Sep 24, 2007 2 pm
Multiple Google-targeted exploits disclosed in the past 3 days could compromise your GMail account, steal your pictures from Picasa or impersonate you on almost 200,000 big sites.
In the past 3 days, 4 interesting disclosures have been published:
Click for more on Multi Google Security Holes Revealed »
Sep 22, 2007 7 am
The names, Social Security numbers and credit information of 5,208 customers are leaked onto the LimeWire peer-to-peer file-sharing network.
Citigroup has confirmed that it’s investigating a data breach involving the names, Social Security numbers and credit information of 5,208 customers leaked by an employee of its ABN Amro Mortgage Group unit onto the LimeWire peer-to-peer file-sharing network.
Click for more on Citigroup Customer Data Leaked on P2P Network »
Sep 21, 2007 2 pm
In a Q&A with Scott Charney, the vice president of Trustworthy Computing at Microsoft, Charney suggests that security in Microsoft products has moved on from being the “laughing stock” of the IT industry to something more respectable.
He largely attributes this to the new Security Development Lifecycle implemented in development practices nearly six years ago. ‘The challenge is really quite often in dealing with unrealistic expectations. We still have vulnerabilities in our code, and we’ll never reduce them to zero. So sometimes we will have a vulnerability and people say to me, “So the [Security Development Lifecycle (SDL)] is a failure right?” No it isn’t. It was our aspirational goal that the SDL will get rid of every bug.’
[source]
Sep 21, 2007 1 pm
A new zero-day vulnerability involving Windows XP was reported today. This flaw could potentially allow a system to be remotely compromised.
The culprit in this instance is the implementation of the “FindFile()” function in the mfc42.dll and mfc42u.dll files bundled with the operating system. Older applications are still likely to link to these files.
Excerpt from Secunia:
The vulnerability is caused due to a boundary error in the “FindFile()” function of the CFileFind class in mfc42.dll and mfc42u.dll. This can be exploited to cause a heap-based buffer overflow by passing an overly long argument to the affected function.
Successful exploitation may allow execution of arbitrary code.
No patches have been announced for this vulnerability yet. Until one is available, applications that use this vulnerable library should check the length of user input before passing it to the affected function.
Sep 20, 2007 10 pm
A zero-day PDF vulnerability in Adobe’s Acrobat Reader has come to light that can lead to Windows boxes getting taken over completely and invisibly, according to a security researcher.
“All it takes is to open a [maliciously rigged] PDF document or stumble across a page which embeds one,” said researcher Petko D. Petkov, aka pdp, in a blog posting on Sept. 20.
Click for more on Critical Zero-Day PDF Bug Compromises Windows PCs »
Sep 20, 2007 12 pm
Microsoft has explained the [misleading] “back-door” in the Windows Update service.
It was widely reported last week that Microsoft had automatically updated systems that had Automatic Updates set to “Check for updates but let me choose whether to download and install them”. Nate Clinton, a Windows Update Program Manager at Microsoft, posted a response on his blog shortly after the widespread [misconceived] reporting had gone out.
Click for more on The Windows Update Stealth Affair Cleared »
Sep 20, 2007 2 am
Users running Firefox are vulnerable to IE flaws via files supported by Windows Media Player, a researcher shows.
Running Firefox or Opera as a default browser won’t save you from unpatched Internet Explorer vulnerabilities—a fact made explicit when a researcher showed how easy it is to put HTML inside files supported by Windows Media Player.
Researcher Petko D. Petkov said in a Sept. 18 blog posting that he’s found that a fully patched Windows XP Service Pack 2 system running Internet Explorer 6 or 7 along with Windows Media Player 9—the default, although the media player is now up to Version 11—will open any page of an attacker’s choice even if the default browser is not Internet Explorer.
Click for more on Firefox Won’t Save You from IE Flaws »
Sep 20, 2007 1 am
VMware users, update now!
VMware Workstation allows multiple operating systems to run on the same computer.
VMware Workstation is powerful virtual machine software for system administrators and developers who want to revolutionize software development, deployment and testing in their enterprise.
Essential features such as virtual networking, live snapshots, drag and drop and shared folders, and PXE support make VMware Workstation the most powerful and indispensable tool for enterprise IT developers and system administrators.
Click for more on VMWare Workstation Update: Various security fix, add support for Windows Server 2008 »
Sep 19, 2007 12 pm
Researcher David Maynor has published details of the controversial Apple Wi-Fi hack he disclosed at last year’s Black Hat conference.
Maynor had been under a nondisclosure agreement, which had previously prevented him from publishing details of the hack, but the NDA is over now. By going public with the information, Maynor hopes to help other Apple researchers with new documentation on things like Wi-Fi debugging and the Mac OS X kernel core dumping facility.
Click for more on Hacker Publishes Notorious Apple Wi-Fi Attack »
Sep 19, 2007 11 am
McAfee CEO David DeWalt says cyber-crime has become a US$105 billion business that now surpasses the value of the illegal drug trade worldwide.
Despite the increase in government compliance requirements and the proliferation of security tools, companies continue to underestimate the threat from phishing, data loss, and other cyber vulnerabilities, new McAfee CEO David DeWalt said Tuesday.
Click for more on Cybercrime Now Worth $105 Billion, Bypasses Drug Trade »