Ryan Naraine

Vulnerability Broker Draws Line in Disclosure Sand

Looking to put pressure on software vendors who procrastinate on fixing security flaws, the world’s biggest broker of vulnerability data is drawing a line in the sand. Starting August 4, TippingPoint’s Zero Day Initiative (ZDI) will enforce a six-month deadline for patches on all vulnerabilities bought from the security research community and reported to software vendors.

Hacker Demos Remote Attacks Against ATMs

LAS VEGAS — Using home-brewed software tools and exploiting a gaping security hole in the authentication mechanism used to update the firmware on automated teller machines (ATMs), a security researcher hacked into ATMs made by Triton and Tranax and planted a rootkit that dispensed cash on demand.

A prominent security researcher is urging users of Apple’s Safari browser to immediately turn off the AutoFill feature to block hackers from stealing sensitive information.

According to Jeremiah Grossman, founder and Chief Technology Officer of WhiteHat Security, the AutoFill Web Forms feature can be hacked to steal data from the computer’s address book.

Cisco has shipped a critical bulletin to warn about a serious security hole in the Cisco Internet Streamer application, which is part of the Cisco Content Delivery System. In an advisory, Cisco warned that exploitation of this vulnerability may allow a remote, unauthenticated attacker to obtain sensitive information, including password files and system logs.

Dell has confirmed that some of its PowerEdge server motherboards were shipped to customers with malware code on the embedded server management firmware. The infected motherboard was found on replacement Dell PowerEdge R410 rack servers, according to a post on a Dell support forum.

Mozilla has shipped a mega patch for Firefox to fix a total of 16 security flaws that expose Web surfers to drive-by download, data theft and location bar spoofing attacks. The latest Firefox 3.6.7 update includes fixes for nine “critical” issues that could be exploited to launch remote code execution attacks. Two of the 16 bugs are rated “high risk” while five carry a “moderate” severity rating.

The next major version of Adobe’s PDF Reader will feature new sandboxing technology aimed at curbing a surge in malicious hacker attacks against the widely deployed software. The security feature, called “Protected Mode,” is similar to the Google Chrome sandbox and Microsoft Office 2010 Protected Viewing Mode, according to Adobe’s security chief Brad Arkin.