CERTStation Week In Review Transcript: week 33, 2008
A pair of critical vulnerabilities in Sun Microsystems' Java technology for mobile devices has been identified. According to a Polish researcher, attackers could use the vulnerabilities to secretly make calls, record conversations and access information on Nokia Series 40 cell phones. Adam Gowdiak, a researcher who has found numerous bugs in Java 2 Micro Edition in the past, reported the two vulnerabilities to Sun and Nokia last week. Nokia did not respond to a request for comment, while a Sun spokesman said the company did not have any immediate information about the vulnerabilities.
A tool that automatically steals the IDs of non-encrypted sessions and breaks into Google Mail accounts has been presented at the Defcon hackers' conference in Las Vegas. Last week Google introduced a new feature in Gmail that allows users to permanently switch on SSL and use it for every action. Users who have not yet turned it on now have a serious reason to do so. Mike Perry, the reverse engineer from San Francisco who developed the tool, is planning to release it in two weeks. If you log in to your Gmail account from different locations and would like to benefit from this option only when you are using unsecured networks, you can force it by manually typing https before you log in. This will access the SSL version of Gmail, and it will be persistent over your entire session and not only during authentication.
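The condition the Defcon tool relies on is a session cookie that the browser will send over plain HTTP. The following is an added example, not code from CERTStation or Google: it parses Set-Cookie headers, flags session-like cookies that lack the Secure (and HttpOnly) attribute, and rewrites a login URL to https as the text advises. The cookie names, header values and the name fragments used to recognise a session cookie are constructed assumptions for the example.

```python
# Added example (not CERTStation's or Google's code): audit Set-Cookie headers
# for session cookies that would be sent in the clear on an unencrypted network.
# Cookie names and headers below are constructed for the example.
from urllib.parse import urlsplit, urlunsplit

# Name fragments assumed (hypothetically) to mark a session/auth cookie.
SESSION_HINTS = ("sid", "session", "auth", "token")

# Constructed sample Set-Cookie headers, as a webmail login might return them.
SAMPLE_HEADERS = [
    "SID=abc123; Domain=.example.com; Path=/; HttpOnly",               # no Secure
    "AUTH=def456; Domain=mail.example.com; Path=/; Secure; HttpOnly",  # hardened
    "PREF=lang=en; Domain=.example.com; Path=/",                       # not a session cookie
]


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attr: value or True})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_session_cookies(headers, hints=SESSION_HINTS):
    """Return {cookie_name: [problems]} for session-like cookies with weak flags."""
    report = {}
    for header in headers:
        name, _value, attrs = parse_set_cookie(header)
        if not any(h in name.lower() for h in hints):
            continue
        problems = []
        if "secure" not in attrs:
            problems.append("no Secure flag: sent over plain HTTP, sniffable")
        if "httponly" not in attrs:
            problems.append("no HttpOnly flag: readable by page scripts")
        if problems:
            report[name] = problems
    return report


def weak_session_cookies(headers):
    """Names of session cookies that would leak on an unencrypted network."""
    return sorted(audit_session_cookies(headers))


def force_https(url):
    """Rewrite an http:// login URL to https://, the manual step the text describes."""
    parts = urlsplit(url)
    if parts.scheme == "https":
        return url
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    for name, problems in audit_session_cookies(SAMPLE_HEADERS).items():
        print(name, "->", "; ".join(problems))
    print(force_https("http://mail.google.com/mail/"))
```

Running the block reports `SID` as weak (it is HttpOnly but not Secure, so it still travels in the clear), leaves `AUTH` alone, and ignores the preference cookie. The same audit can be run against headers captured from any web application a team is responsible for.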
VeriSign has adapted its fraud protection service to help safeguard against a common form of stock trading fraud. The new module for the VeriSign Identity Protection Fraud Detection Service, the Stock Trading Module, uses a self-learning behavioral engine to spot a form of trading fraud known as 'pump-and-dump' fraud. Pump-and-dump fraud is a process whereby criminals buy large amounts of shares in a company with a low stock price, then use various techniques to 'pump up' the share price. The VeriSign suite has been designed to help prevent accounts from being breached and to reduce traders' losses from pump-and-dump scams.
Microsoft Corp. this week released its largest security update in 18 months to patch 26 vulnerabilities in Windows, Office, Internet Explorer, Windows Messenger and other software. At least two of the vulnerabilities have already been exploited in the wild according to Microsoft. Microsoft also issued a separate security advisory that announced it had set the "kill bits" for a pair of third-party ActiveX controls from Hewlett-Packard and Aurigma Inc. The practice, which started in April, lets Microsoft disable vulnerable ActiveX controls remotely through its Windows Update service.
Version 1.9 of the highly popular Flashget download manager for Windows apparently contains a buffer overflow that could be exploited to download code and execute it. The error occurs when Flashget contacts an FTP server and the server responds to the PWD command with an overlong string. An exploit that has already been published contains no shellcode, but tests show that it crashes the current Flashget, version 1.9, as claimed. No patch or corrected version is available to date.
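The defensive counterpart to the Flashget flaw is a client that bounds the server's PWD reply before the path ever reaches a fixed-size buffer. The following is an added example, not Flashget's code or the published exploit: it parses the RFC 959 `257 "<path>" ...` reply (quotes inside the path are doubled on the wire), enforces a cap on the raw reply line and on the unescaped path, and refuses anything malformed or oversized. The two size limits and the sample replies are constructed assumptions for the example.

```python
# Added example (not Flashget's code): a bounded parser for the FTP 257 reply
# that PWD returns, rejecting an overlong path before it is copied anywhere.
# Limits and sample replies are constructed for this example.

MAX_REPLY_LINE = 1024   # assumed cap on one raw reply line from the server
MAX_PATH_LEN = 260      # assumed size of the client's path buffer (MAX_PATH-like)


class BadPwdReply(ValueError):
    """Raised for malformed, unexpected or oversized PWD replies."""


def parse_pwd_reply(line, max_path=MAX_PATH_LEN):
    """Extract the path from an RFC 959 '257 "<path>" ...' reply.

    Quotes inside the path are doubled ("") on the wire and are unescaped here.
    Size limits are enforced both before and after unescaping.
    """
    if len(line) > MAX_REPLY_LINE:
        raise BadPwdReply("reply line exceeds %d bytes" % MAX_REPLY_LINE)
    if not line.startswith(b"257 "):
        raise BadPwdReply("expected reply code 257")
    body = line[4:].rstrip(b"\r\n")
    if not body.startswith(b'"'):
        raise BadPwdReply("path is not quoted")

    path = bytearray()
    i = 1
    while i < len(body):
        c = body[i]
        if c == 0x22:                       # a quote: closing, unless doubled
            if i + 1 < len(body) and body[i + 1] == 0x22:
                path.append(0x22)
                i += 2
                continue
            break
        path.append(c)
        i += 1
    else:                                   # loop ran out without a closing quote
        raise BadPwdReply("unterminated quoted path")

    if len(path) > max_path:
        raise BadPwdReply("path of %d bytes exceeds %d" % (len(path), max_path))
    return path.decode("utf-8", errors="replace")


def pwd_reply_is_safe(line):
    """True if the reply parses within limits; a failing reply must not reach fixed buffers."""
    try:
        parse_pwd_reply(line)
        return True
    except BadPwdReply:
        return False


# Constructed sample replies: a normal one, one with an embedded quote,
# one whose path exceeds the path buffer, and one that exceeds the line cap.
NORMAL_REPLY = b'257 "/pub/files" is current directory.\r\n'
QUOTED_REPLY = b'257 "/odd""name" is current directory.\r\n'
LONG_PATH_REPLY = b'257 "' + b"A" * 500 + b'" is current directory.\r\n'
OVERLONG_REPLY = b'257 "' + b"A" * 4000 + b'" is current directory.\r\n'


if __name__ == "__main__":
    print(parse_pwd_reply(NORMAL_REPLY))
    print(parse_pwd_reply(QUOTED_REPLY))
    print("long path accepted:", pwd_reply_is_safe(LONG_PATH_REPLY))
    print("overlong line accepted:", pwd_reply_is_safe(OVERLONG_REPLY))
```

The point of the two separate caps is that the raw line is rejected before any parsing work is done, while the path cap is applied to the unescaped result, which is what would actually be copied into a buffer; a reply that passes the first check can still fail the second.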
If you enjoyed this podcast why not visit CERTStation.com and check out our free Internet Security Dashboard. In the meantime this is your host Jay Johnson wishing you a safe and secure week.