Microsoft


Microsoft sneaks Firefox add-on without user knowledge

A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla’s Firefox Web browser, according to a report [washingtonpost.com] by Brian Krebs
The Firefox add-on was silently added to Firefox when users downloaded a service pack for the Microsoft .NET Framework.  Annoyances.org explains why this is a security problem:

A guide to the IIS WebDAV vulnerability

Even for the most experienced security professionals, understanding complex attacks and vulnerabilities sometimes can be a serious challenge. A perfect example is the recent Microsoft IIS WebDAV vulnerability, which surfaced last week and has yet to be patched by Microsoft. It’s a complicated issue, which some experts say was made more so by the guidance that the software maker released about it. Luckily, Steve Friedl of Unixwiz.net has taken the time to make some sense of it all.


A security researcher from nCircle is accusing Microsoft of gamesmanship in its description of an unpatched IIS vulnerability in the way the WebDAV extension  decodes a requested URL. The end result is that a successful exploit would allow a hacker to bypass authentication and gain unauthorized access to resources.

From Computerworld (Gregg Keizer)
After discovering attack code on a brand new Windows XP netbook, anti-virus vendor Kaspersky Labs warned users yesterday that they should scan virgin systems for malware before connecting them to the Internet.

When Kaspersky developers installed their recently-released Security for Ultra Portables on an M&A Companion Touch netbook purchased for testing, “they thought something strange was going on,” said Roel Schouwenberg [viruslist.com], a senior anti-virus researcher with the Moscow-based firm. Schouwenberg scanned the machine — a $499 netbook designed for the school market — and found three pieces of malware.  Read the full story [computerworld.com]

A new remotely-exploitable vulnerability has been found in the Microsoft IIS 6.0 Web server. The flaw is quite similar to one that was discovered eight years ago in earlier versions of IIS, and exploitation of the weakness could enable an attacker to upload content to the vulnerable server.

Guest editorial by Andrew Storms
Yesterday was a perfect example of the lack of communication between software vendors and their customers about security. Three vendors released major patches for serious bugs, all within hours of each other.

You would think that customers would be a high priority for all vendors, especially in this economy. All vendors certainly give lip service to doing the right thing by their customers; unfortunately, most have a bad case of amnesia when it comes to security.

From eWEEK (Brian Prince)
Attackers pushing pirated, malware-laced copies of Microsoft’s upcoming Windows 7 operating system have been actively trying to build a botnet.

According to researchers at Damballa, attackers hid a Trojan inside of pirated copies of the operating system and began circulating them on BitTorrent sites. Damballa reported that it shut down the botnet’s command and control server May 10, but by that time infection rates had risen as high as 552 users per hour. Read the full story [eweek.com]

Microsoft has slapped a massive band-aid on its PowerPoint presentation software to cover at least 14 documented security vulnerabilities.
The MS09-017 update, rated “critical,” includes a fix for a known code execution flaw that was used to launch targeted exploits via rigged PowerPoint files. Read the full story [zdnet.com] Also see Microsoft’s explanation of the update [technet.com]

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.