Defense in Depth

For the last week, I've written that Dan Kaminsky undertook unprecedented action in coordinating a variety of vendors in secret over the last six months. Ari Takanen, co-founder and chief technology officer of Codenomicon, wrote to challenge that notion.

In an e-mail on Thursday, Takanen cited his work on a Simple Network Management Protocol version 1 (SNMPv1) flaw back in 2002 as an example. Like Domain Name System, SNMP is a fundamental element of the Internet.

I wrote: "There have been other multiparty patch releases, but never has there been one on such a massive scale. It took … Read more

Gaining the ability to remotely control your HVAC might seem like an energy-responsible thing to do, but it might also pose hidden security risks.

In a recent blog titled Security implications in HVAC equipment SANS handler Swa Frantzen wrote of his concerns regarding one energy-saving program in Texas. The utility, TXU, uses what's called an iThermostat, which allows you to program your thermostat remotely over the Internet from any laptop or desktop.

In California, PG&E offers a similar program, SmartAC. PG&E also uses an Internet addressable, programmable thermostat, however, the user guide (PDF) mentions only … Read more

Programming note: As of Friday, July 11, 2008, Defense in Depth will now only carry my weekly column plus additional commentary on the state of computer security. My security news blogs will instead appear under the CNET News Security banner going forward. And my CNET News Security Bites podcasts can be found at here. All of these can be subscribed to via RSS.

While security researcher Dan Kaminsky still won't comment on the specific nature of a flaw within the Domain Name System--for fear that criminal hackers might exploit it before the worldwide network of name servers worldwide … Read more

On Thursday, Check Point Software Technologies released updated versions of all its ZoneAlarm products, addressing an incompatibility with a patch Microsoft released earlier this week.

The fix requires ZoneAlarm users to download the latest version, 7.0.438.000, from its site. A reboot is required to complete installation.

Since Tuesday, ZoneAlarm customers have complained that access to the Internet was denied after installing MS08-037, a patch designed by Microsoft to correct a vulnerability in both the client and server Domain Name System packages within Windows. Earlier on Tuesday, a security researcher announced a massive, multi-vendor patch release to address … Read more

Apple released a security update on Thursday for its Apple TV. Version 2.1 includes six patches that address buffer overflow and arbitrary code execution vulnerabilities.

Apple TV 2.1 can be automatically downloaded when the update is detected by the Apple TV device. The patches may take up to one week to be detected, depending on the day a device checks. A manual update can be accomplished by using the TV interface and selecting Settings > Update Software. This update will not appear in your computer's Software Update application or in the Apple Downloads site.

Here's an … Read more

Recent e-mails stating that the U.S. has already attacked Iran and, in some cases, also offering links to a video purportedly from a soldier, are not to be believed, according to Websense. The security vendor said in an advisory Wednesday that it has linked the provocative e-mails to the Storm worm.

Storm got its name because it first took advantage of a huge winter storm in Northern Europe in early 2007. Since then, it has used a variety of social engineering tricks, including the use of political themes, to get unsuspecting users to open its malicious payload.

This time … Read more

Check Point Software Technologies, maker of ZoneAlarm, on Wednesday said it is working with Microsoft to resolve an issue with one of the patches within the software maker's July 2008 Patch Tuesday release.

At issue is the Microsoft Update KB951748 (MS08-037) from Microsoft, which addresses the flaw in DNS made public on Tuesday by security researcher Dan Kaminsky.

For ZoneAlarm customers who have automatic update selected for Windows Updates, and whose ZoneAlarm Internet security level is set to "high," they will experience a loss of Internet connectivity upon reboot.

ZoneAlarm users without automatic update may wish to … Read more

On Thursday, Webmasters around the world noticed unusual spikes in traffic. For some smaller sites the sudden surge of Web traffic toward their sites appeared to be almost a denial-of-service attack.

Turns out it was the free version of AVG Antivirus 8.0 just doing its job.

In a statement on Saturday, Grisoft said "We have actively listened to the Webmasters who have brought this to our attention, and as a company we have reacted quickly to solve them." What it did was issue a new build of the popular free program.

What's different in version 8 … Read more

Users of an older version of Microsoft Word could have their computers compromised after downloading and opening a specially crafted .doc file, according to an advisory issued late Tuesday.

Microsoft said only limited and targeted attacks have so far attempted to use this vulnerability against systems running Microsoft Word 2002 SP3.

To become infected, a vulnerable user would have to open a specially crafted .doc document. An attacker using this vulnerability would then have the same user rights as the victim. If a victim were running as administrator, the attacker would gain full access to the compromised PC.

Attacks such … Read more