Latest news
Mozilla is planning to implement silent background updates in the upcoming version of Firefox 10, which could be very bad news on the security front, according to Philip Lieberman, CEO of Lieberman Software.While many IT security systems will have to be reconfigured to allow background updates to Firefox – which is not a good thing in the first place – there is danger that hackers could subvert the update system to allow them backdoor access to the users’ computer.
“Auto-updating can be a welcome feature for many computer users, but the feature does need to let the user know what is happening. Having your software quietly update in the background - presumably on a modular code basis - is not something that all IT security professionals will welcome,” he said.
“If, as I think appears quite likely, hackers start reverse engineering the Firefox background updating system – and remember we are talking about open source software here – then it is only a matter of time before they subvert this auto-updating mechanism to inject malware,” he added.
Lieberman went on to say that, at the MalCon security conference taking place in Mumbai later this week, well-known code cracker Peter Kleissner – who developed the Stoned bootkit back in 2008 – is scheduled to reveal the first Windows 8 bootkit.
This Stoned Lite bootkit will reportedly allow code loaded from the Master Boot Record on the PC’s hard disk to remain in place all the way through the Windows 8 boot-up and loading purpose.
It is coding technology like this, says Lieberman, which could allow the Firefox background updating system to be subverted, as he notes that we are talking about ultra low-level code that actually sits under the Windows 8 operating system itself.
“It doesn’t take a programming genius to figure out that - against the backdrop of a Windows 8 bootkit – it shouldn't be difficult to subvert a background updater for a piece of open source software like Firefox 10,” he said.
“Having a Windows 8 bootkit that exists is bad enough, but at least IT security professionals can set up their system controls to only allow access to the update processes when a suitable admin account logs in. This is the principle of admin accounts – which need to be protected using privileged account management technology – that ensures an extra layer of security on corporate systems,” he said.
“But with the prospect of having to allow for Firefox 10 updating itself silently and in the background, I suspect that many IT security professionals will raise the alarm. And for the very good reason that this is a recipe for a hacker security incursion in the background,” he added.


Spotlight

A closer look at Mega cloud storage
Posted on 21 May 2013. | Once a novelty, nowadays many cloud storage services are fighting for their piece of the market in the virtual world. Mega offers 50GB of free space with great pricing on Pro accounts.

The CSO perspective on healthcare security and compliance
Posted on 20 May 2013. | Randall Gamby is the CSO of the Medicaid Information Service Center of New York. In this interview he discusses healthcare security and compliance challenges and offers a variety of tips.

Cyber espionage campaign uses professionally-made malware
Posted on 20 May 2013. | A massive cyber espionage campaign has been hitting government ministries, IT companies, academic research institutions, and more.

Ransomware adds password stealing to its arsenal
Posted on 17 May 2013. | Microsoft researchers are warning about a new variant of the well-known Reveton ransomware doing rounds.

IT security jobs: What's in demand and how to meet it
Posted on 15 May 2013. | Let's say you want a career in information security, where do you start? What credentials do you need? What are employers looking for? Read on to find some answers.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.





