Infections At Medical Device Firm Lasted For Months

New evidence suggests that a Web site hosting software updates for life saving medical equipment was the victim of a massive SQL injection attack and may have been redirecting visitors to a site serving up attacks and malicious software for months before the company became aware of the compromise.

Microsoft Plans Nine Bulletins, Four Critical for February Patch Tuesday

Microsoft will issue nine security updates, four critical, for Patch Tuesday next week, fixing 21 different vulnerabilities in Windows, Internet Explorer, .NET, Silverlight and Office.Seven of the nine may lead to remote code execution, while the other two may lead to elevation of privilege, according to Microsoft’s advance notification bulletin yesterday.

Microsoft said in a post on the Technet Web site that it plans to release seven security bulletins on Tuesday, fixing eight security holes in a variety of products. Among them will be a fix for a new class of software vulnerability – the “Security Feature Bypass,” which could be used by attackers to make other exploits more potent, Microsoft said.

Remember that Microsoft .NET Framework Assistant add-on that Microsoft sneaked into Firefox without explicit permission from end users?
Well, the code in that add-on has a serious code execution vulnerability that exposes Firefox users to the “browse and you’re owned” attacks that are typically used in drive-by malware downloads.

A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla’s Firefox Web browser, according to a report [washingtonpost.com] by Brian Krebs
The Firefox add-on was silently added to Firefox when users downloaded a service pack for the Microsoft .NET Framework.  Annoyances.org explains why this is a security problem:

When Mark Dowd and Alex Sotirov demonstrated a technique for bypassing Vista’s memory protections at Black Hat last year, the security community was stunned. Microsoft officials said at the time they were working on ways to defeat the pair’s attack and now that protection has arrived, in the form of Internet Explorer 8.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.