Microsoft rolled out seven security updates today, including a fix for a critical remotely exploitable Word vulnerability. In all, 20 vulnerabilities were repaired by Microsoft, which also issued an advisory regarding poorly generated digital certificates that have to be replaced and the distribution of an automated mechanism that will check for certificate key lengths and revoke any shorter than 1024 bits.
Browsing Author: Michael Mimoso
Less than a month after the Nitol botnet takedown, Microsoft has released data casting more scrutiny of supply chain security. In its latest Security Intelligence Report (SIR) for the first half of 2012, Microsoft has connected the most prevalent malware families involved in supply chain compromises, including malicious add-ons pre-installed on PCs by manufacturers, as well as pirated software available on peer-to-peer networks, and music and movie downloads.
Malware intent on SMS fraud, also known as toll fraud, has been a constant on mobile platforms, Android in particular, for some time. And FakeInst is definitely king of the hill when it comes to this type of malware. Prevalent in Russia and the rest of Eastern Europe, the malware poses as popular applications, free games or screensaver and once installed, sends premium SMS messages to a service controlled by an attacker. The malware also intercepts messages confirming the charges from wireless providers and ultimately, the user is socked with a massive phone bill while the attacker quietly cashes in. A recent report from Lookout Security said toll fraud malware accounted for 91% of mobile malware and FakeInst malware has netted more than $10 million this year for the attackers behind the malware.
A slew of major American banks, some already stressed by a stream of DDoS attacks carried out over the past 10 days, may soon have to brace themselves for a large-scale coordinated attack bent on pulling off fraudulent wire transfers.
Is the Java browser plug-in the IT equivalent of the human appendix? Would you miss it if it were gone? Probably not, experts say, especially now that attackers are beating the Java sandbox with a rash of zero-day exploits.
It might sound like a security researcher’s worst nightmare to string together 300,000 virtual instances of the Android OS, but for scientists at Sandia National Laboratories, it’s just another day.The Department of Energy-sponsored national security-focused laboratory released the MegaDroid project on Tuesday, a cluster of 300,000 networked virtual machines running Android on commodity hardware. The project gives scientist a massively scaled platform to test anything that could cause a network disruption, including malware or an attack on critical infrastructure.
Hackers fond of man-in-the-browser (MiTB) attacks have brought efficiency to their work. New strains of MiTB malware have been discovered that are able to parse logs for the sensitive information hackers are targeting, rather than send massive unstructured logs back to the attacker’s command and control server.
Attackers targeting major U.S. banks with distributed denial of service attacks are using a number of toolkits to automate the job. Prolexic Technologies, a security company specializing in DDoS protection services, identified one toolkit called itsoknoproblembro, a kit that attacks multiple ports and network targets.
Mobile malware has largely been limited to Trojans buried inside a malicious app targeting sensitive data stored on the phone such as email, contact information and SMS messages. A new proof-of-concept piece of malicious software, however, expands the scope of mobile malware and essentially turns an Android device into a surveillance tool, bringing a while new range of security and privacy implications into the equation.
Mozilla is trying to deal a two-fisted blow to the continued use of passwords as an online authenticator, as well as the practice using social media username-password combinations as a persistent login on other sites. Its Persona project has moved into its first beta release promising developers and website users a better and more private authentication experience.