JAR: protocol vuln – targeting Google now

According to a report by pdp, several Web sites supporting open redirects are vulnerable to the recent JAR: protocol vulnerability.

More information about these XSS vulnerabilities (hey, these are serious now!) is available at GNUCITIZEN entry here:

Severe XSS in Google and Others due to JAR protocol issues

Update 26th Nov: The author of the Beford Blog has shared information that his “jarjarbinks.htm” PoC-type link still works when entered manually into the browser’s address bar. Google is still affected by the JAR flaw.
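The reason open redirects matter here is that a redirect parameter which accepts any URL can bounce a victim to a jar: URL. The usual server-side mitigation is to refuse every redirect target that is not a path on your own host. The following validator is an added example written for this page, not code from the original post or from Google; the host name www.example.com and the function name are assumptions.

```python
from urllib.parse import urlsplit

# Constructed example: the only host this application will ever redirect to.
ALLOWED_HOST = "www.example.com"


def safe_redirect_target(target: str, default: str = "/") -> str:
    """Return a redirect target that stays on ALLOWED_HOST, or `default`.

    Rejected: any scheme other than http/https (jar:, javascript:, data:, ...),
    scheme-relative URLs ("//other.host/..."), the backslash variant browsers
    accept ("/\\other.host"), and absolute URLs whose host is not ours.
    Accepted targets are rebuilt as path?query, so the Location header can
    never carry a foreign origin.
    """
    if not target:
        return default
    # Drop ASCII control characters (some browsers ignore them inside a scheme,
    # e.g. "java\tscript:") and treat "\" like "/".
    cleaned = "".join(ch for ch in target if ch >= " ").strip().replace("\\", "/")
    parts = urlsplit(cleaned)
    scheme = parts.scheme.lower()
    if scheme:
        # Absolute URL: only plain http(s) on our own host counts as local.
        if scheme not in ("http", "https") or parts.hostname != ALLOWED_HOST:
            return default
    elif parts.netloc or not parts.path.startswith("/"):
        # "//host/..." would leave our origin; a bare word is not a local path.
        return default
    path = parts.path or "/"
    if path.startswith("//"):
        # "https://www.example.com//evil" has a local host but a path a browser
        # would re-interpret as scheme-relative once it is sent on its own.
        return default
    return path + ("?" + parts.query if parts.query else "")
```

The function rebuilds the target from its parsed path and query rather than echoing the input, which is what closes the jar:, javascript: and "//host" variants at once.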


JAR: protocol vulnerability in Firefox, word processor applications reported

An unpatched vulnerability in the handling of JAR: protocol handler URLs has been reported recently.

Information is available at the GNUCITIZEN Blog. Link: Web Mayhem: Firefox’s JAR Protocol Issues.

Information was publicly disclosed by Petko D Petkov (aka pdp).

The issue was originally reported in Bugzilla entry #369814 by Jesse Ruderman of the Mozilla community, i.e. the Mozilla security group is aware of the vulnerability.

The vulnerability is due to same-origin and XSS issues when opening .JAR packages. The following file formats are known attack vectors: .zip, .doc, and .odt.

The blog entry lists Mozilla Firefox and unspecified, widely known Google and Microsoft products as affected. OpenOffice.org Writer, StarOffice Writer, NeoOffice Writer and AbiWord support opening these file types; Microsoft Office 2007 support is provided by an add-in.

Update: This has been assigned to CVE-2007-5947.


These days of several XSS vulns on known sites

The role and seriousness of cross-site scripting (XSS) vulnerabilities has been a subject of recent FD discussion.

The fact is that since Saturday 3rd Nov the following widely known targets have been reported:

www.paypal.com (two issues)
Additionally, several Yahoo domains have unpatched XSS issues. Mastercardfrance.com has its own XSS vulnerabilities as well.

According to the Xssed.com archives most of these are still unpatched. Some examples:

Symantec: XSS in search function at Enterprise section

Apple Developer Connection: XSS in search function
FBI: XSS in redirect-type URL (try www.fbi.gov/filelink.html?file=//google.fr manually)

Bank of America: XSS on Sign In page (https)
Paypal.com has fixed both of its issues.


Cryptome: NSA has access to Windows Mobile smartphones

For the first time, Cryptome.org has released information about the characteristics of the NSA’s network surveillance.

According to the newest IP address listing:

IP ranges published by Cryptome are used by NSA, by NSA’s private sector contractors, and by NSA-friendly non-US national government agencies to access both stand-alone systems and networks running Microsoft products.

The post continues:

This includes wireless wiretapping of “smart phones” running Microsoft Mobile. Microsoft remote administrative privileges allow “backdooring” into Microsoft operating systems via IP/TCP ports 1024 through 1030.

The site has published NSA-affiliated IP addresses since July ’07. It is not known whether this mysterious source ‘A’ has connections to the National Security Agency.


Symbian S60 3rd edition hacked – and Nokia’s October response

A blog called Symbaali.info has released information about hacking the S60 3rd edition firmware with a flash update.
According to the blog, a new Nokia Software Updater prevents this Symbian hack from working.

It appears that the point in this case is editing the swipolicy.ini file.

By adding the AllFiles capability to the file it’s possible to explore the entire file system.

The author has released several screenshots confirming the access to the Sys folder too.

The previous entries released earlier this month are located at symbaali.info/2007_10_01_archive.html. The site is registered to Mr. Roger Muhmu using a contact address of the local Peekpoke company. Their Web site lists a P.O. Box address in Jyväskylä, Finland.

Security professionals here in Finland have confirmed the issue and Nokia’s Corporate Security department is aware. The following devices have been verified: Nokia N73, E61 and E90.

Ron Liechty of Forum Nokia confirmed the issue on Monday 29th Oct.


New Netscape Navigator 9 ships security fixes and is multi-platform

Netscape Navigator 9 has been released recently. The previous Netscape Browser 8.1 was released in April and was a Windows-only version. It is worth noting that the latest version is not Netscape Browser 9 or Netscape 9 – it’s Netscape Navigator 9.

The new version was released at browser.netscape.com/downloads/.

It appears that an official Security Alert page is not available, but the Release Notes document and the UA string confirm that the new version is based on the Mozilla Firefox codebase.

The latest vulnerability fixed in Firefox is this QuickTime issue (CVE-2006-4965). The Gecko level of the previous version (Netscape 8.1.3), in turn, was Gecko rv 1.7.5 (20070321).

The typical WinXP User Agent is the following: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20071015 Firefox/ Navigator/9.0


XSS at Cnn.com – again

In August we saw a cross-domain injection type XSS report from CLPWN related to Cnn.com.

The target was Search.cnn.com.

This week, Xssed.com reports a new issue.

According to the ‘Additional information’ field of the report:

XSS in the “Get your local weather and news” form

No exact string was given.

Additionally, the Xssed database lists the issue as Unfixed.


Left your Citrix .ICA files on a public server and let the hacker in

Mr. Petko D. ‘Acrobat-Gmail’ Petkov has reported a very interesting Citrix issue:

When querying for public .ICA (Independent Computing Architecture) files, you can do serious things in the remote system with this information. Opening Cmd.exe and listing the file system works, etc.

Report here and a YouTube video of 1:28 min here.
Googledork and Yahoodork(!) included; it appears there are many .mil and .gov sites. And hospitals too.
A real-life example: a Finnish high school in the town of Jyväskylä fixed its problem in less than 20 minutes after receiving my e-mail this morning. Fine!
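The defender’s side of this story is finding out which .ICA files sit under your own document root and what they give away before a search engine does. The audit script below is an added example written for this page, not a tool from the original post or from Citrix; the key names it looks for (Address, InitialProgram, Username, ClearPassword and friends) are the ones commonly seen in the INI-style .ICA layout and are assumed here, and the sample file is constructed.

```python
import configparser
from pathlib import Path

# Keys that matter when an .ica file is world-readable. ICA files are INI-style;
# these names are the commonly seen ones (an assumption; adjust to your files).
CREDENTIAL_KEYS = {"username", "domain", "password", "clearpassword"}

# Constructed sample of a published .ica file (no real host or account).
SAMPLE_ICA = """\
[WFClient]
Version=2
ClientName=web-kiosk

[ApplicationServers]
Desktop=

[Desktop]
Address=10.0.0.5:1494
InitialProgram=#Desktop
Username=kiosk
ClearPassword=constructed-placeholder
"""


def audit_ica(text: str) -> dict:
    """Parse .ica contents and report what an anonymous downloader learns from it."""
    parser = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str.lower          # key names are treated case-insensitively
    parser.read_string(text)
    findings = {"servers": [], "programs": [], "credential_keys": []}
    for section in parser.sections():
        for key, value in parser.items(section):
            if not value:
                continue
            if key == "address":
                findings["servers"].append(value)
            elif key == "initialprogram":
                findings["programs"].append(value)
            elif key in CREDENTIAL_KEYS:
                findings["credential_keys"].append(f"{section}:{key}")
    if findings["credential_keys"]:
        findings["severity"] = "high"       # a stored logon: anyone can connect as that user
    elif findings["servers"] or findings["programs"]:
        findings["severity"] = "medium"     # reveals internal hosts / published applications
    else:
        findings["severity"] = "low"
    return findings


def scan_webroot(root: str) -> list:
    """Walk a document root and audit every .ica file found under it."""
    results = []
    for path in Path(root).rglob("*.ica"):
        try:
            results.append((str(path), audit_ica(path.read_text(errors="replace"))))
        except configparser.Error as exc:
            results.append((str(path), {"error": str(exc)}))
    return results
```

Run scan_webroot against the directory your Web server publishes; anything rated medium or high should not be reachable without authentication, and a file with stored credentials means those credentials need changing as well as removing the file.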


Hey, don’t touch to my Gmail filters with XSRF

The good news is that Google has fixed a serious cross-site request forgery vulnerability in Gmail.

The exploitation technique was interesting – modifying Gmail’s forwarding settings with JavaScript.

US-CERT Vulnerability Note VU#571584 is located here.
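What makes a forged settings change possible is that the browser attaches the session cookie to any request, including one triggered by another site’s script. The standard fix is a per-session token that the foreign page cannot read. The handler below is an added example written for this page, not Google’s code; the server secret, the session ids and the form field names are constructed.

```python
import hashlib
import hmac

# Constructed server-side secret; a real deployment loads it from configuration.
SERVER_SECRET = b"constructed-demo-secret"


def issue_csrf_token(session_id: str) -> str:
    """Derive the token the settings page embeds in its form for this session."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def update_forwarding(session_id: str, form: dict, settings: dict) -> bool:
    """Apply a forwarding-address change only if the form carries this session's token.

    `session_id` is what the cookie identifies, so a cross-site request has it
    automatically. The token is only visible to pages served from our origin,
    so a forged request arrives without it and `settings` is left untouched.
    """
    expected = issue_csrf_token(session_id)
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(expected, supplied):
        return False
    settings["forward_to"] = form["forward_to"]
    return True


def demo() -> dict:
    """Replay both cases: a forged cross-site post and the legitimate form."""
    settings = {"forward_to": ""}
    # Forged request: cookie (session) present, token absent.
    forged_ok = update_forwarding("sess-1", {"forward_to": "forward@attacker.invalid"}, settings)
    # Legitimate request from our own settings page.
    token = issue_csrf_token("sess-1")
    real_ok = update_forwarding("sess-1", {"forward_to": "me@example.test", "csrf_token": token}, settings)
    return {"forged_accepted": forged_ok, "real_accepted": real_ok, "forward_to": settings["forward_to"]}
```

Comparing with hmac.compare_digest keeps the check constant-time; binding the token to the session id means a token captured from one session is useless against another.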


These bad days of Google’s security team

This week started with news of three serious vulnerabilities in Google’s services and products – via the hacademix.net post GoogHOle (XSS pwning GMail, Picasa and almost 200K customers).

But it appears the information was already public on Sat 22nd Sep.

The report says the Google security team was contacted before the release process. The exact date is not known, however.


Flayer is Google’s step into Web application security testing

Google introduced the tool recently via its Online Security Blog.

The tool is released under GNU General Public License v2.

The home of the new project is here: code.google.com/p/flayer/

Visitors to the WOOT ’07 conference are aware of it already.


JFFS2 ACL security issue in OLPC project – the first one?

Let the CVE describe the vulnerability:

JFFS2, as used on One Laptop Per Child (OLPC) build 542 and possibly other Linux systems, when POSIX ACL support is enabled, does not properly store permissions during (1) inode creation or (2) ACL setting, which might allow local users to access restricted files or directories after a remount of a filesystem…

The only references available are:

from the Linux MTD mailing list
from the ticket system of Laptop.org

It appears that the CVSS score assigned last week is 4.4, i.e. Medium.

OVPC – One Vulnerability Per Child or do we have any others?

Hey, this is post #1000 ;-) and there are 925 posts in the archive.


13-year-old MBR virus – and shipped with Medion laptops

The German company Medion has confirmed that it has shipped laptops containing an MBR virus – public since 1994.

According to Sunbelt the virus is Stoned.Angelina.

Symantec write-up here and F-Secure write-up here (the same name in use).
It appears that the affected model is the Medion MD 96290 notebook. Link to the vendor’s FAQ page (German language):

Please check the entry ‘Wichtige Produktinformation zum Notebook MD 96290’ (‘Important product information on the MD 96290 notebook’).

Update: Or the following permalink www.medion.de/popup_md96290.htm

The number of infected laptops, and how the master boot record virus can find its way onto brand new machines (without a floppy drive, I believe), is not known.
But this is not the first time.

Exactly two years ago Creative shipped several thousand Zen Neeon MP3 players containing the Windows worm Wullik.B.

And back to 1995 (from F-Secure’s Angelina description):

In October 1995 [Stoned.Angelina] was found on new Seagate 5850 (850 MB) IDE hard disks.

Update #2: There is no floppy drive included.
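Whatever the delivery route, a boot-sector virus has to rewrite sector 0, so the practical check on a batch of new machines is to compare each one’s MBR against a baseline taken from a known-clean unit of the same model. The script below is an added example written for this page, not a vendor or anti-virus tool; the 440/446/510 offsets are the standard MBR layout, and both sample sectors are constructed (the “infected” one simply has its boot code overwritten, it is not a sample of Stoned.Angelina).

```python
import hashlib

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR


def mbr_summary(sector: bytes) -> dict:
    """Hash the parts of an MBR separately: boot code (what a boot-sector virus
    overwrites), partition table (what it usually leaves alone) and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = sector[:440]            # bootstrap code; bytes 440-445 hold the per-disk signature, excluded
    partition_table = sector[446:510]   # four 16-byte partition entries
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partition_table_sha256": hashlib.sha256(partition_table).hexdigest(),
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR with the summary of a known-clean machine of
    the same model. Returns a list of findings; an empty list means no change."""
    current = mbr_summary(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code differs from baseline (possible MBR infection or changed boot loader)")
    if current["partition_table_sha256"] != baseline["partition_table_sha256"]:
        findings.append("partition table differs from baseline")
    return findings


def read_mbr(device: str) -> bytes:
    r"""Read sector 0 of a raw device, e.g. /dev/sda or \\.\PhysicalDrive0 (needs admin rights)."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


# Constructed sample: a "clean" MBR with dummy boot code and one partition entry,
# and an "infected" copy whose boot code has been overwritten.
def _constructed_clean_mbr() -> bytes:
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:8] = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"   # typical-looking x86 bootstrap prologue
    mbr[446:462] = b"\x80\x01\x01\x00\x07\xfe\xff\xff\x3f\x00\x00\x00\x00\x00\x10\x00"
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


CLEAN_MBR = _constructed_clean_mbr()
INFECTED_MBR = b"\xeb\x00" + bytes(438) + CLEAN_MBR[440:]   # boot code replaced, rest intact
```

Take the baseline with mbr_summary(read_mbr(...)) on a machine you trust, store the two hashes, and run check_mbr on every other unit before it is handed out; a changed boot code hash with an unchanged partition table is exactly the pattern a master boot record infection leaves behind.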


Tor – an onion which discloses your military and embassy secrets

If someone missed this:

Rogue Nodes Turn Tor Anonymizer Into Eavesdropper’s Paradise, reporting on a very interesting finding by Swedish IT security consultant Dan Egerstad.

The original blog entry here: Time to reveal…


Sony about rootkits: Not many USM-F sticks were sold

New information is available on the rootkit issue in Sony MicroVault USB sticks with a fingerprint reader.

One of the stories is this Computer Weekly article which states:

A Sony spokesperson said: “While relatively small numbers of these models were sold, we are taking the matter seriously and conducting an internal investigation. No customers have reported problems related to situation to date.”

And earlier, F-Secure’s Mikko Hyppönen pointed out several reasons why this issue is less serious than Sony BMG’s XCP issue was.


Bank of India: We’re back – with pop-ups

The Web site of Bank of India is up and working again after the very serious attack last week.

From the pop-up generated by


In reference to our RFP BOI/HO/IT/FIS/1 dated 1.8.2007 for providing Financial Inclusion solution the due date for submission of the bid is extended up to 8th September 2007

But after a delay of some seconds the following error message appeared (Safari in use):

Server Error in ‘/’ Application.
The resource cannot be found
Description: HTTP 404
Requested Url: /home/OpinionPoll/opinionpoll.aspx

On Monday 3rd Sep the format of the main page URL was different:

generating a 404 today.

Since last Saturday they have shown the following statement, without any information about Trojan/spyware risks:

This site is under temporary maintenance till further notice.
Kindly bear with us

BTW: Their online banking system Star Connect uses pop-ups as well.