DHS warns of vulnerabilities in widely used Niagara software
The U.S. Department of Homeland Security (DHS) has issued an alert warning of vulnerabilities in a software technology called the Niagara AX Framework, used to manage millions of devices over the Internet.
The alert, from the DHS' Industrial Control System Cyber Emergency Response Team (ICS-CERT) security group, is addressed to organizations that are using Niagara software to remotely control via the Internet industrial control systems, heating, lighting and security equipment, building automation devices and other systems.
Niagara's maker, Tridium, claims it has installed more than 300,000 copies of its software at customer locations worldwide. The company's customers include Boeing, ABB, Callaway and Whirlpool.
DHS said in its alert (PDF document) that Niagara contains a directory transversal flaw and a weak credential storage vulnerability that basically allows attackers to access and download files containing usernames and passwords for all users with access to a Niagara server within an organization. Read more...
Attack code published for two actively exploited vulnerabilities in Microsoft software
Attack code for two actively exploited vulnerabilities in Microsoft software, one of which has not yet been patched, was integrated into the open source Metasploit penetration testing framework.
One of the vulnerabilities is identified as CVE-2012-1875 and is located in Internet Explorer. Attackers can exploit it to execute malicious code by tricking users into visiting a specially crafted Web page or opening a Microsoft Office document that has a malicious ActiveX control embedded into it.
Microsoft addressed the security flaw on Tuesday as part of its MS12-037 security bulletin, but according to security researchers from antivirus vendor McAfee, the vulnerability had been actively exploited in attacks since at least June 1. Read more...
Chrome 18 update closes high-risk security holes
Google has released a new update to the stable 18.x branch of its Chrome web browser to close a number of security holes found in the application. The update, labelled 18.0.1025.168, addresses a total of five vulnerabilities, three of which are rated as "high severity" by the company. Read more...
Google boosts Web bug bounties to $20,000
Google today dramatically raised the bounties it pays independent researchers for reporting bugs in its core websites, services and online applications.
The search giant boosted the maximum reward from $3,133 to $20,000, and added a $10,000 payment to the program.
The Vulnerability Reward Program (VRP) will now pay $20,000 for vulnerabilities that allow remote code execution against google.com, youtube.com and other core domains, as well as what the company called "highly sensitive services" such as its search site, Google Wallet, Gmail and Google Play.
Remote code flaws found in Google's Web apps will also be rewarded $20,000. Read more...
Google patches Chrome for second time in eight days
Google on Thursday patched 12 Chrome vulnerabilities, the second time in eight days that the search company has updated its browser.
Most of the vulnerabilities -- eight of the dozen -- were identified as "use-after-free" bugs, a common type of memory vulnerability that researchers have found in large numbers within Chrome using Google's own AddressSanitizer detection tool.
Seven of the 12 bugs were rated "high," the second-most-serious ranking in Google's scoring system. Four were marked "medium" and one was labeled "low."
Google paid $6,000 in bounties to three researchers for reporting seven of the vulnerabilities. The others were unearthed by Google's own security team or were ineligible for a finder's fee. Read more...
New Mac malware exploits Java bugs, steals passwords
A new version of a well-known family of Mac malware exploits vulnerabilities in Java to steal usernames and passwords for online payment, banking, and credit card websites.
Flashback.G is the first variant of the Trojan horse to use an attack vector that doesn't require any user interaction, said Intego Security, a French firm that specializes in Mac antivirus software. Most Mac malware needs help from users to get on a machine, if only to okay an installation by entering the system password.
When users come across the new malware -- it's being served from an unknown number of malicious websites -- Flashback.G first tries to exploit a pair of Java bugs, one harking back to 2008, the other discovered last year.
Apple has patched both vulnerabilities in its Java updates, fixing the 2011 bug in the most recent Java security update, issued last November. Read more...
Why McAfee’s dire security report rings true
McAfee's latest report on advanced persistent threats, which detailed vulnerabilities in least 72 companies over a five-year period, has caused quite a stir. The conclusions are so stark, some have questioned whether McAfee is scaremongering in order to push more product.
Allow me to come to McAfee's defense. For one thing, the report is the first I've seen that collates the company type, location, and possible length of compromise for each victimized business. More important, I completely agree with the gist of the argument, as articulated by Dmitri Alperovitch, McAfee VP of Threat Research. Think your company has escaped advanced persistent threats? Think again:
...I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2000 firms into two categories: those that know they've been compromised and those that don't yet know...What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth... Read more...
Drive-by attack shows mobile threat
As smartphones increasingly hold interesting data, attackers will target the devices using known vulnerabilities in common software packages.
One security researcher plans to show off just such an attack at next week's Black Hat Security Briefings in Las Vegas.
In a presentation at the conference, Neil Daswani, chief technology officer for Web security firm Dasient, will show off a proof-of-concept attack that demonstrates a drive-by attack on an Android phone using a vulnerability in the Webkit framework that powers the common browser for the platform. The attack opens up a channel through which Daswani exploits a vulnerability in Skype to read information from the application and eavesdrop on chat conversations. Read more...