November 19th, 2009

Microsoft finds security hole in Google Chrome Frame

Posted by Ryan Naraine @ 9:49 am

Categories: Anti Virus, Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Exploit code, Google, Google Chrome, Malware, Microsoft, Open source, Patch Watch

Tags: Google Inc., Microsoft Corp., Google Chrome, Web Browsers, Security, Viruses And Worms, Internet, Ryan Naraine

Back in September, when Google launched the Google Chrome Frame plug-in for Internet Explorer users, Microsoft immediately warned that the move would increase the attack surface and make IE users less secure.

Now comes word that a security researcher in the Microsoft Vulnerability Research (MSVR) has discovered a “high risk” security vulnerability that could allow an attacker to bypass cross-origin protections. Read the rest of this entry »

November 6th, 2009

High-risk flaw dings Google Chrome

Posted by Ryan Naraine @ 9:18 am

Categories: Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Google, Google Chrome, Open source, Patch Watch, Responsible disclosure

Tags: Google Inc., Web Browser, Google Chrome, Arbitrary Code Execution, Details, Web Browsers, Security, Internet, Ryan Naraine

Google has pushed out a Chrome browser update to fix a pair of security vulnerabilities that expose uses to malicious hacker attacks.

One of the flaws carry a “high-risk” rating because of the threat of arbitrary code execution.  Read the rest of this entry »

October 20th, 2009

Google Voice mails exposed for all to see and hear

Posted by Ryan Naraine @ 7:52 am

Categories: Browsers, Google, Hackers, Locally Running Web Servers, Passwords, Phishing, Responsible disclosure

Tags: Google Inc., Telecom & Utilities, Ryan Naraine

A simple search query has exposed Google Voice mail messages (audio and transcript) for anyone to see and hear.

As first reported here, a user entering “site:https://www.google.com/voice/fm/*” into the Google search bar discovered random voice mail messages belonging to random Google Voice accounts (see screenshot below). Read the rest of this entry »

October 19th, 2009

Mozilla blocks (then unblocks) dangerous MS .NET Firefox add-on

Posted by Ryan Naraine @ 5:29 am

Categories: Adobe, Anti Virus, Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Exploit code, Firefox, Google, Google Chrome, Malware, Microsoft, Mozilla, Open source, Patch Watch, Pen testing, Uncategorized

Tags: Mozilla Firefox, Microsoft Corp., Mozilla Corp., Add-on, Web Browsers, Spyware, Adware & Malware, Cyberthreats, Security, Viruses And Worms, Internet

FINAL UPDATE: In the Threatpost podcast above, Mozilla’s Mike Shaver explains what happened (.mp3)

[ UPDATE: Mozilla has now removed the extension from the blocklist after Microsoft clarified some information in its bulletin on how Firefox users were affected.  I'll attempt to get to the bottom of what appears to be a case of miscommunication ]

Mozilla has added the Microsoft .NET Framework Assistant add-on to its blacklist, a move that effectively disables the dangerous extension and plug-in for all Firefox users.

The move comes in the wake of an admission from Microsoft that the add-on was exposing users to drive-by malware downloads via a remote code execution vulnerability. Read the rest of this entry »

October 16th, 2009

Microsoft exposes Firefox users to drive-by malware downloads

Posted by Ryan Naraine @ 9:24 am

Categories: Adobe, Anti Virus, Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Firefox, Flash, Google, Google Chrome, Hackers, Malware, Metasploit, Microsoft, Mozilla, Open source, Passwords, Patch Watch, Pen testing

Tags: Google Inc., Mozilla Firefox, Vulnerability, Malware, Microsoft Internet Explorer, Microsoft Corp., Attack Vector, Web Browser, Google Chrome, Plug-in

Remember that Microsoft .NET Framework Assistant add-on that Microsoft sneaked into Firefox without explicit permission from end users?

Well, the code in that add-on has a serious code execution vulnerability that exposes Firefox users to the “browse and you’re owned” attacks that are typically used in drive-by malware downloads. Read the rest of this entry »

October 9th, 2009

Google patches Android DoS vulnerabilities

Posted by Ryan Naraine @ 11:17 am

Categories: Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Google, Mobile (In)Security, Patch Watch, Pen testing, Phishing, Responsible disclosure, Reverse Engineering, Spam and Phishing, iPhone

Tags: Google Inc., Phone, DOS, Vulnerability, Patch Management, Cell Phone, SMS, SMS Message, Text Messaging/SMS/MMS, Telephony

Google has shipped a new version of the Android open-source mobile phone platform to fix a pair of security flaws that could lead to denial-of-service attacks.

According to an advisory from oCERT, a group that handles vulnerability disclosure for open-source projects, the flaws could allow hackers to render Android-powered devices useless. Read the rest of this entry »

October 9th, 2009

Mozilla 'Plugin Check' keeps Firefox add-ons secure

Posted by Ryan Naraine @ 9:06 am

Categories: Adobe, Botnets, Browsers, Data theft, Exploit code, Firefox, Flash, Google Chrome, Mozilla, Open source, Patch Watch

Tags: Mozilla Firefox, Web Browser, Mozilla Corp., Plug-in, Web Browsers, Internet, Ryan Naraine

Mozilla has expanded its Plugin Check service to provide an easy way for Firefox users to pinpoint browser add-ons that might be vulnerable to hacker attacks.

The new service, available here, effectively scans the browser for all installed plug-ins and provides one-click options to apply patches if an outdated plugin is found. Read the rest of this entry »

October 8th, 2009

Click fraud facilitating Bahama botnet steals ad revenue from Google

Posted by Dancho Danchev @ 9:56 am

Categories: Anti Virus, Botnets, Browsers, Complex Attacks, Google, Hackers, Malware, Research, Web 2.0

Tags: Google Inc., Advertisement, Click Fraud, Domain, Computer, Security, Cybercrime, Dancho Danchev

Originally exposed as a botnet redirecting and monetizing hijacked traffic to over 200,000 parked domains primarily located in the Bahamas, researchers from ClickForensics have recently found evidence on active DNS hijacking of Google properties allowing cybercriminals to steal revenue from Google by pulling search results and displaying them on a bogus homepage (Cybercriminals promoting malware-friendly search engines) which serves ads from pay-per-click ad networks (Microsoft’s Bing invaded by pharmaceutical scammers) maintained by similar cybercrime enterprises.

Here’s how Bahama’s click fraud scheme steals ad revenue from Google and its advertisers according to ClickForensics:

Read the rest of this entry »

September 24th, 2009

Microsoft says Google Chrome Frame doubles IE attack surface

Posted by Ryan Naraine @ 7:00 am

Categories: Anti Virus, Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Exploit code, Google, Google Chrome, Malware, Microsoft, Pen testing, Phishing

Tags: Google Inc., Microsoft Internet Explorer, Microsoft Corp., Google Chrome, Attack, Web Browsers, Cyberthreats, Spyware, Adware & Malware, Security, Viruses And Worms

Google’s decision to introduce a plug-in that runs Google Chrome inside Microsoft’s Internet Explorer isn’t sitting well with the folks at Redmond.

The Google Chrome Frame, which is presented as a  seamless way to bring Google Chrome’s open web technologies and speedy JavaScript engine to Internet Explorer, has increased the attack surface for IE users, Microsoft said today. Read the rest of this entry »

September 23rd, 2009

Google exec calls for ISPs to get tough on botnets

Posted by Ryan Naraine @ 8:01 am

Categories: Adobe, Anti Virus, Arbitrary Code Execution, Botnets, Browsers, Data theft, Exploit code, Flash, Google, Malware, Passwords, Patch Watch, Pen testing, Responsible disclosure, Spam and Phishing, Spyware and Adware

Tags: Incentive, Google Inc., Advertisement, Internet Service Provider, Malware, Service Provider, Internet Service, Davis, Ad Network, Internet Service Providers (ISPs)

GENEVA — Head of Google’s Anti-Malvertising team Eric Davis wants Internet Service Providers (ISPs) to look beyond profits and take a more proactive approach to dealing with malware-infested computers on their networks.

During a keynote presentation at the Virus Bulletin conference here, Davis said competitors in the ISP space must look beyond profits and partner on new initiatives to deal with the “parasites” that have taken control of the Internet landscape. Read the rest of this entry »