|
Post by towhom on Jul 7, 2009 6:55:03 GMT 4
Microsoft warns of serious computer security hole
Technology Review / arXiv Blogs
Monday, July 06, 2009
www.technologyreview.com/wire/22963/

SAN JOSE, CA -- Microsoft Corp. has taken the rare step of warning about a serious computer security vulnerability it hasn't fixed yet. The vulnerability disclosed Monday affects Internet Explorer users whose computers run the Windows XP or Windows Server 2003 operating software.

It can allow hackers to remotely take control of victims' machines. The victims don't need to do anything to get infected except visit a Web site that's been hacked. Security experts say criminals have been attacking the vulnerability for nearly a week. Thousands of sites have been hacked to serve up malicious software that exploits the vulnerability. People are drawn to these sites by clicking a link in spam e-mail.

The so-called "zero day" vulnerability disclosed by Microsoft affects a part of its software used to play video. The problem arises from the way the software interacts with Internet Explorer, which opens a hole for hackers to tunnel into.

Microsoft urged vulnerable users to disable the problematic part of its software, which can be done from Microsoft's Web site, while the company works on a "patch" -- or software fix -- for the problem. Microsoft rarely departs from its practice of issuing security updates the second Tuesday of each month. When the Redmond, Wash.-based company does issue security reminders at other times, it's because the vulnerabilities are very serious.

A recent example was the emergency patch Microsoft issued in October for a vulnerability that criminals exploited to infect millions of PCs with the Conficker worm. While initially feared as an all-powerful doomsday device, that network of infected machines was eventually used for mundane moneymaking schemes like sending spam and pushing fake antivirus software.

On the Net - Microsoft support page: support.microsoft.com/kb/972890#FixItForMe
|
|
|
Post by towhom on Jul 11, 2009 0:07:00 GMT 4
'Critical' DirectX patch in Microsoft security updates
ZDNet News & Blogs / Technology
Posted on ZDNet News: Jul 10, 2009 4:32:59 AM
news.zdnet.com/2100-9595_22-319409.html?tag=nl.e539

Microsoft said on Thursday that it will issue six security updates on Patch Tuesday next week, including a critical one that will fix two outstanding holes in DirectX that have been targeted in attacks.

In May, Microsoft announced that there had been attacks against a DirectX vulnerability that could allow someone to take complete control of a computer using a maliciously crafted QuickTime file.

Earlier this week, Microsoft warned of attacks being launched that exploit a hole in the Video ActiveX Control when used in Internet Explorer for recording and playing video in DirectShow. Microsoft offered a workaround on Monday for that hole, which reportedly it had known about since last year.

The ActiveX control vulnerability was likely independently rediscovered by malicious hackers or leaked through the Microsoft Active Protection Program which the company uses to share early security information with third-party vendors, according to a statement from security firm Rapid7.

Asked for comment, a Microsoft spokeswoman provided a statement that said: "Microsoft received the original, private report from Ryan Smith and Alex Wheeler with IBM ISS X-Force in the early Spring of 2008. The company did not share any information with MAPP partners about the reported Video ActiveX Control vulnerability until immediately before the advisory posting on Monday."

The critical vulnerabilities affecting various Windows versions all could allow an attacker to run code remotely, while one of the non-critical holes involving Virtual PC and Virtual Server would allow remote code execution and the other non-critical holes could allow elevation of privilege.

Affected software for the critical updates is Windows 2000, Windows XP, Windows Vista, Windows Server 2003 and 2008. The versions of DirectX affected are DirectX 7.0, 8.1 and 9.0. The non-critical updates affect 2007 Microsoft Office System Service Pack 1, Microsoft Internet Security and Acceleration Server 2006, Microsoft Virtual PC 2004 and 2007, and Microsoft Virtual Server 2005 R2.

This article was originally posted on CNET News.
|
|
|
Post by towhom on Jul 11, 2009 6:20:21 GMT 4
Web Attacks Highlight a Bigger Problem
DDoS attacks are a symptom of a common illness, albeit with an elusive cure.
Technology Review / arXiv Blogs
Friday, July 10, 2009
www.technologyreview.com/blog/editors/23824/

Mystery still surrounds this week's distributed denial of service (DDoS) attacks on U.S. and South Korean websites, and while speculation points to North Korea as the source, it's likely that we'll never know for certain. The use of a botnet--thousands of infected computers--by definition obscures the identity of the attacker, and with thousands of IP addresses involved, they're hard to trace back to the source.

An article in the Wall Street Journal points out politically motivating factors that implicate North Korea: the timing can be linked to North Korea's most recent missile launches, as well as new U.N. sanctions announced last week. Wednesday was also the fifteenth anniversary of the death of Kim Il-Sung, the former leader of the DPRK.

Even so, the attacks appear to be relatively unsophisticated. Jose Nazario of Arbor Networks, a company that monitors internet traffic and DDoS attacks, calls them "amateurish" due to a mix of approaches cobbled together using a five- or six-year-old malcode that wasn't particularly well hidden. It's also only a moderately sized attack--at 25 megabits per second--though it involves just over 100,000 bots, concentrated heavily in South Korea. What's most interesting, says Nazario, is the coordination of attacks on both U.S. and South Korean government and commercial sites.

While the attacks made headlines, DDoS is a common problem that happens to big companies every day, and far more aggressively than these hits to government and commercial sites. The White House, NSA, State Department and Department of Defense, after all, are not high traffic moguls like Google or Amazon, which get attacked daily and have built up their own in-house defenses, says Hal Roberts, of Harvard's Berkman Center for Internet and Society.

We just don't hear about Amazon or Google getting attacked, Roberts says, because it happens so frequently and doesn't bring down their sites. "There are literally hundreds, if not thousands [of attacks] going on in any given time," says Roberts.

If two governments were to really go at it in cyberspace, Arbor Networks' Nazario says they would more likely target key nodes like voice exchange points to inflict real pain or disrupt communications, or they could go after each other's secrets, similar to the "Titan Rain" attacks that began in 2003, where government and academic research computers were mined for secret project information. Stealing or modifying data, says Nazario, would have a much bigger impact than overwhelming websites.
|
|
|
Post by towhom on Jul 14, 2009 1:54:49 GMT 4
Apple plugs dangerous Safari security holes
ZDNet News & Blogs / Technology
Posted by Ryan Naraine July 8th, 2009 @ 6:05 pm
blogs.zdnet.com/security/?p=3720&tag=nl.e550

Apple has released Safari 4.0.2 to fix a pair of security flaws that could lead to cross-site scripting or remote code execution attacks. The vulnerabilities affect Safari for Windows (XP and Vista) and Mac OS X. Here are the raw details:

- CVE-2009-1724: An issue in WebKit’s handling of the parent and top objects may result in a cross-site scripting attack when visiting a maliciously crafted website. This update addresses the issue through improved handling of parent and top objects.
- CVE-2009-1725: A memory corruption issue exists in WebKit’s handling of numeric character references. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This update addresses the issue through improved handling of numeric character references.
Safari 4.0.2 is available via the Apple Software Update application or Apple’s Safari download site.
|
|
|
Post by towhom on Jul 14, 2009 1:58:57 GMT 4
'Critical' DirectX patch in Microsoft security updates
ZDNet News & Blogs / Technology
Posted on ZDNet News: Jul 10, 2009 4:32:59 AM
news.zdnet.com/2100-9595_22-319409.html?tag=nl.e539

Microsoft said on Thursday that it will issue six security updates on Patch Tuesday next week, including a critical one that will fix two outstanding holes in DirectX that have been targeted in attacks.

Just a reminder - tomorrow is MicroSnot Patch Tuesday - the DirectX holes' patches are included.
So - update, update, update!
|
|
|
Post by towhom on Jul 14, 2009 2:14:06 GMT 4
UPDATE: CA antivirus trashing Windows system files
ZDNet News & Blogs / Technology
Posted by Adrian Kingsley-Hughes July 9th, 2009 @ 10:50 am
blogs.zdnet.com/hardware/?p=4899&tag=nl.e550

A tipster just pointed me to the CA support forums where there’s a lot of chatter about CA Anti-Virus misidentifying key Windows system files as malware. Here are the kinds of messages that people are seeing:

- 7/8/2009 16:58:31 PM File infection: C:\WINDOWS\system32\net.exe is Win32/AMalum.ZZNPB infection. Quarantined
- 7/8/2009 16:58:32 PM File infection: C:\WINDOWS\system32\netsh.exe is Win32/AMalum.ZZOKH infection. Quarantined
- 7/8/2009 16:58:38 PM File infection: C:\windows\SERVIC~1\i386\net.exe is Win32/AMalum.ZZNPB infection. Quarantined
- 7/8/2009 16:58:38 PM File infection: C:\windows\ServicePackFiles\i386\net.exe is Win32/AMalum.ZZNPB infection.
- 7/8/2009 16:58:38 PM File infection: C:\windows\SERVIC~1\i386\netsh.exe is Win32/AMalum.ZZOKH infection. Quarantined
- 7/8/2009 16:58:39 PM File infection: C:\windows\ServicePackFiles\i386\netsh.exe is Win32/AMalum.ZZOKH infection.
- 7/8/2009 16:58:42 PM File infection: C:\WINDOWS\system32\reg.exe is Win32/AMalum.ZZOAF infection. Quarantined
- 7/8/2009 16:58:47 PM File infection: C:\windows\SERVIC~1\i386\reg.exe is Win32/AMalum.ZZOAF infection. Quarantined
- 7/8/2009 16:58:47 PM File infection: C:\windows\ServicePackFiles\i386\reg.exe is Win32/AMalum.ZZOAF infection.
- 7/8/2009 16:58:49 PM File infection: C:\WINDOWS\system32\verclsid.exe is Win32/AMalum.ZZNRA infection. Quarantined
The problem mainly affects Windows XP SP3, but users of other versions of Windows are also claiming to see the problem. Following the quarantining of the files users will be faced by a dialog box warning them that system files have been changed and that it may make the system unstable.

This problem seems to have started yesterday and some users who called up tech support were told that a fix would be forthcoming. A fix was released but for some this just seemed to bring more misery. If you are affected then try updating the malware signatures and then un-quarantining the files and see if that works for you.

What makes it doubly frustrating for users is that there’s been no official word from CA about this issue. If you accidentally deleted the quarantined files then the instructions here should help you put them back.

This seems like a huge blunder and it’s hard to see how it wasn’t caught out at the testing stage before the update was released to customers. It’s also a fine example of how software that’s supposed to protect you from malware can actually turn out to be very toxic to your system.

[UPDATE: CA apologizes for the blunder.]

I do know that Time Warner Cable / Roadrunner offers the CA Security Suite to its ISP users free. I am sure there are other ISP groups that offer this security suite, too.
Hopefully this hasn't been a problem for the GT members.
|
|
|
Post by towhom on Jul 16, 2009 4:06:51 GMT 4
The newsletter has the following article listed as "Patch Now or Build a Bomb Shelter":

MS Patch Tuesday: 9 bulletins, 6 rated critical
ZDNet News & Blogs / Security
Posted by Ryan Naraine July 14th, 2009 @ 11:20 am
blogs.zdnet.com/security/?p=3739&tag=nl.e550

Microsoft today released six bulletins with fixes for at least nine documented security vulnerabilities in a range of products that put users at risk of malicious hacker attacks. At least two of the vulnerabilities are currently being attacked in the wild so it’s imperative that Windows users and administrators treat these patches with the highest possible priority.

Of the six bulletins in the July batch of patches, three are rated “critical,” Microsoft’s highest severity rating.

[ SEE: Dangerous Microsoft DirectX vulnerability under attack ]

They are:

- MS09-029: This covers two privately reported vulnerabilities in the Microsoft Windows component, Embedded OpenType (EOT) Font Engine. The vulnerabilities could allow remote code execution. Rated “critical” for all supported editions of Microsoft Windows 2000, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.
- MS09-028: This update fixes three separate vulnerabilities (one publicly disclosed and under attack!) in Microsoft DirectShow. The vulnerabilities could allow remote code execution if a user opened a specially crafted QuickTime media file.
- MS09-032: This security update resolves a privately reported vulnerability in Microsoft Video ActiveX Control. The vulnerability could allow remote code execution if a user views a specially crafted Web page using Internet Explorer that uses the ActiveX control. This vulnerability is currently being exploited in the wild! Rated “critical” for all supported editions of Windows XP and “moderate” for all supported editions of Windows Server 2003.
Three other bulletins were issued to cover a solitary bug (rated “important”) in Microsoft Virtual PC and Microsoft Virtual Server; a privilege escalation issue in Microsoft Internet Security and Acceleration (ISA) Server 2006; and a remote code execution hole in Microsoft Office Publisher. It’s important to keep in mind that another ActiveX control vulnerability has been confirmed by Microsoft but is not yet patched. This is also being exploited in the wild. Microsoft has shipped a Fix it tool to assist users in mitigating the risks associated with this vulnerability.
|
|
|
Post by towhom on Jul 16, 2009 4:20:33 GMT 4
Remote code execution exploit for Firefox 3.5 in the wild
ZDNet News & Blogs / Security
Posted by Dancho Danchev July 14th, 2009 @ 11:55 am
blogs.zdnet.com/security/?p=3743

A zero day exploit (Firefox 3.5 Heap Spray Vulnerability) affecting Mozilla’s latest Firefox release has been published in the wild. Through an error in the processing of JavaScript code in ‘font tags’ malicious attackers could achieve arbitrary code execution and install malware on the affected hosts.

There’s no indication of its use on a global scale just yet, however due to the fact that the PoC is now public, it shouldn’t take long before cybercriminals embed it within the diverse exploits set of their web malware exploitation kits, allowing it to scale.

More details on the mitigation and the exploit itself:

“Mozilla Firefox is prone to a remote code-execution vulnerability. Successful exploits may allow an attacker to execute arbitrary code in the context of the user running the affected application. Failed attempts will likely result in denial-of-service conditions. The issue affects Firefox 3.5; other versions may also be vulnerable.
NOTE: Remote code execution was confirmed in Firefox 3.5 running on Microsoft Windows XP SP2. A crash was observed in Firefox 3.5 on Windows XP SP3.”

Additional testing courtesy of heise Security indicates the exploit crashed Firefox under Vista, and that when tested under Windows 7 RC1 a dialog abortion script appeared. In terms of mitigation, NoScript works like a charm, successfully detecting the PoC’s attempt to access file://.

Additional Article:

Attack code posted for unpatched Firefox 3.5 flaw
ZDNet News & Blogs / Security
Posted by Ryan Naraine July 14th, 2009 @ 1:41 pm
blogs.zdnet.com/security/?p=3749&tag=nl.e550

Mozilla’s security response team is scrambling to respond to the release of exploit code for a gaping hole in the latest version of its flagship Firefox browser. The flaw, rated “highly critical” by Secunia, puts millions of Firefox users at risk of remote code execution attacks.

The vulnerability is caused due to an error when processing JavaScript code handling e.g. “font” HTML tags and can be exploited to cause a memory corruption. Successful exploitation allows execution of arbitrary code. The vulnerability is confirmed in version 3.5. Other versions may also be affected.

Exploit code has been published at Milw0rm. In the absence of a fix, Firefox users and administrators should immediately disable JavaScript. The US-CERT has a valuable document (Securing Your Web Browser) with instructions to help mitigate the risks associated with browser vulnerabilities.
|
|
|
Post by fr33ksh0w2012 on Jul 19, 2009 13:52:31 GMT 4
THIS IS COOL!!
|
|
|
Post by towhom on Jul 29, 2009 7:21:18 GMT 4
Researcher: Update and You're Owned
Technology Review / arXiv Blogs
Monday, July 27, 2009
www.technologyreview.com/blog/unsafebits/23904/

Hundreds of applications that use software updates are making computers more vulnerable to attack.

Automatic updating, if done right, can help eliminate the threat of known security vulnerabilities before attackers start exploiting the flaws. Done wrong, however, the updating process itself becomes an efficient way for attackers to install their code on the victim's system.

One security researcher has found that at least a hundred programs use an update process that puts their users at risk. How? A computer on the same network as the target machine--think public wireless network--intercepts a message requesting the most recent software update, replies that there is a more recent version available, and then provides malicious code that will be installed through the update process, explains Itzik Kotler, security-operations-center team leader for security firm Radware.

"Every security guru will tell you that you have to patch, have a firewall, and have your antivirus updated," Kotler says. "However, if [someone] attack the update channel, none of those protections will stop [him] from putting [harmful] code on the system."
The problem is that many programs use a simple Web request to the software developers' server, through the hypertext transfer protocol (HTTP), to check for an update. Without encryption, a malicious attacker on the same network can see the request and immediately reply to it, far faster--in Internet time--than a server out on the Web. The attack convinces the software running on the victim's machine that the attacker's computer is the legitimate update server, Kotler says.
"I came to the conclusion that the majority of the applications--we have over 100 now--download a file through a simple HTTP request to the vendor Web site," he says.
The issue affects some major applications, including popular instant messaging and document software, according to Kotler, who asked that the names of the software not be divulged. Among the applications whose update feature does not have the problem: Microsoft's Office. Microsoft, which has focused on locking down its software since it announced the Trustworthy Computing Initiative in 2002, uses encryption to secure its update requests. [Note: The problem with MicroSnot is they are doing some updating without your consent. It doesn't matter what your "Automatic Update" settings are (like "Download but I will select the install" or "Notify me of updates"). The only way to stop this is to turn off "Automatic Update" - then your machine has a heart attack... ]
Thinking about the security of the update system is uncommon, Kotler says. Software developers typically believe that sending an unencrypted request through the Internet is secure.
"You can't say that they have neglected anything or done anything wrong," he says. "The assumption that the infrastructure is secure is a very natural one for many people."
While the attacker needs to be on the same network as the victim for the initial infection, after that, the malicious program could use the same technique to infect anyone that checks for updates in the presence of a compromised machine, Kotler says.
"I can basically create an airborne attack," he says.
The attack can be blunted by making sure that programs do not update on an untrusted network. Security-conscious users should also make sure that all programs notify them when updating.
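An added example, not part of the article or the post: one way an update client can refuse the spoofed reply described above is to trust only a manifest signed by a vendor key pinned in the installed application, which goes beyond the article's advice about untrusted networks. The manifest format, Ed25519 as the signature scheme, the function names and the `example.invalid` URLs are all assumptions made for this sketch, and every payload and key below is constructed sample data.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is a hypothetical update descriptor; the field names are assumptions.
type Manifest struct {
	Build  int    `json:"build"`  // monotonically increasing build number
	URL    string `json:"url"`    // where the payload is fetched from
	SHA256 string `json:"sha256"` // hex digest of the payload
}

// VerifyUpdate accepts an update only if the manifest is signed by the key
// pinned in the installed application and the payload matches the manifest.
func VerifyUpdate(pinned ed25519.PublicKey, manifest, sig, payload []byte, installed int) (*Manifest, error) {
	// Authenticate the raw bytes before trusting any field inside them.
	if !ed25519.Verify(pinned, manifest, sig) {
		return nil, errors.New("bad signature")
	}
	var m Manifest
	if err := json.Unmarshal(manifest, &m); err != nil {
		return nil, errors.New("malformed manifest")
	}
	// Even a signed manifest must not send the client to a cleartext download.
	if u, err := url.Parse(m.URL); err != nil || u.Scheme != "https" {
		return nil, errors.New("insecure url")
	}
	// Refuse a replayed, validly signed manifest for an older build.
	if m.Build <= installed {
		return nil, errors.New("not newer")
	}
	want, err := hex.DecodeString(m.SHA256)
	sum := sha256.Sum256(payload)
	if err != nil || !bytes.Equal(want, sum[:]) {
		return nil, errors.New("digest mismatch")
	}
	return &m, nil
}

// sign builds and signs a manifest; it exists only to construct sample data.
func sign(priv ed25519.PrivateKey, build int, rawURL string, payload []byte) (manifest, sig []byte) {
	sum := sha256.Sum256(payload)
	manifest, _ = json.Marshal(Manifest{Build: build, URL: rawURL, SHA256: hex.EncodeToString(sum[:])})
	return manifest, ed25519.Sign(priv, manifest)
}

// Scenarios feeds constructed update responses to VerifyUpdate and returns
// "accepted" or the rejection reason for each one.
func Scenarios() map[string]string {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(nil)
	_, otherPriv, _ := ed25519.GenerateKey(nil) // a key the vendor does not hold
	good := []byte("constructed installer bytes, build 210")
	evil := []byte("constructed substitute payload")
	const dl = "https://updates.example.invalid/app-210.bin"

	out := map[string]string{}
	run := func(name string, m, s, p []byte) {
		if _, err := VerifyUpdate(vendorPub, m, s, p, 203); err != nil {
			out[name] = err.Error()
		} else {
			out[name] = "accepted"
		}
	}
	m, s := sign(vendorPriv, 210, dl, good)
	run("genuine", m, s, good)
	// A host on the local network answers first with its own manifest.
	fm, fs := sign(otherPriv, 999, "http://192.0.2.10/update.bin", evil)
	run("forged manifest", fm, fs, evil)
	// The genuine manifest is relayed but the download is swapped.
	run("swapped payload", m, s, evil)
	// An old, validly signed manifest is replayed.
	om, osig := sign(vendorPriv, 190, dl, good)
	run("replayed old build", om, osig, good)
	// Vendor-signed manifest that points at a cleartext download.
	hm, hs := sign(vendorPriv, 210, "http://updates.example.invalid/app-210.bin", good)
	run("cleartext url", hm, hs, good)
	return out
}

func main() {
	for name, result := range Scenarios() {
		fmt.Printf("%-20s %s\n", name, result)
	}
}
```

Because the signature check depends on a key shipped with the application rather than on who answers the request first, the outcome is the same whether the reply arrives over HTTP or HTTPS.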
|
|
|
Post by towhom on Jul 29, 2009 19:09:34 GMT 4
Microsoft issues emergency patch for IE
ZDNet News & Blogs
Posted on ZDNet News: Jul 29, 2009 4:53:00 AM
news.zdnet.com/2100-9595_22-325863.html?tag=nl.e589

Microsoft released an emergency patch on Tuesday to protect Internet Explorer users from a hole in technology used to build ActiveX controls and other web application components that has been targeted in attacks.

A critical patch for all versions of IE will protect consumers, while a security update for Visual Studio will help developers fix the controls and components they built that could be affected.

Microsoft also has had discussions with Adobe, Sun and Google about some components involving their software that are affected, said Mike Reavey, director of the Microsoft Security Response Center. He declined to elaborate.

Internet Explorer users running Flash Player and Shockwave Player are vulnerable, Adobe said in a blog post that contains links to the Adobe security bulletins for those products.

A Google representative said the company has been working with Microsoft on the issues but declined to comment further. And a Sun representative did not respond to a call seeking comment.

Cisco will release free software updates for any of its software that is affected by the vulnerability and is making available workarounds that mitigate the issue, the company said in a detailed advisory.

The company released two security updates that deal with a vulnerability in Microsoft's Active Template Library, which is used to build components for web applications and which could be targeted to take control of the computers of web surfers visiting sites hosting malicious code.

The critical update, MS-09034, is targeted at IE users. The other update, MS-09035, is targeted at Visual Studio developers, and is rated moderate. It affects Visual Studio 2005 and 2008.

"A library can get used in a lot of places, and vulnerabilities in libraries are challenging," Reavey said. "It's an industry-wide problem when [vulnerabilities] do happen."

"The vulnerability is in the controls, not IE; however, to provide protections while developers update the controls, IE (versions that are patched will block attacks)," he said.

The company warned on Friday that a security update would come on Tuesday instead of waiting for the next Patch Tuesday cycle on 11 August. This is only the ninth out-of-band release Microsoft has had, according to Reavey.

Microsoft first warned about the ActiveX issue on July 6, saying a vulnerability in its Video ActiveX Control could allow an attacker to take control of a PC if the user visits a malicious website and attackers were exploiting the hole. The company offered a workaround for the issue.

During the July Patch Tuesday release the following week, Microsoft still did not have a patch ready and was recommending a manual 'kill bit' method to disable ActiveX, or sending customers to a 'Fix it for me' website.

However, researchers figured out a way to get around the kill bit protection mechanism, thus rendering it ineffective and exposing the system to attack, said Eric Schultze, chief technology officer at Shavlik Technologies.

"Some security researchers found that they were able to bypass the kill bit function and still execute certain controls," Schultze said in a statement on Tuesday. "A presentation on how this is done is slated for tomorrow afternoon at the Black Hat Conference [in Las Vegas]."

Reavey said: "We were aware of limited attacks on the Microsoft kill bit control where the underlying issue was this vulnerability. As a result of those attacks we released the bulletin to protect customers...but that created chatter. We saw more details released and we had these updates ready so we released them now instead of waiting for [attacks] to get worse."

The IE patch also resolves three privately reported vulnerabilities that could allow remote code execution if a user views a specially crafted web page using the browser.

Tyler Reguly, senior security researcher for nCircle, criticised Microsoft for not fixing the underlying issue with a proper patch and said the update could put other software vendors at risk.

"Although Microsoft has protected against the kill bit bypass and has patched the public ATL vulnerabilities, there has been no mention or reference to fixing the issue in msvidctl.dll itself," he wrote in a statement.

"One has to question what the release of the ATL patch means for other software vendors," Reguly added. "We also have to wonder if they are now more vulnerable than they were previously. They now have to obtain this patch and recompile and release their tools.

"This means until that process can occur, malicious individuals can reverse the patches to pinpoint each of the vulnerabilities and target third-party software. It's a race to see who will get there first, and the vendors didn't get a head start."

In response, a Microsoft representative provided this comment: "As part of our overall response to the ATL issue, we are continuing our investigation for Microsoft components and controls that may be affected by the ATL issue and will update customers as appropriate throughout the process."

More information about the vulnerabilities and fixes in Microsoft advisory 973882 are available on the TechNet site.

This article was originally posted on CNET News.

Yeah, I know...that "Automatic Update" article...
Ignore the "Automatic Update" shield. Run Windows or Microsoft Update from your start menu. Let it run its complete cycle. These updates will appear. Let them download and run. Your system will require a restart.
BTW - Mozilla and Foxfire have critical updates pending, too. Run those from their sites, if possible. The same with Adobe - NEVER update Adobe products via a link. Access their site directly and use the "Support/Downloads" tabs. Offsite Adobe links are major targets for corrupted or compromised downloads (Acrobat Reader, Flash and Shockwave).
Hope this helps.
|
|
|
Post by towhom on Aug 4, 2009 23:55:36 GMT 4
Hacker demos persistent Mac keyboard attack
ZDNet News & Blogs / Technology
Posted by Ryan Naraine August 3rd, 2009 @ 8:55 am
blogs.zdnet.com/security/?p=3851&tag=nl.e539

Apple’s sleek $49 Mac keyboards can be hacked and infected with keystroke loggers and impossible-to-detect rootkits, according to a security researcher presenting at this year’s Black Hat/DEFCON conferences.

The researcher, known only as “K. Chen,” found a way to reverse engineer and tamper with the keyboard’s firmware upgrade. With the firmware under control, an attacker can subvert the keyboard by embedding malicious code that allows a rootkit to survive a clean re-installation of the host operating system.

Chen, from the Georgia Institute of Technology, said malicious code embedded into the firmware would be immune to the typical rootkit detection methods which examine the integrity of the filesystem, check for hooks or direct kernel object manipulation, or detect hardware and/or timing discrepancies due to virtualization in the case of a virtual-machine based rootkit.

“Such code could also completely bypass the remote attestation of a Trusted Platform Module, if one were present in the computer. As far as everybody is concerned, our [malicious keyboard] code is simply the user typing commands at the keyboard,” he explained.

Chen said a malicious keyboard can be used to snoop on keystrokes from any machine it is plugged into. Here’s a technical paper discussing the keyboard firmware attack.

It is important to note there are only 2 ways this exploit can be done:
1) Physical access to the actual keyboard or 2) A system already owned (infected) by a rootkit
This is basically a "proof of concept" work demonstrated at the Black Hat DefCon on an actual keyboard (and it is NOT limited to a MAC keyboard, either).
|
|
|
Post by towhom on Aug 8, 2009 2:18:11 GMT 4
Patch Tuesday heads-up: 9 bulletins, 5 critical
ZDNet News & Blogs / Technology
Posted by Ryan Naraine August 6th, 2009 @ 3:07 pm
blogs.zdnet.com/security/?p=3983&tag=nl.e539

For Microsoft Windows users, next week’s Patch Tuesday will be somewhat hectic. The Redmond, Wash. software maker plans to release a total of nine bulletins to patch a wide range of serious vulnerabilities affecting Windows, Microsoft Office, Microsoft Visual Studio, Microsoft ISA Server, Microsoft BizTalk Server and the .Net Framework. Five of the bulletins will be rated “critical,” the company’s highest severity rating.

Microsoft said in its advance notice for August that one of the “critical” bulletins will address a Client for Mac security problem. All supported versions of the Windows operating systems are affected, including the newer Windows Vista and Windows Server 2008.

Maybe MicroSnot should just issue one bulletin:
"We're updating (just about) everything because the "Hack-N-Snatch" goobers updated all of their 'stuff'. We (think) have patched all of the vulnerabilities. We 'strongly suggest' that all users currently running any Windows OS or MS software run these updates...or you'll be sorry. Have a great day!"
|
|
|
Post by towhom on Aug 8, 2009 2:29:44 GMT 4
Browser flaws expose users to man-in-the-middle attacks
ZDNet News & Blogs / Technology
Posted by Ryan Naraine August 7th, 2009 @ 10:55 am
blogs.zdnet.com/security/?p=3950

Security researchers at Microsoft have found a way to break the end-to-end security guarantees of HTTPS without breaking any cryptographic scheme.

During a research project (.pdf) concluded earlier this year, the Microsoft Research team discovered a set of vulnerabilities exploitable by a malicious proxy targeting browsers’ rendering modules above the HTTP/HTTPS layer.

Here’s the gist of the problem, as explained by the research team:

[In] many realistic network environments where attackers can sniff the browser traffic, they can steal sensitive data from an HTTPS server, fake an HTTPS page and impersonate an authenticated user to access an HTTPS server. These vulnerabilities reflect the neglects in the design of modern browsers — they affect all major browsers and a large number of websites.

According to a SecurityFocus advisory, attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how sites are rendered to the user. Other attacks are also possible.

Affected browsers include Microsoft’s Internet Explorer 8, Mozilla Firefox, Google Chrome, Apple Safari and Opera. Originally, it was believed that this issue only affected Mozilla’s browsers but the advisory was updated to reflect that the issue affects multiple browsers, not just Mozilla products.

You know what...
Snail mail and checks are making a "come-back".
Maybe the "bankies" are "working behind the scenes" so they can charge higher fees for paper check processing...
|
|
|
Post by towhom on Aug 12, 2009 15:16:40 GMT 4
Patch Tuesday heads-up: 9 bulletins, 5 critical
ZDNet News & Blogs / Technology
Posted by Ryan Naraine August 6th, 2009 @ 3:07 pm
blogs.zdnet.com/security/?p=3983&tag=nl.e539

For Microsoft Windows users, next week’s Patch Tuesday will be somewhat hectic. The Redmond, Wash. software maker plans to release a total of nine bulletins to patch a wide range of serious vulnerabilities affecting Windows, Microsoft Office, Microsoft Visual Studio, Microsoft ISA Server, Microsoft BizTalk Server and the .Net Framework. Five of the bulletins will be rated “critical,” the company’s highest severity rating.

Microsoft said in its advance notice for August that one of the “critical” bulletins will address a Client for Mac security problem. All supported versions of the Windows operating systems are affected, including the newer Windows Vista and Windows Server 2008.

Maybe MicroSnot should just issue one bulletin:
"We're updating (just about) everything because the "Hack-N-Snatch" goobers updated all of their 'stuff'. We (think) have patched all of the vulnerabilities. We 'strongly suggest' that all users currently running any Windows OS or MS software run these updates...or you'll be sorry. Have a great day!"

"Critical Update" update: There are now 14 critical updates pending today on MicroSnot's Patch Tuesday - including one to SP2 and/or SP3 - dependent upon which SP your system has installed.
|
|