news4geeks.net
6 May 2013

Microsoft admits zero-day bug in IE8, pledges patch

Posted by vica

Microsoft late Friday confirmed that a "zero-day," or unpatched, vulnerability exists in Internet Explorer 8 (IE8), the company's most popular browser.

According to multiple security firms, the vulnerability has been used in active exploits, including "watering hole"-style attacks against the U.S. Department of Labor and U.S. Department of Energy, targeting workers at the latter agency involved in nuclear weapons research.

On Friday, Microsoft published a security advisory that acknowledged the bug. In the advisory, the company also said that other versions of Internet Explorer, including the newer IE9 and IE10, are not affected, and that the firm is working on an update to patch the problem. Read more...

30 Apr 2013

D-Link firmware flaws could allow IP video stream spying

Posted by vica

If you run a bank and use an IP video camera from D-Link, you may want to pay attention to this.

A number of IP-based surveillance video cameras made by D-Link have firmware vulnerabilities that could allow an attacker to intercept the video stream, according to security researchers.

Core Security, a company based in Boston that specializes in vulnerability detection and research, published on Monday details of five vulnerabilities in D-Link's firmware, which is wrapped into at least 14 of its products. Read more...

29 Apr 2013

McAfee spots Adobe Reader PDF-tracking flaw

Posted by vica

McAfee said it has found a vulnerability in Adobe Systems' Reader program that reveals when and where a PDF document is opened.

The issue is not a serious problem and does not allow for remote code execution, wrote McAfee's Haifei Li in a blog post. But McAfee does consider it a security problem and has notified Adobe. It affects every version of Adobe Reader, including the latest version, 11.0.2, Li wrote.

McAfee recently detected some "unusual" PDF samples, Li wrote. McAfee withheld some key details of the vulnerability, but did generally describe it. Read more...

24 Apr 2013

Amazon looks to move security appliances to the cloud

Posted by vica

Amazon Web Services (AWS) is looking to expand its security offerings with hosted intrusion protection appliances and more extensive encryption features, as it looks to increase the level of protection users can get in its cloud.

For Amazon, proving its cloud computing platform can offer the same level of security as traditional hardware and software has been an ongoing challenge.

That it's difficult for companies to meet their existing security requirements in the cloud is a common misconception, according to Stephen Schmidt, chief information security officer at Amazon Web Services. Read more...

24 Apr 2013

AP Twitter hack prompts fresh look at cyber security needs

Posted by vica

Getting hacked on Twitter is fast becoming a rite of passage for big corporations, but Tuesday's attack on the Associated Press could be a tipping point and shows that social networks must do more to keep their users safe, security experts said.

Wider use of two-factor authentication, which can involve an access code being sent to a user on a second device such as a smartphone, is one possible solution. Such a mechanism could be introduced selectively, some experts said, for high profile accounts such as celebrities and large corporations. Read more...

1 Apr 2013

Dell blames ‘uncertain adoption’ of Windows 8 for some of its financial woes

Posted by vica

Dell blamed Microsoft's Windows 8 as one of several causes for its grim financial future, according to a filing with securities regulators.

"The difficult environment faced by the Company as a result of its underperformance relative to a number of its competitors [includes] ... the uncertain adoption of the Windows 8 operating system," Dell said in a lengthy proxy statement filed Friday with the U.S. Securities and Exchange Commission (SEC).

The proxy statement laid out Dell's case for shareholders accepting a $24.4 billion offer, led by its founder and CEO, Michael Dell, to take the PC maker private. Michael Dell has joined with private-equity firm Silver Lake Partners to buy the company, with Silver Lake in turn tapping Microsoft for a $2 billion contribution. Read more...

22 Feb 2013

Everyone knew what China was doing — now what?

Posted by vica

The report released this week by security firm Mandiant laid out damning evidence linking China to a sophisticated cyber espionage ring and set off an avalanche of alarms and hand-wringing that brings to mind the scene in "Casablanca" where Captain Renault exclaims, "I'm shocked, shocked to find that gambling is going on in here!"

That China engages in cyber spying has been an open secret. InfoWorld's own Roger Grimes has been issuing warnings for more than two years about the dangers of APTs (advanced persistent threats) and detailed the methods used by cyber spies to steadily mine corporations' sensitive data. Read more...

21 Feb 2013

Many companies likely affected by hack of popular iOS developer forum

Posted by vica

The administrators of a popular iOS developer Web forum called iPhoneDevSDK confirmed Wednesday that it had been compromised by hackers who used it to launch attacks against its users. Security experts believe the site served as a gateway for the recent attacks against Twitter, Facebook, and Apple employees and that many other companies might be affected as well.

At the beginning of February, Twitter announced that it had been the target of an attack and that hackers might have accessed authentication data on 250,000 users.

"This attack was not the work of amateurs, and we do not believe it was an isolated incident," Twitter said at the time. "The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked." Read more...

26 Sep 2012

Security researcher digs up another critical zero-day Java bug

Posted by vica

A security researcher known for finding Java bugs has uncovered a new critical zero-day vulnerability in all currently-supported versions of the popular Oracle software.

The bug, which was publicly reported on the Full Disclosure security mailing list Tuesday by Adam Gowdiak, the founder and CEO of Polish security firm Security Explorations, can be leveraged to hijack a machine equipped with Java, letting attackers install malware on the system.

Windows PCs and Macs are equally at risk if their users have installed Java, or in the case of OS X, are running 10.6, aka Snow Leopard, or earlier. Snow Leopard was the last edition where Apple bundled Java with the operating system. All currently supported versions of Java, including Java 5, Java 6 and Java 7, contain the bug. Read more...

20 Sep 2012

New vicious UEFI bootkit vuln found for Windows 8

Posted by vica

Security researchers have discovered security shortcomings in Windows 8 that create a means to infect the upcoming operating system with rootkit-style malware.

Italian security consultants ITSEC discovered the security hole following an analysis of the Unified Extensible Firmware Interface (UEFI), a successor to the legacy BIOS firmware interface, that Microsoft began fully supporting with 64-bit versions of Windows 7.

ITSEC analysed the UEFI platform now that Microsoft has ported old BIOS and MBR's boot loader to the new UEFI technology in Windows 8. Andrea Allievi, a senior security researcher at ITSEC, was able to use the research to cook up what's billed as the first ever UEFI bootkit designed to hit Windows 8. The proof-of-concept malware is able to defeat Windows 8's Kernel Patch Protection and Driver Signature Enforcement policy. Read more...

19 Sep 2012

Security startup isolates untrusted content in virtual machines

Posted by vica

Security software startup Bromium is shipping its first product, a virtualization client that runs any untrusted content inside its very own virtual machine -- a microVM -- protecting the underlying operating system and whatever content is stored on the physical machine from theft and malware infection.

The software, VSentry, is aimed at stopping threats that have never been seen before and so can't be detected by signature-based defenses. It also lets end users access whatever content they want to without risk of infecting their own machines or other machines on corporate networks, the company says.

The software filters applications, Web pages, attachments -- anything that customers define with a rule set -- and automatically runs them in separate microVMs, which are destroyed when users are done with each task. Read more...

19 Sep 2012

New IE exploit variant used to distribute PlugX malware, researchers say

Posted by vica

Researchers from security vendor AlienVault have identified a variant of a recently discovered Internet Explorer exploit that is used to infect targeted computers with the PlugX RAT (remote access Trojan) program.

The newly discovered exploit variant targets the same unpatched vulnerability in IE 6, 7, 8, and 9 as the original exploit, but uses slightly different code and has a different payload, AlienVault Labs manager Jaime Blasco said Tuesday in a blog post.

The first exploit was found over the weekend on a known malicious server by security researcher Eric Romang and distributed the Poison Ivy RAT. The second exploit version discovered by AlienVault researchers was found on a different server and installs a much newer RAT program called PlugX. Read more...

10 Sep 2012

HP security smorgasbord upgrades include management software, IPS and printer access

Posted by vica

HP is announcing widespread improvements to its security portfolio including security management software, services, IPS platform, and even printer security.

The company is announcing the addition of HP Correlation Optimized Retention and Retrieval Engine (CORR-Engine) to its security management platform called Enterprise Security Manager (ESM) 6.0c. This adds the intelligence to sort through traffic five times faster to find potential threats, prioritize them and reduce the impact of attacks.

ESM 6.0c can also store log data using 20 times less space than previous versions. The software can ID who is on the network, what they are doing and whether it represents a threat. The platform creates workflows for dealing with security incidents it identifies.

ESM 6.0c will be available in October. Read more...

6 Sep 2012

Qubes OS bakes in virty system-level security

Posted by vica

Invisible Things Lab (ITL), a group of security researchers based in Warsaw, Poland, has announced Qubes 1.0, the first production release of a new desktop operating system designed to provide unprecedented security through the pervasive use of virtualization.

"Unfortunately, contrary to common belief, there are no general purpose, desktop OSes, that would be formally proven to be secure," ITL founder and CEO Joanna Rutkowska wrote in a blog post announcing the release on Monday. "At the very best," she said, "there are some parts that are formally verified, such as some microkernels, but not whole OSes."

To help rectify that situation, Rutkowska and her team built Qubes, an OS that uses virtual machines (VMs) to isolate sensitive applications and their data from parts of the system that may be vulnerable to compromise. Read more...

3 Sep 2012

Security pros advise users to ditch Java

Posted by vica

Security firms are being none too gentle with Oracle's Java following the revelation this week that attackers are using two unpatched Java vulnerabilities to compromise selected targets. The most common advice: Uninstall the Java plug-in in your browser and don't use services that require the software.

On Monday, security firm FireEye revealed that a customer had been attacked with a previously unknown vulnerability. Yet Oracle already knew about the security issue and apparently had an update at the ready to be released on its regularly scheduled patch day in October. With reliable exploits for the vulnerabilities rapidly being adopted by security researchers and cyber criminals alike, the company rushed out a fix for the flaw on Thursday.

Overall, the incident has left a bitter taste in the collective mouths of many security professionals. Read more...