Dear Gmailer: I know what you read last summer (and last night and today)

The widespread takeaway from today's announcement that Google will start caching all remotely hosted images sent to Gmail users was that the move will hinder e-mail marketers and other nosy senders by preventing them from seeing recipients' personal information. But less reported was this: the move also promises marketers—and, indeed, other types of shady senders—a major silver lining.

That's because of two ways Google has gone about implementing the change. First, Gmail will begin displaying Web-based images by default, reversing the years-long practice of automatically hiding them unless a user clicks a button. And second, according to preliminary tests, the Google server that temporarily stores the image contacts the Web address where the image is hosted only after a user opens the message. And sometimes Google servers request the image each time the message is opened. That means for the first time in years, Gmail by default will allow senders who embed a unique image address in each message they send to know which ones are ignored, which ones are opened, and how many times they are viewed.

Rapid7 Chief Research Officer HD Moore sent several Gmail messages that contained Web-based images hosted on servers he controlled. Then he monitored the URLs of the images to see what happened. Each time, Google servers didn't download the images until after he opened the Gmail message and viewed the remote content. As Google promised Thursday morning, the new cached delivery system is safer and more secure, mainly because Web requests to view remote images are no longer made by the end-user computer. Having Google servers make the request instead prevents the image host from being able to see the receiver's IP address, browser version, or other system information.
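
An added example, not part of the original article or of Moore's test: it replays a constructed image-host access log to show what a sender's server still learns under proxied delivery (which message was opened, when, and how often) and what it no longer learns (the reader's IP address and browser). The log lines, tokens, addresses and the `GoogleImageProxy` user-agent substring used to recognise proxied fetches are assumptions made for illustration.

```python
import re

# Constructed access-log lines for an image host; every value is made up.
# 192.0.2.0/24 and 198.51.100.0/24 are documentation-only address ranges.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Dec/2013:09:14:02 +0000] "GET /img/a1f3.png HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/25.0"
192.0.2.10 - - [12/Dec/2013:10:01:44 +0000] "GET /img/b7c9.png HTTP/1.1" 200 43 "-" "Mozilla/5.0 (via ggpht.com GoogleImageProxy)"
192.0.2.11 - - [12/Dec/2013:21:30:05 +0000] "GET /img/b7c9.png HTTP/1.1" 200 43 "-" "Mozilla/5.0 (via ggpht.com GoogleImageProxy)"
"""

# Assumption: one unique image name per message, recorded at send time.
SENT = {"a1f3": "alice@example.com", "b7c9": "bob@example.com",
        "c2d8": "carol@example.com"}

LINE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET /img/(\w+)\.png [^"]*" '
    r'\d+ \d+ "[^"]*" "([^"]*)"$'
)
PROXY_MARKER = "GoogleImageProxy"  # assumption: marks fetches made by the cache


def sender_view(log_text, sent):
    """Return, per message token, what the image host can infer from its log."""
    view = {tok: {"recipient": rcpt, "opens": [], "client_ips": set(),
                  "client_uas": set()} for tok, rcpt in sent.items()}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(3) not in view:
            continue  # not one of the per-message image URLs
        ip, ts, tok, ua = m.groups()
        entry = view[tok]
        entry["opens"].append(ts)  # open time leaks either way
        if PROXY_MARKER not in ua:
            # Direct fetch: the reader's own address and browser are exposed.
            entry["client_ips"].add(ip)
            entry["client_uas"].add(ua)
    return view


if __name__ == "__main__":
    for tok, e in sender_view(SAMPLE_LOG, SENT).items():
        exposed = ", ".join(sorted(e["client_ips"])) or "none"
        print(f'{e["recipient"]}: opens={len(e["opens"])} '
              f'times={e["opens"]} reader IPs exposed={exposed}')
```

The proxied message still yields two timestamped opens, while only the directly fetched one gives up an address and browser string; keeping remote images off by default is what removes the open signal as well.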


Product Coverage and Mitigation for CVE-2013-5065

On November 27, Microsoft published Security Advisory 2914486, which covers an elevation of privilege vulnerability in certain versions of Windows XP and Windows Server 2003.

The flaw lies in the NDProxy component of the Windows kernel. Exploitation requires that an attacker holds local login credentials.

This threat is currently being exploited in limited and targeted attacks. Functional exploitation and malware artifacts have been identified in the wild.



Microsoft has provided a workaround to address this issue. Details are available at:

McAfee Labs
The following McAfee products/content provide coverage:

McAfee Vulnerability Manager
    McAfee MVM/FSL Content Release of 11/28/2013
McAfee Antivirus
    Coverage is provided in the 7276 DATs, released on 12/1/2013
    Name: Exploit-CVE2013-5065


Further reading

Analyzing the Recent Windows Zero-Day Escalation of Privilege Exploit