Vulnerabilities

Adobe pushed out the latest build of its Flash Player (11.4) and AIR (3.4) runtime environment Tuesday, patching six critical vulnerabilities that if left unpatched, could have allowed an attacker to gain control of or crash any affected system.The fixes address flaws for Flash Player in Windows, Macintosh, Linux and several Android versions (2.x, 3.x, 4.x) and updates AIR for Windows, Macintosh and the AIR SDK.

Espionage has gone digital and we’re just now seeing the beginnings of what will prove to be a “cyber arms race,” according to Mikko Hypponen, Chief Research Officer for the F-Secure, the Finnish security firm. Hypponen laid out his thoughts and recapped the last seven months in threats in the latest edition of the company’s Threat Report (.PDF), released today.

There is no such thing as a trivial detail when it comes to the impending release of an Apple product and scammers are well aware of this. A recent attack is exploiting the public’s fascination with all things Apple and the ubiquitous interest in anything iPhone 5-related with an email phishing scam that includes a file that claims to contain pictures of the unreleased iPhone’s battery but actually contains a malicious Word document.

Google’s recent announcements that the company is doubling some of the rewards in its Chromium Vulnerability Reward Program and will also be committing up to $2 million for another round of the Pwnium contest in a couple of months brought a round of cheers from the security research community. The Google rewards programs have been quite successful in drawing submissions from researchers, as have similar programs from Mozilla, Facebook, Barracuda, PayPal and others, but the question around all of these programs is whether they actually succeed in making software, and by extension, the Web, safer.

Google has been handing out rewards to researchers who discover vulnerabilities in the company’s products and Web properties for several years now, both through its Chrome bug bounty program and its Pwnium contest at this year’s CanSecWest conference. Company officials say that the programs have been quite successful at finding and fixing bugs, so much so, in fact, that the number of new submissions have been dropping off lately. Instead of closing down the reward program, however, Google this week said it will pay even more for some bugs and also announced that is reprising the Pwnium contest at Hack in the Box in Malaysia this Fall, offering up to $2 million in rewards.

Google officials say that they will be handing out bonuses on top of existing rewards to security researchers who report especially troublesome flaws as part of their bug bounty program.

The DHS and ICS-CERT are warning users of some popular Tridium Niagara AX industrial control system software about a series of major vulnerabilities in the applications that are remotely exploitable and could be used to take over vulnerable systems. The bugs, discovered by researchers Billy Rios and Terry McCorkle, are just the latest in a series of vulnerabilities found in the esoteric ICS software packages that control utilities and other critical systems.