Dec 28 2010

Mozilla site exposed encrypted passwords

addons.mozilla.org disclosure
12.27.10 – 10:35pm

On December 17th, Mozilla was notified by a security researcher that a partial database of addons.mozilla.org user accounts was mistakenly left on a Mozilla public server. The security researcher reported the issue to us via our web bounty program. We were able to account for every download of the database. This issue posed minimal risk to users, however as a precaution we felt we should disclose this issue to people affected and err on the side of disclosure.

The database included 44,000 inactive accounts using older, md5-based password hashes. We erased all the md5-passwords, rendering the accounts disabled. All current addons.mozilla.org accounts use a more secure SHA-512 password hash with per-user salts. SHA-512 and per user salts has been the standard storage method of password hashes for all active users since April 9th, 2009.

It is important to note that current addons.mozilla.org users and accounts are not at risk. Additionally, this incident did not impact any of Mozilla’s infrastructure. This information was also sent to impacted users by email on December 27th.

Chris Lyon
Director of Infrastructure Security – Mozilla

Dec 26 2010

Man quits job, makes living suing e-mail spammers

Daniel BalsamSan Fracisco : Daniel Balsam hates spam. Most everybody does, of course. But he has acted on his hate as few have, going far beyond simply hitting the delete button. He sues them.

Eight years ago, Balsam was working as a marketer when he received one too many e-mail pitches to enlarge his breasts.

Enraged, he launched a Web site called Danhatesspam.com, quit a career in marketing to go to law school and is making a decent living suing companies who flood his e-mail inboxes with offers of cheap drugs, free sex and unbelievable vacations.

“I feel like I’m doing a little bit of good cleaning up the Internet,” Balsam said.

From San Francisco Superior Court small claims court to the 9th U.S. Circuit Court of Appeals, Balsam, based in San Francisco, has filed many lawsuits, including dozens before he graduated law school in 2008, against e-mail marketers he says violate anti-spamming laws.

His many victories are mere rain drops in the ocean considering that Cisco Systems Inc. estimates that there are 200 billion spam messages circulating a day, accounting for 90 percent of all e-mail.

Still, Balsam settles enough lawsuits and collects enough from judgments to make a living. He has racked up well in excess of $1 million in court judgments and lawsuit settlements with companies accused of sending illegal spam.

His courtroom foes contend that Balsam is one of many sole practitioners unfairly exploiting anti-spam sentiments and laws. They accuse him of filing lawsuits against out-of-state companies that would rather pay a small settlement than expend the resources to fight the legal claims.

By Paul Elias
Associated Press – Seatle Post-Intelligencer

Dec 23 2010

All versions of Internet Explorer under threat

Internet ExplorerToday Microsoft released a new security advisory to help protect users from a vulnerability affecting Internet Explorer versions 6, 7, and 8. Exploiting this vulnerability could lead to unauthorized remote code execution inside the iexplore.exe process.

Internet Explorer loads mscorie.dll, a library that was not compiled with /DYNAMICBASE (thus not supporting ASLR and being located always at the same base) when processing some HTML tags. Attackers use these predictable mappings to evade ASLR and bypass DEP by using ROP (return oriented programming) gadgets from these DLLs in order to allocate executable memory, copying their shellcode and jumping into it.

Although Microsoft is currently not aware of any attacks, given the public disclosure of this vulnerability, the likelihood of criminals using this information to actively attack may increase.

Users of Windows Vista and later versions of Windows are strongly encouraged to protect themselves against this issue by installing the free Enhanced Mitigation Experience Toolkit (EMET) and proceed to protect the iexplore.exe process.

When EMET is in place, this type of exploit will most likely fail. This is because of at least three mitigations:

  • Mandatory ASLR: This mitigation will force the mscorie.dll to be located on random addresses each time.
  • Heap Spray pre-allocation: Some of these exploits use some common used heap pages for placing ROP data such as 0x0c0c0c0c.
  • EAT Filtering: Running shellcode can potentially be blocked by this mitigation.

Additionally, users should be aware that protected Mode in Internet Explorer on Windows Vista and Windows 7 helps to significantly limit the impact of currently known exploits. Protected Mode is on by default in Internet and Restricted sites zones in Internet Explorer 7 and 8, and prompts users before allowing software to install, run or modify sensitive system components.

Microsoft continues to investigate the vulnerability and will release a comprehensive security update once available.