Guest Posts

August 31, 2010, 9:55AM Threatpost Original

Do You Know What Your Database Users Are Doing?

By Alex Rothacker

In our last column, we focused on privilege escalation attacks and the impact that this category of SQL injection attacks can have on the database - particularly where specific database vulnerabilities exist and can be exploited through the manipulation of privileges. Let's look more deeply at how organizations struggle with the issue of extensive privileges assigned directly to users - or indirectly through user groups. We'll address what can happen when database users are over-credentialed, and what should be done to ensure you are aware of all activity that is occurring in your environment.


August 26, 2010, 10:24AM Threatpost Original

DLL Hijacking: Facts and Fiction

By Oliver Lavery

It's been interesting watching DLL hijacking grow from an interesting phenomenon to a full-on snowball of hype and FUD over the last few days. As of this writing, Google turns up 152 news articles on the subject. The vast majority of coverage is calling this a "new class of attack" and pointing out how "over 30 zero-day vulnerabilities have been found so far!" The only way to paraphrase many of the headlines is: "Panic!"


August 25, 2010, 9:43AM Threatpost Original

Location-Based Services Raise Privacy, Security Risks

By Stefan Tanase

The growing popularity of location-based services in the social networking world is a serious security and privacy risk that must be taken seriously.


August 18, 2010, 2:56PM Threatpost Original

How to Avoid Getting Your Twitter Account Hacked

By Stefan Tanase

"All upcoming Guns N' Roses dates are officially canceled. Please contact your place of purchase for any refunds."

No Guns N' Roses fan ever wants to see this text. And especially when it's published on Axl Rose's official Twitter account, it's a guaranteed recipe for disaster.


August 18, 2010, 8:38AM Threatpost Original

Owning Virtual Worlds For Fun and Profit

By Charlie Miller

I'm a security researcher. I find bugs in software, and they get fixed. I write exploits, and they give me a shell. It's more or less always the same, and it gets kind of boring. But there was one exploit I helped write back in 2007 that was a little different. This is the story of that exploit.


August 10, 2010, 2:58PM Threatpost Original

Inside Microsoft's August Patch Tuesday

Microsoft has released its planned 14 bulletins fixing 34 vulnerabilities today. There are four bulletins that administrators should look at patching as soon as possible.


July 27, 2010, 1:52PM Threatpost Original

Escalating Privileges In the Database Can Wreak Havoc

By Alex Rothacker

Privilege escalation attacks consist of exploiting a bug or design flaw in a software application to gain access to resources that are normally protected from an application or user. The result is that the application allows actions with privileges beyond an acceptable level for the specific user.


July 19, 2010, 3:16PM Threatpost Original

Bouncing RPC

By Ivan Arce

In the early years of Core Security Technologies, the company not only offered security consulting services but was often sub-contracted to do R&D for several security vendors. The first and most intellectually rewarding of such contracts came from Secure Networks Inc. (SNI), a Canadian start-up that was developing a network vulnerability scanner named Ballista Network Auditing System. Our contract work for SNI, plus a couple of local security consulting contracts, was largely responsible for the financial viability of Core in its early days, and for that I will always be thankful to the SNI team.


July 13, 2010, 1:46PM Threatpost Original

Pay Attention to MS10-042 Update

Microsoft has released four new security bulletins in the July 2010 edition of Patch Tuesday. These bulletins address five vulnerabilities.

It is not uncommon, and has become expected, for a light Patch Tuesday to follow a heavy Patch Tuesday release from Microsoft. Last month, Microsoft released a hefty load of patches with 10 security bulletins addressing 34 vulnerabilities.


July 9, 2010, 4:57AM Threatpost Original

The Rise of the Rogue AV Testers

By Costin Raiu

Recently, I was sitting around with a number of colleagues from Kaspersky Lab, discussing everybody's favorite subject: the state of anti-virus testing these days. During the talks, somebody brought up the name of a new, obscure testing organization in the Far East. Nobody else had ever heard of them, so my colleague Aleks Gostev jokingly called them a "rogue Andreas Marx."

Copyright © 2010 threatpost.com