
ZDNet Must Read:

Mozilla Firefox hit by malware add-ons

Mozilla says a pair of malicious Firefox add-ons slipped by its security checks and infected approximately 4,600 Windows computers over the last five months.

Category: Zero-day attacks

February 4th, 2010

MS Patch Tuesday heads-up: 13 bulletins, 26 vulnerabilities

Posted by Ryan Naraine @ 10:48 am

Categories: Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Microsoft, Patch Watch, Responsible disclosure, Vulnerability research, Windows Vista, Zero-day attacks

Tags: Vulnerability, Microsoft Corp., Microsoft Windows, Security, Microsoft Windows 7, Operating Systems, Software, Ryan Naraine

Microsoft’s February batch of security patches will be a biggie — 13 bulletins with fixes for a whopping 26 vulnerabilities.

According to an advance notice from the Redmond, Wash. software vendor, five of the 13 bulletins will be rated “critical” because of the risk of remote code execution attacks.


January 22nd, 2010

Tor Project suffers hack attack

Posted by Ryan Naraine @ 12:36 pm

Categories: Arbitrary Code Execution, Botnets, Data theft, Exploit code, Open source, Patch Watch, Responsible disclosure, Vulnerability research, Zero-day attacks

Tags: Bandwidth, Attacker, Attack, Dingledine, Security, Servers, Hardware, Ryan Naraine

The Tor Project, a service that provides privacy and anonymity to Web users, said hackers broke into two of its servers and used the CPU and bandwidth to launch additional attacks.

Tor project lead Roger Dingledine confirmed the hack in an e-mail that urged users to immediately upgrade to get fresh identity keys for the two compromised directory authorities.


January 20th, 2010

Critical out-of-band IE patch coming tomorrow (Jan 21)

Posted by Ryan Naraine @ 10:23 am

Categories: Adobe, Arbitrary Code Execution, Browsers, Data theft, Exploit code, Google, Governments, Microsoft, Patch Watch, People's Republic of China, Responsible disclosure, Vulnerability research, Windows Vista, Zero-day attacks

Tags: Microsoft Internet Explorer, Microsoft Corp., Web Browsers, Internet, Ryan Naraine

This is just a quick heads-up that the emergency security patch for Microsoft’s Internet Explorer will be released tomorrow (January 21, 2009).

The update, rated critical for all versions of IE, will cover a remote code execution flaw that has already been used in targeted attacks against U.S. companies, including Google and Adobe.

January 20th, 2010

Researcher demos clickjacking attack on Facebook

Posted by Ryan Naraine @ 9:37 am

Categories: Adobe, Arbitrary Code Execution, Browsers, Data theft, Exploit code, Flash, Responsible disclosure, Viruses and Worms, Vulnerability research, Zero-day attacks

Tags: Facebook, Researcher, Attack, Security, Ryan Naraine

An Israeli security researcher has found a way to perpetrate so-called clickjacking attacks on Facebook, proving that it’s trivial to manipulate the social network’s security and privacy mechanisms.

A demo exploit released by Shlomi Narkolayev shows how easy it is to trick Facebook users into adding apps or other malicious content by hijacking clicks to what appears to be harmless links.


January 19th, 2010

Google-China cyber espionage saga - FAQ

Posted by Dancho Danchev @ 8:30 am

Categories: Adobe, Anti Virus, Arbitrary Code Execution, Botnets, Browsers, Complex Attacks, Data theft, Exploit code, Google, Governments, Hackers, Malware, Microsoft, Passwords, People's Republic of China, Phishing, Viruses and Worms, Zero-day attacks

Tags: China, Google Inc., Malware, Cyberattack, Spyware, Adware & Malware, Cyberthreats, Security, Dancho Danchev

With more details emerging on the inner workings of the targeted malware attack that hit Google and over 30 other companies (ZDNet News Special Coverage - Special Report: Google, China showdown), it’s time to summarize all the events that took place during the past week, and answer some of the most frequently asked questions such as - How did the attack take place? Did Google strike back at the attackers? Was the Chinese government behind the attacks, and if not who orchestrated them and for what reason?

Go through the FAQ and their answers.


January 19th, 2010

Microsoft readies emergency IE patch to counter public exploits

Posted by Ryan Naraine @ 5:26 am

Categories: Adobe, Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Exploit code, Google, Governments, Hackers, Malware, Microsoft, Patch Watch, People's Republic of China, Responsible disclosure, Spyware and Adware, Vulnerability research, Windows Vista, Zero-day attacks

Tags: Vulnerability, Microsoft Internet Explorer 6, Exploit Code, Microsoft Internet Explorer, Microsoft Corp., Exploit, Data Execution Prevention, Attack, Web Browsers, Security

UPDATE: Here is the official confirmation from Microsoft that an out-of-band patch is coming. No official date yet.

Microsoft has started dropping broad hints that an emergency patch for Internet Explorer will be released very soon to counter targeted attacks and the publication of exploit code for a “browse and you’re owned” vulnerability in its flagship Web browser.

The out-of-band update will be released once the company is satisfied that it has been properly tested against all affected versions of Windows. This could happen as early as this weekend.

January 15th, 2010

Microsoft says Google was hacked with IE zero-day

Posted by Ryan Naraine @ 8:46 am

Categories: Adobe, Anti Virus, Botnets, Browsers, Data theft, Denial of Service (DoS), Exploit code, Governments, Malware, Microsoft, Patch Watch, People's Republic of China, Responsible disclosure, Vulnerability research, Yahoo!, Zero-day attacks

Tags: Google Inc., Web, Attacker, Vulnerability, Microsoft Internet Explorer 6, Microsoft Internet Explorer, Microsoft Corp., Web Site, Attack, Web Browsers

Hackers linked to China used a zero-day vulnerability in Microsoft’s Internet Explorer browser to compromise corporate systems at more than 30 U.S. companies, including Google, Adobe and Juniper Networks.

According to Microsoft, the vulnerability is still unpatched and can lead to remote code execution attacks if a target is lured to a booby-trapped Web site or views a malicious online advertisement.

January 13th, 2010

Adobe plugs PDF zero-day flaw in latest security makeover

Posted by Ryan Naraine @ 8:06 am

Categories: Adobe, Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Exploit code, Flash, Hackers, Locally Running Web Servers, Malware, Patch Watch, Reverse Engineering, Viruses and Worms, Zero-day attacks

Tags: Adobe Systems Inc., Adobe PDF, Adobe Acrobat, Vulnerability, Update, Adobe Acrobat Reader, Zero-day Bug, Enhanced Security, Security, Ryan Naraine

Adobe has released a mega-update for its Reader and Acrobat software products to fix a total of eight documented security vulnerabilities.

The update comes with significant security improvements, including the on-by-default addition of “Enhanced Security,” a feature that provides a set of default restrictions and a method to define trusted locations that should not be subject to those restrictions.

December 17th, 2009

Cisco patches critical WebEx security holes

Posted by Ryan Naraine @ 11:56 am

Categories: Arbitrary Code Execution, Browsers, Cisco, Data theft, Denial of Service (DoS), Zero-day attacks

Tags: Security, WebEx Communications Inc., Patch Management, Cisco Systems Inc., Ryan Naraine

Cisco has released a security fix for at least six security holes that expose users of its WebEx Player software to remote code execution attacks.

The affected Cisco WebEx WRF Player is an application that is used to play back WebEx meeting recordings that have been recorded on the computer of an on-line meeting attendee.


December 16th, 2009

Adobe PDF attack update: Patch coming Jan 12

Posted by Ryan Naraine @ 11:09 am

Categories: Adobe, Arbitrary Code Execution, Browsers, Exploit code, Hackers, Malware, Patch Watch, Responsible disclosure, Vulnerability research, Zero-day attacks

Tags: Adobe Systems Inc., Adobe PDF, Adobe Acrobat, JavaScript, Attack, Scripting Languages, Security, Software/Web Development, Web Development, Ryan Naraine

Here’s a quick update to the Adobe PDF Reader/Acrobat zero-day story that broke yesterday after the company confirmed that an unpatched vulnerability was being attacked in the wild.

First up, an exploit has been fitted into the Metasploit point-and-click penetration testing tool and there are predictions that exploit code will be widely available within a day or two.

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal.

