Hello and welcome to the CERTStation Podcast for the 30th week of 2010. I am Jay Johnson and these are the headlines:
Mozilla releases Firefox 3.6.8 to close critical vulnerability (pause)
DEFCON will be featuring a wireless network security weakness demo, while
vBulletin vulnerability gifts admin credentials to anyone (pause)
Zeus bot latches onto Windows shortcut security hole, and finally
A critical vulnerability to be aware of in QuickTime 7.6.6
And now for this week's newswire details.
Just a couple of days after the arrival of Firefox 3.6.7, the Mozilla development team has released version 3.6.8 of its popular open source web browser to close a single, critical-rated vulnerability. According to the developers, a previous fix in 3.6.7, aimed at addressing a plug-in parameter array crash, can itself cause a crash that could lead to memory corruption. The developers say that, in certain circumstances, properties in the plug-in instance's parameter array could be freed prematurely, leaving a dangling pointer that the plug-in could execute, potentially calling into attacker-controlled memory. Further information about the vulnerability has yet to be detailed in the change log, which currently shows "Zarro Boogs found". All users are advised to upgrade as soon as possible. A number of Firefox users are reporting that the built-in update service used by Firefox is still initially being flagged by Symantec's Norton Anti-Virus and Norton Internet Security 2010. The same problem occurred shortly after the release of Firefox 3.6.7 but took care of itself after a sufficient number of Norton users downloaded the browser and marked the file as trustworthy. Following the 3.6.6 update, Norton generated a false positive indicating that some of the application's files were infected with malware, resulting in various files being quarantined after the Firefox update was installed. More details about the release can be found in the release notes. Firefox 3.6.8 is available to download for Windows, Mac OS X and Linux. Alternatively, Firefox 3.6 users can upgrade to the new version, either by waiting for the automated update notification or by manually selecting "Check for updates" from the Help menu.
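The Firefox bug described above is the classic dangling-pointer pattern: a cleanup path frees the entries of a parameter array while the owning object still holds their addresses. The following C program is an added example written for this episode, not Mozilla's code; it models a plug-in instance with a constructed name/value parameter array (the `param_t`, `plugin_instance_t`, `release_params_buggy` and `release_params_safe` names are all assumptions) and shows the buggy release next to the ownership discipline that keeps a later lookup from reading freed memory.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model of a plug-in instance that owns an array of
 * name/value parameters (hypothetical types, not Mozilla's). */
typedef struct {
    char *name;
    char *value;
} param_t;

typedef struct {
    param_t *params;
    size_t count;
} plugin_instance_t;

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

plugin_instance_t *instance_create(const char *const names[],
                                   const char *const values[], size_t n)
{
    plugin_instance_t *inst = calloc(1, sizeof *inst);
    if (!inst) return NULL;
    inst->params = calloc(n, sizeof *inst->params);
    if (!inst->params) { free(inst); return NULL; }
    for (size_t i = 0; i < n; i++) {
        inst->params[i].name  = dup_str(names[i]);
        inst->params[i].value = dup_str(values[i]);
    }
    inst->count = n;
    return inst;
}

/* Look up a parameter by name; NULL when absent or already released. */
const char *param_lookup(const plugin_instance_t *inst, const char *name)
{
    if (!inst) return NULL;
    for (size_t i = 0; i < inst->count; i++) {
        if (inst->params[i].name && strcmp(inst->params[i].name, name) == 0)
            return inst->params[i].value;
    }
    return NULL;
}

/* Vulnerable pattern: the helper frees the strings but leaves the array
 * entries pointing at freed memory.  Any later param_lookup() on this
 * instance reads through a dangling pointer (a use-after-free). */
void release_params_buggy(plugin_instance_t *inst)
{
    for (size_t i = 0; i < inst->count; i++) {
        free(inst->params[i].name);
        free(inst->params[i].value);
        /* BUG: name/value still hold the old addresses; count unchanged. */
    }
}

/* Hardened: clear every pointer after freeing it and reset the count, so
 * a stale reference to the instance sees an empty array, never freed memory. */
void release_params_safe(plugin_instance_t *inst)
{
    for (size_t i = 0; i < inst->count; i++) {
        free(inst->params[i].name);
        free(inst->params[i].value);
        inst->params[i].name  = NULL;
        inst->params[i].value = NULL;
    }
    inst->count = 0;
}

void instance_destroy(plugin_instance_t *inst)
{
    if (!inst) return;
    release_params_safe(inst);
    free(inst->params);
    free(inst);
}

/* Constructed sample: the parameters an embed tag might hand a plug-in. */
plugin_instance_t *sample_instance(void)
{
    static const char *const names[]  = { "src", "autoplay" };
    static const char *const values[] = { "movie.mov", "true" };
    return instance_create(names, values, 2);
}

/* Same sample after the hardened release: lookups now return NULL. */
plugin_instance_t *sample_instance_released(void)
{
    plugin_instance_t *inst = sample_instance();
    release_params_safe(inst);
    return inst;
}
```

The buggy release is never called with a live instance here; under a sanitizer such as AddressSanitizer, a `param_lookup()` after `release_params_buggy()` is reported as a heap-use-after-free, which is the kind of crash the 3.6.7 fix introduced.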
(pause)
Security researchers have discovered security shortcomings in the WPA2 protocol that threaten the security of wireless networks, even if they are running up-to-date security software. The hack involves generating arbitrary broadcast packets from a spoofed node that trick legitimate nodes in a targeted network into responding with queries that give away information about their secret keys. The traffic does not, of course, give away the private key directly, but it does provide enough clues for this information to be extracted by subsequent cryptanalysis and high-end number crunching. The attack was discovered by wireless security experts at AirTight Networks, who found it was possible to spoof the MAC address of a kosher access point by adding just 10 lines of code to the open source Madwifi driver and running this software on a standard PC. The WPA2 (Wi-Fi Protected Access 2) protocol is the strongest security algorithm for wireless networks currently available. It's already widely used in enterprises and increasingly popular in Wi-Fi hotspots. WPA2 is the successor to the earlier WPA standard, which itself followed WEP (Wired Equivalent Privacy), an amateurish first stab at wireless security that was riddled with serious security holes and easy to break right from the start. Sohail Ahmad, senior wireless security researcher for AirTight Networks, is due to demo his findings at the Black Hat and later DEFCON 18 conferences in Las Vegas this week.
(pause)
Websites using software from vBulletin have been stung by a critical vulnerability that makes it trivial to steal credentials needed to administer site panels. The flaw in version 3.8.6 of vBulletin makes it possible for anyone with a web browser to infiltrate a forum's back end, where sensitive data about users is often stored. The forumware giant issued a patch on Wednesday, but a simple Google search on Friday revealed that scores of users have yet to apply it, meaning their administrative user names and passwords are wide open. Exploiting the bug is as easy as entering "database" in the search box of a forum's FAQ page. Vulnerable sites respond by returning everything that's needed to view sensitive user information or make administrative changes. The patch updates users to version 3.8.6 PL1. Users who want to make sure the fix has worked should check for the string "database_info", which is removed once the new version has correctly been installed.
(pause)
Miscreants behind the Zeus cybercrime toolkit and other strains of malware have begun taking advantage of an unpatched shortcut-handling flaw in Windows. The flaw was first used by a sophisticated worm to target SCADA-based industrial control and power plant systems. Isolated strains of mainstream malware that take advantage of the zero-day Windows flaw first exploited by the sophisticated Stuxnet worm began appearing late last week. The same approach has since been applied by the dodgy sorts behind Zeus, a family of sophisticated toolkits frequently used to steal bank login credentials and the like from compromised systems. Security firm F-Secure reports the appearance of strains of Zeus that take advantage of the same security hole exploited by the Stuxnet worm. Zeus-contaminated emails pose as security messages from Microsoft, containing contaminated ZIP file attachments laced with a malicious payload that uses the .LNK flaw to infect targeted systems. Microsoft is advising users to apply temporary workarounds while its security researchers investigate the shortcut flaw, a process likely to eventually result in a patch.
(pause)
According to security services provider Secunia, the latest version of Apple's QuickTime 7 media player for Windows contains a critical vulnerability that could be exploited by an attacker to compromise a user's system. The security specialist says that the issue is caused by a boundary error in the streaming component used by QuickTime and can be used to trigger a stack-based buffer overflow. For an attack to be successful, a victim must first open a specially crafted web page. QuickTime 7.6.6, released at the end of March 2010, is the latest version of the 7.x branch. It was released to close a total of 16 critical vulnerabilities, all of which could be used by an attacker to inject and execute arbitrary code with the user's current privileges. It's currently unclear if previous versions of QuickTime for Windows or Mac OS X are affected. Apple has yet to respond to the advisory.
If you enjoyed this podcast, why not visit CERTStation.com and check out our free Internet Security Dashboard? In the meantime, this is your host Jay Johnson wishing you a safe and secure week.
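A "boundary error in a streaming component" that ends in a stack-based buffer overflow almost always means a length field taken from the stream was trusted when copying into a fixed-size buffer on the stack. The C program below is an added example for this episode, not Apple's code and not the actual QuickTime defect; it models a constructed length-prefixed field (byte 0 declares the length, the rest is data; `FIELD_MAX`, `read_field_unchecked` and `read_field_checked` are assumed names) and places the unchecked copy beside the validated one that rejects both truncated and oversized fields.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed packet layout (assumption, not a real QuickTime format):
 * byte 0 = declared field length, bytes 1.. = field data. */
#define FIELD_MAX 32

/* Vulnerable pattern: the declared length is trusted and copied into a
 * fixed-size stack buffer.  A declared length above FIELD_MAX writes past
 * the buffer into the rest of the stack frame (stack-based overflow). */
size_t read_field_unchecked(const uint8_t *pkt, size_t pkt_len)
{
    char field[FIELD_MAX];
    size_t declared = pkt[0];
    (void)pkt_len;                      /* BUG: packet length never consulted */
    memcpy(field, pkt + 1, declared);   /* BUG: no check against FIELD_MAX */
    return declared;
}

/* Hardened: validate the declared length against both the bytes actually
 * present and the destination size before copying.  Returns the field
 * length, or -1 for a truncated or oversized field. */
int read_field_checked(const uint8_t *pkt, size_t pkt_len,
                       char *out, size_t out_len)
{
    if (pkt == NULL || out == NULL || pkt_len < 1 || out_len == 0)
        return -1;
    size_t declared = pkt[0];
    if (declared > pkt_len - 1)     /* claims more bytes than the packet holds */
        return -1;
    if (declared >= out_len)        /* would not fit together with its terminator */
        return -1;
    memcpy(out, pkt + 1, declared);
    out[declared] = '\0';
    return (int)declared;
}

/* Wrapper using a FIELD_MAX stack buffer, as streaming code typically
 * would; returns the checked length or -1. */
int field_length_of(const uint8_t *pkt, size_t pkt_len)
{
    char field[FIELD_MAX];
    return read_field_checked(pkt, pkt_len, field, sizeof field);
}

/* Constructed sample packets. */
const uint8_t PKT_OK[]        = { 5, 'h', 'e', 'l', 'l', 'o' };
const uint8_t PKT_TRUNCATED[] = { 200, 'a', 'b', 'c' };   /* claims 200, holds 3 */

/* A packet that really carries 40 bytes, more than FIELD_MAX: the
 * unchecked reader would overflow its stack buffer; the checked one
 * refuses the field. */
int oversized_packet_result(void)
{
    uint8_t pkt[1 + 40];
    pkt[0] = 40;
    memset(pkt + 1, 'A', 40);
    return field_length_of(pkt, sizeof pkt);
}
```

The two checks are deliberately separate: the first catches a stream that lies about how much data follows (an over-read), the second catches data that genuinely exists but exceeds the destination (the overflow); a parser needs both, and fuzzing the length byte is the quickest way to confirm a stream reader has them.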