November 19th, 2009

Inside the Google Chrome OS security model

Posted by Ryan Naraine @ 11:54 am

Categories: Apple, Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Exploit code, Hackers, Microsoft, Open source, Passwords, Patch Watch, Responsible disclosure, Viruses and Worms, Vulnerability research, iPhone

Tags: Google Inc., Operating System, Web Browser, Google Chrome, Attack, End Goal, Web Browsers, Operating Systems, Security, Internet

Google plans to use a combination of system hardening, process isolation, verified boot, secure auto-update and encryption to thwart malicious hackers from planting malware on its new Google Chrome OS. Read the rest of this entry »

November 19th, 2009

Microsoft finds security hole in Google Chrome Frame

Posted by Ryan Naraine @ 9:49 am

Categories: Anti Virus, Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Exploit code, Google, Google Chrome, Malware, Microsoft, Open source, Patch Watch

Tags: Google Inc., Microsoft Corp., Google Chrome, Web Browsers, Security, Viruses And Worms, Internet, Ryan Naraine

Back in September, when Google launched the Google Chrome Frame plug-in for Internet Explorer users, Microsoft immediately warned that the move would increase the attack surface and make IE users less secure.

Now comes word that a security researcher in the Microsoft Vulnerability Research (MSVR) has discovered a “high risk” security vulnerability that could allow an attacker to bypass cross-origin protections. Read the rest of this entry »

November 18th, 2009

Mozilla locks out rogue Firefox add-ons

Posted by Ryan Naraine @ 10:33 am

Categories: Anti Virus, Arbitrary Code Execution, Browsers, Denial of Service (DoS), Exploit code, Firefox, Malware, Microsoft, Mozilla, Open source, Patch Watch, Vulnerability research

Tags: Mozilla Firefox, Mozilla Corp., Migration Document, Web Browsers, Internet, Ryan Naraine

Mozilla has made a significant tweak to this Firefox 3.6 code base to block rogue add-ons from loading in the browser’s application components directory.

This will most certainly block developers and software vendors from silently installing Firefox add-ons without explicit user permission.  It will also significantly reduce browser crashes linked to third-party add-ons, Mozilla said. Read the rest of this entry »

November 16th, 2009

Microsoft confirms 'detailed' Windows 7 exploit

Posted by Ryan Naraine @ 10:25 am

Categories: Arbitrary Code Execution, Browsers, Denial of Service (DoS), Exploit code, Microsoft, Passwords, Patch Watch, Punditocracy, Vulnerability research, Windows Vista

Tags: Denial Of Service, Web, Attacker, Vulnerability, Microsoft Corp., Web Site, Small And Medium Business, Microsoft Windows 7, Microsoft Windows, Smb/Sme

Microsoft has issued a security advisory to acknowledge a crippling denial-of-service flaw affecting its newest operating systems — Windows 7 and Windows Server 2008 R2.

Exploit code for the vulnerability was released by researcher Laurent Gaffié after failed attempts to get Microsoft’s security response center to acknowledge that this was an issue that needs to be patched (SEE UPDATE BELOW). Read the rest of this entry »

November 12th, 2009

Microsoft bracing for malware attacks from embedded fonts

Posted by Ryan Naraine @ 11:16 am

Categories: Arbitrary Code Execution, Botnets, Browsers, Denial of Service (DoS), Exploit code, Metasploit, Microsoft, Passwords, Patch Watch, Responsible disclosure, Spam and Phishing, Spyware and Adware

Tags: Malware, Microsoft Internet Explorer, Microsoft Corp., Attack Vector, Font, Attack, Metasploit, Microsoft Windows, Security, Operating Systems

Heads up to all Microsoft Windows users: If you’re running Windows 2000, Windows XP or Windows Server 2003, stop what you’re doing and immediately download and apply the MS09-065 update released earlier this week.

Security researchers say it’s only a matter of time — days not weeks — before malicious hackers start exploiting one of the vulnerabilities via booby-trapped Web pages or Office (Word or PowerPoint) documents.

Read the rest of this entry »

November 11th, 2009

Apple Safari exposes Windows to drive-by download attacks

Posted by Ryan Naraine @ 1:37 pm

Categories: Apple, Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Exploit code, Malware, Microsoft, Passwords, Patch Watch, Pen testing, Responsible disclosure, Spyware and Adware, Vulnerability research

Tags: Apple Macintosh, Apple Safari, Microsoft Windows XP, Microsoft Windows Vista, Apple Inc., Attack, WebKit, Microsoft Windows, Apple Mac OS X, Apple Mac OS

Apple today shipped Safari 4.0.4 to fix a total of seven security flaws that expose Windows and Mac users to a wide range of malicious hacker attacks.

The high-priority update patches vulnerabilities that allow remote code execution (drive-by downloads) if a user simply surfs to a maliciously rigged Web site.  Some of the issues affect Microsoft’s new Windows 7 operating system.
Read the rest of this entry »

November 10th, 2009

Adobe plugs security hole in Photoshop Elements

Posted by Ryan Naraine @ 4:15 pm

Categories: Adobe, Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Locally Running Web Servers, Patch Watch, Pen testing

Tags: Adobe Systems Inc., Adobe PhotoShop, Adobe PhotoShop Elements, Security, Patches, Ryan Naraine

Adobe has shipped a patch to cover a security vulnerability affecting its Photoshop Elements software product.

The flaw, rated moderate, affects Adobe Photoshop Elements versions 8.0 and 7.0. It could be exploited by a hacker with valid login credentials and/or physical access to execute arbitrary commands with elevated privileges. Read the rest of this entry »

November 10th, 2009

Microsoft patches Windows worm holes, drive-by download flaws

Posted by Ryan Naraine @ 11:22 am

Categories: Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Exploit code, Malware, Microsoft, Patch Watch, Pen testing, Responsible disclosure

Tags: Attacker, Flaw, Window, Vulnerability, Severity, Microsoft Corp., Microsoft Windows, Security, Operating Systems, Software

As part of its scheduled batch of patches for November, Microsoft today issued six security bulletins with fixes for a total of 15 vulnerabilities affecting its Windows and Office product lines.

Three of the six bulletins are rated “critical,” meaning they can be used to launch remote code execution or worm attacks without any user action.  One of the Windows vulnerabilities could expose users to drive-by malware attacks via the browser, Microsoft warned.

Read the rest of this entry »

November 10th, 2009

Major online ad site hacked, serving up exploit cocktail

Posted by Ryan Naraine @ 9:55 am

Categories: Adobe, Anti Virus, Arbitrary Code Execution, Browsers, Data theft, Exploit code, Flash, Patch Watch, Responsible disclosure, Spam and Phishing, Spyware and Adware

Tags: Websense Inc., Microsoft Corp., Exploit, Online Advertising, Security, Viruses And Worms, Databases, Enterprise Software, Software, Data Management

A high-profile online advertising Web site has been hacked and rigged to serve multiple exploits to Microsoft Windows users surfing the net with unpatched third party desktop software.

According to a warning issued by Websense Security Labs, the malicious code was found on media-servers.net, which is described as a high-profile advertiser on the Internet realm.  The site has been firing an assortment of exploits for several months, including exploits for vulnerabilities in Microsoft DirectShow and Adobe PDF Reader. Read the rest of this entry »

November 10th, 2009

Why is Apple meddling with my Windows AutoRun?

Posted by Ryan Naraine @ 6:46 am

Categories: Apple, Arbitrary Code Execution, Browsers, Data theft, Denial of Service (DoS), Digital rights management, Exploit code, Malware, Microsoft, Pen testing, Punditocracy, iPhone

Tags: Operating System, Apple Inc., Microsoft Windows, Apple iTunes, Digital Music, Digital Media, Operating Systems, Personal Technology, Consumer Electronics, Software

Guest editorial by Costin Raiu

In every system designed by man, there is always a balance between features, usability and security. While designing pretty, easy to use and secure systems is possible, quite often this is not what the users get, or worse, this is not what the users want.

The most popular example of this applies to Apple. Focusing on eye-catching designs and easy to use products, Apple is listed in almost every marketing book as a success story.

Interestingly, maybe their second most popular software product, Mac OS X (after iTunes) represents a curious blend between eye-catching, easy to use, flexible, usable and decently secure, modern operating system. Please notice how I avoided saying “secure” and instead, wrote “decently secure”. Read the rest of this entry »