AOL Tech

vulnerability posts

Filed under: Security, Adobe, Mozilla, Browsers

Firefox catches 50% with insecure Flash, only 30% click through to update


Two weeks ago Mozilla prepared a new landing page for Firefox updaters to check for outdated versions of the Adobe Flash Player plugin. When the page went live last week for some six million Firefox 3.5.3 and 3.0.14 users, Mozilla compiled some interesting -- and disconcerting -- statistics.

Just over 50% of users shown the page were found to be running an insecure Flash Player version. That's an alarming number, especially considering the number of times Flash vulnerabilities have been exploited in the past two years alone.

The bad news doesn't stop there. As it turns out, the warning only convinced about 30% of viewers to click through and immediately update the plugin.

When you consider the amount of time most people spend browsing and the massive number of threats lurking on the Internet, maintaining a secure, updated browser is imperative. That, of course, means keeping plugins like Flash and Java up to date, and there's no time like the present to do it.

Hopefully Mozilla's next push will meet with more success.

Filed under: Security, Adobe

Adobe's security woes continue as new exploits found in Reader, Flash

2009 has been a rough one so far for Adobe when it comes to security. Reader has become an increasingly popular target for malware authors, and Flash has been plagued with vulnerabilities.

Trend Micro researchers have hit on new flaws in Adobe Reader 9.1.2 and Flash Player 9/10. According to Trend, "Once a user opens a specially crafted PDF file, two binary executables are dropped and executed on his/her system." Adobe's blog post states "There are reports that this vulnerability is being actively exploited in the wild via limited, targeted attacks against Adobe Reader v9 on Windows" though other platforms are also vulnerable. A workaround is offered, though you may want to use an alternative PDF viewing application like Sumatra, xPDF, or Foxit Reader. You can also use a web-based service like Zoho Viewer or PDFMeNot.

Even after announcing they would switch to a Microsoft-style "Patch Tuesday" schedule to redouble their security efforts, the exploits keep on surfacing. It's a major problem for us all, since both Flash and Reader are so widely used. We know Adobe said they're re-committing themselves to security, so let's hope they follow through.

Filed under: Security, Mozilla, Browsers

Firefox security questioned again as another exploit surfaces

What's going on here, Mozilla?

It's only been a couple of days since the Firefox 3.5.1 update was released to address a critical vulnerability in the JavaScript JIT compiler, and there's already a new exploit causing quite a ruckus. You can actually hear the chuckles coming from Redmond if you listen closely.

It would be unreasonable to assume that the first patch for Firefox 3.5 would make it bulletproof. Still, after the long delays that preceded its release, the rapid discovery of two such vulnerabilities is a bit surprising. Past releases of the browser have had their share of security issues as well, but as Firefox becomes more popular its security shortcomings are going to be much more publicly exhibited.

It's interesting to note that Secunia has yet to post a single exploit for Chrome 3. If you're security minded, now might be a good time to take it for a test drive.

[via Security Focus]

Filed under: Security, Mozilla, Browsers

Critical Firefox 3.5 javascript exploit surfaces


In just over two weeks, Firefox 3.5 has been downloaded almost 28 million times. And yes, 3.5 boasts greatly improved JavaScript performance.

Unfortunately, the JIT compiler also sports a critical weakness in its current state. A web site containing the correct exploit code (which has been shared by Simon Berry at milw0rm.com) could allow an attacker to execute arbitrary code on vulnerable systems.

For the time being, you can disable the JIT compiler to protect yourself. Open about:config in Firefox, type jit in the search box, and double-click javascript.options.jit.content to set the value to false. Doing this will reduce JavaScript performance, but will close up the hole until it is officially patched.

It's interesting to note that Mozilla was already aware of the bug and planning on releasing a patch some time in the next two weeks. On the official security blog, one developer states, "This fix was going to be in the 3.5.x update we had scheduled for the end of July, but obviously now we have moved up the schedule for release."

Filed under: Security, Office, Adobe

Adobe Acrobat bug more dangerous than originally thought

The Adobe Acrobat vulnerability that was reported here back on February 20th remains unpatched, and it now appears that the risk the bug presents is even greater than originally thought.

Because of the way Adobe integrates into Windows Explorer - to provide metadata information about PDF files - there is a chance that your system could become infected without ever opening a single file. Since the bug's code can be placed within a file's metadata, any action that reads that data could set things in motion. That includes something as simple as hovering your mouse over the file icon, according to Obsessable's Stephen Schenck.

In the original post, I suggested using an alternative application to read files, but that won't fully address the vulnerability. To be completely safe, you'll have to remove Adobe Reader (and presumably, Acrobat as well) from your system for the time being and reinstall it once Adobe has developed a patch.

[ via Obsessable ]

Filed under: Internet, Security, Adobe

Adobe warns of critical vulnerability in Reader, Acrobat

Bad news for anyone who uses Adobe's Acrobat software or Adobe Reader to view PDF files. A critical vulnerability has been identified that can cause the applications to crash and allow an attacker to control the affected system. All versions from 7 forward on all operating systems are suspected to be at risk.

According to the announcement from Adobe, this isn't just a possibility, it's actually happening. Reports have already been made of the buffer overflow exploit being used in this type of attack. Adobe is also working with antivirus vendors to patch the holes, and patches to update the vulnerable apps are in the works. The bad news: patches aren't likely to be ready until March 11th, 2009.

That's not nearly fast enough considering the severity of the flaw. In the meantime, you'd be wise to install an alternative application to handle viewing PDF files. Sumatra and FoxIt are both good alternatives for Windows.

The announcement doesn't specify whether the flaw is platform specific, so Mac users may want to play it safe and stick to using Preview. *nix is also at risk, though most users are likely already utilizing alternatives.

The full bulletin is available on Adobe's web site.

Filed under: OS Updates, Security, Windows, Microsoft

Microsoft releases critical patch for SMB vulnerability

Just because it's relatively quiet on Patch Tuesday doesn't mean the one bulletin that was released should be ignored.

Microsoft today issued MS09-001 to address a critical vulnerability in the SMB protocol that could allow an attacker free rein to cause havoc via the NetBIOS ports (139 and 445). According to Microsoft, "an attacker who successfully exploited these vulnerabilities could install programs; view, change, or delete data; or create new accounts with full user rights."

Though it would be difficult for an attacker to successfully exploit the weakness, Microsoft advises that users of all versions of Windows from 2000 onward download the appropriate patch immediately. It's worth noting that Windows 7 does not appear in the affected software list - whether we should be concerned about that fact remains to be seen.

Just what Linux and Mac users needed: another reason to deride SMB.

Filed under: Internet, Security, Microsoft, Browsers

Microsoft issues patch for latest IE vulnerability

Microsoft is acting to address concerns regarding the vulnerability that has been widely reported on since it was revealed last week. According to BetaNews there still haven't been any reported incidents involving the exploit.

Even though the vulnerability's existence has yet to be confirmed, Microsoft has responded quickly and has prepared a patch for release today at 10:00am PST. There are also webcasts scheduled for December 17th and 18th to answer customer concerns regarding the out-of-band update.

For more information about the specifics of the vulnerability, read Microsoft's December 12th TechNet post. The post also details five different workarounds (which should be unnecessary once the patch is released).

It's likely that Microsoft will also update the original security advisory with a link to the patch once it has been made available.

Update: downloads are available here - choose the link that matches your Windows OS.

[ via BetaNews ]

Filed under: Security, Windows, Browsers

Microsoft: Internet Explorers 5 through 8 vulnerable to attack


There's a bug in Internet Explorer that allows attackers to execute malicious code on your machine under certain conditions. When Microsoft first acknowledged the vulnerability a few days ago the company was under the impression that only Internet Explorer 7 was affected. But the security advisory has been updated and it's now clear that the flaw affects every version of Internet Explorer from IE 5.01 SP 4 through Internet Explorer 8 Beta 2.

Microsoft recommends enabling a firewall and anti-virus software to minimize your risk, as well as using Protected Mode in IE7 or IE8. We'd add that you could also switch to a browser that doesn't have this vulnerability like Firefox, Google Chrome, Safari, or Opera at least until Microsoft issues a fix.

[via Computer World]

Filed under: Security, IBM

XForce report on computer threats and vulnerabilities

The XForce won't save you from a burning building, but they just might make your surfing safer. The XForce is IBM's team of Internet Security Systems researchers, and they've just released the midyear report for 2008, listing all kinds of facts and figures on internet security. If you're really into data, go read the report for yourself. It might also be good for insomnia. I'll give you the quick highlights here.

The first part of the report is about computer threats and vulnerabilities. Top five companies with vulnerability disclosures (when they publish information about a security problem) in 2008 so far?
  • Apple
  • Joomla!
  • Microsoft
  • IBM
  • Sun
And a surprise at the bottom of the list, Wordpress, which is new on the list this year.

The most exploited vendors so far in 2008? Apple, HP and Microsoft. Not surprising targets since that's what most of us use in our daily life.

More worrisome is the increase in web application vulnerabilities. There has been a 51% increase since 2006. That means we, the people who are online all day, are being targeted more often. Some of these threats come from malicious websites which most of us have learned to stay away from. But some also come from web facing applications, like WordPress


Filed under: Internet, Mozilla, Browsers

Mozilla Firefox breaks non-existent world record - nobody cares

Remember that whole Firefox download day thing that we got so amped up about? Us too.

Remember when their servers screwed the pooch for most of "Download Day"? Us too.

How about that vulnerability that affected all 8 zillion of us who downloaded version 3? Yep, we remember that too.

Now you can put all those rough memories behind you and sleep easy. Today, Mozilla "officially" announced setting the record, with 8,002,530 downloads on the release day of Firefox 3. It's fair to point out that nothing was broken here... this was a new record, hence "setting" and not "breaking".

Will you remember Mozilla set the Guinness World Record for the most software downloads in 24 hours on June 18th, 2008? Neither will we.

But congrats on still being #2 Firefox. Let us know when that changes and we'll jump around and party like it's 2035!

Filed under: Internet, Security, AOL

AOL Instant Messenger vulnerability won't be fixed until mid-October

Core Security's Aviv Raff reports that AOL's AIM client has a severe vulnerability. A user can send code in an instant message that will execute on your computer. You don't even have to click a link. As long as you're accepting incoming messages, a hacker could wreak havoc on your system.

In a demonstration, Raff sent ZDNet's Ryan Naraine a message that caused his Windows calculator to open. AOL is working on a patch, and recommends users upgrade to the latest beta version of AIM. But Raff says that so far each patch that has been issued has been easily circumvented.

AOL says a full solution will be available by mid-October. In the meantime, we recommend rejecting messages from any unknown source and hoping that your buddies aren't running infected PCs. And if you want to be extra careful, you can access your buddy list using an alternative program like Meebo, Pidgin, or Trillian.


Filed under: Security, Mozilla, Open Source

Mozilla pushes out Firefox 2.0.0.6 security update

Just two weeks after Mozilla released Firefox 2.0.0.5, the corporation has pushed out another critical security update. Firefox 2.0.0.6 fixes two vulnerabilities.

The problem is that Firefox "did not percent-encode spaces and double-quotes in URIs handed off to external programs." Essentially that means that hackers could create web sites that would launch arbitrary code on your computers when visited with the Firefox browser.
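The fix described above, percent-encoding spaces and double quotes before a URI is handed to an external program, as an added Python example that is not Mozilla's code: the allowed character set (RFC 3986 unreserved plus reserved), the function names and the hypothetical handler helper are all assumptions.

```python
import re
import string

# Characters a URI may carry unencoded: RFC 3986 unreserved + reserved.
# Space and the double quote are deliberately absent, so they are always escaped.
UNRESERVED = string.ascii_letters + string.digits + "-._~"
RESERVED = ":/?#[]@!$&'()*+,;="
ALLOWED = frozenset(UNRESERVED + RESERVED)
PCT_ESCAPE = re.compile(r"%[0-9A-Fa-f]{2}")


def percent_encode_for_handoff(uri: str) -> str:
    """Return uri with every byte outside ALLOWED percent-encoded.

    Existing valid %XX escapes are kept (normalised to upper case) rather
    than double-encoded; non-ASCII text is encoded as UTF-8 bytes.
    """
    out = []
    i = 0
    while i < len(uri):
        ch = uri[i]
        if ch == "%" and PCT_ESCAPE.match(uri, i):
            out.append(uri[i:i + 3].upper())
            i += 3
            continue
        if ch in ALLOWED:
            out.append(ch)
        else:
            out.extend("%%%02X" % b for b in ch.encode("utf-8"))
        i += 1
    return "".join(out)


def needs_encoding(uri: str) -> bool:
    """True if the URI still carries a raw character (space, quote, ...)
    that could break the argument boundary of an external handler."""
    return any(ch not in ALLOWED and ch != "%" for ch in uri)


def handler_argv(handler: str, uri: str) -> list:
    """Build the argument vector for an external protocol handler.

    Hypothetical helper: the encoded URI is passed as its own argv element,
    never through a shell string, so a crafted link cannot smuggle in
    extra arguments or quoting.
    """
    return [handler, percent_encode_for_handoff(uri)]
```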

Odds are you'll get the update through Firefox's auto-update feature. But if your browser hasn't prompted you to download Firefox 2.0.0.6 yet, you can grab it from the Firefox homepage.


Filed under: Internet, Security, Web services

Reddit and Pligg vulnerabilities discovered

It hasn't been a good weekend for social ranking sites. Security vulnerabilities were uncovered at Digg-competitor Reddit and Pligg, a site that lets you create your own Digg clone. The security problems at each site were unrelated and have been patched.

Basically, the problem at Reddit was that the site let users upload malicious code in their comments that could grant access to your account login and other information. For the most part, Reddit users played with the vulnerability by uploading benign code. The exploit has been fixed, and now any user who uploaded such code has had the text replaced with "I am a terrible person."

The Pligg vulnerability was even more serious, allowing an attacker to take over an entire website. Pligg has released a patch, and recommends anyone running a Pligg site upgrade immediately.

[via Frantic Industries]

Filed under: Internet, Security, News

Microsoft issues security warning regarding animated cursors

You know those web sites that have kooky animated cursors? Yeah, don't surf to those with Internet Explorer unless you want to leave your computer vulnerable to hackers.

Microsoft has issued a notice that it is investigating the vulnerability. Users who visit a web site or view an e-mail containing hacked .ani files (the animated cursor file type) are at risk, so Microsoft's advice for the moment is to be careful when opening unsolicited emails or browsing new web sites. A long term fix is still a few steps away.

The vulnerability appears to affect Internet Explorer 6 and 7 running on Windows XP SP2. IE7 on Vista doesn't appear to be affected.

[via ZDNet]
