Microsoft Security Essentials vulnerability reminds that security risks are everywhere
Microsoft recently delivered a patch for its malware and antivirus tools, including Security Essentials, Windows Defender, MSRT, and Forefront -- its enterprise antivirus solution. The patch addresses a flaw in Microsoft's scanning engine which could allow an attacker who had a valid username and password to gain elevated rights on a system.
As is often the case with these flaws, the fact that ...
Microsoft has posted a new security bulletin which describes a critical flaw in Internet Explorer which -- wait for it -- could allow a remote attacker to execute arbitrary commands on a compromised computer. The flaw affects all supported versions of IE and occurs because of "the creation of uninitialized memory during a CSS function within Internet Explorer."
Vista and Windows 7 users are at ...
Sophos Labs' Graham Cluley posted this morning about a nasty little Twitter security flaw that is being actively exploited. Twitter apparently doesn't block onMouseOver JavaScript code, which (you guessed it!) kicks in when your mouse pointer passes over a specially crafted link.
What happens next is up to the creator. It could be something harmless like the alert box you see above, or it ...
Yesterday, Adobe reported another critical security exploit in Flash. Show us your surprised face.
Unlike a lot of the Flash warnings we see, however, this one is actively being exploited, and a successful attack allows untrusted code to be remotely executed. That's bad, especially since Adobe's post states that the patch won't be arriving for about two weeks.
Flash can't seem to catch a ...
Is it just me, or are Adobe Acrobat and Reader about as secure as the contents of President Skroob's suitcase?
Remember that new zero-day exploit which they announced yesterday? Well, if yesterday was day zero it's now day one, and that exploit is being targeted by the bad guys. Trend Micro reports that a trojan is spreading which drops a downloader -- which then drops another downloader. From ...
Anyone else having deja vu?
Adobe's improved security efforts have been a welcome change, but it sure seems like they're still not doing enough. Of course, it's also possible that things have been footloose and fancy-free for so long that it's going to take a while to sort out. They've promised sandboxing is coming, and that should help.
In the meantime, however, we're going to see more ...
Microsoft has already fessed up -- admitting that a vulnerability in Internet Explorer was a key component in the Chinese attacks on companies including Google and Yahoo. Today, a post at Wired revealed some very disappointing news: Microsoft knew about the exploit as far back as September of 2009.
Microsoft's senior security officer Jerry Bryant had this to say: "Our investigation into this ...
Microsoft is acting to address concerns regarding the vulnerability that has been widely reported on since it was revealed last week. According to BetaNews there still haven't been any reported incidents involving the exploit. Even though the vulnerability's existence has yet to be confirmed, Microsoft has responded quickly and has prepared a patch for release today at 10:00am PST. There are also ...
According to eEye Digital Security, the latest version of Symantec AntiVirus contains a security flaw that could be used to take control of the victim's PC "without any user action." eEye spokesperson Mike Puterbaugh describes the hole as "definitely wormable," i.e. malicious software could gain access to a machine, change or delete files at will, and spread itself to other machines. Symantec says ...
Actually, two of them. Fortunately, this new set of vulnerabilities, discovered only days after Microsoft released a patch for the recently-discovered and very dangerous previous WMF vulnerability, is much less serious. Rather than allowing an attacker to execute arbitrary code on your system, these two new vulnerabilities only allow a malicious person to crash the viewer, e.g. Internet Explorer, ...





