Earlier today Wesley Kerfoot reported on the Full Disclosure mailing list that a page in the Paypal.com domain is susceptible to a non-persistent reflected cross site scripting attack (XSS). While non-persistent XSS bugs are somewhat common, this is quite serious for a site like PayPal, where user accounts are linked directly to bank accounts, debit, or credit cards and payment can be made to third parties without any additional authentication after user access is gained.
Archive for March, 2010
Refusing to maintain and follow a good termination checklist that walks through what access rights to decommission when someone leaves your company can put the brakes on your customers’ good will. Texas Auto Center in Austin Texas demonstrated the headaches that ensue when in February they left more than 80 customers who financed cars unable to get to school, work, and stuck with charges for towing and unnecessary repair work.
Originally diagnosed as mechanical failures in the cars, the problems stopped as soon as all the passwords for the WebTeckPlus system used by the firm were reset. A recently terminated employee, twenty year old Omar Ramos-Lopez, had used still active credentials to login to the web administration portal of the Auto Center’s payment incentive vendor and used it to disable vehicle starters or, according to police reports, have horns honk through the night.
The agitation in the voice on the phone shook me from sleep early Saturday morning: My Uncle the surgeon had a computer problem and he was concerned enough to call. He explained he had been trying to view pictures of a newly renovated base in South Korea when all of a sudden McAfee popped up and did a scan, revealing 28 viruses. But for some reason the new module McAfee wanted him to install wasn’t working because the site wouldn’t accept either of his credit card numbers.
The announcement came out earlier today that SecurityFocus, a long standing security news portal started in 1999 and home of a number of popular mailing lists including the well known Bugtraq is being shuttered by Symantec. While aspects of the site will continue (the mailing lists will remain and some content will be moved to Symantec Connect), the loss of the news portal and site itself is a significant loss of historical perspective on the information security industry from what was a long standing news and research source.
We posted an aside yesterday referencing Microsoft’s recent blog post for new security advisory 981374 referencing a new zero day vulnerability in Internet Explorer versions 6 and 7. New details have emerged since, and the exploit has moved from being what was described as part of “limited targeted attacks” to being widely accessible and available as a new module for the Metasploit framework.
A blog post on the MSRC web site warned of a new zero-day in Internet Explorer versions 6 and 7 running on Windows XP, Windows 2000, or Windows 2003. The post references Security Advisory (981374), and at this time there aren’t many details about the vulnerability other than what MS has stated in the advisory.
Today is patch Tuesday for March 2010, and Microsoft has released two security bulletins for this round of updates, neither of which are deemed critical. The second bulletin addresses seven different vulnerabilities across various versions of Microsoft Office Excel.
Microsoft published security advisory 981169 yesterday in response to the zero day vulnerability reported a few days prior. The vulnerability is in the help system and can be triggered by luring an Internet Explorer user into pressing the F1 key. Windows 2000, Windows XP SP2 & SP3, and Windows 2003 SP2 with Internet Explorer 7 [...]