Vulnerabilities


Twitter API Being Exploited by Drive By Malware

Drive-by exploit writers have been spotted using a popular Twitter
command to send web surfers to malicious sites, a technique that helps
conceal the devious deed. According to researcher Denis Sinegubko, it’s
being added to heavily obfuscated redirection scripts injected into
compromised websites. The scripts redirect victims to drive-by
sites that attempt to exploit unpatched vulnerabilities in programs
such as Apple’s QuickTime. Read the full article. [The Register]

Server Message Block Bug Crashes Windows 7

Security researcher Laurent Gaffie unveiled a new unpatched
bug in Windows 7 and Server 2008 R2 that, when exploited, locks up the
system, requiring a total shutdown to regain control. Microsoft acknowledged that it’s investigating the flaw. Read the full article. [Computerworld]


Apple today shipped Safari 4.0.4 to fix a total of seven security flaws that expose Windows and Mac users to a wide range of malicious hacker attacks. The high-priority update patches vulnerabilities that allow remote code execution (drive-by downloads) if a user simply surfs to a maliciously rigged Web site. Some of the issues affect Microsoft’s new Windows 7 operating system.

The security glitch, which is linked to a “cash back” system
operated by Bing, potentially leaves users and retailers exposed to
fake transactions. But despite an outcry online over the existence of
the loophole, the world’s largest company has responded to the issue by
threatening legal action against the man who discovered the problem. First launched last year, before Microsoft rebranded
its search website, the affiliate scheme offers users the chance to
earn money back for every product they buy through the service. Read the full article. [guardian.co.uk]

Hackers will quickly jump on one of the 15 vulnerabilities Microsoft patched Tuesday to build attack code that infects Internet Explorer users, security researchers agreed today. The bug, which Microsoft patched as part of a record-tying security update for the month of November, is in the Windows kernel, the heart of the operating system. Read the full article. [Computerworld]

A high-profile online advertising Web site has been hacked and rigged to
serve multiple exploits to Microsoft Windows users surfing the net with
unpatched third-party desktop software.
According to a warning issued by Websense Security Labs, the malicious code was found on media-servers.net,
which is described as a high-profile advertiser in the Internet realm.
The site has been firing an assortment of exploits for several months,
including exploits for vulnerabilities in Microsoft DirectShow and
Adobe PDF Reader. Read the full advisory [websense.com]

Almost 80% of more than 3,000 software security flaws publicly reported
so far this year have been in Web technologies such as Web servers,
applications, plugins and Web browsers.
That number is about 10% higher than the number of flaws reported in
the same period last year — and nine out of 10 of the flaws were found
in commercial code. Read the full article. [Computerworld]

Adobe has shipped a patch to cover a security vulnerability affecting its Photoshop Elements software product.
The flaw, rated moderate, affects Adobe Photoshop Elements versions
8.0 and 7.0. It could be exploited by a hacker with valid login
credentials and/or physical access to execute arbitrary commands with
elevated privileges. Read the advisory [adobe.com]
