This Week in Security: Phantom Firefox Menace, Mass Domain Ownage and The Curious Case of IE6

There’s old, and there’s old. Internet Explorer 6 clearly falls into the latter category, but despite its advancing age, IE6 still holds a lot of sway in the enterprise, as new data that came to light this week. That’s not the only weirdness that reared its head this week, though. There was the Firefox bug that wasn’t, the revelation of hundreds of thousands of infected parked domains and a mysterious bug that affects as many as 40 Windows apps. The dog days of summer are upon us. Read on for the full week in review.

There’s old, and there’s old. Internet Explorer 6 clearly falls into the latter category, but despite its advancing age, IE6 still holds a lot of sway in the enterprise, as new data that came to light this week. That’s not the only weirdness that reared its head this week, though. There was the Firefox bug that wasn’t, the revelation of hundreds of thousands of infected parked domains and a mysterious bug that affects as many as 40 Windows apps. The dog days of summer are upon us. Read on for the full week in review.

The week started with news that there was a new bug in Firefox that could let an attacker use a combination of iFrames and URL obfuscation to trick users into visiting a malicious Web site. It turned out, though, that the bug is in fact a couple of months old and that exploiting it would be pretty difficult, making it a fairly low risk for users. “Pretty early on we looked at it and thought that it wasn’t a major bug.
The real defense there is that Firefox isn’t fooled by it,” Johnathan
Nightingale, director of Firefox development, said in an interview
Wednesday. “I think in this case, the alert would actually confuse
people because they’d look in the address bar and the URL would look
fine. The users who might see this in the iFrame are not the kind of
people who would be fooled by it.”

The weirdness continued when news came out later in the week that despite the fact that the browser is nearly 10 years old, IE6 still has quite a bit of representation in the enterprise. Data compiled by zScaler showed that 23 percent of the traffic that they monitor comes from machines running IE6. IE6! This is the same browser that was an integral part of the attack on Google last year and it doesn’t include any of the memory protections that later versions, especially IE8, have. That makes it an attacker’s dream.

Not good times.

“Enterprises tend to be much more concerned about backward compatibility
than security,” said Mike Sutton, Vice President of Security Research
at zScaler. “They’re worried about not breaking that Web application they
built five years ago.”

The week also brought a continuation of the recent focus on smartphone attacks and security. It seems not a week goes by now without the appearance of a new attack or threat targeting iPhones, Android devices or BlackBerrys, and researchers say that the attacks we’re seeing now are a clear indication that attackers are turning their full attention to mobile devices now. And there’s money to be made. The recent appearance of the Android SMS Trojan, which infects devices and then sends off SMS messages to a premium rate number at $10 a pop, made that abundantly clear. But the real concern, experts said, is the weakness of the security controls on the mobile app stores.

“There’s no question it’s easy to slip something into the app store. Why
discover a new vulnerability in Webkit to exploit and load up a rootkit
when you can do this?” researcher Jon Oberheide said. “We’ve learned a lot about
secure platform design in the last few years, but we have the same
traditional problem of getting features out the door instead of focusing
on security. We could have started with a very secure platform, a
hardened kernel and application stack. We could’ve done it. But in
reality, no one cares what we do. It’s depressing.”

And then there’s the story about a Network Solutions widget being compromised and leading to something in the neighborhood 120,000 parked domains being owned. The domains represent one of the hidden corners of the Internet and an attack vector that had not been on most security professionals’ minds. Some security experts say that one of the things that needs to be done to address this problem is for Google and other search providers to stop indexing these parked domains so that unwitting users won’t stumble upon them.

A spokesperson for Google said that the company has systems to help
detect parked domains, and will often not show them in the company’s
search index. “If they do appear in the index, they are scanned with the
same technology we use on other sites to help detect and flag malware
and phishing attempts,” the spokesman said.

Others said that there are bigger problems facing Web users than a bunch of relatively obscure domains being owned.

“Gumblar infected 80,000 servers in a few weeks. Any one of those Web
sites is getting more traffic than parked domains,” said Dasient’s Neil Daswani. “I think
the community should focus on where the biggest threat is.”

Others receiving votes

Owning Virtual Worlds for Fun and Profit

HD Moore: Critical Flaw Found in 40 Windows Apps

Root Privileges Through Linux Kernel Bug

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.