February 5th, 2010

Oracle rushes out patch for gaping server hole

Posted by Ryan Naraine @ 1:17 pm

Categories: Arbitrary Code Execution, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Locally Running Web Servers, Open source, Oracle, Responsible disclosure, Vulnerability research

Tags: Oracle Corp., Vulnerability, Patches, Security, Firewalls, Networking, Ryan Naraine

Oracle has released an out-of-band patch to fix a gaping security hole in the Oracle WebLogic Node Manager and warned that an attacker could launch remote attacks over a network without the need for a username and password.

The patch follows the public release of exploit code as part of the recent Week of Web Server Bugs.

Read the rest of this entry »

February 5th, 2010

Mozilla Firefox hit by malware add-ons

Posted by Ryan Naraine @ 8:20 am

Categories: Anti Virus, Browsers, Data theft, Exploit code, Firefox, Malware, Microsoft, Mozilla, Spam and Phishing, Spyware and Adware, Viruses and Worms, Vulnerability research

Tags: Mozilla Firefox, Trojan Horse, Malware, Mozilla Corp., Add-on, Spyware, Adware & Malware, Cyberthreats, Spyware, Viruses And Worms, Security

Mozilla says a pair of malicious Firefox add-ons slipped by its security checks and infected approximately 4,600 Windows computers over the last five months.

The browser add-ons, described my Mozilla as “experimental,”  contained a Trojan horse that executed when Firefox started and infected the host computer.

Read the rest of this entry »

February 4th, 2010

MS Patch Tuesday heads-up: 13 bulletins, 26 vulnerabilities

Posted by Ryan Naraine @ 10:48 am

Categories: Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Microsoft, Patch Watch, Responsible disclosure, Vulnerability research, Windows Vista, Zero-day attacks

Tags: Vulnerability, Microsoft Corp., Microsoft Windows, Security, Microsoft Windows 7, Operating Systems, Software, Ryan Naraine

Microsoft’s February batch of security patches will be a biggie — 13 bulletins with fixes for a whopping 26 vulnerabilities.

According to an advance notice from the Redmond, Wash. software vendor, five of the 13 bulletins will be rated “critical” because of the risk of remote code execution attacks.

Read the rest of this entry »

February 3rd, 2010

Microsoft warns of new IE data-leakage vulnerability

Posted by Ryan Naraine @ 2:25 pm

Categories: Arbitrary Code Execution, Browsers, Data theft, Exploit code, Malware, Microsoft, Patch Watch, Responsible disclosure, Spam and Phishing, Vulnerability research

Tags: Vulnerability, Microsoft Windows, Microsoft Internet Explorer, Microsoft Corp., Attack, Web Browsers, Security, Internet, Ryan Naraine

Microsoft today issued a security advisory to acknowledge an information disclosure hole in its Internet Explorer browser and warned that an attacker could exploit the flaw to access files with an already known filename and location.

The vulnerability was first discussed at this week’s Black Hat DC conference by Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies.   Microsoft says the risk is highest for IE users running Windows XP or who have disabled the browser’s Protected Mode feature. Read the rest of this entry »

January 22nd, 2010

Tor Project suffers hack attack

Posted by Ryan Naraine @ 12:36 pm

Categories: Arbitrary Code Execution, Botnets, Data theft, Exploit code, Open source, Patch Watch, Responsible disclosure, Vulnerability research, Zero-day attacks

Tags: Bandwidth, Attacker, Attack, Dingledine, Security, Servers, Hardware, Ryan Naraine

The Tor Project, a service that provides privacy and anonymity to Web users, said hackers broke into two of its servers and used the CPU and bandwidth to launch additional attacks.

Tor project lead Roger Dingledine confirmed the hack in an e-mail that urged users to immediately upgrade to get fresh identity keys for the two compromised directory authorities.

Read the rest of this entry »

January 21st, 2010

Microsoft knew of IE zero-day flaw since last September

Posted by Ryan Naraine @ 12:34 pm

Categories: Adobe, Anti Virus, Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Exploit code, Google, Malware, Microsoft, Patch Watch, People's Republic of China, Research, Responsible disclosure, Vulnerability research

Tags: Attacker, Vulnerability, Microsoft Internet Explorer, Microsoft Corp., Zero-day Bug, Web Browsers, Security, Internet, Ryan Naraine

Microsoft today admitted it knew of the Internet Explorer flaw used in the attacks against Google and Adobe since September last year.

The flaw was in the Microsoft Security Response Center’s (MSRC) queue to be fixed in the the next batch of patches due in February but the targeted zero-day attacks against U.S. companies forced the company to release an emergency, out-of-band IE update.

Read the rest of this entry »

January 21st, 2010

Microsoft confirms 17-year-old Windows vulnerability

Posted by Ryan Naraine @ 8:05 am

Categories: Arbitrary Code Execution, Complex Attacks, Denial of Service (DoS), Google, Microsoft, Patch Watch, Pen testing, Responsible disclosure, Vulnerability research, Windows Vista

Tags: Advisory, Flaw, Microsoft Corp., Attack, Ormandy, Microsoft Windows, Security, Microsoft Windows NT, Operating Systems, Software

One day after a Google security researcher released code to expose a flaw that affects every release of the Windows NT kernel — from Windows NT 3.1 (1993) up to and including Windows 7 (2009) — Microsoft dropped a security advisory to acknowledge the issue and warn of the risk of privilege escalation attacks.

Read the rest of this entry »

January 20th, 2010

Critical out-of-band IE patch coming tomorrow (Jan 21)

Posted by Ryan Naraine @ 10:23 am

Categories: Adobe, Arbitrary Code Execution, Browsers, Data theft, Exploit code, Google, Governments, Microsoft, Patch Watch, People's Republic of China, Responsible disclosure, Vulnerability research, Windows Vista, Zero-day attacks

Tags: Microsoft Internet Explorer, Microsoft Corp., Web Browsers, Internet, Ryan Naraine

This is just a quick heads-up that the emergency security patch for Microsoft’s Internet Explorer will be released tomorrow (January 21, 2009).

The update, rated critical for all versions of IE, will cover a remote code execution flaw that has already been used in targeted attacks against U.S. companies, including Google and Adobe. Read the rest of this entry »

January 20th, 2010

Researcher demos clickjacking attack on Facebook

Posted by Ryan Naraine @ 9:37 am

Categories: Adobe, Arbitrary Code Execution, Browsers, Data theft, Exploit code, Flash, Responsible disclosure, Viruses and Worms, Vulnerability research, Zero-day attacks

Tags: Facebook, Researcher, Attack, Security, Ryan Naraine

An Israeli security researcher has found a way to perpetrate so-called clickjacking attacks on Facebook, proving that it’s trivial to manipulate the social network’s security and privacy mechanisms.

A demo exploit released by Shlomi Narkolayev shows how easy it is to trick Facebook users into adding apps or other malicious content by hijacking clicks to what appears to be harmless links.

Read the rest of this entry »

January 20th, 2010

Critical flaws haunt Adobe Shockwave Player

Posted by Ryan Naraine @ 7:42 am

Categories: Adobe, Arbitrary Code Execution, Data theft, Exploit code, Malware, Patch Watch, Pen testing, Responsible disclosure, Viruses and Worms, Vulnerability research

Tags: Adobe Systems Inc., Shockwave, Flaw, Security, Viruses And Worms, Ryan Naraine

Adobe’s run on the patching treadmill continued this week with a “critical” update to fix a pair of code execution holes in its Shockwave Player.

The vulnerabilities affect Adobe Shockwave Player 11.5.2.602 and earlier versions, on the Windows and Mac operating systems.  Read the rest of this entry »