Browser patches galore

Patches from Mozilla, Google, Apple, others A Smart Worm for a Smartphone - WinCE.PmCryptic.A 10 IT security companies to watch , and other interesting reading

Mozilla fixes 11 new flaws in Firefox, six critical
Mozilla on Wednesday patched 11 vulnerabilities in Firefox 3.0 -- and 12 bugs in the older Firefox 2.0 -- that could be used to compromise computers and steal information. Firefox 3.0.4, the fourth update since Mozilla launched the browser in June, fixes six flaws marked "critical," two "high," two "moderate," and one "low" in Mozilla's four-step scoring system. Most of the critical bugs could be used by hackers to introduce their own malicious code into a vulnerable system. Computerworld, 11/13/2008.

Mozilla advisory
**********

Apple plays catch-up, adds anti-fraud safeguard to Safari
Apple Friday added anti-phishing protection to Safari, the last major browser to receive the feature that blocks known identity-stealing sites. The company also patched 11 security bugs in the program, the bulk of them specific to the Microsoft Windows version. Released Thursday, Safari 3.2 includes a new feature, dubbed "Fraudulent sites" in the browser's options listing. Computerworld, 11/14/2008.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Mozilla fixes 11 new flaws in Firefox, six critical
Mozilla on Wednesday patched 11 vulnerabilities in Firefox 3.0 -- and 12 bugs in the older Firefox 2.0 -- that could be used to compromise computers and steal information. Firefox 3.0.4, the fourth update since Mozilla launched the browser in June, fixes six flaws marked "critical," two "high," two "moderate," and one "low" in Mozilla's four-step scoring system. Most of the critical bugs could be used by hackers to introduce their own malicious code into a vulnerable system. Computerworld, 11/13/2008.

Mozilla advisory
**********

Apple plays catch-up, adds anti-fraud safeguard to Safari
Apple Friday added anti-phishing protection to Safari, the last major browser to receive the feature that blocks known identity-stealing sites. The company also patched 11 security bugs in the program, the bulk of them specific to the Microsoft Windows version. Released Thursday, Safari 3.2 includes a new feature, dubbed "Fraudulent sites" in the browser's options listing. Computerworld, 11/14/2008.

Apple advisory
**********

Google patches Chrome file-stealing bug
Google has patched Chrome to prevent attackers from stealing files from PCs running the open-source browser. The update, however, has not been pushed out to most users yet. Google quashed the bug in a developer-only version of Chrome that has not been sent to all users via the browser's update mechanism. Chrome users, however, can reset the browser to receive all updates, including the developer editions, with the Channel Chooser plug-in. Computerworld, 11/14/2008.

Google Chome release blog: Dev Release: 0.4.154.18
**********

Three new patches from Mandriva:

ClamAV (denial of service, code execution)

Firefox (multiple flaws)

GnuTLS (identity spoofing)
**********

Two new updates from Ubuntu:

VMBuilder (improperly set root password)

gnome-screensaver (multiple flaws)
**********

Today's malware news:

A Smart Worm for a Smartphone - WinCE.PmCryptic.A
We have already seen a file infector working on smartphones (see WinCE.Duts.A) and a worm that could spread by infecting storage cards (see WinCE.Infomeiti). Now, we have the first polymorphic worm (although some refer to it as a companion virus) that affects smartphones running Windows CE platform on ARM processors -- it is known as WinCE.Pmcryptic.A. It spreads by generating new polymorphic copies of itself each time, and can cause a severe nuisance on a compromised phone (including unwanted phone calls to toll numbers). Symantec Security Response blog, 11/13/2008.

Paypal Phish Wants Your Social Security Number
The page is a typical Paypal phish, though they're not actually interested in obtaining your Paypal login in the slightest. They're after something a little more personal. The SpywareGuide Greynets Blog, 11/17/2008.

Give Me Your Login, Please
When I saw the name of this Web site - "The Habbo Movie" - I thought it might be quite inventive. Alas, it appears to be a more standard type of "enter your login and hope you get something for free" affair. The SpywareGuide Greynets Blog, 11/13/2008.
**********

From the interesting reading department:

10 IT security companies to watch
Our picks for this year's 10 IT security companies to watch offer products and services that involve everything from video surveillance to application whitelisting to malware blocking, and you can view samples of their products in this slideshow. But if there's a common theme among most of these vendors, as with 2007’s top 10, it's that trusted personal relationships forged in universities, business and the military played an essential role in inspiring their founders and convincing employees to join them. And that's not to mention the millions in seed money not just from venture capitalists but also angel investors, and yes, family. Network World, 11/17/2008.

A sneaky security problem, ignored by the bad guys
Frank Boldewin had seen a lot of malicious software in his time, but never anything like Rustock.C. Used to infect Windows PCs and turn them into unwitting spam servers, Rustock.C is a rootkit that installs itself on the Windows operating system and then uses a variety of sophisticated techniques that make it nearly impossible to detect or even analyze. IDG News Service, 11/14/2008.

McColo Mole Wacked
Kudos to Brian Krebs, whose excellent investigative reporting produced some rather dramatic results. What's the story? McColo Corp. -- major source of spam -- was knocked offline earlier this week. And now there's a large decrease in the amount of spam being distributed. F-Secure, 11/13/2008.

Washington Post: Major Source of Online Scams and Spams Knocked Offline

Targeted E-Mail Attacks: The Bull's-Eye Is on You
Far more dangerous than a normal e-mail attack, targeted at­­tacks choose a particular person as the prospective victim and tailor their message to that recipient. Since their creators craft the messages carefully (with few spelling and grammatical errors, for example), these attacks lack tell-tale indicators and thus stand a far greater chance of snaring a victim. PC World, 11/13/2008.

Read more about security in Network World's Security section.