Thursday, July 16, 2009

Maturing cybercriminal economy buoyed by business savvy hackers

Buying and renting tools used by cybercriminals to conduct attacks and steal credentials is becoming much easier for the average person. "For Rent" signs hang on botnets, automated hacking toolkits are sold at bargain prices, and the data reaped by the criminal activity is sold and traded in online forums on a daily basis.

Researchers at networking giant Cisco Systems Inc. are warning of the increasingly sophisticated cybercriminal underground economy and how it could be attractive to those having trouble finding work or facing layoffs in a troubled global economy. Meanwhile, cybercriminals are borrowing some of the best strategies from legitimate companies and forming partnerships with one another to help make their illegal activities more lucrative, according to Cisco.

Read more about this info at:,289142,sid14_gci1361752,00.html?track=sy160

Mozilla warns of critical Firefox JavaScript vulnerability

Mozilla warned Tuesday that a critical flaw in its new Firefox 3.5 browser could be used to execute malicious code. 

The vulnerability is in Firefox 3.5's Just-in-time (JIT) JavaScript compiler, Mozilla reported on its security blog. The flaw, which was disclosed Monday, can be exploited by an attacker who dupes a user into viewing a webpage with the malicious code, according to Mozilla. 

Danish vulnerability clearinghouse Secunia rated the vulnerability highly critical in its security advisory. 

Mozilla is working on a fix for the flaw, but said it can be mitigated by disabling JIT in the JavaScript engine and provided instructions in its blog post. "Note that disabling the JIT will result in decreased JavaScript performance and is only recommended as a temporary security measure," the organization noted.

Researchers Rate All Six Microsoft Patches as Critical

Microsoft rated three of six Patch Tuesday issues as critical, but security researchers say the other three can quickly escalate. Wolfgang Kandek of Qualys said the ISA, Publisher and virtualization vulnerabilities can give a remote attacker control of a computer. Andrew Storms of nCircle hopes for a more complete ActiveX patch later.

Microsoft on Tuesday released six bulletins as part of its monthly patch cycle. Three of the bulletins cover critical flaws, including two unpatched zero-day vulnerabilities. Three other bulletins address important risks that security researchers said can quickly escalate to critical. 

Wolfgang Kandek, CTO of Qualys, said Microsoft's advisories should be addressed immediately because they allow an attacker to take complete control of a victim's computer.

Read more about this info at: