Vulnerabilities & attacks

On Tuesday, Apple released iPod Touch version 2.1 to address several security issues. Among them are the DNS vulnerabilities first reported by Dan Kaminsky of IOActive in July. Other issues include vulnerabilities in Webkit, CoreGraphics, and the Application Sandbox.

Earlier on Tuesday, Apple released updates to its QuickTime media player.

Apple notes that this update is only available through iTunes as part of the iPod Touch updating process and will not appear in your computer's Software Update application, nor can it be found on the Apple Downloads site.

Application Sandbox This patch affects users of iPod Touch v2.… Read more

Apple on Tuesday released Bonjour for Windows 1.0.5., patching the DNS vulnerabilities first reported by Dan Kaminsky of IOActive in July. Bonjour for Windows can be found within iTunes. Earlier on Tuesday, Apple released DNS patches for iPod Touch. Bonjour for Windows 1.0.5 may be obtained downloading iTunes 8.0 or from Apple Software Downloads.

mDNSResponder 1 This patch affects users of Windows Vista, XP SP2, SP3, 2003, and 2000. The update addresses null pointer reference issue in CVE-2008-2326. Apple says the problem within Bonjour Namespace Provider lies in resolving a maliciously crafted ".local" … Read more

Apple on Tuesday released QuickTime 7.5.5, a version that includes nine security patches, some of which could lead to denial of service or allow an attacker to run code on a compromised machine. The patches cover both Windows and Mac OS X versions of QuickTime. Earlier Tuesday, Microsoft released two bulletins addressing serious vulnerabilities in its Windows Media Player.

QuickTime 7.5.5 may be obtained from the Apple Software Update application or you can download the latest version of free Quicktime player here.

QuickTime 1 This patch affects users of Windows Vista, XP SP2, and SP3. The … Read more

Microsoft on Tuesday released its September 2008 security bulletin summary.

The four bulletins concern Windows GDI+, Windows Media Player, and Microsoft Office OneNote. All are rated critical by Microsoft. There is no cumulative patch for Internet Explorer this month.

Starting next month, Microsoft plans to share the technical details of new vulnerabilities to give software developers time to update affected products before the public announcement.

Also in October, Microsoft will start providing each bulletin with an Exploitability Index to help system administrators prioritize the patches. All current Microsoft security patches for both Windows and Office software are available via Microsoft Update … Read more

Earlier today, Google was keeping mum about a three-day-old security fix to its Chrome browser, but now the company has revealed details of two critical-risk vulnerabilities and some lesser issues it says are fixed.

The critical patches relate to buffer overrun vulnerabilities that could have let a remote attacker execute arbitrary software on a Chrome user's computer, said Mark Larson, a Google Chrome program manager, in a mailing list posting Monday afternoon. The first patch fixed a vulnerability in handling long file names, called the SaveAs vulnerability, and the second a vulnerability in dealing with the Web site addresses displayed in Chrome's status area when the user hovers over a link. … Read more

In yet another new way to infect people, criminal hackers are using a Twitter page, according to one security researcher.

In a blog, Chris Boyd, director of malware research for Facetime, explained how a Twitter page is being used to lure victims. To lend credibility to his discovery, the Twitter page lists 17 followers, however each appeared to be fraudulent. Boyd said Twitter had been notified.

The messages, written in Portuguese, attempt to get visitors to download a photo album. In order to view the album, you'll need to download a Flash update, which is really the infection files … Read more

Updated 1:44 p.m. PDT with details that Chrome automatically updates itself with no notification or choice for the user.

Google has quietly begun releasing a hastily prepared update to its Chrome browser to fix some security problems.

The new version, 0.2.149.29, replaces the 0.2.149.27 that was released when Google launched the Chrome beta version last week. Google started releasing the update Friday, initially to a small number of users, but didn't make much of an announcement about the change.

"149.29 is a security update and we released it as … Read more

Updated Sept. 8 with National Geographic saying the app is not sanctioned by them.

Researchers have created a proof-of-concept application for Facebook that turned the machines of people who added the app to their Facebook page into elements of a botnet that in a demonstration launched denial-of-service attacks on a victim server.

"Social Network Web sites have the ideal properties to become attack platforms," according to a paper entitled "Antisocial Networks:Turning a Social Network into a Botnet," that was authored by five researchers from the Institute of Computer Science in Greece and one from the … Read more

It's been only a few days since Google released its Chrome browser, and security researchers are still digging into the software in search of the first few flaws.

A company in Vietnam has turned up the latest vulnerability in Chrome, according to a story posted to Information Week's Web site. Bach Khoa Internet Security says that the Chrome 0.2.149.27 release is susceptible to a critical buffer-overflow flaw, which could allow a remote attacker to take control of a PC. BKIS says it has reported the vulnerability to Google.

Here's how BKIS describes the vulnerability … Read more