Dennis Fisher talks with Charlie Miller of Independent Security Evaluators about Mac OS X security, winning the Pwn2Own contest again and the real market for selling vulnerabilities. Read Miller’s paper on selling 0-day vulnerabilities (.pdf).
Hundreds of thousands of websites host vulnerable Adobe Flash files which can be exploited by malicious people to conduct convincing phishing and XSS attacks. In most cases, cookie hijacking is possible.
Unsuspecting users can be redirected from trustworthy SSL and non-SSL sites to malware, adware and spyware sites. Read the full story [xssed.com]
Guest editorial by Andrew Storms
Yesterday was a perfect example of the lack of communication between software vendors and their customers about security. Three vendors released major patches for serious bugs, all within hours of each other.
You would think that customers would be a high priority for all vendors, especially in this economy. All vendors certainly give lip service to doing the right thing by their customers; unfortunately, most have a bad case of amnesia when it comes to security.
Adobe joined the Patch Tuesday barrage late yesterday, dropping fixes for a pair of code execution holes affecting its Adobe Reader and Acrobat products.
The critical update [adobe.com] addresses a publicly known vulnerability that was being exploited with booby-trapped PDF files.
On the same day Microsoft shipped a bundle of patches for gaping holes in its PowerPoint software, Apple followed suit, dropping a monster Mac OS X update to correct 67 security vulnerabilities.
The sudden Apple Patch Day also included a patch to cover a trio of flaws in the Safari Web browser (Mac OS X and Windows). Read the full story [zdnet.com]
By Eric Schultze
Microsoft patched all Windows versions of PowerPoint today — addressing both a zero-day flaw [microsoft.com] and 13 other privately reported security vulnerabilities. The zero-day vulnerability enabled attackers to take over client machines if a user opened a malformed PowerPoint document or visited an evil website. The attacker would be able to execute code on the user’s machine with the same level of permissions afforded to the logged-on user. (If the user was logged on as an administrator, the evil code could execute as admin. If the user was logged on as a user-level account, then the evil code could only execute with user permissions and not admin permissions.)
Microsoft has slapped a massive band-aid on its PowerPoint presentation software to cover at least 14 documented security vulnerabilities.
The MS09-017 update, rated “critical,” includes a fix for a known code execution flaw that was used to launch targeted exploits via rigged PowerPoint files. Read the full story [zdnet.com]. Also see Microsoft’s explanation of the update [technet.com]
From DarkReading (Kelly Jackson Higgins)
The cleanup cost for fixing a bug in a homegrown Web application ranges anywhere from $400 to $4,000 to repair, depending on the vulnerability and the way it’s fixed.
Security experts traditionally have been hesitant to calculate the actual cost associated with bug fixes because there are so many variables, including the severity of the vulnerability, differences in man-hour rates, and the makeup of the actual fix. Read the full story [darkreading.com]
From The H Security
According to information which only recently came to light, in early April a botnet consisting of an estimated 100,000 PCs apparently destroyed itself – as its control server sent out a command that made Windows inoperable. The botnet was based on the Zeus [rsa.com] botnet tool kit, which allows criminals to infect and subsequently remotely control users’ PCs. Read the full story [h-online.com]
From ZDNet (Dancho Danchev)
A newly discovered email worm dubbed OSX/Tored-A once again puts the spotlight on the potential worm-ability, and malware spreading tactics targeting Apple’s OS X.
The worm propagates through emails harvested from infected hosts, and has backdoor functionality allowing its author to perform the following actions if a successful remote connection is established – it attempts to create a botnet, has keylogging functionality, and can also perform DDoS attacks as well as send spam. Read the full story [zdnet.com]