February 5th, 2010

Oracle rushes out patch for gaping server hole

Posted by Ryan Naraine @ 1:17 pm

Categories: Arbitrary Code Execution, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Locally Running Web Servers, Open source, Oracle, Responsible disclosure, Vulnerability research

Tags: Oracle Corp., Vulnerability, Patches, Security, Firewalls, Networking, Ryan Naraine

Oracle has released an out-of-band patch to fix a gaping security hole in the Oracle WebLogic Node Manager and warned that an attacker could launch remote attacks over a network without the need for a username and password.

The patch follows the public release of exploit code as part of the recent Week of Web Server Bugs.

Read the rest of this entry »

January 22nd, 2010

Tor Project suffers hack attack

Posted by Ryan Naraine @ 12:36 pm

Categories: Arbitrary Code Execution, Botnets, Data theft, Exploit code, Open source, Patch Watch, Responsible disclosure, Vulnerability research, Zero-day attacks

Tags: Bandwidth, Attacker, Attack, Dingledine, Security, Servers, Hardware, Ryan Naraine

The Tor Project, a service that provides privacy and anonymity to Web users, said hackers broke into two of its servers and used the CPU and bandwidth to launch additional attacks.

Tor project lead Roger Dingledine confirmed the hack in an e-mail that urged users to immediately upgrade to get fresh identity keys for the two compromised directory authorities.

Read the rest of this entry »

January 21st, 2010

Mozilla drops Firefox 3.6 with security goodies

Posted by Ryan Naraine @ 10:23 am

Categories: Adobe, Arbitrary Code Execution, Browsers, Denial of Service (DoS), Exploit code, Firefox, Flash, Google, Mozilla, Open source, Patch Watch, Responsible disclosure

Tags: Security, Mozilla Firefox, Web Browser, Mozilla Corp., Plug-in, Web Browsers, Internet, Ryan Naraine

Mozilla has released the latest iteration of its flagship Firefox browser with a few significant security goodies to keep malicious hacker at bay.

The update, which is being shipped via the browser’s automatic update mechanism, includes new features to patch third-party Firefox plug-ins and lock out rogue add-ons. Read the rest of this entry »

January 4th, 2010

Adobe working on new automatic (silent) updater

Posted by Ryan Naraine @ 9:54 am

Categories: Adobe, Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Firefox, Flash, Java, Malware, Mozilla, Open source, Pen testing, Responsible disclosure

Tags: Adobe Systems Inc., Spyware, Adware & Malware, Cyberthreats, Security, Scripting Languages, Productivity, Patches, Viruses And Worms, Software/Web Development, Web Development

In the wake of a dramatic surge in malware attacks against Adobe’s ubiquitous software products (Reader, Acrobat, Flash Player), the company plans to ship a new automatic updater mechanism that will silently patch security holes without any user action.

Sometime this month, Adobe will release the updater to beta users to test the effectiveness of silent patching.   In effect, the tool gives end users an automatic download in the background and will install the updates with no user interaction option. Read the rest of this entry »

December 16th, 2009

Mozilla patches critical, high-risk Firefox vulnerabilities

Posted by Ryan Naraine @ 8:17 am

Categories: Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Exploit code, Firefox, Mozilla, Open source, Patch Watch, Responsible disclosure, Vulnerability research

Tags: Attacker, Window, Vulnerability, Video, Web Browser, Mozilla Corp., Attack, Corporate Communications, Web Browsers, Construction

Mozilla has shipped Firefox 3.5.6 with patches for at least 11 documented security vulnerabilities.

The most serious issue could lead to remote code execution attacks, according to warning from the open-source browser software maker.  In other scenarios, the bugs could cause denial-of-service or URL spoofing attacks. Read the rest of this entry »

December 1st, 2009

Exploit published for FreeBSD local root vulnerability

Posted by Ryan Naraine @ 9:22 am

Categories: Arbitrary Code Execution, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Kernel-level Exploits, Locally Running Web Servers, Open source, Passwords, Patch Watch, Pen testing

Tags: FreeBSD, Vulnerability, FreeBSD Security Team, Patches, UNIX, Operating Systems, Open Source, Security, Software, Ryan Naraine

The FreeBSD security team has rushed out a temporary patch to cover a local root vulnerability that exposes users to code execution attacks. The patch follows the public release of exploit code on the Full-Disclosure mailing list.

Read the rest of this entry »

November 19th, 2009

Inside the Google Chrome OS security model

Posted by Ryan Naraine @ 11:54 am

Categories: Apple, Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Exploit code, Hackers, Microsoft, Open source, Passwords, Patch Watch, Responsible disclosure, Viruses and Worms, Vulnerability research, iPhone

Tags: Google Inc., Operating System, Web Browser, Google Chrome, Attack, End Goal, Web Browsers, Operating Systems, Security, Internet

Google plans to use a combination of system hardening, process isolation, verified boot, secure auto-update and encryption to thwart malicious hackers from planting malware on its new Google Chrome OS. Read the rest of this entry »

November 19th, 2009

Microsoft finds security hole in Google Chrome Frame

Posted by Ryan Naraine @ 9:49 am

Categories: Anti Virus, Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Exploit code, Google, Google Chrome, Malware, Microsoft, Open source, Patch Watch

Tags: Google Inc., Microsoft Corp., Google Chrome, Web Browsers, Security, Viruses And Worms, Internet, Ryan Naraine

Back in September, when Google launched the Google Chrome Frame plug-in for Internet Explorer users, Microsoft immediately warned that the move would increase the attack surface and make IE users less secure.

Now comes word that a security researcher in the Microsoft Vulnerability Research (MSVR) has discovered a “high risk” security vulnerability that could allow an attacker to bypass cross-origin protections. Read the rest of this entry »

November 18th, 2009

Mozilla locks out rogue Firefox add-ons

Posted by Ryan Naraine @ 10:33 am

Categories: Anti Virus, Arbitrary Code Execution, Browsers, Denial of Service (DoS), Exploit code, Firefox, Malware, Microsoft, Mozilla, Open source, Patch Watch, Vulnerability research

Tags: Mozilla Firefox, Mozilla Corp., Migration Document, Web Browsers, Internet, Ryan Naraine

Mozilla has made a significant tweak to this Firefox 3.6 code base to block rogue add-ons from loading in the browser’s application components directory.

This will most certainly block developers and software vendors from silently installing Firefox add-ons without explicit user permission.  It will also significantly reduce browser crashes linked to third-party add-ons, Mozilla said. Read the rest of this entry »

November 9th, 2009

Mac OS X mega patch covers 58 security vulnerabilities

Posted by Ryan Naraine @ 2:17 pm

Categories: Adobe, Apple, Arbitrary Code Execution, Botnets, Browsers, Data theft, Denial of Service (DoS), Exploit code, Malware, Open source, Passwords, Patch Watch

Tags: Security, Apple Macintosh, Apple Mac OS X V10.6 Snow Leopard, Update, Mac OS X Server, Server, Issue, Arbitrary Code Execution, Impact, Adaptive Firewall Description

Apple has dropped another mega-patch to cover a total of 58 documented vulnerabilities affecting the Mac OS X ecosystem.

The majority of the flaws could allow a remote attacker to gain complete control of an unpatched system, meaning that this update carries an “extremely critical rating.” Read the rest of this entry »