In Brief

Continuing Internet Explorer vulnerabilities; FTC sweep for GLBA compliance snares two companies

Continuing Internet Explorer Vulnerabilities

Security advisory service Secunia warns multiple drag-and-drop vulnerabilities in Microsoft Internet Explorer version 6.0, discovered in October 2004, are worse than previously thought. Secunia also released an online test for users to see if their particular IE browser is vulnerable.

The vulnerability arises because of “insufficient validation of drag-and-drop events,” says Secunia, specifically of images or media files with embedded HTML code. When such files are moved from the “Internet” zone to a local zone, they bypass security in Microsoft Windows XP SP2. In fact, the vulnerability “has been confirmed on a fully patched system with Internet Explorer 6.0 and Microsoft Windows XP SP2,” says Secunia.

Using the vulnerability, and attacker could run attack code in a user’s local zone, bypassing SP2’s restriction on Active Scripting in the local zone.

Secunia recommends using a different browser, disabling the “drag and drop or copy and paste files” option in user preferences, or setting “Internet” zone security to the “high” level.

- - -

FTC Steps Up GLBA Compliance

While Sarbanes-Oxley has been garnering a lot of press lately, it’s not the only compliance game in town.

In fact, this past fall, the Federal Trade Commission charged two U.S. mortgage companies—and one of their presidents—with violations of the Safeguards Rule of the Gramm-Leach-Bliley Act, alleging the organizations didn’t have “reasonable protections for customers’ sensitive personal and financial information,” according to an FTC statement.

The two organizations are Fairfax, Virginia-based Nationwide Mortgage Group Inc., and Sunbelt Lending Services Inc., a subsidiary of Cendant Mortgage Corp. Already Sunbelt, headquartered in Clearwater, Fla., agreed to settle the charges.

According to the FTC, the GLBA safeguards rule “requires financial institutions to have reasonable policies and procedures to ensure the security and confidentiality of customer information.” To comply with the rule, organizations must implement a written security program, assign employees to oversee it, conduct a security risk assessment, install safeguards to guard against those risks, require its service providers to also comply with information-protection standards, and then periodically update the security program.

Sunbelt and Nationwide were found to not be in GLBA compliance as part of “a nationwide sweep of automobile dealers and mortgage companies, to assess compliance with the rule,” says the FTC. “Although the sweep showed compliance by many of the companies targeted, it also showed significant failures to comply by Nationwide and Sunbelt.” In particular, Nationwide didn’t “train its employees on information security issues; oversee its loan officers’ handling of customer information; and monitor its computer network for vulnerabilities.” Sunbelt also failed to ensure its service providers and loan officers protected sensitive customer information.

In addition, both organizations failed to properly distribute privacy notices to customers—a GLBA requirement. According to complaints lodged with the FTC, “Nationwide did not provide the privacy notices to its customers, and Sunbelt did not provide the notices to its online customers.”

A settlement with Sunbelt is pending, says the FTC.

- - -

Mozilla Vulnerable to Buffer Overflow

Mozilla version 0.x through 1.7.3 is vulnerable to a buffer overflow. Its NNTP (network news transport protocol) code-handling is to blame.

An attacker, using a malicious Web site, can craft a special “news://” URI (universal resource identifier), which causes a heap-based buffer overflow. Secunia says the vulnerability is specifically due to “a boundary error in the ‘MSG_UnEscapeSearchUrl()’ function in ‘nsNNTPProtocol.cpp’ when processing NNTP URIs.”

Secunia rates the vulnerability as “highly critical.”

ISS X-Force notes affected versions of Mozilla run on a variety of platforms, including Apple Macintosh, Hewlett-Packard’s Compaq Tru64, Linux, Sun Solaris, and Microsoft Windows.

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.