November 19th, 2009

Inside the Google Chrome OS security model

Posted by Ryan Naraine @ 11:54 am

Categories: Apple, Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Exploit code, Hackers, Microsoft, Open source, Passwords, Patch Watch, Responsible disclosure, Viruses and Worms, Vulnerability research, iPhone

Tags: Google Inc., Operating System, Web Browser, Google Chrome, Attack, End Goal, Web Browsers, Operating Systems, Security, Internet

Google plans to use a combination of system hardening, process isolation, verified boot, secure auto-update and encryption to thwart malicious hackers from planting malware on its new Google Chrome OS. Read the rest of this entry »

November 12th, 2009

Microsoft bracing for malware attacks from embedded fonts

Posted by Ryan Naraine @ 11:16 am

Categories: Arbitrary Code Execution, Botnets, Browsers, Denial of Service (DoS), Exploit code, Metasploit, Microsoft, Passwords, Patch Watch, Responsible disclosure, Spam and Phishing, Spyware and Adware

Tags: Malware, Microsoft Internet Explorer, Microsoft Corp., Attack Vector, Font, Attack, Metasploit, Microsoft Windows, Security, Operating Systems

Heads up to all Microsoft Windows users: If you’re running Windows 2000, Windows XP or Windows Server 2003, stop what you’re doing and immediately download and apply the MS09-065 update released earlier this week.

Security researchers say it’s only a matter of time — days not weeks — before malicious hackers start exploiting one of the vulnerabilities via booby-trapped Web pages or Office (Word or PowerPoint) documents.

Read the rest of this entry »

November 11th, 2009

Apple Safari exposes Windows to drive-by download attacks

Posted by Ryan Naraine @ 1:37 pm

Categories: Apple, Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Exploit code, Malware, Microsoft, Passwords, Patch Watch, Pen testing, Responsible disclosure, Spyware and Adware, Vulnerability research

Tags: Apple Macintosh, Apple Safari, Microsoft Windows XP, Microsoft Windows Vista, Apple Inc., Attack, WebKit, Microsoft Windows, Apple Mac OS X, Apple Mac OS

Apple today shipped Safari 4.0.4 to fix a total of seven security flaws that expose Windows and Mac users to a wide range of malicious hacker attacks.

The high-priority update patches vulnerabilities that allow remote code execution (drive-by downloads) if a user simply surfs to a maliciously rigged Web site.  Some of the issues affect Microsoft’s new Windows 7 operating system.
Read the rest of this entry »

November 10th, 2009

Microsoft patches Windows worm holes, drive-by download flaws

Posted by Ryan Naraine @ 11:22 am

Categories: Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Exploit code, Malware, Microsoft, Patch Watch, Pen testing, Responsible disclosure

Tags: Attacker, Flaw, Window, Vulnerability, Severity, Microsoft Corp., Microsoft Windows, Security, Operating Systems, Software

As part of its scheduled batch of patches for November, Microsoft today issued six security bulletins with fixes for a total of 15 vulnerabilities affecting its Windows and Office product lines.

Three of the six bulletins are rated “critical,” meaning they can be used to launch remote code execution or worm attacks without any user action.  One of the Windows vulnerabilities could expose users to drive-by malware attacks via the browser, Microsoft warned.

Read the rest of this entry »

November 10th, 2009

Major online ad site hacked, serving up exploit cocktail

Posted by Ryan Naraine @ 9:55 am

Categories: Adobe, Anti Virus, Arbitrary Code Execution, Browsers, Data theft, Exploit code, Flash, Patch Watch, Responsible disclosure, Spam and Phishing, Spyware and Adware

Tags: Websense Inc., Microsoft Corp., Exploit, Online Advertising, Security, Viruses And Worms, Databases, Enterprise Software, Software, Data Management

A high-profile online advertising Web site has been hacked and rigged to serve multiple exploits to Microsoft Windows users surfing the net with unpatched third party desktop software.

According to a warning issued by Websense Security Labs, the malicious code was found on media-servers.net, which is described as a high-profile advertiser on the Internet realm.  The site has been firing an assortment of exploits for several months, including exploits for vulnerabilities in Microsoft DirectShow and Adobe PDF Reader. Read the rest of this entry »

November 6th, 2009

High-risk flaw dings Google Chrome

Posted by Ryan Naraine @ 9:18 am

Categories: Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Google, Google Chrome, Open source, Patch Watch, Responsible disclosure

Tags: Google Inc., Web Browser, Google Chrome, Arbitrary Code Execution, Details, Web Browsers, Security, Internet, Ryan Naraine

Google has pushed out a Chrome browser update to fix a pair of security vulnerabilities that expose uses to malicious hacker attacks.

One of the flaws carry a “high-risk” rating because of the threat of arbitrary code execution.  Read the rest of this entry »

November 5th, 2009

Patch Tuesday heads-up: Critical MS Office patches coming

Posted by Ryan Naraine @ 1:11 pm

Categories: Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Hackers, Microsoft, Passwords, Patch Watch, Responsible disclosure

Tags: Patch Management, Microsoft Corp., Microsoft Windows, Microsoft Office, Operating Systems, Software, Office Suites, Ryan Naraine

Microsoft plans to release six security bulletins next Tuesday November 10 to fix at least 15 serious vulnerabilities that could expose Windows users to malicious hacker attacks.

According to Microsoft’s advance notice for this month’s Patch Tuesday, the updates will address gaping holes in the Windows operating system and the Microsoft Office productivity suite. Read the rest of this entry »

November 3rd, 2009

Adobe Shockwave haunted by critical security holes

Posted by Ryan Naraine @ 12:12 pm

Categories: Adobe, Arbitrary Code Execution, Browsers, Data theft, Exploit code, Flash, Malware, Patch Watch, Pen testing, Responsible disclosure, Spam and Phishing, Viruses and Worms, Vulnerability research

Tags: Adobe Systems Inc., Shockwave, Vulnerability, Shockwave Player, Security, Ryan Naraine

Adobe today released a patch to fix several serious security flaws in its Shockwave Player software.

The update, which is rated “critical,” addresses a total of five documented vulnerabilities.  The most serious flaw could allow remote code execution attacks against Windows and Mac users. Read the rest of this entry »

October 28th, 2009

Firefox hit by multiple drive-by download flaws

Posted by Ryan Naraine @ 7:34 am

Categories: Arbitrary Code Execution, Botnets, Browsers, Data theft, Denial of Service (DoS), Exploit code, Firefox, Malware, Mozilla, Open source, Passwords, Patch Watch, Privacy, Responsible disclosure, Vulnerability research

Tags: Mozilla Firefox, Attacker, Flaw, Vulnerability, Web Browser, Mozilla Corp., Web Browsers, Security, Internet, Ryan Naraine

Mozilla’s flagship Firefox browser is vulnerable to at least 11 “critical” vulnerabilities that expose users to drive-by download attacks that require no user interaction beyond normal browsing.

The open-source group shipped Firefox 3.5.4 with patches for the vulnerabilities, which range from code execution risk to the theft of information in the browser’s form history. Read the rest of this entry »

October 26th, 2009

UK newspaper Web site hacked; 500,000 job-seekers affected

Posted by Ryan Naraine @ 9:32 am

Categories: Arbitrary Code Execution, Browsers, Data theft, Exploit code, Hackers, Passwords, Responsible disclosure, Zero-day attacks

Tags: Web, Web Site, Deliberate, Web Site Development, Web Technology, Recruitment & Selection, Channel Management, Professional Development, Internet, Human Resources

In what is being described as a “deliberate and sophisticated crime,” the Guardian newspaper in the U.K. says the careers section of its Web site was hacked, exposing sensitive data belonging to about half a million users. Read the rest of this entry »