Apple finally issues patch for "critical" Java vulnerability
By jacqui@arstechnica.com (Jacqui Cheng) on vulnerability
Apple has finally issued a patch for a critical Java vulnerability in Mac OS X that made headlines last month. The update comes as part of Java for Mac OS X 10.5 Update 4, a 158MB download from both Apple's website and Software Update and requires Mac OS X 10.5.7.
According to Apple, the update "delivers improved reliability, security, and compatibility for Java SE 6, J2SE 5.0 and J2SE 1.4.2." This includes one vulnerability related to de-serializing certain Java objects, which could result in arbitrary code running outside of the JVM's sandbox with the same privileges as the current user. It was reported to Sun in August 2008, and in December 2008 Sun disclosed the vulnerability and issued a patch. Despite recent security updates from Apple, however, researchers blasted Apple for not having patched the vulnerability in Mac OS X yet.
Article: 'Setting the appropriate security defect handling expectations in development and QA
By Robert A. on Vulns
I have just published the following article on handling application security defects (vulnerabilities) in development and QA. "If you've worked in information security you've likely had to report a security defect to development in an effort to remediate the issue. Depending on your organization and its culture this can be a...
3 Top Issues in Information Security
By Rik Ferguson on patches
1 – Lack of awareness, both at a corporate level and at an end user level. I am always banging on about a company’s most effective security tool being education, and it’s true. Organisations need to make sure they understand the threat as it really is today, not as they think it is. They need to [...]
Researchers Build Anonymous, Browser-Based 'Darknet'
Black Hat USA presentation will demonstrate how the latest browser technology makes underground, private Internet communities simpler to form, more secretive
Apple Swats Old Java Bug
In Vulnerability Research
Apple got around to plugging a security hole in Java for Mac that left users open to attack.
Navy wants proposals on cyber research
The Office of Naval Research said today it plans to award more than $14.5 million for research on software engineering, networks, social networks and critical infrastructures.
Official: Gates still considering cyber command
A new Defense Department cyber command would not lead to a military takeover of cyberspace, says Deputy Defense Secretary William Lynn.
The limits of a cyber czar
The cybersecurity coordinator needs support from the White House to to the job effectively.
DHS resists security clearance improvements
The inspector general recommended several ways for DHS officials to improve the security clearance process, but agency leaders have objected.
Pointers
As open-source boosters soak up the positive signals they hear from new federal CIO Vivek Kundra, it’s worth noting how much the open-source world has – and has not – changed in the past few years.
DOD cyber command won't militarize cyberspace
Deputy Defense Secretary William Lynn III stressed the need for cooperation between the Pentagon’s new cyber command and the organizations with primary responsibility for the .gov and private-sector domains.
Wisen up to handheld security
As the use of handheld devices in government has vastly expanded during the past eight years, so have the security risks. Agencies need to know the risks and take steps to protect sensitive data and communications.
Homeland Security keeps cybersecurity role
The Homeland Security Department's proposed budget for fiscal 2010 and recent public statements show the Obama administration's new cybersecurity strategy isn't cutting out DHS.
Sensitive information protection remains tough
The government is exploring policy and technology solutions to improve the way it shares sensitive but unclassified terrorism-related information with state, local and industry officials.
Senate bill would loosen IT requirements under Real ID
Senators introduced a bill today that would loosen some information technology requirements under the REAL ID law.
Apple Fixes Java Security Hole
The flaw could have allowed a Java applet to execute malicious code on affected Macs, potentially leading to information theft or a compromised system.
Twitter Security Heating Up In July
In an effort to raise awareness of browser security flaws, one researcher wants to post a vulnerability every day that shows the soft underside of the Fail Whale.
China's Green Dam Software May Pose Legal Risk To U.S. Computer Makers
A research report indicates that the Web-filtering software mandated by the Chinese government contains unauthorized, proprietary code from a Green Dam competitor.
Lawmaker: Power Grid Vulnerable To Cyberattack
Hackers could bring down electrical grids serving entire regions of the U.S., leaving homes and businesses dark for months, Congressman says.
Lawmaker: Power Grid Vulnerable To Cyberattack
Hackers could bring down electrical grids serving entire regions of the U.S., leaving homes and businesses dark for months, Congressman says.
China 'Green Dam' Censorware Called Security Risk
Chinese authorities claim the software is necessary to protect people from pornography, but the software has been found to block politically sensitive terms.
DDOS Is Not The Most Political Way to Protest
By Pedro Bueno on Malware Research
So, Iran had elections this weekend. Some people don’t agree with the results. As consequence, some people are organizing DDoS attacks against Iranian websites, more precisely: http://www.leader.ir/ http://president.ir/ http://www.irib.ir/ http://www.iribnews.ir/ and some specific URLs on those domains. No guys, that’s not the right path, and as it is a malicious activity, we are detecting the tools being distributed to create this [...]
Real ID opposition sparks revisions to national driver's license standard
Widespread opposition to a 2005 bill designed to create a national standard for driver's licenses has prompted a revised version of the bill that no longer contains its most controversial provisions.
With unrest in Iran, cyber-attacks begin
An apparently ad-hoc cyber protest against the results of recent Iranian elections has knocked key Web sites off-line.
Apple Java update fixes security hole
Apple on Monday released Java for Mac OS X 10.5 Update 4 and Java for Mac OS X 10.4 Release 9, two updates that "deliver improved reliability, security and compatibility." Both are available through the Software Update system preference, or for download from Apple's Web site.
Microsoft Issues Record 31 Patches for Bugs in Windows, IE, Office Apps
Microsoft last week issued 10 security updates that patched a record 31 vulnerabilities -- 18 marked "critical" -- in Windows, Internet Explorer, Excel, Word, Windows Search and other programs.
Open Government Could Lead to Data Leaks
The Obama administration's goal of making government data more open and accessible is elevating the need for standardized data classification and information management approaches across federal agencies, security experts say.
Lawmakers Fear White House Cybersecurity Czar Would Undercut DHS Role
Just days after President Obama announced his plan to appoint a new White House cybersecurity coordinator, lawmakers questioned the impact the move might have on the Department of Homeland Security's role.
Universities Cope with New Anti-Piracy Requirement
David Reis, director of IT security and policy at Thomas Jefferson University in Philadelphia, has been on what he calls a "nine-month journey" to figure out exactly how he's going to make sure his school doesn't break the law --even though they were never in trouble in the first place
GP surgery loses thousands of unencrypted patient records
A GP surgery in London has lost the details of 7,000 patients after burglars stole an external hard drive and backup tapes.
A Safe That Looks Like a Calculator
Safe Calculator is a neat little utility that pretends to be the basic Window calculator when you launch it. In actuality, it's a safe that can take a single file and encrypt it, disappearing it into the application itself. This tiny, free utility would be useful on the go or when sharing a public computer, when you need to write something down and then hide it.
Security spending down in Asia-Pac
According to research firm Frost & Sullivan, the size of the Asia-Pacific network security market has dropped two-thirds in comparison to 2008's stellar figures.
Working with consultants
When the client and consultant are discussing problems and how the consultant could help, both parties must be conscious that a consultant always has two allegiances: to the manager hiring her and to the firm employing the manager.
UK E-Crime unit busts online iTunes, Amazon music scam
An international fraud ring, in which a gang allegedly made thousands of pounds downloading its own records from iTunes and Amazon with stolen credit cards has been cracked by the Metropolitan e-Crime Unit and the FBI, the Met claimed.
UK.gov to create central cybersecurity agency
A job for Jim Hacker
Secret operations currently carried out by parts of the intelligence and security services will be centralised in Whitehall as part of an ongoing major review of cybersecurity, according to a report.…
Drive-by Blackouting ?, (Mon, Jun 15th)
Talk about critical infrastructure protection. ...(more)...
Security pros find corporate firewall rules tough to navigate
By Eric Ogren
Tweaking rules could result in disrupting business communications or opening a hole for unauthorized traffic. Firewall management tools ease the burden.
Twitter Security in Spotlight with Month of Twitter Bugs
Security researcher Aviv Raff is launching a Month of Twitter Bugs in July to call attention to security issues affecting the microblogging service. As part of the initiative, Raff says he will publish a new third-party Twitter service vulnerability every day.
- A security researcher has painted a bull's eye on Twitter starting July 1 in the quot;Month of Twitter Bugs. quot; The project is a spin on the quot;Month of Browser Bugs quot; initiative launched in July 2006. Three years later, Israeli security researcher Aviv Raff who also participated in...
Apple's Mac Isn't as Secure as Some Want Us to Believe
NEWS ANALYSIS: Mac OS X is widely considered the most secure operating system around. But is it really as secure as Apple and its supporters want us to believe?
- Apple and its supporters want everyone to know that Mac OS X is a secure operating system that easily bests Microsoft's Windows platform. They contend that because Mac OS X hasn't had nearly the number of security outbreaks that Windows has, it's more secure. And some contend that Mac OS X do...
Chinese Web Filtering Plans Come Under Attack
The Chinese government has ordered the makers of the Green Day Youth Escort Web filtering program to fix any software vulnerabilities. The Chinese government's plan to mandate that all PCs sold in the country include the software has come under fire from critics accusing the software's designers of stealing code from a U.S.-based vendor. Other critics have raised concerns about censorship.
- A Chinese company behind an Internet filtering program backed by the Chinese government is fighting back against critics as it looks to address reported software vulnerabilities. The company, Jinhui Computer System Engineering, has been accused of using pirated technology from U.S.-based Soli...
Re-evaluating IT Security
In this eWEEK podcast hosted by Mike Vizard, Sophos Chief Marketing Officer Rainer Gawlick talks about how the security landscape is changing in the face of new economic realities and more complicated threats.
- Audio Podcast Content....
Apple Patches Java Flaws, At Last
In New Patches
Apple on Monday shipped updates to plug more than two dozen security holes in its version of Java, including a particularly dangerous flaw that Java maker Sun patched back in early December. Last month, Security Fix and others took Apple to task for taking too long to fix Java vulnerabilities. In fact, I found that Apple patches Java flaws on average about six months after Sun had shipped its own updates to fix the same vulnerabilities. At least two different researchers even released proof-of-concept exploits to shame Apple into quickly fixing an easy-to-exploit vulnerability that potential attackers had known about for six months. This Java update appears to address most of the outstanding Java vulnerabilities. From looking at the common vulnerabilities and exposures (CVE) numbers attached to each of the flaws fixed by Apple's Java rollup, it looks like this update brings Mac OS X systems to the equivalent of
SB09-166: Vulnerability Summary for the Week of June 8, 2009
Vulnerability Summary for the Week of June 8, 2009
MS09-027 - Critical: Vulnerabilities in Microsoft Office Word Could Allow Remote Code Execution (969514)
Bulletin Severity Rating:Critical - This security update resolves two privately reported vulnerabilities that could allow remote code execution if a user opens a specially crafted Word file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Related Searches
on Ask.com
MS09-026 - Important: Vulnerability in RPC Could Allow Elevation of Privilege (970238)
Bulletin Severity Rating:Important - This security update resolves a publicly disclosed vulnerability in the Windows remote procedure call (RPC) facility where the RPC Marshalling Engine does not update its internal state appropriately. The vulnerability could allow an attacker to execute arbitrary code and take complete control of an affected system. Supported editions of Microsoft Windows are not delivered with any RPC servers or clients that are subject to exploitation of this vulnerability. In a default configuration, users could not be attacked by exploitation of this vulnerability. However, the vulnerability is present in the Microsoft Windows RPC runtime and could affect third-party RPC applications.
Related Searches
on Ask.com
MS09-025 - Important: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege (968537)
Bulletin Severity Rating:Important - This security update resolves two publicly disclosed and two privately reported vulnerabilities in the Windows kernel that could allow elevation of privilege. An attacker who successfully exploited any of these vulnerabilities could execute arbitrary code and take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users.
Related Searches
on Ask.com
MS09-024 - Critical: Vulnerability in Microsoft Works Converters Could Allow Remote Code Execution (957632)
Bulletin Severity Rating:Critical - This security update resolves a privately reported vulnerability in the Microsoft Works converters. The vulnerability could allow remote code execution if a user opens a specially crafted Works file. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Related Searches
on Ask.com
MS09-023 - Moderate: Vulnerability in Windows Search Could Allow Information Disclosure (963093)
Bulletin Severity Rating:Moderate - This security update resolves a privately reported vulnerability in Windows Search. The vulnerability could allow information disclosure if a user performs a search that returns a specially crafted file as the first result or if the user previews a specially crafted file from the search results. By default, the Windows Search component is not installed on Microsoft Windows XP and Windows Server 2003. It is an optional component available for download. Windows Search installed on supported editions of Windows Vista and Windows Server 2008 is not affected by this vulnerability.
Related Searches
on Ask.com
MS09-022 - Critical: Vulnerabilities in Windows Print Spooler Could Allow Remote Code Execution (961501)
Bulletin Severity Rating:Critical - This security update resolves three privately reported vulnerabilities in Windows Print Spooler. The most severe vulnerability could allow remote code execution if an affected server received a specially crafted RPC request. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
Related Searches
on Ask.com
MS09-021 - Critical: Vulnerabilities in Microsoft Office Excel Could Allow Remote Code Execution (969462)
Bulletin Severity Rating:Critical - This security update resolves several privately reported vulnerabilities that could allow remote code execution if a user opens a specially crafted Excel file that includes a malformed record object. An attacker who successfully exploited any of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Related Searches
on Ask.com
MS09-020 - Important: Vulnerabilities in Internet Information Services (IIS) Could Allow Elevation of Privilege (970483)
Bulletin Severity Rating:Important - This security update resolves one publicly disclosed vulnerability and one privately reported vulnerability in Microsoft Internet Information Services (IIS). The vulnerabilities could allow elevation of privilege if an attacker sent a specially crafted HTTP request to a Web site that requires authentication. These vulnerabilities allow an attacker to bypass the IIS configuration that specifies which type of authentication is allowed, but not the file system-based access control list (ACL) check that verifies whether a file is accessible by a given user. Successful exploitation of these vulnerabilities would still restrict the attacker to the permissions granted to the anonymous user account by the file system ACLs.
Related Searches
on Ask.com
Microsoft Internet Information Services
MS09-019 - Critical: Cumulative Security Update for Internet Explorer (969897)
Bulletin Severity Rating:Critical - This security update resolves seven privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The more severe of the vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Related Searches
on Ask.com
MS09-018 - Critical: Vulnerabilities in Active Directory Could Allow Remote Code Execution (971055)
Bulletin Severity Rating:Critical - This security update resolves two privately reported vulnerabilities in implementations of Active Directory on Microsoft Windows 2000 Server and Windows Server 2003, and Active Directory Application Mode (ADAM) when installed on Windows XP Professional and Windows Server 2003. The more severe vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
Microsoft Security Bulletin Summary for June 2009
Revision Note: V1.1 (June 10, 2009): Corrected the rating and key notes for CVE-2009-1138 in the Exploitability Index.Summary: This bulletin summary lists security bulletins released for June 2009.
Cisco Security Center: IntelliShield Cyber Risk Report
June 8-14, 2009
Report Highlight: T-Mobile Data Extortion Attack
With Unrest in Iran, Cyber-attacks Begin
Iran,Activists have taken down key media and state Web sites in Iran, using denial of service attacks.
Apple Java Update Fixes Security Hole
Apple on Monday released Java for Mac OS X 10.5 Update 4 and Java for Mac OS X 10.4 Release 9, two updates that "deliver improved reliability, security and...
Tuesday June 16, 2009 - Google Alerts
"cyber security" | cyber security | information security | computer security
Gartner to outline security trends in upcoming Information ...
NetworkWorld.com - 15 hours ago
By Ellen Messmer , Network World , 06/15/2009 When it comes to information security, should companies be buying best-of-breed products from a number of ...
Green Dam Maker Ordered to Fix Security Holes
Wall Street Journal - 21 hours ago
“We are specialists in producing Internet filtering software rather than security,” Zhang said, according told the China Daily. Last week, researchers at ...
China says unpopular filtering software optional The Associated Press
Cracks appear in China's Green Dam Asia Times Online
China backs down over controversial censorship software guardian.co.uk
Apple Fixes Java Security Hole
InformationWeek - 13 hours ago
In a patch summary posted Monday, Apple states, "Java for Mac OS X 10.5 Update 4 delivers improved reliability, security, and compatibility for Java SE 6, ...
Apple Fixes Six-Month-Old Java Bug For Leopard, Tiger ChannelWeb
Apple finally patches musty old Java for Mac vulnerabilities ZDNet
Apple Issues Java Security Updates For OS X 10.4, 10.5 InformationWeek
Homeland Security keeps cybersecurity role
FCW.com - 21 hours ago
By Ben Bain President Barack Obama's decision to appoint a cybersecurity coordinator in the White House doesn't appear to be the Homeland Security ...
IG: DHS Intel folks need cyber education Nextgov
Lawmakers fear White House cybersecurity czar would undercut DHS role Computerworld
Oversight Challenges of DHS Intelligence HSToday
SYS-CON Media (press release) - Christian Science Monitor
Beware of the Information Security Inertia Syndrome
TechNewsWorld - 1 hour ago
His extensive background in computer security includes experience in forensics, application penetration testing, information security audit and secure ...
Add Data Security to the Menu
Restaurants & Institutions - Jun 15, 2009
Aside from performing background checks and hiring honest employees, restaurateurs need to establish an information security policy and ensure the systems ...
Ecommerce Know-How: Be Ready to Go Beyond PCI DSS Compliance Practical Ecommerce
AP IMPACT: Weak security enables credit card hacks The Associated Press
Credit Card Processors Fail To Ensure Security For Consumers RedOrbit
Business Wire (press release) - Las Vegas Sun
US, Mexico pledge increased border cooperation
Bizjournals.com - 12 hours ago
US Homeland Security Secretary Janet Napolitano signed an agreement Monday with Mexican Minister of Finance and Public Credit Agustín Carstens that promises ...
US may help train Mexican customs agents CNN
US and Mexico agree to improve customs The Associated Press
Secretary Napolitano and Mexican Finance Minister Agustín Carstens ... 7thSpace Interactive (press release)
Earthtimes (press release) - Bizjournals.com
Miami-Dade Metrorail security guard shot to death
MiamiHerald.com - 5 hours ago
BY JOSE PAGLIERY For much of his life, security guard Chevor Wint had trained for that one moment. The one where he'd stop the bad guys, save a life, ...
Security Guard Shot, Killed WPLG
Miami-Dade police investigate security guard shooting Sun-Sentinel.com
Murder Miami Style: Earlington Heights Metrorail Station Miami New Times
F5 Offers FIPS Security on Its Big-IP App Delivery Controller
eWeek - 20 hours ago
F5 Networks is enhancing the performance and security around SSL-encrypted data to meet the FIPS specifications. The move means that the F5 product is ...
F5 Networks Announces BIG-IP 6900 Application Delivery Controller TMCnet
F5's New BIG-IP Solution Enables Global Organisations to ... CIO Australia
F5 Helps Government, Financial, and Healthcare Customers Uphold ... MarketWatch
US Creates Military Cyber Command to Defend Computer Networks
Voice of America - 14 hours ago
That effort will be led by a Cyber Security Coordinator - a new position President Barack Obama says he will soon create at the White House. ...
Wanted: 10000 Security Experts Enterprise IT Planet
DOD sees clear lines of authority for cybersecurity Nextgov
Cybersecurity Poses 'Unprecedented Challenge' to National Security ... Australia.TO
Posts
No comments:
Post a Comment