Macs at risk from ‘super dangerous’ Java zero-day
Hackers are exploiting a zero-day vulnerability in Java 7, security experts said today.
The unpatched bug can be exploited through any browser running on any operating system, from Windows and Linux to OS X, that has Java installed, said Tod Beardsley, the engineering manager for Metasploit, the open-source penetration testing framework used by both legitimate researchers and criminal hackers.
David Maynor, CTO of Errata Security, confirmed that the Metasploit exploit -- which was published less than 24 hours after the bug was found -- is effective against Java 7 installed on OS X Mountain Lion.
"This exploit works on OS X if you are running the 1.7 JRE [Java Runtime Environment]," said Maynor in an update to an earlier blog post. Read more...
Experts sound worm alarm for critical Windows bug
Microsoft today released six security updates that patched seven vulnerabilities, including a critical Windows bug that hackers will certainly try to exploit with a network worm, according to researchers.
"This is a pre-authentication, remote code bug," said Andrew Storms, director of security operations at nCircle Security, referring to MS12-020, the one critical bulletin today and the update that he, other researchers and even Microsoft urged users to patch as soon as possible.
"It will allow network execution without any authentication, and has all the ingredients for a classic worm," said Storms.
"I'm particularly spooked by this one," said Jason Miller, manager of research and development at VMware. "Hackers want [vulnerabilities] that don't require authentication and are in a part of Windows that's widely used. I guarantee that attackers are going to look at this closely." Read more...
Apple releases Safari 5.1.4 update with improved JavaScript performance and bug fixes
Apple has released an update to its Safari web browser, bringing the version to 5.1.4. The update addresses a variety of bugs and issues and claims to improve JavaScript performance.
Safari 5.1.4 contains improvements to performance, stability, compatibility, and security, including changes that:
- Improve JavaScript performance
- Improve responsiveness when typing into the search field after changing network configurations or with an intermittent network connection
- Address an issue that could cause webpages to flash white when switching between Safari windows
Read more...
Threatened by Anonymous, Symantec tells users to pull pcAnywhere’s plug
Symantec this week took the highly unusual step of telling users of its pcAnywhere remote access software to disable or uninstall the software while it fixes an unknown number of bugs.
Security experts said the move was unprecedented for a company of Symantec's size.
"This is the first time I have seen a company of Symantec's scale tell their customers to stop using a shipping product, especially one that many users depend on for remote access," said HD Moore, chief technology officer of Rapid7, and the creator of the popular Metasploit penetration testing toolkit.
"It's certainly a new precedent for a security breach," added Andrew Storms, director of security operations at nCircle Security. "Talk about dirty laundry getting aired."
Symantec's recommendation was blunt. Read more...
Hackers exploit Adobe Reader zero-day, may be targeting defense contractors
Adobe today confirmed that an unpatched, or zero-day, vulnerability in Adobe Reader is being exploited by criminals.
Those attacks may have been aimed at defense contractors.
Adobe promised to patch the bug in the Windows edition of Reader and Acrobat 9 no later than the end of next week. Tuesday, Dec. 12 is also Microsoft's regularly-scheduled Patch Tuesday for the month.
The upcoming patch will be Adobe's sixth for Reader and Acrobat this year.
"A critical vulnerability has been [found] in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for Unix, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh," Adobe said in an early-warning email. "This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system." Read more...
Google patches 30 Chrome bugs, adds Instant Pages
Google patched 30 vulnerabilities in Chrome today, paying out the third-highest bounty total ever for the bugs that outsiders filed with its security team.
The company packaged the patches with an update to Chrome 13, adding Instant Pages to the "stable" channel of the browser. The feature, which Google earlier tucked into Chrome 13 previews, proactively pre-loads some search results to speed up browsing.
Google last upgraded Chrome's stable build in early June. Like Mozilla, which this year shifted to a rapid-release schedule, Google produces an update about every six-to-eight weeks.
Fourteen of the 30 vulnerabilities patched today were rated "high," the second-most-serious ranking in Google's four-step scoring system, while nine were pegged "medium" and the remaining seven were labeled "low." Read more...
Exclusive: China software bug makes infrastructure vulnerable
Software widely used in China to help run weapons systems, utilities and chemical plants has bugs that hackers could exploit to damage public infrastructure, according to the Department of Homeland Security.
The department issued an advisory on Thursday warning of vulnerabilities in software applications from Beijing-based Sunway ForceControl Technology Co that hackers could exploit to launch attacks on critical infrastructure.
Sunway's products, widely used in China, are also deployed to a lesser extent in other countries including the United States, DHS's Industrial Control Systems Cyber Emergency Response Team said in its advisory. Read more...
Microsoft slates hefty Patch Tuesday, to fix 34 flaws next week
Microsoft today said it will issue 16 security updates next week to patch 34 vulnerabilities in Windows, Internet Explorer (IE), Office, SQL Server and other products.
"It's the usual mishmash for an even-numbered month," said Andrew Storms, director of security operations at nCircle Security. "But to some degree, we expected a big month. And they stayed true to form."
Microsoft typically releases a larger number of updates in even-numbered months, and fewer in odd-numbered months. In May, for instance, Microsoft shipped just two updates -- the company called them "bulletins" -- to patch only three vulnerabilities. Read more...
Opera releases Web page debugger
Opera Software has embedded into its Web browser a beta set of tools, collectively called Dragonfly, that can help developers find errors in their complex Web pages, the company announced Monday.
"Dragonflies eat bugs, and that is exactly what we want [Dragonfly] to do for developers around the world," said David Storey, an Opera developer relationship manager, in a statement.
Dragonfly is not the first browser-based debugger. Mozilla, for example, offers Firebug, and Google's Chrome browser has built-in element inspection features as well. Dragonfly also offers the ability to debug Web pages on smartphones, televisions and other devices, by hooking them up to the developer's PC. Read more...
