Microsoft investigates public IE CSS XSS flaw; Twitter, Hotmail vulnerable

September 8, 2010 by admin  
Filed under Microsoft, Wordpress News

Late last week, a security flaw in Internet Explorer 8 was publicly disclosed on the Full Disclosure mailing list. The flaw lets attackers steal private information from online services such as web mail and Twitter and then, for example, delete e-mails or send tweets from their victims' accounts.

The post was made by Google employee Chris Evans. He stated that the reason for going public was to try to persuade Microsoft to fix the problem—the new flaw is a variant on an older attack, and the details of the flaw were made public in a paper authored by Carnegie Mellon students that Evans reviewed. While the other major browser vendors have made fixes to their browsers to prevent attack—Chrome 4.0.249.78, Safari 4.0.5, and most recently Firefox 3.6.7 and 3.5.11 all include protection against the flaw—Microsoft has thus far failed to update Internet Explorer to provide protection.



Week in Microsoft: here mousey mousey, best fake malware ever

September 4, 2010 by admin  
Filed under Microsoft, Wordpress News



Microsoft unveils shape-shifting Arc Touch Mouse: Microsoft has officially announced the $70 Arc Touch Mouse. The device is available for presale now, starts shipping in December, and officially goes on sale in January.

New malware detects browser, shows fake malware warning page: There’s a clever new piece of malware that goes to extreme lengths to pass itself off as genuine software.




New malware detects browser, shows fake malware warning page

September 3, 2010 by admin  
Filed under Microsoft, Wordpress News

Microsoft is warning about a new piece of malware, Rogue:MSIL/Zeven, that auto-detects a user's browser and then imitates the relevant malware warning pages from Internet Explorer, Firefox, or Chrome. The fake warning pages are very similar to the real thing; you have to look closely to tell them apart. The ploy is a basic social engineering scheme, but in this case the malware authors are relying on the user's trust in their browser, a tactic that hasn't been seen before.

Beyond the warning pages, the actual malware looks like the real deal: it allows you to scan files, tells you when you're behind on your updates, and enables you to change your security and privacy settings. Performing a scan results in the product finding malicious files, but of course it cannot delete them unless you update, which requires paying for the full version. Attempting to buy the product will open an HTML window that provides a useless "Safe Browsing Mode" with high-strength encryption. To top it all off, the rogue antivirus webpage looks awfully similar to the Microsoft Security Essentials webpage; even the awards received by MSE and a link to the Microsoft Malware Protection Center have been copied.



Windows DLL-loading security flaw puts Microsoft in a bind

August 24, 2010 by admin  
Filed under Microsoft, Wordpress News

Last week, HD Moore, creator of the Metasploit penetration testing suite, tweeted about a newly patched iTunes flaw. The tweet said that many other (unspecified) Windows applications were susceptible to the same issue—40 at the time, but probably hundreds.

The problem has been named, or rather, renamed, "Binary Planting," and it stems from an interaction between the way Windows loads DLLs and the way it handles the "current directory." Every program on Windows has a notion of a "current directory"; any attempt to load a file using a relative path (that is, a path that does not start with a drive letter or a UNC-style "\\server" name) looks in the current directory for the named file. This concept is pretty universal—Unix-like systems have the same, called a "working directory"—and it's a decades-old feature of operating systems.


