Browsing Category: Vulnerabilities


On the same day Microsoft shipped a bundle of patches for gaping holes in its PowerPoint software, Apple followed suit, dropping a monster Mac OS X update to correct 67 security vulnerabilities.
The sudden Apple Patch Day also included a patch to cover a trio of flaws in the Safari Web browser (Mac OS X and Windows). Read the full story [zdnet.com]



By Eric Schultze

Microsoft patched all Windows versions of PowerPoint today — addressing both a zero-day flaw [microsoft.com] and 13 other privately reported security vulnerabilities. The zero-day vulnerability enabled attackers to take over client machines if a user opened a malformed PowerPoint document or visited an evil website. The attacker would be able to execute code on the user’s machine with the same level of permissions afforded to the logged-on user. (If the user was logged on as an administrator, the evil code could execute as admin. If the user was logged on with a user-level account, then the evil code could only execute with user permissions, not admin permissions.)



Microsoft has slapped a massive band-aid on its PowerPoint presentation software to cover at least 14 documented security vulnerabilities.
The MS09-017 update, rated “critical,” includes a fix for a known code execution flaw that was used to launch targeted exploits via rigged PowerPoint files. Read the full story [zdnet.com]. Also see Microsoft’s explanation of the update [technet.com].


From DarkReading (Kelly Jackson Higgins)
The cleanup cost for fixing a bug in a homegrown Web application ranges anywhere from $400 to $4,000 to repair, depending on the vulnerability and the way it’s fixed.
Security experts traditionally have been hesitant to calculate the actual cost associated with bug fixes because there are so many variables, including the severity of the vulnerability, differences in man-hour rates, and the makeup of the actual fix. Read the full story [darkreading.com]



From The H Security
According to information which only recently came to light, in early April a botnet consisting of an estimated 100,000 PCs apparently destroyed itself – as its control server sent out a command that made Windows inoperable. The botnet was based on the Zeus [rsa.com] botnet tool kit, which allows criminals to infect and subsequently remotely control users’ PCs. Read the full story [h-online.com]


From ZDNet (Dancho Danchev)
A newly discovered email worm dubbed OSX/Tored-A once again puts the spotlight on the potential worm-ability, and malware spreading tactics targeting Apple’s OS X.
The worm propagates through emails harvested from infected hosts, and has backdoor functionality allowing its author to perform the following actions if a successful remote connection is established: it attempts to create a botnet, has keylogging functionality, and can also perform DDoS attacks as well as send spam. Read the full story [zdnet.com]



Exactly one month after malicious hackers started using rigged PowerPoint files to launch targeted attacks, Microsoft announced plans to ship a “critical” bulletin affecting its flagship presentation program.
The PowerPoint update is the only bulletin scheduled for this month’s Patch Tuesday on May 12, 2009. It is rated “critical” (remote code execution) for all supported versions of Microsoft PowerPoint 2000 through 2007.



For the second time in two weeks, Google has shipped a new version of its Chrome browser to fix a pair of serious security vulnerabilities [blogspot.com].
One of the two flaws carries a “critical” rating because of the risk of code execution with the privileges of the logged-on user. Read the full story [zdnet.com]



From InformationWeek (Thomas Claburn)
Windows 7 RC is now available, but Microsoft’s new operating system could use a bit more tinkering to improve security.
Specifically, Windows Explorer provides a way to hide a file’s extension. Virus writers use this feature to disguise executable files as something more innocuous, such as text files, F-Secure’s Mikko Hypponen explains in a blog post [f-secure.com]. By also changing the appearance of a malicious executable’s icon, malware authors have a much easier time convincing users to run malicious software using social engineering techniques. Read the full story [informationweek.com]



Adobe has set a May 12 date for the delivery of patches to cover a critical zero-day vulnerability in its Adobe Reader 9.1 and Acrobat 9.1 software products.
An official security advisory from Adobe confirms the severity of the vulnerability and reiterates the advice for users to turn off JavaScript as a temporary measure to avoid code execution attacks. However, customers have started to grumble that Adobe’s mitigation is difficult to implement and, even worse, useless in corporate environments. Read the full story [zdnet.com]
