Monthly Archives: July 2007

Firefox Released - Important Security Update

A new version of Firefox was released today, following the reports of several critical bugs that could allow remote code execution by clicking an URL. If you have automatic updating enabled in Firefox (it’s on by default) it should automatically update itself.

Release notes:

Vulnerability details from Secunia:

Prevent Color Copiers from Copying Your Files

Color copiers contain detection algorithms for bank notes, and will refuse to copy any documents they consider to be bank notes. The actual algorithm used by the copiers was documented by Markus Kuhn in this PDF file. A new perl program called eurionize allows you to embed a pattern into any Postscript file that will prevent color copiers from making copies of the file.

This is not fool-proof of course, but it is an interesting hack nonetheless. As the eurionize author notes, the technique might provide a small increase in security of documents like coupons and entertainment admission tickets.

Best Process Viewer for Windows (It’s even freeware!)

Here’s a useful utility you’ll want to have on hand when analyzing compromised or possibly compromised machines:

Process Explorer Screenshot

Process Explorer by SysInternals (recently acquired by Microsoft)

This is the most powerful process viewer, bar none, and what we use on our lab machines when analyzing trojans. Especially useful is the ability to search all handles and DLLs as this helps in locating trojan modules that are loaded into other processes.

Top 7 Tips to Secure Your Apache Web Server

In this post on Apache security, I will show you the 10 most important things you need to do to secure your server.

1. Edit your httpd.conf and remove any unused modules

This is very important as each additional module, such as for example mod_php will increase the security risk to your site. If there’s a security vulnerability in PHP, and you aren’t running with mod_php enabled, you won’t be exposed. If you only require mod_rewrite then the only uncommented module line in your httpd.conf should be

LoadModule rewrite_module modules/

(Bonus points if you spotted that the above line is only for Apache 2.x config files)

2. Stay up-to-date on security vulnerabilities for modules you have installed

This means subscribing to mailing lists and check blogs and web sites regularly for news on security vulnerabilities to modules you have installed.

3. Keep informed about the latest version of Apache httpd

Although Apache has an excellent security track record, you should still check for new versions regularly at

4. Turn off the server signature

There’s no need to tell anyone what web server and product version you’re running. To turn off server signatures both on error pages and in the HTML response header, add the following to httpd.conf:

ServerSignature Off
ServerTokens ProductOnly

5. Don’t allow directory index browsing

If a user types in their browser bar, and there is no index page for the images directory, the might be able to see all the files in that, or any other directory without an index page. To make sure this doesn’t happen, disable directory indexing by putting the following in your httpd.conf:

Options -Indexes

6. Run mod_security

This module, written by Apache guru Ivan Ristic, allows you to do such things as filter out SQL injection attempts from URI strings, detect shell code in POST or GET queries, and much, much more.

Get it at

7. Run apache in a chroot jail

This advanced configuration allows you to “jail” Apache to a specific root directory. The process won’t be able to access anything beyond the chroot’ed directory. For a tutorial, see this article.

FBI Trojan

FBI apparently has a trojan called CIPAV which it uses to obtain information about the computers used by suspects under investigation for computer crime.

This affidavit seeks permission to install the CIPAV through MySpace, which suggests something like a browser exploit embedded in a message sent to the suspect. It is interesting to speculate whether this exploit targets Internet Explorer or Firefox (or possibly even both).

The following quote from page 16 of the affidavit leads me to believe that the FBI has several ready-made exploits, each targeted at a different browser:

It is requested that this court issue a search warrant authorizing … the use of multiple CIPAVs until one CIPAV is activated by the activating computer.

The investigators could then simply try each one in turn, until one succeeds in activating the trojan and sending information back.Several news outlets have contacted AV vendors to get clarification on whether they will detect government trojans such as CIPAV. Some have declined to comment. Needless to say, TrojanHunter will always be detecting trojans, no matter what their source.