Guest Editorial by Dino Dai ZoviAs reported by Intego and Matasano Security, a new local privilege escalation vulnerability has been found that gives local root access on Mac OS X Tiger and Leopard.While Intego calls this a critical vulnerability, I'm mostly with Matasano's Thomas Ptacek on this one where I am saying this vulnerability is not nearly that serious.
Staying on top of the latest in software/hardware security research, vulnerabilities, threats and computer attacks.
Violet Blue is an outspoken and controversial author and journalist; she contributes to ZDNet, CNET, CBS News and SF Appeal.
Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years
A security researcher has released demo exploits for what appears to be a critical -- unpatched -- memory corruption vulnerability affecting the ubiquitous Microsoft Word software program.The proof-of-concept exploits accompany a warning that the flaw affects Microsoft Office 2000 and Microsoft Office 2003.
90% of all statistics can be made to say anything... 50% of the time, aka my thoughts on the Verizon report
** Update 06/23/2008: I realize I didn't do a very good job of talking about what we're reviewing here. This is in response to the statistics gathered by Verizon related to Forensic Analysis of Data Breaches over a four year span.
Security research Billy Rios posted an article today about the Apple Safari "Carpet Bomb" attack, discussing a new issue that, despite the patch which prevented a "blended" remote command execution attack when Safari was used in conjunction with IE on a Windows system, keeps the "Carpet Bomb" attack alive and well.
It appears that Google is using an invalid security certificate across many of its domains. If you type https://gmail.
A member of Apple's security team has discovered multiple serious security vulnerabilities in Ruby, the popular open-source scripting language.According to an advisory on the Ruby project site, Apple's Drew Yao reported at least six of the vulnerabilities, which can be exploited to cause a denial-of-service condition or the execution of arbitrary code.
A currently active phishing campaign is circulating across Facebook end users' walls, using already compromised accounts to post the phishing links, tricking the user into thinking it's a legitimate friend sending the message in order to redirect them to a fake login page. The campaign is taking advantage of multiple typosquatted domains which are in a fast-flux state, namely, they respond to multiple IP addresses and change them automatically every three minutes in this particular attack.
Sourcefire, the company behind the popular Snort intrusion detection system, has released a freeware utility to help identify potentially threatening Microsoft Office files.The tool, called OfficeCat, can be used to process Microsoft Office documents -- Word, PowerPoint, Excel and Publisher -- determine if possible exploit conditions exist.
Mozilla security chief Window Snyder (left) has confirmed the existence of a serious code execution vulnerability in the brand-new Firefox 3.0 browser.
In what amounts to a major about-face, Apple has patched the Safari "carpet bombing" vulnerability that led to a Safari-to-Internet Explorer remote code execution combo threat.After insisting for weeks that the issue is more of an irritant than a security risk, Apple today released Safari v3.