Vulnerabilities
Secunia pushes for standard to patch consumer apps

From DarkReading (Kelly Jackson Higgins)
Danish security firm Secunia is attempting to rally other software vendors to develop an industry-standard tool that automatically updates all applications on a consumer’s PC.
Secunia envisions an industry-standard app that runs when a laptop starts up, for example, scanning for unpatched or vulnerable apps and guiding the user with simple point-and-click options to update the machine. Read the full story [darkreading.com]

Mozilla patches a dozen Firefox vulnerabilities

Mozilla has shipped a refresh [mozilla.com] of its flagship Firefox browser to fix a dozen documented vulnerabilities that expose users to URL spoofing, cross-site scripting, code injection and code execution attacks.
The most serious fix covers four browser engine and JavaScript engine crashes where Mozilla’s developers found evidence of memory corruption. Read the full story [zdnet.com]

85% of malicious sites only online for 24 hours

From PC Advisor (Carrie-Ann Skinner)

More than 80 percent of websites that had been poisoned with malicious code between 2008 and 2009 were removed within 24 hours, says AVG.

The security vendor’s Web Threat Profile Report estimated that on any one day between 8 and 14 million web users are being exposed to social engineering scams, such as hoax Facebook pages or rogue security apps that encourage surfers to download malicious software to their PC. Read the full story [cio.com]
From The H Security
Research In Motion have published an advisory [blackberry.com] to warn of another vulnerability in the PDF distiller of the BlackBerry Attachment service. This new vulnerability is in addition to previous issues with the PDF distiller service.
According to US-CERT, the issue is related to VU196617 [cert.org], which involves the open source Xpdf and poppler applications and their handling of JBIG2 data. Read the full story [h-online.com]

From IDG News (Jeremy Kirk)

Criminals are willing to pay thousands of euros for a discontinued Nokia mobile phone with a software problem that can be exploited to hack into online bank accounts [cio.com], according to a fraud investigator in the Netherlands.

About 10 days ago, investigators observed someone transfer €25,000 (US$32,413) for a Nokia 1100 phone, said Frank Engelsman of Ultrascan Advanced Global Investigations. The candy-bar style phone is one of Nokia’s all-time best-selling models, and originally sold for under €100. Read the full story [cio.com]

Multiple news outlets [ZDNet, CBC, The Register and Washington Post] are reporting on what appears to be the first malicious botnet made up only of machines running Apple’s Mac operating system.
The botnet is directly linked to a previously known Trojan that was embedded into pirated copies of Apple’s iWork program. It was being used in the past to launch denial-of-service attacks. The full analysis of the botnet is available at Virus Bulletin [subscription required]

From SearchSecurity (Robert Westervelt)
The glum economy has put increased pressure on CISOs to cut costs while maintaining the same security defenses. Tightening budgets, coupled with increased compliance demands, could have security professionals looking for answers next week at the 2009 RSA Conference. Read the full story [searchsecurity.com]

From Computerworld (Jeremy Kirk)
Apple security whiz Charlie Miller has discovered a method that may enable attackers to run shellcode on the latest version of the Apple iPhone, something that researchers previously thought to be impossible. In a presentation at Black Hat Europe this week, Miller discussed his findings, but said that in order to get the shellcode working, an attacker would still need an exploit.

Microsoft on Wednesday plans to launch a new research effort to determine the total cost of the patch-management cycle, from testing and distributing a fix to user deployment of the patch. The end result of the project, which will be completely open and transparent to outsiders, will be a full metrics model that the company plans to make freely available.