Apple updates iPhoto 7.1.2 with a security fix

On Tuesday, Apple issued a security update for iPhoto. The update is for users of Mac OS X v10.4.9 or later running iPhoto '08 (part of iLife 08). It addresses the vulnerability detailed in CVE-2008-0043.

To be vulnerable, Apple says, a user must subscribe to a maliciously crafted photocast. A remote attacker may then execute arbitrary code on the compromised machine. The fix addresses how iPhoto handles format strings when processing photocast subscriptions.

Apple credits Nathan McFeters of Ernst & Young's Advanced Security Center for reporting this vulnerability.

Spam continues to increase, Symantec says

Spam now accounts for 78.5 percent of all e-mail traffic, according to a new report from Symantec. That's up from previous months. And Europe, not the United States, can now claim to be the source of most spam.

Other notable points culled from the "State of Spam" report for February 2008 (PDF) include:

There was an appreciable decline of image spam during January 2008. The overall file size of spam messages has also decreased. Product spam, the largest category, makes up 28 percent of all spam. Internet Web hosting and Web design spam makes up 23 … Read more

Free tool blocks Facebook, MySpace, and Yahoo ActiveX vulnerabilities

A researcher over at the Internet Storm Center has created a powerful GUI that will set the kill-bits on vulnerable ActiveX controls used in Facebook, Myspace, and Yahoo apps. These popular apps came under attack on Monday after researchers Elazar Broad and Krystian Kloskowski disclosed their findings to a online security newsgroup.

On Tuesday, exploits for the Yahoo apps were reported circulating. There is currently no patch from the individual vendors, so the only workaround is to disable the several specific, vulnerable ActiveX controls. (ActiveX controls were developed by Microsoft for use with Internet Explorer and other browsers.)

The SANS … Read more

Yahoo IM affected by ActiveX vulnerabilities

On the heels of ActiveX vulnerabilities in the image uploading tools for Facebook and MySpace.com, researchers warned Monday that Yahoo Instant Messenger and Yahoo Messenger are vulnerable to ActiveX-based attacks.

Researcher Elazar Broad has disclosed a Boundary Condition vulnerability within mediagrid.dll, version 2.2.2 56. Researchers Krystian Kloskowski and Broad have disclosed a second Boundary Condition vulnerability within datagrid.dll, version 2.2.2 56c. And Kloskowski alone has disclosed a buffer overflow within datagrid.dll 2.2.2 56, which affects the AddImage function.

The three vulnerabilities are present within Yahoo Instant Messenger version 3.5 … Read more

Why you should patch your Java Runtime Environment

According to Secunia, Sun Microsystems has patched a vulnerability that could allow malicious attackers to bypass certain security restrictions.

Secunia says, "The security issue is caused due to the JRE processing external XML entity references even though the 'external general entities' property is set to FALSE. This can be exploited to e.g. access certain URLs or cause a DoS (denial of service) via malicious XML documents."

Sun says that the JDK and JRE 6 Update 4 for multiple platforms is available for download.

Facebook, MySpace image uploaders vulnerable to attack

Updated at 3:37 p.m. PST with statement from MySpace and Facebook.

Within the last week, researcher Elazar Broad has disclosed two ActiveX vulnerabilities in the tools that MySpace.com and Facebook users use to upload images to their sites. On Sunday, Broad disclosed a buffer overflow vulnerability within the Facebook image upload control. Last week, Broad disclosed a similar buffer overflow flaw within MySpaceAurigma's ImageUploader ActiveX; the MySpace vulnerability also affects Facebook users.

Facebook and MySpace use controls repackaged from Aurigma Imaging Technology. Vulnerable to the recent attack scenario are FaceBook PhotoUploader 4.5.57.0, Aurigma … Read more

SSL-encrypted Gmail not safe to 'sidejacking' attacks, says researcher

Robert Graham, CEO of Errata Security, who last year found that it's possible to capture someone's session cookie via wireless eavesdropping, now says that even encrypted services such as Google's Gmail can sometimes provide him with a session cookie. This is a departure from his advice last August when he said SSL HTTPS sessions of Gmail should be immune.

Graham, working with David Maynor, created two tools (Ferret and Hamster), which together help him grab session cookies out of thin air, say, at a local hot spot, like an Internet cafe. Session cookies allow you to shop … Read more

RealPlayer named by StopBadware.org

StopBadware.org said Tuesday it has labeled two versions of the RealPlayer media player as "badware," or spyware.

RealPlayer 10.5, it claims, "fails to accurately and completely disclose the fact that it installs advertising software on the user's computer." And RealPlayer 11, it claims, "does not disclose the fact that it installs Rhapsody Player Engine software, and fails to remove this software when RealPlayer is uninstalled." Ryan Lukin, PR manager for RealNetworks, disputed some of the claims.

Lukin said the Message Center in 10.5 feeds only news and information, product updates, … Read more

Google, PayPal introduce political-phishing defenses

In the last few months, both Google and eBay unit PayPal have quietly rolled out new online-payment solutions that specifically target Internet-based political-campaign contributions.

While the companies primarily pitch their new products as methods for "attracting more supporters" and "increasing online giving to your campaign," the Internet titans have also laid the groundwork for phishing-resistant campaign contributions.

In a research paper released last year, Markus Jakobsson, Oliver Friedrichs, and I wrote about the looming threat of phishing Web sites posing as legitimate political-campaign sites.

The phishing problem is a particular threat to campaign sites, for a … Read more