Critical patches for Windows and Flash Player

August 11, 2010 by admin  
Filed under Security News

If you’re a user of Windows or Flash (and I would imagine that covers the vast majority of you) then it’s time to roll out the latest critical security patches, as Microsoft and Adobe have released updates to their software.

 

First up is Microsoft, who have released a bumper bundle of fixes as part of their regular “Patch Tuesday” cycle, issuing 14 bulletins to remedy 34 security holes in Windows, Internet Explorer, Microsoft Office, Silverlight, Microsoft XML Core Services and Server Message Block.

 

Eight of the bulletins have been given Microsoft’s highest severity rating of “critical”, with the rest being labelled “important”.

 

The good news, as Chet Wisniewski explains, is that we haven’t yet seen any malware spreading by exploiting these vulnerabilities – but that may only be a matter of time.

 

Separately, Microsoft has also issued an advisory about a zero-day vulnerability, which could allow untrusted code to run on a user’s machine by exploiting a weakness in the Windows Service Isolation feature.

 

Meanwhile, another platform commonly targeted by malicious hackers has been updated to defend against security vulnerabilities.

 

Adobe has identified critical vulnerabilities in Adobe Flash Player version 10.1.53.64 and earlier, and urged users to update their installations of Flash and Adobe Air.

 

If you’re not sure which version of the Adobe Flash Player you have installed, visit the About Flash Player page. Remember that if you use more than one browser on your computer you should check the version number on each.

 



Want to see who has viewed your Facebook profile? Take care..

July 26, 2010 by admin  
Filed under Security News

I’m increasingly being asked by folks on Facebook if it’s possible to tell who has been viewing their Facebook profile. A number have been attracted to webpages and Facebook applications that claim to be able to give you a secret insight into who is spying on your profile.

 

Well, if you’re one of those people who are curious about who might be watching you online, take care.

 

Right now we’re seeing a significant number of Facebook users posting messages such as:

OMG OMG OMG... I can't believe this actually works! Now you really can see who views your profile!!! WOAH

and

See who views your Facebook profile in real-time!!!

See who views your profile

 

However, like the “Justin Bieber cell phone number” scam and the “This mother went to jail for taking this pic of her son!” scam, the links pointed to in your friends’ status updates are not to be trusted.

 

If you make the mistake of clicking on the link to one of these pages offering to tell you who is viewing your Facebook profile, you will find that the people behind the “services” want you to do a few things first.

 

[Screenshot: “See who has viewed your profile” scam page]

For instance, they’ll ask you to “Like” their pages (which means you are spreading the link to friends in your social network), and they will ask you to advertise their site by posting an “OMG” message (with a link) to at least five different places on Facebook.

 

After all that hard work you would hope that they would give you access to the powerful Profile Spy app, wouldn’t you? But I’m afraid your luck is out.

 

They’ll next ask you to hand over your personal information by taking numerous surveys – before ultimately trying to trick you into handing over your cellphone number which they’ll sign up to an expensive premium rate service.

 

[Screenshot: “See who has viewed your profile” scam page, survey step]

 

Remember, this scam doesn’t work as the result of clickjacking, or a vulnerability on Facebook. The scammers are achieving their ends because of human gullibility – pure and simple. If people considered what they were doing and thought twice about the possible consequences then we would see nothing like as many of these attacks occurring, and our news feeds on Facebook would see less spam.



 

Security risks for those who stay with Windows XP SP2

July 13, 2010 by admin  
Filed under Security News

Tomorrow (Tuesday 13 July 2010) Microsoft will issue its last ever security patches for Windows XP Service Pack 2 (SP2).

 

The service pack, which was first released in August 2004, will no longer be supported by Microsoft after Tuesday meaning that users will no longer receive any security patches – regardless of how critical any discovered vulnerability may be.

 

Furthermore, it’s not just Windows XP SP2 that Microsoft won’t be updating – but your installations for Internet Explorer, Windows Media Player, Outlook Express and other Windows XP SP2 components also won’t receive security patches if you’re running that version of the operating system.

 

You may be wondering – “What’s the problem? After all, Windows XP SP3 was released in 2008, and replaced SP2, right?”

 

Well, yes. It did. But recently published statistics suggest that an alarming 77% of organisations are running Windows XP SP2 on 10% or more of their PCs.

 

That’s an awful lot of computers which may not be properly protected when a new vulnerability is discovered – and could potentially be vulnerable to a malware attack.

 

Microsoft would probably like you to update your computers to Windows 7, but that may be a tall order for many older PCs. If you’re not ready for Windows 7, make sure you apply the free update to Windows XP SP3. Windows XP SP3 will be supported by Microsoft until at least April 2014.

 



The Pirate Bay Hacked, User Info Exposed

July 8, 2010 by admin  
Filed under Security News

An Argentinian hacker named Ch Russo claims that he and two associates have found several SQL injection vulnerabilities in The Pirate Bay’s database, which granted him access to all user information, including usernames and e-mails.

 

According to KrebsOnSecurity, who spoke with Ch Russo on the phone, the hackers did not modify the user data or give it away to a third party. They did, as they say, consider how much this info would be worth to various anti-piracy outfits such as the RIAA.

 

“Probably these groups would be very interested in this information, but we are not [trying] to sell it. Instead we wanted to tell people that their information may not be so well protected,” Ch Russo said.

 

It seems that the vulnerability has been at least partially patched however, as Russo said the website component that gives access to The Pirate Bay’s database has been removed. Furthermore, The Pirate Bay site is currently down, sporting the following message: “Upgrading some stuff, database is in use for backups, soon back again.. Btw, it’s nice weather outside I think.”

 

Although it’s been under the attack of the entertainment industry for years now, The Pirate Bay has somehow been able to survive to this day, even in the wake of some other major torrent trackers, such as Mininova.

 

Security problems such as this one, however, might cause huge problems to the service if user information falls into the wrong (or right, depending on how you look at it) hands.

 

By: Stan Schroeder

Source: mashable.com


Justin Bieber fans under fire in YouTube XSS attack

July 5, 2010 by admin  
Filed under Security News

If there are any breathless fans of Justin Bieber reading this – let me calm you straight away: Justin Bieber has not died in a car crash.

 

But you may have imagined that he did if you checked out some of his YouTube videos this long US Independence Day holiday weekend, or read one of the many internet rumours that spread over the last day or so.

 

A vulnerability in YouTube’s comment system was exploited widely this weekend, allowing mischief-makers to embed code through a cross-site scripting (XSS) flaw. And one of the things they did was post messages claiming that the teen pop sensation had died in a car crash.

 

Normally YouTube is smart enough to weed out offending code in the comments left for videos, but it appears that the hackers found a way to waltz past the site’s defences.

 

Those watching YouTube videos of Justin Bieber and others could find their eyeballs assaulted by other prankish pop-ups and offensive messages or redirected to tasteless websites.

[Screenshot: YouTube hacked]

It took about two hours before Google, YouTube’s parent company, got things under control.

 

XSS attacks are a serious problem, of course. Potentially they can fool unsuspecting users into handing over their login details (although this doesn’t appear to have happened on this occasion) or direct them to a malicious webpage.
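The underlying defect in a comment-system XSS like the one described above is that user-supplied text reaches the page as markup. The following is an added example (not YouTube’s code, nor anything from the original post) showing the failure mode beside the fix: a renderer that interpolates comments raw, a renderer that escapes them so they stay text, and a link filter that only lets http(s) URLs through. The comment strings and author names are constructed for the demonstration.

```python
import html
from urllib.parse import urlsplit

# Constructed sample comments: what an attacker-controlled comment field might carry.
SAMPLE_COMMENTS = [
    ("fan1", "Best song ever!"),
    ("prankster", "<script>alert('RIP')</script>"),
    ("spammer", "<a href=\"javascript:alert(1)\">see photos</a>"),
]


def render_unsafe(author, body):
    """The failure mode: raw interpolation lets a comment become part of the page's markup."""
    return f"<li><b>{author}</b>: {body}</li>"


def render_safe(author, body):
    """Treat the comment as text: every HTML-significant character is escaped."""
    return f"<li><b>{html.escape(author)}</b>: {html.escape(body)}</li>"


def safe_link(url):
    """Allow only http(s) links with a host for an optional comment link; anything else is dropped.

    This blocks javascript: and data: URLs, which would otherwise execute or redirect."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return (f'<a href="{html.escape(url, quote=True)}" rel="nofollow noopener">'
            f"{html.escape(url)}</a>")


def render_thread(comments, renderer):
    """Render a list of (author, body) pairs with the chosen renderer."""
    return "<ul>" + "".join(renderer(a, b) for a, b in comments) + "</ul>"


if __name__ == "__main__":
    print(render_thread(SAMPLE_COMMENTS, render_unsafe))  # script tag survives intact
    print(render_thread(SAMPLE_COMMENTS, render_safe))    # script tag is inert text
```

Escaping on output (rather than trying to strip “bad” tags on input) is the reliable half of the defence; the link filter covers the redirect case the post mentions, where the payload is a URL rather than a script tag.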

 


 

90 Second Security Roundup (Video)

June 22, 2010 by admin  
Filed under Security Channel


Perform a security scan by Symantec Security Check

May 31, 2010 by admin  
Filed under Protection Tools

Is your computer safe from online threats? The Security Scan performs the following tests and offers recommendations based on the results:

Hacker Exposure Check
Checks whether your computer allows unknown or unauthorized Internet communications.

Windows Vulnerability Check
Checks whether basic information about your computer, including your PC’s network identity, is exposed to hackers.

Trojan Horse Check
Checks whether your computer is safe from Trojan horses.


Embarrassing privacy flaw found on Facebook

May 19, 2010 by admin  
Filed under Security News

A researcher has found a critical security flaw on Facebook that could be exploited by hackers to expose sensitive information about users.

 

M J Keith, a senior security analyst with security firm Alert Logic, discovered the vulnerability which could lead to private information being exposed, or users’ Facebook pages being maliciously defaced.

 

IDG security reporter Robert McMillan has explained the problem well:

The bug has to do with the way that Facebook checked to make sure that browsers connecting with the site were the ones they claimed to be. Facebook's servers use code called a "post_form_id" token to check that the browser trying to do something -- liking a group, for example -- was actually the browser that had logged into the account. Facebook's servers check this token before making any changes to the user's page, but Keith discovered that when he simply deleted the token from messages, he could change many settings on any Facebook account.

 

This is called a CSRF (cross-site request forgery) attack, which – if left unpatched – would allow hackers to set up malicious webpages that could submit instructions to the victim’s Facebook account without validation.

 

The consequence? Well, a hacker could make your hitherto private information public, or force your profile to “like” a Facebook group that you may find embarrassing.
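The flaw McMillan describes is a check that only runs when the token is present, so deleting the field bypasses it. Below is an added example (not Facebook’s code, and not from the original post) contrasting that fail-open check with a fail-closed one. The session store, the session id “sess-alice”, the `like_group` action and the parameter name `post_form_id` (taken from the quoted description) are assumptions for the demonstration.

```python
import hmac
import secrets

# Constructed in-memory session store: one anti-CSRF token per logged-in session.
SESSIONS = {"sess-alice": {"user": "alice", "form_token": secrets.token_hex(16)}}


def token_for(session_id):
    """Return the token a legitimately served form for this session would embed."""
    return SESSIONS[session_id]["form_token"]


def flawed_check(session_id, params):
    """Mirrors the reported bug: the token is compared only when the client sends one,
    so a forged request with the field deleted passes."""
    sent = params.get("post_form_id")
    if sent is not None and sent != SESSIONS[session_id]["form_token"]:
        return False
    return True


def hardened_check(session_id, params):
    """Fail closed: a missing or empty token is rejected, and the comparison is constant-time."""
    sent = params.get("post_form_id")
    if not sent:
        return False
    expected = SESSIONS[session_id]["form_token"]
    return hmac.compare_digest(sent, expected)


def like_group(session_id, params, check):
    """A state-changing action guarded by the supplied check; returns True if the change is applied."""
    if not check(session_id, params):
        return False
    # ... the real handler would record the "like" here ...
    return True


if __name__ == "__main__":
    forged = {"group": 42}  # a cross-site form cannot know the token, so it omits it
    print("flawed accepts forged request:", like_group("sess-alice", forged, flawed_check))
    print("hardened accepts forged request:", like_group("sess-alice", forged, hardened_check))
```

The second check is what a reviewer should look for: the token must be required, not merely validated when offered, and it should be compared with a constant-time function so the check does not leak timing information.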

 

M J Keith reports on AlertLogic’s website that he informed Facebook of the problem on the 11th of May, and that the problem has now been fixed.

 

However, IDG has reported that the security hole is still present.

 

Hopefully, if it’s not already patched, this privacy flaw – which comes at an embarrassing time for Facebook – will be removed soon.

 

If you’re a regular user of Facebook, you could do a lot worse than join the Sophos page on the site to ensure you are kept up-to-date with the latest security news. Oh, and remember to be careful about clicking on suspicious links.

 

By Graham Cluley, Sophos

 

Transport website leaking private information of 168,000 passengers

May 19, 2010 by admin  
Filed under Security News

A hacker called “ins3ct3d” has demonstrated that he can access the personal information of 168,000 users of public transport in The Netherlands via an insecure website.

 

A campaign to encourage residents living in the provinces of Gelderland, Overijssel and Flevoland to use public transport has been promoting a website called “Experience the OV” at www.ervaarhetov.nl, which allows people to request a card allowing them to try out public transport travel for free.

 

However, as the magazine Webwereld reports, a simple SQL injection attack allowed “ins3ct3d” to access the personal information of subscribers – including names, addresses, birth dates, email addresses and phone numbers.
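Both this incident and The Pirate Bay breach above come down to the same defect: user input pasted into SQL text. The following is an added example (not the code of either site, and not from the original posts) that builds a small in-memory subscriber table and runs the same lookup two ways, once with string formatting and once with a bound parameter, so the difference in behaviour on a malformed input is visible. The table, its rows and the lookup functions are constructed for the demonstration.

```python
import sqlite3

# Constructed subscriber table standing in for the kind of registration data described.
SAMPLE_ROWS = [
    ("Anna", "anna@example.org", "1980-01-01"),
    ("Bram", "bram@example.org", "1975-06-15"),
    ("Cees", "cees@example.org", "1990-09-30"),
]


def make_db():
    """Create an in-memory SQLite database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (name TEXT, email TEXT, birth_date TEXT)")
    conn.executemany("INSERT INTO subscribers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, email):
    """The failure mode: the input is spliced into the SQL text, so it can change the query."""
    sql = f"SELECT name, email, birth_date FROM subscribers WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Hardened: the value travels as a bound parameter and is never parsed as SQL."""
    sql = "SELECT name, email, birth_date FROM subscribers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def lookup_counts(email):
    """Return (rows from the vulnerable query, rows from the parameterized query) for one input."""
    conn = make_db()
    try:
        return len(lookup_vulnerable(conn, email)), len(lookup_parameterized(conn, email))
    finally:
        conn.close()


if __name__ == "__main__":
    print("normal input:", lookup_counts("anna@example.org"))
    print("quote-bearing input:", lookup_counts("' OR '1'='1"))
```

With a normal address both queries return one row; with an input containing a quote the formatted query returns the whole table while the parameterized one correctly returns nothing, because no subscriber has that literal string as an e-mail address. Reviewing a code base for every `execute` call that builds SQL with `%`, `+` or f-strings is the quickest way to find this class of bug.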

 

The hacker, who has chosen to remain anonymous, demonstrated the attack to the magazine by accessing the personal data of one of Webwereld’s reporters.

 

Explaining his reason for exposing the security vulnerability, “ins3ct3d” explained that he felt compelled to warn his fellow citizens as long as the government continues to use unsafe systems. “This time it’s sensitive personal data, next time your fingerprints or EPD,” he said.

 

(EPD is the Electronische Patientdossier. I guess I don’t need to give a translation of that for you to realise why that’s not data you want falling into the wrong hands.)

 

There’s no confirmation that banking data was exposed, but there were fields in the databases for ID card numbers, payment agreements and so forth. At the request of Webwereld, the hacker did not retrieve more data, so there’s no telling if any of these fields had been filled.

 

Webwereld contacted the authorities, and the website is currently “temporarily unavailable”:

[Screenshot: “Website temporarily unavailable” notice]

I guess we should all breathe a sigh of relief that, in this instance, the hack appears to have been orchestrated with the aim of exposing poor security, rather than stealing users’ data and identities. Hopefully this incident might play some small part in raising awareness around the world of the need to ensure your website is coded securely, and not at risk of leaking sensitive information.

 

By Graham Cluley, Sophos

 

Critical security updates from Microsoft and Adobe

May 12, 2010 by admin  
Filed under Security News

It was “Patch Tuesday” yesterday, which means another parcel of security updates for computer users to unwrap, and this time the fixes aren’t just from Microsoft, but from Adobe too.

 

First on the menu is Microsoft, which has served up two security bulletins detailing vulnerabilities that could be exploited by hackers to execute malicious code (such as a worm) on your computer.

 

The first of these security holes exists in Outlook Express, Windows Mail, and Windows Live Mail. Microsoft’s Security Research & Defense blog goes into some detail about the vulnerability, explaining that although the security hole is given a “critical rating” on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008, it is considered less serious for Windows 7 users as Windows Live Mail is not installed by default on that platform.

 

The other patch from Microsoft addresses a vulnerability in Visual Basic for Applications, a component used by Microsoft Office and other third-party products. Microsoft has given this security update its highest possible rating – “Critical” – for all supported versions of Microsoft Visual Basic for Applications SDK and third-party applications that use Microsoft Visual Basic for Applications. It is also rated “Important” for all supported editions of Microsoft Office XP, Microsoft Office 2003, and the 2007 Microsoft Office System.

 

Next up is Adobe, which has released patches to squash over 20 security vulnerabilities in its Shockwave and ColdFusion products.

 

The critical vulnerabilities identified in Adobe Shockwave Player 11.5.6.606 and earlier versions impact both Windows and Macintosh users, and could allow attackers to run malicious code on your computer.

 

Adobe recommends that users update their version of Adobe Shockwave Player to version 11.5.7.609.

 

Details of the ColdFusion vulnerabilities, classed as “important”, are provided in Adobe Security Bulletin APSB10-11.

 

Enough of waffle. Download and install the patches if your computer is affected.

 

By Graham Cluley, Sophos

 
