Vulnerabilities & attacks

Protesters decry NASA hacker's extradition

A peaceful protest supporting self-confessed NASA hacker Gary McKinnon took place this week in London.

About 35 backers showed up Tuesday in front of the Home Office to protest the extradition of McKinnon to the United States. They said he should instead be put on trial in the United Kingdom, where he lives.

McKinnon is accused of one of the biggest military hacks ever, slipping into computer systems belonging to the U.S. Army, Air Force, Department of Defense, and NASA. The U.S. government alleges that McKinnon's hacking activities caused $700,000 worth of damage. McKinnon has always …

Chrome suffers first security flaw

On Wednesday, researchers announced a flaw in how the Google Chrome browser behaves with undefined handlers. An exploit provided as a demonstration crashes the new browser.

In an article on the Securiteam site, Rishi Narang from Evilfingers says a crash can occur without user interaction. If a user is provided a malicious link with an undefined handler followed by a special character, Chrome crashes.

In Google-speak, the browser displays a message "Whoa, Google Chrome has crashed. Restart now?"

Narang found the fault in chrome.dll version 0.2.149.27. More details can be found on this Evilfingers page. …

Best Western details hack of German hotel

The Best Western hotel chain has given details of a hack involving one of its hotels, but downplayed reports that 8 million customers have been affected.

In response to an article published in Scotland's Sunday Herald, Best Western rejected claims that it had suffered a massive compromise of customer details.

Best Western confirmed on Tuesday that it had suffered a breach at one of its German hotels, but denied Sunday Herald claims that every customer using Best Western European hotels since 2007 had had their booking details compromised.

"We can confirm that on 21 August, 2008, three separate …

Rising fraud threats in virtual worlds

Virtual worlds are playgrounds not just for people who want some online fantasy role-playing, but for cybercriminals who are looking for places to launder money and steal data, according to a new white paper from McAfee (PDF).

The in-game economies of virtual worlds are being hijacked by criminals who attempt to hide their profits through the exchange of virtual currencies, Dr. Igor Muttik, a senior architect at McAfee's Avert Labs, says in a white paper entitled "Securing Virtual Worlds Against Real Attacks--The Challenges of Online Game Development."

"Typically, when a gaming account is compromised, attackers will …

Space: The final frontier for computer viruses

The first ever reported computer virus has infected at least two laptops onboard the International Space Station more than 200 miles above Earth.

The worm, believed to be W32.Gammima.AG, steals personal information used to play online games from infected computers and then attempts to send the information back to a remote computer, according to SpaceRef.com, which broke the news on Monday.

The virus was not the first to hit a space station last month, just the first one that was reported, NASA spokesman Kelly Humphries told Wired News. He described it as a "nuisance" that …

Firefox extension protects against man-in-the-middle attacks

Researchers at Carnegie Mellon University have released an extension for Firefox 3 that can protect wireless network users from so-called "man-in-the-middle" attacks.

The software, dubbed "Perspectives," is available for download for free.

Perspectives also protects against attacks that exploit a recently exposed flaw in the DNS system, which translates Web addresses into numerical IP addresses, said Dave Andersen, a computer science professor at Carnegie Mellon who was an adviser on the Perspectives project.

In an attack on the DNS system, someone typing in a legitimate Web address could be redirected to a malicious site without knowing …

Ubuntu issues security patch for kernel flaw

Ubuntu on Tuesday became the latest Linux vendor to patch a vulnerability in the open-source operating system's kernel that could have left the door open for hackers to find their way into users' machines.

In an e-mail sent overnight, the Linux vendor warned users to update all machines running recent versions of Ubuntu, ranging from 6.06, which was released back in mid-2006, to version 8.04, which came out earlier this year. The problem also applied to other versions of Ubuntu such as Kubuntu, Edubuntu, and Xubuntu.

"It was discovered that there were multiple NULL-pointed function de-references …

Google making SSL changes, other sites quiet

A security researcher has been in discussions with Google on an exploit he plans to release that would allow a hacker to easily intercept someone's communications with supposedly secure Web sites over an unsecured Wi-Fi network, but other sites, like Facebook, Yahoo Mail, and Hotmail, remain vulnerable.

Mike Perry, a reverse engineer and developer at Riverbed Technology, says he announced on the BugTraq e-mail list a year ago a common flaw with the way Web sites implement the SSL (Secure Sockets Layer) protocol that is designed to protect people's data when they surf the Web. Typically, they only …

Red Hat, Fedora servers compromised

Red Hat warned on Friday that a network attack compromised some servers last week that are involved with both its commercially supported and free versions of Linux.

The breaches involved Red Hat Linux Enterprise servers and those from its community-supported Fedora project that it sponsors.

Red Hat said in a security advisory that it is confident the intrusion did not compromise the Red Hat Network, which is the chief mechanism used to distribute changes to its Red Hat Enterprise Linux product, or updates sent over the network. Therefore customers are not at risk, the company said.

The open-source vendor also …

Phreaker calls buddies overseas on U.S. government dime

Someone broke into a U.S. Homeland Security Department phone system and made 400 calls to the Middle East and Asia, racking up $12,000 in long-distance charges, The Associated Press reported.

The phone phreaker got into the voice mail system of the Federal Emergency Management Agency last weekend and had free calling to places like Afghanistan, Saudi Arabia, and Yemen for at least two days before someone at Sprint noticed, according to FEMA spokesman Tom Olshanski.

It appears that a hole was left open by a contractor during an upgrade of the voice mail system, but further details were …