eWorld Translations

ControlScan is settling with the Federal Trade Commission (FTC) over charges that it misled customers about how it verified their security and privacy practices; according to the FTC, ControlScan performed “little or no verification” of whether or not their practices were protecting their site visitors’ security and privacy.

Furthermore, even though its seal displayed a current date, ControlScan did not perform reviews of the sites on a daily basis, per the FTC’s allegations.

More detailed coverage of the settlement is available at the FTC site.

For assistance in reviewing and updating your current policies and procedures, contact us today.

A zero-day flaw in both Visual Basic Scripting (VBScript) and Windows Help is under investigation by Microsoft since this vulnerability could be exploited to introduce malware on computers that are running the Windows 2000, Windows XP or Server 2003 operating system and which use Internet Explorer (IE) version 7 or 8.

Polish security analyst Maurycy Prodeus, with iSEC Security Research, who revealed the vulnerability and posted attack code last week, called the bug a “logic flaw.”

Another security researcher, Cesar Cerrudo, believes “that there is a high probability a regular user will press F1 key if asked, since an attacker can annoy the user with hundreds of messages telling the user to press F1 to continue.”

One of the workarounds offered by Microsoft, namely to not press the F1 key when prompted by a website to do so, is a no-brainer and boils down to common sense. Prodeus’ attack is successful, as Cerrudo points out, because it abuses the VBScript “MsgBox()” function.

According to Microsoft’s Security Advisory, Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 are not vulnerable to this attack.

Let us help you to assure that your products, policies and procedures are up-to-date. Contact us today.

RealDVD, the DVD copying software by RealNetworks, will no longer be supported by the company nor will any similar technology that enables the duplication of copyrighted content.

This is the result of settlement reached with the Motion Picture Association of America (MPAA) which had alleged that the product, in essence, allowed people to steal DVDs.

While RealNetworks argued that the product was intended and designed to allow people to make backup copies to their PC’s hard disk of movies they had purchased legitimately, the company probably did not want to drag this on any longer in court, risking even higher costs than the 4.5 million US dollars they have to pay under the settlement to cover the plaintiff’s legal fees.

The 2700 people who purchased RealDVD will each receive a reimbursement in the amount of 30 US dollars.

The general counsel of the MPAA, Daniel Mandil, asserts that copying DVDs amounts to “theft.”

According to security and vulnerability research company Secunia, a typical home user who is running Windows is facing the “unreasonable” challenge to patch one software or another every five days.

In the last week of January, of the users who ran Secunia’s Personal Software Inspector (PSI) application, half had at least 66 programs from more than 21 vendors on their machines, resulting in the need to master 22 or more different patch mechanisms.

While Secunia’s Chief Security Officer, Thomas Kristensen, is calling for software vendors to create a unified patching standard, he is not holding his breath for this to become a reality any time soon.

Therefore, the company is releasing a technical preview of PSI 2.0 which will include automatic updating functionality reminiscent of what Microsoft provides for Windows and other software. Their patch tool eventually will handle 70-80% of the software on consumers’ Windows machines.

You can read more about Secunia’s PSI findings in their white paper.

We’ll gladly help you to review and update your computer’s configuration, your security mechanisms and your policies. Contact us today.

Last week, Skype released version 4.2 of its Voice-over-IP (VoIP) and instant messaging client software, available for download here.

Among the new and improved features are

• Improved first-time user setup flow
• Call Quality Indicator
• Call Transfer
• Improved importing of contacts from other address books
• Client alerts
• Improved video quality in low bandwidth conditions
• Support for 720p video calls with the new encoding web-cameras that will be available soon
• Incoming authorization requests are now shown when a user returns to Skype after having been away for a while
• The Video call button is now always visible, even if there isn’t a web camera detected
• The default privacy settings for Instant Messages were changed from “anyone” to “people in my contact list only”
• The localization of Arabic and Brazilian Portuguese was also improved

For additional details as well as a comprehensive overview of known issues, please consult the release notes.

If you would like some help setting up and/or configuring Skype or to discuss your communications needs, contact us today.

A flaw in Adobe’s Download Manager (DLM) exposes users to the installation of arbitrary software on vulnerable Windows systems.

While the DLM ActiveX control and the corresponding Firefox plug-in under Windows normally is not installed permanently on personal computers, it stays on the system and remains active until said computer is rebooted.

The culprit is that Adobe’s DLM tells users what it is downloading but does not ask for permission before installing the download(s) on Windows XP computers. Under Windows 7 and Vista, on the other hand, the UAC steps in, requesting confirmation of the intention to install.

The aforementioned situation arises for example when a user has installed an update to the Adobe Flash Player, Adobe ShockWave, Adobe Reader or any of the other Adobe products.

If  you would like us to help you assess your exposure to these and other vulnerabilities, and to discuss and implement tools, policies and procedures to remedy them, contact us today.

Using a technique demonstrated last week by Ashley Towns, a 21-year-old unemployed Australian programmer, as a self-described “prank,” hackers have started pillaging personal and business data from jailbroken iPhones.

The vulnerability in question consists of the unchanged default password of the Secure Shell (SSH) Unix utility that users installed while or after jailbreaking their phone. SSH allows users to connect to their iPhone through an encrypted channel remotely over the Internet or a local area network (LAN).

Given that this “vulnerability” provides the attacker with root (superuser/full) access to the iPhone, various other scenarios are just as likely to occur soon, such as running up phone bills, sending bulk MMS/SMS messages, etc.

Let us help you assure that your valuable data is well-protected. Contact us today.

It seems likely that cyber criminals will soon start to exploit a Windows kernel vulnerability involving Embedded Open Type fonts. Microsoft released a fix for this vulnerability earlier this week.

Please take a few minutes to install this security fix as well as other recommended and security patches available. Otherwise a drive-by attack could exploit the way in which the kernel parses said fonts.

This means no user interaction whatsoever is required on a vulnerable system to become infected, other than visiting a website that contains infected or maliciously crafted content.

To find out more about this Windows Kernel flaw, take a look at the respective Microsoft Bulletin.

If you would like our help in reviewing the status of your present IT environment and assuring that you are well-protected, contact us today.

In the just released version 4.0.4 of its Safari web browser, Apple has fixed a total of seven vulnerabilities (of which two could have resulted in the execution of arbitrary code) and also improved the performance of the browser’s Nitro JavaScript engine.

Apple claims that only the Windows versions of Safari are affected by the critical issues. A specially crafted image loaded by the Safari browser would be sufficient, or accessing a maliciously crafted FTP server.

All Safari users are advised to update their browsers as soon as possible. Safari 4.0.4 is available to download for Windows XP, Vista, Windows 7, Mac OS X 10.4.11, 10.5.8 and 10.6.1.

If you would like us to help you assure that all your applications are at a secure release level and that your computer systems and resources are well protected, contact us today.

Mozilla recently updated its Firefox 3.5 browser to version 3.5.4, fixing 16 security flaws of which 11 were critical, e.g. posing a risk of remote code execution.

While Mozilla also released version 3.0.15, fixing nine flaws of which four were critical, Mozilla still plans to discontinue its support for Firefox 3.0 in January 2010.

For more details regarding the vulnerabilities, see:

• Security Advisories for Firefox 3.5
• Security Advisories for Firefox 3.0

To take a look at the respective release notes, visit:

• Firefox 3.5.4 Release Notes
• Firefox 3.0.15 Release Notes

If  you would like us to help you assure that you are properly protected from these and other vulnerabilities, contact us today.