Personal Information Easily Harvested on Facebook

Facebook is currently the most popular social networking site on the Internet. With the ability to find friends, communicate with them, and play games, the site can be addictive. But the BBC’s program Click this week showed that your personal information - the information in your Facebook profile - can be harvested easily by applications you choose to add to your profile.

It turns out that when you allow an application to access your personal information - something that many applications require - that application can get at not only your information, but that of your friends, without their knowing it, and in spite of their security settings.

The Click team created a simple application that could masquerade as a game or a test.

“We wrote an evil data mining application called Miner, which, if we wanted, could masquerade as a game, a test, or a joke of the day. It took us less than three hours.

But whatever it looks like, in the background, it is collecting personal details, and those of the users’ friends, and e-mailing them out of Facebook, to our inbox.

When you add an application, unless you say otherwise, it is given access to most of the information in your profile. That includes information you have on your friends even if they think they have tight security settings.

Did you know that you were responsible for other people’s security?”

The solution? Alas, there is none for now. The only thing you can do is make sure that you don’t include, in your Facebook profile, information that you don’t want non-friends to find out about. Or, as the Click team says, “In fact, the only way we can see of completely protecting yourself from applications skimming information about you and your friends is to erase all the applications on your profile and opt to not use any applications in the future.”

To learn more about this, watch this segment of Click on the program’s website.

Posted by Peter on May 6, 2008 in Other Software, Security

Security Updates for Mozilla Firefox and Thunderbird

Yet another update for Firefox, the open-source web browser. This fixes a security problem with the program’s JavaScript engine. The Mozilla Foundation calls this critical, yet says, “We have no demonstration that this particular crash is exploitable but are issuing this advisory because some crashes of this type have been shown to be exploitable in the past.”

The same flaw exists in Thunderbird, so users should update both programs. The latest version of Firefox and Thunderbird can be downloaded here.

Posted by Peter on April 17, 2008 in Other Software, Security

Security Update for Adobe Flash Player

You probably use the Adobe Flash Player regularly, at least if you watch online videos or play basic web games: both of these use Flash to display graphics and images. Adobe has announced that the latest version of Flash Player corrects a vulnerability “that could allow an attacker who successfully exploits these potential vulnerabilities to take control of the affected system. A malicious SWF must be loaded in Flash Player by the user for an attacker to exploit these potential vulnerabilities. It is recommended users update to the most current version of Flash Player available for their operating system.”

It is recommended that all users update Flash Player immediately. This software is used often, and usually transparently, so most users don’t even realize that it’s a web browser plug-in. You can download the latest version of Flash Player here.

Posted by Peter on April 11, 2008 in Other Software, Security

New Scareware Targets Mac

Back in January, we wrote about a scareware program targeting Mac OS X. The “rogue tool”, Macsweeper, claimed that “The imbibed set of features locates all the junk and useless data on your computer and deletes them to reclaim the wasted space.” In addition to questionable English in the description, the program itself was not only a rip-off, but it was dangerous: while it may have cleaned out some files such as caches, it also deleted more important files, without users even knowing what it removed.

Another program, called iMunizator, has been spotted, and this is nothing more than the same program (with exactly the same interface, features and code) with a new name. The program’s website (which we will not link to) has the same layout and the same description as Macsweeper. Needless to say, there must be some gullible people ready to pay $30 for this program, in spite of the fact that it is a scam, and is dangerous.

VirusBarrier X5, in its virus definitions dated March 27, 2008, blocks this program (which we have called OSX.AngeloScan), so even if you accidentally get a copy of it and try to run it, you will be alerted that the program is dangerous.




Intego will continue to be on the alert for future versions of this program, which doesn’t seem like it’s going away any time soon.

Posted by Peter on March 28, 2008 in Other Software, Security

New Firefox Security Update

The Mozilla Foundation has released a new update to Firefox for Mac OS X. Version 2.0.0.13 contains a half-dozen security fixes, two of them for critical vulnerabilities, as well as some other bug fixes. You can download the latest version of Firefox here.

Posted by Peter on March 26, 2008 in Other Software, Security

Microsoft Patches Office 2004 and 2008

It’s security update time for Microsoft Office, both the 2008 and 2004 versions. If you use Office 2008, you’ll need this 114 MB download, which fixes, among other things, “vulnerabilities in Office 2008 that an attacker can use to overwrite the contents of your computer’s memory with malicious code”, as well as an installer problem, whereby the Office installer wrote files with an incorrect user ID, meaning that many users couldn’t access the programs and support files correctly. The update also improves general reliability and fixes a number of bugs.

For Office 2004, a 13 MB download fixes bugs and two security issues: one for Excel, and a critical vulnerability

“that could allow remote code execution if a user opens a malformed Office file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

Posted by Peter on March 12, 2008 in Other Software, Security

Copyright © 2007-2008 Intego