Security & Privacy

Google details 'reboot' bug, Android security fixes

Google has begun releasing some details about the vulnerabilities it patched in two updates to Google's Android operating system software in the T-Mobile G1 smartphone.

The company had acknowledged some of the work earlier but hasn't posted an official comment about the vulnerabilities. Rich Cannings of the Android security team, however, shared details about the RC29 and RC30 updates that T-Mobile began distributing to G1 customers at least as early as November 1 and November 9, respectively.

Google had acknowledged the RC29 patch for the G1 fixed a browser vulnerability that could have let an attacker use malicious code on a Web site to take over the browser. The severity of such issues is limited by Android's security design, which walls off applications into separate compartments to limit an attacker's power. But Cannings said the patch also fixed two other issues.

The Android browser is based on the open-source WebKit engine, which converts HTML instructions into an actual Web page, and RC29 brought Android up to date with two WebKit patches that had been released but that Google had missed. One of them is a universal cross-site scripting problem that could give an attacker control of the browser, Cannings said.

RC29 also fixed a problem that could let someone bypass Android's locking mechanism by booting the phone into safe mode.

Google plans to publish fuller details on its Android Security Announcements group soon, Cannings said, but the company waits until the patches have been offered to all users before disclosing full details.

RC30 and the root console bug

RC30, which came about a week later, fixed an unusual "root-console" problem in Android in which text that people typed, while composing e-mail messages or searching contacts, for example, could be executed as Linux commands with the highest-level privileges. One user found it by typing the word "reboot" in a text message.

The problem was that Google left in a debugging feature that let programmers execute commands from a remote device attached over a serial port; when no such device was attached, the phone simply took its input from the keyboard instead.

Linux and Unix users are advised to use their systems with "root" privileges reserved only for administrators, but Android was actually giving anybody that privilege. The problem was lessened because many characters used in Linux commands, such as hyphens, tildes, and slashes, weren't available, but it was still a big problem, Cannings said. … Read more

Microsoft fixes four flaws with two patches

Microsoft on Tuesday released its November 2008 security bulletin, including one patch rated "critical."

The critical bulletin affects Microsoft XML Core Services and Internet Explorer, while the "important" bulletin affects the Microsoft Server Message Block (SMB) Protocol. Both affect all versions of Windows. Starting last month, Microsoft began sharing the technical details of new vulnerabilities to give software developers a chance to update affected products before the public announcement. Microsoft is including within each bulletin an "exploitability index" to help system administrators prioritize the patches. All Microsoft security patches for both Windows and Office software … Read more

Study: DDoS attacks threaten ISP infrastructure

Internet service providers now spend most of their IT security resources detecting and mitigating distributed denial-of-service attacks, concludes a report from Arbor Networks.

The fourth edition of the Worldwide Infrastructure Security Report, released Tuesday, was based on the responses of 70 lead security engineers to 90 questions. As in the previous three reports, ISPs reported attacks in which their networks were overloaded with packets, what's called a distributed denial-of-service (DDoS) attack. However, this year the ISPs indicated the attacks were not only larger in size but that most of them were stretching the upper limits of their security resources in order … Read more

US-CERT warns of SAP vulnerability

The U.S. Computer Emergency Readiness Team has warned of a vulnerability in SAP GUI, the graphical user interface client in the German company's enterprise resource-planning software.

The unspecified flaw can cause Microsoft's Internet Explorer browser to crash in an exploitable manner. The flaw lies in an ActiveX control called MDrmSap, a component of SAP GUI.

US-CERT warned in an advisory, updated on Monday, that if users are fooled into viewing a specially crafted HTML document, external attackers might be able to gain control of their system, with their privileges.

A patch is available from SAP, through SAP … Read more

Apple fixes three iLife flaws

Apple released an update on Monday for iLife 8.0 and Aperture 2 running on Mac OS v10.4.9 through v10.4.11.

The update does not affect those running Mac OS X v10.5.5. The update affects system software components shared by all iLife '08 applications and, in most cases, the specific vulnerabilities could lead to application termination or arbitrary code execution. iLife Support 8.3.1 may be obtained from the Software Update pane in System Preferences or Apple's Software Downloads Web site.

ImageIO-1

This patch affects users of iLife 8 or Aperture 2 running … Read more

Nigerian scammers hit Facebook

Karina Wells, a Google employee in Australia, received a Facebook message from a friend on Friday saying he was stranded in Lagos, Nigeria, and needed $500 for a plane ticket home. What made her suspicious was her Australian friend's use of American terms like "cell phone" instead of "mobile."

So, Wells pretended that she was going to send the money via Western Union and instead turned the case over to authorities, according to The Sydney Morning Herald.

Other Facebook users might not be so wise. Such Nigerian scams are common over e-mail but not on … Read more

Google starts fixing Android 'reboot' bug

Google has begun fixing a bug that would reboot T-Mobile's G1, the first Android-powered phone, any time a user typed the word "reboot."

In the bug filed about the problem, a user called mogphone wrote, "It would appear that Android is, at some level, interpreting specific text strings and acting as if they were local commands."

Added another commenter, jdhorvat, "Funny story behind finding this: I was in the middle of a text conversation with my girl when she asked why I hadn't responded. I had just rebooted my phone and the … Read more

Forensic tool detects pornography in the workplace

Pornography in the workplace can pose a serious problem for employers because a significant amount of material is downloaded by employees during business hours.

The viewing of porn at work can result in lost time, creativity, productivity, and employer profitability. More importantly, it can help create a hostile work environment and can be considered sexual harassment, in violation of Title VII of the Civil Rights Act of 1964. Naturally, corporations want to avoid the potentially serious legal consequences and protect their bottom line.

On Sunday, Orem, Utah-based forensic-software maker Paraben plans to introduce a unique piece of enterprise software developed … Read more

Report: White House e-mail system attacked

It was revealed this week that the presidential campaigns of Barack Obama and John McCain were hacked over the summer. Now, a report has surfaced that the White House has suffered multiple attacks in recent months as well.

According to a story by the Financial Times on Friday, U.S. officials have confirmed that the White House e-mail archives were attacked several times in recent months. The report says the National Cyber Investigative Joint Task Force, a new unit established in 2007 to tackle cybersecurity, detected the attacks on the White House, and also traced the attacks back to servers … Read more

Security expert talks Russian gangs, botnets

In February of 2005, a Miami man sued Bank of America for not adequately protecting him against a $90,000 fraudulent wire transfer to the Parex Bank in Latvia. Joe Lopez was the first online user to sue his financial institution for not protecting his assets from a computer hacker.

Lopez, owner of a computer and copier supply business, accused Bank of America of negligence and breach of contract for not alerting him in advance to the existence of a piece of malware known as "Coreflood" prior to April 6, 2004, when the alleged theft took place.

Shortly … Read more