Web Security


Bug in IE 8 Causes XSS Errors

The latest version of Microsoft’s Internet Explorer browser contains
a bug that can enable serious security attacks against websites that
are otherwise safe. The flaw in IE 8 can be exploited to introduce XSS, or cross-site
scripting, errors on webpages that are otherwise safe. Read the full article. [The Register]

The Dangers of Firefox Extensions

At the SecurityByte & OWASP AppSec Conference in India, Roberto Suggi Liverani and Nick Freeman offered insight into the substantial danger posed by Firefox extensions. Mozilla doesn’t have a security model for extensions and Firefox fully
trusts the code of the extensions. There are no security boundaries
between extensions and, to make things even worse, an extension can
silently modify another extension. Read the full article. [Help Net Security]


The latest release (PHP 5.3.1) features the addition of the “max_file_uploads” INI
directive, which can be used to limit the number of file uploads for
each request to 20 by default. By limiting the number of uploads
per-request, users can prevent possible denial of service (DoS)
attacks. Missing sanity checks around EXIF (exchangeable image file format) processing have also been added. Read the full article. [The H Security]

Three alleged members of the hacker gang Kryogeniks were hit with a
federal conspiracy charge for a 2008 stunt that replaced
Comcast’s homepage with a shout-out to other hackers. Prosecutors identified Christopher Allen Lewis, 19, and James Robert
Black Jr., 20, as the hackers “EBK” and “Defiant,” known for hijacking
Comcast’s domain name in May of last year — a prank that took down the
cable giant’s homepage and webmail service for more than five hours,
and allegedly cost the company over $128,000. Read the full article. [Wired] Read the Federal indictment.

Online,
the biggest battle these days is against botnets: networks of infected
computers which hackers can use — unbeknownst to the machine’s owner
— for online crimes including sending out spam or launching a denial
of service attack. The black-hat techniques
employed to snare users into a botnet web have evolved to a level that
makes them often undetectable by even the most sophisticated security
products. Combine that with a lack of user knowledge, and the threat of
infection becomes very high. Read the full article. [CSOonline.com]

Under Fedora 12, users are able to install software from repositories without being prompted for root password. The undocumented change in Fedora 12 has caused consternation amongst Fedora users. The change is part of PolicyKit’s policy for desktop users and was made to make the system easier for desktop users. Read the full article. [The H Security] 

Authorities in the U.K. have arrested two people in connection with using a notorious Trojan in a scheme to steal online banking information. The man and the woman, both 20, were arrested by the Metropolitan Police Service in Manchester, according to police. The duo is accused of using the Zeus Trojan, also known as Zbot, in a plot to steal information. It is believed the Trojan was configured to record victim’s online bank account information and passwords, as well as credit card numbers and other information. Read the full article. [eWEEK]

Mozilla will add a new lockdown feature to
Firefox 3.6 that will prevent developers from sneaking add-ons into the
program, the company said. The new feature, which Mozilla dubbed “component directory
lockdown,” will bar access to Firefox’s “components” directory, where
most of the browser’s own code is stored. The company has billed the
move as a way to boost the stability of its browser. Read the full article. [Computerworld]

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.