Vulnerabilities


Serious Vulnerabilities Remain in Reader After Huge Patch Release, Researchers Say

Adobe on Tuesday patched a huge number of flaws in its Reader software on Windows and Mac OS X. Many of them were reported to the company by members of Google's internal security team, which had set up a long-term fuzzing program to look for interesting crashes in the PDF viewer embedded in the Chrome browser. However, the Google researchers said that a number of serious vulnerabilities in the application on Windows and OS X remain unpatched, so they have released limited details on those bugs along with advice for users on how to mitigate the risk from them.

Adobe Patches Critical Flash Bug, Releases Massive Reader Update

Adobe has issued a fix for a critical Flash vulnerability that attackers already are exploiting in targeted attacks. The flaw can allow attackers to take complete control of vulnerable machines, and Adobe said that it is aware of attacks going after Flash in Internet Explorer.

Microsoft Patches Critical MS12-060 Office Flaw Being Used in Targeted Attacks

Microsoft on Tuesday fixed a critical vulnerability in a component shared by Office, SQL Server and other widely deployed applications that attackers already are using in targeted attacks. The flaw in the Microsoft Common Controls component, one of the 26 vulnerabilities fixed in the nine bulletins issued that day, can be exploited remotely, and Microsoft said that attackers have been sending malicious RTF files via email to take advantage of the bug.


Do not envy the life of a Web app. It’s a brutal, public existence filled with attacks from all sides. In fact, a new report by Imperva sheds some light on this sad life, showing that a typical Web app is attacked once every three days and some are targeted as many as 2,700 times in a given year.

Android devices have remained a constant target of attacks over the last quarter thanks in part to new variants from the FakeInst and OpFake families of malware. According to the latest version of the F-Secure Mobile Threat Report, the firm found 5033 malicious Android application packages (APKs), a 64 percent increase over the 3063 the firm identified in the first quarter of 2012.

SQL injection attacks have been going on for years, and the vulnerabilities and exploitation techniques are well-understood and widely discussed. However, they’re still quite prevalent and are used in a variety of scenarios. One recent example is the attack on a Yahoo site that resulted in a breach of 450,000 usernames and passwords. In this video, Ryan O’Boyle of Veracode discusses the nature of SQL injection attacks and how to defend against them.
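The point the video makes is easiest to see side by side: a login query built by string concatenation, next to the same query with bound parameters. The following is an added example written for this page, not code from Veracode, the Yahoo incident, or the video; the table, accounts and payloads are constructed, and the injected strings are textbook authentication-bypass and UNION patterns rather than anything taken from the breach described above.

```python
import sqlite3

# Constructed sample data for the demo; real systems should store password
# hashes, never plaintext (the whole point of the example is that a single
# concatenated query lets an attacker read whatever the table holds).
USERS = [
    ("alice", "s3cret"),
    ("bob", "hunter2"),
]


def make_db():
    """In-memory SQLite database with a tiny users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL text from user input: whatever the user types becomes
    part of the statement, so quotes, OR clauses and UNIONs are executed."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql).fetchall()]


def login_safe(conn, username, password):
    """Parameterized query: the SQL text is fixed, and the driver binds the
    values as data, so a quote in the input is just a quote character."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password)).fetchall()]


# Classic bypass: closes the password literal, then ORs in an always-true term.
# The concatenated query becomes:
#   ... WHERE username = 'anything' AND password = '' OR '1'='1'
# and AND binds tighter than OR, so every row matches.
BYPASS_PASSWORD = "' OR '1'='1"

# Data extraction: the first SELECT matches nothing, the UNION appends every
# username:password pair, and the trailing comment discards the rest of the
# original statement.
DUMP_USERNAME = "x' UNION SELECT username || ':' || password FROM users -- "


def dump_via_union_vulnerable(conn):
    """Uses the same vulnerable login query to read the whole credential table."""
    return login_vulnerable(conn, DUMP_USERNAME, "ignored")


def demo():
    conn = make_db()
    return {
        "vulnerable_bypass": login_vulnerable(conn, "anything", BYPASS_PASSWORD),
        "safe_bypass": login_safe(conn, "anything", BYPASS_PASSWORD),
        "vulnerable_dump": sorted(dump_via_union_vulnerable(conn)),
        "safe_dump": login_safe(conn, DUMP_USERNAME, "ignored"),
        "safe_legit": login_safe(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the vulnerable function logging in every account for the bypass payload and returning the full credential list for the UNION payload, while the parameterized version returns nothing for either payload and still authenticates a legitimate user. The fix is the same in every database driver: keep the statement text constant and pass values through the driver's parameter binding rather than into the string.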

On average, there were almost five fraudulent phone calls every minute in the first half of this year, according to a report released today by security firm Pindrop Security. The Atlanta-based company found that phone fraud was up 29 percent from January to June of this year compared with the second half of 2011, based on its analysis of 1.3 million separate incidents for its 2012 State of Phone Fraud Report.