Browser

Check out this roundup of recent security threats

No single major security threat has emerged recently, so John McCormick's taking the opportunity to concentrate on a hodgepodge of various important threats. Get the details on the latest security threats out there, including troubles with Netscape 8, a new form of online extortion, and more.

Thanks to no single major vulnerability this week, here's a roundup of the latest security threats out there, including troubles with Netscape 8, an update to Mac OS X, rumblings in open source heaven, a new form of online extortion, and even a Prius warning.

Details

No single major security threat has emerged recently, so I've decided this week to concentrate on a hodgepodge of various important threats. While all of these threats are equally significant, there's no real underlying thread to unify them all. Nevertheless, these vulnerabilities are important to someone, so I'm using a different format this week to address all of the threats equally.

Apple update

Apple has released the Mac OS X 10.4.1 Update, part of which confirms the existence of a file disclosure vulnerability in the Bluetooth implementation of Mac OS X 10.4. A pair of file access vulnerabilities has also surfaced, but they're less critical because they only expose files locally. In addition, the update addresses a Dashboard widget vulnerability in Mac OS X 10.4, which can allow a malicious site to download Dashboard widgets without warning.

Browser woes

Netscape has apparently found the perfect way to combat Internet Explorer. According to Dave Massey's blog reports, the recently released version 8 of the browser appears to break XML rendering if you try to run IE. Some people say this is unimportant; however, they apparently don't know about RSS.

In addition, a report on Anglefire points out that Netscape 8 relies on some IE code to render trusted pages—now that's taking an independent stand!

The same report includes a note that the author tried to run Netscape 8 on an old Windows version without IE installed, and Netscape won't work. So, that apparently means that Netscape is dependent on IE and therefore is likely vulnerable to Internet Explorer bugs, as well as Firefox and Mozilla bugs it hasn't yet patched (it's always a generation behind Mozilla and Firefox)! Can you say the worst of both worlds?

Also, users who rushed to download Netscape 8 (someone out there must have) need to download version 8.0.1—released one day later—to fix the already known holes in Firefox 1.0.3, which served as the basis for Netscape 8. The moral here is that if you want to have the latest patches, you should probably stick to Firefox. And all of this comes out after AOL/Netscape bombarded users with ads about how secure the new Netscape version was going to be.

For Firefox fans (count me in), Internet services company Netcraft has released an anti-phishing toolbar for Firefox—a welcome security feature that Mozilla.org seems to have left out of an otherwise reasonably solid Firefox. For more details, check out the News.com report. And, in case you missed it, News.com also offered an analysis of why Firefox adoption appears to be slowing down, as well as a nice slideshow about Netscape 8's new features.

Open source switch

Over on the open source front, according to a Forbes report, Larry McVoy, BitMover CEO and long-time open source ally of Linus Torvalds, has jumped the open source ship, proclaiming, "Open source as a business model, in isolation, is pretty much unsustainable."

Spam and scams

I received some interesting spam the other day from Harrison Direct on behalf of DeVry University, essentially offering to teach me best practices in IT so I can get ahead. I wonder what they say about spam and HTML-only e-mails in their courses on e-commerce and security?

Whatever it is they have to say, I don't think I want to hear it. In fact, I'm doing a quick check because I think the message violates the CAN-SPAM Act—particularly since I've never had the slightest association or contact with DeVry.

Meanwhile, CipherTrust has built an online ZombieMeter that shows how many PCs (probably unknown to their owners) spammers are currently using to spread unsolicited e-mail. In addition, the ZombieMeter also shows any trends and the geographic location.

Encryption: It's not just for security anymore! Reports are emerging about crooks who are using malicious Web sites to penetrate systems—not to steal data but to encrypt files. They then offer to decrypt the information for a fee. In legal terms, that's what we call extortion.

Bugs on the move

And finally, just when you thought it was safe to get away from the office and go for a nice relaxing drive with no worries about software bugs, the U.S. National Highway Transportation Safety Administration has received 13 reports of Toyota's Prius gas-electric hybrid cars (2004 and 2005 models) stalling or shutting down at highway-driving speeds. The problem appears to be a software glitch in the car's complex computer system. Wow, talk about a software crash! To be fair, there have been no reports of injuries associated with this problem, but there have also been no reports about whether this glitch has caused any crashes.

I hope all my loyal readers—as well as those who just read this to catch me in a mistake—have an enjoyable holiday weekend.

Want to stay on top of the latest security updates? Automatically sign up for our free IT Locksmith newsletter, delivered each Tuesday!

John McCormick is a security consultant and well-known author in the field of IT, with more than 17,000 published articles. He has written the IT Locksmith column for TechRepublic for more than four years.

0 comments

Editor's Picks