Apple has shipped another Mac OS X monster update to fix a total of 25 documented vulnerabilities that could lead to arbitrary code execution attacks.With Security Update 2008-004, Apple fixes code execution flaws in Launch Services, SMB File Server, System Configuration, VPN and WebKit.
Staying on top of the latest in software/hardware security research, vulnerabilities, threats and computer attacks.
Violet Blue is the author of The Smart Girl's Guide to Privacy. She contributes to ZDNet, CNET, CBS News, and SF Appeal.
Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years
Another day, another gaping hole affecting fully patched versions of Microsoft's Internet Explorer browser.According to a warning from US-CERT, proof-of-concept exploit code has been published for a new zero-day bug that can be used for a variety of malicious attacks against Windows users running IE 6, IE 7, and IE 8 beta 1.
Eek, from Slashdot today:The FBI has confirmed to Popular Mechanics that it's not only adding palm prints to its criminal records, but preparing to balloon its repository of photos, which an agency official says 'could be the basis for our facial recognition.' It's all part of a new biometric software system that could store millions of iris scans within 10 years and has privacy advocates crying foul.
What would the perfect phishing attack from a social engineering perspective? The one that compared to using typosquatted domains impersonating the bank's web application directory structure is in fact using the bank's legitimate domain names as redirectors due to XSS flaws within.
I'm personally a huge fan of the Matasano blog, and have a lot of respect for their group. I took a peek over at their blog today and noticed an article by Dave Goldsmith that deals with "Vulnerability Reporting in a Web 2.
If you use Tor for anonymity/privacy on the Web, you might want to pay attention to this critical security announcement from project leader Roger Dingledine.According to the advisory, a known vulnerability in the Debian GNU/Linux distribution's OpenSSL package could allow an attacker to figure out private keys generated by these buggy versions of the OpenSSL library.
My colleague at Kaspersky Lab Roel Schouwenberg (see disclosure) has discovered a drive-by malware download taking advantage of what Microsoft describes as an Internet Explorer "feature" to launch cross-site scripting attacks.The attack, discovered at a compromised legitimate site, is using a modified GIF file to exploit the cross-site scripting feature/vulnerability.
A group of Dutch security researchers were able to clone the "smartcards" that commuters use to pay fares in the London Underground system, allowing the group to ride for free. This is an interesting attack vector that I actually talked to Adam Laurie about when I was at Black Hat Amsterdam.
What happens when the official domain names of the organizations that issue the domain names in general, and provide all the practical guidance on how the prevent DNS hijacking, end up having their own domain names hijacked? A wake up call for the Internet community.
Interesting bit of news coming out of the FIRST Conference in Vancouver today: Five big-name IT firms have created a non-profit consortium aimed at "proactively driving excellence and innovation in security response."The group -- called ICASI (Industry Consortium for Advancement of Security on the Internet) -- counts Cisco, IBM, Intel, Juniper Networks and Microsoft Corp among its founding members.