Vulnerabilities & attacks

Mac OS 10.5.5 packs fixes for slew of security flaws

With the release of Mac OS X 10.5.5 on Monday, the Cupertino, Calif., computer company provided patches for almost three dozen software flaws. Some of the fixes are specific to Apple features, such as image processing and Finder. Other fixes are updates to various open-source projects including Bind, ClamAV, OpenSSH, and Ruby.

Version 10.5.5 can be obtained from the Apple Software Downloads page.

ATS This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update addresses the issue in CVE-2008-2305 in which viewing a document containing a maliciously crafted font may lead to arbitrary code execution. Apple credits Chris Ries of Carnegie Mellon University Computing Services for reporting this vulnerability.

BIND This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update upgrades users to BIND version 9.4.2-P2, which addresses performance issues associated with BIND version 9.4.2-P1.

ClamAV This patch affects users of Mac OS X Server v10.4.11 and Mac OS X Server v10.5 through v10.5.4. The update addresses the vulnerabilities detailed within CVE-2008-1100, CVE-2008-1387, CVE-2008-0314, CVE-2008-1833, CVE-2008-1835, CVE-2008-1836, CVE-2008-1837, CVE-2008-2713, and CVE-2008-3215 by updating Mac OS users to ClamAV version 0.93.3.

Directory Services This patch affects users of Mac OS X v10.5 through v10.5.4 and Mac OS X Server v10.5 through v10.5.4. The update addresses the vulnerability detailed in CVE-2008-2329, in which a person with access to the log-in screen may be able to list user names. Apple says an information disclosure issue exists in Log-in Window when it is configured to authenticate users with Active Directory. "By supplying wildcard characters in the user name field, a list of user names from Active Directory may be displayed."

Directory Services II This patch affects users of Mac OS X Server v10.4.11, Mac OS X Server v10.5 through v10.5.4. The update addresses the insecure file operation vulnerability within CVE-2008-2330, in which a local user may obtain the server password if an OpenLDAP system administrator runs slapconfig. … Read more

'BusinessWeek' site hacked in potential malware attack

Updated at 2:25 p.m. PDT with "BusinessWeek" comment.

Hackers have broken into BusinessWeek's online site and set up an attack scenario in which visitors to a section of the site could have their own computers compromised and their data stolen, a security researcher said on Monday.

It's unclear how long the site has been compromised and there is no evidence that BusinessWeek.com readers have been affected, but also no evidence that they haven't, said Graham Cluley, senior technology consultant at Sophos.

The hackers used an increasingly common form of attack called SQL … Read more

Hackers break into Large Hadron Collider computer

Hackers broke into a computer system at CERN's Large Hadron Collider, targeting a system that was "one step away" from a control computer, but otherwise appear to have done no major damage, according to a report on Friday in the British newspaper The Telegraph.

The system that was breached monitors the Compact Muon Solenoid Experiment, which will be analyzing data during subatomic particle collisions in the particle accelerator located along the French-Swiss border. Experiments, which began on Wednesday, are designed to help scientists explore particle physics theories.

During the attack on Tuesday and Wednesday, hackers left behind … Read more

One of 11 alleged T.J. Maxx hackers pleads guilty

One of the hackers accused of involvement in the massive data breach targeted at T.J. Maxx's parent company, arguably the largest security breach worldwide, reportedly pleaded guilty on Thursday.

Damon Patrick Toey pleaded guilty to wire fraud, credit card fraud, and aggravated identity theft, and will be released subject to electronic monitoring, according to a report on the Wall Street Journal's Web site. Eleven defendants total are facing charges in federal court in Boston.

TJX Companies, the parent company of T.J. Maxx and Marshall's, said in March 2007 that 45.7 million accounts were compromised … Read more

New tool creates fake YouTube pages for spreading malware

Cybercriminals are getting more and more business-like. The latest examples involve a tool that automates the creation of fake YouTube Web sites that can be used to deliver malware and password-cracking services for sale.

Panda Security said it has uncovered a tool circulating in underground hacking forums, dubbed YTFakeCreator, that enables anyone to easily create a fake YouTube page that surreptitiously installs a Trojan, virus, or adware on a visitor's computer, said Ryan Sherstobitoff, chief corporate evangelist of Panda Security.

The tool does not spread the video link on its own. An attacker must distribute it via e-mail, FTP, … Read more

Acrobat 9 crashes with malformed URLs

Updated September 12 at 11:12 a.m. with comment from Adobe.

Certain URLs can cause Adobe Acrobat 9 to suffer a denial of service or crash, says a researcher.

According to an alert from the SecuriTeam mailing list, "a vulnerability in Adobe Acrobat 9 allow attackers to cause the program to crash by providing it with a malformed URL."

The alert cites a blog by researcher Jeremy Brown, who provides working exploit code. In one example, Brown uses the string "acroie:///DoS" to cause a DoS in Adobe Acrobat 9 running on Windows Vista.

A … Read more

Report: SF officials looking for hidden network device

San Francisco officials are trying to find a device on the city's computer network that was allegedly left there by an IT worker who was jailed for refusing to divulge passwords to the city network, the IDG News Service reported on Thursday.

San Francisco network administrator Terry Childs was arrested in July on four felony charges of taking control of the city's computer network and locking administrators out. He remains in jail on $5 million bail despite giving up the passwords to the mayor in a secret jail cell meeting a week later.

The device, which appears to … Read more

iTunes 8 causes Windows Vista problems

Not everyone is rocking to the new iTunes 8 released Tuesday. An informal poll on ZDNet suggests that a problem with the latest edition of the Apple media player is affecting some, but not all, users of the software on Microsoft's Windows Vista. (You can download iTunes 8 for Windows from CNET Download.com.)

Users on an Apple forum reported seeing the so-called blue screen of death (BSOD) on their desktops running Windows Vista with iTunes 8 installed. The BSOD problem occurs shortly after connecting their iPods and iPhones.

A second, more subtle effect is that their CD/DVD drives "disappear." … Read more

Security software that's perfect for San Francisco government

SAN DIEGO--A standoff between San Francisco city officials and a city employee jailed this summer for allegedly refusing to reveal passwords to the city's computer network could have been avoided with technology launched this week at DemoFall.

Terry Childs, a network administrator for the city of San Francisco, was jailed July 13 on four felony charges of taking control of the city's computer network and locking administrators out. He eventually gave up the passwords to the Mayor in a secret jail-cell meeting a week later.

Things would have been different if the city had been able to use … Read more