Microsoft fixes 17 flaws in 11 patches; 6 are 'critical'

Microsoft on Tuesday released its February 2008 security bulletin, which includes 11 bulletins, six of which are deemed "critical" by Microsoft, while five are deemed "important." One bulletin, suggested in the advance notice posted Thursday, failed to be released Tuesday. A majority of the "critical" patches affect Microsoft Office, two critical patches include users of Office for Mac 2004, one affects Visual Basic 6.

The "important" patches are mostly Internet services-related. One patch is specific to the Windows Vista update, however, all the Windows Vista-related updates will be included with Windows Vista … Read more

Apple releases security updates for Leopard, Tiger

Apple today released 11 security updates for Mac OS X, with many of the updates specific to the newly-released Leopard operating system. The Security Update 2008-001 is the first from Apple for 2008. The applications affected include Time Machine, Mail, and Parental Controls. The update can be downloaded and installed via Software Update preferences, or from Apple Downloads.

Directory Services This patch affects users of Mac OS X v10.4.11 and Mac OS X Server v10.4.11 and addresses the vulnerability in CVE-2007-0355. Apple says, "A stack buffer overflow exists in the Service Location Protocol (SLP) daemon, … Read more

Exploits plague Adobe Reader and Acrobat

Over the weekend, security vendor iDefense reported three specific exploits affecting a fully patched version of Adobe Acrobat and Reader 8.1 running on Windows. In each of the cases, the attacker would need to have the users open a specially crafted PDF file delivered via an e-mail attachment or linked from a Web site. In response, Adobe has released a security update, Adobe Acrobat and Reader 8.1.2.

The Adobe Reader and Acrobat JavaScript insecure method exposure vulnerability affects users of Adobe Reader 8.1 on Windows XP SP2 and is to be further detailed in CVE-2007-5663. According … Read more

The day the wiretaps go dead

With all of the attention that the Foreign Intelligence Surveillance Act (FISA) update (and the administration's vigorous attempts to immunize the criminals telcos), it seems like a good time to explore the issues surrounding surveillance and privacy in America today.

While there are so many scary things being done by intelligence and law enforcement, hope is not far away. Easy to use privacy technologies are upon us, and with them, comes a radical shift in the balance of power. As this article will explain, the scalable techniques with which the NSA, FBI and other agencies can spy on innocent … Read more

Apple updates QuickTime security

On Wednesday, Apple released QuickTime 7.4.1. The update is for users of Mac OS X v10.3.9, Mac OS X v10.4.7, Mac OS X v10.5 or later, and Windows Vista and Windows XP SP2. It addresses the vulnerability described in CVE-2008-0234.

By enticing a user to visit a maliciously crafted Web page, Apple says that an attacker may use an unpatched version of QuickTime to cause an unexpected application termination or arbitrary code execution. The vulnerability is a heap buffer overflow that exists in QuickTime's handling of HTTP responses when RTSP tunneling is … Read more

Industry giants lobby to kill pro-consumer data-breach legislation

In a direct slap in the face to consumers, tech industry giants including Microsoft, AT&T, and Verizon are frantically engaged in an effort to kill pro-consumer provisions in a data breach notification bill currently being considered by the Indiana State Senate.

The bill would require that the state attorney general act as a single point of contact for data breaches. Any company that suffered a breach impacting one or more Indiana consumers would be required to notify the AG's office. The bill would also make Indiana the only state in the country to to require the attorney … Read more

Apple updates iPhoto 7.1.2 with a security fix

On Tuesday, Apple issued a security update for iPhoto. The update is for users of Mac OS X v10.4.9 or later running iPhoto '08 (part of iLife 08). It addresses the vulnerability detailed in CVE-2008-0043.

To be vulnerable, Apple says, a user must subscribe to a maliciously crafted photocast. A remote attacker may then execute arbitrary code on the compromised machine. The fix addresses how iPhoto handles format strings when processing photocast subscriptions.

Apple credits Nathan McFeters of Ernst & Young's Advanced Security Center for reporting this vulnerability.

Spam continues to increase, Symantec says

Spam now accounts for 78.5 percent of all e-mail traffic, according to a new report from Symantec. That's up from previous months. And Europe, not the United States, can now claim to be the source of most spam.

Other notable points culled from the "State of Spam" report for February 2008 (PDF) include:

There was an appreciable decline of image spam during January 2008. The overall file size of spam messages has also decreased. Product spam, the largest category, makes up 28 percent of all spam. Internet Web hosting and Web design spam makes up 23 … Read more

Free tool blocks Facebook, MySpace, and Yahoo ActiveX vulnerabilities

A researcher over at the Internet Storm Center has created a powerful GUI that will set the kill-bits on vulnerable ActiveX controls used in Facebook, Myspace, and Yahoo apps. These popular apps came under attack on Monday after researchers Elazar Broad and Krystian Kloskowski disclosed their findings to a online security newsgroup.

On Tuesday, exploits for the Yahoo apps were reported circulating. There is currently no patch from the individual vendors, so the only workaround is to disable the several specific, vulnerable ActiveX controls. (ActiveX controls were developed by Microsoft for use with Internet Explorer and other browsers.)

The SANS … Read more