Archive for the 'Other' Category

Updated: Confirmed bug in Firefox 1.5.0.3

Saturday, May 13th, 2006

We have confirmed a bug in Firefox 1.5.0.3 with DoS possibilities. When you download the source of the following page you will see what it does. It will open 100 mail forms, so be cautious when you open the link!

Source: http://www.securityfocus.com/archive/1/433534/30/30/threaded
Update:

One way to mitigate this: set
‘network.protocol-handler.warn-external.mailto’ to ‘true’ (it’s false by
default). This will show a popup dialog whenever a mailto link is
clicked (or opened in your case) instead of launching the mail
application right away. You still need to click the button 100 times,
but at least the system stays responsive.
Thanks to the guys at isc.sans.org for this workaround!

Update 2: Guys, this is a PoC, do you understand what it can do? Now it opens ~100 mail windows, but what if it does a lot worse, just because the img xsrc= tag can be used to open almost everything?

Flaw in RealVNC 4.1 gives an attacker control of any machine running RealVNC 4.1

Friday, May 12th, 2006

IntelliAdmin has discovered a flaw in RealVNC 4.1 which makes it possible to connect to any machine without authorisation. They had a PoC available at their site, but because of an article on Slashdot they have taken it down.

Update:

The PoC is down forever, so no more testing. But:

RealVNC has made a new version which is ready to download at http://www.realvnc.com/.

Bank loses computer with confidential data

Wednesday, May 10th, 2006

For the fourth time in the past 30 months, Wells Fargo & Co. has begun notifying customers about the potential compromise of confidential information following the theft of a company computer containing data on mortgage customers and prospective clients. The San Francisco-based bank on Friday posted a statement on its Web site saying that a computer belonging to its mortgage group had been reported as missing while being transported between Wells Fargo facilities by a global express shipping company. The stolen system contained information such as names, addresses, Social Security numbers and mortgage loan account numbers of Wells Fargo customers. “The computer has two layers of security, making it difficult to access the information,” the bank said. So far, at least, there is no indication that the information kept on the computer has been misused in any way, said Alejandro Hernandez, a company spokesman.

Read here (if the site works again)

Non-critical bug in Firefox 1.5.0.2

Monday, May 8th, 2006

A non-critical bug has been found in Firefox 1.5.0.2, and possibly earlier versions. Normally an Internet website should not be allowed to link to local resources (e.g. a file on the hard disk). However, in Firefox it is possible for a malicious website to open local content in the browser, by tricking a user into right-clicking and choosing “View Image” on a broken image.

This doesn’t pose any direct security impact but may be exploited in combination with other vulnerabilities.

OpenVPN 2.0.7 and below: Remote OpenVPN Management Interface

Thursday, May 4th, 2006

A silly design error is waiting to be exploited in OpenVPN 2.0.7 and lower. By default the Remote Management Interface can be set at a public Internet interface, making it possible to log in to the interface without any credentials being asked. Important to know is that by default, the management interface isn’t enabled.

Of course, it is a documented feature/bug/whatever, but still, I find it very stupid…
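
A configuration check for the exposure described above, as an added example that is not part of the original post or of OpenVPN itself: it scans an OpenVPN config for `management IP port [pw-file]` directives and flags those bound to a non-loopback address or lacking a password file. The sample configs, function names and severity labels are constructed for illustration.

```python
import ipaddress

# Constructed sample configs for illustration (not taken from the post).
EXPOSED = "port 1194\nproto udp\nmanagement 0.0.0.0 7505\n"
HARDENED = "port 1194\nproto udp\nmanagement 127.0.0.1 7505 /etc/openvpn/mgmt.pw\n"

def is_loopback(host):
    """True only when the bind address is provably local."""
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # other hostnames: cannot prove they stay local

def audit_management(config_text):
    """Return (line_no, severity, message) for every 'management' directive."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if line.startswith(("#", ";")):
            continue  # OpenVPN comment lines
        tokens = line.split("#", 1)[0].split()
        if len(tokens) < 3 or tokens[0] != "management":
            continue
        host, port = tokens[1], tokens[2]
        has_pw = len(tokens) > 3  # optional third argument: password file
        local = is_loopback(host)
        if not local and not has_pw:
            sev, msg = "critical", "network-reachable and no password file"
        elif not local:
            sev, msg = "warning", "password set, but bound to a non-loopback address"
        elif not has_pw:
            sev, msg = "notice", "loopback only, but any local user can connect"
        else:
            sev, msg = "ok", "loopback only with password file"
        findings.append((line_no, sev, f"management {host}:{port}: {msg}"))
    return findings

if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED), ("hardened", HARDENED)):
        results = audit_management(cfg)
        for finding in results or [(0, "ok", "management interface not enabled")]:
            print(name, *finding)
```

A config with no `management` line yields no findings, which matches the post's point that the interface is off by default.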

Companies sued for selling phone records

Wednesday, May 3rd, 2006

The US-FTC is asking a court to bar the sale of the phone records and force the companies to give up the money they made with their operations, Reuters’ news feed tells us. The FTC calls the selling of private phone records an outrageous thing, because it aims at customers’ privacy.

The FTC’s lawsuits follow great concern about websites offering to get phone numbers from visitors. The FTC charges the companies behind the website with “false pretenses, fraudulent statements, fraudulent or stolen documents or other misrepresentations, including posing as a customer of a telecommunications carrier”.

The companies who are being brought to justice are:

* Integrity Security & Investigations Services Inc
* 7 Investigations Inc.
* Reginald Kimbro
* AccuSearch Inc. (Abika.com)
* Jay Patel
* CEO Group Inc. (Check Em Out)
* Scott Joseph
* Information Search Inc.
* David Kacala

Public Exploit Code for Unpatched Vulnerability in Oracle

Tuesday, May 2nd, 2006

We are aware of some public exploit code for an unpatched vulnerability in Oracle Export Extensions. Exploitation of the vulnerability may give a remote attacker the possibility to execute arbitrary SQL statements with elevated privileges. This may allow an attacker to access and modify sensitive information within an Oracle database.

You can take the following actions to mitigate the security risks:

* Restrict access to Oracle:

Only known and trusted users should be granted access to Oracle. Additionally, user accounts should be granted only those privileges needed to perform necessary tasks.

* Change login credentials for default Oracle accounts:

Oracle creates numerous default accounts when it is installed. Upon installation, accounts that are not needed should be disabled and the login credentials for needed accounts should be changed.

With many thanks to the guys at US-CERT.

SSL-certificates can lie!

Tuesday, May 2nd, 2006

I want to share something with you. Every time I see my bank using SSL-certificates, I feel fooled. Why? Because even when you don’t use Windows, SSL-certificates can lie.

They aren’t always what they say. Of course, as a security professional, you know this already. But why are banks all over the world telling us that their site is secure, because they use SSL? I mean, I can make an SSL-certificate with a simple CLI-command, and Windows-users can make it with a few mouse clicks.

What worries me the most is this: a lot of phishing attempts are made from websites with an SSL-certificate. The hurting will stop when banks start using (like most of the Dutch banks are) some other certification utilities (like Securejava).

Of course, as always, the problem is that customers need to check if the company that issued the SSL-certificate is a valid Certificate Authority, but let’s be honest, does your mother know how to do that? Isn’t it the task of your bank to make sure that security is really security and so they have to make sure that their customers are not (or at least as little as possible) exposed?

Ethereal needs updating

Tuesday, May 2nd, 2006

According to an advisory posted by FrSIRT, 28 vulnerabilities have been identified in Ethereal “which could be exploited by remote attackers to compromise a vulnerable system or cause a denial of service.” So it’s time to update again. Here are the downloads for Windows and Linux.

ISC Top 20 spring list

Monday, May 1st, 2006

At the Internet Storm Center (isc.sans.org) the handlers have their new Top 20 list ready. One of the biggest things is the (not so surprisingly) high amount of Mac OS X exploits. They are also mentioning the high amount of IE-exploits. After all, the WMF-exploit has made it to the second place, not bad for an exploit that MS did not take so long to fix.
