Browsing Category: Vulnerabilities

Categories: Vulnerabilities

Hundreds of thousand websites host vulnerable Adobe Flash files which can be exploited by malicious people to conduct convincing phishing and XSS attacks. In most cases, cookie hijacking is possible.
Unsuspecting users can be redirected from trustworthy SSL and non-SSL sites to malware, adware and spyware sites.  Read the full story [xssed.com]

Read more...

Categories: Vulnerabilities

Guest editorial by Andrew Storms
Yesterday was a perfect example of the lack of communication between software vendors and their customers about security. Three vendors released major patches for serious bugs, all within hours of each other.

You would think that customers would be a high priority for all vendors, especially in this economy. All vendors certainly give lip service to doing the right thing by their customers; unfortunately, most have a bad case of amnesia when it comes to security.

Read more...

Categories: Vulnerabilities

Adobe joined the Patch Tuesday barrage late yesterday, dropping fixes for a pair of code execution holes affecting its Adobe Reader and Acrobat products.

The critical update [adobe.com] addresses a publicly known vulnerability that was being exploited with booby-trapped PDF files.

Read more...

Categories: Vulnerabilities

On the same day Microsoft shipped a bundle of patches for gaping holes in its PowerPoint software, Apple followed suit, dropping a monster Mac OS X update to correct 67 security vulnerabilities.
The sudden Apple Patch Day also included a patch to cover a trio of flaws in the Safari Web browser (Mac OS X and Windows). Read the full story [zdnet.com]

Read more...

Categories: Vulnerabilities

By Eric Schultze

Microsoft patched all Windows versions of PowerPoint today — addressing both a zero-day flaw [microsoft.com] and 13 other privately reported security vulnerabilities.   The zero-day vulnerability enabled attackers to take over client machines if a user opened a malformed powerpoint document or visited an evil website.  The attacker would be able to execute code on the user’s machine with the same level of permissions afforded to the logged on user.  (If the user was logged on as an administrator, the evil code could execute as admin.  If the user was logged on as a user-level account, then the evil code could only execute with user permissions and not admin permissions).

Read more...

Categories: Vulnerabilities

Microsoft has slapped a massive band-aid on its PowerPoint presentation software to cover at least 14 documented security vulnerabilities.
The MS09-017 update, rated “critical,” includes a fix for a known code execution flaw that was used to launch targeted exploits via rigged PowerPoint files. Read the full story [zdnet.com] Also see Microsoft’s explanation of the update [technet.com]

Read more...

From DarkReading (Kelly Jackson Higgins)
The cleanup cost for fixing a bug in a homegrown Web application ranges anywhere from $400 to $4,000 to repair, depending on the vulnerability and the way it’s fixed.
Security experts traditionally have been hesitant to calculate the actual cost associated with bug fixes because there are so many variables, including the severity of the vulnerability, differences in man-hour rates, and the makeup of the actual fix. Read the full story [darkreading.com]

Read more...

Categories: Vulnerabilities

From The H Security
According to information which only recently came to light, in early April a botnet consisting of an estimated 100,000 PCs apparently destroyed itself – as its control server send out a command that made Windows inoperable. The botnet was based on the Zeus [rsa.com] botnet tool kit, which allows criminals to infect and subsequently remotely control users’ PCs. Read the full story [h-online.com]

Read more...

From ZDNet (Dancho Danchev)
A newly discovered email worm dubbed OSX/Tored-A once again puts the spotlight on the potential worm-ability, and malware spreading tactics targeting Apple’s OS X.
The worm propagates through emails harvested from infected hosts, and has a backdoor functionality allowing its author to perform the following actions if a successful remote connection is established – attempts to create a botnet, has keylogging functionality, and can also perform DDoS attacks as well as send spam. Read the full story [zdnet.com]

Read more...