
beforeyoukillyourcomputer.com

Saving computers one at a time from their frustrated owners


Tag: Attack

Cyberwar

Unknown miscreants had a good time two weekends ago when they posted hundreds of flashing animated images onto discussion boards hosted by the Landover, Md.-based Epilepsy Foundation. Flashing lights or bold moving patterns can trigger often violent seizures among 3 percent of the estimated 50 million epileptics worldwide. “I was on the phone when it happened, and I couldn’t move and couldn’t speak,” RyAnne Fultz, who has epilepsy, told Wired News about her reaction to viewing one of the images on March 23.

Fultz’s 11-year-old son walked over and closed the browser window after about 10 seconds. Fortunately, she suffered nothing more than a bad headache.

By then, the second day of vandalism on EpilepsyFoundation.org, the jerks had moved on to hijacking the browsers of anyone who clicked on certain forum posts, filling the screens with bright, flashing colors.

Technically, none of this was hacking, since it didn’t involve breaking into anyone’s Web site, and any snotty kid with a rudimentary knowledge of JavaScript could do it.

The Epilepsy Foundation shut off the discussion board on Sunday for about 12 hours, and the attacks stopped.

“This was clearly an act of vandalism with the intent to harm people,” said Eric R. Hargis, the foundation’s president and CEO in a statement released Monday.

However, it doesn’t seem to have been the first instance. A Texas-based discussion Web site called Coping With Epilepsy said it suffered a similar attack last November.

Source


Firefox

Firefox_User sent us a link to a CNET News.com article about a security threat to Windows users with both Mozilla Firefox and Microsoft Internet Explorer installed. The issue can allow an attacker to remotely trick Firefox into executing potentially malicious code. However, a user has to be running Internet Explorer to actually get exploited.

Security researcher Thor Larholm has published a description of how the security flaw works, including a proof-of-concept (though some have reported that they cannot get this to work). When installed on Windows, Firefox registers a URL protocol handler to handle firefoxurl:// URLs (this works much like a http:// or ftp:// URL protocol handler). If an IE user visits a webpage that tries to call a firefoxurl:// URL (for example, using an iframe), IE will launch Firefox with no further prompting, passing it the URL. Neither IE nor Firefox escape or sanitise the URL, which allows an attacker to inject additional parameters into the command line used to invoke Firefox. Used in combination with the -chrome parameter, the attacker can make Firefox execute dangerous JavaScript code.

There's some debate as to where the blame lies — is it IE for passing untrusted data to another application or Firefox for not validating input properly? SecurityFocus refers to the problem as a Microsoft Internet Explorer FirefoxURL Protocol Handler Command Injection Vulnerability, placing the blame with Redmond, while Secunia calls it a Firefox "firefoxurl" URI Handler Registration Vulnerability, pointing the finger at Mozilla. News.com quotes Oliver Friedrichs of Symantec's Security Response Center, who says, "It's a little bit of both."
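The injection the article describes comes down to a clicked URL being pasted, unescaped, into the command line registered for the protocol handler. The JavaScript below is an added illustration, not code from Firefox, IE or the article: the handler template, the simplified Windows argument splitter and the parameter name -injected are all constructed, and the hardening shown (percent-encoding every character outside the URI character set before substitution) is one defence the receiving side can apply, not the fix either vendor shipped.

```javascript
// Illustrative handler template; constructed for this example, not Firefox's real registry value.
// "%1" is where Windows substitutes the clicked URL when launching the registered application.
const HANDLER_TEMPLATE = '"C:\\Program Files\\Browser\\browser.exe" -url "%1"';

// Simplified CommandLineToArgvW: whitespace separates arguments, double quotes group them.
// Backslash-escaping rules are omitted; they do not affect this demonstration.
function splitWindowsArgv(cmdline) {
  const args = [];
  let cur = '', inQuotes = false, haveArg = false;
  for (const ch of cmdline) {
    if (ch === '"') { inQuotes = !inQuotes; haveArg = true; }
    else if ((ch === ' ' || ch === '\t') && !inQuotes) {
      if (haveArg) { args.push(cur); cur = ''; haveArg = false; }
    } else { cur += ch; haveArg = true; }
  }
  if (haveArg) args.push(cur);
  return args;
}

// Unsafe: the raw URL is substituted into the template, matching the article's description
// that neither side escapes or sanitises it. A quote in the URL closes the intended
// argument and everything after it becomes further parameters for the launched program.
function naiveLaunchArgv(url) {
  return splitWindowsArgv(HANDLER_TEMPLATE.replace('%1', () => url));
}

// Percent-encode every character outside the RFC 3986 URI character set. A double quote
// or whitespace is never a legal URI character, so after this step the URL can only
// occupy the single argument the template reserved for it.
function sanitiseProtocolUrl(url) {
  return url.replace(/[^A-Za-z0-9._~:\/?#\[\]@!$&'()*+,;=%-]/gu, (ch) => encodeURIComponent(ch));
}

// Hardened: sanitise before substitution, so the argument vector has exactly the
// shape the template intended regardless of what the page supplied.
function hardenedLaunchArgv(url) {
  return splitWindowsArgv(HANDLER_TEMPLATE.replace('%1', () => sanitiseProtocolUrl(url)));
}
```

A legitimate protocol URL (letters, digits and URI punctuation only) passes sanitiseProtocolUrl unchanged, so the check costs nothing for normal use.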


Computerworld is reporting that a researcher at Juniper has discovered an interesting vulnerability that can be used to compromise ARM- and XScale-based electronic devices such as many popular routers and mobile phones. According to the article, the vulnerability would allow hackers to execute code and compromise personal information or redirect internet traffic at the router level. Juniper plans to demonstrate not only the researcher’s discovery, but also how he used a common JTAG boundary scan to find the vulnerability, at this month’s CanSecWest conference, in hopes of shifting more of the black hat community to looking at devices instead of software.

Source


Many web applications written using the popular AJAX programming technique are vulnerable to a JavaScript hijacking attack, security company Fortify Software has claimed.

Fortify said that the “pervasive and critical vulnerability” is present in 11 of the 12 most popular AJAX frameworks, and therefore in many Web 2.0 applications. It allows an attacker to pose as the application’s user and intercept data sent via JavaScript commands, by using the <script> tag to circumvent the “same origin policy” imposed by web browsers.

“JavaScript Hijacking appears to be a ubiquitous problem,” said Fortify. It claimed that only Direct Web Remoting (DWR) 2.0, a project which dynamically generates Java classes on the server from JavaScript, is immune to the attack, but said that fixes are available or feasible for other AJAX frameworks.

It added that even if apps do not use any of the vulnerable AJAX frameworks directly, they could be at risk if they contain AJAX components that use JavaScript as a data transfer method.
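An added example, not code from Fortify or from any of the frameworks named: the record set, the prefix string and the request object are constructed. It shows why a JSON array served to a GET request is loadable by a cross-site <script> tag, and one way to harden such an endpoint (require POST and an application-set header, and poison the body so it is a syntax error when executed as a script).

```javascript
// Constructed sample data; not taken from any real application.
const SAMPLE_RECORDS = [{ user: 'alice', balance: 1200 }];

// Prefix that is a syntax error when executed as JavaScript. A cross-site page that
// loads the response through <script src=...> gets a parse error instead of the data;
// the application's own client strips it before JSON.parse (see parseHardened).
const ANTI_HIJACK_PREFIX = ")]}',\n";

// Approximates what a <script> tag does with the body: parse it as a program.
// A bare JSON array is a valid program, so a page on any origin that includes the
// URL in a <script> tag gets it executed, which is how the same origin policy is
// circumvented for data sent as JavaScript.
function isLoadableAsScript(body) {
  try { new Function(body); return true; } catch (e) { return false; }
}

// Vulnerable endpoint: answers any request with bare JSON.
function vulnerableResponse(records) {
  return { status: 200, body: JSON.stringify(records) };
}

// Hardened endpoint. <script> tags can only issue GET requests and cannot set custom
// headers, so requiring POST plus an application-set header shuts out the cross-site
// load; the prefix is defence in depth should either check be bypassed.
function hardenedResponse(records, req) {
  if (req.method !== 'POST') return { status: 405, body: '' };
  if (req.headers['x-requested-with'] !== 'XMLHttpRequest') return { status: 403, body: '' };
  return { status: 200, body: ANTI_HIJACK_PREFIX + JSON.stringify(records) };
}

// What the legitimate XMLHttpRequest-based client does with the hardened body.
function parseHardened(body) {
  if (!body.startsWith(ANTI_HIJACK_PREFIX)) throw new Error('missing anti-hijack prefix');
  return JSON.parse(body.slice(ANTI_HIJACK_PREFIX.length));
}
```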
