By emil.protalinski@arstechnica.com (Emil Protalinski) on Office Web Components
Microsoft has posted Security Advisory 9737472 to warn its users that it is responding to a privately reported flaw in Microsoft Office Web Components (OWC) that hackers are actively attempting to exploit. The vulnerability could allow for an attacker to gain the same user rights as the local user. To make matters worse, if the user is using Internet Explorer, code execution is remote and therefore may not require any user intervention. The list of Office software that this affects is as follows: Office XP, Office 2003, Office XP Web Components, Office 2003 Web Components, Internet Security and Acceleration Server 2004, Internet Security and Acceleration Server 2006, and Office Small Business Accounting 2006. The company also noted that it is currently working on a security update for Windows to address the flaw and will release it broadly once it has reached an appropriate level of quality.
By emil.protalinski@arstechnica.com (Emil Protalinski) on Windows
Microsoft Chairman Bill Gates likes bringing technology to as many people as possible. A computer on every desk? Done (more or less). Now Project Natal is one of those out-of-this-world technologies that is about to come to the masses (if you count gamers as the masses).
By jacqui@arstechnica.com (Jacqui Cheng) on WTF
Be honest: have you ever responded to a spam e-mail? Do you know anyone who has? If you're like most of us at Ars, you can't fathom why anyone would respond to most of the messages we get, but a new study released by the Messaging Anti-Abuse Working Group (MAAWG) shows that there are just enough people responding to make spamming worthwhile—especially since most spam these days is sent by botnets.
By emil.protalinski@arstechnica.com (Emil Protalinski) on Stirling
At this year's Worldwide Partner Conference, Microsoft announced pricing and the naming for its Forefront security solution (codenamed Stirling), the company's next version of a comprehensive protection solution across endpoints and servers. Stirling will be officially known as Forefront Protection Suite (FPS) and will include the products in the current suite, plus the Forefront Protection Manager (formerly known as the Stirling management console) and the Forefront Threat Management Gateway Web Security Service.
By Tom Espiner
The Symbian Foundation has acknowledged that its process for keeping malicious applications off Symbian OS-based phones needs improvement, after a Trojan horse program passed a security test.
The botnet-building Trojan, which calls itself "Sexy Space," passed through the group's digital-signing process, Symbian's chief security technologist Craig Heath said ...
By Seth Rosenblatt
New versions of Google Chrome are out, fixing bugs and patching security holes in both the stable build and the beta build.
Two serious security flaws have been plugged. One had allowed for malicious code exploitation within the Chrome tab sandbox. Found by the Google security team, the threat was ...
By Stephen Shankland
Mozilla updated Firefox to version 3.5.1 for Windows, Mac, and Linux on Thursday, fixing a security problem, improving stability, and speeding launch time on some Windows systems, according to the release notes.
"We strongly recommend that all Firefox 3.5 users upgrade to this latest release," browser director ...
By Lance Whitney
CEOs and their senior executives don't see eye to eye on key security issues, according to a new survey.
Many CEOs don't consider their own companies vulnerable to security attacks and are confident in their ability to combat those attacks, says a survey released Wednesday. However, those findings ...
By Josh Lowensohn, Caroline McCarthy
Twitter's latest security hole has less to do with its users than it does with its staff, but lessons can be learned on both sides.
In the case of Jason Goldman, who is currently Twitter's director of product management, the simplicity of Yahoo's password recovery system was enough to let a hacker get in and gain information from a number of other sites, including access to other Twitter staff's personal accounts.
The aftermath of the hack, which took place in May, is just now coming to fruition. Documents that a hacker by the alias of Hacker Croll recovered from Goldman's account and others (including Twitter co-founder Evan Williams) could be a treasure trove of inside information about the company and its plans.
While Croll was planning to release the entire batch publicly (and at once), tech blog TechCrunch posted news late Tuesday that it had received them and was considering posting the details of at least some of them.
Although it seems that Twitter has been thrust into this situation a bit unfairly, a hack along these lines could have happened to the executives of more Web companies than anybody would like to admit. What it really highlights is the extreme interconnectedness of the social Web: with the likes of e-mail contact importing and data-portability services like Facebook Connect now commonplace, a savvy hacker can have access to multiple accounts simply by accessing one.
A post Wednesday on Twitter's official blog highlights just how far-reaching this can be.
"About a month ago, an administrative employee here at Twitter was targeted and her personal email account was hacked," the post from co-founder Biz Stone read. "From the personal account, we believe the hacker was able to gain information which allowed access to this employee's Google Apps account which contained Docs, Calendars, and other Google Apps Twitter relies on for sharing notes, spreadsheets, ideas, financial details and more within the company."
Following that attack, Twitter conducted a security audit, and Stone's post says that there was not a security vulnerability in Google Apps and that Twitter continues to use the suite internally. A separate hack targeted the account of CEO Evan Williams' wife, and from that some of Williams' personal accounts were accessed as well, Stone explained.
But Twitter is front and center in the news these days, and is now talked about as a communications protocol as much as a Web start-up. Not only does that make it a particularly appealing target, but also...
By Lance Whitney
Most people may think they're smart enough not to answer an obvious spam message. But is that really the case?
Almost one third of consumers questioned admitted answering e-mails they suspected were spam, says a survey released Wednesday by the Messaging Anti-Abuse Working Group (MAAWG).
By Tom Espiner
There is a critical JavaScript vulnerability in the Firefox 3.5 Web browser, Mozilla has warned.
The zero-day flaw lies in Firefox 3.5's Just-in-time (JIT) JavaScript compiler. Proof-of-concept code to exploit the vulnerability has been posted online by a security research group, Mozilla said in a post on its security blog ...
By Elinor Mills
Microsoft on Tuesday issued patches to fix critical vulnerabilities in DirectShow and Video ActiveX that have been targeted in attacks, as well as fixes for holes in Embedded OpenType Font Engine and Microsoft Publisher that could allow someone to remotely take control of the PC.
Overall, the six "Patch Tuesday" ...
By Elinor Mills
Cyber scammers are banking on the notion that many people who might not fall for a phishing scam via e-mail may still be easy targets through their mobile phone, according to security report released Tuesday from Cisco Systems.
Text message scams are on the rise, particularly fake messages that appear ...
By Rik Ferguson on web
In a politically motivated attack, the Home and About Us sections of the front page of the Royal Australian Air Force website have been defaced by someone calling himself Atul Diwevedi.
By Rik Ferguson on VMware
“Security and virtualisation” as a concept covers a wide variety of implementations, software virtual appliances, virtual machines running on third party virtualisation servers, Software as a Service (SaaS) and the virtual appliances designed to run on blades in chassis-based solutions. As a result of the breadth of offerings, this technology is being adopted from the small [...]
By Darknet on sql-injection-tool
This perl script allows extraction of data from Blind SQL Injections. It accepts custom SQL queries as a command line parameter and it works for both integer and string based injections. We reported bsqlbf when it first hit the net back in April 2006 with bsqlbf v1.1, then the v2.0 update in June 2008. This new [...]
By Darknet on worms
We need more companies like this that acknowledge hoarding data isn’t doing anything for the greater good, to really stamp out the core problems you have to share the data you’ve correlated across the World so everyone can put together what they have and do something about it. It seems like with China pumping out the [...]
By Darknet on web-security
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goals are to be light weight, easy to use and full of vulnerabilities to exploit. Used to learn or teach the art of web application security. Vulnerabilities SQL Injection XSS (Cross Site Scripting) LFI (Local File Inclusion) RFI (Remote File Inclusion) Command Execution Upload Script Login Brute [...]
In Rootkits
Security researcher Dino Dai Zovi discusses his research on a new rootkit for Mac computers, and sizes up Apple and Microsoft when it comes to security.
In Virus and Spyware
Security researchers are pointing to a recent SMS spam-bred attack as evidence that malware gangs may have finally begun attempting to launch botnets that target mobile devices.
In Virus and Spyware
Trojan outbreaks are evading signature-based AV systems in larger numbers again, according to a new research report.
In Vulnerability Research
Sample exploit code for a vulnerability in Firefox 3.5 is circulating the Web. Here are some resources for information on workarounds.
In Risk Management
Cisco's midyear report on cyber-crime highlights the importance of keeping tabs on insider threats.
The Government Accountability Office says agencies' information security policies aren't good enough and OMB needs to improve its guidance under FISMA.
Backers of the Real ID Act and proposed PASS ID Act have been debating the extent to which states need to make expensive information technology investments to improve the security of driver's licenses.
Recent RFIs focus on virtualization-based security strategeies and commercial solutions for defending against denial-of-service attacks.
The Public Interest Declassification Board has been gathering public recommendations for how the Obama administration should improve policies for classifying national security data.
Although the program is controversial, 27 states are likely to meet milestones.
The Homeland Security Department wants information from companies on their solutions that could be used to protect the government's domain used by civilian agencies.
Backers of a new driver's license security program say the current Real ID program's costly IT requirements are unnecessary and won't work for states.
A new storefront is designed to let federal agencies buy technology in real time.
Virtualization technology may be used to deal with the Defense Department's network security problems.
Program will make cybersecurity software available to agencies.
Mozilla's latest Web browser is a solid step forward, with features including private browsing, geolocation, and support for the latest audio, video, graphics, and HTML 5.
Security flaw allows attackers to gain access to all files on HTC's Windows Mobile phones running the 6.0 or 6.1 versions.
Security flaw allows attackers to gain access to all files on HTC's Windows Mobile phones running the 6.0 or 6.1 versions.
The distribution of internal Twitter documents by a hacker has revived doubts about the security of cloud computing. But Google wants everyone to know that security tools are available for those who want to use them.
The distribution of internal Twitter documents by a hacker has revived doubts about the security of cloud computing. But Google wants everyone to know that security tools are available for those who want to use them.
The hacker who hijacked a Twitter admin account in May has been distributing sensitive files taken from the company, ostensibly to educate people about the risks of poor computer security.
The hacker who hijacked a Twitter admin account in May has been distributing sensitive files taken from the company, ostensibly to educate people about the risks of poor computer security.
Proposed legislation seeks to halt the use of illegal cell phones in prisons but is countered by public interest agency officials.
Exploit code for a vulnerability in Firefox was posted online on Monday. Mozilla says it is working on a fix.
Exploit code for a vulnerability in Firefox was posted online on Monday. Mozilla says it is working on a fix.
Two zero-day vulnerabilities are addressed in Microsoft's July patch cycle, but a third flaw that was revealed on Monday remains.
The main Web site of the Department of Defense was a target of a recent distributed denial of service attack.
They sometimes call national security the third rail of politics. Touch it and, politically, you're dead.
An organised cybercrime strategy, published by the Home Office, has promised to beef up law enforcement's e-crime strategy in an effort to curb the threat.
HTC released a software update on Thursday that fixes a Bluetooth vulnerability disclosed earlier this week by a Spanish security researcher.
Mozilla has issued a patch for a Firefox 3.5 bug that was disclosed on Monday and called "self-inflicted by one contributor.
A security expert has warned that organisations should prepare for more politically motivated Web site attacks, as hackers seek more effective vehicles for gaining large-scale media attention.
Business leaders have more confidence in cloud computing than the organisation's technical managers. That is according to business Internet service provider Star, which found that U.K. CIOs have dismissed security concerns about cloud computing.
Storage vendor Freecom has come up with a new external USB hard drive that can only be accessed using an RFID (radio frequency identification) swipe card.
The Information Commissioner's Office (ICO) has issued more warnings to NHS bodies after five Trusts have been found to breach the Data Protection Act, with one trust leaving patient notes on a bus.
If Twitter goes ahead and sues Web sites that posted proprietary information that was stolen by a hacker, it would be moving into murky legal waters, experts said today.
Microsoft has sued a Hong Kong seller of mobile ringtones, saying the company used phishing techniques to flood Microsoft Live Messenger users with spam messages.
The U.S. Department of Energy is starting to deploy what it describes as a network neighborhood crime watch that pools attack data from intrusion detection systems at disparate DoE sites to facilitate faster response times.
Confidential online connections like banking transactions made from public wireless hotspots remain vulnerable to attacks despite improved security that was supposed to fix the problem, researchers will demonstrate at the Black Hat security conference.
The first worm that spreads between mobile devices by spamming text messages has developed a new communications capability that one security vendor says signals the arrival of mobile botnets.
Researchers at Carnegie Mellon University report that they can sometimes guess a person's Social Security number and the press goes nuts. This is actually a good thing (the press going nuts that is).
It's no easy task implementing a data loss prevention (DLP) program when there's so much disagreement in the security community over what DLP entails. But those who've been through it have good news: It can be done.
Security vendors have decided to take on the plague of bogus anti-virus software circulating on the Internet by creating a public list of legitimate vendors and programs.
TrustDigital has released an updated version of its mobile device management software, with improved support for the Apple iPhone, including the new 3GS model, and iPod Touch.
Nearly half of Brits never pay to download music, video or games, says Telindus.
Recent visitors to the Web site of Malaysia's Ministry of Foreign Affairs may have come away with something other than a better understanding of Malaysian foreign policy or the country's visa requirements. The Web site was compromised by an unknown attacker and used to redirect visitors to another site containing malicious code.
Lawyers from the U.S. Department of Justice and the Electronic Frontier Foundation squared off in a San Francisco courtroom Wednesday over a warrantless wiretapping program instituted by the Bush administration.
Whenever Michael Arrington posts anything on TechCrunch with a theme of "Ethics 101," you know you're in for some unintentional high comedy. Such was the case today when someone calling himself "Hacker Croll" dumped a carton of internal Twitter documents on TechCrunch's doorstep.
Chief Executive Officers are likely to hold different views on corporate data security issues than other C-level executives, according to the results of a Ponemon Institute survey.
A decision by India's central bank to mandate another level of authentication for card use for online transactions will deter such transactions in the country, according to an association of India's e-commerce industry.
Three brothers were sentenced to prison on Tuesday in a London court for creating counterfeit credit and debit cards, defrauding victims of more than £600,000 (US$978,000), according to the Metropolitan Police.
IronKey reckons it has made its super-secure S100 crypto USB drive family even harder to crack.
Check Point customers will this week get their hands on the latest version of the company's endpoint security client, R72, which features a new security-boosting 'sandbox' browsing mode.
Mozilla has confirmed the first bug in the Firefox 3.5 browser that was launched about two weeks ago.
In one of the first talks at this year's Black Hat USA, Billy Hoffman and Matt Wood, both security researchers at HP, plan to demonstrate a darknet designed to run entirely within a browser.
Tufin is teaming with McAfee to integrate their security products to reduce the time and cost of running firewalls and make it easier to draw on data needed to meet regulatory audits.
Any business accepting credit and debit cards -- and using or considering wireless LANs -- should carefully review the recommendations for use of 802.11 wireless access points that are detailed in the guidelines issued Wednesday by the Payment Card Industry Security Standards Council.
The Computer Security Handbook, Fifth Edition (CSH5) edited by Seymour Bosworth, M. E. Kabay and Eric Whyne was published in February 2009 and we’ve already found mistakes! Oy gevalt ("Woe is me" in Yiddish). You can humiliate the editors even further with your very own contributions of typographical errors, infelicitous phrases, unclear paragraphs, and obsolete references. Just join the new CSH5_Discussion group on Yahoo and pitch in!
The DHS and two U.S. Senators moved this week to mandate use of the federal E-Verify program by employers to determine whether workers are legally employed in the U.S.
Microsoft today fixed a serious, under-attack flaw in a video ActiveX control, along with other critical flaws involving QuickTime files and fonts. But a critical zero-day hole in another ActiveX control remains unpatched.
Attacks exploiting the latest Microsoft vulnerability are quickly growing in quantity and intensity, several security companies warned today as they rang alarms about the developing threat.
Microsoft today delivered six security updates that patched nine vulnerabilities. The patches fix two bugs now being used by hackers but leave one still open to exploit.
A critical flaw in the way Firefox 3.5 handles Javascript opens the door to a serious attack, according to Secunia, which tracks security vulnerabilities.
British authorities have launched an investigation into the recent cyberattacks that crippled Web sites in the U.S. and South Korea, as the trail to find the perpetrators stretches around the world.
An admitted hacker who broke into U.S. military computer systems shortly after the Sept. 11, 2001 terrorist attacks has made a new appeal to a British court seeking to be tied in the U.K. rather than in the U.S.
'NULL pointer' bug plagues even super max versions
A recently published attack exploiting newer versions of the Linux kernel is getting plenty of notice because it works even when security enhancements are running and the bug is virtually impossible to detect in source code reviews.…
SPIM phishers feel the wrath of Redmond's lawyers
Microsoft has set its legal attack dogs on a Hong Kong distributor of mobile ringtones, over allegations that it has flooded Microsoft Live Messenger users with deceptive, fraudulent IM spam messages ultimately aimed at promoting online smut.…
Tackling bigger and better idiots
Thanks for some great comments from the article about making applications more secure. One of my favourites was, “It's all very well trying to make your software idiot proof, but the problem is that the world keeps creating bigger and better idiots.” How true this often appears.…
Fuzz logic
Police in the Australian state of Queensland are to go on the hunt for unsecured wireless networks.…
Ghost in the machine
Forget mis-configured Apache servers and vulnerability-laden Adobe applications. The biggest security threats to business and home networks may be the avalanche of webcams, printers, and other devices that ship with embedded web interfaces that can easily be turned against their masters.…
<empty field> + binhex = Visa FAIL
It seems an empty amount field is the culprit in the programming glitch that caused some 13,000 holders of prepaid Visa cards to receive warnings that their accounts were overdrawn by more than $23 quadrillion.…
Lunkhead junk mail buyers come clean
Almost a third of consumers admit responding to messages that might be spam emails. Some acted out of curiosity or by mistake but a puzzling 96 from a sample of 800 (12 per cent) said they clicked because they interested in the product or service advertised in junk mail messages.…
Squeezing the zucchini juice
Google has shrink-wrapped the way it delivers updates to its Google Chrome browser by releasing a new system dubbed Courgette.…
Low-risk mobile Trojan bundles botnet features
Security researchers have identified the first known spam bot client for 3G phones.…
$30k rampage served cold
A former support admin was sentenced to one year in prison after admitting he shut down the servers of a large IT company a few months after his employment ended there.…
Biz Stone's briefs
An unidentified hacker has exposed confidential corporate and personal information belonging to microblogging site Twitter and its employees after breaching electronic accounts belonging to several people close to the company.…
Still no fix
If you own a mobile phone made by HTC and connect using Bluetooth, there's a decent chance security researcher Alberto Moreno Tablado can rummage through sensitive files stored on the device using a critical bug in some of its wireless device features.…
Admits 17-digit 'glitch'
Visa says a technical glitch is responsible for a rash of notices warning customers their accounts are overdrawn to the tune of $23 quadrillion.…
Snazzy Toshiba TG01s infected
O2 in Germany has stopped sending out Toshiba TG01 smartphones, which have been inadvertently infected with malware.…
Measures self with Cisco yardstick
Juniper has stretched its enterprise security mechanisms to better protect all those machines logging into corporate networks from remote locations.…
'One bad apple' defence wormed into
A committee of MPs was presented evidence on Tuesday that several News of the World journalists were involved in illegal mobile phone hacks, piling further pressure on News International which maintains that only one rogue reporter was involved.…
More of the same to come
Microsoft released six bulletins - three covering critical flaws - on Tuesday as part of its monthly Patch Tuesday update cycle.…
Twelve years for the brothers PIN
Three brothers have been jailed for a total of 12 years for making fake credit and debit cards.…
Official snooping suspected in UAE
An update pushed out to BlackBerry users on the Etisalat network in the United Arab Emirates appears to contain remotely-triggered spyware that allows the interception of messages and emails, as well as crippling battery life.…
Category: Management & Leadership
Paper Added: July 16, 2009
On Thursday, July 16, Google Chrome 2.0 ...(more)...
As a follow up to a previous Diary (Oracle Black Tuesday) we had a Storm Center participant, Brian, ...(more)...
Various analysts and sites have recently confirmed a vulnerability is present in FireFox 3.5 ...(more)...
Almost on cue, with the news of the bombing in Jakarta, the bottom-feeders of the black-hatters have ...(more)...
G-SEC posted an advisory of a nifty little vulnerability that affects most browsers on most platform ...(more)...
Source code for a exploit of a Linux kernel vulnerability has been posted by Brad Spengler (Brad is ...(more)...
Thanks to all those who have sent in submissions overnight to alert us to the release of Firefox 3.5 ...(more)...
One of the must have tools for every person doing anything related to IT security is definitely Nmap ...(more)...
As we thought, it was just a matter of time before more attackers start exploiting the still unpatch ...(more)...
An ISC reader wrote in about a change that occurred this month with the Windows Security Center (WSC ...(more)...
One of our readers, Tom Ueltschi, sent an e-mail with details about an exploit that is exploiting a ...(more)...
Oracle's quarterly patch release day was today as well. Oracle keeps details restricted to customer ...(more)...
The Internet Systems Consortium released patches to their dhcp implementation. The patches fix a st ...(more)...
Updated story, thanks to for helping figure it out! The mozilla security blog confirms an exploit a ...(more)...
Overview of the July 2009 Microsoft patches and their status. # ...(more)...
After the rush of the new vulnerability being published, exploits in the wild, and malware being dis ...(more)...
Ireland's Communications (Retention of Data) Bill 2009 will require Internet service providers (ISPs) to retain users' Internet use information for one year; the bill also reduced the amount of time phone records must be retained from three years to two years.......
A study of 117 small and medium-sized Irish businesses found that 43 percent have not established disaster recovery plans.......
A court in Shanghai has sentenced a man to two-and-a-half years in jail for inserting viruses into software products made by his former employer, an IT company.......
Chi Tong Kuok has been indicted for alleged conspiracy, money laundering, smuggling and attempting to export a defense article without a license.......
South Korea has moved up the date for completion of a cyber security center for financial and economic institutions in the wake of recent cyber attacks on government, news, and financial websites.......
France has created a new national agency to help defend government and commercial networks from attacks.......
Twitter is suspending accounts of members whose computers are infected with Koobface.......
LexisNexis has sent letters to more than 13,000 people, warning them that their personal information may have been accessed by a Florida man who is allegedly involved in a mafia racketeering conspiracy.......
Just one day before its scheduled security release, Microsoft has issued an advisory warning of attacks that exploit an arbitrary code execution vulnerability in the Spreadsheet ActiveX control in Microsoft Office Web Components.......
The malware behind the distributed denial-of-service (DDoS) attacks that hit sites in South Korea and the US also includes instructions to delete data on the PCs it has infected starting on July 10, 2009, so the computers used in the attacks are at risk as well.......
South Korea was hit with a third wave of cyber attacks late last week, but the Korean Communications Commission has not listed North Korea among the possible origins of the attacks.......
The process of reaching a consensus on information security documents can sometimes get mired in endless, trivial discussions.......
By Marcia Savage
Guide analyzes PCI requirements pertaining to wireless networks and provides recommendations.
By Robert Westervelt
The Conficker worm authors have a vast army of zombie machines at their disposal. So far the botnet lie dormant, but one researcher will show at Black Hat that it could awaken.
By Robert Westervelt
The Conficker worm authors have a vast army of zombie machines at their disposal. So far the botnet remains dormant, but one researcher will show at Black Hat that it could awaken.
By SearchSecurity Staff
The database giant repaired critical flaws in Oracle Database, BEA WebLogic and Oracle E-Business Suite.
By SearchSecurity.com Staff
Attackers could exploit the flaw by tricking a user into viewing a website with the malicious code.
By Robert Westervelt
The software giant issued six updates this week as part of its Patch Tuesday updates. Three bulletins were rated critical.
Mozilla has updated its Firefox browser to plug a critical security hole days after attack code for the vulnerability surfaced on the Web.
With persistent reports about hacker attacks, compromised privacy and phishing scams, social networks can be scary places. But that doesn't mean the corporate world should run. IT managers can establish policies that protect corporate network and data security without shutting out social networks altogether. Here are some of the issues IT managers should keep in mind when dealing with social networks.
A recent attack on the private e-mail account of an administrative employee at Twitter led to company data being compromised. But despite the focus on password strength and cloud computing, the security risk lies in the area of password recovery and security best practices.
Spammers have taken to cracking CAPTCHA protection for Microsoft Hotmail, Google Gmail and other Web mail services in recent years. Startup company Pramana is pushing a proactive approach to keeping botnets at bay.
Recently leaked Twitter documents that were stored on Google Apps highlight a deeper issue - namely, when everything you do is stored online, how will you protect your personal data? As Google revs up its new Chrome OS, phishing and hacker attempts will be exacerbated. How, exactly, will you deal with your data security in this brave new world of data portability?
The free Microsoft Security Essentials anti-virus solution, formerly known as Morro, works but won't blow your mind. With it, Microsoft is raising the security bar--albeit the lowest rung on the ladder--but integration with third-party solutions could result in something big.
Internal company information from Twitter obtained when a hacker hit the private e-mail accounts of employees has been leaked out on to the Internet. The information ranges from the mundane - employee meal preferences - to Twitter's financial projections.
Microsoft patches nine vulnerabilities for Patch Tuesday July 14. Among them are two critical security flaws that have come under attack by hackers.
In Safety Tips
Mozilla has pushed out an update to Firefox 3.5 to plug a critical security hole that Security Fix warned about this week. According to the SANS Internet Storm Center, there have been reports of public exploits for this flaw being used in the wild.
In Latest Warnings
Most people are familiar with the notion that a computer virus can be passed from PC to PC, but many folks would probably be surprised to learn that a sick PC can often pass its infection on to Web sites, too. Some of the most pervasive malicious software circulating today (e.g., Virut) includes spreading capabilities that hark back to the file-infecting methods of the earliest viruses, which spread by making copies of themselves, or by inserting their code into other files on the host system.
In Latest Warnings
Purveyors of spam and malicious software are taking full advantage of URL-shortening services like bit.ly and TinyURL in a bid to trick unwary users into clicking on links to dodgy and dangerous Web sites. Fortunately, with the help of a couple of tools and some common sense, most Internet users can avoid these scams altogether.
In New Patches
Microsoft Corp. today issued software updates to plug at least nine different security holes in its various Windows operating systems and other software. Today's patch batch includes fixes for two very serious flaws that are actively being exploited by attackers to break into vulnerable PCs.
The scale of security
Nmap gets a major upgrade
Mozilla works to patch Firefox flaw
BlackBerry update bursting with spyware
Microsoft fixes 9 flaws as tenth fuels attacks
In technology
PC World - Google says it is working on an operating system designed for netbooks that boots in seconds, is impervious to viruses, and is designed to run Web-based applications really well. What's not to like? Plenty--if you're the number one software maker, Microsoft. Expect a showdown. Google faces an uphill battle rolling out its operating system, Chrome OS. The irony is, Google may not care if Chrome OS succeeds or fails. Here's why.
In technology
PC World - After two years at the job, the CEO of Dutch antivirus seller AVG Technologies is stepping down.
In technology
PC World - Microsoft has sued a Hong Kong seller of mobile ringtones, saying the company used phishing techniques to flood Microsoft Live Messenger users with spam messages.
In technology
PC World - The first worm that spreads between mobile devices by spamming text messages has developed a new communications capability that one security vendor says signals the arrival of mobile botnets.
In technology
PC World - A decision by India's central bank to mandate another level of authentication for card use for online transactions will deter such transactions in the country, according to an association of India's e-commerce industry.
In technology
AFP - A Vietnamese computer security firm believes Britain was the likely origin of last week's cyber attacks that crippled major US and South Korean websites, Seoul officials said.
In business
Investor's Business Daily - S. Korean police said computer hackers extracted files from computers they contaminated with the virus that triggered cyberattacks last week in the U.S. and S. Korea, a sign they tried to steal information from the victims. The finding adds to concerns that contaminated computers were ordered to damage their own hard disks.
In technology
Reuters - Microsoft Corp warned that cybercriminals have attacked users of its Office software for Windows PCs, exploiting a programing flaw that the software giant has yet to repair.
In technology
PC World - About one in six consumers have at some time acted on a spam message, affirming the economic incentive for spammers to keep churning out millions of obnoxious pitches per day, according to a new survey.
Vulnerability Summary for the Week of July 6, 2009
Microsoft Updates for Multiple Vulnerabilities
Severity Rating: Important - Revision Note: V1.1 (July 15, 2009): Added command line instructions for Windows Vista and Windows Server 2008. Also removed erroneous entry of update log file.Summary: This security update resolves a privately reported vulnerability in Microsoft Virtual PC and Microsoft Virtual Server. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected guest operating system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Severity Rating: Important - Revision Note: V1.1 (July 15, 2009): Added a link to Microsoft Knowledge Base Article 969693 under Known Issues in the Executive Summary. Added information about additional security features included in this update to the Frequently Asked Questions (FAQ) Related to This Security Update section. Corrected the update filename for Office Publisher 2007 (publisher2007-kb969693-fullfile-x86-glb) in the Security Update Deployment section. These are informational changes only. There were no changes made to the security update files in this bulletin.Summary: This security update resolves a privately reported vulnerability in Microsoft Office Publisher that could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Revision Note: V1.1 (July 15, 2009): Updated Executive Summary for MS09-032; corrected restart requirement for MS09-029; and performed miscellaneous edits.Summary: This bulletin summary lists security bulletins released for July 2009.
Summary: This security update resolves a privately reported vulnerability in Microsoft Virtual PC and Microsoft Virtual Server. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected guest operating system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Severity Rating: Critical - Revision Note: V1.1 (July 15, 2009): Clarified a FAQ about the workaround from Microsoft Security Advisory 972890, added a FAQ about Microsoft Security Advisory 973472, and added a FAQ about the kill bits contained in this bulletinSummary: This security update resolves a privately reported vulnerability that is currently being exploited. The vulnerability in Microsoft Video ActiveX Control could allow remote code execution if a user views a specially crafted Web page with Internet Explorer, instantiating the ActiveX control. This ActiveX control was never intended to be instantiated in Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Severity Rating: Important - Revision Note: V1.0 (July 14, 2009): Bulletin published.Summary: This security update resolves a privately reported vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2006. The vulnerability could allow elevation of privilege if an attacker successfully impersonates an administrative user account for an ISA server that is configured for Radius One Time Password (OTP) authentication and authentication delegation with Kerberos Constrained Delegation.
Summary: This security update resolves a privately reported vulnerability in Microsoft Office Publisher that could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Severity Rating: Critical - Revision Note: V1.1 (July 15, 2009): Updated the restart requirement descriptions for all updates in the Update Information section to clarify that in some cases, this update does not require a restart.Summary: This security update resolves two privately reported vulnerabilities in a Microsoft Windows component, the Embedded OpenType (EOT) Font Engine. The vulnerabilities could allow remote code execution. An attacker who successfully exploited either of these vulnerabilities could take complete control of an affected system remotely. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Severity Rating: Critical - Revision Note: V1.0 (July 14, 2009): Bulletin published.Summary: This security update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in Microsoft DirectShow. The vulnerabilities could allow remote code execution if a user opened a specially crafted QuickTime media file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Revision Note: V1.1 (July 15, 2009): Updated the impact description of the workaround, "Prevent Office Web Components Library from running in Internet Explorer."Summary: Microsoft is investigating a privately reported vulnerability in Microsoft Office Web Components. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user. When using Internet Explorer, code execution is remote and may not require any user intervention.
Revision Note: V1.1 (June 17, 2009): Added an entry to Frequently Asked Questions to communicate that for the purpose of automatic updating, this update does not replace the Cumulative Security Update of ActiveX Kill Bits (950760) that is described in Microsoft Security Bulletin MS08-032.Summary: Microsoft is releasing a new set of ActiveX kill bits with this advisory.
Learn about and download the latest computer security updates for July 2009. Read tips on protecting your computer by using anti-spyware and anti-spam programs.
Bulletin Severity Rating: - This security update resolves a privately reported vulnerability in Microsoft Virtual PC and Microsoft Virtual Server. An attacker who successfully exploited this vulnerability could execute arbitrary code and take complete control of an affected guest operating system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
Bulletin Severity Rating:Critical - This security update resolves a privately reported vulnerability that is currently being exploited. The vulnerability in Microsoft Video ActiveX Control could allow remote code execution if a user views a specially crafted Web page with Internet Explorer, instantiating the ActiveX control. This ActiveX control was never intended to be instantiated in Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Bulletin Severity Rating:Important - This security update resolves a privately reported vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2006. The vulnerability could allow elevation of privilege if an attacker successfully impersonates an administrative user account for an ISA server that is configured for Radius One Time Password (OTP) authentication and authentication delegation with Kerberos Constrained Delegation.
Bulletin Severity Rating: - This security update resolves a privately reported vulnerability in Microsoft Office Publisher that could allow remote code execution if a user opens a specially crafted Publisher file. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Bulletin Severity Rating:Critical - This security update resolves two privately reported vulnerabilities in a Microsoft Windows component, the Embedded OpenType (EOT) Font Engine. The vulnerabilities could allow remote code execution. An attacker who successfully exploited either of these vulnerabilities could take complete control of an affected system remotely. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Bulletin Severity Rating:Critical - This security update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in Microsoft DirectShow. The vulnerabilities could allow remote code execution if a user opened a specially crafted QuickTime media file. An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
By MSRCTEAM on Security Update
Today Adrian Stone and I conducted the security bulletin webcast for June covering the six bulletins we released yesterday and Security Advisory 973472 (vulnerability in Office Web Components).
There were several questions about MS09-028 and MS09-032. These security updates addressed two open security advisories (971778 and 972890 respectively). One common question was “if I installed the Fix it workaround in the advisory, do I need to uninstall it before installing the update in the bulletin?”. The answer to that question is no, you can install the security update right on top of the Fix it workaround.
Another area where we were asked for clarification was if the cumulative security update of ActiveX Kill Bits contained the kill bit for the OWC advisory (973472). Good question. The kill bit provided in the advisory is not part of MS09-032. The issue discussed in the advisory is still under investigation and when that is complete, we will take appropriate action to protect customers. Meanwhile, we encourage all customers to evaluate and apply the workaround as quickly as possible.
With that, here is the complete list of questions and answers and I invite you to view the video below from today’s webcast.
More viewing and listening options:
Please join us August 12th for our next regularly scheduled webcast following the August bulletin release where we will again have a room full of subject matter experts to answer all of your questions.
Thanks!
Jerry Bryant
*This posting is provided "AS IS" with no warranties, and confers no rights.*
By MSRCTEAM
Summary of Microsoft’s monthly security bulletin release for July 2009.
This month we are releasing six bulletins. Three of those affect Windows and are rated Critical. All three of those also have an Exploitability Index rating of “1” which means that we believe that consistent exploit code in the wild is highly likely within the first 30 days. In fact, as we discussed in the advance notification blog post last week, two of those are under active attack and were discussed in security advisories which are being replaced with the release of these bulletins.
The remaining three bulletins are all rated Important and affect Microsoft Office Publisher, Microsoft ISA Server, and both Virtual PC and Virtual Server. The first two also have Exploitability Index ratings of “1” so please consider this while doing your risk assessment.
In total, we are addressing nine vulnerabilities this month. All of these vulnerabilities have an Exploitability Index rating of “1” except for the single vuln being addressed in the Virtual PC bulletin, MS09-033 which is rated a “2”.
In the video below, Adrian Stone and I provide a little more discussion on risk and impact concerning this month’s bulletins and Security Advisory 973472 which we released yesterday, July 13, 2009, for Office Web Components:
More viewing and listening options:
We invite you to attend our regular monthly webcast tomorrow where we will go in to detail on each bulletin and address your questions with the help of a room full of subject matter experts. Please also check the Security Research and Defense blog for additional technical information on these updates.
Webcast info: Wednesday, July 15, 2009, at 11:00 a.m. PDT (UTC –7). Click HERE to register.
Thanks!
Jerry Bryant
*This posting is provided "AS IS" with no warranties, and confers no rights*
By blue@jinx.dk (Jesper M. Christensen)
Taking a look on some different types of remote access solutions that you can use for internal and external support.
Posts
