Tuesday, July 21, 2009

Around The Horn vol.1,139

Firefox 3.5.1 released to patch TraceMonkey vulnerability

By segphault@arstechnica.com (Ryan Paul) on vulnerability

Mozilla has announced the availability of Firefox 3.5.1, the first minor point release in the 3.5 series. The purpose of this release was largely to patch a critical security vulnerability that was found in the browser's new TraceMonkey JavaScript engine.

Linux exploit gets around security barrier

By Tom Espiner

A security researcher has released zero-day code for a flaw in the Linux kernel, saying that it bypasses security protections in the operating system.

Adobe Offers Unpatched Version of Reader - But Don't Panic

In Vulnerability Research

Danish security firm Secunia issued an alert today that Adobe is pushing an out-of-date version of Adobe Reader to users through its Web site. But is it a false alarm?

Can Malware Help Erin Andrews?

In YouTube

ESPN reporter Erin Andrews got stung by a spy camera, but thanks to the work of an unexpected group of allies, malware scammers, she may get a small measure of justice.

Tweeters beware: All is not secure on the cyber front

Recent hacks of Twitter data and the misuse of the microblogging service for phishing and other malicious activities highlight the danger of adopting new technologies before they are business-ready.

FERC lays out priorities for Smart Grid standards

The Federal Energy Regulatory Commission said cybersecurity is among its priorities for standards being developed for the country's next-generation, technology-enabled electric grid.

Google Apps Contract In LA Hits Security Headwind

The City of Los Angeles faces worries about privacy and security as it considers moving to Google Apps.

Adobe Offering Insecure Reader Software

Plagued by a series of vulnerabilities in its Reader software, Adobe has been tightening its security. Yet the company hasn't gotten around to offering a secure version of Reader on its Web site.

Drivers Frown On Texting, Even As Practice Spreads

While 86% of study respondents support a ban on texting while driving, the incidence of drivers sending SMS messages increased by 40% in the past year.

A year after Terry Childs case, privileged user problem grows

One year after former network administrator Terry Childs made national headlines for locking up access to a crucial San Francisco city network, the issue of how to protect corporate systems against the very people who manage and administer them remains as thorny as ever.

McAfee getting more aggressive on cloud-based security

McAfee Monday said it intends to expand its security-as-a-service offerings in recognition that customers are opting more and more to adopt cloud-based deployments.

Could You be Hacked Like Twitter?

The French hacker who broke into Twitter's Google Apps account and stole more than 300 private company documents has revealed in detail how he did it. According to TechCrunch, the method the man who goes by the name Hacker Croll calls "cracking" involved no sophisticated exploit: he trolled the Web for publicly available information about Twitter employees and used it against the password-recovery features protecting their accounts.

IMPACT, ITU calls for borderless effort on cybersecurity

Concerted borderless cooperation is needed to tackle today's cyber-attacks, according to two international agencies, the International Multilateral Partnership Against Cyber Threats (IMPACT) and the International Telecommunication Union (ITU). The call came in response to recent reports of more than two dozen attacks against prominent government websites in South Korea and the US.

McAfee unveils cloud-based security

McAfee has taken the wraps off its Security-as-a-Service (SaaS) strategy, a comprehensive set of security products delivered as a service in the cloud.

Report: Hacker broke into Twitter e-mail with help from Hotmail

The hacker who stole confidential Twitter documents used a feature of Microsoft's Hotmail to hijack an employee's work e-mail account, according to TechCrunch, the site that published some of the Twitter documents.

Bug in Firefox 3.5.1 isn't exploitable, Mozilla says

A bug discovered in the latest version of Firefox is not exploitable, Mozilla said on Sunday, responding to reports of another vulnerability in the browser.

Mac OS X gets rootkit coding manual
Filling the void

Over the past decade, the world has seen advances in rootkits running on Windows and Unix operating systems that few would have thought possible. Now, it's Mac OS X's turn, as a security researcher plans to share a variety of techniques for developing the ultra-stealthy programs for the Apple platform.…

Researcher raids browser history for webmail login tokens
Point, click, and hijack

In a disclosure that has implications for the security of e-commerce and Web 2.0 sites everywhere, a researcher has perfected a technique for stealing unique identifiers used to prevent unauthorized access to email accounts and other private resources.…
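The Register item above does not spell out the researcher's technique, but the weakness it relies on is simple: a browser's history records full URLs, query string included, so any login or session token carried in a URL is recoverable by whoever can read or probe that history (the same token also leaks into proxy logs and Referer headers). The Python below is an added example, not code from the page or from the researcher. It audits a constructed set of history entries for secret-looking query parameters and shows how to move them out of the URL. The parameter-name list, the entropy threshold and the sample URLs are assumptions made for illustration.

```python
import math
import re
from collections import Counter
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names that usually carry a credential or session identifier (assumed list).
SECRET_NAME = re.compile(r"token|sess|sid|auth|secret|ticket|nonce|csrf|apikey|api_key", re.I)
ENTROPY_MIN_LEN = 16   # assumption: shorter values are ignored by the entropy heuristic
ENTROPY_BITS = 3.5     # assumption: bits per character above which a value looks random

# Constructed sample of what a browser history or proxy log might hold (not real data).
SAMPLE_HISTORY = [
    "https://mail.example.com/inbox?page=2",
    "https://mail.example.com/login?user=alice&token=Qx7pL2vN9kR4mT8wZ1bH5cJ3",
    "https://shop.example.com/cart?sid=8f2e1c7b9a0d4e6f5b3a1c2d",
    "https://news.example.com/search?q=firefox",
]


def shannon_entropy(value: str) -> float:
    """Bits per character; random tokens score high, words and page numbers score low."""
    if not value:
        return 0.0
    counts = Counter(value)
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def secret_reasons(name: str, value: str) -> list:
    """Why a query parameter looks like a secret; empty list means it looks harmless."""
    reasons = []
    if SECRET_NAME.search(name):
        reasons.append("secret-looking name")
    if len(value) >= ENTROPY_MIN_LEN and shannon_entropy(value) >= ENTROPY_BITS:
        reasons.append("high-entropy value")
    return reasons


def audit_urls(urls) -> list:
    """Every (url, param) pair whose query string carries something that should never
    be in a URL, because URLs are written to history, logs and Referer headers."""
    findings = []
    for url in urls:
        query = urlsplit(url).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            reasons = secret_reasons(name, value)
            if reasons:
                findings.append({"url": url, "param": name, "reasons": reasons})
    return findings


def strip_secret_params(url: str):
    """Returns the URL with secret-looking parameters removed, plus those parameters,
    which belong in a POST body, an Authorization header or a cookie instead."""
    parts = urlsplit(url)
    kept, moved = [], {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if secret_reasons(name, value):
            moved[name] = value
        else:
            kept.append((name, value))
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))
    return clean, moved


if __name__ == "__main__":
    for f in audit_urls(SAMPLE_HISTORY):
        print(f"{f['param']!r} in {f['url']}: {', '.join(f['reasons'])}")
        print("  safer:", strip_secret_params(f["url"])[0])
```

Run against the constructed history it flags the login token and the shopping-cart session id and leaves the page number and search term alone. The entropy heuristic exists because not every secret is helpfully named; tune the threshold against your own traffic before trusting it in a log pipeline.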

Digital Spy fights second malware attack
Oops we did it again

Celebrity and TV gossip website Digital Spy is investigating reports that its subscribers outside the UK have been exposed to malware. The latest reported outbreak follows an earlier malware infestation, later traced to tainted banner ads, that hit the site only six weeks ago.…

Anti-Sec spoof threatens s'kiddie mayhem
Interweb will be punked rather than pwned

Pranksters have latched onto Anti-Sec's quixotic crusade against full disclosure of security vulnerabilities by impersonating the group in a threat to unleash an OpenSSH exploit.…

Mozilla downplays risk from unpatched flaw
Nothing to exploit here. Please move along

There are conflicting reports as to whether a flaw in a new version of Firefox is exploitable or not.…

Wireshark Release 1.2.1, (Mon, Jul 20th)

One of our readers, Tommy, highlighted that the developers of Wireshark have released a bug fi ...(more)...

Mozilla Comments on Firefox 3.5.1 issue, (Sun, Jul 19th)

Yesterday we published a diary about a new vulnerability and POC that affected Firefox 3.5 ...(more)...

Former Admin Sentenced for Cyber Attack (July 15, 2009)

Lesmany Nunez was sentenced to one year in prison for a cyber attack on his former employer's computer network.......

Five NHS Trusts Sign Undertakings to Comply with Data Protection Act (July 14 & 16, 2009)

Five NHS Trusts have signed formal undertakings with the Information Commissioner's Office (ICO) in which they agree to comply with the seventh data protection principle of the Data Protection Act, which states that appropriate technical and organisational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.......

Critical Flaw in Firefox 3.5 (July 14 & 15, 2009)

A critical memory corruption flaw in the Just-in-time JavaScript compiler in Firefox could be exploited to take control of vulnerable computers.......

Blackberry Update Found to Contain Spyware (July 14, 2009)

A United Arab Emirates service provider pushed out a BlackBerry update that contains spyware capable of intercepting users' email and text messages and sending them back to the server.......

Oracle's Quarterly Security Release (July 16, 2009)

Oracle has issued its quarterly Critical Patch Update to address 30 security flaws in seven product lines.......

Microsoft Issues Six Security Bulletins (July 14 & 15, 2009)

On Tuesday, July 14, Microsoft released six security bulletins to address flaws in a variety of the company's products, including Windows, Microsoft Office, Internet Security and Acceleration Server, Virtual PC and Virtual Server.......

Twitter Company Data Compromised (July 15 & 16, 2009)

Twitter is consulting its legal team following a cyber attack that exposed internal documents.......

Eircom Investigating Attack (July 14 & 15, 2009)

Irish Internet service provider (ISP) Eircom is investigating an apparent distributed denial-of-service (DDoS) attack that prevented the majority of its 500,000 customers from accessing the Internet for about five hours earlier this week.......

Survey Finds One-Third of Users Respond to Spam (July 16, 2009)

Nearly one-third of 800 people surveyed by the Messaging Anti-Abuse Working Group (MAAWG) said they had responded to messages that were probably spam.......

Cisco 2009 Midyear Security Report (July 14, 2009)

Cyber criminals are taking their cues from the business world, according to a new Cisco report.......

Is Virtual Desktop Infrastructure (VDI) Right for Me? By Tim Proffitt and Emilio Valente

Virtual Desktop Infrastructure (VDI) is a solution for server-hosted, virtual desktop computing that leverages thin client architecture and centralizes endpoint images as virtual machines.......

Researchers Find IP Address of Command Server Used in US and South Korea Cyber Attacks (July 14, 2009)

A Vietnamese security company has reportedly identified the Internet protocol (IP) address of the command server that controlled the botnet responsible for the cyber attacks on US and South Korean government and commercial websites.......

Proposed Legislation Would Require State Dept. to Work on Global Cyber Crime Response (July 14, 2009)

In response to the recent cyber attacks on government and commercial web sites in the US and South Korea, US Senator Kirsten Gillibrand (D-NY) has introduced legislation that would require the Department of State to work with governments around the world to foster a united response to cyber attacks.......

Top Cyber Analysts See Denial of Service Attacks As Very Minor (July 16, 2009)

"The physical equivalent of this would have been an attack using hot-air balloons," said CSIS's Jim Lewis.......

Construction Blacklist Database Administrator Fined (July 16, 2009)

The man who maintained a blacklist database of builders in Britain has been fined GBP 5,000 (US $8,219) by the Crown Court.......

Former IT Director Sentenced for Cyber Damage (July 15, 2009)

Danielle Duann of Houston, TX has been sentenced to two years in prison for a cyber attack on her former employer's computer network.......

Proposed expansion of top-level domains generates security concerns

By Marcia Savage

Financial industry worried that ICANN plan could mislead consumers and lead to more cybersquatting and phishing attacks.

Oracle Secure Enterprise Search Linked XSS Vulnerability

Oracle Secure Enterprise Search (SES) has been found to contain a vulnerability in the "search" script.

Mobile Rediff Username and Password Disclosure

Rediffmail component of MobileRediff (Version 1.04) application allows username and password disclosure.

Microsoft Office Publisher 2007 Arbitrary Pointer Dereference Vulnerability (MS09-030)

Remote exploitation of an arbitrary pointer dereference vulnerability in version 2007 of Microsoft Corp.'s Publisher could allow an attacker to execute arbitrary code as the user running Publisher.

Microsoft Embedded OpenType Font Engine Heap Buffer Overflow (MS09-029)

Remote exploitation of a heap based buffer overflow vulnerability in Microsoft Corp.'s Embedded OpenType Font Engine (T2EMBED.DLL) could allow an attacker to execute arbitrary code with the privileges of the current user.

ILIAS LMS Multiple Arbitrary Information Disclosure

Several functions in ILIAS LMS allow arbitrary information disclosure.

Cisco Unified Contact Center Express Administration Pages Multiple vulnerabilities

Cisco Unified Contact Center Express (Cisco Unified CCX) server contains both a directory traversal vulnerability and a script injection vulnerability in the administration pages of the Customer Response Solutions (CRS) and Cisco Unified IP Interactive Voice Response (Cisco Unified IP IVR) products.

Wyse Device Manager hagent.exe buffer overflow vulnerability

Buffer overflow vulnerabilities have been reported in WDM Server and the WDM HAgent. A carefully crafted packet sent to the WDM Server port or the WDM Agent would crash the service, and could potentially allow the attacker to take control of the affected system.

Virtualmin Multiple Vulnerabilities

Virtualmin is prone to multiple vulnerabilities: Unprivileged port use, XSS, Anonymous proxy, Information disclosure and Symlink attacks.

Microsoft DirectShow QuickTime Atom Parsing Memory Corruption Vulnerability (MS09-028)

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required in that a target must visit a malicious page or open a malicious video file.

Novell eDirectory iMonitor Accept-Language Buffer Overflow

Secunia Research has discovered a vulnerability in Novell eDirectory, which can be exploited by malicious people to cause a DoS (Denial of Service).

MimeTeX/MathTeX Buffer Overflows and Command Injection

The mimeTeX and mathTeX CGIs are widely used helper executables that render mathematical equations as images. Both applications suffer from several buffer overflows as well as command injection, which result in remote code execution.

Microsoft Office Web Components Memory Corruption Vulnerability

A memory corruption vulnerability exists in the ActiveX Controls of Microsoft Office Web Components which allows a remote attacker to compromise a system through a malicious site.

libtiff Tools Multiple Integer Overflows

The libtiff image library tools suffer from integer overflows which may lead to a potentially exploitable heap overflow and result in arbitrary code execution.

HP ProCurve Threat Management Services zl Module Unauthorized Access and DoS

Potential security vulnerabilities have been identified with HP ProCurve Threat Management Services zl Module (J9155A). These vulnerabilities could be exploited remotely to gain unauthorized access or to create a Denial of Service (DoS).

Mozilla Downplays New Firefox Bug

Mozilla is downplaying a reported bug in its Firefox browser. According to Mozilla, initial reports that the vulnerability could be exploited to execute code are false.

McAfee Outlines SAAS Security Plans to Challenge Rivals

McAfee lays out its plans to expand its software-as-a-service business with an eye toward gaining traction among enterprises. To back up its talk, McAfee announces the addition of Web filtering and vulnerability assessment to its SAAS portfolio.

The Growing Threat to Business Banking Online

In Latest Warnings

Federal investigators are fielding a large number of complaints from organizations that are being fleeced by a potent combination of organized cyber crooks abroad, sophisticated malicious software and not-so-sophisticated accomplices here in the United States, Security Fix has learned. The attacks also are exposing a poorly-kept secret in the commercial banking business: That companies big and small enjoy few of the protections afforded to consumers when faced with cyber fraud.

SB09-201: Vulnerability Summary for the Week of July 13, 2009

Vulnerability Summary for the Week of July 13, 2009

Cisco Security Center: IntelliShield Cyber Risk Report

July 13-19, 2009

Report Highlight: Twitter Account Intrusions Highlight Password Recovery Weaknesses

McAfee Updates Managed Cloud Security Service

McAfee's latest version of its managed security service includes a new feature that lets companies scan their Web sites for vulnerabilities.

Could You be Hacked Like Twitter?

Don't let hackers catch you all a-Twitter -- secure your e-mail accounts using these tips.
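Several items above (the Twitter intrusion, the Hotmail recovery-address hijack and the Cisco report's "password recovery weaknesses") share one root cause: a reset path that trusts something an attacker can obtain elsewhere, whether profile facts scraped from the Web or a recovery mailbox the user no longer controls. The Python below is an added example, not code from the page or from any of the companies named on it. It places a knowledge-based reset beside a token-based one that also refuses to mail a reset link to a recovery address the user has not re-confirmed recently. The 90-day and 15-minute limits, the account data, the demonstration-only password hash and the Clock helper are all assumptions made for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

RECOVERY_EMAIL_MAX_AGE = 90 * 86400  # assumption: recovery address must be re-confirmed every 90 days
RESET_TOKEN_TTL = 15 * 60            # assumption: a reset link is valid for 15 minutes


def hash_pw(password: str) -> str:
    # Demonstration-only hash; a real service would use argon2, scrypt or bcrypt.
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    username: str
    password_hash: str
    recovery_email: str
    recovery_email_confirmed_at: float              # last time the user proved control of the mailbox
    kb_answers: dict = field(default_factory=dict)  # "secret question" answers


def weak_reset(acct: Account, answers: dict, new_password: str) -> bool:
    """Knowledge-based reset: anyone who can answer the profile questions gets in.
    Birthdays, pets and schools are typically discoverable on the Web."""
    for question, expected in acct.kb_answers.items():
        if answers.get(question, "").strip().lower() != expected.lower():
            return False
    acct.password_hash = hash_pw(new_password)
    return True


class TokenReset:
    """Reset via an unguessable, single-use, expiring token sent to the recovery
    address, and only if the user has recently confirmed that address is still theirs."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # sha256(token) -> (username, expires_at); a DB dump yields no usable tokens
        self.outbox = []    # (recovery_email, token) pairs that would have been mailed

    def request(self, acct: Account) -> str:
        if self._now() - acct.recovery_email_confirmed_at > RECOVERY_EMAIL_MAX_AGE:
            return "recovery address stale: re-confirm ownership before a reset can be sent"
        token = secrets.token_urlsafe(32)  # 256 random bits, not derivable from profile data
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (acct.username, self._now() + RESET_TOKEN_TTL)
        self.outbox.append((acct.recovery_email, token))
        return "reset link sent"

    def complete(self, accounts: dict, token: str, new_password: str) -> bool:
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # pop: a presented token is consumed either way
        if entry is None:
            return False
        username, expires_at = entry
        if self._now() > expires_at:
            return False
        accounts[username].password_hash = hash_pw(new_password)
        return True


class Clock:
    """Controllable clock so the demonstration is deterministic."""

    def __init__(self, t: float = 1_000_000.0):
        self.t = t

    def __call__(self) -> float:
        return self.t


def run_demo() -> dict:
    """Walks both flows with constructed data and returns what each attempt achieved."""
    clock = Clock()
    victim = Account(
        username="employee",
        password_hash=hash_pw("correct horse battery"),
        recovery_email="old-address@example.com",
        recovery_email_confirmed_at=clock.t - 400 * 86400,  # confirmed over a year ago
        kb_answers={"birthday": "1980-01-01", "first pet": "Rex"},
    )
    accounts = {victim.username: victim}
    results = {}
    # Attacker supplies answers scraped from the victim's public profiles.
    results["weak_reset_with_public_answers"] = weak_reset(
        victim, {"birthday": "1980-01-01", "first pet": "rex"}, "attacker-chosen")

    svc = TokenReset(now=clock)
    results["stale_recovery_refused"] = svc.request(victim).startswith("recovery address stale")
    victim.recovery_email_confirmed_at = clock.t  # user re-confirms the mailbox is still theirs
    results["fresh_recovery_sends"] = svc.request(victim) == "reset link sent"
    _, token = svc.outbox[-1]
    results["wrong_token_fails"] = not svc.complete(accounts, "guessed-token", "x")
    results["right_token_works"] = svc.complete(accounts, token, "new password")
    results["token_single_use"] = not svc.complete(accounts, token, "again")
    svc.request(victim)
    _, late_token = svc.outbox[-1]
    clock.t += RESET_TOKEN_TTL + 1  # let the second link expire
    results["expired_token_fails"] = not svc.complete(accounts, late_token, "too late")
    return results


if __name__ == "__main__":
    for check, ok in run_demo().items():
        print(f"{check}: {ok}")
```

The weak flow succeeds for the attacker with nothing but public facts; the token flow refuses outright while the recovery mailbox is stale, and once the user has re-confirmed it the only way in is a random token that expires and works exactly once. Real deployments would add rate limiting on requests and an audit trail for every refusal.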
