This week's security roundup includes a new vulnerability discovered in Firefox, Microsoft admitting to a mistake with a recent Bluetooth patch, the lack of any progress at cracking the Gpcode.ak ransomware, and the loss of NHS laptops that could expose the personal particulars of up to 30,000 patients.
- New vulnerability affects Firefox 3
A researcher sold information pertaining to a critical vulnerability in Firefox 3 to TippingPoint's bug bounty program mere hours after its launch. Little information is available at this point, though it is known that the problem also affects Firefox 2 and has been classified as "critical."
"Successful exploitation of the vulnerability could allow an attacker to execute arbitrary code. Not unlike most browser based vulnerabilities that we see these days, user interaction is required such as clicking on a link in email or visiting a malicious web page."
The bug has been reported to Mozilla, who are currently working on a fix.
- Microsoft admits to mistake as it re-releases Bluetooth fix
Microsoft has admitted that a Patch Tuesday fix that was supposed to resolve a security vulnerability in the Bluetooth implementation of Windows failed to perform as expected. The MS08-030 update was supposed to resolve a security hole rated at "critical," the highest ranked threat in Microsoft's scoring system. It did not appear to have worked, at least for Windows XP SP2 and SP3.
Two separate instances of human error appear to have been the root cause, though investigations are still ongoing. Christopher Budd, a spokesman for the Microsoft Security Response Center (MSRC), noted in an email that, "When we're done with our investigation, we'll take steps to better prevent it in the future."
In the meantime, Microsoft MS08-030 has been re-released and seeded to the usual distribution channels, including Windows Update. You can read the revised MS08-030 bulletin for more information.
- 1024-bit ransomware resisting efforts to crack it
The improved version of the Gpcode ransomware, dubbed Gpcode.ak, continues to frustrate attempts to crack it. To be clear, "cracking" this new version of the ransomware is more a matter of finding implementation flaws than of finding the private key via brute force. In this respect, it appears to have eliminated the flaws that reverse engineers were able to leverage in the original version.
As mentioned by Kaspersky's VitalyK, "It's not possible to decrypt files encrypted by Gpcode.ak without the private key."
All is not lost if you are infected, however. It appears that Gpcode.ak makes a copy of a targeted file before actually encrypting it. Though the copy is ultimately deleted from disk, it is possible to retrieve the deleted file(s) using recovery utilities. You can check out more detailed instructions here.
- NHS laptop thefts expose personal particulars of up to 30,000 NHS patients
Details of more than 30,000 National Health Service (UK) patients could have been exposed following the theft of a number of NHS laptops in two separate incidents. While existing Department of Health requirements require confidential patient data to be encrypted when stored on a laptop, it was understood that the stolen laptops were only protected by passwords.
All patients involved were notified that the lost information included names, addresses, medical notes, dates of birth and medical histories.
What is worrying is the possibility that some of the laptops could have been deliberately targeted by someone seeking information on child patients, which is also on the stolen laptops. Six of the stolen laptops were taken by a "determined thief" who apparently forced open a filing cabinet and locked drawers to get to them.