Vulnerabilities


A guide to the IIS WebDAV vulnerability

Even for the most experienced security professionals, understanding complex attacks and vulnerabilities sometimes can be a serious challenge. A perfect example is the recent Microsoft IIS WebDAV vulnerability, which surfaced last week and has yet to be patched by Microsoft. It’s a complicated issue, which some experts say was made more so by the guidance that the software maker released about it. Luckily, Steve Friedl of Unixwiz.net has taken the time to make some sense of it all.

RIM issues patch for serious PDF flaw in BlackBerry software

There is a series of vulnerabilities in the widely used BlackBerry Enterprise Server software that could allow an attacker to compromise BlackBerry devices by sending a malicious PDF file. Research in Motion, the software’s maker, has issued a patch that fixes the problem in BES, as well as in BlackBerry Professional Software.

Twitter API ripe for malware, worm abuse

A security researcher is warning that the Twitter API can be trivially abused by hackers to launch worm attacks.
The red-hot social networking/microblogging service has been scrambling to plug cross-site scripting and other Web site vulnerabilities to thwart worm attacks but, as researcher Aviv Raff points out, it’s much easier to misuse the Twitter API as a “weak link” to send worms squirming through Twitter.  Read the full story [zdnet.com]


Adobe has become the third major software vendor to begin shipping its security updates on a regular schedule. Following the lead of Microsoft and Oracle, who have been releasing patches on a set schedule for many years, Adobe now will ship its patches once per quarter. It’s a move that’s overdue for Adobe and one that other vendors (read: Apple) would do well to follow.

A security researcher from nCircle is accusing Microsoft of gamesmanship in its description of an unpatched IIS vulnerability in the way the WebDAV extension  decodes a requested URL. The end result is that a successful exploit would allow a hacker to bypass authentication and gain unauthorized access to resources.

Borrowing a few pages from Microsoft’s playbook, Adobe today announced plans for a quarterly Patch Day for its Reader/Acrobat product lines and new initiatives to beef up its code hardening and security response processes.
Starting this summer, Adobe Reader and Acrobat security patches will be released on a quarterly schedule and will be timed to coincide with Microsoft’s second-Tuesday-of-the month bulletin releases. Read the full story [zdnet.com].  Also see Adobe’s announcement [adobe.com]

There is an easily exploitable vulnerability in the Java implementation in Apple’s Mac OS X which could allow an attacker to run arbitrary code on a remote machine. The flaw, which is similar to a vulnerability that has been public for five months and affect other vendors’ products, affects even the most recent version of OS X, which was released last week.

From DarkReading (Kelly Jackson Higgins)

Most Websites harbor at least one major vulnerability, and over 80 percent of Websites have had a critical security flaw, according to new data released today by WhiteHat Security.

The Website vulnerability statistics, based on Website vulnerability data gathered from WhiteHat’s own enterprise clients, show that 63 percent of Websites have at least one high, critical, or urgent vulnerability issue, and there’s an average of seven unfixed vulnerabilities in a Website today. Read the full story [darkreading.com]

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.