
Tuesday, February 28, 2006

Java Trojan RedBrowser-A Targets Cell Phones

Evildoers have created a Trojan that targets cell phones running Java. Found by Kaspersky Lab, this puppy infects any device capable of running Java applications. The text is only in Russian so far, so the chance of running into this outside of that country is small. The threat is that someone may reverse engineer it for other countries, so keep on your toes. This Trojan pretends to be a WAP browser offering free browsing via SMS messages. Since many companies the world over offer cheap or free SMS, the victim is tricked into believing they are able to browse the Web for free. In reality the Trojan sends SMS messages to one specific number that will charge back a premium amount on the victim's cell phone bill. Best Practices circa 1878: If it sounds too good to be true it probably is. Best Practices circa 2006: If it sounds too good to be true Google it.

Tuesday, February 21, 2006

Mac Safari Browser Vulnerability

Secunia is reporting on a vulnerability in the Safari browser caused by an error in the processing of file association meta data (found in the "__MACOSX" folder) in .ZIP archives. This could cause users to execute a malicious shell script that has been renamed to a safe file extension stored in a .ZIP archive.

Worse, it can also be exploited automatically when Safari visits an evil web site.

Secunia has a test available to confirm if your system is vulnerable: http://secunia.com/mac_os_x_command_execution_vulnerability_test/

The vulnerability can be lessened by disabling the "Open safe files after Downloading" option in Safari.
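A defender-side check for the archive layout described above, added here as an example (it is not Secunia's test and not code from this post): it flags ZIP members whose extension looks safe but whose content starts with a script shebang, and notes whether a matching `__MACOSX` metadata entry accompanies them. The extension list, function names and sample archive are assumptions constructed for illustration.

```python
import io
import posixpath
import zipfile

# Assumed sample of extensions a user would treat as "safe" to open.
SAFE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".mov", ".mp3", ".pdf", ".txt"}

def suspicious_entries(zip_bytes):
    """Return [(member, reasons)] for safe-looking members that are really scripts."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = set(zf.namelist())
        for info in zf.infolist():
            name = info.filename
            if name.startswith("__MACOSX/") or name.endswith("/"):
                continue  # skip the metadata tree itself and directories
            if posixpath.splitext(name)[1].lower() not in SAFE_EXTS:
                continue
            with zf.open(info) as fh:
                if fh.read(2) != b"#!":
                    continue  # content is not a script
            reasons = ["shebang"]
            # Metadata sidecar lives at __MACOSX/<folder>/._<basename>
            folder, base = posixpath.split(name)
            if posixpath.join("__MACOSX", folder, "._" + base) in names:
                reasons.append("macosx-metadata")
            findings.append((name, reasons))
    return findings

def build_sample():
    """Constructed, harmless sample archive held in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg", "#!/bin/sh\necho constructed sample\n")
        zf.writestr("__MACOSX/._holiday.jpg", b"constructed placeholder")
        zf.writestr("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("notes.txt", "plain text, no shebang\n")
    return buf.getvalue()

if __name__ == "__main__":
    for name, reasons in suspicious_entries(build_sample()):
        print(f"{name}: {', '.join(reasons)}")
```

A hit with both reasons matches the pattern in the advisory; a shebang alone under a media extension is still worth a look before the file is opened.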

Saturday, February 18, 2006

Later? NO . . . NOW!

According to InfoWorld, evildoers have already released Malware that targets flaws in Microsoft products that were patched yesterday. So, those of you who have your Windows Update on Automatic are safe, but those of you who manually initiate the downloads or who casually thought, "Nah, I'll do it Sunday when I have time" may already be in a world of bad.

It is a good idea to set your Windows Update to anything but 'Turn off Automatic Updates'. In fact, if you are the procrastinating type then you should not use 'Notify me but don't automatically download or install them' because by the time you get around to it, it may be too late.

If you frequently start up and shut down your PC it may be that even 'Download updates for me, but let me choose when to install them' won't work for you but please try it.

Your best bet is to use 'Automatic (recommended)' so there is no delay in patching your box. If your routine is to boot up your PC every morning at 7:00 AM and start downloading your email while you brew the coffee, why not set your update time to coincide with it? No muss, no fuss. Don't you feel better already?

Start - Settings - Control Panel - Security Center: Click Automatic Updates ;-)

Security Center - Automatic Updates

Automatic Updates Dialogue Box:

Posted by Matthew Carrick at 8:55.32 AM EST | Permanent Link

| Categories: Best Practices, Security Alerts

Basic Mac Security

Remember the old adage, security is a process not a product? Well, process this, Macheads: a simple list of items you should know/do/avoid when using OS X 10.4, courtesy of user codeport at Mac Geekery.

Posted by Matthew Carrick at 8:01.49 AM EST | Permanent Link

| Categories: All Things Mac, Best Practices

Friday, February 17, 2006

Mac OS X Bluetooth (Proof of Concept) Worm

When it rains it pours for you Macheads. F-secure received a sample virus, Inqtana.A, that spreads via the Bluetooth OBEX Push vulnerability described here: http://www.osvdb.org/displayvuln.php?osvdb_id=16074. The exploit is not in the wild and will expire on February 24, 2006 but to be safe from this threat now and in the future you are advised to install the latest patches for your OS X version 10.4 ASAP.

Posted by Matthew Carrick at 10:37.05 PM EST | Permanent Link
Comment by Mac MacIntosh McApple - Saturday 06th November 2010 11:16:44 PM

You have got to be kidding. "...when it rains it pours..."? Is that all you can come up with? You've got to try a little harder than that, Windows-Boy. Tell Bill that this little experimental purpose-built virus does NOTHING to impress either me, or my very select, somewhat smug, group of peers. But, until you all get up the nerve to change platforms (and, God willing, you never will) we can sit back, relax, and enjoy your futile struggles.
Har dee har har har...
Comment by Matthew - Monday 08th November 2010 04:07:05 PM

By God, Sir, you are an impertinent pup and deserve a sound thrashing. Commenting on events from years back is pointless. Pointless also describes your feeble argument. I pray this is the result of a blow to the head and not some genetic fault from which you would, of course, never recover.

| Categories: All Things Mac, Bluetooth, Headlines, Security Alerts, Viruses-Trojans-Worms

Thursday, February 16, 2006

First Mac OS X Virus

The first virus for Mac OS X has been encountered today. Called OSX/Leap.A by F-Secure, the Malware was posted via a link to the MacRumors forum. Supposedly a screenshot for Mac OS X v10.5 Leopard, the virus spreads through iChat.

It appears the victim must be running in Admin. mode to be infected. As with any OS, you should generally not be swanning around while in Admin. mode because of the risk of compromising your PC at the "root level" where all the important processes live. If these processes are taken over by rogue software you can lose complete control without even knowing it.

Do yourself a favour and make a new user on your Windows box with less than Admin. privileges before you go wandering off into the Interweb.

Wednesday, February 15, 2006

Windows Defender Released

Microsoft has released the second beta version of Windows Defender. Formerly called Windows AntiSpyware, the new version can be downloaded here: http://www.microsoft.com/athome/security/spyware/software/default.mspx

We trust this beta version won't pooch anyone's Norton Antivirus . . . a recommended download.

Posted by Matthew Carrick at 9:44.01 PM EST | Permanent Link

| Categories: Best Practices, Software Tools

Saturday, February 11, 2006

MS Anti-Spyware Deleting Symantec's Norton Anti-Virus?

A report in the Washington Post claims that Microsoft support has had complaints that its (Beta) Anti-Spyware application is deleting parts of Symantec's Norton Anti-Virus. Oops. The latest virus definitions seem to believe that Norton is the password-stealing Trojan called "PWS.Bancos.A" and so corrupt the Norton install.

Remember folks, BETA means, "it should work, but don't count on it for mission critical usage".

For now, I suppose run one or the other until they sort this out. Or use AVG instead ;-)

Posted by Matthew Carrick at 8:16.07 PM EST | Permanent Link

| Categories: Best Practices, Headlines

Thursday, February 09, 2006

IE7 beta released + weird behaviour

The beta version of Microsoft's Internet Explorer 7 is available for download. Please note that as a beta release this experimental software could cause untold havoc on your PC, so unless you are OK with that, wait until the first real version is released. I have done so and am impressed by the anti-phishing tool and with the inclusion of the ever popular 'Spoofstick'. Along with tabbed browsing and a sort-of decent RSS feed detector this browser will at least help to protect the hundreds of thousands of folks who are as yet clueless to the fact that IE6 is a security hole that you will eventually fall into!

One strange bit of action I am unhappy with is the occasional behind the scenes execution of a scheduled task called "System_Feed_Sync_Scheduler.job" which is I assume the RSS feed checking for updates except I don't have IE7 running when it happens!

If you check your %Windir%\tasks\ directory you will see two new jobs:

  1. System_Feed_Rescheduler
  2. System_Feed_Sync_Scheduler

Both jobs access "rundll32.exe" and "msfeeds.dll" which appears to be how Bill updates yer feeds.

I am no expert but it seems registering new scheduled events with privileges could be a problem?

Posted by Matthew Carrick at 11:49.37 AM EST | Permanent Link

| Categories: RSS Applications, Security Alerts

Wednesday, February 01, 2006

Firefox 1.5.0.1 Update

At around 6:00 EST the following appeared on my screen:

The first Firefox auto-update notice

Woo-hoo! Firefox is doing its first auto-update. I had plum forgot that it was going to happen.
After Firefox restarted the following loaded showing all is well:

Firefox successfully updated

Excellent!

Posted by Matthew Carrick at 10:23.20 PM EST | Permanent Link

| Categories: Mozilla Firefox