IE 7 exposed to phishing attacks
Attackers could exploit a new
flaw in Internet Explorer 7 (IE 7) to launch
phishing expeditions, Israeli vulnerability researcher Aviv Raff
warned in a posting on his blog Wednesday. Microsoft said it is
investigating his findings.
Raff said IE 7 running on Windows XP and Vista is susceptible to
cross-site scripting attacks. That, combined with a design flaw in
the browser, could allow digital miscreants to launch phishing
schemes against users, he added.
"I think it is a serious vulnerability, because it allows a
phisher to take advantage of the user without the need to create a
look-alike URL," Raff said in an instant message exchange. "The
user will see the trusted URL in the address bar and the fake
content provided by the phisher."
Raff said he is unaware of any exploits in the wild. Microsoft
issued a statement saying that it's investigating the flaw but has
seen no evidence of active exploits to date.
BlackBerry flaw repaired
IT administrators are being advised to
upgrade to BlackBerry Device Software 4.2
Service Pack 1 to fix a flaw in earlier versions attackers
could exploit to cause a denial of service. According to the
French Security Incident Response Team (FrSIRT), the problem is
an error in the BlackBerry browser that fails to properly handle
overly long URLs.
Attackers could exploit this to cause a vulnerable device to
become slow or to stop responding by tricking a user into following
a specially crafted link. The problem affects BlackBerry Device
Software version 4.2 and prior. The solution is to upgrade to
BlackBerry Device Software 4.2 Service Pack 1.
OpenBSD flaw patched
Several recent versions of the popular
OpenBSD operating system contain a remotely
exploitable buffer overrun vulnerability that security
experts say could give attackers complete control over
vulnerable machines.
The flaw was found in OpenBSD's kernel and involves the way the
OS handles certain kinds of IPv6 packets, according to the
researchers at Core Security Technologies Inc. who discovered the
problem. The vulnerability affects versions 3.1, 3.6, 3.8, 3.9, 4.0
and 4.1 of OpenBSD. Also, all other versions that support the IPv6
stack are thought to be vulnerable.
The OpenBSD team has released a patch and a workaround for the
flaw. Because this is a kernel-level vulnerability, administrators
will need to rebuild their kernels after installing the patch.
In order to exploit the flaw, an attacker need only be able to
send fragmented IPv6 packets to a target system. This requires
direct access to the target network; however, the attacker's machine
does not need to have its own IPv6 stack in order to make the
exploit work, Core said. Users who don't need to route IPv6 traffic
can block those packets using OpenBSD's native firewall, pf.
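As an added illustration of that workaround (this fragment is written for this page and is not text from the article or from OpenBSD's advisory), here is what the firewall side looks like in /etc/pf.conf. The interface name em0 is a placeholder, and the exact rule wording is my own, not a quotation of the project's errata.

```pf
# /etc/pf.conf fragment (added example, not from the article or the OpenBSD advisory)
# Interface name "em0" is a placeholder; substitute the host's own interface.

# Risky on an unpatched host that does not need IPv6: a blanket pass rule
# lets every inbound IPv6 packet, fragments included, reach the kernel's
# IPv6 input path and therefore the vulnerable fragment-handling code.
#
#   pass in on em0 inet6

# Workaround for hosts that do not route or serve IPv6: drop all inbound
# IPv6 traffic. "quick" stops rule evaluation at this rule, so a later,
# more permissive pass rule cannot override it (pf otherwise lets the last
# matching rule win). "log" sends the dropped packets to pflog0, which
# makes any attempt to send such fragments visible to the administrator.
block in log quick on em0 inet6
```

Load the rules with `pfctl -f /etc/pf.conf` and confirm they are active with `pfctl -sr`; dropped IPv6 packets can be watched with `tcpdump -n -e -ttt -i pflog0 ip6`. Because pf inspects an inbound packet before the kernel processes its IPv6 extension headers, the fragments never reach the reassembly code the article describes. The rule is deliberately broad: it blocks all inbound IPv6 on that interface, which matches the article's advice for hosts that do not need IPv6 and is simpler to verify than a rule that tries to single out fragments. Hosts that do need IPv6 must apply the kernel patch instead.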
Apple makes massive Mac fix
Apple Computer Inc. issued a security update
Tuesday addressing 45 flaws found within the operating system
and some third-party applications.
The Cupertino, Calif.-based company addressed some critical
issues in its own software, which were discovered as part of the
Month of Apple Bugs and the Month of Kernel Bugs. The update
also fixes some third-party applications, such as Adobe Systems'
Flash Player and the MySQL database.
Several flaws could be exploited by an attacker to conduct a
denial-of-service attack or to elevate privileges and access data,
according to a security alert issued Tuesday by Apple. Other flaws
could allow an attacker to gain full control over a victim's
computer.
Apple Mac OS X and Mac OS X Server versions 10.4.8 and earlier
are affected. The software vendor said its automatic update would
fix the issues.