Comcast says it is revamping the software that new customers need to install to start service with the ISP. The software is unfriendly to Mac users running Firefox: It changes the browser’s homepage to comcast.net, and blocks users from changing it to anything else.

I heard this from a friend who’d just signed up for Comcast’s Xfinity high-speed Internet service and soon discovered some behavior on his Mac that is akin to Windows malware  — something had hijacked his Internet settings. The technician who arrived to turn on the service said that a software package from Comcast was necessary to complete the installation. My friend later discovered that his homepage had been changed to comcast.net, and that Comcast software had modified his Firefox profile so that there was no way to change the homepage setting.

I contacted Comcast; they initially blamed the problem on a bug in Firefox. Mozilla denies this, and says it’s Comcast’s doing.

“This is NOT a Firefox bug or issue,” a Mozilla spokesperson wrote in an email. “It is a Comcast method that applies preference changes to Firefox.”

Some of the Mac files installed by Comcast's Xfinity software.

Comcast spokesman Charlie Douglas acknowledged that the Xfinity software hijacks Firefox’s settings. He said the problem is limited to Mac users, and that permanency of the change was unintentional. He added that the company is in the process of correcting the installation software.

“Customers absolutely should be able to change their preferred homepage anytime,” Douglas said. “We’re obviously apologizing for any inconvenience we’ve caused Mac users.”

Fortunately, there is a stopgap fix for this problem. Blogger Ryan Parman has published step-by-step instructions and screenshots showing how to remove the homepage hijack.

Adobe released an emergency security update today to fix a vulnerability that the company warned is being actively exploited in targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message.

The vulnerability — a cross-site scripting bug that could be used to take actions on a user’s behalf on any Web site or Webmail provider, exists in Flash Player version 10.3.181.16 and earlier for Windows, Macintosh, Linux and Solaris. Adobe recommends users update to version 10.3.181.22 (on Internet Explorer, the latest, patched version is 10.3.181.23).  To find out what version of Flash you have, go here.

Google appears to have already pushed out an update that fixes this flaw in Chrome. Adobe says it will ship an update to fix this flaw on Android sometime this week.

Adobe said it is still investigating whether this is exploitable in Adobe Reader and Acrobat X (10.0.2) and earlier 10.x and 9.x versions of Adobe Reader and Acrobat for Windows and Macintosh operating systems, and that it is not aware of any attacks targeting Adobe Reader or Acrobat in the wild.

Remember that if you use Internet Explorer in addition to other browsers, you will need to apply this update twice: Once to install the Flash Active X plugin for IE, and again to update other browsers, such as Firefox and Opera. Updates are available by browsing with the appropriate browser to the Flash Player Download Center. Bear in mind that updating via the Download Center involves installing Adobe’s Download Manager, which may try to foist additional software. If you’d prefer to update manually, the direct installers for Windows are available at this link. If you run into problems installing this update, you’ll want to uninstall previous versions of Flash Player and then try again.

Most Web sites use JavaScript, a powerful scripting language that helps make sites interactive. Unfortunately, a huge percentage of Web-based attacks use JavaScript tricks to foist malicious software and exploits onto site visitors. To protect yourself, it is critically important to have an easy method of selecting which sites should be allowed to run JavaScript in the browser.

It is true that selectively allowing JavaScript on known, “safe” sites won’t block all malicious scripting attacks: Even legitimate sites sometimes end up running malicious code when scammers figure out ways to sneak tainted, bogus ads into the major online ad networks. But disallowing JavaScript by default and selectively enabling it for specific sites remains a much safer option than letting all sites run JavaScript unrestricted all the time.

Firefox has many extensions and add-ons that make surfing the Web a safer experience. One extension that I have found indispensable is NoScript. This extension lets the user decide which sites should be allowed to run JavaScript, including Flash Player content. Users can choose to allow specific exceptions either permanently or for a single browsing session.

The NoScript extension makes it easy to place or remove these restrictions on a site-by-site basis, but a novice user may need some practice to get the hang of doing this smoothly. For instance, it’s not uncommon when you’re shopping online to come across a site that won’t let you submit data without fully allowing JavaScript. Then, when you enable scripting so that you can submit your address and payment information, the page often will reload and clear all of the form data you’ve already supplied, forcing you to start over. Also, many sites host content from multiple third-party sites, and users who prefer to selectively enable scripts may find it challenging to discover which scripts need to be enabled for the site to work properly.

Chrome also includes similar script- and Flash blocking functionality that seems designed to minimize some of these challenges by providing fewer options. If you tell Chrome to block JavaScript on all sites by default, when you browse to a site that uses JavaScript, the upper right corner of the browser displays a box with a red “X” through it. If you click that and select “Always allow JavaScript on [site name]” it will permanently enable JavaScript for that site, but it doesn’t give you the option to block third-party JavaScript content on the site as Noscript does. In my testing, I had to manually refresh the page before Chrome allowed scripting on a site that I’d just whitelisted.

To restrict scripting in Chrome, click the wrench icon in the upper right corner of the browser. Under “Options,” select “Under the Hood.” Click the “Content Settings” button at the top. Under JavaScript, select the button: “Do not allow any site to run JavaScript”.

Internet Explorer 9, which Microsoft released earlier this year, is by far the fastest and most advanced version of IE (it rivals Chrome in the speed with which it loads Web pages). IE9 also includes new security features, such as enhanced memory protection and Microsoft’s SmartScreen Application Reputation engine, designed to alert users when they try to download files from locations on the Web with an unknown or dodgy history.

But I found it somewhat difficult to believe that this new version of IE still doesn’t give the user much choice in handling JavaScript. In IE9, you can select among JavaScript on, off, or prompting you to load JavaScript. Turning JavaScript off isn’t much of an option, but leaving it completely open is unsafe. Choosing the “Prompt” option does nothing but serve incessant pop-up prompts to allow or disallow scripts (see the video below).

I like Chrome’s simplicity and speed, but I prefer Firefox because it offers the most options for dealing with JavaScript. But, whichever browser you use, be aware that running JavaScript can be the point of entry for intrusive and infectious malware. Use caution before deciding to allow it on any site that you visit.

Adobe has released another batch of security updates for its ubiquitous Flash Player software. This “critical” patch fixes at least 11 vulnerabilities, including one that reports suggest is being exploited in targeted email attacks.

In the advisory that accompanies this update, Adobe said “there are reports of malware attempting to exploit one of the vulnerabilities, CVE-2011-0627, in the wild via a Flash (.swf) file embedded in a Microsoft Word (.doc) or Microsoft Excel (.xls) file delivered as an email attachment targeting the Windows platform. However, to date, Adobe has not obtained a sample that successfully completes an attack.”

The vulnerabilities exist in Flash versions 10.2.159.1 and earlier for Windows, Mac, Linux and Solaris. To learn which version of Flash you have, visit this link. The new version for most platforms is 10.3.181.14; Android users should upgrade to Flash Player 10.3.185.21 available by browsing to the Android Marketplace on an Android phone; Google appears to have updated Chrome users automatically with this version of Flash back on May 6 (Chrome versions 11.0.696.68 and later have the newest Flash version).

Remember that if you use Internet Explorer in addition to other browsers, you will need to apply this update twice: Once to install the Flash Active X plugin for IE, and again to update other browsers, such as Firefox and Opera. Updates are available by browsing with the appropriate browser to the Flash Player Download Center. Bear in mind that updating via the Download Center involves installing Adobe’s Download Manager, which may try to foist additional software. If you’d prefer to update manually, the direct installers for Windows should be available at this link. If you run into problems installing this update, you’ll want to uninstall previous versions of Flash Player and then try again.

Adobe says Flash Player 10.3 includes a new auto-update notification mechanism for the Macintosh platform, which should alert Mac users to new Flash updates (this feature has been available on the Windows platform for a while now).

A new crimeware kit for sale on the criminal underground makes it a simple point-and-click exercise to develop malicious software designed to turn Mac OSX computers into remotely controllable zombie bots. According to the vendor of this kit, it is somewhat interchangeable with existing crimeware kits made to attack Windows-based PCs.

The Mac malware builder in action.

KrebsOnSecurity has spilled a great deal of digital ink covering the damage wrought by ZeuS and SpyEye, probably the most popular crimeware kits built for Windows. A crimeware kit is a do-it-yourself package of tools that allow users to create custom versions of a malicious software strain capable of turning machines into bots that can be remotely controlled and harvested of financial and personal data. The bot code, generated by the crimeware kit’s “builder” component, typically is distributed via social engineering attacks in email and social networking sites, or is foisted by an exploit pack like Eleonore or Blackhole, which use hacked Web sites and browser flaws to quietly install the malware. Crimeware kits also come with a Web-based administration panel that allows the customer to manage and harvest data from infected PCs.

Crimekit makers have focused almost exclusively on the Windows platform, but today Danish IT security firm CSIS Security Group blogged about a new kit named the Weyland-Yutani BOT that is being marketed as the first of its kind to attack the Mac OS X platform.

The seller of this crimeware kit claims his product supports form-grabbing in Firefox and Chrome, and says he plans to develop a Linux version and one for the iPad in the months ahead. The price? $1,000, with payment accepted only through virtual currencies Liberty Reserve or WebMoney.

The CSIS blog post contains a single screen shot of this kit’s bot builder, and references a demo video but doesn’t show it. I wanted to learn more about this kit, and so contacted the seller via a Russian language forum where he was advertising his wares.

The author said he is holding off on including Safari form-grabbing capability for now, complaining that there are “too many problems in that browser.” Still, he was kind enough to share a copy of a video that shows the kit’s builder and admin panel in action. Click the video link below to check that out.

ZeuS and SpyEye are popular in part because they support a variety of so-called “Web injects,” third-party plug-ins that let botmasters manipulate the content that victims see in their Web browsers. The most popular Web injects are designed to slightly alter the composition of various online banking Web sites in a bid to trick the victim customer into supplying additional identifying information that can be used later on to more fully compromise or hijack the account. According to the author, Web injects developed for ZeuS and SpyEye also are interchangeable with this Mac crimekit. “They need to be formatted and tagged, but yes, you can use Zeus injects with this bot,” he told me in an instant message conversation.

Fans of the movie series “Alien” will recognize the name Weyland-Yutani as the fictional corporation that was sent ahead to establish habitable bases and dwellings on extrasolar planets in advance of the arrival of new human colonies. If this crimekit takes hold, or is an indicator of a broader interest in attacking Mac users, we could soon witness cyber crooks starting to colonize the Mac user community as well. The author of this Mac crimekit said he knows of several other independent coders who are working on Mac malcode projects that aren’t quite ready for prime-time, although he declined to elaborate on that claim.

Each time this subject comes up, I am struck by how fervently the Mac community denies that Mac users might ever have to deal with anywhere near the level of malware that currently besieges the Windows world. The Mac, these apologists explain, is far more secure than Windows, and that is why we have not seen malware writers attack the platform with the same vigor and interest. As one commenter on this blog reasoned, OS X simply doesn’t allow programs to be installed without user permission. My response is, assuming for the moment that the above statement about the Mac’s superior security is true, the operating system does nothing to stop the user from being tricked or cajoled into installing malware. What’s more, social engineering attacks are one of the primary ways that Windows users get infected today, so why would it be any different for Mac users?

Consider the scourge of rogue anti-virus attacks: Each day, thousands of Windows users are tricked into running and installing a bogus security “scanner” foisted on them by some hacked Web site. The attackers’ goal with these “scareware” muggings is to not only trick the user into installing malicious software, but also paying for it with their credit cards!

Image courtesy Intego.com

Earlier today, MacRumors.com carried a story about a new threat discovered by Mac security software vendor Intego that uses social engineering in a bid to install scareware known as “MACDefender.”

The nice thing about social engineering attacks is that defending against them doesn’t require buying or installing some type of security software. As I noted in a column last week, it merely requires the user to accept the notion that “security-by-obscurity is no substitute for good security practices and common sense: If you’ve installed a program, update it regularly; if you didn’t go looking for a program, add-on or download, don’t install it; if you no longer need a program, remove it.”

With new security updates from vendors like Adobe, Apple and Java coming out on a near-monthly basis, keeping your Web browser patched against the latest threats can be an arduous, worrisome chore. But a new browser plug-in from security firm Qualys makes it quick and painless to identify and patch outdated browser components.

The Qualys BrowserCheck plug-in works across multiple browsers — including Internet Explorer, Firefox, Chrome and Opera, on multiple operating systems. Install the plug-in, restart the browser, click the blue “Scan Now” button, and the results should let you know if there are any security or stability updates available for your installed plug-ins (a list of the plug-ins and add-ons that this program can check is available here). Clicking the blue “Fix It” button next to each action item listed fetches the appropriate installer from the vendor’s site and prompts you to download and install it. Re-scan as needed until the browser plug-ins are up to date.

Secunia has long had a very similar capability built into its free Personal Software Inspector program, but I realize not everyone wants to install a new program + Windows service to stay abreast of the latest patches (Secunia also offers a Web-based scan, but it requires Java, a plug-in that I have urged users to ditch if possible). The nice thing about Qualys’ plug-in approach is that it works not only on Windows, but also on Mac and Linux machines. On Windows 64-bit systems, only the 32-bit version of Internet Explorer is supported, and the plug-in thankfully nudges IE6 and IE7 users to upgrade to at least IE8.

Having the latest browser updates in one, easy-to-manage page is nice, but remember that the installers you download may by default come with additional programs bundled by the various plug-in makers. For example, when I updated Adobe’s Shockwave player on my test machine, the option to install  Registry Mechanic was pre-checked. The same thing happened when I went to update my Foxit Reader plug-in, which wanted to set Ask.com as my default search provider, set ask.com as my home page, and have the Foxit toolbar added.

A new online resource aims to make it easier to gauge the relative security risk of using different types of popular software, such as Web browsers and media players.

Last month, I railed against the perennial practice of merely counting vulnerabilities in a software product as a reliable measure of its security: Understanding the comparative danger of using different software titles, I argued, requires collecting much more information about each, such as how long known flaws existed without patches. Now, vulnerability management firm Secunia says its new software fact sheets try to address that information gap, going beyond mere vulnerability counts and addressing the dearth of standardized and scheduled reporting of important security parameters for top software titles.

Secunia "fact sheet" on Adobe Reader security flaws.

“In the finance industry, for example, key performance parameters are reported yearly or quarterly to consistently provide interested parties, and the public, with relevant information for decision-making and risk assessment,” the company said.

In addition to listing the number of vulnerabilities reported and fixed by different software vendors, the fact sheets show the impact of a successful attack on the flaw; whether the security hole was patched or unpatched on the day it was disclosed; and information about the window of exploit opportunity between disclosure and the date a patch was issued.

The fact sheets allow some useful comparisons — such as between Chrome, Firefox, Internet Explorer and Opera. But I’m concerned they will mainly serve to fan the flame wars over which browser is more secure. The reality, as shown by the focus of exploit kits like Eleonore, Crimepack and SEO Sploit Pack, is that computer crooks don’t care which browser you’re using: They rely on users browsing the Web with outdated software, especially browser plugins like Java, Adobe Flash and Reader (all links lead to PDF files).

Researchers have discovered that dozens of Web sites are using simple Javascript tricks to snoop into visitors’ Web browsing history. While these tricks are nothing new, they are in the news again, so it’s a good time to remind readers about ways to combat this sneaky behavior.

The news is based on a study released by University of California, San Diego researchers who found that a number of sites were “sniffing” the browsing history of visitors to record where they’d been.

This reconnaissance works because browsers display links to sites you’ve visited differently than ones you haven’t: By default, visited links are purple and unvisited links are blue. History-sniffing code running on a Web page simply checks to see if your browser displays links to specific URLs as purple or blue.

These are not new discoveries, but the fact that sites are using this technique to gather information from visitors seems to have caught many by surprise: A lawyer for two California residents said they filed suit against one of the sites named in the report — YouPorn — alleging that it violated consumer-protection laws by using the method.

As has been broadly reported for months, Web analytics companies are starting to market products that directly take advantage of this hack.  Eric Peterson reported on an Israeli firm named Beencounter that openly sells a tool to Web  site developers to query whether site visitors had previously visited up to 50 specific URLs.

The Center for Democracy & Technology noted in March that another company called Tealium has been marketing a product taking advantage of this exploit for nearly two years.  “Tealium’s “Social Media” service runs daily searches of a customer’s name for news and blog postings mentioning the customers, and then runs a JavaScript application on the customer’s site to determine whether visitors had previously read any of those stories,” CDT wrote. “The service allows Tealium customers a unique insight into what sites visitors had previously read about the company that may have driven them to the company’s Web site.”

If you’d like see this history sniffing technique in action, check out this blog post (from 2008) and click the “Start Analyzing My Browsing History” button about halfway down the page. That site also will try to guess whether you’re a man or a woman by indexing the sites it finds against the Quantcast Top 10,000 sites. It guessed that there was a 99 percent likelihood I was male (phew!), but your mileage may vary.

Fortunately, the browser makers (most of them) have responded. These sniffing attacks — such as the proof-of-concept I linked to above — do not appear to work against the latest versions of Chrome and Safari.  Within Mozilla Firefox, these script attacks can be blocked quite easily using a script-blocking browser plugin, such as the Noscript add-on.

Mozilla addressed this history-sniffing weakness in a bug report that persisted for eight years and was only recently corrected, but the changes won’t be rolled into Firefox until version 4 is released. As a result, current Firefox users still need to rely on script blocking to stop this. Internet Explorer currently does not have a simple way to block scripts from within the browser (yes, users can block Javascript across the board and add sites to a whitelist, but that whitelist lives several clicks inside of the IE options panel).

Once or twice each year, some security company trots out a “study” that counts the number of vulnerabilities that were found and fixed in widely used software products over a given period and then pronounces the worst offenders in a Top 10 list that is supposed to tell us something useful about the relative security of these programs. And nearly without fail, the security press parrots this information as if it were newsworthy.

The reality is that these types of vulnerability count reports — like the one issued this week by application whitelisting firm Bit9 — seek to measure a complex, multi-faceted problem from a single dimension. It’s a bit like trying gauge the relative quality of different Swiss cheese brands by comparing the number of holes in each: The result offers almost no insight into the quality and integrity of the overall product, and in all likelihood leads to erroneous and — even humorous — conclusions.

The Bit9 report is more notable for what it fails to measure than for what it does, which is precious little: The applications included in its 2010 “Dirty Dozen” Top Vulnerable Applications list had to:

• Be legitimate, non-malicious applications;

• Have at least one critical vulnerability that was reported between Jan. 1, 2010 and Oct. 21, 2010; and

• Be assigned a severity rating of high (between 7 and 10 on a 10-point scale in which 10 is the most severe).

The report did not seek to answer any of the questions that help inform how concerned we should be about these vulnerabilities, such as:

• Was the vulnerability discovered in-house — or was the vendor first alerted to the flaw by external researchers (or attackers)?

• How long after being initially notified or discovering the flaw did it take each vendor to fix the problem?

• Which products had the broadest window of vulnerability, from notification to patch?

• How many of the vulnerabilities were exploitable using code that was publicly available at the time the vendor patched the problem?

• How many of the vulnerabilities were being actively exploited at the time the vendor issued a patch?

• Which vendors make use of auto-update capabilities? For those vendors that include auto-update capabilities, how long does it take “n” percentage of customers to be updated to the latest, patched version?

The reason more security companies do not ask these questions is that finding the answers is time-consuming and difficult. I should know: I volunteered to conduct this analysis on several occasions over the past five years. A while back, I sought to do this with three years of critical updates for Microsoft Windows, an analysis that involved learning when each vulnerability was reported or discovered, and charting how long it took Microsoft to fix the flaws. In that study, I found that Microsoft actually took longer to fix flaws as the years went on, but that it succeeded in an effort to convince more researchers to disclose flaws privately to Microsoft (as opposed to simply posting their findings online for the whole world to see).

I later compared the window of vulnerability for critical flaws in Internet Explorer and Mozilla Firefox, and found that for a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. In contrast, I found that Firefox experienced a single period lasting just nine days during that same year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to fix the problem.

Bit9′s vulnerability count put Google Chrome at the Number 1 spot on its list, with 76 reported flaws in the first 10 months of this year. I’d like to propose that — by almost any objective measure — Adobe deserves to occupy the first, second and third positions on this grotesque vulnerability totem pole, thanks to  vulnerabilities in and incessant attacks against its PDF Reader, Flash and Shockwave software.

For one thing, Adobe appears to have had more windows of vulnerability and attack against flaws in its products than perhaps all of the other vendors on the list combined. Adobe even started this year on the wrong foot: On Dec. 15, 2009, the company announced that hackers were breaking into computers using a critical flaw in Reader and Acrobat. It wasn’t until Jan. 7 — more than three weeks later — that the company issued a patch to fix the flaw.

This happened again with Adobe Reader for 20 days in June, and for 22 days in September. Just yesterday, Adobe issued a critical update in Reader that fixed a flaw that hackers have been exploiting since at least Oct. 28.

True, not all vendors warn users about security flaws before they can issue patches for them, as do Adobe, Microsoft and Mozilla: In many ways this information makes these vendors easier to hold accountable. But I think it’s crucial to look closely at how good a job software vendors do at helping their users stay up-to-date with the latest versions. Adobe and Oracle/Sun, the vendors on the list with the most-attacked products today, both have auto-update capabilities, but these updaters can be capricious and slow.

Google and Mozilla, on the other hand, have helped to set the bar on delivering security updates quickly and seamlessly. For example, I’ve found that when I write about Adobe Flash security updates, Google has already pushed the update out to its Chrome users before I finish the blog post. The same is true when Mozilla issues patches to Firefox.

Marc Maiffret, CTO at eEye Digital Security, also took issue with the Bit9 report, and with Google’s position at #1.

“While many vulnerabilities might exist for Chrome, there are very few exploits for Chrome vulnerabilities compared to Adobe,” Maiffret said. “That is to say that while Chrome has more vulnerabilities than Adobe, it does not have nearly the amount of malicious code in the wild to leverage those vulnerabilities.”

There is no question that software vendors across the board need to do a better job of shipping products that contain far fewer security holes from the start: A study released earlier this year found that the average Windows user has software from 22 vendors on her PC, and needs to install a new security update roughly every five days in order to use these programs safely. But security companies should focus their attention on meaningful metrics that drive the worst offenders to improve their record, making it easier for customers to safely use these products.

Both Adobe and Apple have released security updates or alerts in the past 24 hours. Adobe pushed out a critical patch that fixes at least 20 vulnerabilities in its Shockwave Player, while Apple issued updates to correct 13 flaws in Mac OS X systems.

The Adobe patch applies to Shockwave Player 11.5.7.609 and earlier on Windows and Mac operating systems. Adobe recommends that users upgrade to Shockwave Player 11.5.8.612, available at this link. But before you do that, you might want to visit this link, which will tell you whether or not you need to update, and indeed whether you currently have Shockwave installed at all. If you visit it and don’t see an animation, then you don’t have Shockwave (and probably aren’t missing it either).

One other note about Shockwave: Firefox users may notice a “Shockwave Flash” entry when they click “Tools,” “Add-0ns,” and then the “Plugins” tab. For reasons that are too complicated to explain in one breath, this is actually Adobe’s name for its regular Flash player, which most people probably do want installed because can be difficult to browse and use the Internet without it.  By the way, if you haven’t updated your Flash Player in a while, Adobe issued a new version of that software on Aug 10 that plugged a half dozen security holes.

Apple’s update affects Mac OS X Server 10.5, Mac OS X 10.5.8 , Mac OS X Server 10.6 , Mac OS X 10.6.4 and is available via Software Update or from Apple Downloads.