Network World

Security: Threat Alert

Jason Meserve provides up-to-the-minute news on vendor security alerts and fixes.

Chrome dinged; Patches from Cisco
09/04/08
When will companies learn to stop proclaiming new products as the most secure? It only invites attacks. Just ask Google. The company touted its new Chrome browser as being built from the ground up and therefore not vulnerable to some of the same issues as other older browsers. Well, it only took 48 hours for flaws in Chrome to be uncovered. Granted, Chrome is only in "beta" at the moment, so that might buy Google some leeway, but from here, there's definitely a scratch on that shiny new Chrome.
VMware releases batch of updates
09/01/08
VMware is out with a batch of fixes for its systems that includes a new ActiveX control update designed to quell security issues related to Internet Explorer and updates for a range of other issues. Pidgin users should take heed and download the latest version of the open source IM client after the latest warning from The Zero Day Initiative about a flaw in the MSN chat protocol. And iPhone users will have to wait at least a few more days for a fix from Apple for the little flaw that allows locked iPhones to be opened with a few easy button pushes.
A new Perspective on Firefox security
08/28/08
Skimming the security headlines this week, one might think Carnegie Mellon University researchers' release of the Perspectives Add-on for Firefox came in reaction to news of Firefox 3.0's handling of certain SSL certificates. That was just a somewhat happy coincidence though, as the research team led by David Anderson, assistant professor of computer science at CMU, had been working on the plug-in for a good 18 months. At issue are self-signed SSL certificates and how they are handled by browsers. Some say Firefox does things correctly by popping up a warning, but the message itself can be confusing to end users. Anderson explains Perspectives' role in browser security on our Newsmaker of the Week podcast.
Phishers getting smarter
08/25/08
Phishing systems always seem a little...fishy. The login or rejected credentials page isn't quite right. There's always something to tip you off. A new fish for the Habbo Hotel site steals your info then logs you on to the site as if nothing were wrong. A nice man-in-the-middle approach that could leave the victim unaware that their credentials have been pilfered. Hopefully, site owners will figure out a way to prevent such an attack from working by barring the passing of login data from a potentially malicious site. One can hope.
Hackers get tricky with clipboard attack
08/21/08
Most attack vectors used by hackers and spammers would not be called "cunning" by researchers, but a new clipboard attack being launched against both PC and Mac users is being described as just that, cunning. Using some sort of Flash command embedded in ads, attackers are stuffing a user's clipboard with malicious URLs after visiting legitimate sites. Of course, the targeted user would then have to paste the URL into their location bar for the attack to be effective. What makes it cunning is that the attack does not seem to exploit any known vulnerability, it's just leveraging common system functions in an effort to trick users.
Cisco patches WebEx Meeting Manager
08/18/08
With Microsoft's monster Patch Tuesday now behind us, today's alerts seem light by comparison. WebEx power users will want to make sure they're using the latest update of WebEx Meeting Manager as previous versions contain a flaw that could result in malicious code running on the machine. Also, the peer-to-peer client uTorrent has a major update that fixes some serious flaws. And, VMware's CEO is apologizing for last week's minor spot of bother with his company's software that left customers unable to log in.
Patch Tuesday haul nets 11 fixes
08/14/08
Microsoft's monthly Patch Tuesday brought the largest haul of patches in quite some time and included another fix for the company's WSUS patch management tool for businesses. A previous fix in July didn't fix the initial problem entirely, so a second update was required. VMware users also have a bevy of patches to install, particularly the users that woke up to inoperable servers Tuesday due to a software bug. And Nokia phone users beware, a bug in the Java implementation for the Nokia Series 40 phones could allow hackers to make calls and record conversations on an affected phone.
Oracle emergency patch and a Microsoft Dozen
08/11/08
If the Black Hat/Defcon news over the weekend is not enough for you, Microsoft is delivering a dozen new updates tomorrow to keep your plate full. The updates cover most of Microsoft's major products, including critical fixes for Office, Windows, and Internet Explorer. Also, Oracle issued an out-of-cycle update for its Oracle WebLogic Server and Express products after announcing the flaw last week.
Adobe warns of fake Flash installers
08/07/08
With many security folks converging in Las Vegas for Black Hat, alerts have been a little slow this week. But there should be a ton of new patches and warnings coming over the next few days as more presenters at the conference unveil holes in systems and applications that will leave vendors scrambling for fixes. One thing to be wary of, fake Flash Player installers that could result in malicious code being downloaded to an affected system.
Apple finally releases DNS patch
08/04/08
Apple has gotten off the sidelines and patched its version of DNS, nearly a month after a researcher disclosed major issues with the naming system. The DNS update for Mac OS X is part of a broader security update from Apple. There are some reports from another researcher that the patch does not work, so be on the lookout for a potential follow-up patch from Apple.
Oracle looking at emergency patch for WebLogic
07/31/08
Oracle is departing from its regular quarterly patch schedule to fix a severe vulnerability in its popular WebLogic application servers. The problem lies in an Apache plug-in for WebLogic and is rated a 10 in severity. A workaround is available while Oracle engineers work on a permanent patch for the issue. Also, RealNetworks patched four critical bugs in its multimedia player and VMware released an update for its ESX service console packages that fixes a couple of flaws.
Dog Days of Summer
07/28/08
Hackers and cybercriminals must have taken the weekend off as things are slow today, or they're just gearing up for next week's Black Hat conference. If you're a Thunderbird user, a new update is available that fixes nine flaws. Also, Debian and Mandriva have a smattering of patches available. Enjoy the lull, it won't last.
Not all perfect with iPhone 2.0
07/24/08
Last month's iPhone 2.0 software upgrade, in addition to adding new features, fixed a number of security problems in previous generations of the software. Looks like it didn't fix enough. Security researcher Aviv Raff is reporting flaws in the iPhone's e-mail and Safari browser applications that could be exploited to spam the affected device. No one wants spam on their iPhone. Also today, there are two new patches available for the Asterisk IP PBX system.
MP3 worm and BlackBerry server patch
07/21/08
A new worm is targeting Windows-based audio by inserting links to malicious Web sites inside the file. The worm targets MP3 files on an infected machine and converts them to Windows ASF files, which can contain embedded links to Web material. No word on any mass infections yet. Also, RIM released a patch for a PDF bug in its BlackBerry Enterprise Server, which it warned about last week. An unpatched server could be a key entry point to a corporate network for hackers.
San Francisco case demonstrates insider threat
07/17/08
It's an IT shop's worst nightmare: All your systems are patched, intrusions are monitored and quarantined, virus-laden e-mails are turned away before they hit the mail server, but an insider wreaks havoc on your systems. The City of San Francisco is living that nightmare as a system admin changed all the passwords to key systems and refused to divulge the key. See all the dirty details in our related links area.
iPhone 2.0 upgrade with a side of security updates
07/14/08
While everyone was getting hot and bothered over the new iPhone 2.0 launch, Apple quietly slipped in some security updates for the first generation of iPhones. Turns out, some browser bugs in the original phone could be exploited by attackers to run malicious code on the device. Apple also patched flaws in Apple TV and Xcode tools this past week, making it a busy week for the security teams.
DNS patches continue to pour in
07/10/08
Early this week, Microsoft said during its Patch Tuesday updates that the DNS fix was only "important," not critical. Turns out, it might be critical based on the widespread nature of the vulnerability. Most major vendors simultaneously released updates on Tuesday for the DNS flaw, which could be exploited to redirect legitimate Web sites to malicious locales. Also, Microsoft announced there is a Zero Day exploit out for Word 2002, a flaw not patched in this recent round of updates. That leaves some versions of Access and Word exposed to threats for potentially another month.
Access flaw found, not part of Patch Tuesday updates
07/07/08
Microsoft is warning of a new Access-based attack that is exploited when users visit a malicious Web site using Internet Explorer. Details are limited about exactly what is wrong with Access and the fix will not be included in today's Patch Tuesday release, meaning attackers potentially have another month to exploit the flaw. Microsoft will be patching four non-critical bugs today in its monthly update, including flaws in Exchange and SQL.
Apple, Mozilla stomp multiple bugs
07/03/08
With a long holiday weekend upon us, it's a good time to take a look at the various browsers on your system and make sure they're up to date. Why? According to one survey, 637 million users are running out-of-date browsers that put them at risk to malware and other threats. The timing is good as well since Mozilla just released a new Firefox 2 update that fixes a number of flaws and notes that it will end support for Version 2.0 sometime in December. Apple Mac OS X users also have 25 fixes to install this week. Happy 4th of July!
Microsoft plays Whack-a-Mole with fixes
06/30/08
Microsoft seems to have gotten its arms around a fix for Windows XP Service Pack 3 that crippled a number of machines. But while that fix is in progress, researchers are warning of a Zero-Day bug in Internet Explorer 6. Never a dull moment for the Redmondians. Also, we reported that the popular Ruby on Rails programming environment suffers from some flaws last week. This week, Linux vendors are coming out with patches for the environment.
Ruby on Rails suffers from serious flaws
06/26/08
Ruby on Rails programmers will want to take note of this newsletter: The company that oversees development of the coding language is warning of "serious" flaws in the system, which could be exploited to take over systems. Also, the major VOIP hardware vendors are issuing patches for a number of common flaws in their respective systems. And, Adobe has patched Acrobat to fix a flaw that could be used to take over a non-patched system.
Microsoft patches: Take Two
06/23/08
Microsoft is working on releasing updates to a couple of its recent patches after they were found to be ineffective in some cases. First, the critical Bluetooth patch that was part of this month's Patch Tuesday release does not fix Windows XP. And, an update for a flaw in Microsoft's corporate patch distribution system did not make its way to the company's Windows Server Update Service. Both new updates should be out shortly. Also, beware of the pesky Storm Worm, which seems to be making a resurgence and is masquerading as a porn scam.
Firefox 3: One day old, one vulnerability found
06/19/08
Firefox 3 isn't out a day and a new vulnerability has been found in the new browser revision. TippingPoint isn't disclosing exactly what the flaw is, but Mozilla is working on a fix. Also, Microsoft updated its patch system for corporations, and Cisco fixed a bug in its Intrusion Prevention System. And, check out our "Related Links" section for a story about a guy fired from his job for having porn, only to have evidence surface that he didn't download it, but spyware and other malicious files may have.
Enterprise customers still waiting for Patch Tuesday updates
06/16/08
It's been nearly a week since Microsoft's June Patch Tuesday security updates were released, but some corporate users are still waiting for updates because of a bug in Microsoft's patch distribution tools for enterprises. A fix is in the works and Microsoft is offering a workaround for those that want to push patches out ASAP. There's also a number of new phishing attack vectors hackers are using in attempt to lure personal information out of would-be victims.
Microsoft patches Bluetooth and more
06/12/08
Big week with 10 new fixes from Microsoft, including an interesting one to the company's Bluetooth stack, plus updates from OpenOffice.org, Apple for QuickTime, and the SNMPv3 protocol. Also, a couple of U.S. Congressmen have accused China of hacking into their government computers, systems that could include information on Chinese dissidents.

Jason Meserve is multimedia editor at Network World.
