Vulnerability Pits Firefox Against IE
A new zero-day vulnerability exists when both Firefox 2.x and Internet Explorer are installed on the same machine. The exploit is most likely to be available on PCs with Firefox 2.0.0.2 installed due to changes made for Microsoft Vista compatibility.
The general consensus of the comments are that both applications contribute the the exploit. Firefox is the attack vector and fails to validate the malicious code but Microsoft contributes by not properly passing quotes to the command line. You need to visit a malicious website using IE in order to trigger the exploit.
In a response to a user comment Thor Larholm responded:
… Firefox is the current attack vector but Internet Explorer is to blame for not escaping ” (quote) characters when passing on the input to the command line. I agree that Firefox could have registered its URL handler with pure DDE instead and thereby have avoided the possibility of a command line argument injection, but IE should still be able to safely launch external applications safely.
What I find interesting is the complexity of the requirements leading to the exploit. Neither product is vulnerable alone since both must be installed and both products have a flaw that contributes to the vulnerability.
Spam Counts for Week Ending June 24, 2007
My GMail spam count jumped 13% to 343 spam messages in the last 30 days. This was up from 303 last week. My second GMail account hasn’t received any new phishing emails and was spam free.
I continue to get a small number of spam emails to my ISP account. This is one that I’ve never used or given out. Based on other addresses in the email they seem to be spamming a sequential range of addresses.
Comment spam at The OS Quest continued to drop drastically. There were 331 comment spam attempts which is a 51% drop from the previous week and a 87% drop from the 2,458 attempts of two weeks ago. The slide started soon after I switched to the Spam Karma WordPress plugin. Spam Karma put two comments in moderation as possible spam and let two get through. All four of these comments were a format that didn’t include any URL’s in the comment itself, just linked to the name were WordPress allows an optional website address.
There were 10 comment spam attempts at this website which is a 67% increase from last weeks six attempts. The lifetime total for this site sits at 220 comment spam attempts.
Security Update 2007-006 for Apple OS X
Apple has released a security-only update for OS X. It’s the appropriately named Security Update 2007-006 as Apple has released one security update a month so far this year. This update is needed for 10.4.9 along with the just released 10.4.10. It’s also needed for 10.3.9. The security update addresses two vulnerabilities.
One is in Webcore and can allow cross-site scripting attacks.
The second patched vulnerability was in Webkit and could allow remote code execution.
The update is available through Software Update or as a standalone download and requires a reboot.
Apple Releases 10.4.10 for OS X
Apple has released OS X version 10.4.10. While it contains several enhancements and fixes for the operating system it also includes one security related update. This security update keeps Apple in the one-a-month category for security updates to OS X.
This security vulnerability is described by Apple as:
…the reception of specially crafted IPv6 packets may lead to a reduction in network bandwidth.
This is a relatively low risk vulnerability as it doesn’t include a potential loss of data and doesn’t allow the installation of malicious software. The update also includes security patches released since 10.4.9.
The update is available through the Software Update feature of OS X or as a standalone download. The Intel version of the update is a 49MB download when done through Software Update (click the thumbnail to see notification full size). The update is also available as a standalone installer in four forms. There are downloads for the Power PC (PPC) and Intel CPUs. Then each CPU has a “delta” update which requires that 10.4.9 already be applied and a much larger “combo” update which includes all previous updates to OS X 10.4.
I applied the update to two Intel Macs without incident. Like previous updates the first reboot after the patch is significantly longer than usual.
Apple TV Security Update
Apple has released their first security update for Apple TV. According the bulletin a remote attacker can cause a denial of service attack or arbitrary code execution.
This patches the same flaw that was plugged in OS X last month.
At first I thought this was interesting but probably not a problem. Apple TV’s seem limited in what they can do plus they usually reside on a home network behind a NAT router. Apparently this isn’t entirely true and will become even less true as features such as viewing YouTube videos and (maybe) movie rentals are added to Apple TV. Plus the vulnerability exists in UPnP IDG (Universal Plug ‘n Play Internet Device Gateway) which is used by many NAT routers to enable devices like Apple TV to get on the Internet. At least one security researcher was quoted as saying this is a serious flaw.
The update is only available through Apple TV’s self-update feature. Apple TV checks for updates on a weekly schedule so it may be up to a week before it receives the update. You can also manually trigger the update by selecting Settings -> Update Software from the menu.
After applying the update the software version will be 1.1. You can check the version by selecting Settings -> About from the menu.