
New malware poses as Windows Genuine Advantage Validation Notification

A new piece of very nasty malware has been recently discovered on spyware help forums, first here and again here. The file name is wgavn.exe and it creates a service named “Windows Genuine Advantage Validation Notification”, as seen in this line in the HijackThis log.

O23 – Service: Windows Genuine Advantage Validation Notification (wgavn) – Unknown owner – C:\WINDOWS\system32\wgavn.exe

Suzi tested it on her virtual machine running XP Pro, totally unpatched. On execution, wgavn.exe creates a folder, C:\Windows\etc\, that contains a file named services.exe. Wgavn.exe copies itself to the \System32\ folder as shown in the HijackThis line above.

On her virtual machine, it disabled the following: WinPatrol, an anti-spyware program, a third party firewall, VMware Tools, VMware User Process, and VPCUserServices by changing the values of the Run keys in HKEY_LOCAL_MACHINE. Another researcher reported it disabled the Windows firewall and System Restore.

Wgavn.exe immediately attempted to contact several different IP addresses. The ISP is being notified in an attempt to investigate these sites and IPs. At this time, it’s unknown how the two users who posted the HijackThis logs got infected with this. The sample has been submitted to anti-malware vendors but as of earlier today was poorly detected. Kaspersky is now detecting it as Backdoor.Win32.IRCBot.st, and another AV at VirusTotal detected it as Backdoor.Win32.IRCBot.BV.
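The O23 line quoted above carries the three traits that make the wgavn entry stand out in a HijackThis log: no publisher, a Windows-sounding display name, and a standalone binary in System32. The script below is an added example (not code from the original post or from HijackThis itself) that parses O23 lines and applies those heuristics; the sample log is constructed, with the first line being the one quoted in the post.

```python
"""Triage the O23 (service) lines of a HijackThis log.

Added example, not code from the original post or from HijackThis itself:
it parses O23 lines and flags entries that share the traits of the wgavn
entry above. The sample log is constructed; the first line is the one
quoted in the post.
"""
import re

# HijackThis writes: O23 - Service: <display name> (<short name>) - <owner> - <path>
# The separator is accepted as "-" or an en dash, since copied logs often carry the latter.
O23_RE = re.compile(
    r"^O23\s*[-\u2013]\s*Service:\s*(?P<display>.+?)\s*\((?P<short>[^()]+)\)\s*[-\u2013]\s*"
    r"(?P<owner>.+?)\s*[-\u2013]\s*(?P<path>.+?)\s*$"
)

# Words that legitimate Windows components use in service names; a binary
# from an unknown publisher borrowing them is a classic impersonation sign.
IMPERSONATION_WORDS = ("windows", "microsoft", "genuine", "security", "update")

# Hosts that legitimately run many services out of System32.
SHARED_HOSTS = ("svchost.exe", "services.exe", "lsass.exe", "spoolsv.exe")

# Constructed sample log: first line is the entry quoted in the post.
SAMPLE_LOG = """\
O23 - Service: Windows Genuine Advantage Validation Notification (wgavn) - Unknown owner - C:\\WINDOWS\\system32\\wgavn.exe
O23 - Service: Automatic Updates (wuauserv) - Microsoft Corporation - C:\\WINDOWS\\system32\\svchost.exe
O23 - Service: VMware Tools Service (VMTools) - VMware, Inc. - C:\\Program Files\\VMware\\VMware Tools\\VMwareService.exe
O4 - HKLM\\..\\Run: [WinPatrol] C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\winpatrol.exe
"""


def parse_o23(log_text):
    """Return one dict (display, short, owner, path) per O23 line; other sections are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            entries.append({k: v.strip() for k, v in m.groupdict().items()})
    return entries


def service_flags(entry):
    """Heuristic warning signs for one parsed entry; an empty list means nothing stood out."""
    flags = []
    owner = entry["owner"].lower()
    path = entry["path"].lower()
    display = entry["display"].lower()
    if owner == "unknown owner" or "(file missing)" in path:
        flags.append("no publisher recorded for the service binary")
    if any(w in display for w in IMPERSONATION_WORDS) and "microsoft" not in owner:
        flags.append("Windows-sounding display name without a Microsoft owner")
    if "\\system32\\" in path and not path.endswith(SHARED_HOSTS):
        flags.append("standalone binary running from System32")
    return flags


def triage(log_text):
    """List (display name, flags) for every O23 entry that raised at least one flag."""
    result = []
    for entry in parse_o23(log_text):
        flags = service_flags(entry)
        if flags:
            result.append((entry["display"], flags))
    return result


if __name__ == "__main__":
    for name, flags in triage(SAMPLE_LOG):
        print(name)
        for f in flags:
            print("  -", f)
```

The flags are triage hints, not verdicts: many legitimate third-party services also show "Unknown owner", so an entry that raises only the first flag still needs the binary looked at, while one that raises all three (as wgavn does) deserves immediate attention.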

Thanks to Suzi Turner for her post about it.

June 30, 2006 on 6:27 am | In Malware | No Comments |


OpenOffice.org fixes three security vulnerabilities

OpenOffice.org 2.0.3 fixes three security vulnerabilities that were found through internal security audits. Although there are currently no known exploits, they urge all users of 2.0.x prior to 2.0.2 to upgrade to the new version or install their vendor’s patches accordingly. Patches for users of OpenOffice.org 1.1.5 will be available shortly.

The three vulnerabilities involve:

  • Java Applets, CVE-2006-2199
    It is possible for some Java applets to break out of the secure “sandbox” in which they are normally constrained. The applet code could potentially have access to the entire system with whatever privileges the current user has.

    A workaround is provided to temporarily disable support for Java applets. Instructions are provided for both 1.1.x and 2.0.x.

  • Macro, CVE-2006-2198
    A flaw in the macro mechanism could allow an attacker to include certain macros that would be executed even if the user has disabled document macros. Such macros could potentially have access to the entire system with whatever privileges the current user has. There is no workaround for this issue.

  • File Format, CVE-2006-3117
    A flaw in the parsing of the XML file formats allows for possible buffer overflows in specially malformed documents. The buffer overflow can crash the OpenOffice.org application and might be exploitable for arbitrary code execution. There is no workaround for this issue.

Update OpenOffice now.

June 30, 2006 on 5:04 am | In Exploits & Vulnerabilities | No Comments |


SMS text messages used to spread malware/keylogger

CA has received reports of Win32/Bambo.CF being distributed via SMS text messages sent to mobile phones, enticing people to visit a malicious website. The messages may contain the following:

Thanks for subscribing to *****.com dating service. If you don’t unsubscribe you will be charged $2 per day.

The text message then directs the recipient to visit a website in order to unsubscribe from the service and avoid being charged. This website contains a fake dating service page, which entices users to enter their phone number, at which point it attempts to load an executable file called “unregister.exe”. The web page instructs users to click the “Run” button on each warning page that Windows displays, to allow the program to execute. If the program is run, it installs the Win32/Bambo.CF trojan.

Please see below for examples of fake dating service pages displayed by the malicious website.

[image: bambo malware]

Anyone loading the webpage and following the instructions in the message will pick up the trojan, which CA has named Win32/Bambo.CF. The keylogger looks for passwords and other information which it sends via emails and perhaps through other means.

Thanks to CA SecurityAdvisor.

June 27, 2006 on 4:50 am | In Malware, Trojan | No Comments |


Found new rogue antispyware – AdwareFinder

Found new rogue antispyware – AdwareFinder.

The program claims it detects and destroys spyware, yet it is part of engagemarketing(dot)com which is being bundled via Dollarrevenue.

[image: adware finder]

URL: www(dot)adwarefinder(dot)com/AdwareFinder_download(dot)html

Thanks to Sunbeltblog.

June 26, 2006 on 11:35 pm | In Rogue Anti Spyware | No Comments |


Mailbot family found using hidden ADS streams to hide itself

F-Secure reported on the Mailbot family, which uses hidden streams to hide itself.

Let’s take Mailbot.AZ (aka Rustock.A) as an example.

Mailbot.AZ is a kernel-mode rootkit that modifies the kernel to hide its presence on the compromised system. It contains an encrypted payload that will be executed in the context of a process named “services.exe”. The payload is a Spamtool with backdoor capabilities.

There’s only a single component lying on the disk, and that is a kernel-mode driver. It’s stored as a hidden data stream attached to the system32 folder (yes, folders can have data streams as well)! Saving data into Alternate Data Streams is usually enough to hide from many tools. However, in this case, the stream is further hidden using rootkit techniques, which makes detection and removal quite challenging. Because Mailbot.AZ is hiding something that’s not readily visible, it’s very likely that many security products will have a tough time dealing with this one.

F-Secure has just released a new version of its BlackLight rootkit scanner (Build 2.2.1041) that can detect current variants of Mailbot.

To remove the infection, perform the following steps:

  • Reboot your system using the Windows Recovery Console (using your Windows installation CD – click on the hyperlink for details).
  • Copy a non-executable file from the Windows directory over the Alternate Data Stream.

For example, run the following command:

    copy c:\windows\win.ini c:\windows\system32:18467

Please note that the copy command will report failure, but the malicious file has actually been truncated to zero length.

June 23, 2006 on 9:21 am | In Rootkit | No Comments |


New worm disables Security Software

Sunbeltblog reported on a new World Cup Soccer worm. The worm arrives as an e-mail attachment with one of the following subjects and message bodies:

Subjects:

1. Soccer fans killed five teens
2. Crazy soccer fans
3. Please reply me Tomas
4. My tricks for you
5. Naked World Cup game set
6. My sister whores, shit i dont know

Message Bodies:

1. Soccer fans killed five teens, watch what they make on photos. Please report on this all who know.
2. Crazy soccer fans killed two teens, watch what they make on photos. Please report on this all who know.
3. I wait your photos from New York. I sent my pics where i naked for you. Please reply me. Linda Salivan
4. Nudists are organising their own tribute to the world cup, by staging their own nude soccer game, though it is not clear how the teams will tell each other apart. Good photos ;)
5. Emily Carr was an artist know for her prudery, but now the Portrait Gallery of Canada has aquired a nude self-portrait. View photos.

Upon execution, the worm copies itself to the following location:

%Sysdir%\msctools.exe

Attempts to download additional malware:

http://couple{removed}.com/tumbs/dianaimg.exe

The worm also attempts to disable the following processes:

AVP32.EXE, AVPCC.EXE, AVPM.EXE, AVP.EXE, iamapp.exe, iamserv.exe, FRW.EXE, blackice.exe, blackd.exe, zonealarm.exe, vsmon.exe, VSHWIN32.EXE, VSECOMR.EXE, WEBSCANX.EXE, AVCONSOLE.EXE, VSSTAT.EXE, OUTPOST.EXE, REGEDIT.EXE, NETSTAT.EXE, TASKMGR.EXE, MSCONFIG.EXE, NAVAPW32.EXE, UPDATE.EXE, msctools.exe

June 20, 2006 on 7:41 pm | In Worms | 2 Comments |


Another rogue antispyware app for your blacklist – Trust Cleaner

Bleepingcomputer blog and Sunbelt blog reported on the rogue antispyware Trust Cleaner. At first glance, this rogue anti-spyware application works the same way as the other ones that have been released lately, like SpyFalcon and SpywareQuake: it uses trojans to display fake warnings that act as a goad to make you purchase the full commercial version of its software.

After the malware is installed, the rogue anti-spyware program Trust Cleaner is set to start automatically when your computer starts. It then scans your computer for supposed spyware and malware and displays a list of the items found. It is quite funny, though, as it finds its own components and labels them as spyware, as shown in the image below.

[image: trust cleaner]

After install, Trust Cleaner changes your Internet Explorer homepage to an HTML page that is loaded from a file on your local computer called C:\Windows\local.html. This page generates a home page that looks strikingly like Google. In fact, it states at the bottom of the page that it is powered by Google. In reality, though, this page uses results from the site www.mswindowssearch.com and not from Google.

Trust Cleaner uses these addresses; block them now:

mswindowssearch. com
trustcleaner. com
trustinbar. com
813aw0nr01jsxfj374ca. com
adelinatech. com
adsforsite. com
azebar. com
blablablablablablablablabla. com
fandl. net
finditanyway. com
globosoft. info
googlecaches. com
trustclicks. com
trustincash. com
trustincontextual. com
trustinpopups. com
trustinsearch. com

If you can’t uninstall or remove it, ask for help on the Spyware Removal Forum.

June 16, 2006 on 9:42 am | In Rogue Anti Spyware | No Comments |


Found new vulnerability in Microsoft Excel

ISC and Microsoft reported a new vulnerability in Microsoft Excel. An exploit that uses the vulnerability to install malware has also been found.

Symantec can now detect this attack.

Trojan.Mdropper.J is a Trojan horse that drops Downloader.Booli.A on the compromised computer. It exploits an undocumented vulnerability in Microsoft Excel.

The Symantec website also reports … Downloader.Booli.A may arrive on the compromised computer, dropped by Trojan.Mdropper.J, with the following name: %System%\svc.exe

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

When Downloader.Booli.A is executed, it performs the following actions:

  • Attempts to run Internet Explorer and inject its code into Internet Explorer to potentially bypass firewalls.
  • Attempts to download a file from the following location: [http://]210.6.90.153:7890/svcho[REMOVED]
  • Saves the file as the following and if the download was successful, executes the file: c:\temp.exe
  • Creates an empty file before exiting: c:\bool.ini

We now recommend using the same defenses as for the latest Microsoft Word vulnerability: How to block Microsoft Word vulnerability, recommended defenses.

June 16, 2006 on 8:49 am | In Exploits & Vulnerabilities | No Comments |


Update your systems

Microsoft released twelve updates addressing various issues yesterday. There are several for different flavors of Windows and IE, and others for Word (MS06-027), PowerPoint (MS06-028), and Media Player 10 (MS06-024). The patch for Word fixes an issue that was found in May.

Update soon. ISC reported on newly released exploits for these vulnerabilities.

Here is a quick list of what has been seen so far:

  • MS06-024: Windows Media Player. Exploit released by a penetration testing vendor to its customers.
  • MS06-025: RRAS. Exploit released by a penetration testing vendor to its customers.
  • MS06-027: Word remote code execution. Exploit available before release of the patch.
  • MS06-030: SMB privilege escalation. Two exploits released to the public.
  • MS06-032: IP source routing. DoS exploits released privately (trivial exploit).

Download the updates for your home computer or laptop from the Microsoft Update Web site now.

June 14, 2006 on 6:37 pm | In Critical patch | No Comments |


CleanCache – Clean Internet Explorer, Mozilla, Firefox, Opera and most Internet Explorer shells

CleanCache 3.0 is a free (for 1 – 2 systems), very powerful Internet Explorer 6.0, Mozilla, Netscape, Firefox and Windows 2000/XP cleaner.

Continue reading CleanCache – Clean Internet Explorer, Mozilla, Firefox, Opera and most Internet Explorer shells…

June 13, 2006 on 7:39 am | In Free Software | No Comments |


Automatic removal of Titan Shield

Good news: a few days ago Titan Shield signatures were added to SmitfraudFix.

[HKEY_CURRENT_USER\Software\ADV] (Soon removed with SpywareSheriff)

%USERPROFILE%\Application Data\Microsoft\Internet Explorer\Quick Launch\TitanShield Antispyware.lnk
%USERPROFILE%\Local Settings\Application Data\TitanShield\*.*
%STARTMENU%\Programs\TitanShield Antispyware\*.*
%STARTMENU%\Programmes\StartUp\titanshield.lnk
%DESKTOP%\TitanShield Antispyware.lnk
%PROGRAMFILES%\TitanShield Antispyware\*.*

If you have problems with TitanShield, download and try smitfraudfix.

June 13, 2006 on 3:31 am | In Spyware protection and removal, Tips | No Comments |


Phishing scam and fake address bar

Viruslist blog reported on an interesting piece of JavaScript.

This script runs maximized in the browser and presents the user with a window which looks like this:

[image: fake address bar]

As you can see, there is an Address field in the window which says “https://www.paypal.com/us”, but it is not the real browser address editbox! It’s a special field inside the Java applet which makes it look like it’s part of the browser window. Do note the real website address, as displayed by Opera – www.skycar.net.cn, in the blue bar. However, users who aren’t too careful about entering their PayPal data on websites might well be fooled.

Interestingly, Firefox doesn’t fall for this “trick” – it shows the fake “address bar” for a short time, then it hides it.

June 12, 2006 on 10:47 pm | In Phishing | No Comments |


How to remove antispywarebox hijacker

Symptoms:

Fake security warnings pop up in the bottom right of the screen. Examples:
“Your computer is working slowly!”
“Alert! You are receiving spam!”
“Warning! Your security and privacy are at risk!”
“You computer is not protected against spyware!”
“Danger! Spyware activity detected on your computer!”
“Alert! A minimum of 7 spyware items found!”

Internet Explorer opens to about:blank and displays a Windows Security Center (remove spyware alert) page whose link directs to http://www[dot]antispywarebox[dot]com/index2.php?aff=0&wd=C:/WINDOWS

To fix your problems, follow these steps:

Download HijackThis and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Download CCleaner. Double click on the file to install it.
Download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Next, Download, install, and update the free version of Ewido security suite:

1. When installing, under “Additional Options” uncheck “Install background guard” and “Install scan via context menu”.
2. Run Ewido.
3. From the main ewido screen, click on update in the left menu, then click the Start update button.
4. Wait until the update finishes (the status bar at the bottom will display “Update successful”).
5. Exit Ewido. DO NOT scan yet.

Next, please reboot your computer in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd. Press the number 2 on your keyboard and then press the Enter key to choose the option Clean (safe mode recommended).

You will be prompted : “Registry cleaning – Do you want to clean the registry ?“; answer “Yes” by typing Y and press “Enter” in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer “Yes” by typing Y and press “Enter”.

The tool may need to restart your computer to finish the cleaning process; if it doesn’t, please restart it into Normal Windows.

Reboot your computer again in Safe Mode by doing the following:

1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the first option, to run Windows in Safe Mode.

Start HijackThis.

Click “Do a system scan only.” and put a checkmark next to the following items:

O2 – BHO: (no name) – {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} – (no file)

Now close all browser and other windows except for HijackThis, and click “Fix Checked” to have HijackThis fix the entries you checked.

Run Ewido

1. Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
2. If Ewido finds anything, it will pop up a notification. Please select “clean” and check the boxes “Perform action with all infections” and “Create encrypted backup” before clicking on OK.
3. When the scan finishes, click on “Save Report“. This will create a text file. Make sure you know where to find this file again.

Run CCleaner.

Click the Analyze button. After it scans your system, click Run Cleaner.

Restart your computer in normal mode.

Run the Panda online virus scan.

- Once you are on the Panda site click the Scan your PC button
- A new window will open…click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

If you still have problems after that, please post a new HijackThis log, the Ewido log and the Panda ActiveScan log to the Spyware Removal Forum.

June 12, 2006 on 10:09 pm | In Tutorials - HowTo | No Comments |


Found new rogue antispyware – Titan Shield

Found new rogue antispyware – Titan Shield.

[image: titan shield]

Available at antispywarebox(dot)com (a new rogue site) and titanshield(dot)com

If you can’t uninstall or remove it, ask for help on the Spyware Removal Forum.

June 12, 2006 on 9:49 pm | In Rogue Anti Spyware | No Comments |


Analyze it

ISC reader Robert detected one of his systems trying to connect to port 25 on various servers around the world. As this immediately screams: spam bot, Robert decided to analyze the box further.

He captured some packets and found an interesting binary that he submitted to ISC for analysis.

After analyzing this binary, they discovered a malware pyramid. So, this is what’s happening:

extdrvr.exe is the spam bot that Robert detected. This malware is particularly nasty as, at the moment, just one of the 26 anti-virus programs on VirusTotal finds it suspicious.
When executed, the spam bot connects to spm.freecj.com and asks for the list of e-mail addresses to send spam to, together with the e-mail body. Immediately after this is downloaded, it will try sending the spam.

But that’s not all. The malware also downloads other Trojan downloaders which, in turn, download other stuff.

First downloader that the main spam bot downloads is http://69.31.46.144/[REMOVED]/d1.html. This downloader will in turn download a pretty nasty dialer (so, making money *is* behind all this), from a well known malware network (that some of you probably already filtered): http://85.255.114.166/[REMOVED].exe.
The dialer will make itself persistent across reboots and will make services RasMan and TapiSrv automatically start at boot.
The dialer will also get the number it should call from http://216.80.7.64/[REMOVED]/getnumtemp.asp?nip=0.

If this wasn’t enough, prepare for more. The dialer will now download another downloader (are we getting lost in all this?), http://207.226.177.110/[REMOVED].

Back to the spam bot. What’s interesting is that it will download and replace the machine’s hosts file. Big deal, we’ve seen that a million times. Besides all the standard AV vendors’ web sites and Microsoft Windows Update, the newly downloaded hosts file also prevents the user from visiting about 50 .biz sites well known for spreading malware (for example, www.iframebiz.biz, www.toolbarbiz.biz, etc.).

As always, learning lessons is the most important part of handling incidents. Anti-virus obviously doesn’t do much for you when the malware is not detected. Monitoring your outgoing traffic, even in the absence of an IDS, could do the trick. Looking for spikes in outgoing email is a good way to detect unexpected spam bots such as these. Use the Windows built-in firewall or another free (or paid) one (see my Free Programs category). Also use Hosts Secure to block and manage the HOSTS file.
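The hosts file shows up twice on this page: the spam bot above rewrites it to keep the victim away from AV vendors and Windows Update, and the Trust Cleaner post earlier lists domains a defender would want to sinkhole in it. The script below is an added example (not code from either post, and not Hosts Secure) that audits a hosts file for redirected security domains and generates block entries from a defanged domain list. The sample hosts file and the protected-domain list are constructed; the Trust Cleaner domains are the ones from that post.

```python
"""Audit a Windows HOSTS file for tampering and produce block entries.

Added example, not code from the posts above or from Hosts Secure. The
sample hosts file and PROTECTED_SUFFIXES are constructed for the demo;
TRUST_CLEANER_DOMAINS are the addresses listed in the Trust Cleaner post.
"""
import ipaddress

# Domains a legitimate hosts file should never redirect (constructed list).
PROTECTED_SUFFIXES = (
    "windowsupdate.com", "update.microsoft.com", "symantec.com",
    "kaspersky.com", "f-secure.com", "mcafee.com", "trendmicro.com",
)


def normalize(domain):
    """Undo the defanging used in write-ups ("trustcleaner. com", "site(dot)com")."""
    return domain.replace("(dot)", ".").replace(" ", "").lower()


# Rogue-software domains from the Trust Cleaner post, as the post defangs them.
TRUST_CLEANER_DOMAINS = [normalize(d) for d in (
    "mswindowssearch. com", "trustcleaner. com", "trustinbar. com",
    "813aw0nr01jsxfj374ca. com", "adelinatech. com", "adsforsite. com",
    "azebar. com", "blablablablablablablablabla. com", "fandl. net",
    "finditanyway. com", "globosoft. info", "googlecaches. com",
    "trustclicks. com", "trustincash. com", "trustincontextual. com",
    "trustinpopups. com", "trustinsearch. com",
)]

# Constructed hosts file resembling the one the spam bot installed.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       www.iframebiz.biz
127.0.0.1       www.toolbarbiz.biz
127.0.0.1       windowsupdate.com
127.0.0.1       liveupdate.symantec.com
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments, blank and malformed lines are skipped."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: not a hosts entry
        for host in fields[1:]:
            pairs.append((fields[0], host.lower()))
    return pairs


def tampered_entries(text):
    """Hosts entries that redirect a protected security or update domain."""
    hits = []
    for ip, host in parse_hosts(text):
        if host == "localhost":
            continue
        if any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES):
            hits.append((ip, host))
    return hits


def blocklist_lines(domains, sinkhole="0.0.0.0"):
    """Build hosts entries that sinkhole each domain and its www. form."""
    lines = []
    for d in map(normalize, domains):
        lines.append(f"{sinkhole} {d}")
        if not d.startswith("www."):
            lines.append(f"{sinkhole} www.{d}")
    return lines


def missing_blocks(text, domains):
    """Domains from the list that the hosts file does not yet sinkhole."""
    present = {host for _, host in parse_hosts(text)}
    return [d for d in map(normalize, domains) if d not in present]


if __name__ == "__main__":
    for ip, host in tampered_entries(SAMPLE_HOSTS):
        print(f"TAMPERED: {host} -> {ip}")
    for line in blocklist_lines(missing_blocks(SAMPLE_HOSTS, TRUST_CLEANER_DOMAINS)):
        print(line)
```

Run it against a copy of %SystemRoot%\system32\drivers\etc\hosts taken from the suspect machine; any hit from tampered_entries means the file was replaced and should be restored before attempting online updates or scans.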

June 8, 2006 on 7:34 am | In Spyware protection and removal, Tips | No Comments |


More fake codecs – nvidcodec, media-codec

Found a new fake codec, nvidcodec. The codec is a malicious program that delivers popup advertisements and hijacks search engine results. Some AV vendors detect the codec as Trojan.Downloader.Zlob.
Continue reading More fake codecs – nvidcodec, media-codec…

June 6, 2006 on 9:22 pm | In Malware, Trojan | No Comments |


Pornmagpass – free pass to get popups, rogue antispyware, toolbar.

Sunbeltblog reported on new adware, pornmagpass. It is detected by some AV engines as a trojan:

AVG – Downloader.Zlob.AOI
ClamAV – Trojan.Downloader.Zlob-471
EtrustVet – Win32/Beovens.FT
Fortinet – suspicious
Ikarus – Trojan-Downloader.Win32.Zlob.ni

The EULA says:

SOFTWARE INSTALLATION: Components bundled with our software may report to Licensor and/or its affiliates the installation status of certain marketing offers, such as toolbars, and also generalized installation information, such as language preference and operating system version, to assist Licensor in its product development. No personal information will be communicated to PORNMAGPASS or its affiliates during this process. Licensor may change homepage on user’s computer and may offer additional components through our version of checking/update system. These components include: toolbar, popup ads manager, advertisements messenger, pc protection software, shortcuts manager.

Once run, this trojan installs the rogue antispyware SpywareQuake and adds a new IE toolbar called “Safety Bar”.

As a final note, the pornmagpass malware site is hosted by Intercage, the Best Friend Ever of all malware authors.

Read more: PornMagPass — your pass to hell

June 6, 2006 on 7:31 pm | In Trojan | No Comments |


Wanna download free movies? STOP!!! ADWARE!!!

Are you interested in downloadable movie clips? Many people answer “YES” :)

But along with free movies you can also get adware and spyware for free!

SpywareGuide did a small piece of research:

While googling for some popular video albums, I came across a forum that holds many articles and download links based on the users’ interests. More than ten thousand members are sharing their articles and download links in this forum. Many of these are what you might call spicy material. I suddenly paused when I found a fellow who was posting many adult video clips. Most of the download links are from Rapidshare.

He received two download links, which hold the same video clips, and the Rapidshare link was selected. The clip was downloaded and played using Windows Media Player. It suddenly began acquiring a license rather than opening the media. Netpeeker showed Windows Media Player making contact with ysbwebcom to install IST Adware products – makers of http://www.slotch.com/, http://www.xxxtoolbar.com/, AzeSearch, DLSearchBar, ISTbar, PowerScan, Sidefind, Slotchbar, xxxtoolbar, YourSiteBar.

They did not allow viewing the video without installing the IST adware.

The EULA was last updated on May 4, 2006, which is a very recent move by Integrated Search Technologies to distribute their advertisements. People can also check out EULA Analyzer to help analyze agreements.

Users will need to agree to a license that enables the installation of several applications. These include ISTbar, SlotchBar, YourSitebar and Xxxtoolbar. This is just to view one movie!

They may also install third-party adware products like Internet Optimizer and SurfAccuracy.

The lesson here is that free often carries a steeper price tag than you might think; the trade-offs are often hidden. Think before you click and ask yourself: is downloading several applications that will throw pop-up ads, make trade-offs in your privacy, and slow down your computer worth the video you are about to download? Also consider that you will have to endure this software long after the video is gone.

June 5, 2006 on 10:22 am | In Tips | No Comments |


A popular way to push exploits to your PC

Hidden IFrame elements continue to be a popular way for targeting website visitors. After breaking into a server, the attacker modifies its HTML code, using a hidden IFrame tag to retrieve exploit code from another system. Maintainers of the compromised website typically don’t know that they are infecting their visitors for quite some time.

ISC reader Glenn Jarvis reported about a website that installs a malicious executable in the temporary folder of the victim’s system. A look at the source code of the website’s top page revealed a tiny IFrame tag that retrieved another page from a remote server. The size of the in-line frame is 1 pixel by 1 pixel, so it is not visible to the visitor of the site unless the person looks at the source code.

The remote server’s index.html file contained JavaScript code that attempted to exploit a recent Internet Explorer vulnerability to download, install, and run a malicious executable on the website visitor’s computer. The executable was recognized by about half of anti-virus tools as a spyware trojan, and was assigned names such as Downloader-ASQ, TR/Spy.Small.EE.2, Win32/SillyDL.2fy, Trojan.Spy.Win32.Small, and Downloader.

The exploit itself targeted a vulnerability that was patched in the update to Internet Explorer that Microsoft released on April 11, 2006. Microsoft Security Bulletin MS06-014 briefly describes the problem:

Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562). A remote code execution vulnerability exists in the RDS.Dataspace ActiveX control that is provided as part of the ActiveX Data Objects (ADO) and that is distributed in MDAC. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Cumulative Security Update for Internet Explorer (912812), which was also released on April 11th, according to Microsoft Security Bulletin MS06-013, strengthens security settings for the Internet zone on Internet Explorer. These settings render the exploit ineffective even if the potential victim did not apply the 911562 patch referenced above. The cumulative update sets the following settings to Disable:

  • Initialize and script ActiveX controls not marked as safe for scripting
  • Access data sources across domains

The exploit we observed operates by instantiating a series of objects, including Microsoft.XMLHTTP, Adodb.Stream, and WScript.Shell. When looking for correlating activities related to this exploit, we came across web forum discussions that suggest that this exploit existed as early as April 26th, two weeks after the release of Microsoft’s patch.
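A site owner can look for the pattern described above without a browser: an IFrame that is effectively invisible (1x1 or hidden by CSS) and pulls content from another host, and a second-stage page whose script instantiates the objects named in the diary. The scanner below is an added example, not code from the ISC diary or from this post; both sample pages are constructed, and 203.0.113.5 is a documentation address standing in for the remote server.

```python
"""Scan HTML for the hidden-IFrame drive-by pattern described above.

Added example; not code from the ISC diary or from the post. It reports
IFrames that are effectively invisible (1x1 or hidden by CSS) and load from
another host, and inline scripts that instantiate the COM objects the post
names. Both sample pages are constructed; 203.0.113.5 is a documentation address.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# ProgIDs the post names as used by the exploit, plus the RDS control from MS06-014.
SUSPECT_OBJECTS = ("microsoft.xmlhttp", "adodb.stream", "wscript.shell", "rds.dataspace")
OBJECT_RE = re.compile(r"""(?:ActiveXObject|CreateObject)\s*\(\s*["']([^"']+)["']""", re.I)


def _px(value):
    """'1', '1px', ' 1 ' -> 1; missing or non-numeric -> None."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class DriveByScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.hidden_iframes = []   # (src, [reasons])
        self.script_objects = []   # ProgIDs instantiated in inline scripts
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            src = a.get("src") or ""
            host = (urlparse(src).hostname or self.page_host).lower()
            w, h = _px(a.get("width")), _px(a.get("height"))
            style = (a.get("style") or "").replace(" ", "").lower()
            reasons = []
            if w is not None and h is not None and w <= 1 and h <= 1:
                reasons.append("1x1 size")
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden by CSS")
            # An invisible frame that loads a different host is the pattern worth a look.
            if reasons and host != self.page_host:
                self.hidden_iframes.append((src, reasons + ["off-site source"]))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            for progid in OBJECT_RE.findall(data):
                if progid.lower() in SUSPECT_OBJECTS:
                    self.script_objects.append(progid)


def scan(html, page_host):
    """Return (hidden off-site iframes, suspect ProgIDs) for a page served by page_host."""
    scanner = DriveByScanner(page_host)
    scanner.feed(html)
    scanner.close()
    return scanner.hidden_iframes, scanner.script_objects


# Constructed: a compromised site's top page with a visible ad frame and a 1x1 injected frame.
SAMPLE_TOP_PAGE = """\
<html><body>
<h1>Welcome</h1>
<iframe src="http://www.example.com/banner" width="300" height="250"></iframe>
<iframe src="http://203.0.113.5/index.html" width="1" height="1" frameborder="0"></iframe>
</body></html>
"""

# Constructed: the kind of object instantiation a second-stage page carries.
SAMPLE_STAGE_PAGE = """\
<html><body><script type="text/javascript">
var req = new ActiveXObject("Microsoft.XMLHTTP");
var st = new ActiveXObject("Adodb.Stream");
var sh = new ActiveXObject("WScript.Shell");
</script></body></html>
"""

if __name__ == "__main__":
    frames, _ = scan(SAMPLE_TOP_PAGE, "www.example.com")
    for src, reasons in frames:
        print("hidden off-site iframe:", src, reasons)
    print("suspect objects:", scan(SAMPLE_STAGE_PAGE, "203.0.113.5")[1])
```

The second check only sees inline, unobfuscated script, which is exactly what the diary observed; pages that build the ProgID strings at runtime will slip past it, so treat a clean result as "nothing obvious" rather than "clean".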

To protect your PC:

If you can’t install the Cumulative Security Update for Internet Explorer (912812), do the following: run Internet Explorer, click Tools, choose Internet Options…, click the Security tab, click the Custom Level button, set “Initialize and script ActiveX controls not marked as safe for scripting” to Disable, set “Access data sources across domains” to Disable, click OK, then click OK again.
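To verify the two settings above across several machines rather than clicking through the dialog on each, the check below reads an export of the Internet zone key and reports which setting is not at Disable. It is an added example, not from the original post; the value names 1201 and 1406 are the Internet Explorer security-zone action IDs for these two settings (with 0, 1 and 3 encoding Enable, Prompt and Disable), and the sample export is constructed.

```python
"""Check the Internet-zone ActiveX settings that the MS06-013 update hardens.

Added example, not from the original post. It reads a Registry export of
the Internet zone (zone 3) and reports which of the two settings named above
is not at "Disable". Value names 1201 and 1406 are the Internet Explorer
security-zone action IDs for those settings; 0/1/3 encode Enable/Prompt/Disable.
The sample export is constructed.
"""
ZONE_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

CHECKS = {
    "1201": "Initialize and script ActiveX controls not marked as safe for scripting",
    "1406": "Access data sources across domains",
}
STATE = {0: "Enable", 1: "Prompt", 3: "Disable"}

# Constructed export: the first setting is still at Prompt, the second is already Disabled.
SAMPLE_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3]
"DisplayName"="Internet"
"1201"=dword:00000001
"1406"=dword:00000003
"""


def parse_zone_export(text):
    """Return {value name: int} for DWORD values under the Internet zone key only."""
    values, in_zone = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_zone = line[1:-1].lower() == ZONE_KEY.lower()
        elif in_zone and line.startswith('"') and "=dword:" in line:
            name, _, hexval = line.partition("=dword:")
            values[name.strip('"')] = int(hexval, 16)
    return values


def weak_settings(text):
    """Map each checked setting that is not Disabled to its current state."""
    values = parse_zone_export(text)
    weak = {}
    for value_id, description in CHECKS.items():
        state = values.get(value_id)
        if state is None:
            weak[description] = "not present in export"
        elif state != 3:
            weak[description] = STATE.get(state, f"unknown ({state})")
    return weak


if __name__ == "__main__":
    for description, state in weak_settings(SAMPLE_EXPORT).items():
        print(f"{description}: {state} (should be Disable)")
```

The export is produced with `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg`; reg writes the file as UTF-16, so open it with encoding="utf-16" before passing its text to weak_settings. A value that is absent from the export means the zone is using its built-in default for that action, which the script reports rather than guesses.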

For more protection, read the howto: How to drop rights for safe surf

June 5, 2006 on 7:40 am | In Spyware protection and removal, Tips | No Comments |


Firefox and Thunderbird updated

Versions 1.5.0.4 of both Thunderbird and Firefox were released by the Mozilla Corporation.

Fixed in Firefox 1.5.0.4:

MFSA 2006-43 Privilege escalation using addSelectionListener
MFSA 2006-42 Web site XSS using BOM on UTF-8 pages
MFSA 2006-41 File stealing by changing input type (variant)
MFSA 2006-39 “View Image” local resource linking (Windows)
MFSA 2006-38 Buffer overflow in crypto.signText()
MFSA 2006-37 Remote compromise via content-defined setter on object prototypes
MFSA 2006-36 PLUGINSPAGE privileged JavaScript execution 2
MFSA 2006-35 Privilege escalation through XUL persist
MFSA 2006-34 XSS viewing javascript: frames or images from context menu
MFSA 2006-33 HTTP response smuggling
MFSA 2006-32 Fixes for crashes with potential memory corruption
MFSA 2006-31 EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)

Fixed in Thunderbird 1.5.0.4:

MFSA 2006-42 Web site XSS using BOM on UTF-8 pages
MFSA 2006-40 Double-free on malformed VCard
MFSA 2006-38 Buffer overflow in crypto.signText()
MFSA 2006-37 Remote compromise via content-defined setter on object prototypes
MFSA 2006-35 Privilege escalation through XUL persist
MFSA 2006-33 HTTP response smuggling
MFSA 2006-32 Fixes for crashes with potential memory corruption
MFSA 2006-31 EvalInSandbox escape (Proxy Autoconfig, Greasemonkey)

To auto-update Firefox and Thunderbird, click Help -> Check for Updates…

June 1, 2006 on 8:29 pm | In Updates | No Comments |




My Anti Spyware - Free antispyware programs and Spyware Removal Instructions.