5 Vulnerabilities and a Scam
There are several* vulnerabilities to be aware of that have cropped up over the past couple of weeks involving Internet Explorer, iTunes Store account holders, Foxit Reader, Wordpress Blogs, Trillian, and older versions of Firefox.
- Microsoft's Internet Explorer (multiple versions) has a cross-zone scripting vulnerability that is triggered when you print a web page using the “Print Table of Links” option.
Bottom line: when printing a web page in Internet Explorer, don't use the “Print Table of Links” option until it's fixed.
From the article "Internet Explorer "Print Table of Links" Cross-Zone Scripting Vulnerability" on Aviv Raff's blog.
- People with iTunes accounts need to be aware of an email scam. According to an article by Gregg Keizer in Network World:
"People began receiving spammed messages [Link removed] Monday telling them that they must correct a problem with their iTunes account, said Andrew Lochart, an executive with e-mail security vendor Proofpoint."
"A link in the spam leads to a site posing as an iTunes billing update page; that phony page asks for information including credit card number and security code, Social Security number and mother's maiden name."
Note: One site I always recommend for good guidelines, tips, and news about various Internet hoaxes and email scams is Hoax-Slayer.
- Foxit Reader (one of the free, faster-loading and less bloated alternatives to Adobe's PDF Reader) has a vulnerability in its current version (2.3 build 2825; other versions may be affected too) that will be fixed in its next version. The vulnerability was discovered by Dyon Balding at Secunia Research. The key parts of the report follow, and the rest can be read at this page on the Secunia site:
===================================================================
1) Affected Software
* Foxit Reader 2.3 build 2825
NOTE: Other versions may also be affected.
===================================================================
2) Severity
Rating: Highly critical
Impact: From remote
Where: System access
===================================================================
3) Vendor's Description of Software
"Foxit Reader is a free PDF document viewer and printer, with
incredible small size (only 2.55 M download size), breezing-fast
launch speed and rich feature set. Foxit Reader supports Windows Me/
2000/XP/2003/Vista. Its core function is compatible with PDF Standard
1.7.".
Product Link:
http://www.foxitsoftware.com/pdf/rd_intro.php
===================================================================
4) Description of Vulnerability
Secunia Research has discovered a vulnerability in Foxit Reader, which
can be exploited by malicious people to compromise a user's system.
The vulnerability is caused due to a boundary error when parsing
format strings containing a floating point specifier in the
"util.printf()" JavaScript function. This can be exploited to cause a
stack-based buffer overflow via a specially crafted PDF file.
Successful exploitation allows execution of arbitrary code.
===================================================================
5) Solution
The vulnerability is fixed in upcoming version 2.3 build 2912.
===================================================================
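The advisory names the bug class (a stack buffer overflow from a trusted width/precision in a float format specifier) but shows no code, so here is an added illustration for this post, written in C. It is my own model of the pattern, not Foxit's code and not Secunia's proof of concept; the function names, the `MAX_WIDTH` bound and the sample specifiers are assumptions of the example. It puts the vulnerable shape (a fixed stack buffer filled by `sprintf` with an attacker-supplied format) next to a hardened version that parses the specifier, caps width and precision, and checks the `snprintf` return value.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical upper bound on field width and precision (an assumption of
   this example, not a Foxit or Secunia value). */
#define MAX_WIDTH 64

/* Parse a "%[flags][width][.precision]f" specifier.  Returns 1 when spec is
   exactly one well-formed float specifier, 0 otherwise.  width and prec are
   set to -1 when that part is absent. */
static int parse_float_spec(const char *spec, long *width, long *prec)
{
    const char *p = spec;
    char *end;

    *width = -1;
    *prec = -1;
    if (*p++ != '%')
        return 0;
    while (*p == '-' || *p == '+' || *p == ' ' || *p == '0' || *p == '#')
        p++;
    if (isdigit((unsigned char)*p)) {
        errno = 0;
        *width = strtol(p, &end, 10);
        if (errno == ERANGE)            /* absurdly long digit run */
            return 0;
        p = end;
    }
    if (*p == '.') {
        p++;
        *prec = 0;                      /* "%.f" means precision 0 */
        if (isdigit((unsigned char)*p)) {
            errno = 0;
            *prec = strtol(p, &end, 10);
            if (errno == ERANGE)
                return 0;
            p = end;
        }
    }
    return *p == 'f' && p[1] == '\0';
}

/* BEFORE: the shape of the bug.  The width in the attacker-controlled format
   string is trusted, so a specifier such as "%50000f" writes tens of
   thousands of bytes past buf and smashes the stack.  Shown for contrast
   only; nothing in this file calls it. */
void format_float_unchecked(const char *spec, double value, char *out)
{
    char buf[MAX_WIDTH];
    sprintf(buf, spec, value);          /* no bound on the output length */
    strcpy(out, buf);
}

/* AFTER: validate the specifier, cap width and precision, format with
   snprintf and check its return value.  Returns 0 on success and -1 when the
   specifier is rejected or the result would not fit in out. */
static int format_float_checked(const char *spec, double value,
                                char *out, size_t outlen)
{
    long width, prec;
    int n;

    if (!parse_float_spec(spec, &width, &prec))
        return -1;
    if (width > MAX_WIDTH || prec > MAX_WIDTH)
        return -1;
    n = snprintf(out, outlen, spec, value);
    if (n < 0 || (size_t)n >= outlen) { /* would have been truncated */
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: two benign specifiers, the oversized width that
       would overflow the unchecked version, and a non-float specifier. */
    const char *specs[] = { "%8.3f", "%-12.4f", "%50000f", "%s" };
    char out[32];
    size_t i;

    for (i = 0; i < sizeof specs / sizeof specs[0]; i++) {
        int rc = format_float_checked(specs[i], 3.14159, out, sizeof out);
        printf("%-10s -> %s\n", specs[i], rc == 0 ? out : "rejected");
    }
    return 0;
}
```

The cap on width and precision is the real fix; the `snprintf` return-value check is defence in depth, because a width under the cap can still exceed a small caller buffer and must be reported rather than silently truncated.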
- If any of you have a Wordpress blog here's a new vulnerability I read about at SecurityFocus.
- Three vulnerabilities have been discovered in Trillian, the client that lets you chat with users of AOL Instant Messenger (AIM), ICQ, Yahoo Messenger, and IRC.
Users should upgrade to version 3.1.10.0 immediately.
- The Firefox vulnerability affects only version 2.0.0.12 and earlier. I would hope that no one is still using version 2.0.0.12 (the current version is 2.0.0.14) or older, but just in case someone is, here's a good reason to update.
BTW, the next version of Firefox (3.0) is slated to come out sometime towards the end of June. I've been testing various 'beta' versions of it and found it to be much faster and to use a lot less memory than the previous 2.0 versions did. It also has some new and improved features.
In my next blog post I plan to bring you some of my favorite Firefox add-ons/extensions that I've found incredibly useful and fun. As time goes on, more and more of my favorites are being updated to work with the latest version, 3.0.
- So I'm going to submit this post, get some more coffee, and put together another post for you straight away. Stay tuned..
While I'm gone don't fall for any scams, OK? Of course I have faith that anyone who reads this blog regularly is too smart for that, and always THINKS before they click on a link, RIGHT?
*There are over ten times this many that are found and listed (in various places) each month, but most involve 'non-mainstream' software.


