On The Insider: Britney's Bikini-Clad Top 10
BNET Business Network:
BNET
TechRepublic
ZDNet

ZDNet Must Read:

Microsoft confirms 'detailed' Windows 7 exploit

Microsoft has issued a security advisory to acknowledge a crippling denial-of-service flaw affecting its newest operating systems -- Windows 7 and Windows Server 2008 R2.... Continued »

Category: Java

October 22nd, 2009

Gaping security hole in Time Warner cable routers

Posted by Ryan Naraine @ 9:11 am

Categories: Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Exploit code, Java, Mobile (In)Security, Passwords, Patch Watch, Pen testing, Phishing, Responsible disclosure

Tags: Security, Time Warner Inc., Router, Network, Time Warner Cable Inc., Chen, Routers & Switches, Network Technology, Networking, Ryan Naraine

A gaping security hole in cable modems distributed to Time Warner/Road Runner customers could potentially be exploited remotely to access private networks and possibly capture and manipulate private data.

That’s the warning issued by David Chen, a blogger and start-up founder who discovered he could trivially access a customer’s  of Time Warner’s SMC8014 series cable modem/Wi-Fi router combo by simply disabling JavaScript in the browser to access hidden features in the router’s admin interface. Read the rest of this entry »

October 14th, 2009

Does software piracy lead to higher malware infection rates?

Posted by Dancho Danchev @ 4:20 pm

Categories: Adobe, Anti Virus, Arbitrary Code Execution, Botnets, Exploit code, Flash, Hackers, Java, Malware, Microsoft, Patch Watch, Pen testing, Viruses and Worms

Tags: Software Piracy, Malware, Spyware, Adware & Malware, Microsoft Windows, Viruses And Worms, Security, Operating Systems, Dancho Danchev

Yes it does, at least according to a recently released report by the Business Software Alliance (BSA) which basically correlates data on the known piracy rates for particular countries and their malware infection rates, using public sources.

The rationale behind their claims is fairly simple - users relying on pirated copies of software also do not have access to the latest, often critical from a security perspective, updates issued by the vendors, and are therefore susceptible to client-side vulnerabilities.

How biased are BSA’s claims, or are the report’s claims in fact real, emphasizing on how millions of users relying on pirated Windows copies are usually the first to become part of a botnet?

Read the rest of this entry »

September 9th, 2009

Mozilla patches 'drive-by download' security flaws

Posted by Ryan Naraine @ 5:48 pm

Categories: Anti Virus, Browsers, Data theft, Denial of Service (DoS), Exploit code, Firefox, Java, Mozilla, Open source, Patch Watch, Responsible disclosure

Tags: Web, Mozilla Firefox, Attacker, Vulnerability, Patch Management, Web Browser, Mozilla Corp., Web Browsers, Patches, Security

Mozilla has released a new version of its flagship Firefox browser to fix 10 vulnerabilities that put Web surfers at risk of code execution attacks.

The Firefox 3.5.3 update — available for Windows, Mac and Linux users — patches security holes that could allow drive-by download attacks if a user simply surfs to a booby-trapped Web site.

Read the rest of this entry »

September 3rd, 2009

Apple plugs 15 Java for Mac security holes

Posted by Ryan Naraine @ 1:06 pm

Categories: Anti Virus, Apple, Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Java, Passwords, Patch Watch

Tags: Security, Apple Macintosh, Java Applet, Apple Inc., Applet, Arbitrary Code Execution, Programming Languages, Java, Software Development, Software/Web Development

Apple today released a new version of Java for Mac to plug a total of 15 documented security vulnerabilities that could lead to remote code execution attacks via rigged Web pages.

The Java for Mac OS X 10.5 Update 5 includes patches for security holes covered by Sun Microsystems last month.

Read the rest of this entry »

September 1st, 2009

Firefox add-on spies on Google usage, search results

Posted by Ryan Naraine @ 10:54 am

Categories: Anti Virus, Arbitrary Code Execution, Browsers, Data theft, Exploit code, Firefox, Google, Java, Locally Running Web Servers, Malware, Mozilla, Open source, Passwords, Patch Watch

Tags: Google Inc., Mozilla Firefox, Malware, Google Search, Web Browser, Search Result, Web Browsers, Internet, Ryan Naraine

Security researchers have intercepted a fake Flash Player update creating a Firefox add-on that spies on a target user’s Google search results.

Read the rest of this entry »

August 18th, 2009

Adobe plugs critical ColdFusion, JRun vulnerabilities

Posted by Ryan Naraine @ 12:11 pm

Categories: Adobe, Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Flash, Java, Malware, Patch Watch, Pen testing, Responsible disclosure, Vulnerability research

Tags: Adobe Systems Inc., Macromedia JRun, Allaire ColdFusion, Vulnerability, XSS, Cross-site Scripting Vulnerability, Development Tools, Software Development, Software/Web Development, Ryan Naraine

Adobe’s never-ending run on the security treadmill hit a new gear this week with the release of patches to cover serious vulnerabilities in the ColdFusion and JRun web design and development platforms.

The patches, rated critical, cover a total of 7 vulnerabilities, some of which “could lead to the potential compromise of user accounts or the affected system,” according to an advisory from Adobe (Techmeme).  They affect ColdFusion v8.0.1 and earlier versions, and JRun 4.0.

Read the rest of this entry »

June 17th, 2009

Apple iPhone OS 3.0 update plugs 46 security holes

Posted by Ryan Naraine @ 11:25 am

Categories: Apple, Arbitrary Code Execution, Botnets, Browsers, Data theft, Denial of Service (DoS), Exploit code, Hackers, Java, Locally Running Web Servers, Malware, Mobile (In)Security, Passwords, Patch Watch, Pen testing, Responsible disclosure, iPhone

Tags: Apple iPhone, Malicious Code, Vulnerability, Apple Inc., Security, IPSec, Viruses And Worms, Networking, Ryan Naraine

Apple’s latest iPhone OS 3.0 software updates includes patches for multiple vulnerabilities, some with serious security implications.

The update, which is only available for download via iTunes, covers a total of 46 documented vulnerabilities, including several that allows malicious code execution if a user simply visits a rigged Web site or views a manipulated image.

Read the rest of this entry »

June 8th, 2009

Apple Safari jumbo patch: 50+ vulnerabilities fixed

Posted by Ryan Naraine @ 1:17 pm

Categories: Adobe, Apple, Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Firefox, Flash, Hackers, Java, Malware, Mozilla, Patch Watch, Responsible disclosure, Viruses and Worms, iPhone

Tags: Apple Macintosh, Microsoft Windows XP, Update, Microsoft Windows Vista, Mac OS X Server, Server, Apple Inc., Microsoft Windows, Issue, Web Site

Apple has shipped a whopper of a Safari browser update to fix more than 50 vulnerabilities, some rated extremely critical.

The latest fixes, available in the new Safari 4.0, corrects a wide range of code execution and denial-of-service vulnerabilities and even comes with a fix for the vexing “clickjacking” issues plaguing modern Web browsers.

Read the rest of this entry »

May 20th, 2009

Mac OS X vulnerable to 6-month old Java flaw

Posted by Ryan Naraine @ 12:46 pm

Categories: Apple, Arbitrary Code Execution, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Hackers, Java

Tags: Malicious Code, Apple Macintosh, Java Applet, Flaw, Applet, Landon Fuller, CVE-2008-5353, Apple Mac OS X, Apple Mac OS, Java

Attention Mac OS X users:  Turn Java off immediately or you could be at high risk of malicious code execution attacks.

Tired of waiting for a patch from Apple for a Java flaw that was fixed upstream six months ago, Mac developer Landon Fuller (of Month of Apple Bugs/Fixes fame) has released a proof of concept exploit to demonstrate the severity of the issue.

Read the rest of this entry »

April 28th, 2009

Exploit posted for brand-new Adobe PDF zero-day

Posted by Ryan Naraine @ 6:43 am

Categories: Adobe, Arbitrary Code Execution, Botnets, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Java, Malware, Patch Watch, Responsible disclosure, Viruses and Worms, Vulnerability research, Zero-day attacks

Tags: Adobe Systems Inc., Adobe PDF, Adobe Acrobat Reader, Proof-of-concept Exploit Code, Adobe PDF Reader Software, Security, Ryan Naraine

Proof-of-concept exploit code has been published for a new zero-day vulnerability haunting Adobe’s widely deployed PDF Reader software.

In a brief note posted to its PSIRT blog, Adobe confirmed it was investigating the issue, which affects Adobe Reader 9.1 and 8.1.4.  “We are currently investigating, and will have an update once we get more information,” according to Adobe’s David Lenoe.

Read the rest of this entry »

Ryan NaraineRyan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.


Email Ryan Naraine

For daily updates on Ryan's activities, follow him on Twitter.

Subscribe to Zero Day via Email alerts or RSS.

SponsoredWhite Papers, Webcasts, and Downloads

advertisement

Recent Entries

Most Popular Posts

advertisement

Archives

Favorite Links

ZDNet Blogs

White Papers, Webcasts, and Downloads

Enterprise Applications

  • Check out some of the easiest and most powerful ways to boost productivity while saving money on your application infrastructure. See ZDNet's comprehensive Enterprise Application resource center, now!
  • New Online Dashboard
  • Read about top issues IT decision-makers face every day, plus get cost effective solutions to real life IT problems. Oracle Topline