Update Firefox and DNS servers - URGENT
Once people find a hole they continue to dig, just as gold-diggers never stop after the first inch of gold, in the belief that there may be lots more. And sometimes this yields new exploits that are far more interesting, dangerous and exploitable than the first one, which seemed more difficult and theoretical. Firefox now seems prone to an exploit by which any program on your computer (and if you surf under administrator privileges that means telnet, so anything on the computer) can be started externally to download whatever code is necessary to make a zombie of your computer, simply by visiting a website with some code on it (that you won't see). So update your Firefox as fast as possible.
http://www.furl.net/item.jsp?id=23170875 Find the URIs on your system
http://www.furl.net/item.jsp?id=23170953 Control all scripting while surfing with Firefox
The DNS servers are the most critical parts of our internet infrastructure. They translate the domain names you put into your browser into the IP addresses of the servers that host them. For a good year there has been much talk about cache poisoning and pharming, but apart from a few attacks it wasn't that easy to do. Pharming works like this: a user types a domain name into his browser, for example www.TRAVEL.com, after which his computer contacts a DNS server to get the right IP address of the server where that site is hosted. The DNS server first looks in its cache, and if the answer isn't there it tries to get it from the internet. With a simple trick that has now been launched, the DNS server will find in its cache a different IP address for www.travel.com than the legitimate one and will redirect the user (who will see www.travel.com in his browser the whole time) to a perfect copy of the site on a Russian site. So any transaction he makes will be intercepted, or the computer can be scanned for vulnerabilities, infected and put into a botnet. Luckily the security researcher has contacted the organisation responsible for the DNS BIND software and a very important upgrade is available. This matters because until now pharming hasn't been so simple to do, and pharming is the industrialisation of phishing: imagine what it would do to banking, e-gov and e-commerce.
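A defender's cross-check for the poisoned-cache situation described above, as an added example that is not part of the original post: it compares the answers several resolvers give for one name and flags a resolver that disagrees with the majority. The resolver names and addresses are constructed sample data.

```python
from collections import Counter

# Constructed sample: A records for one name as seen through four resolvers.
# Addresses are from the RFC 5737 documentation ranges and the resolver names
# are hypothetical. In practice each set would be collected per resolver,
# for example with `dig @<resolver> <name> A`.
SAMPLE_ANSWERS = {
    "isp-resolver": {"203.0.113.66"},
    "office-resolver": {"192.0.2.10", "192.0.2.11"},
    "public-resolver-a": {"192.0.2.10", "192.0.2.11"},
    "public-resolver-b": {"192.0.2.11"},
}


def consensus_ips(answers):
    """Return the IPs reported by a strict majority of resolvers."""
    counts = Counter(ip for ips in answers.values() for ip in set(ips))
    needed = len(answers) // 2 + 1
    return {ip for ip, n in counts.items() if n >= needed}


def divergent_resolvers(answers):
    """Return resolvers whose answer shares no address with the consensus.

    A hit is a lead to investigate, not proof of poisoning: CDNs and
    location-based DNS legitimately hand out different addresses.
    """
    agreed = consensus_ips(answers)
    if not agreed:
        # No majority view at all, so there is nothing to compare against.
        return []
    return sorted(r for r, ips in answers.items() if not set(ips) & agreed)


if __name__ == "__main__":
    for name in divergent_resolvers(SAMPLE_ANSWERS):
        print(f"{name}: answer differs from the majority, check its cache")
```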
You can subscribe to the RSS feed of my furld information