From IDG News Service (Sumner Lemon)
Apple is working to fix an iPhone vulnerability that could allow an attacker to remotely install and run unsigned software code with root access to the phone.
The attack in question exploits a weakness in the way iPhones handle text messages received via SMS (Short Message Service), said security researcher Charlie Miller, during a presentation at the SyScan conference in Singapore on Thursday. He didn’t provide a detailed description of the SMS vulnerability, citing an agreement with Apple. Read the full story [Yahoo News].
From IDG News Service (Sumner Lemon)
VMware has released a patch for a serious flaw in the company’s flagship ESX software, which could enable an attacker to cause a denial of service or run arbitrary code on a vulnerable server. The flaw lies in the Kerberos authentication protocol, which is included in ESX, but is not enabled by default.
On May 28, our colleagues at The Microsoft Security Response Center released advisory 971778, which elaborated on a new vulnerability in Microsoft DirectShow affecting Windows 2000, Windows XP and Windows Server 2003. You can obtain more details on how to protect your environment from this vulnerability from the Microsoft SRD blog.
We have been closely monitoring the malware landscape for threats related to leveraging exploits against this new vulnerability. We subsequently developed and released a generic detection for malformed media files, Exploit:Win32/CVE-2009-1537, based on MAPP information provided to us. Also, we have developed detections for the known malicious web pages, as Exploit:JS/Mult.BM or Trojan:HTML/Redirector.I. Our security products, such as Windows Live OneCare, Microsoft Security Essentials, and Forefront Client Security can block access to these malformed media files with signature definition update version 1.59.798 or higher. Read the full story [Microsoft Malware Protection Center].
From CERT (Will Dormann)
Two recent US-CERT Vulnerability Notes [cert.org] describe similar issues in the Adobe Reader and Foxit Reader PDF viewing applications. The vulnerabilities, in which both applications failed to properly handle JPEG2000 (JPX) data streams, were discovered as part of our Vulnerability Discovery initiative. The two vulnerability notes are quite similar, except for one aspect: attack surface. Read the full blog post [cert.org].
Adobe has patched a critical security flaw in its Shockwave Player software which could enable an attacker to gain complete control of affected machines. The vulnerability affects version 18.104.22.1686 and earlier of Shockwave.
Google has released a new version of its Chrome browser, which includes a fix for a serious buffer overflow vulnerability. The vulnerability in Chrome lies in the way that the browser handles certain responses from HTTP servers.
From The Wall Street Journal (Emily Steel)
On a Saturday night at the end of May, visitors to the forums section of Digital Spy, a British entertainment and media news Web site, were greeted with an ad that loaded malicious software onto their computers. The Web site’s advertising system had been hacked.
A number of such attacks have occurred this year, as perpetrators exploit the complex structure of business relationships in online advertising, with its numerous middlemen and resellers. Web security experts say they have seen an uptick in the number of ads harboring malware as the economy has soured and publishers, needing to boost their ad revenues, outsource more of their ad-space sales. Read the full story [wsj.com]
From Just Ask Gemalto (Dennis Fisher)
Computer users have been conditioned over the last few years to recognize and avoid many of the more common scams and threats on the Internet: email viruses, phishing, spam, Nigerian 419 ploys and work-at-home money-mule schemes. You know that an email promising funny pictures of Britney Spears is probably more likely to install malware on your machine than to brighten up your day with more of Britney’s zany antics.
From PC World (Erik Larkin)
It doesn’t take much to get started in Internet crime these days. Find the right site, hand over $50, and you can start wreaking havoc with 1,000 already-infected PCs.
Finjan, a San Jose, CA security company, looked into the “Golden Cash” site, used by black hats to buy and sell the use of hijacked computers. The crooks behind the site infect PCs (or pay others to do so) with the Golden Cash remote-control malware, and then sell access to those PCs. And that access doesn’t cost much. Read the full story [pcworld.com]
Apple’s latest iPhone OS 3.0 software update includes patches for multiple vulnerabilities, some with serious security implications.
The update, which is only available for download via iTunes, covers a total of 46 documented vulnerabilities, including several that allow malicious code execution if a user simply visits a rigged Web site or views a manipulated image. Read the full Apple advisory [apple.com]