Dennis Fisher talks with Charlie Miller of Independent Security Evaluators about Mac OS X security, winning the Pwn2Own contest again and the real market for selling vulnerabilities. Read Miller’s paper on selling 0-day vulnerabilities (.pdf).
Hundreds of thousands of websites host vulnerable Adobe Flash files which can be exploited by malicious people to conduct convincing phishing and XSS attacks. In most cases, cookie hijacking is possible.
Unsuspecting users can be redirected from trustworthy SSL and non-SSL sites to malware, adware and spyware sites. Read the full story [xssed.com]
Botnets have become one of the more insidious threats on the Internet in the last few years. Large-scale botnets such as the Storm, Asprox and Nugache networks have caused tremendous problems by serving as platforms for spamming operations, DDoS attacks and other mischief. In this podcast from SearchSecurity.com, Rob Westervelt talks with Brian Rexroad of AT&T Labs about the company’s botnet research program.
Former director of security architecture at One Laptop per Child (OLPC) Ivan Krstic has joined Apple to help thwart hacker attacks against the Mac operating system.
Krstic, a well-respected innovator who designed the Bitfrost security specification for the OLPC initiative, joined Cupertino this week and will work on core OS security. His hiring comes at a crucial time for a company that ties security to its marketing campaigns despite public knowledge that it’s rather trivial to launch exploits against the Mac. Read the full story [zdnet.com]
Guest editorial by Andrew Storms
Yesterday was a perfect example of the lack of communication between software vendors and their customers about security. Three vendors released major patches for serious bugs, all within hours of each other.
You would think that customers would be a high priority for all vendors, especially in this economy. All vendors certainly give lip service to doing the right thing by their customers; unfortunately, most have a bad case of amnesia when it comes to security.
Little, if anything, gets Mac users more exercised than a mention of their favorite machine’s security problems. Despite the fact that security experts believe Macs to be much easier to exploit than Windows machines, Mac users simply trot out the old saw about there not being any virus attacks on Macs. Not only is that assertion demonstrably false, but it misses the point entirely: Virus attacks are not an indicator of the security of an operating system.
From SC Magazine (Chuck Miller)
Attackers have discovered that spreading their malware is a much easier task on social networking sites than it is on the rest of the Web. The success rate for malware on social networking sites such as Twitter and Facebook is 10 percent, compared with less than one tenth of that on normal sites and through email.
Adobe joined the Patch Tuesday barrage late yesterday, dropping fixes for a pair of code execution holes affecting its Adobe Reader and Acrobat products.
The critical update [adobe.com] addresses a publicly known vulnerability that was being exploited with booby-trapped PDF files.
At a Churchill Club event in Santa Clara, Calif., Peter Solvik, managing director at Sigma Partners, talks to a panel of CIOs about how they’re making mobile devices more secure in the enterprise and whether their employees prefer the BlackBerry over the iPhone. The panel includes: Matt Carey, chief information officer of Home Depot; Karenann Terrell, CIO of Baxter; and Lars Rabbe, former CIO of Yahoo.
From eWEEK (Brian Prince)
Attackers pushing pirated, malware-laced copies of Microsoft’s upcoming Windows 7 operating system have been actively trying to build a botnet.
According to researchers at Damballa, attackers hid a Trojan inside of pirated copies of the operating system and began circulating them on BitTorrent sites. Damballa reported that it shut down the botnet’s command and control server May 10, but by that time infection rates had risen as high as 552 users per hour. Read the full story [eweek.com]