Tag Archive | "Vulnerability"


Microsoft Warns of Windows Script Injection Vulnerability

Microsoft tonight released a security advisory for a publicly disclosed vulnerability in all versions of Windows. Security Advisory 2501696 describes a bug in the MHTML handler in Windows which could lead to information disclosure.

MHTML (MIME Encapsulation of Aggregate HTML) encapsulates HTML in a MIME structure. MIME (Multipurpose Internet Mail Extensions) is a data format for encapsulating more complex binary structures in a text-only format. Windows includes a pluggable protocol handler (MHTML:) that allows applications to render MHTML structures. Internet Explorer is one of these applications, and the handler can be abused to exploit the bug in the context of a web page, causing script to be executed. The user would have to click a link to an MHTML:// document.

The vulnerability is similar to a cross-site scripting bug on a web page, in which HTML and script from another site is executed in the web page context. In this case, script could be executed in the client-side context.

Microsoft has provided a “Fix it” link to disable the MHTML protocol handler. This is a rather radical move, but it’s probably the only thing Microsoft can do without an actual patch, which they will of course provide—when it’s ready. They are also working with other companies to develop server-side protections to prevent attacks.

The Fix it page also includes what amounts to a proof of concept for the bug, which you can use to test whether you are vulnerable or whether the mitigation has worked.



Full story: Security Watch

Posted in Security

Protection from Exploits for Windows Thumbnail Vulnerability

With our recent update of the engine we added generic protection against exploitation of the thumbnail vulnerability in all current Microsoft Windows operating systems. Microsoft warned of this security hole in a security advisory. On the January Patch Tuesday, no update was available for this vulnerability, even though proof-of-concept code is publicly available in the Metasploit framework.

We also released another generic detection for exploits against the Microsoft Office vulnerability in processing manipulated .rtf documents, which is already being exploited in a limited fashion. Update MS10-087 from last November fixes this vulnerability, so it is advisable to install the Microsoft updates anyway.

The Avira update is delivered and installed automatically. If the next scheduled update is still too far away, start the Product Update manually from the Update menu of the Avira ControlCenter.

Dirk Knop
Technical Editor

Full story: Avira – TechBlog

Posted in Antivirus

Update: IE vulnerability (Security Advisory 2488013)

The vulnerability in Internet Explorer that was first reported on 23 December 2010, has yet to be patched but Microsoft has updated its advisory which contains workarounds and mitigations for the issue.

For those who don’t need IE, it would be wise to avoid using it until a permanent fix is released. Those who need to use IE are advised to implement the workarounds, which involve:

  • preventing the recursive loading of CSS style sheets in IE,
  • deploying the Enhanced Mitigation Experience Toolkit (EMET), and
  • setting the Internet and Local intranet security zone settings to “High”.

Detailed instructions for implementing the workarounds can be found at the updated Security Advisory 2488013. Please take note that for these workarounds to be effective, the latest security update (MS10-090) must be installed first.

Keep posted for the latest news.

On 12/01/11 At 03:38 AM

Full story: F-Secure Antivirus Research Weblog

Posted in Antivirus

First 2011 Windows vulnerability

Another year, another vulnerability in Windows. Yesterday Microsoft confirmed it was investigating a ‘recently discovered’ vulnerability. Exploit code for this is reported to be already available.

According to the Security Advisory, the vulnerability involves the Windows Graphics Rendering Engine. Affected Windows versions are various flavors of XP, Vista, Server 2003 and Server 2008. Windows 7 is not affected.

Exploiting the vulnerability requires a specially crafted thumbnail image (for example, for a folder or a program). Successful exploitation can give the attacker effectively full control of the computer.

One note: whether the booby-trapped thumbnail is on a site or sent in an e-mail, the user still has to actively visit the site or click a link in the e-mail (or open an attachment) to be affected, so standard precautions about safe surfing and computer usage still apply.

For users on affected versions, the Advisory has a workaround that will at least “help block known attack vectors”, until a patch is released. Or since the new year is a time for fresh starts, this might be a good time to consider upgrading to Windows 7.

No out-of-band update release seems to be forthcoming, so the soonest a patch might be available is January 11. Stay tuned.

On 05/01/11 At 01:34 AM

Full story: F-Secure Antivirus Research Weblog

Posted in Antivirus

Targeted attacks against recently addressed Microsoft Office vulnerability (CVE-2010-3333/MS10-087)

Last November, Microsoft released security bulletin MS10-087, which addresses a number of critical vulnerabilities in how Microsoft Office parses various office file formats. One of them is CVE-2010-3333, “RTF Stack Buffer Overflow Vulnerability,” which could lead to remote code execution via specially crafted RTF data. A few days before Christmas, we received a new sample (sha1: cc47a73118c51b0d32fd88d48863afb1af7b2578) that reliably exploits this vulnerability and is able to execute malicious shellcode which downloads other malware.

The vulnerability is triggered by a specially crafted RTF file with a size parameter larger than expected. The bug is in Microsoft Word, which copies the RTF data to a stack buffer without validating that size, overwriting the stack.
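The copy-without-a-size-check pattern described above, as an added example: this is not the MMPC's code and not the real Word parser. It is a small RTF-style parser that reads a hypothetical `\fragN` control word (the control word, buffer size and sample documents are made up for illustration; the post does not name the actual control word involved) and copies N hex-encoded bytes into a 16-byte stack buffer. The unchecked version trusts N exactly as the post describes; the checked version rejects any N that does not fit before a byte is copied.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capacity of the fixed stack buffer the hypothetical parser fills.
 * Word's real buffer and control word differ; this models the bug class only. */
#define FRAG_CAP 16

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Find "\fragN" and parse the declared byte count N (the size parameter).
 * On success returns N and sets *hex to the start of the hex payload;
 * returns -1 if the control word is absent or malformed. */
static long parse_frag_header(const char *rtf, const char **hex)
{
    const char *p = strstr(rtf, "\\frag");
    if (!p) return -1;
    p += 5;
    if (*p < '0' || *p > '9') return -1;
    char *end;
    long n = strtol(p, &end, 10);
    while (*end == ' ') end++;
    *hex = end;
    return n;
}

/* Decode up to `count` hex byte pairs into dst; stops early at the first
 * non-hex character. Returns the number of bytes actually written. */
static size_t hex_decode(const char *hex, size_t count, unsigned char *dst)
{
    size_t i;
    for (i = 0; i < count; i++) {
        int hi = hexval((unsigned char)hex[2 * i]);
        if (hi < 0) break;                 /* also stops at the terminator */
        int lo = hexval((unsigned char)hex[2 * i + 1]);
        if (lo < 0) break;
        dst[i] = (unsigned char)((hi << 4) | lo);
    }
    return i;
}

/* VULNERABLE: the declared count is trusted as the copy length into a
 * 16-byte stack buffer, so a file declaring N > 16 with enough payload
 * overwrites the saved return address, the pattern described in the post.
 * Kept only for contrast; never call it on untrusted input. */
int load_fragment_unchecked(const char *rtf)
{
    unsigned char buf[FRAG_CAP];
    const char *hex;
    long n = parse_frag_header(rtf, &hex);
    if (n < 0) return -1;
    return (int)hex_decode(hex, (size_t)n, buf);   /* no comparison of n with sizeof buf */
}

/* HARDENED: compare the declared count with the destination capacity before
 * any byte is copied, and reject a payload shorter than declared. Returns the
 * number of bytes decoded, or -1 for malformed, oversized or truncated input. */
int load_fragment_checked(const char *rtf, unsigned char *out, size_t out_cap)
{
    const char *hex;
    long n = parse_frag_header(rtf, &hex);
    if (n < 0 || (size_t)n > out_cap) return -1;   /* the missing bounds check */
    size_t got = hex_decode(hex, (size_t)n, out);
    return got == (size_t)n ? (int)got : -1;
}

/* Convenience wrapper using the parser's own 16-byte stack buffer. */
int load_fragment(const char *rtf)
{
    unsigned char buf[FRAG_CAP];
    return load_fragment_checked(rtf, buf, sizeof buf);
}

/* Returns byte `idx` of the decoded fragment, or -1 if it cannot be loaded. */
int fragment_byte(const char *rtf, size_t idx)
{
    unsigned char buf[FRAG_CAP];
    int n = load_fragment_checked(rtf, buf, sizeof buf);
    return (n < 0 || idx >= (size_t)n) ? -1 : buf[idx];
}

/* Constructed samples, not real exploit documents. */
static const char *BENIGN    = "{\\rtf1{\\frag4 deadbeef}}";
static const char *OVERSIZED = "{\\rtf1{\\frag4096 41414141414141414141414141414141414141414141}}";
static const char *TRUNCATED = "{\\rtf1{\\frag8 deadbeef}}";

int main(void)
{
    printf("benign:    %d\n", load_fragment(BENIGN));     /* 4  */
    printf("oversized: %d\n", load_fragment(OVERSIZED));  /* -1 */
    printf("truncated: %d\n", load_fragment(TRUNCATED));  /* -1 */
    return 0;
}
```

The only difference between the two loaders is the single comparison of the declared count against the destination capacity; the checked version also refuses a payload shorter than its declared length, since a parser that silently accepts a short copy leaves uninitialized stack bytes in the buffer.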


Figure 1.10 

After the code in figure 1.10 executes, the stack memory has been overwritten by the first part of the shellcode. The challenge for the exploit writer is to make sure the shellcode gets control and is executed. In this sample, one of the return addresses is overwritten with an address inside a DLL known to be loaded in memory; that address holds a single instruction, “jmp esp”, which transfers control to the stack memory containing the first shellcode.

Let’s take a look at the first shellcode: 


Figure 1.20 

The code above uses a brute-force method to find the entry point of the second shellcode by searching for the string “pingping” starting from the hardcoded address 0x500000. To avoid raising exceptions while walking these memory pages, it first checks whether each page is accessible by calling NtAccessCheckAndAuditAlarm() via int 2Eh, with EAX = 2 (the NtAccessCheckAndAuditAlarm system call ordinal) and the page address in EDX; the call returns STATUS_ACCESS_VIOLATION in EAX if the page is not accessible.
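The search loop described above, modelled as an added example (not the sample's shellcode, which is x86 assembly issuing `int 2Eh`): a portable C version of the same hunt over a constructed address space, where `probe_page()` stands in for the NtAccessCheckAndAuditAlarm() call and reports STATUS_ACCESS_VIOLATION for unmapped pages. The arena layout, which pages are unmapped and where the marker sits are made up for illustration; the start address 0x500000 and the “pingping” marker are the ones the post names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE               0x1000u
#define STATUS_ACCESS_VIOLATION 0xC0000005u
#define TAG                     "ping"     /* the hunter looks for TAG twice in a row */

/* Constructed address space: 16 pages starting at the post's 0x500000.
 * A page not flagged in `mapped` behaves like unmapped memory. */
#define ARENA_BASE  0x500000u
#define ARENA_PAGES 16
static unsigned char arena[ARENA_PAGES * PAGE_SIZE];
static int mapped[ARENA_PAGES];
static unsigned unmapped_reads;   /* each one would be an access violation in a real process */

static uint32_t page_index(uint32_t addr) { return (addr - ARENA_BASE) / PAGE_SIZE; }

/* Stand-in for NtAccessCheckAndAuditAlarm() via int 2Eh: the kernel probes
 * the user pointer it is handed and fails with STATUS_ACCESS_VIOLATION if
 * the page is not readable, without raising an exception in the caller. */
static uint32_t probe_page(uint32_t addr)
{
    if (addr < ARENA_BASE || page_index(addr) >= ARENA_PAGES || !mapped[page_index(addr)])
        return STATUS_ACCESS_VIOLATION;
    return 0;
}

/* Model of a memory read: touching an unmapped page is recorded as a fault. */
static const unsigned char *mem_at(uint32_t addr)
{
    if (probe_page(addr) != 0) unmapped_reads++;
    return arena + (addr - ARENA_BASE);
}

/* The hunt. Returns the address just past the 8-byte marker, where the
 * second-stage shellcode begins, or 0 if no marker exists below `limit`. */
uint32_t egg_hunt(uint32_t start, uint32_t limit)
{
    uint32_t addr = start;
    while (addr + 8 <= limit) {
        /* Probe the page holding the marker's first byte and, because an
         * 8-byte compare may straddle a page boundary, the page holding its last. */
        if (probe_page(addr) == STATUS_ACCESS_VIOLATION ||
            probe_page(addr + 7) == STATUS_ACCESS_VIOLATION) {
            addr = (addr | (PAGE_SIZE - 1)) + 1;   /* next page: or dx,0xfff / inc edx */
            continue;
        }
        if (memcmp(mem_at(addr), TAG TAG, 8) == 0)
            return addr + 8;
        addr++;                                     /* inc edx */
    }
    return 0;
}

unsigned unmapped_read_count(void) { return unmapped_reads; }

/* Constructed scenario: pages 0-2 unmapped, pages 3 onward mapped, the marker
 * and a fake second stage planted part-way into page 5. */
uint32_t demo_plant_and_hunt(void)
{
    memset(arena, 0, sizeof arena);
    unmapped_reads = 0;
    for (int i = 0; i < ARENA_PAGES; i++) mapped[i] = (i >= 3);
    uint32_t marker = ARENA_BASE + 5 * PAGE_SIZE + 0x123;
    memcpy(arena + (marker - ARENA_BASE), TAG TAG, 8);
    memcpy(arena + (marker + 8 - ARENA_BASE), "\x90\x90\xcc", 3);   /* stand-in for stage 2 */
    return egg_hunt(ARENA_BASE, ARENA_BASE + ARENA_PAGES * PAGE_SIZE);
}

/* Same layout with no marker planted: the hunt must come back empty. */
uint32_t demo_hunt_without_egg(void)
{
    memset(arena, 0, sizeof arena);
    unmapped_reads = 0;
    for (int i = 0; i < ARENA_PAGES; i++) mapped[i] = (i >= 3);
    return egg_hunt(ARENA_BASE, ARENA_BASE + ARENA_PAGES * PAGE_SIZE);
}

int main(void)
{
    printf("stage 2 at 0x%06x\n", (unsigned)demo_plant_and_hunt());   /* 0x50512b */
    printf("unmapped reads: %u\n", unmapped_read_count());          /* 0 */
    return 0;
}
```

The point of the probe is the zero count of unmapped reads: the hunter never dereferences an address the kernel has not first vouched for, which is why the real shellcode can walk a process from 0x500000 upward without installing an exception handler.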

The second shellcode starts by decrypting the rest of its code and strings using an XOR operation with constant keys. It then resolves the addresses of the APIs it needs, downloads the malware from a remote location, and executes it. In our sample, it attempts to download a file named svchost.exe and saves it as <system folder>\a.exe (detected as Trojan:Win32/Turkojan.C).

Microsoft detects this exploit as Exploit:Win32/CVE-2010-3333.

We recommend that customers who have not yet installed security update MS10-087 do so at their earliest convenience.

For reference, here’s a list of some SHA1s we’ve seen related to these targeted attacks:

  • 00d9af54c5465c28b8c7a917c9a1b1c797b284ab
  • 24ee459425020ea61a10080f867529ea241c51dc
  • 2e6abd663337c76379ae26b8aa6cf4db98137b64
  • 77637eccf9011d420cccc520bcb3ed0cf907dc00
  • CC47A73118C51B0D32FD88D48863AFB1AF7B2578

– Rodel Finones

Full story: Microsoft Malware Protection Center

Posted in Antivirus


Malicious .RTF Files Exploit Microsoft Office Vulnerability

A stack-based buffer overflow vulnerability in Microsoft Office was recently discovered to have been actively exploited in the wild. Trend Micro now detects the exploit .RTF files as TROJ_ARTIEF.SM.

The malicious .RTF files contain shellcode and are crafted to overflow the stack, crashing Microsoft Word; as a result, malicious users can execute arbitrary code on an affected system.


The screenshot in the original post shows that the malware employed a NOP sled in the overflowing data so that execution lands in the shellcode, which then runs in the context of Microsoft Word. The malware we encountered dropped another malicious file, detected as TROJ_INJECT.ART.

One of the more serious concerns is that a malicious user could send an RTF email to target users. Since Microsoft Outlook uses Word to handle email messages, the mere act of opening or viewing specially crafted messages in the reading pane may cause the exploit code to execute.

Microsoft already released an update to address the said vulnerability. Users are strongly advised to download and install the patch, which can be found in the official bulletin MS10-087. This was issued as part of November’s Patch Tuesday.

Post from: TrendLabs | Malware Blog – by Trend Micro


– Karl Dominguez (Threat Response Engineer) on TrendLabs | Malware Blog – by Trend Micro

Posted in Antivirus

2010 in Review: The Vulnerability Landscape

The number of software vulnerabilities (as measured by entries in the Common Vulnerabilities and Exposures (CVE) database) went down in 2010, although due to the complexity of modern programs they can never be completely eliminated. Criminals take advantage of this to drop their malware onto the systems of victims everywhere.

Because of this, there is a continued need for vulnerability defense solutions like Intrusion Defense Firewall (IDF), a plug-in for OfficeScan™ and Deep Security.

In recent years, both vulnerability researchers and criminals have been focusing their attacks on third-party applications. This is quite natural, as both Internet-exposed services (such as Web servers) and the OSs themselves have been made more secure. This focus on third-party applications increases the risk for typical end users, as they tend to ignore third-party programs as primary attack vectors. In addition, no common patching platform like Windows Update is provided, raising the risk of having vulnerable versions on user systems.

Let’s examine the number of publicly disclosed proof-of-concept (POC) exploits that allowed remote code execution in several applications that users commonly utilize (these are based on exploits posted on the Exploits Database site):

Application(s)                              Number of exploits
Internet Explorer                            7
Mozilla Firefox                              3
Adobe products (Flash and Acrobat/Reader)   16
Java                                         4


Note the number of exploits for third-party applications above compared with browsers. Both Adobe and Java exploits are very reusable, as the vulnerable applications are present on most user systems. In addition, these can be obfuscated to bypass network-based intrusion protection systems.

Out of these critical vulnerabilities in 2010, the ones which had the most impact in the wild were:

It’s also worth noting that the DOWNAD/Conficker threat, which dates back to late 2008, was still quite active during the first half of the year. DOWNAD isn’t quite dead yet.

What kinds of malware are dropped or downloaded onto users’ systems by exploits? Variants of the ZeuS family of malware were favored payloads throughout 2010. In particular, exploits using .PDF files and ActiveX controls as infection vectors were frequently used for this purpose.

These threats highlight how important it is for users to properly protect themselves against vulnerabilities by patching their software. For that, readers should consult the previous blog post “Have You Patched Your System Lately?” The CTO Insights blog also talked about it in the video “Zero Day Vulnerabilities Risk Overblown.”

Post from: TrendLabs | Malware Blog – by Trend Micro


– Abhishek Bhuyan (Senior Security Researcher) on TrendLabs | Malware Blog – by Trend Micro

Posted in Antivirus

New Internet Explorer Vulnerability Discovered

Microsoft has released an urgent security advisory describing a new vulnerability in Internet Explorer that allows for malicious code to be run on user systems if they visit a malicious website. Internet Explorer 6 up to Internet Explorer 8 are confirmed to be affected; it is not clear if the Internet Explorer 9 beta is similarly affected as well.

Trend Micro offers a variety of solutions to help protect users. For home users, the free tool Browser Guard offers protection against this vulnerability without any need for updates. Browser Guard is a free add-on for Internet Explorer that protects users by preventing browser exploits and analyzing in-browser scripts for malicious characteristics and behavior. This provides users with proactive protection against vulnerabilities, as this incident demonstrates.

For enterprise users, both Deep Security and OfficeScan with the Intrusion Defense Firewall (IDF) plug-in also protect against this threat with the updated rules released earlier today.

Post from: TrendLabs | Malware Blog – by Trend Micro


– Jonathan Leopando (Technical Communications) on TrendLabs | Malware Blog – by Trend Micro

Posted in Antivirus

Exploit For Unpatched IE Vulnerability Released

Microsoft has issued an advisory for an unpatched vulnerability affecting all versions of Internet Explorer on all platforms. The vulnerability could allow a malicious web page to trigger a denial of service or remote code execution in the context of the IE user. Exploit code for the vulnerability has been published, but there are not yet any reports of active exploitation in the wild.

The vulnerability is of a type known as “use-after-free” and is in the CSharedStyleSheet::Notify function in the CSS parser in mshtml.dll. Multiple @import calls in the attack document trigger the vulnerability. It was first reported by wooyun.org.

The exploit bypasses ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention) by taking advantage of a library IE loads (mscorie.dll) which was not compiled with the /DYNAMICBASE option that enables ASLR, and which therefore loads at the same predictable address every time, giving the exploit a fixed source of code addresses to return into. Microsoft doesn’t say why this library, and apparently others, weren’t compiled with this option, but suggests that you use its Enhanced Mitigation Experience Toolkit (EMET) to force all loaded DLLs to be dynamically rebased. This change should make the exploits highly unlikely to succeed. A video in the original post demonstrates the process.
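A check a practitioner would want after reading the above, as an added example and not Microsoft’s or EMET’s code: read a DLL’s PE headers and report whether it opted into ASLR, that is, whether IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (the flag /DYNAMICBASE sets) is present and relocations were not stripped (without a relocation section the loader cannot rebase the image even when the flag is set). The header bytes in the demo are constructed in memory; to check a real library such as the mscorie.dll the post names, read the file into a buffer and pass it to `pe_aslr_enabled()`.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE 0x0040   /* set by /DYNAMICBASE */
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT    0x0100   /* set by /NXCOMPAT (DEP) */
#define IMAGE_FILE_RELOCS_STRIPPED            0x0001   /* no .reloc: cannot be rebased */

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk MZ -> e_lfanew -> "PE\0\0" -> IMAGE_FILE_HEADER -> optional header.
 * Returns the optional header offset and stores the file header offset in
 * *file_hdr, or returns 0 if the buffer is not a PE image we can parse. */
static size_t optional_header_offset(const unsigned char *img, size_t len, size_t *file_hdr)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t pe = rd32(img + 0x3C);                       /* e_lfanew */
    if ((size_t)pe + 4 + 20 > len || memcmp(img + pe, "PE\0\0", 4) != 0) return 0;
    size_t fh = pe + 4;
    uint16_t opt_size = rd16(img + fh + 16);              /* SizeOfOptionalHeader */
    size_t opt = fh + 20;
    if (opt_size < 72 || opt + opt_size > len) return 0;  /* DllCharacteristics lives at +70 */
    uint16_t magic = rd16(img + opt);
    if (magic != 0x10b && magic != 0x20b) return 0;       /* PE32 / PE32+ */
    *file_hdr = fh;
    return opt;
}

/* Returns 1 if the loader will randomize the image (DYNAMIC_BASE set and
 * relocations present), 0 if it loads at its preferred base every time,
 * -1 if the buffer is not a parseable PE image. */
int pe_aslr_enabled(const unsigned char *img, size_t len)
{
    size_t fh;
    size_t opt = optional_header_offset(img, len, &fh);
    if (!opt) return -1;
    uint16_t dllchars = rd16(img + opt + 70);   /* DllCharacteristics: same offset in PE32 and PE32+ */
    uint16_t fchars   = rd16(img + fh + 18);    /* IMAGE_FILE_HEADER.Characteristics */
    if (!(dllchars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)) return 0;
    if (fchars & IMAGE_FILE_RELOCS_STRIPPED) return 0;
    return 1;
}

/* Constructed PE32 header (no sections) carrying the given flag words, for
 * the demo below; real images come from reading the DLL file into memory. */
size_t build_test_image(unsigned char *out, size_t cap, uint16_t dllchars, uint16_t filechars)
{
    const size_t opt_size = 224, total = 0x40 + 4 + 20 + opt_size;
    if (cap < total) return 0;
    memset(out, 0, total);
    out[0] = 'M'; out[1] = 'Z';
    out[0x3C] = 0x40;                                   /* e_lfanew */
    memcpy(out + 0x40, "PE\0\0", 4);
    out[0x44] = 0x4c; out[0x45] = 0x01;                 /* Machine = IMAGE_FILE_MACHINE_I386 */
    out[0x44 + 16] = (unsigned char)opt_size; out[0x44 + 17] = (unsigned char)(opt_size >> 8);
    out[0x44 + 18] = (unsigned char)filechars; out[0x44 + 19] = (unsigned char)(filechars >> 8);
    out[0x58] = 0x0b; out[0x59] = 0x01;                 /* optional header magic: PE32 */
    out[0x58 + 70] = (unsigned char)dllchars; out[0x58 + 71] = (unsigned char)(dllchars >> 8);
    return total;
}

/* ASLR verdict for a constructed image carrying the given flags. */
int aslr_verdict_for_flags(uint16_t dllchars, uint16_t filechars)
{
    unsigned char img[512];
    size_t n = build_test_image(img, sizeof img, dllchars, filechars);
    return pe_aslr_enabled(img, n);
}

int main(void)
{
    /* 0x2102 = DLL | 32BIT_MACHINE | EXECUTABLE_IMAGE, as a typical DLL carries. */
    printf("/DYNAMICBASE + /NXCOMPAT:              %d\n", aslr_verdict_for_flags(0x0140, 0x2102));  /* 1 */
    printf("/NXCOMPAT only, no /DYNAMICBASE:       %d\n", aslr_verdict_for_flags(0x0100, 0x2102));  /* 0 */
    printf("/DYNAMICBASE but relocations stripped: %d\n", aslr_verdict_for_flags(0x0140, 0x2103));  /* 0 */
    return 0;
}
```

The second case is the situation the post describes for mscorie.dll: a module that may well be DEP-compatible but still lands at a fixed address, which is all a return-into-library payload needs. The third case is the one that a flag-only check misses.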

Microsoft also stresses that Protected Mode in Internet Explorer 7 and 8 on Windows Vista, Windows 7 and Windows Server 2008 mitigates the vulnerability by limiting the privileges of attack code that succeeds in exploiting it.



View full post on Security Watch

Posted in Security

Blog: TDL4 Starts Using 0-Day Vulnerability!

In early December, Kaspersky Lab experts detected samples of the malicious program TDL4 (a new modification of TDSS) which uses a 0-day vulnerability for privilege escalation under Windows 7/2008 x86/x64 (Windows Task Scheduler Privilege Escalation, CVE-2010-3888). – on Securelist / All Updates

Posted in Antivirus

Mafiaboy sees cloud computing vulnerability

Michael Calce, the reformed hacker from Montreal who will forever be known as Mafiaboy, told a group of IT professionals Tuesday that he has serious concerns about the inherent vulnerabilities in the latest evolution of information technology: cloud computing. – Jeff Jedras on Network World on Security

Posted in Security

Windows “DbgHelp.dll” Export name stack overflow vulnerability

Malware in the wild is exploiting this vulnerability, which allows remote code execution when a debugger loads a specially crafted executable using Microsoft’s DbgHelp.dll (version 5.x).

When I tried to load the malware that uses this trick, it made OllyDbg exit. The link below has some interesting stuff about this vulnerability.

http://foolishpages.blogspot.com/2010/11/windows-dbghelpdll-export-name-stack.html

View full post on Offensive Computing blogs

Posted in Malware


Highly Critical Vulnerability Headlines Light Patch Tuesday

Microsoft has released 3 updates to Office and the Forefront Unified Access Gateway (UAG) to address a total of 11 vulnerabilities. Just 1 of the 11 is rated critical, but it’s a doozy.

MS10-087—Vulnerabilities in Microsoft Office Could Allow Remote Code Execution— describes 5 remote code execution vulnerabilities in various versions of Microsoft Office, up to and including the new Office 2010. One vulnerability—RTF Stack Buffer Overflow Vulnerability (CVE-2010-3333)—stands out. A stack overflow in the RTF parser in these programs is hard to imagine in this day and age, but it just goes to show how hard it is to root out such things completely. Even the Mac versions of Office are vulnerable.

The really scary aspect of the RTF vulnerability is that it can be exploited directly through e-mail. If a user were running Outlook with a vulnerable version of Microsoft Word as their e-mail editor, the vulnerability could be used to exploit the recipient simply by reading the e-mail.

The other 4 vulnerabilities are all serious, but require user action, such as opening an attachment, to exploit. One of them is another instance of our old friend, the insecure library loading vulnerability. This isn’t the last we’ve seen of it.

MS10-088—Vulnerabilities in Microsoft PowerPoint Could Allow Remote Code Execution—describes two remote code execution bugs in older versions of PowerPoint, meaning 2003 and earlier. Both involve opening specially-crafted malicious files.

MS10-089—Vulnerabilities in Forefront Unified Access Gateway (UAG) Could Allow Elevation of Privilege—describes one spoofing and three cross-site scripting bugs in Forefront Unified Access Gateway. Microsoft Intelligent Application Gateway 2007 is also affected by some of these.

View full post on Security Watch

Posted in Security

New 0-day Vulnerability in Adobe Acrobat Reader

A new, potentially critical vulnerability in Adobe Acrobat Reader has come to our attention at Websense Security Labs. Quick analysis shows that malicious PDF documents invoke a function call to Doc.printSeps() to take advantage of the vulnerability. Proof of concept code plants shell code in memory using heap spraying to exploit the vulnerability.

Websense Security Labs is monitoring the situation, and we will update this blog post as we discover more. It is possible that malicious hackers could set up rigged Web sites or insert malicious code into legitimate, compromised sites to infect visitors. The vulnerability could be used for remote code execution, but we are still investigating these claims. Websense customers are protected by our ACE real-time analytics.

Adobe has published advice on how to avoid this vulnerability by blacklisting the vulnerable function call. The issue was unknown to Adobe PSIRT Team when Websense Security Labs informed them about it. Respecting their wish, we only disclosed the issue after their announcement. In the meantime, VUPEN also disclosed the issue.

In our test, Adobe Acrobat Reader crashed when the proof of concept document was loaded.

We will update this blog post with any interesting developments.

View full post on Security Labs

Posted in Antivirus

Microsoft Advises on Unpatched IE Vulnerability

Note: Post authored by Larry Seltzer.


Microsoft has issued an advisory on a vulnerability in Internet Explorer that could allow malicious code from a visited web site to execute.

The company reports in a blog entry that the code was found on a web site, but that site is no longer serving it and they are aware of no other instances of it in the wild.

The vulnerability is mitigated by DEP (Data Execution Prevention), which is enabled by default for Internet Explorer 8 on supported versions of Windows, making the bug unlikely to be exploitable there.

Microsoft is working on an update to patch the vulnerability but has no information yet on when that will be available.

View full post on Security Watch

Posted in Security

Backdoor Uses Ichitaro Vulnerability To Spread

Vulnerabilities (designated as CVE-2010-3915 and CVE-2010-3916) have been found in the popular Japanese-language word processor Ichitaro. If exploited, a specially crafted JTD document could be used to drop and execute files. Files exploiting these vulnerabilities are detected as TROJ_TARODRP.SM.

Currently, the payload of the attacks using this vulnerability is a dropper detected as TROJ_DROPPER.QVA. It checks whether the current user has administrative rights on the system and, depending on the answer, uses different means to ensure that it runs at every system startup. The end behavior is identical either way: a backdoor (BKDR_GOLPECO.A) is dropped onto the affected system. It contacts a command-and-control server, and among the commands that a would-be bot herder could execute on an affected system are:

  • perform shell commands
  • overwrite/retrieve files on the affected system
  • download and execute files from the Internet

Taken together, these commands allow a system to be completely compromised by this malware. This is a non-trivial risk, as both this and previous Ichitaro vulnerabilities have been used in targeted attacks, which carry correspondingly higher stakes.

Trend Micro users have been protected since September 18, when patterns protecting against the above threats were released. Related malicious URLs have also been blocked since the same date. However, due to non-disclosure agreements we have been unable to discuss this threat until a fix for the vulnerability was released.

Justsystems, the publisher of Ichitaro, has released a patch fixing this vulnerability. Until users can apply the patch, Trend Micro product users are protected by the Smart Protection Network™.

View full post on TrendLabs | Malware Blog – by Trend Micro

Posted in Antivirus

Remote Code Execution Vulnerability in Internet Explorer (CVE-2010-3962)

A new vulnerability has been discovered in Internet Explorer that is currently being used in limited attacks. Websense Security Labs is monitoring the situation and will update this blog post as we discover more. Malicious hackers could set up rigged Web sites or insert malicious code into legitimate, compromised sites to infect visitors. This vulnerability could be used for remote code execution. Websense customers are protected by our real-time analytics in ACE.

Enabling DEP and Protected Mode in Internet Explorer can mitigate this vulnerability.

For more information see: Microsoft Security Advisory (2458511), CVE-2010-3962, US-CERT advisory

View full post on Security Labs

Posted in Antivirus

A New Ichitaro Vulnerability Confirmed

Last time we blogged about Ichitaro, it was during the cherry blossom season in Japan earlier this year. The season for autumn leaves is on the way as is a patch for a new Ichitaro vulnerability. Earlier today, JustSystems announced that its Ichitaro software has a vulnerability and instructed users to patch it with the latest update module available. At Symantec we have confirmed that there is malware in the wild exploiting this vulnerability. Symantec security software detects this malware as Trojan.Taradrop.K. It was previously detected as Trojan.Tarodrop.

The attack so far has been limited, but we recommend that Ichitaro users apply the update module as soon as possible. Affected systems include versions 2004 through to 2010.

View full post on Symantec Connect – Security Response – Blog Entries

Posted in Antivirus


New Zero-Day Vulnerability Hits Internet Explorer


Microsoft recently released a security advisory for a vulnerability in Internet Explorer which allows remote code execution. According to the advisory, the vulnerability, which affects Internet Explorer 6, 7, and 8, is caused by an invalid flag reference within Internet Explorer and was initially found on a single website, which has since been taken offline.

Our researchers were able to acquire a sample of the exploit for the said vulnerability and have analyzed the threat. We detect the main page that delivered the exploit as HTML_BADEY.A. This page downloads a backdoor, which is detected as BKDR_BADEY.A. This backdoor, in turn, downloads various encrypted files. These encrypted files, when decrypted, contain the commands that the backdoor will perform.

Further attacks exploiting this vulnerability are likely. We have seen a new hacking tool, HKTL_ELECOM, which allows cybercriminals to generate pages containing the JavaScript code that exploits this vulnerability. This makes exploitation easier, so attacks that target it will probably become more commonplace.

It is not clear when this vulnerability will be patched, but until then users can take some steps to protect themselves. The beta version of Internet Explorer 9 is not affected by this vulnerability, and users can upgrade to this version to protect against this vulnerability. Other mitigating steps are mentioned in the advisory, but these mitigating steps will cause most, if not all, websites to load improperly.

The mitigating steps force the use of a user-specified CSS style sheet (breaking site formatting) and disable scripting (disabling many site features). Users can also check that Data Execution Prevention (DEP) is enabled, which will help reduce the potential effects of any exploits. Instructions for these mitigation steps are in the Microsoft security advisory.

Trend Micro users are well protected against this threat, with the malware threats used in this attack already detected. We also suggest downloading Browser Guard, an add-on for Internet Explorer that protects against IE vulnerabilities, including this particular attack – for free.

View full post on TrendLabs | Malware Blog – by Trend Micro

Posted in Antivirus

Vulnerability in Internet Explorer Could Allow Remote Code Execution (CVE-2010-3962), (Wed, Nov 3rd)

Microsoft has announced a vulnerability in all currently supported versions of Internet Explorer (6 through 8) that could allow the execution of arbitrary code (Advisory 2458511). This would likely be leveraged in a drive-by exploit scenario. They state that DEP (Data Execution Prevention) and Protected Mode are mitigating factors.
I’m still collecting more details so this will be updated as more details become available.
CVSS Base: pending

Exploit code: non-public, but reported to have attacks in the wild.

Workarounds: available

Patches: unavailable

IDS signatures: pending

(c) SANS Internet Storm Center. http://isc.sans.org Creative Commons Attribution-Noncommercial 3.0 United States License.

View full post on SANS Internet Storm Center, InfoCON: green

Posted in Security

CVE-2010-3654 Adobe Flash Player Zero Day Vulnerability

CVE-2010-3654: A critical vulnerability exists in Adobe Flash Player 10.1.85.3 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems; Adobe Flash Player 10.1.95.2 and earlier versions for Android; and the authplay.dll component that ships with Adobe Reader 9.4 and earlier 9.x versions for Windows, Macintosh and UNIX operating systems, and Adobe Acrobat 9.4 and earlier 9.x versions for Windows and Macintosh operating systems.


View full post on Web Security Weblog

Posted in Security

CVE-2010-3654 – New dangerous 0-day authplay library adobe products vulnerability, (Thu, Oct 28th)

Adobe today released advisory APSA10-05, describing a 0-day vulnerability that can be exploited remotely in Adobe Flash Player, Adobe Reader and Acrobat. Adobe says it hopes to have an update available by the week of Nov 15.

The following are the mitigation measures recommended by Adobe:

Adobe Reader and Acrobat 9.x – Windows

Deleting, renaming, or removing access to the authplay.dll file that ships with Adobe Reader and Acrobat 9.x mitigates the threat for those products, but users will experience a non-exploitable crash or error message when opening a PDF file that contains Flash (SWF) content.

The authplay.dll that ships with Adobe Reader and Acrobat 9.x for Windows is typically located at C:\Program Files\Adobe\Reader 9.0\Reader\authplay.dll for Adobe Reader or C:\Program Files\Adobe\Acrobat 9.0\Acrobat\authplay.dll for Acrobat.

Adobe Reader 9.x – Macintosh

1) Go to the Applications > Adobe Reader 9 folder.

2) Right-click on Adobe Reader.

3) Select Show Package Contents.

4) Go to the Contents > Frameworks folder.

5) Delete or move the AuthPlayLib.bundle file.

Acrobat Pro 9.x – Macintosh

1) Go to the Applications > Adobe Acrobat 9 Pro folder.

2) Right-click on Adobe Acrobat Pro.

3) Select Show Package Contents.

4) Go to the Contents > Frameworks folder.

5) Delete or move the AuthPlayLib.bundle file.

Adobe Reader 9.x – UNIX

1) Go to installation location of Reader (typically a folder named Adobe).

2) Within it browse to Reader9/Reader/intellinux/lib/ (for Linux) or Reader9/Reader/intelsolaris/lib/ (for Solaris).

3) Remove the library named libauthplay.so.0.0.0.

More information at http://contagiodump.blogspot.com/2010/10/potential-new-adobe-flash-player-zero.html

– Manuel Humberto Santander Pelez | http://twitter.com/manuelsantander | http://manuel.santander.name | msantand at isc dot sans dot org


View full post on SANS Internet Storm Center, InfoCON: green

Posted in Security

Critical Vulnerability in Firefox Browser

Yesterday we received reports about a critical vulnerability in the Firefox browser that has been detected in the wild. According to the reports, this flaw can allow an attacker to compromise the user's machine through the browser by making it run arbitrary code without user interaction, a classic drive-by vulnerability. Our customers are protected from this latest vulnerability by ACE, our Advanced Classification Engine.

The vulnerability was discovered when the Nobel Peace Prize web site was compromised. The attacker used multiple iframe redirections on the compromised site, with the last link in the chain pointing to a dynamic DNS host that served the malicious page.

Mozilla has also confirmed the vulnerability in a blog post, stating that they are investigating the issue and working on a fix.

Websense Security Labs is currently investigating the vulnerability in detail. Initial analysis shows that the exploit references an object in the web page that has already been removed, leaving the reference pointing to invalid memory. The malicious code uses a heap spray to exploit the vulnerability and run arbitrary code on the user's computer. In addition, part of the exploit code checks the version of the browser and the operating system and constructs the shellcode accordingly to ensure a successful exploit.

View full post on Security Labs

Posted in Antivirus

ALERT: A critical vulnerability in Firefox versions 3.5 and 3.6 exists and is being actively exploited

Details here:
http://blog.mozilla.com/security/2010/10/26/critical-vulnerability-in-firefox-3-5-and-firefox-3-6/

View full post on Spyware Sucks

Posted in Security
