Ryan Naraine

Googler Drops Windows Zero-Day, Microsoft Unhappy

Google security researcher Tavis Ormandy has set the cat among the “responsible disclosure” pigeons with the release of technical details of a zero-day vulnerability affecting the Microsoft Windows Help and Support Center without giving Microsoft adequate time to prepare a patch.

Patch Tuesday: Microsoft Kills Pwn2Own Browser Bug

The Microsoft Patch Tuesday train rolled into town today, dropping off a massive 10 security bulletins with fixes for at least 34 documented vulnerabilities. Three of the bulletins are rated “critical” because of the risk of remote code execution attacks. Affected products include the Windows operating system, Microsoft Office, the Internet Explorer browser and Internet Information Services (IIS).

Understanding The Porn + Malware Connections

CAMBRIDGE — For a minimal investment of about $160, a single porn site operator can infect more than 20,000 computers with malware for use in cybercrime, according to an academic study presented at the Workshop on the Economics of Information Security (WEIS 2010).


Apple has shipped new versions of its Safari browser with patches for at least 48 security vulnerabilities. The Safari 4.1 and 5.0 updates, considered “highly critical,” are available for both Windows and Mac OS X. Exploitation of some of these vulnerabilities could lead to drive-by download (remote code execution) attacks.

Adobe issued an alert late Friday night to warn about zero-day attacks against an unpatched vulnerability in its Reader and Flash Player software products. The vulnerability, described as critical, affects Adobe Flash Player 10.0.45.2 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems.

Microsoft’s Patch Tuesday this month will be a big one: 10 bulletins fixing 34 vulnerabilities in Windows, Office and Internet Explorer. Three of the 10 bulletins will be rated “critical,” Microsoft’s highest severity rating. The flaws addressed in those bulletins typically expose users to remote code execution attacks.

Looking to clamp down on the escalation of malicious apps on its popular social network, Facebook will now require every developer to verify their Facebook account by providing a mobile phone number or adding a credit card to their account.

While this is clearly a step in the right direction, this won’t stop rogue apps from wreaking havoc on the social network.

As Microsoft prepares to pull the plug on support for Windows XP SP2, a move that stops the release of security updates for that operating system, research firm Gartner is urging businesses to start planning and testing Windows 7 this year with a plan to completely eliminate Windows XP by the end of 2012.

Joanna Rutkowska’s Qubes OS project will include a feature to create one-time use-and-discard virtual machines. The idea behind Disposable VMs is to have very lightweight virtual machines that can be created and booted quickly with the sole purpose of hosting only one application. “Then, once you’re done, you just throw it away,” Rutkowska explained.

Microsoft has released an open-source Web Protection Library (WPL) to help developers protect web sites from cross-site scripting attacks.

The WPL, which is a set of .NET assemblies, is being offered as part of a defense in depth strategy to add an extra layer to any validation or secure coding practices.