
Thursday, February 4, 2010

Microsoft confirms new vulnerability in Internet Explorer



Microsoft has confirmed the existence of a security vulnerability revealed at the Black Hat DC security conference on Tuesday and has issued its own warning. The vulnerability allows a crafted website to access and read the content of arbitrary files on a PC. Although an attacker needs to know the specific path and file name, for a standard Windows installation these are usually known default paths.
All versions of Internet Explorer from 5.01 to 8 on all supported Windows platforms are reportedly affected. Windows XP Home users, however, appear to be unaffected by the problem, as XP Home does not include a hidden C$ administrative share for websites to access. For Internet Explorer 7 and 8 running under Windows 7, Vista or Server 2003/2008, the vulnerability cannot be exploited as long as protected mode is activated in the browser (as it is by default).
Microsoft has said that it is looking into how it can solve the problem. However, solving it is not going to be straightforward, as Jorge Luis Alvarez Medina of Core Security Technologies, who discovered the vulnerability, has repeatedly stressed. The crux of the problem is that security zone settings in Internet Explorer do not always bite if a path is entered in the browser in UNC (Uniform Naming Convention) format (e.g. file://127.0.0.1/C$/.../index.dat). This means that under specific conditions JavaScript from the Internet Zone can access (and render) local files, despite the zone model being intended to prevent this.
Core Security reported two similar cross-domain vulnerabilities to Microsoft in 2008 and 2009, for which Microsoft released updates. However, until now, Microsoft has always merely patched things up, without addressing the actual core problem. As a result Medina has been able to discover a new means of reading local files. To overcome the hurdles set up by Microsoft, he takes advantage of a bug in the way the MIME type of local files is determined and a weakness when processing OBJECT tags.


As an interim solution, Microsoft has released a downloadable fix-it tool which disables the Internet Explorer file protocol. This could, however, cause problems for some other applications.
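For defenders who want to look for the UNC form quoted above in saved pages or proxy captures, the following is an added example and not code from Microsoft or Core Security. The function name, the list of loopback hosts and the sample markup are assumptions made for illustration.

```powershell
# Added example: flag file: URLs in markup that address an administrative
# share (C$, ADMIN$, ...) on a loopback host, the UNC form quoted in the article.
function Find-LoopbackUncFileUrl {
    param([Parameter(Mandatory)][string]$Markup)

    # Decode percent-escapes first so that C%24 is treated like C$.
    $decoded = [uri]::UnescapeDataString($Markup)

    # file://<loopback>/<share$>/...  The host list is an assumption; extend as needed.
    $pattern = '(?i)file:[/\\]{2,}(?<host>127(?:\.\d{1,3}){3}|localhost|\[::1\])' +
               '[/\\](?<share>[a-z]\$|admin\$)[/\\][^\s"''<>]*'

    foreach ($m in [regex]::Matches($decoded, $pattern)) {
        [pscustomobject]@{
            HostName = $m.Groups['host'].Value
            Share    = $m.Groups['share'].Value
            Url      = $m.Value
        }
    }
}

# Constructed sample markup (not taken from a real page).
$sample = @'
<html><body>
<a href="file:///C:/Users/Public/readme.txt">ordinary local link, not flagged</a>
<a href="file://127.0.0.1/C$/example/path/index.dat">loopback admin share</a>
<a href="file://localhost/c%24/example/other.txt">same form, percent-encoded</a>
<img src="https://example.test/logo.png">
</body></html>
'@

# Expect two hits: the 127.0.0.1 link and the percent-encoded localhost link.
Find-LoopbackUncFileUrl -Markup $sample | Format-Table -AutoSize
```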

Tuesday, February 2, 2010

China: We are biggest victim of hacking

China has denied any role in alleged cyberattacks on Indian government offices, calling China itself the biggest victim of hackers.
When asked about Google's allegation that cyberattacks launched from China hit the US search giant, foreign ministry spokesman Ma Zhaoxu said Chinese companies were also often hit by cyberattacks.
"China is the biggest victim of hacking attacks," Ma said, citing the example of top Chinese search engine Baidu.com being hacked last week.


Google last week said it might exit China after being hit by recent hacking attempts largely aimed at accessing the Gmail accounts of Chinese human rights activists. It also said it planned to hold talks with Chinese authorities about whether it could offer an uncensored version of its local search engine.
Ma said he did not know if Chinese authorities had started talks with Google. A Google spokeswoman did not confirm a Bloomberg news report that Google and China had already started the talks. "That's not what we've been saying," she said in an email.
An Indian official has reportedly said local government offices including that of India's National Security Advisor were also targeted last month by hackers believed to be from China.

Google invites attacks on Chrome


Google has launched an experimental programme to encourage external security researchers to find and report vulnerabilities in its browser. Borrowing from the Mozilla Foundation's 2004 Security Bug Bounty Program, $500 will be awarded for each bug found. In special cases, a committee will decide whether to increase the amount to a maximum of $1,337 – however, this reward is only for vulnerabilities which are particularly critical, or particularly smart reports on vulnerabilities and their exploitation.
According to Google, it doesn't matter whether the vulnerability is in the open source Chromium version or the binary Chrome version. The two differ only marginally anyway – Chrome additionally contains GoogleUpdater and sends an RLZ parameter which is forwarded to Google when a search term is entered in the Chrome address bar. The company will not be offering rewards for reports of bugs in third-party plug-ins.
Google is hoping that this will improve the security of its browser and therefore security for its users. Any bug found can be reported via the bug tracking system. Further information and a list of Q&As can be found in Google's blog entry announcing the programme.

Windows hole discovered after 17 years

Microsoft isn't having an easy time of it these days. In addition to the unpatched hole in Internet Explorer, a now published hole in Windows allows users with restricted access to escalate their privileges to system level – and this is believed to be possible on all 32-bit versions of Windows from Windows NT 3.1 up to and including Windows 7. While the vulnerability is likely to affect home users in only a minor way, the administrators of corporate networks will probably have their hands full this week.

The problem is caused by flaws in the Virtual DOS Machine (VDM) introduced in 1993 to support 16-bit applications (real mode applications for 8086). VDM is based on the Virtual 8086 Mode (VM86) in 80386 processors and, among other things, intercepts hardware routines such as BIOS calls. Google security team member Tavis Ormandy has found several vulnerabilities in this implementation that allow an unprivileged 16-bit program to manipulate the kernel stack of each process via a number of tricks. This potentially enables attackers to execute code at system privilege level.

The workaround requires users to start the group policy editor and enable the "Prevent access to 16-bit applications" option in the Computer Configuration\Administrative Templates\Windows Components\Application Compatibility section. When tested with these settings by the heise Security team, the exploit no longer functioned. The settings reportedly don't cause any major compatibility problems for most users while no 16-bit applications are being used.

Update - The above option is only available through the group policy editor on Windows 2003 systems. Some versions of Windows do not include a group policy editor. As an alternative, users can also create a registry key under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat with a DWORD value of VDMDisallowed = 1. Under Windows XP, to prevent the system from being vulnerable to the exploit, users can place the following text:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\AppCompat]
"VDMDisallowed"=dword:00000001

into a file called vdmdisallow.reg and double-click the file. Windows will then automatically import the key (admin rights are required to perform this action).
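Administrators who need to check many machines can audit the same value from a script. The following is an added example, not part of the original article or of Microsoft's guidance; the function names and the -Apply switch are assumptions, while the key path and value name are the ones given above.

```powershell
# Added example: report whether the VDMDisallowed policy value is set,
# and set it when the script is run with -Apply from an elevated session.
param([switch]$Apply)

$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\AppCompat'
$ValueName = 'VDMDisallowed'

function Get-VdmPolicyState {
    # Returns NotConfigured, Allowed16Bit or Disabled16Bit.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }      # key or value is missing
    if ([int]$item.$ValueName -eq 1) { return 'Disabled16Bit' }
    return 'Allowed16Bit'                                # value exists but is not 1
}

function Set-VdmDisallowed {
    # Same effect as importing the .reg file shown above.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    New-ItemProperty -Path $KeyPath -Name $ValueName -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

$state = Get-VdmPolicyState
Write-Output "$env:COMPUTERNAME VDMDisallowed state: $state"

if ($Apply -and $state -ne 'Disabled16Bit') {
    Set-VdmDisallowed
    Write-Output "$env:COMPUTERNAME VDMDisallowed state after change: $(Get-VdmPolicyState)"
}
```

Without -Apply the script only reads the registry, so it can be run from an unprivileged account to inventory which hosts still allow 16-bit applications.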

Saturday, January 23, 2010

Twitter disables ‘widget’ function

Twitter has temporarily disabled one of the features on its website after a security researcher warned of a programming flaw that left the login credentials of its users vulnerable to hackers.

Twitter co-founder Biz Stone said in an email that the company had temporarily cut off access to a feature that lets users display Twitter updates on their websites by using Flash technology.
“Our team has disabled the Flash widget while we look into the problem,” Stone said.
Mike Bailey, a senior security analyst with Foreground Security of Orlando, Florida, said that the problem exploits a widely known vulnerability in Adobe Systems Inc’s Flash programming language.
Adobe has told programmers how to address the vulnerability, which was first discovered in 2006, Bailey added, but noted the operators of many websites have failed to respond to those warnings.
The microblogging site’s huge popularity has made it a prime target for hackers looking to spread malicious software to Twitter’s millions of users.
“As simple as the attack is, I’ve been finding them all over the place,” Bailey said.
Officials with Adobe declined to comment.
A hacker last month briefly hijacked the Twitter site and redirected it to one that claimed to represent a group calling itself the Iranian Cyber Army. That high-profile attack — by a perpetrator who stole credentials to the account that Twitter uses to route its traffic — did not compromise credentials of any Twitter users.
Bailey said his analysis of the Twitter site showed that it could have been vulnerable to attacks for more than a year, but that it was impossible to know whether hackers had actually exploited the Adobe flaw.
He is scheduled to discuss his research on the Twitter flaw at the Black Hat DC security research conference in Washington, which begins on Feb. 2.

Motorola seeks to ban BlackBerry


Motorola Inc is seeking to ban imports of Research In Motion Ltd's BlackBerry smartphones into the US that it claims infringe its patents.
Motorola, the largest US mobile-phone maker, said it filed a complaint with the US International Trade Commission, citing unfair trade practices and infringement of five patents.
The patents relate to some early-stage innovations developed by Motorola in key areas such as Wi-Fi access, application management, user interface and power management, that are now being used by RIM, Motorola said in a statement. The technology allows better connectivity at a lower cost, the company claims.

Litigation
"We've not been able to convince RIM over two years in litigation elsewhere to reach a reasonable settlement so we've taken it to the ITC to stop its infringement," Jonathan Meyer, Motorola's senior vice president of intellectual property law, said in an interview.
He said the two companies had a licence agreement in place from 2003 to 2007 and haven't been able to reach terms since then. Motorola and RIM have been suing each other in recent years.

Thursday, January 14, 2010

Surge in e-crimes in Dubai

Sixty-two per cent of phishing in the UAE last year targeted local banks
By Sharmila Dhal, Senior Reporter

Dubai: Most cyber attacks in the UAE last year targeted banks and were perpetrated by electronic criminals from outside the country, a government report has revealed, adding that the number of hacking and defacement incidents quadrupled in 2009 from 2008.
It added that of all the electronic breaches during 2009, "phishing" comprised the main offence - 62 per cent of which targeted local banks, followed by UAE branches of international banks and other institutions at 19 per cent each.


Emergency plan
The report was presented by Mohammad Geyath, Executive Director, Technology Development Affairs, Telecom Regulatory Authority (TRA), at the Crises and Emergency Management Conference in Abu Dhabi which concluded on Wednesday. The report was put together by the Computer Emergency Response Team (CERT), a consultative body that advises TRA. The total number of cyber-related offences recorded by CERT was 51 in 2009, up from 47 in 2008, while incidents of phishing and defacement had increased to 26 in 2009, from six in 2008.
Meanwhile, the TRA announced at the conference an Emergency Plan for the country's telecom sector. Making the announcement Mohammad Nasser Al Ganem, Director-General of TRA, said the plan has been developed in co-operation with the National Crisis and Emergency Management Authority (NCEMA) and in consultation with key stake-holders, telecom operators and service providers.
Designed to protect critical infrastructure for communications, the plan encompasses various stages to deal with crises which cover all aspects of security and protection on the one hand and the preservation of a sustainable network during emergencies on the other.
Earlier, Richard Clarke, former security adviser to the US government, said of all the future risks that the world faces today, the threat of a cyber war could not be wished away, just as the potential crises arising out of climate change and pandemic diseases.

Global issue
He said nations need to ask themselves what national functions depend on cyberspace and conduct an analysis of the risks such utilities as power, water, banking, airports and oil supplies face.
He said countries should spend time to put audits and back-up systems in place to meet any contingency.
"Somewhere on the curve of low probability and high consequence, we should be prepared to spend time on these matters," he said, pointing to cyber wars in some parts of the world like Estonia and Georgia.

Telecom Emergency Plan Announced
Meanwhile the TRA has announced an Emergency Plan for the country's telecom sector.
Making the announcement at the concluding day of the Crises and Emergency Management Conference in Abu Dhabi on Wednesday, Mohammad Nasser Al Ganem, Director-General of TRA, said the plan has been developed in co-operation with the National Crisis and Emergency Management Authority (NCEMA) and in consultation with key stake-holders, telecom operators and service providers.
Designed to protect critical infrastructure for communications, the plan encompasses various stages to deal with crises which cover all aspects of security and protection on the one hand and the preservation of a sustainable network during emergencies on the other.
The stages covered include prevention, preparedness, response and recovery.
Earlier, Richard Clarke, former security adviser to the United States government, said of all the future risks that the world faces today, the threat of a cyber war could not be wished away, just as the potential crises arising out of climate change and pandemic diseases.
He said nations need to ask themselves what national functions depend on cyberspace and conduct an analysis of the risks such utilities as power, water, banking, airports and oil supplies face.
He said countries should spend time to put audits and back-up systems in place to meet any contingency. "Somewhere on the curve of low probability and high consequence, we should be prepared to spend time on these matters," he said, pointing to cyber wars that had proven to be a reality in some parts of the world like Estonia and Georgia.

