Here’s a collection of recent security vulnerabilities and alerts, which covers a new social-engineering trick based on YouTube, a vulnerability in the Net::HTTPS module of the Ruby scripting language, and news that the URI security vulnerability has finally been fixed by Microsoft in November’s Patch Tuesday.
- New YouTube social-engineering trick
It appears that a new social-engineering trick is in town, leveraging the popularity of YouTube to persuade users into installing a malicious program that comes disguised as a Flash player.
The contaminant reaches computers via e-mails containing a link to an allegedly interesting YouTube video. But instead of landing on the YouTube website, victims end up at a site that looks incredibly similar to YouTube and tells visitors that the video cannot be played because a player has to be installed. Surfers are then asked if they want to download and install the Flash player. Need we add that the player is not what it seems to be?
- Flaw results in Ruby applications accepting arbitrary SSL certificates
Security services provider iSEC has an advisory about a vulnerability in the Net::HTTPS module of the Ruby scripting language.
The vulnerability results from the Net::HTTPS library failing to validate the name on the SSL certificate against the DNS name requested by the user. Because the name is never checked, the library accepts any cryptographically valid certificate, even one whose CN does not match the host the client asked for.
An attacker could therefore use an arbitrary valid certificate issued by a public CA to infiltrate a connection using a MITM (man-in-the-middle) attack.
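The missing step described above is hostname verification: after the chain validates, the client must still confirm that the certificate names the host it intended to reach. The following Ruby code is an added example, not code from iSEC's advisory or from the Ruby project; it builds a constructed self-signed certificate for the made-up host `example.test`, runs the identity check that the vulnerable Net::HTTPS skipped, and shows the weak client setting beside the hardened one.

```ruby
require 'openssl'
require 'net/http'

# Build a constructed self-signed certificate for the demo. The host name
# "example.test" is an assumption for this example only; a real deployment
# would use a certificate issued by a trusted CA.
def build_test_cert(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600

  # Modern clients match against subjectAltName dNSName entries first and
  # only fall back to the CN when no SAN names are present.
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(
    ef.create_extension('subjectAltName',
                        "DNS:#{common_name}, DNS:www.#{common_name}")
  )
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The check the advisory says was missing: does the certificate's identity
# (SAN dNSName or CN) match the DNS name the caller requested? A valid
# certificate for some other domain must fail here, which is what blocks the
# MITM scenario described in the advisory.
def certificate_matches_host?(cert, requested_host)
  OpenSSL::SSL.verify_certificate_identity(cert, requested_host)
end

# Weak configuration: VERIFY_NONE disables chain validation, and with it the
# post-connection hostname check, so any certificate is accepted.
def insecure_http(host, port = 443)
  http = Net::HTTP.new(host, port)
  http.use_ssl     = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  http
end

# Hardened configuration: VERIFY_PEER rejects untrusted chains, and current
# Net::HTTP then also verifies the certificate name against the requested
# host (via OpenSSL::SSL::SSLSocket#post_connection_check) before any data
# is sent.
def hardened_http(host, port = 443)
  http = Net::HTTP.new(host, port)
  http.use_ssl     = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store  = OpenSSL::X509::Store.new.tap(&:set_default_paths)
  http
end

if $PROGRAM_NAME == __FILE__
  cert = build_test_cert('example.test')
  %w[example.test www.example.test attacker.test].each do |host|
    puts "#{host.ljust(18)} matches: #{certificate_matches_host?(cert, host)}"
  end
end
```

When auditing Ruby code bases for this class of issue, grep for `VERIFY_NONE` and for custom `verify_callback` blocks that return `true` unconditionally; both reproduce the advisory's outcome even on a patched Net::HTTPS.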
- URI security vulnerability patched by Microsoft
One of the two security bulletins in November’s Patch Tuesday finally resolves a vulnerability in the way that the Windows shell handles specially crafted URIs passed to it by other applications.
To recap (SearchSecurity.com):
If the Windows shell doesn’t sufficiently validate these URIs, Microsoft said, it could enable an attacker to run malware on targeted machines. Microsoft said the vulnerability exists in a Windows file, Shell32.dll, which is included in all supported editions of Windows XP and Windows Server 2003.
It might be worth noting that the second bulletin this month (MS07-062) resolves a potential spoofing vulnerability in Windows DNS servers.