Google Plugs Android Security Holes

Google has shipped a new version of the Android open-source mobile phone platform to fix a pair of security flaws that could lead to denial-of-service attacks.
According to an advisory from oCERT, a group that handles vulnerability disclosure for open-source projects, the flaws could allow hackers to render Android-powered devices useless.

Botnet Caught Red Handed Stealing From Google

A recently discovered botnet has been caught siphoning ad revenue away from Google, Yahoo! and Bing and funneling it to smaller networks.

According to researchers at Click Forensics, computers that are part of the so-called Bahama Botnet are infected with malware that sends them to counterfeit search pages instead of the real thing. They look authentic, and with the help of DNS poisoning routines, they even display or in the address bar.  Read the full story [The Register/Dan Goodin]

‘High Risk’ Flaw Fixed in Google Chrome

Google has pushed out a new version of its Chrome browser to fix a high-severity security hole that could lead to malicious code execution attacks.
The vulnerability could be exploited to run arbitrary code within the Google Chrome sandbox, the company said in an advisory.

The Register’s Dan Goodin has news about a belated but significant move by Google to protect its Gmail and other services from CSRF (cross-site request forgery) attacks.
In recent days, Google’s login pages began setting a cookie with a unique token on each user’s browser. That same value is also embedded into the login form. If the two don’t match, the user will be unable to log in.

From IDG News Service (Robert McMillan)
Criminals flooded several online ad networks with malicious advertisements over the weekend, causing popular Web sites such as the Drudge Report, and to inadvertently attack their readers, a security company said Wednesday.
The trouble started on Saturday, when the criminals somehow placed the malicious ads on networks managed by Google’s DoubleClick, as well as two others: YieldManager and ValueClick’s Fastclick network.

An ongoing attack on Google users is sending victims to rogue anti-virus software sites, researchers said this week.
The attack takes advantage of Google’s page-ranking feature, according to researchers at eSoft’s Threat Prevention Team. The scam works like this: An attacker hacks a site, but instead of embedding exploits on the hacked site, they put links to other websites to boost rankings for malicious sites, and Google users in particular seem to be the targets.

GENEVA — Head of Google’s anti-malvertising team Eric Davis wants Internet Service Providers (ISPs) to look beyond profits and take a more proactive approach to dealing with malware-infested computers on their networks.
During a keynote presentation at the Virus Bulletin conference here, Davis said competitors in the ISP space must look beyond profits and partner on new initiatives to deal with the “parasites” that have taken control of the Internet landscape.

There are security conferences, and then there is Virus Bulletin. While virtually all of the presentations are from researchers working at antimalware vendors and other security companies, the talks are quite technical and this year’s conference, which starts Wednesday in Geneva, Switzerland, features one most interesting speaker: Eric Davis of Google.

Locked in a cat-and-mouse game with spammers who use bots to defeat anti-fraud mechanisms and create fake accounts, Google today announced a deal to acquire reCAPTCHA, a company that provides those squiggly words at login screens.
The reCAPTCHA deal isn’t exactly a security transaction. Strategically, it gives Google an excellent crowd-sourcing tool to beef up its already impressive machine-vision algorithms (think book-scanning and maps) but, in the long run, the ability to use CAPTCHAs that are near-impossible for bots to decipher allows Google to raise the bar significantly in the fight against bots and spam.
