Monthly Archive for August, 2009
Microsoft today issued a raft of software updates to plug at least 19 security holes in its various Windows operating systems and other software, 15 of which earned the company's most dire "critical" rating. This month's batch of patches fix some fairly dangerous flaws. Redmond labels a security flaw "critical" if attackers could use it to seize control over a vulnerable system without any help from the victim. What's more, a dozen of the flaws earned the highest rating on Microsoft's "exploitability index," which is the software maker's best estimation of the likelihood that criminals will soon develop reliable ways to exploit them to break into Windows-based machines. Patches are available for Windows 2000, XP, Vista, Windows Server 2003 and Windows Server 2008. Microsoft said none of the vulnerabilities affect Windows 7, its newest operating system. Windows users can download the updates from Windows Update or via Automatic Updates Many
The theories behind who and what attacked Twitter and Facebook yesterday -- causing intermittent outages at each -- are flying like so many tweets across the Internet. The prevailing theory suggests that the outage was due to a cyber skirmish stemming from simmering tensions between Russia and Georgia. CNet and CNN place blame for the incident on an elaborate, politically motivated vendetta timed to coincide with the one year anniversary of the Russia-Georgia war, a brief but costly skirmish in August 2008 accompanied by cyber attacks on Georgian government Web sites. In short: the outage at Twitter (and to a lesser extent Facebook & LiveJournal) was due to an effort to silence an anti-Russian blogger from Tbilisi who has been calling attention to a recent resurgence of tensions in the region. CNet cites Facebook's Chief Security Officer Max Kelly saying that a political blogger using the online name "Cyxymu" -
Hackers broke into more than a dozen Web sites for members of the U.S. House of Representatives in the past week, replacing portions of their home pages with digital graffiti, according House officials. The landing pages at house.gov for Reps. Duncan Hunter (R-Calif.), Jesse L. Jackson, Jr. (D-Ill.), and Spencer Bachus (R-Ala.) were among at least 18 member pages that were defaced in a series of break-ins that apparently began earlier this month, according to zone-h.com, a site that archives evidence of Web site attacks. Adam Bozzi, a spokesman for Rep. Harry Mitchell (D-Ariz.), confirmed that Mitchell's site was among those hacked. Bozzi said it appears the attackers broke in by guessing passwords used to administer the site. Bozzi said the messages that the hackers left behind had been erased, and that his office now has stronger passwords for the site. The hackers replaced portions of the member pages with
Security researchers today unveiled details about a little-known but ubiquitous class of vulnerabilities that may reside in a range of Internet components, from Web applications to mobile and cloud computing platforms to documents, images and instant messaging products. At issue are problems with the way many hardware and software makers handle data from an open standard called XML. Short for "eXtensible Markup Language," XML has been used for many years as a fast and efficient way to transport, store and structure information across a wide range of often disparate applications. Researchers at Codenomicon Ltd., a security testing company out of Oulu, Finland, say they found multiple critical flaws in XML "libraries," chunks of code that are typically used and re-used in software applications to process XML data. Codenomicon is a spinoff from the University of Oulu, and is run by many of the same individuals who in 2001-2002 found and
Faced with a recent surge in the number of malicious software programs using its micro-blogging service to spread, Twitter is making an effort to block users from posting links to known malicious Web sites. The initiative, first noted in a blog posting by Finnish anti-virus maker F-Secure Corp., involves the use of Google's Safe Browsing program, which the search giant uses to prevent Internet users from visiting Web sites that Google's bots have flagged for installing malicious software. "Our Safety and Security team has been using the Safebrowsing API for many months," Twitter co-founder Biz Stone wrote in a reply to an inquiry by Security Fix. Web sites flagged in Google searches by the Safe Browsing bots are generally accompanied by a warning under the search result listing that reads: "This Site May Harm Your Computer." If you ignore that warning and click the link anyway, Google will try to
Apple has issued a security update for the iPhone. The patch fixes a vulnerability demonstrated recently at a hacker conference in Las Vegas, where security researchers showed they could hijack an iPhone simply by sending it a series of booby-trapped text messages. Apple's patch comes in response to research revealed at last week's Black Hat security conference, by well-known Apple hacker Charlie Miller and co-presenter Collin Mulliner, a Ph.D. student in telecommunications security at the Technical University of Berlin. The two showed that a specially designed text-message barrage could allow attackers to hijack various iPhone core functions, such as making calls and turning on the device's microphone and camera. The update is available only through iTunes, which should auto-detect that the update is available. If it doesn't, or you don't want to wait around for an auto-update notice (Apple says that process can take up to a week), click the
