Week in Security: Year-end E-Card Drama, Foreign Spies and Sandboxes – Not So Safe After All?

An onslaught of spammy holiday cards ushered out a 2010 that saw spam, for the first time ever, in decline. Meanwhile, the DoD warned about foreign governments stealing military technology, while researchers warned that application sandboxes might not be so safe to play in, after all. Read on for the full week in review.


What did you find interesting this week? Among the most trafficked stories of the week was Dennis Fisher’s report on Wednesday about a new method a researcher has developed to bypass Adobe’s Flash sandbox. Meanwhile, Paul Roberts’s look into a recent report from the U.S. Department of Defense, which found that spying foreign governments have been focusing on the nation’s naval technology, attracted considerable reader attention.

In other news: two prominent botnets made headlines in the waning days of 2010 and the first days of 2011. Zeus-related malware was detected spreading in e-greeting cards purporting to come from the White House. At the same time, the Storm botnet made a return under the same guise. Posing as a New Year’s greeting, the e-mail directed users to a series of unsafe domains, one of which finally asked users to download a fake Flash player.

Leading up to next week’s monthly “Patch Tuesday” release, Microsoft was in the headlines, offering both guidance and reminders to customers to apply previous patches. On Tuesday, the company encouraged its users to patch an old hole being exploited in its Office software. With the right RTF (Rich Text Format) file, an attacker can trigger an overflow and take control of the victim’s memory. From there, it’s easy for a hacker to hijack the system with their own code. Those who didn’t patch Office in November (with MS10-087) have left themselves vulnerable to this exploit.

Microsoft warned Windows users about another potential overflow vulnerability this week when it issued an advisory on Tuesday about a hole in the operating system’s Graphics Rendering Engine. The stack overflow can be triggered when attackers send specially crafted thumbnail images in e-mails; exploiting the vulnerability lets them gain control of the machine.

Even more vulnerabilities greeted 2011 right out of the gate as Google researcher Michal Zalewski detailed a multitude of holes in several well-known browsers. Holes in Internet Explorer, Firefox, Opera and Safari were discussed in a blog entry posted on January 1.

When it came to patches, both Apple’s and Microsoft’s bulletins were surprisingly negligible. Microsoft announced that it intends to patch just two bugs next week when it issues its monthly Patch Tuesday release. It appears that neither of Zalewski’s previously mentioned bugs will be fixed; instead, the company will fix a critical flaw in Windows, along with another bug. Of course, as Threatpost has noted, “important” security holes can look downright critical, depending on the context. Still, it’s likely that the two zero days will be left unpatched for a few weeks, at the least.

Apple’s fix was just as nominal, as the company simply pushed OS X 10.6.6 to fix a problem in PackageKit. Included was an enhancement for iTunes, allowing the online music depot to sell software via the Mac App Store. It remains to be seen if Apple’s new app store will open itself up to the problems of mobile app stores. Stores for BlackBerry, Android and iPhones have received their fair share of scrutiny as of late as fake and malicious new applications have found their way into the stores.
