Vulnerability

Microsoft warns of hole in Video ActiveX control

Microsoft on Monday warned of a vulnerability in its Video ActiveX Control that could allow an attacker to take control of a PC if the user visits a malicious Web site.

There have been limited attacks exploiting the hole, which affects Windows XP and Windows Server 2003, Microsoft said on its Security Response Center blog.

This is the second DirectShow security hole Microsoft has announced in the past few months. The company has yet to provide a security update for a vulnerability announced in May that involves the way DirectX handles QuickTime files.

Since there are no by-design uses for …

Researcher hopes Apple fixes possible iPhone SMS security hole

A security researcher said on Thursday that he hopes that Apple has a fix later this month for what he believes could be a vulnerability in the iPhone that could allow an attacker to gain control of the device remotely via SMS, according to IDG News Service.

An attacker could exploit a possible weakness in the way iPhones handle SMS (short message service) messages to do things like use GPS to track the phone's location, turn on the microphone for eavesdropping, or take control of the device and add it to a botnet, Charlie Miller, co-author of The Mac …

Microsoft warns of new server vulnerability

A new, unpatched vulnerability exists in one of Microsoft's server products, the company warned late Monday.

In a technical bulletin, the company said it is looking into "public reports of a possible vulnerability in Microsoft Internet Information Services (IIS)."

The company said that a flaw exists in a certain type of Web serving operation.

"An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests," Microsoft said. "An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location …

Microsoft to issue patch for critical PowerPoint hole

Microsoft will issue a patch on Tuesday to fix a critical vulnerability in PowerPoint that could be the same hole that has been exploited in limited and targeted attacks.

The vulnerability affects Microsoft Office 2000, 2003, 2007 and XP, as well as PowerPoint Viewer and Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 file formats, according to an advance notification released on Thursday.

In a security advisory in early April, Microsoft warned about a vulnerability in PowerPoint that had been targeted by attacks that were tailored and not widespread.

That vulnerability could be exploited by getting a person …

Another Adobe Reader security hole emerges

Updated 4:35 p.m. PDT with Adobe saying Windows, Mac and Unix versions of Reader are affected and more details.

Security experts are recommending that people disable JavaScript in Adobe Reader following reports of a vulnerability in the popular portable document format reader on Tuesday.

The vulnerability appears to be due to an error in the "getAnnots()" JavaScript function and exploiting it could allow someone to remotely execute code on the machine, according to an advisory from the US-CERT.

"US-CERT encourages users and administrators to disable JavaScript in Adobe Reader to help mitigate the risk," …

Firefox 3.0.9 targets 12 security vulnerabilities

Updated at 11:32 a.m. PST with a summary of the bug fixes.

Mozilla released an update to Firefox 3 on Tuesday that patches 12 security vulnerabilities, four of which it rated as critical.

Firefox 3.0.9, the Web browser's third update this year, fixes two critical vulnerabilities in the Firefox browser engine and two in its JavaScript engine, according to a security advisory posted Tuesday:

Mozilla developers identified and fixed several stability bugs in the browser engine used in Firefox and other Mozilla-based products. Some of these crashes showed evidence of memory corruption under certain circumstances, …

Symantec: Security holes, malware spike in 2008

If you worry that the Internet is a scary place full of digital pickpockets and online identity thieves, your fears will be bolstered by the latest Symantec Internet Security Threat Report released Tuesday.

The report finds huge increases in the number of security holes in software and the number of Internet threats, particularly attacks in which browsers are hijacked and forced to download malicious programs as people surf the Web.

Even visiting trusted Web sites isn't always safe. Most Web-based attacks target visitors to legitimate Web sites that have been compromised and that either serve up malicious content to …

CNET News Daily Podcast: Weak spots in the electrical grid

There have long been concerns over securing the power grid and other critical U.S. infrastructure, but those security issues are mounting. CNET News reporter Elinor Mills explains why.

That, and the headlines of the day, on Friday's CNET News Daily Podcast.

Today's stories:

Service restored in Silicon Valley after fiber cut

IDC: Linux spending set to boom by 21 percent in 2009

Rescue shuttle prepped for trip to launch pad

Just how vulnerable is the electrical grid?

Report: Yahoo, Microsoft CEOs meet face to face

Apple nearing 1 billion apps served

Microsoft warns of PowerPoint zero-day flaw

Hackers have launched attacks targeting an unpatched flaw in Microsoft PowerPoint, the company warned Thursday.

The vulnerability, which affects Microsoft Office 2000 SP3, 2002 SP3, and 2003 SP3, can be exploited by getting a person to open a PowerPoint file rigged for the attack. When the file is opened, PowerPoint will access an invalid object in memory. That then allows an attacker to remotely execute code on the system.

In a security advisory, Microsoft said that at present, attacks are not widespread but are tailored to affect specific victims.

"Microsoft is investigating new reports of a vulnerability in Microsoft …

People are still the biggest security vulnerability

There is an old saying in the security world stating that people are the weakest link in the security chain. Here is a bit of data that reinforces this ancient security adage.

ESG Research recently conducted a project focused on confidential data security that will be published soon. However, here are some interesting advance results that support this venerable security dictum. ESG asked 308 North American and European security professionals from large organizations (i.e. 1,000 employees or more) a number of questions about data security risks, policies, and technology safeguards. When asked to define the most important measures …