Posted at 10:24 AM ET, 11/21/2008
Spamhaus: Microsoft Now 5th Most Spam Friendly ISP
Microsoft is rising quickly on a running list of the Top 10 Worst Spam Service ISPs as maintained by spamhaus.org, a group that tracks unsolicited commercial e-mail.
The software giant debuted on the list earlier this month at number 9 (one being the worst), and has slid over the past few days down to number 5. Spamhaus says spammers and scam artists are abusing Microsoft's live.com and livefilestore.com properties to redirect visitors to sites that peddle fake pharmacy products, porn and Nigerian 419 scams.
Spamhaus explains how entities wind up on its Top 10 list:
Although all networks claim to be anti-spam, some network executives factor revenue made from hosting known spam gangs into corporate policy decisions to continue to sell services to spam operations. Others simply decide that closing the holes in their end-user broadband systems that allow spammers access would be too costly to their bottom lines.
Richard Cox, Spamhaus's chief information officer, said spammers advertise the links at Microsoft's properties by the tens of thousands at a time, because they know anti-spam groups are unlikely to block Microsoft properties outright.
"We have been notifying Microsoft about this for some months now at a high level that the abuse at livefilestore.com we believe now exceeds any genuine use of that service that may exist," Cox said. He added that while Spamhaus has not yet listed any major Microsoft properties on its block list, it has listed a couple of smaller Microsoft domains to get their attention.
Cox said Yahoo! until earlier this week was listed high in the Top 10 list for the very same activity, but that the company quickly took steps to remove or shut down the offending domains.
"It should not be difficult for a company with Microsoft's resources to identify and mitigate that abuse in-house without any external input, but so far this has not happened," Cox said. "Microsoft's live.com system has for some time been supporting an illegal drug sales operation, and Microsoft has known this."
Microsoft declined to make someone available for an interview about this. But the company e-mailed Security Fix a statement from John Scarrow, general manager of safety services at Microsoft. Scarrow wrote:
"Spam and other abuse scenarios are not Microsoft-specific. Microsoft offers Windows Live, a suite of software and services that provides opportunities for customers to post and share their own content through Windows Live Hotmail, Windows Live Spaces, Windows Live SkyDrive and other free services. As such, spammers have multiple avenues to target consumers with malicious activities. We take protecting our customers' security and privacy seriously and are continually working to improve their experiences while making industry leading progress to mitigate such attacks through both oversight and technology advancements. Using Windows Live services for spam is explicitly prohibited by the terms of service, and Windows Live accounts that are found to be used by spammers are aggressively removed."
The accuracy of that last statement may be open to interpretation: Some of the live.com properties listed by Spamhaus that were used by spammers more than a month ago are still active.
What's more, other security companies have been publicly warning about upticks in spam and scam activity hosted at various Microsoft properties for many months now. In January, McAfee's Chris Barton wrote about the exact same problem. Last month, U.K.-based security firm Marshal said it was seeing large numbers of spam campaigns abusing Microsoft's livefilestore.com service (previously known as Windows Live Folders).
Have a question or comment about this post or other computer security matters? Join me today at 11 a.m. ET for a live Web chat.
Posted by Brian Krebs | Permalink
| Comments (7)
Posted at 08:46 PM ET, 11/20/2008
Peculiar Patch Pits iPhone Security vs. Safari
Earlier this year, Security Fix criticized Apple for making iPhone users wait for security updates that Apple had fixed in its other products four months earlier. Now, it appears that iPhone users may have received a patch for a critical security hole four months before Apple fixed the flaw in its other products.
Taking a look at the vulnerability summary from the update Apple released last week to fix critical vulnerabilities in Mac and Windows versions of its Safari browser, we can see that Apple corrected a serious flaw in WebKit, the rendering engine used by Safari on Mac OS X, Windows and the iPhone:
WebKit
CVE-ID: CVE-2008-2303
Available for: Mac OS X v10.4.11, Mac OS X v10.5.5, Windows XP or Vista
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A signedness issue in Safari's handling of JavaScript array indices may result in an out-of-bounds memory access. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript array indices. Credit to SkyLined of Google for reporting this issue.
It looks like Apple fixed this same vulnerability in the iPhone's version of Safari back in July, when it shipped its 2.0 version of the iPhone's software. From that vulnerability advisory:
Safari
CVE-ID: CVE-2008-2303
Available for: iPhone v1.0 through v1.1.4,
iPod touch v1.1 through v1.1.4
Impact: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Description: A signedness issue in Safari's handling of JavaScript array indices may result in an out-of-bounds memory access. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue by performing additional validation of JavaScript array indices. Credit to SkyLined of Google for reporting this issue.
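The advisory's one-line description, "a signedness issue in ... handling of JavaScript array indices," names a bug class that is easy to reproduce in miniature. The block below is an added illustration, not WebKit code and not Apple's fix: it models an engine's array backing store with a small C array and places the flawed bounds check (a signed index compared only against the upper bound, so a negative index passes) beside the hardened form (reject negatives, then compare as unsigned). The array contents and the probe indices are constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example: a four-element array standing in for an engine's
 * backing store. The values are arbitrary. */
static const int store[4] = {10, 20, 30, 40};
static const size_t store_len = sizeof store / sizeof store[0];

/* Flawed check of the kind the advisory describes: the index is signed,
 * the length is cast to match it, and only the upper bound is tested.
 * A negative index satisfies "index < length" and would address memory
 * before the start of the array. */
bool index_ok_flawed(int index, size_t length)
{
    return index < (int)length;
}

/* Hardened check: reject negative indices explicitly, then compare the
 * non-negative index against the length as two unsigned values. */
bool index_ok_fixed(int index, size_t length)
{
    if (index < 0)
        return false;
    return (size_t)index < length;
}

/* Accessor built on the hardened check. Returns the stored value, or
 * `fallback` without touching memory when the index is out of range. */
int store_value_or(int index, int fallback)
{
    if (!index_ok_fixed(index, store_len))
        return fallback;
    return store[index];
}

int main(void)
{
    /* Probes: two in range, one past the end, one negative. */
    const int probes[] = {0, 3, 4, -1};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int idx = probes[i];
        printf("index %2d: flawed check %s, fixed check %s",
               idx,
               index_ok_flawed(idx, store_len) ? "passes" : "rejects",
               index_ok_fixed(idx, store_len) ? "passes" : "rejects");
        if (index_ok_fixed(idx, store_len))
            printf(" (value %d)", store_value_or(idx, -1));
        printf("\n");
    }
    return 0;
}
```

Running it shows the flawed check accepting index -1 while rejecting index 4; the fixed check rejects both. The two-step form (sign test, then unsigned compare) is the shape most compilers and static analysers expect, and it avoids the silent int/size_t conversion that makes the flawed version look correct at a glance.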
Apple hasn't responded to a request for comment. It's possible that Apple's security team failed to realize the problem reported by Google was not limited to Safari but extended also to WebKit. Still, it seems odd that Apple would not check for that possibility back when this was first reported. If I were a bad guy looking for a way to attack Safari users, I would have definitely been interested in that July advisory.
Update, 1:20 p.m. ET: Looks like this was just an anomaly. Apple today released version 2.2 of the iPhone software, and a number of the security updates included in it were fixed months ago in security updates for other software.
CVE-2008-2321 - Fixed Aug. 1 in Security Update 2008-005
CVE-2008-2327 - Fixed Sept. 15 in Security Update 2008-006
CVE-2008-4211 - Fixed Oct. 9 in Security Update 2008-007
Posted by Brian Krebs | Permalink
| Comments (1)
Posted at 02:03 PM ET, 11/20/2008
Web Fraud 2.0: Faking Your Internet Address
One of the casualties from the unplugging of McColo Corp. is fraudcrew.com, a Web service that offered paying customers the ability to hide their identities online by routing their traffic through computers controlled by others.
Fraudcrew, which has not been charged with any crime, offered subscribers a point-and-click way to mask the source of their Internet connections, so that Web sites could not tell the true location of visitors using the service. The site was advertised heavily on Russian online forums catering to computer hacking and identity theft.
There are a number of services like those offered by Fraudcrew (Security Fix profiled another one earlier this year) that not only aid in hiding one's identity online, but could also defeat security measures put in place by financial institutions. Many online banks will check to see whether the customer's Internet address is coming from a location already associated with the customer's user name and password, or at least from a geographic location that is close to where the customer lives.
These masking services provide a software program that allows the user to pick from a drop-down list of Internet addresses to proxy through. For example, if a user in Ukraine has stolen the user name and password that Joe from St. Louis uses to access his bank online, that user can simply select a node in the proxy list that's in St. Louis, and the bank site will be none the wiser that the person logging in is not actually in St. Louis.
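The two paragraphs above describe a control (compare the login address's location with where the customer lives) and why a location-matched proxy node defeats it. The block below is an added example, not code from any bank or from Fraudcrew: it implements the location check and then adds the second signal a defender would want, a list of address blocks known to belong to anonymising proxy services, so that a login whose geolocation matches but whose address sits in such a block is flagged rather than accepted. The IP-to-city table, the proxy block list and the customer profile are all constructed for the example (documentation address ranges, not real geolocation data).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One address block with a label. Used for both the constructed
 * geolocation table and the constructed proxy-exit list. */
struct ip_block { uint32_t net; unsigned prefix; const char *label; };

/* Constructed geolocation table (documentation ranges, not real data). */
static const struct ip_block geo_table[] = {
    {0xC6336400u, 24, "St. Louis"},  /* 198.51.100.0/24 */
    {0xCB007100u, 24, "Kyiv"},       /* 203.0.113.0/24  */
    {0xC0000200u, 24, "St. Louis"},  /* 192.0.2.0/24    */
};

/* Constructed list of blocks attributed to anonymising proxy services.
 * A bank would feed this from a commercial or in-house reputation source. */
static const struct ip_block proxy_blocks[] = {
    {0xC0000200u, 24, "proxy-service"}, /* 192.0.2.0/24 */
};

enum login_risk { RISK_LOW = 0, RISK_GEO_MISMATCH = 1, RISK_PROXY = 2 };

/* Parse dotted-quad IPv4 text; rejects out-of-range octets and trailing junk. */
static bool parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return false;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return false;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
    return true;
}

static bool in_block(uint32_t ip, const struct ip_block *blk)
{
    uint32_t mask = blk->prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - blk->prefix);
    return (ip & mask) == (blk->net & mask);
}

static const char *lookup_city(uint32_t ip)
{
    for (size_t i = 0; i < sizeof geo_table / sizeof geo_table[0]; i++)
        if (in_block(ip, &geo_table[i]))
            return geo_table[i].label;
    return NULL;
}

static bool is_known_proxy(uint32_t ip)
{
    for (size_t i = 0; i < sizeof proxy_blocks / sizeof proxy_blocks[0]; i++)
        if (in_block(ip, &proxy_blocks[i]))
            return true;
    return false;
}

/* The location-only check the article describes: accept when the login
 * address geolocates to the customer's home city. */
bool geo_only_accepts(const char *home_city, const char *ip_text)
{
    uint32_t ip;
    const char *city;
    if (!parse_ipv4(ip_text, &ip))
        return false;
    city = lookup_city(ip);
    return city != NULL && strcmp(city, home_city) == 0;
}

/* Layered assessment: location mismatch is one risk, a location-matched
 * address inside a known proxy block is a separate, higher one. */
enum login_risk assess_login(const char *home_city, const char *ip_text)
{
    uint32_t ip;
    if (!parse_ipv4(ip_text, &ip))
        return RISK_GEO_MISMATCH;   /* unparseable: treat as unknown location */
    if (!geo_only_accepts(home_city, ip_text))
        return RISK_GEO_MISMATCH;
    if (is_known_proxy(ip))
        return RISK_PROXY;
    return RISK_LOW;
}

int main(void)
{
    /* Constructed customer profile: Joe lives in St. Louis. */
    const char *home = "St. Louis";
    const char *attempts[] = {"198.51.100.7", "203.0.113.9", "192.0.2.5"};
    for (size_t i = 0; i < sizeof attempts / sizeof attempts[0]; i++)
        printf("%-14s geo-only: %s  layered risk: %d\n", attempts[i],
               geo_only_accepts(home, attempts[i]) ? "accept" : "reject",
               (int)assess_login(home, attempts[i]));
    return 0;
}
```

The third attempt is the case from the article: the address geolocates to St. Louis, so the location-only check accepts it, while the layered check returns RISK_PROXY because the block is on the proxy list. In practice a bank would treat that result as a step-up trigger (extra authentication or a fraud-team review) rather than a hard block, since proxy lists carry false positives.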
(I took this screen shot about a month ago, as I was visiting some of the more interesting properties hosted by McColo.)
While people have long used Web proxies to mask their real online location, these services allow the user to be much more specific, said Dave Marcus, director of security research and communications at McAfee AVERT Labs.
"Probably the day after the Internet came around is when people started looking at ways to scrub their real Internet address," Marcus said. "Although this type of technology isn't new, it's the first time I've seen it used like this for obviously criminal reasons."
Fraudcrew's homepage boasted that potential customers should not be put off by previous experiences with other proxy services, and that their solution is unique. From their commercial pitch:
We are glad to present to you our new project, which has been in development since 2005. It is not another clone of a proxy service where the first half of the proxies are low-speed dial-up users and the other half doesn't work at all. You will not deal with such a problem with the Fraud Crew - Proxy Service. We offer only high-speed proxies, an easy-to-use service, and complete, high-class anonymity.
Our software doesn't use any known public source code; it is completely unique. Our team members are not unknown people; we are well-experienced people and we know what we do.
Fraudcrew's operations came to a screeching halt on Tuesday, after its hosting provider -- McColo -- was taken offline following the publication of allegations by the security community that McColo was serving as a gateway to organizations engaged in spam activity. (McColo has not been charged with any crime, and has not responded to requests for comment.) But Fraudcrew's owners appeared to have a sizable customer base, so it is likely this service will resurface at another hosting provider at some point.
Posted by Brian Krebs | Permalink
| Comments (0)
Posted at 05:11 PM ET, 11/18/2008
So Much Spam From One Place?
Washingtonpost.com today published a follow-up story to the pieces we ran last week on the unplugging of a California Web hosting company and the subsequent worldwide drop in spam levels. Today's piece tries to answer the question we heard from so many readers: "How Can So Much Spam Come From One Place?"
Some of the less newsy but just as interesting stuff was cut from the piece for space and story flow reasons. One of those was a section on what security experts think the incident will mean for the evolution of botnet technology and its use by the bad guys:
Security experts worry that botnet creators will learn from the experience and make key changes to improve the security, stealth and resiliency of their herds. One of the largest and most advanced spam botnets ever designed, "Storm," was successful in large part due to its decentralized nature.
As the incident in my story demonstrates, botnets that have their control servers at a single hosting provider are at constant risk of being shut down, because that host or the host's Internet providers can always pull the plug. But Storm lacked this single point of failure in part because information relayed by the bot masters about new spam runs to execute or malicious software updates to install could be passed from one bot to the next, without the need for the bots to check in at a central server.
This type of peer-to-peer information sharing technology is not new, but it is still relatively rare to find in spam botnets. The development and public adoption of P2P technology first took off after the recording industry took on music swapping service Napster. Soon after legal pressure from the Recording Industry Association of America (RIAA) forced Napster offline in 2001, a host of P2P software titles and networks sprang up to fill the void, allowing users to share music, movies and files online without ever having to connect to a central server.
Then in January 2007, the Storm worm emerged and quickly became one of the largest botnets ever built, infecting millions of PCs almost overnight. The Storm worm used the "Overnet" protocol, a P2P communications medium that powered the popular Overnet and eDonkey music and file-trading networks.
In late 2006, the Web sites where users could download new copies of the file-trading software for both Overnet and eDonkey were forced offline, once again by RIAA. Yet, the Storm worm was able to continue using the Overnet communications language to pass new updates and communications among infected nodes, until its authors inexplicably allowed the botnet to fizzle out in September.
Adam O'Donnell, director of emerging technologies at Cloudmark, an e-mail security company in San Francisco, says the recording industry was directly responsible for the rapid evolution of P2P technology, and by extension the abuse of the technology by virus writers and spammers.
"The RIAA provided the evolutionary pressure for something that otherwise probably would have taken a lot longer to evolve," O'Donnell said. "If you want to see what the future of botnet command and control infrastructure is going to look like, it will probably be whatever the kids are using to trade music."
Vincent Weafer, director of development for Symantec Security Response, said the success of Storm, combined with so many criminal operations having been burned by the McColo takedown, strongly suggests botnets are going to continue adopting P2P technology.
"This incident will drive the botnet developers toward the continued use of peer-to-peer botnets, which are more resilient to any single point of failure," Weafer predicts.
Posted by Brian Krebs | Permalink
| Comments (5)
Posted at 12:14 PM ET, 11/18/2008
'Network Identity Theft' Politely Avenged
A massive swath of some 65,536 unique Internet addresses that appear to have been swiped from early Internet pioneers by a convicted spammer has been reclaimed by Internet regulators, Security Fix has learned.
In April, Security Fix reported that a huge block of Internet addresses once assigned to San Francisco Bay Packet Radio -- an organization that was involved way back in the 1970s in testing the predecessor to the global commercial Internet that we all use today -- was being used to send e-mail for a company called MediaBreakaway. That company's chief executive is Scott Richter -- a self-avowed "spam king" who has been sued by a number of the Internet's biggest players -- including Microsoft and Myspace -- for sending spam.
When I was first presented with this information, I put the relevant questions to the American Registry for Internet Numbers (ARIN) -- one of five regional Internet registries worldwide that is responsible for allocating IP addresses. At the time, the ARIN people were very interested in the information I was reporting, but very reluctant to comment about it.
It seems ARIN is still shy. In a posting on Monday to the North American Network Operators Group (NANOG) -- a mailing list frequented mostly by geeks who run ISPs -- ARIN's current chairman left this nugget:
Media Breakaway and ARIN have cooperatively reached an agreement whereby Media Breakaway will be returning to ARIN the legacy address space 134.17.0.0/16 originally issued to San Francisco (SF) Bay Packet Radio.
Media Breakaway will be returning this space upon completion of renumbering to a new IPv4 allocation made based on their qualification under existing policy. ARIN is grateful for Media Breakaway's cooperation in this matter.
Regards,
/John
John Curran
Chairman, ARIN Board of Trustees
Reached by cell phone shortly after his posting, Curran was reluctant to go into much more detail about the agreement, saying that nearly all of ARIN's dealings with any of its members are conducted under binding non-disclosure agreements on both parties.
Posted by Brian Krebs | Permalink
| Comments (2)
Posted at 10:33 PM ET, 11/16/2008
Critical Security Updates for Firefox, Safari
Apple and Mozilla have each issued updates to fix a large number of critical security flaws in their respective Safari and Firefox Web browsers. The Apple update, which brings Safari to version 3.2, is reportedly causing many users to experience frequent browser crashes.
According to an article Friday at MacFixIt, some of the problems seem related to several Safari plug-ins, including "Concierge" bookmarks manager, "PithHelmet" ad-blocking software, and "AcidSearch" search enhancement software.

Other problems with this update may be related to a new anti-phishing feature built into Safari 3.2 (Firefox and Microsoft's Internet Explorer have had this feature for more than two years now). MacFixIt and other forums suggest those having trouble with the Safari update should disable the phishing filter and see if that helps. If not, check to see if removing any installed add-ons fixes the problem.
While the Safari update fixes more flaws in the version built for Windows (all 11 flaws fixed in this bundle affect Windows vs. just four on the Mac version), I haven't yet seen any reports of major problems with the Windows flavor.

The Firefox patch is an overall "critical" update that corrects at least nine security holes in the browser. The update brings Firefox 3 users to 3.0.4, and Firefox 2 users to 2.0.0.18. It looks like Mozilla somehow skipped 2.0.0.17, and Mozilla has said that its last update for the 2.0 version would be 2.0.0.19, which is probably due out before the end of the year.
Posted by Brian Krebs | Permalink
| Comments (7)
Posted at 12:08 PM ET, 11/13/2008
A Closer Look at McColo
Yesterday, we published a story about Web hosting firm McColo being knocked offline after being accused by the computer security community of serving as a gateway to organizations engaged in spam activity.
In trying to get a sense of the activity attributed to McColo, I put together a flow chart, or mind map, showing McColo's relationship to various sites associated with botnet activity, spam, pharmacy domains, etc. I created the flow chart with the excellent and gratis FreeMind software. I've included a screen shot for those who don't have or want this software installed (click on the image to enlarge it).
For those who do have FreeMind installed, check out this file, which allows you to click any arrow in the graphic and view some of the source data for those citations. Others can view the source material at the end of this post.
The upper right-hand section of the graphic highlights the numeric Internet addresses assigned to McColo that experts, such as Joe Stewart, the director of malware research for Atlanta-based SecureWorks, say were used by some of the most active and notorious spam-spewing botnets -- agglomerations of millions of hacked PCs that were collectively responsible for sending more than 75 percent of the world's spam on any given day (for that sourcing, see the colorful pie chart below, which is Internet security firm Marshal.com's current view of the share of spam attributed to the top botnets -- again, click on it to enlarge). In the upper left corner of the flow chart are dozens of fake pharmacy domains that were hosted by McColo.
Bear in mind, this is by no means a comprehensive account of the sites and activity that experts say were funneled through this provider: I have redacted some of the data -- for example, the list of domains accused of hosting child pornography. Others, including additional domains allegedly offering fake anti-virus solutions, simply wouldn't fit on the map.
Additional Source Material:
Host Exploit: McColo Cyber Crime
Security Fix: Virtual Heist Nets 500,000+ Bank, Credit Accounts
Dancho Danchev: Fake Security Software, Part 9
Dancho Danchev: A Diverse Portfolio of Fake Security Software - Part Eleven
Robtex: McColo Corp. Autonomous System Report
Posted by Brian Krebs | Permalink
| Comments (22)
Posted at 01:07 PM ET, 11/12/2008
Spam Volumes Drop by Two-Thirds After Firm Goes Offline
The volume of junk e-mail sent worldwide plummeted on Tuesday after a Web hosting firm identified by the computer security community as a major host of organizations engaged in spam activity was taken offline. (Note: A link to the full story on McColo's demise is available here.)
Experts say the precipitous drop-off in spam comes from Internet providers unplugging McColo Corp., a hosting provider in Northern California that was the home base for machines responsible for coordinating the sending of roughly 75 percent of all spam each day.
In an alert sent out Wednesday morning, e-mail security firm IronPort said:
In the afternoon of Tuesday 11/11, IronPort saw a drop of almost 2/3 of overall spam volume, correlating with a drop in IronPort's SenderBase queries. While we investigated what we thought might be a technical problem, a major spam network, McColo Corp., was shutdown, as reported by The Washington Post on Tuesday evening.
Spamcop.net's graphic shows a similar decline, from about 40 spam e-mails per second to around ten per second -- if I'm reading that graphic correctly.
A number of other spam-fighters today reported a similar drop in junk e-mail volumes. I heard from a reader named Martin who works at a small hosting facility in Germany. He wrote in after noticing a lack of spam banging on his company's e-mail servers. He sent in this graphic and asked that we not use his full name or identify his employer.
Security Fix reader Ted wrote in to say his small Internet service provider also charted a massive collapse in spam volumes yesterday and into today. Ted, who also requested we use only his first name, writes:
Dear Mr. Krebs,
Thank you for your outstanding contribution to bringing down McColo Corp.
I can clearly see the impact you've had, by looking at the spam graph of the small ISP which hosts the web site [omitted] for me:
The daily 15 minute graph reports the rate of spam over a 29 hour period. Time is UTC. As I write, it is about 12:00 UTC, and detected spam is arriving at less than half the rate of the same time yesterday.
The world saw a similar -- if short-lived -- drop in spam volumes in September, following the demise of Intercage, a.k.a. "Atrivo," another Northern California based ISP that security experts identified as a major source of badness online. In that case, it only took the spammers a few days to find a new home. It seems likely that the same will happen in this case as well, and that this minor victory will be short but sweet.
Nilesh Bhandari, product manager with IronPort, said the company sees an average of about 190 billion spam e-mails each day. Then, at around 4:30 p.m. ET yesterday, IronPort saw a huge decline in spam levels. For the 24 hour period ending Tuesday, the company tracked about 112 billion spam messages.
Bhandari said he expects the spam volume to recover to normal levels in about a week, as the spam operations that were previously hosted at McColo move to a new home.
"We're seeing a slow recovery," Bhandari said. "We fully expect this to recover completely, and to go into the highest ever spam period during the upcoming holiday season."
Posted by Brian Krebs | Permalink
| Comments (13)
Posted at 07:06 PM ET, 11/11/2008
Major Source of Online Scams and Spams Knocked Offline
A U.S. based Web hosting firm that security experts say was responsible for facilitating more than 75 percent of the junk e-mail blasted out each day globally has been knocked offline following reports from Security Fix on evidence gathered about suspicious activity emanating from the network.
For the past four months, Security Fix has been gathering data from the security industry about McColo Corp., a San Jose, Calif., based Web hosting service whose client list experts say includes some of the most disreputable cyber-criminal gangs in business today.
On Monday, Security Fix contacted the Internet providers that manage more than 90 percent of the company's connection to the larger Internet, sending them information about badness at McColo as documented by the security industry.
On Tuesday afternoon, I heard back from Global Crossing, one of McColo's major Internet providers. Their spokesman declined to discuss the matter, except to say that Global Crossing communicates and cooperates fully with law enforcement, their peers, and security researchers to address malicious activity.
Two hours later, I heard from Benny Ng, director of marketing for Hurricane Electric, the Fremont, Calif., company that was the other major Internet provider for McColo.
Hurricane Electric took a much stronger public stance: "We shut them down," Ng said.
"We looked into it a bit, saw the size and scope of the problem you were reporting and said 'Holy cow!' Within the hour we had terminated all of our connections to them."
As of this writing, McColo's Web site is no longer available. In fact, I pinged no fewer than three different researchers who have tracked activity at McColo for many months: None could find a single Internet address assigned to the hosting provider that was still reachable.
Officials from McColo did not respond to multiple e-mails, phone calls and instant messages left at the contact points listed on the company's Web site before the site was taken offline.
There's more to come with details about this story later tonight or early tomorrow, but I wanted to get this post published before we got scooped on our own story.
Posted by Brian Krebs | Permalink
| Comments (58)
Posted at 05:46 PM ET, 11/11/2008
Pharmacy Processor Offers $1M Reward to ID Extortionists
Express Scripts, the nation's third largest pharmacy benefits management company, is offering a $1 million reward for information leading to the arrest and conviction of the individual(s) responsible for trying to extort money from the company.
The St. Louis-based firm said last week that in early October it received a letter that included the names, birth dates, Social Security numbers and in some cases prescription data on employees from 75 of its customers. The authors also threatened to expose millions of consumer records if the company declined to pay up, Express Scripts said. Express Scripts handles roughly 500 million prescriptions a year for about 50 million Americans.
Since the company has said it has no intention of paying the ransom, the attackers appear to be trying new tactics. Express Scripts said the extortionists have now moved on to directly contacting companies who use their services, by sending letters to the companies, which include personal and medical information of their employees.
Express Scripts spokesman Stephen Littlejohn said the company is still working with the FBI to track down the extortionists, but that there were no new leads to report. He said the new round of extortion demands targeted a "small number of clients and some members for each of those clients," but he declined to disclose how many.
Express Scripts is among the largest pharmacy benefit management firms, which process and pay prescription drug claims. While it doesn't interact with consumers directly, the company's name is printed on prescription cards of health care plans that use its services.
The company has set up a Web site where consumers can go to learn more about the incidents. In announcing the reward today, Express Scripts also said it had contracted with Kroll Fraud Solutions, a New York based risk consulting group, to offer consumers free identity restoration services if they become victims of identity theft as a result of these attacks.
Anyone with information about the extortionists can reach the FBI at 800-CALL-FBI.
Posted by Brian Krebs | Permalink
| Comments (1)
Posted at 02:34 PM ET, 11/11/2008
Microsoft Patches Four Windows Security Holes
Microsoft today released a pair of security updates to plug at least four security holes in its Windows operating systems and other software. The software patches are available through Windows Update or via Automatic Updates.
One of the patches earned Microsoft's most dire "critical" rating, while the other carries the less severe "important" label. Microsoft assigns a critical rating to vulnerabilities that hackers can exploit to break into vulnerable systems without any help from the victim. Important updates address flaws that usually require the victim to help the exploit along in some key way.
The critical update involves at least three flaws in a key component of Windows called Microsoft XML Core Services. This vulnerability is present in every supported version of Windows, as well as certain versions of Office. The second patch addresses an important flaw in the Microsoft Server Message Block (SMB), a component of Windows used to provide shared access to files, printers, and other communications over a network.
Microsoft says two out of four of the vulnerabilities fixed by these updates were publicly disclosed prior to today, so criminals may already have a head start in figuring out how to exploit them.
As always, please leave a note in the comments section below if you experience any problems after installing these updates.
As it does every Patch Tuesday, Microsoft also updated its "malicious software removal tool," which runs in the background looking for some of the most common strains of malware found on Windows PCs. This month's update includes Win32/Gimmiv, the malware first spotted last month that took advantage of a security hole for which Microsoft recently issued an emergency patch.
Posted by Brian Krebs | Permalink
| Comments (0)