
ZDNet Must Read:

Mozilla Firefox hit by malware add-ons

Mozilla says a pair of malicious Firefox add-ons slipped by its security checks and infected approximately 4,600 Windows computers over the last five months.... Continued »

Category: Patch Watch

February 9th, 2010

Patch Tuesday: Microsoft plugs critical Windows worm holes

Posted by Ryan Naraine @ 11:29 am

Categories: Arbitrary Code Execution, Botnets, Browsers, Complex Attacks, Data theft, Exploit code, Microsoft, Passwords, Patch Watch, Viruses and Worms, Vulnerability research, Web 2.0

Tags: Denial Of Service, Attacker, Vulnerability, Victim, Exploit Code, Microsoft PowerPoint, Microsoft Corp., Small And Medium Business, Attack, CVE-2010-0242

Microsoft today released 13 security bulletins with fixes for 26 vulnerabilities affecting Windows and Office users and warned customers to pay special attention to a slew of flaws that can be trivially exploited by malware miscreants.

The company urged customers to prioritize and deploy four updates because of the “critical” severity rating and the fact that “consistent exploit code” is likely within the next 30 days.

Read the rest of this entry »

February 9th, 2010

Adobe screw-up leaves Flash flaw unpatched for 16 months

Posted by Ryan Naraine @ 8:49 am

Categories: Adobe, Arbitrary Code Execution, Browsers, Exploit code, Firefox, Flash, Locally Running Web Servers, Malware, Mozilla, Patch Watch, Responsible disclosure, Viruses and Worms

Tags: Adobe Systems Inc., Flaw, Macromedia Flash Player, Web Browsers, Security, Internet, Ryan Naraine

Adobe has acknowledged that an internal screw-up caused a potentially dangerous Flash Player flaw to remain unpatched for more than 16 months after it was first reported by an external security researcher.

“It slipped through the cracks,” said Emmy Huang, a product manager for Flash Player.  Adobe’s mea-culpa follows the public release of proof-of-concept code demonstrating a Flash Player browser plug-in crash.

Read the rest of this entry »

February 4th, 2010

MS Patch Tuesday heads-up: 13 bulletins, 26 vulnerabilities

Posted by Ryan Naraine @ 10:48 am

Categories: Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Microsoft, Patch Watch, Responsible disclosure, Vulnerability research, Windows Vista, Zero-day attacks

Tags: Vulnerability, Microsoft Corp., Microsoft Windows, Security, Microsoft Windows 7, Operating Systems, Software, Ryan Naraine

Microsoft’s February batch of security patches will be a biggie — 13 bulletins with fixes for a whopping 26 vulnerabilities.

According to an advance notice from the Redmond, Wash. software vendor, five of the 13 bulletins will be rated “critical” because of the risk of remote code execution attacks.

Read the rest of this entry »

February 3rd, 2010

Microsoft warns of new IE data-leakage vulnerability

Posted by Ryan Naraine @ 2:25 pm

Categories: Arbitrary Code Execution, Browsers, Data theft, Exploit code, Malware, Microsoft, Patch Watch, Responsible disclosure, Spam and Phishing, Vulnerability research

Tags: Vulnerability, Microsoft Windows, Microsoft Internet Explorer, Microsoft Corp., Attack, Web Browsers, Security, Internet, Ryan Naraine

Microsoft today issued a security advisory to acknowledge an information disclosure hole in its Internet Explorer browser and warned that an attacker could exploit the flaw to access files with an already known filename and location.

The vulnerability was first discussed at this week’s Black Hat DC conference by Jorge Luis Alvarez Medina, a security consultant with Core Security Technologies.   Microsoft says the risk is highest for IE users running Windows XP or who have disabled the browser’s Protected Mode feature. Read the rest of this entry »

February 2nd, 2010

Code execution holes in iPhone OS, iPod Touch

Posted by Ryan Naraine @ 11:09 am

Categories: Apple, Arbitrary Code Execution, Browsers, Data theft, Exploit code, Malware, Mobile (In)Security, Passwords, Patch Watch, Responsible disclosure, iPhone

Tags: Apple iPhone, Apple iPod, Operating System, Apple iPod Touch, Smart Phones, Digital Music, Digital Media, Consumer Electronics, Personal Technology, Ryan Naraine

Apple has shipped a patch to cover five documented vulnerabilities that expose iPhone and iPod Touch users to malicious hacker attacks.

The most serious flaw could allow remote code execution if an iPhone/iPod Touch user opens audio and image files. Read the rest of this entry »

January 22nd, 2010

Tor Project suffers hack attack

Posted by Ryan Naraine @ 12:36 pm

Categories: Arbitrary Code Execution, Botnets, Data theft, Exploit code, Open source, Patch Watch, Responsible disclosure, Vulnerability research, Zero-day attacks

Tags: Bandwidth, Attacker, Attack, Dingledine, Security, Servers, Hardware, Ryan Naraine

The Tor Project, a service that provides privacy and anonymity to Web users, said hackers broke into two of its servers and used the CPU and bandwidth to launch additional attacks.

Tor project lead Roger Dingledine confirmed the hack in an e-mail that urged users to immediately upgrade to get fresh identity keys for the two compromised directory authorities.

Read the rest of this entry »

January 22nd, 2010

RealPlayer haunted by 11 critical vulnerabilities

Posted by Ryan Naraine @ 10:41 am

Categories: Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Digital rights management, Exploit code, Hackers, Malware, Patch Watch, Spyware and Adware, Viruses and Worms

Tags: Critical Vulnerability, Code, Buffer-overflow, RealNetworks RealPlayer, Error, Interactive Voice Response (IVR), Digital Music, Digital Media, Viruses And Worms, Security

A quick heads-up to any computer users out there with RealPlayer installed: There are at least 11 critical vulnerabilities that expose Windows, Mac and Linux users to malicious hacker attacks.

RealNetworks released an advisory to warn of the vulnerabilities, which could be exploited via rigged image and media files to launch remote code execution attacks.

Read the rest of this entry »

January 21st, 2010

Microsoft knew of IE zero-day flaw since last September

Posted by Ryan Naraine @ 12:34 pm

Categories: Adobe, Anti Virus, Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Exploit code, Google, Malware, Microsoft, Patch Watch, People's Republic of China, Research, Responsible disclosure, Vulnerability research

Tags: Attacker, Vulnerability, Microsoft Internet Explorer, Microsoft Corp., Zero-day Bug, Web Browsers, Security, Internet, Ryan Naraine

Microsoft today admitted it knew of the Internet Explorer flaw used in the attacks against Google and Adobe since September last year.

The flaw was in the Microsoft Security Response Center’s (MSRC) queue to be fixed in the next batch of patches due in February, but the targeted zero-day attacks against U.S. companies forced the company to release an emergency, out-of-band IE update.

Read the rest of this entry »

January 21st, 2010

Mozilla drops Firefox 3.6 with security goodies

Posted by Ryan Naraine @ 10:23 am

Categories: Adobe, Arbitrary Code Execution, Browsers, Denial of Service (DoS), Exploit code, Firefox, Flash, Google, Mozilla, Open source, Patch Watch, Responsible disclosure

Tags: Security, Mozilla Firefox, Web Browser, Mozilla Corp., Plug-in, Web Browsers, Internet, Ryan Naraine

Mozilla has released the latest iteration of its flagship Firefox browser with a few significant security goodies to keep malicious hackers at bay.

The update, which is being shipped via the browser’s automatic update mechanism, includes new features to patch third-party Firefox plug-ins and lock out rogue add-ons. Read the rest of this entry »

January 21st, 2010

Microsoft confirms 17-year-old Windows vulnerability

Posted by Ryan Naraine @ 8:05 am

Categories: Arbitrary Code Execution, Complex Attacks, Denial of Service (DoS), Google, Microsoft, Patch Watch, Pen testing, Responsible disclosure, Vulnerability research, Windows Vista

Tags: Advisory, Flaw, Microsoft Corp., Attack, Ormandy, Microsoft Windows, Security, Microsoft Windows NT, Operating Systems, Software

One day after a Google security researcher released code to expose a flaw that affects every release of the Windows NT kernel — from Windows NT 3.1 (1993) up to and including Windows 7 (2009) — Microsoft dropped a security advisory to acknowledge the issue and warn of the risk of privilege escalation attacks.

Read the rest of this entry »

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.

