My GMail password was stolen and my account taken over by Russian Hackers who tried to extort money out of me. This of course led me to ask HOW, on my system with my careful attitude to everything, they got hold of my password.
What I've found is that there are more security holes in software than even my paranoid mind suspected. I figured that with a fully patched Vista, running Nod32 (which is arguably the best antivirus around), Windows Defender, SpyBot S&D, a hardware firewall, Firefox instead of IE, etc., I would be pretty safe. Then my Google & ICQ passwords got stolen from the Accounts.xml file of Pidgin, which is smartly stored right there all in plain unencrypted text, ripe for the picking. But I still wasn't sure how they got the file.
I'm not saying I will ever know WHICH security hole was used. But I've found several. Firefox 2.0.0.12 has a known "Directory Traversal" bug, but it is claimed to be limited to the extensions directory only so maybe it wasn't that. There's a keygen I used, but that keygen has been available for TWO YEARS, so if it had a trojan in it, you'd think it would come up when submitted to 32 different scanning engines, but they all found it clean. A Roadrunner technician required me to disconnect my hardware firewall/router before he would help diagnose my connection the day before my passwords were used to take over GMail & ICQ. I forgot to plug it back in for 12 Hours. Going without a firewall is bad, but that would imply there was a hole in a fully patched Vista system. If there is, it is unpublished. Published exploits are much more frequently used. So what software on my system contains published exploits?
Adobe Flash Player. In December, an update was released that upgraded users to version 9.0.115.0. The patch fixed several security flaws.
Unfortunately, version 9.0.115.0 of Flash Player also has a known bug - with certain ATI video cards, you cannot go full-screen with Flash Video. That means no full-screen YouTube, CBS Evening News, etc, because almost everyone uses Flash Video on the web.
So I had reverted to version 9.0.47.0 of Flash Player. It worked.
Apparently, it was also a veritable hacker's paradise. The short list of risks: "could lead to the potential execution of arbitrary code", "could potentially aid an attacker in executing a DNS rebinding attack", vulnerable to "privilege escalation attacks against web servers hosting Flash content", vulnerable to "potential cross-site scripting issues", "potential Universal Cross-Site Scripting attacks", "allow remote hackers to modify HTTP headers of client requests and conduct HTTP Request Splitting attacks", "a potential port-scanning issue", "(linux) a memory permissions issue that could lead to privilege escalation", and an unspecified issue on Mac.
Whoa. And all of these are PUBLISHED EXPLOITS. Let's see... cross-site scripting, header modification, privilege escalation, DNS rebinding, and arbitrary code execution. Is there anything they missed?
Yet, Adobe is dragging their feet on fixing 9.0.115.0, and actually recommending people revert to 9.0.47.0.
I believe I have just become a convert: Flashblock.