Network World

Security: Threat Alert

Jason Meserve provides up-to-the-minute news on vendor security alerts and fixes.

Major DoS vulnerabilities in TCP/IP
10/06/08
Yikes. Newly discovered (but yet to be disclosed) flaws in the TCP/IP protocol - the backbone of the Internet - could be exploited to launch denial-of-service attacks against virtually any device running any operating system, including firewalls and other security measures. According to reports, the researchers that discovered the flaws are working with vendors to repair the issue before releasing their findings to the general public. iPhone users weren't so lucky: A frustrated security researcher detailed two flaws he found in the popular Apple device after not hearing back from Cupertino on his July discovery.
Phishers and scammers use bleak economic news to lure victims
10/02/08
Lots of Phishing, Spam and Scam news today. Looks like the down economy is proving to be a lucrative lure for scammers, who are using the stock and credit market woes in phishing attacks featuring Bank of America and pump-and-dump scams for penny stocks. Also, 419 scammers are hacking e-mail accounts and sending out a plea for money to "friends" of the hacked account. Different, but still slimy.
Yet another Firefox update
09/29/08
Thought it was odd this morning that Firefox was asking me to install a new update when I had just done so late last week. Turns out Mozilla had to rush out another patch to fix a password vulnerability in the popular browser. Be on the lookout. Also, CA Service Desk users should download the latest update, which patches multiple flaws in the trouble ticket tracking system.
Inside the hacker underground
09/25/08
Tom Rusin, President of Affinion Security Center, has me scared that hackers are trading my personal and credit card information all over the Web. His company uses monitoring of underground chat rooms and other sources to help keep customers' credit safe, and he recently gave me a live look at the hacker underground in action. Amazing how much of this information is being traded every minute.
Web-based mail service not so secure
09/22/08
Much attention is being brought to Web-based mail security (or lack thereof) after last week's hack into vice presidential candidate Sarah Palin's Yahoo e-mail account. It seems all the major services are vulnerable to the same sort of password recovery hack used in the Palin case, so vendors are coming out with ways you can protect yourself and tips for the providers to offer better security for end users. The good news is, authorities seem to be hot on the trail of the Palin hacker.
Apple has its own Patch Tuesday
09/18/08
Apple Patch Tuesday came out of the blue this week with a new Mac OS X 10.5.5 update that fixes flaws in numerous systems, including a well-known DNS vulnerability. The company also released an update for Remote Desktop to fix a privilege flaw. Plus, there's a new Trojan on the march trying to infiltrate SQL Server systems.
DEMOFall features cool security technology
09/15/08
Last week's DEMOFall 08 generated a lot of press around the theme of "distributed Web", but there were a number of security-related technologies worthy of mention. My favorite among the bunch was Usable Systems' UsableLogin product, which promises single sign-on for Web sites using strong passwords and centralized management. Very slick.
Microsoft, Apple and Google release major fixes
09/11/08
Big names rolled out patches this week: Microsoft, Apple and Google, along with updates for Mandriva, Gentoo and Ubuntu. Microsoft's Patch Tuesday is only (only!) four critical patches, but touches some 42 different products/versions, making life difficult for those ensuring all systems are up-to-date. Google's Chrome update is interesting too because users must manually get the update, unlike competitor Firefox that automatically rolls out fixes to users. Finally, I did promise some DEMO coverage today, but will push that off until Monday. The 72 companies are all melded in my mind and I need to sort them out.
Will security products debut at big tech shows this week?
09/08/08
With some 120 new products being unveiled this week at the DEMOfall 08 and TechCrunch 50 events (I am at DEMOfall), it'll be interesting to see how many are enterprise security related. Usually, not many. But every once in a while one slips through, such as Lucent's Lojack-like system for laptops a few years ago. Hopefully we'll get a couple of new security entries that will help lock down networks while continuing to allow workers to remain productive. If so, I'll bring it to you in our Thursday newsletter. In the meantime, Microsoft's got four new critical patches coming on Tuesday.
Chrome dinged; Patches from Cisco
09/04/08
When will companies learn to stop proclaiming new products as the most secure? It only invites attacks. Just ask Google. The company touted its new Chrome browser as being built from the ground up and therefore not vulnerable to some of the same issues as other older browsers. Well, it only took 48 hours for flaws in Chrome to be uncovered. Granted, Chrome is only in "beta" at the moment, so that might buy Google some leeway, but from here, there's definitely a scratch on that shiny new Chrome.
VMware releases batch of updates
09/01/08
VMware is out with a batch of fixes for its systems that includes a new ActiveX control update designed to quell security issues related to Internet Explorer and updates for a range of other issues. Pidgin users should take heed and download the latest version of the open source IM client after the latest warning from The Zero Day Initiative about a flaw in the MSN chat protocol. And iPhone users will have to wait at least a few more days for a fix from Apple for the little flaw that allows locked iPhones to be opened with a few easy button pushes.
A new Perspective on Firefox security
08/28/08
Skimming the security headlines this week, one might think Carnegie Mellon University researchers' release of the Perspectives Add-on for Firefox came in reaction to news of Firefox 3.0's handling of certain SSL certificates. That was just a somewhat happy coincidence though, as the research team led by David Anderson, assistant professor of computer science at CMU, had been working on the plug-in for a good 18 months. At issue are self-signed SSL certificates and how they are handled by browsers. Some say Firefox does things correctly by popping up a warning, but the message itself can be confusing to end users. Anderson explains Perspectives' role in browser security on our Newsmaker of the Week podcast.
Phishers getting smarter
08/25/08
Phishing systems always seem a little...fishy. The login or rejected credentials page isn't quite right. There's always something to tip you off. A new phish for the Habbo Hotel site steals your info then logs you on to the site as if nothing were wrong. A nice man-in-the-middle approach that could leave the victim unaware that their credentials have been pilfered. Hopefully, site owners will figure out a way to prevent such an attack from working by barring the passing of login data from a potentially malicious site. One can hope.
Hackers get tricky with clipboard attack
08/21/08
Most attack vectors used by hackers and spammers would not be called "cunning" by researchers, but a new clipboard attack being launched against both PC and Mac users is being described as just that, cunning. Using some sort of Flash command embedded in ads, attackers are stuffing a user's clipboard with malicious URLs after visiting legitimate sites. Of course, the targeted user would then have to paste the URL into their location bar for the attack to be effective. What makes it cunning is that the attack does not seem to exploit any known vulnerability, it's just leveraging common system functions in an effort to trick users.
Cisco patches WebEx Meeting Manager
08/18/08
With Microsoft's monster Patch Tuesday now behind us, today's alerts seem light by comparison. WebEx power users will want to make sure they're using the latest update of WebEx Meeting Manager as previous versions contain a flaw that could result in malicious code running on the machine. Also, the peer-to-peer client uTorrent has a major update that fixes some serious flaws. And, VMware's CEO is apologizing for last week's minor spot of bother with his company's software that left customers unable to log in.
Patch Tuesday haul nets 11 fixes
08/14/08
Microsoft's monthly Patch Tuesday brought the largest haul of patches in quite some time and included another fix for the company's WSUS patch management tool for businesses. A previous fix in July didn't fix the initial problem entirely, so a second update was required. VMware users also have a bevy of patches to install, particularly the users that woke up to inoperable servers Tuesday due to a software bug. And Nokia phone users beware, a bug in the Java implementation for the Nokia Series 40 phones could allow hackers to make calls and record conversations on an affected phone.
Oracle emergency patch and a Microsoft Dozen
08/11/08
If the Black Hat/Defcon news over the weekend is not enough for you, Microsoft is delivering a dozen new updates tomorrow to keep your plate full. The updates cover most of Microsoft's major products, including critical fixes for Office, Windows, and Internet Explorer. Also, Oracle issued an out-of-cycle update for its Oracle WebLogic Server and Express products after announcing the flaw last week.
Adobe warns of fake Flash installers
08/07/08
With many security folks converging in Las Vegas for Black Hat, alerts have been a little slow this week. But there should be a ton of new patches and warnings coming over the next few days as more presenters at the conference unveil holes in systems and applications that will leave vendors scrambling for fixes. One thing to be wary of: fake Flash Player installers that could result in malicious code being downloaded to an affected system.
Apple finally releases DNS patch
08/04/08
Apple has gotten off the sidelines and patched its version of DNS, nearly a month after a researcher disclosed major issues with the naming system. The DNS update for Mac OS X is part of a broader security update from Apple. There are some reports from another researcher that the patch does not work, so be on the lookout for a potential follow-up patch from Apple.
Oracle looking at emergency patch for WebLogic
07/31/08
Oracle is departing from its regular quarterly patch schedule to fix a severe vulnerability in its popular WebLogic application servers. The problem lies in an Apache plug-in for WebLogic and is rated a 10 in severity. A workaround is available while Oracle engineers work on a permanent patch for the issue. Also, RealNetworks patched four critical bugs in its multimedia player and VMware released an update for its ESX service console packages that fixes a couple of flaws.
Dog Days of Summer
07/28/08
Hackers and cybercriminals must have taken the weekend off as things are slow today, or they're just gearing up for next week's Black Hat conference. If you're a Thunderbird user, a new update is available that fixes nine flaws. Also, Debian and Mandriva have a smattering of patches available. Enjoy the lull, it won't last.
Not all perfect with iPhone 2.0
07/24/08
Last month's iPhone 2.0 software upgrade, in addition to adding new features, fixed a number of security problems in previous generations of the software. Looks like it didn't fix enough. Security researcher Aviv Raff is reporting flaws in the iPhone's e-mail and Safari browser applications that could be exploited to spam the affected device. No one wants spam on their iPhone. Also today, there are two new patches available for the Asterisk IP PBX system.
MP3 worm and BlackBerry server patch
07/21/08
A new worm is targeting Windows-based audio by inserting links to malicious Web sites inside the file. The worm targets MP3 files on an infected machine and converts them to Windows ASF files, which can contain embedded links to Web material. No word on any mass infections yet. Also, RIM released a patch for a PDF bug in its BlackBerry Enterprise Server, which it warned about last week. An unpatched server could be a key entry point to a corporate network for hackers.
San Francisco case demonstrates insider threat
07/17/08
It's an IT shop's worst nightmare: All your systems are patched, intrusions are monitored and quarantined, virus-laden e-mails are turned away before they hit the mail server, but an insider wreaks havoc on your systems. The City of San Francisco is living that nightmare as a system admin changed all the passwords to key systems and refused to divulge the key. See all the dirty details in our related links area.
iPhone 2.0 upgrade with a side of security updates
07/14/08
While everyone was getting hot and bothered over the new iPhone 2.0 launch, Apple quietly slipped in some security updates for the first generation of iPhones. Turns out, some browser bugs in the original phone could be exploited by attackers to run malicious code on the device. Apple also patched flaws in Apple TV and Xcode tools this past week, making it a busy week for the security teams.

Jason Meserve is multimedia editor at Network World.
