewarding users who discover previously unknown security vulnerabilities with $500. In particularly serious cases, Google bumps the reward up to $1,337. However, Google is not yet offering T-shirts.

If you enjoyed this podcast, why not visit CERTStation.com and check out our free Internet Security Dashboard. In the meantime, this is your host Jay Johnson wishing you a safe and secure week.