05-06

Two new flaws were reported in Internet Explorer on Thursday. Less than two days after a new flaw was reported in the popular browser by researcher Michal Zalewski, the French Security Incident Response Team (FrSIRT) posted information on two new unpatched flaws on its website. This brings the total number of unpatched IE flaws to three. Exploit code for the two new flaws is already available on the Internet. Zalewski's flaw is an error in HTML tag processing that can allow attackers to run malicious code. The first of the new flaws is a race condition in the way ActiveX controls are handled; it could allow an attacker to install or execute a malicious ActiveX control on the victim's machine. The second flaw is a problem with the way "mhtml:" URL redirections are handled and could allow attackers to read content and data served from another domain in the context of a malicious Web page.

Microsoft has confirmed that the firewall in Windows Vista will have half its protection turned off by default, because that is what enterprise customers have requested. The updated firewall will be able to inspect outgoing as well as incoming traffic, an improvement over the current firewall, which only monitors incoming traffic. However, the default configuration in Vista will block incoming traffic only. The default level of protection will be lower to make life easier for the company's enterprise customers. Customers' concerns were mainly that configuring permissions for outbound traffic is a task that requires a level of technical knowledge the average user does not have.
        
The Mozilla project next week plans to release an update to its Firefox browser. The update will fix a publicly disclosed security issue in the software. News of the update came as developers also confirmed that they were dropping a highly anticipated bookmarking feature, called Places, from the next major Firefox release, due later this year. Mozilla reported that the Firefox 1.5.0.3 update had been scheduled for delivery on Friday this week but was delayed. Developers have reduced the number of features in the update so that the security patch can be released more quickly.

American Express has issued a warning about what it calls a false "security measures" pop-up screen that appears when users log in to its secure site. The credit card and travel services company posted an alert on its website about the pop-up, which tries to lure the user into entering their name, Social Security number, mother's maiden name and date of birth. The company has further stated that the pop-up is not the result of a compromise of its website. Rather, it appears to be caused by a virus residing on the user's machine. Researchers tracking malicious Internet activity say the fake pop-up is a classic example of a banking Trojan targeting specific financial institutions. Such Trojans are usually spammed as attachments or as URLs pointing to malicious Web sites, and they stealthily infect unpatched computers running without anti-virus protection.

Oracle's old nemesis David Litchfield of UK-based Next Generation Security Software (NGSS) has warned that April's update for Oracle 10g Release 2 does not fix a security flaw for which exploit code has been released. While experts initially believed that the exploit released last week targeted a flaw that Oracle had patched, it turned out that the code actually made use of a new problem. Intruders can gain higher privileges on a system via the new flaw in the database's export extension. According to Litchfield, the flaw was reported to Oracle in February of this year, and he has expressed frustration that it was not corrected.

In another example of "ransomware," a new Trojan horse threatens to delete files unless the victim pays up. The Trojan horse, dubbed Ransom-A by antivirus company Sophos, displays some explicit images. It then shows an expletive-laden message that demands a $10.99 payment, failing which it will delete one file every 30 minutes. The Trojan asks for payment via the Western Union money transfer service and promises delivery of a special disarming code after the ransom is paid. This is the second such piece of malware spotted in as many months, giving rise to fears that it could be the beginning of a growing trend of malware designed to extort money.

Health insurer Aetna Inc. said a laptop computer containing personal information on about 38,000 of its members was stolen from an employee's car. According to Aetna, the data includes names, addresses and Social Security numbers, but no personal banking information or health claim data was on the laptop. The members are employees of two companies that are Aetna customers. The two companies had asked that their names not be disclosed until the potentially affected members had been notified. Aetna, with about 27.9 million members, is one of the largest health care insurers in the U.S. The company said it is working to notify all affected members by letter and has offered to pay for credit monitoring services for the affected members to help prevent potential misuse of the information. To date, there is no evidence that the stolen information has been misused.