AllAboutShare.com

Technology Share | Knowledge Share | Experience Share
Error puts data on 30 million German phone users on Internet (AFP)

AFP - Confidential data on 30 million German phone users could be consulted on the Internet as a result of an error until the phone company locked access, a spokesman for Deutsche Telekom said Saturday.




02.02.2008

Mozilla Admits Security Breach, Promises Fix by February 5th

It would appear that running any of 600 add-ons in Mozilla Firefox opens up a terrible hole. When exploited, this hole allows a hacker to steal “session information, including session cookies and session history”. Mozilla promises a fix by February 5th, with the release of Firefox version 2.0.0.12. While Mozilla classifies this threat as a “high risk”, there is some controversy in the hacker world as to how bad this threat really is. According to a hacker, via “hiredhacker.com”, this isn’t as big a problem as people have made it out to be. However, it is certainly more serious than “leaking a few variables”, and should definitely be patched as soon as possible.

01.21.2008

Skype Cross-zone Scripting Vulnerability Found

Security researcher Aviv Raff has discovered and demonstrated a flaw within Skype that allows malicious code to execute when the software embeds video into chat. The problem is caused by Skype’s web control. The program uses Internet Explorer to render internal and external HTML, but does so using “Local Zone” security settings. Full information on the “Skype cross-zone scripting vulnerability” is posted here. There, you can also watch proof-of-concept footage of Skype launching Windows’ calculator. The bug currently affects Skype v.3.6.0.244, and may be present in older versions of the client as well. At this point, the solution is to avoid running the “Add Video to Chat” Skype feature. Simply having the program installed or using its various other functions will not expose a system to potential infection.

12.29.2007

Microsoft to Ease XP Activation with SP3

Microsoft Corp. will change how users activate Windows XP when Service Pack 3 launches in the first half of 2008, a company white paper said. New installations of Windows XP SP3 will give users the same 30-day grace period currently offered to Windows Vista customers before they’re required to enter a product activation key, the 25-character code that proves the copy is legitimate. “As in Windows Server 2003 SP2 and Windows Vista, users can now complete operating system installation without providing a product key during a full, integrated installation of Windows XP SP3,” the Microsoft paper stated. “The operating system will prompt the user for a product key later as part of Genuine Advantage.” With earlier editions of Windows XP, users must enter the activation key during the installation process itself; failing to do so, or using an invalid key, would result in the installation being blocked. The white paper, however, noted that the change does not apply to existing Windows XP installations upgraded to SP3. Those copies, which have presumably passed the activation stage previously, will not request the key again, Microsoft said.

Source: Computerworld

12.28.2007

HP Fixes Flaws in Software Update

HP has fixed flaws in a patch-management program bundled with its computers, printers and other hardware that could be used by hackers to ‘brick’ HP or Compaq PCs. In an alert sent to customers who subscribe to its security warning service, HP said users should run Software Update to patch the flaws disclosed last week by a Polish researcher known only by his alias, ‘porkythepig’. A pair of bugs in the update service’s ActiveX control can be used to execute remote code or gain additional access rights, porkythepig said then. He also posted proof-of-concept exploit code that showed how to use one of the vulnerabilities to overwrite and corrupt crucial Windows system files, an attack that would leave any affected PC unbootable. That would essentially ‘brick’ the system, since many HP and Compaq PCs do not include a restore CD or DVD, but instead place operating system and application restore files on the hard drive. HP’s advisory on Friday instructed users to run Software Update on any machine that has the application, even if the update service is never used. Running Update presumably disables the flawed ActiveX control by fixing the Windows registry.

Source: PC Advisor

12.24.2007

Flash Vulnerabilities

Researchers from Google have documented serious vulnerabilities in Adobe Flash content which leave tens of thousands of websites susceptible to attacks that steal the personal details of visitors. The security bugs reside in Flash applets, the ubiquitous building blocks for movies and graphics that animate sites across the web. Also known as SWF files, they are vulnerable to attacks in which malicious strings are injected into the legitimate code through a technique known as cross-site scripting, or XSS. Currently there are no patches for the vulnerabilities, which are found in sites operated by financial institutions, government agencies and other organizations. “Lots of people are vulnerable, and right now there are no protections available other than to remove those SWFs and wait for the authoring tools and/or Flash player to be updated,” says Alex Stamos, an author of the Hacking Exposed Web 2.0 book. “In the meantime, people will have to think: ‘What kind of flash am I using on my site,’ and manually test for vulnerabilities.”

Source: The Register

12.19.2007

Apple Issues New Security Update

Apple has shipped a major Security Update 2007-009 (10.4.11 Universal), recommended for all Mac OS X v10.4.11 and Mac OS X v10.5.1 users. This update corrects multiple critical flaws and improves the security of many Mac OS apps. Those wanting to know more about the updates may click here.