news4geeks.net
10 May 2012

Apple patches Safari, blocks outdated Flash Player

Posted by vica

Apple on Wednesday patched four security vulnerabilities in Safari and blocked outdated versions of Adobe's Flash Player from running in its browser.

The Flash blocking move was similar to one Apple made last month when it stopped the Java plug-in from launching automatically.

Safari 5.1.7, which runs on OS X 10.6 and 10.7 -- Snow Leopard and Lion, respectively -- as well as on Windows XP, Vista and Windows 7, was released alongside another update for Lion that included a slightly older version of the browser. Lion users must download and install both updates to push Safari to version 5.1.7.

8 May 2012

Half of all Macs will lack access to security updates by summer

Posted by vica

Unless Apple changes its security update practice, nearly half of all Mac users will be adrift without patches sometime this summer.

Apple will launch OS X 10.8, aka Mountain Lion, in the next few months, and then will -- barring a change in a decade-old habit -- stop serving patches to OS X 10.6, or Snow Leopard.

Although Apple has never spelled out its support policy for older operating systems, it has always dropped an edition around the time it has two newer versions in play. If the current OS X is dubbed "n," then "n-2" support ends at the debut of "n."

8 May 2012

Avaya revs Identity Engines for more secure BYOD

Posted by vica

Network and security vendors such as Cisco, Juniper, and Enterasys are lining up at Interop this week with products aimed at easing security admins' BYOD-spawned migraines. Also in the queue: Today's release of Avaya Identity Engines (AIE) 8.0, designed to help organizations better secure and control who can access wired and wireless networks, as well as how they do it.

The move represents the struggling networking company's attempt to broaden its mobile strategy, which has included the Flare Experience -- a videoconferencing product to rival the Cisco Cius -- followed by a Flare client for the iPad.

4 May 2012

Microsoft boots Chinese firm for leaking Windows exploit

Posted by vica

Microsoft on Thursday identified a Chinese security partner as the source of a leak last March in its highly restricted vulnerability information-sharing program.

The company, Hangzhou DPTech Technologies, was tossed out of the Microsoft Active Protection Program (MAPP) for leaking the proof-of-concept exploit.

"During our investigation into the disclosure of confidential data shared with our Microsoft Active Protections Program (MAPP) partners, we determined that a member ... Hangzhou DPTech Technologies Co., Ltd., had breached our non-disclosure agreement (NDA)," Yunsun Wee, director of Microsoft's Trustworthy Computing group, wrote in a post to a company blog. "Microsoft takes breaches of our NDAs very seriously and has removed this partner from the MAPP Program."

20 April 2012

Scammers create fake Instagram app on Android

Posted by vica

According to security company Sophos, a Russian web site has sprung up which offers a fake version of the popular Instagram app for Android. The Russian language site emulates the look of the official Instagram product page but the download link doesn't lead to the actual app on Google's Play store. Users who download the program from the Russian site get a fake app instead that sends out premium SMS text messages in the background which are used to earn revenue for the scammers.

19 April 2012

White House raises concerns over CISPA bill

Posted by vica

The White House joined the growing chorus of voices expressing concern over the proposed Cyber Intelligence Sharing and Protection Act (CISPA) legislation that is scheduled for a vote in the U.S. House of Representatives next week.

The bill would allow Internet service providers and Internet companies such as Google and Facebook to collect and share a wide range of user data with the government. Privacy and civil rights groups have blasted the bill, saying it would dismantle privacy protections and enable unprecedented surveillance of online activities under the pretext of cybersecurity.

Caitlin Hayden, a spokeswoman for the White House's National Security Council, echoed those sentiments in a statement made to The Hill newspaper late Tuesday.

18 April 2012

15-year-old hacks 259 websites in just 3 months

Posted by vica

If you’re looking for a gauge as to how good or bad web security is at the moment, look no further than the case of a 15-year-old from Austria who, over the course of 3 months, managed to hack 259 company websites and databases.

The young man (boy?) was anti-social and turned to the Internet for “praise and affirmation.” He found a hacking community that rewarded successful attacks, downloaded the tools he needed, and set about bypassing the security of different websites.

9 April 2012

Oracle CSO trashes PCI rules

Posted by vica

In an unusual move, Oracle chief security officer Mary Ann Davidson has called on vendors of payment application software to join her company in opposing specific security vulnerability reporting requirements of the Payment Card Industry Security Standards Council.

In a lengthy, sharply worded blog post late last month, Davidson lashed out at the PCI Council for allegedly not responding to Oracle's repeated requests that it reconsider its policy of requiring software vendors to share detailed vulnerability data even in circumstances where patches haven't been released.

"Established industry practice concerning vulnerability handling avoids the risks created by the [PCI Council's] vulnerability disclosure requirements," Davidson said.

5 April 2012

Apple patches Mac Java zero-day bug

Posted by vica

Apple yesterday released a Java update for Mac owners that fixes a dozen security flaws, including one that has been exploited by attackers for at least two weeks.

The update follows a decision Monday by Mozilla to blacklist unpatched editions of the Java plug-in from running in the Windows version of Firefox. Mozilla has not yet instituted a similar ban for Firefox on Mac OS X, however.

Apple classified all 12 of the Java vulnerabilities patched Tuesday as critical. Although the company does not use a threat scoring system to rate bug fixes, its use of the phrase "...may lead to arbitrary code execution" in its advisory describes the most serious kind of flaw, one that could be used by attackers to take control of a machine.

The update applies to Mac OS X 10.6, aka Snow Leopard, and OS X 10.7, better known as Lion.

29 March 2012

Duqu malware resurfaces after four-month holiday

Posted by vica

Duqu, the malware that has been compared to 2010's notorious Stuxnet, is back, security researchers said today.

After a several-month sabbatical, the Duqu makers recompiled one of the Trojan's components in late February, said Liam O Murchu, manager of operations at Symantec's security response team.

The system driver, which is installed by the malware's dropper agent, is responsible for decrypting the rest of the already-downloaded package, then loading those pieces into the PC's memory.

Symantec has captured a single sample of the driver, which was compiled Feb. 23, 2012. Before that, the last time the Duqu gang updated the driver was Oct. 17, 2011.

22 March 2012

Cloud security registry slow to catch on

Posted by vica

Last August the Cloud Security Alliance (CSA) announced at the Black Hat security conference in Las Vegas a registry that it hoped would serve as a place for prospective cloud users to go to easily inspect and compare cloud vendors' security controls. But to date, only three companies have submitted their cloud security data, making the registry of limited use.

The Security, Trust and Assurance Registry (STAR) is designed to index the security features of cloud providers using a 170-point questionnaire that end users are then able to peruse. Soon after the CSA announced STAR, big names such as Google, Intel, McAfee, Verizon, and Microsoft all agreed to take part. So far though, Microsoft is the only one of that group to have followed through.

14 March 2012

We need good code, says Diffie at Black Hat Europe

Posted by vica

Cryptographer Whitfield Diffie reckons one of the most important things for good cryptography and security in the age of the Internet is good code.

Unfortunately, really good code is generally too expensive to write, he said at the Black Hat Europe conference.

"We are as much moving into a software age as we moved into an iron age," Diffie said, comparing the Internet evolution to the first cities formed on earth. "We take our cultural machinery and are moving that into the Internet," he told the audience in the opening keynote of Black Hat Europe here this week.

14 March 2012

Safer Internet encryption via TLS may take years, expert says

Posted by vica

Although the TLS (Transport Layer Security) 1.2 protocol, designed to make network connections more secure, was defined in 2008, a security expert at Black Hat Europe this week in Amsterdam said it will be years before Web users can reap its benefits.

TLS was developed in 1999 as an improvement on SSL (Secure Sockets Layer) data encryption. Though SSL 3.0 is still used, TLS version 1.0 is supported by most commonly used browsers. However, it was proven vulnerable in 2001 when security researchers demonstrated a working exploit, code named BEAST (Browser Exploit Against SSL/TLS).

14 March 2012

Mozilla nixes Firefox 11 delay, will launch upgrade today

Posted by vica

Mozilla on Monday announced it was postponing the release of Firefox 11, but changed its mind today, saying that the browser upgrade would go out on schedule.

Yesterday, Johnathan Nightingale, senior director of Firefox engineering, said Mozilla was delaying Firefox 11's launch to examine a bug unveiled at last week's Pwn2Own hacking contest and to give developers time to scrutinize Microsoft's security updates, set to release today at approximately 1 p.m. ET.

On the last day of Pwn2Own, a two-man team -- Vincenzo Iozzo and Willem Pinckaers -- exploited a Firefox vulnerability to take the contest's $30,000 second-place prize.

2 March 2012

How new Mac OS X security measures will affect your AppleScripts

Posted by vica

To the average user, the two new security technologies coming to OS X this year -- sandboxing and Gatekeeper -- should be virtually invisible. But they could be all too visible to more advanced users, particularly those who use AppleScript and Automator.

As we've reported previously, Apple will soon require that all Mac App Store apps implement sandboxing, which forces developers to request specific permission (or, in developer-speak, an "entitlement") from Apple to give their apps access to certain parts of a user's system. Few apps in the Mac App Store today use sandboxing, but come June all new apps and updates to existing ones will need to, per Apple's revised rules.