Bug in IE 8 Causes XSS Errors

The latest version of Microsoft’s Internet Explorer browser contains a bug that can enable serious security attacks against websites that are otherwise safe. The flaw in IE 8 can be exploited to introduce XSS, or cross-site scripting, errors on webpages that are otherwise safe. Read the full article. [The Register]

Can Adobe Beat Back the Hackers?

For years, Adobe Systems has occupied a quiet corner of the personal-computer industry. Photographers and designers use its software to clean up photos and set up Web sites. Workers everywhere trade electronic documents formatted with Adobe’s programs, often without knowing the company behind the software. Now Adobe is attracting the unwanted attention of hackers, and security experts are concerned the company isn’t doing enough to repel assaults. Read the full story. [BusinessWeek]

At the SecurityByte & OWASP AppSec Conference in India, Roberto Suggi Liverani and Nick Freeman offered insight into the substantial danger posed by Firefox extensions. Mozilla doesn’t have a security model for extensions and Firefox fully trusts the code of the extensions. There are no security boundaries between extensions and, to make things even worse, an extension can silently modify another extension. Read the full article. [Help Net Security]

The U.S. Food and Drug Administration is pressuring a number of Internet service providers to shut off nearly 12 dozen Web sites alleged to be selling counterfeit or unapproved prescription drugs. The agency said none of the sites represent pharmacies located in the United States or Canada, as most claim. Read the full article. [Washington Post]

The latest release (PHP 5.3.1) adds the “max_file_uploads” INI directive, which limits the number of file uploads accepted per request and is set to 20 by default. By limiting the number of uploads per request, users can prevent possible denial of service (DoS) attacks. Missing sanity checks around EXIF (exchangeable image file format) processing have also been added. Read the full article. [The H Security]

Three alleged members of the hacker gang Kryogeniks were hit with a federal conspiracy charge for a 2008 stunt that replaced Comcast’s homepage with a shout-out to other hackers. Prosecutors identified Christopher Allen Lewis, 19, and James Robert Black Jr., 20, as the hackers “EBK” and “Defiant,” known for hijacking Comcast’s domain name in May of last year, a prank that took down the cable giant’s homepage and webmail service for more than five hours, and allegedly cost the company over $128,000. Read the full article. [Wired] Read the federal indictment.

Microsoft today denied that it has built a backdoor into Windows 7, a concern that surfaced yesterday after a senior National Security Agency (NSA) official testified before Congress that the agency had worked on the operating system. “Microsoft has not and will not put ‘backdoors’ into Windows,” a company spokeswoman said. Read the full article. [Computerworld]

A viral marketing campaign designed to exploit your anticipation over the New Moon movie coming out tomorrow may look like normal free media you’ve come to expect on the Internet. A scareware purveyor has been spreading bad URLs, with the help of corrupted Google search results, having to do with the movie and its stars. Fans are being directed to chats and blog posts that read “Watch New Moon Full Movie.” Concurrently, the bad guys use an automated script to fill the posts and comments with related keywords to attract more search engines. Read the full article. [The Last Watchdog]
