By Eric Schultze
Like the old saying goes, “Close only counts in horseshoes and hand grenades.” I’ve developed a corollary this week, “The ‘number of flaws’ only matters to vulnerability assessment scanners and journalists.”
I’ve read many news stories this week talking about the record number of flaws/vulnerabilities that Microsoft fixed in the June ’09 Patch Tuesday release. For the record, I’m saying that none of this is relevant.
Browsing Category: Vulnerabilities
By Eric Schultze
From DarkReading (Kelly Jackson Higgins)
Texting just keeps getting riskier: Researchers at next month’s Black Hat USA in Las Vegas will demonstrate newly discovered threats to mobile phone users, as well as release a new iPhone application that tests phones for security flaws.
“We set out to create a graphical SMS auditing app that runs on the iPhone,” says Luis Miras, an independent security researcher. The tool can test any mobile phone, not just the iPhone, for vulnerabilities to specific exploits that use SMS as an attack vector. Read the full story [darkreading.com]
Apple has finally released a Java for Mac update to fix multiple security flaws that were patched upstream more than six months ago.
The fix comes three weeks after developers released proof-of-concept code to demonstrate the severity of the flaw and to nudge embarrass Apple into shipping the patch. Read the full story [zdnet.com]
This Google Tech Talk features Michael Steil and Felix Domke discussing the security model of the Microsoft Xbox 360 and how to break it.
Dennis Fisher talks with Cormac Herley of Microsoft Research about the paper he co-authored on the realities of the underground economy, why sales of stolen credit cards resemble a market for lemons and how we can get better data on cybercrime activities.
Mozilla has joined this week’s patchapalooza with the release of a Firefox update to fix 11 documented security vulnerabilities.
Six of the 11 issues are in advisories rated “critical” because of the risk of code execution attacks that could allow hackers to take complete control of a compromised machine. Read the full advisory from Mozilla [mozilla.org]
From The H Security
A vulnerability in WebKit can be exploited by an attacker to crash a tab or execute arbitrary code in Google Chrome due to a memory corruption issue in WebKit’s handling of recursion in certain DOM event handlers. For an attack to be successful, a victim must first visit a maliciously crafted website. The malicious code, however, will be sandboxed, limiting the damage that an attacker can do when exploiting the vulnerability. Nonetheless, Google considers the vulnerability to be a high risk. Read the full story [h-online.com]
From ZDNet (Dancho Danchev)
Researchers from ParetoLogic are reporting on a newly discovered Mac OS X malware variant posing as fake video ActiveX object [paretologic.com] found at a bogus Macintosh PortTube site.
The use of fake video codecs is a social engineering tactic exclusively used by malware targeting Windows, and seeing it used in a Mac OS X based malware attack proves that successful social engineering approaches remain OS independent. Read the full story [zdnet.com]