Windows
Serious Apache Exploit Discovered
Serious Apache Exploit Discovered: Via Slashdot.
bennyboy64 writes "An IT security company has discovered a serious exploit in Apache's HTTP web server, which could allow a remote attacker to gain complete control of a database. ZDNet reports the vulnerability exists in Apache's core mod_isapi module. By exploiting the module, an attacker could remotely gain system privileges that would compromise data security. Users of Apache 2.2.14 and earlier are advised to upgrade to Apache 2.2.15, which fixes the exploit."
Note: according to the advisory, this exploit is exclusive to Windows.
Microsoft's new 'phone home' anti-piracy practice unacceptable, says critic
Microsoft's new 'phone home' anti-piracy practice unacceptable, says critic: Via Computerworld Privacy News.
'At what point is one free of this' perpetual checking, asks Lauren Weinstein
The Internet advocate who blasted Microsoft in 2006 over the daily "phone home" habits of its anti-piracy software took the company to task again today for a new practice that will examine consumers' Windows 7 PCs every 90 days to make sure they're running legitimate copies of the OS.
Lauren Weinstein, the co-founder of People For Internet Responsibility (PFIR), urged Windows 7 users not to accept the optional update to Windows Activation Technologies (WAT) when Microsoft begins seeding it to the Windows Update service later this month.
"The approach that Microsoft is now taking doesn't seem to make sense, even for honest consumers," Weinstein argued in a post to his blog. "Microsoft will trigger forced downgrading to non-genuine status if they believe a Windows 7 system is potentially pirated based on their 'phone home' checks that will occur at (for now) 90 day intervals during the entire life of Windows 7 on a given PC, even months or years after purchase. [ Read more ... ]
EFF's 12 Trends to Watch in 2010
12 Trends to Watch in 2010: Via EFF.org Updates.
It's the dawn of a new year. From our perch on the frontier of electronic civil liberties, EFF has collected a list of a dozen important trends in law, technology and business that we think will play a significant role in shaping online rights in 2010.
In December, we'll revisit this post and see how it all worked out. [ Read more ... ]
Sneaky Microsoft plug-in puts Firefox users at risk
Sneaky Microsoft plug-in puts Firefox users at risk: Via computerworld.
Patches critical bug, exploitable because of add-on silently slipped into Firefox last February
An add-on that Microsoft silently slipped into Mozilla's Firefox last February leaves the browser open to attack, Microsoft's security engineers acknowledged earlier this week.
One of the 13 security bulletins Microsoft released Tuesday affects not only Internet Explorer (IE), but also Firefox, thanks to a Microsoft-made plug-in pushed to Firefox users eight months ago in an update delivered via Windows Update.
"While the vulnerability is in an IE component, there is an attack vector for Firefox users as well," admitted Microsoft engineers in a post to the company's Security Research & Defense blog on Tuesday. "The reason is that .NET Framework 3.5 SP1 installs a 'Windows Presentation Foundation' plug-in in Firefox."
The Microsoft engineers described the possible threat as a "browse-and-get-owned" situation that only requires attackers to lure Firefox users to a rigged Web site. [ Read more ... ]
Microsoft Security Bulletin MS09-048 - Critical: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)
Microsoft Security Bulletin MS09-048 - Critical: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723): Via Microsoft Security Bulletin.
This security update resolves several privately reported vulnerabilities in Transmission Control Protocol/Internet Protocol (TCP/IP) processing. The vulnerabilities could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. [ Read more ... ]
Code for Skype Spyware Released to Thwart Surveillance
Code for Skype Spyware Released to Thwart Surveillance: Via Threat Level.
A Swiss programmer who crafted malware for intercepting and recording Voice-over-IP phone calls has posted the source code online to draw attention to vulnerabilities in programs such as Skype, and to make it harder for law enforcement to surreptitiously use the malware for surveillance, according to Tech World.
Ruben Unteregger, 33, wrote the code for “MiniPanzer” and “MegaPanzer” in 2006 for his former employer, ERA IT Solutions. The company allegedly sold the malware to Swiss authorities to be used for surveillance. [ Read more ... ]
Cyberwar - Defying Experts, Conficker Rogue Computer Code Still Lurks
Cyberwar - Defying Experts, Rogue Computer Code Still Lurks: Via NYTimes.com.
Like a ghost ship, a rogue software program that glided onto the Internet last November has confounded the efforts of top security experts to eradicate the program and trace its origins and purpose, exposing serious weaknesses in the world’s digital infrastructure.
The program, known as Conficker, uses flaws in Windows software to co-opt machines and link them into a virtual computer that can be commanded remotely by its authors. With more than five million of these zombies now under its control — government, business and home computers in more than 200 countries — this shadowy computer has power that dwarfs that of the world’s largest data centers. [ Read more ... ]
Microsoft's Free AV App May Be a Non-Starter
Microsoft's Free AV App May Be a Non-Starter: Via Slashdot.
CWmike writes "Microsoft is preparing to launch a public beta of Morro, the free anti-malware it announced last November, according to reports. Morro will use the same scanning engine as Windows Live OneCare, the software that the free software will replace and Microsoft's first consumer-grade antivirus package. OneCare is to get the boot as of June 30 (along with finance app Microsoft Money). John Pescatore, an analyst at Gartner, has questioned whether users would step up to Morro even if it was free. [ Read more ... ]
Malware Steals ATM Data
Malware Steals ATM Data: Via Schneier on Security.
One of the risks of using a commercial OS for embedded systems like ATM machines: it's easier to write malware against it:
The report does not detail how the ATMs are infected, but it seems likely that the malware is encoded on a card that can be inserted in an ATM card reader to mount a buffer overflow attack. The machine is compromised by replacing the isadmin.exe file to infect the system.
The malicious isadmin.exe program then uses the Windows API to install the functional attack code by replacing a system file called lsass.exe in the C:\WINDOWS directory.
Once the malicious lsass.exe program is installed, it collects users' account numbers and PIN codes and waits for a human controller to insert a specially crafted control card to take over the ATM.
After the ATM is put under control of a human attacker, they can perform various functions, including harvesting the purloined data or even ejecting the cash box.
New ATM Malware Captures PINs and Cash — Updated
New ATM Malware Captures PINs and Cash — Updated: Via Threat Level.
Security researchers have found malware planted on ATMs in Eastern Europe that captures PINs and magnetic stripe data from the machine’s memory and instructs the machines to spit out cash, eliminating the need for primitive skimming devices and advancing the tradecraft of card thieves to a new level.
“This malware is unlike any we have ever had experience with,” said Nick Percoco in a statement. Percoco is vice president and head of Trustwave’s SpiderLabs Incident Response Team, based in Chicago, which was called in to investigate the matter this last spring. [ Read more ... ]
Microsoft Update Quietly Installs Firefox Extension
Security Fix - Microsoft Update Quietly Installs Firefox Extension: Via Security Fix - Voices at The Washington Post.
A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla's Firefox Web browser.
Earlier this year, Microsoft shipped a bundle of updates known as a "service pack" for a programming platform called the Microsoft .NET Framework, which Microsoft and plenty of third-party developers use to run a variety of interactive programs on Windows. [ Read more ... ]
Microsoft Offers Secure Windows … But Only to the Government
Microsoft Offers Secure Windows … But Only to the Government: Via Threat Level.
It’s the most secure distribution version of Windows XP ever produced by Microsoft: More than 600 settings are locked down tight, and critical security patches can be installed in an average of 72 hours instead of 57 days. The only problem is, you have to join the Air Force to get it.
The Air Force persuaded Microsoft CEO Steve Ballmer to provide it with a secure Windows configuration that saved the service about $100 million in contract costs and countless hours of maintenance. At a congressional hearing this week on cybersecurity, Alan Paller, research director of the Sans Institute, shared the story as a template for how the government could use its massive purchasing power to get companies to produce more secure products. And those could eventually be available to the rest of us.
Security experts have been arguing for this “trickle-down” model for years. But rather than wield its buying power for the greater good, the government has long wimped out and taken whatever vendors served them. If the Air Force case is a good judge, however, things might be changing.
Threat Level spoke with former CIO of the Air Force, John Gilligan, to get the details. [ Read more ... ]
User Access Control (UAC) Whitelist Hole In Windows 7
UAC Whitelist Hole In Windows 7: Via Slashdot.
David Gerard writes "Microsoft tried to make Vista secure with User Access Control (UAC). They relaxed it a bit in Windows 7 because it was such a pain in the backside. Unfortunately, one way they did this (the third way so far found around UAC in Windows 7) was to give certain Microsoft files the power to just ... bypass UAC. Even more unfortunately, one of the DLLs they whitelisted was RUNDLL32.EXE. [ Read more ... ]
Conficker Worm Could Create World's Biggest Botnet
Conficker Worm Could Create World's Biggest Botnet: Via Slashdot
nk497 writes "The worm that's supposedly infected almost nine million PCs running Windows, dubbed Conficker or Downadup, could lead to a massive botnet, security researchers have said. The worm initially spread to systems unpatched against MS08-067, but has since 'evolved and is now able to spread to patched computers through portable USB drives through brute-force password-guessing.'"
Microsoft Releases Critical Internet Explorer Patch
Microsoft Releases Critical Internet Explorer Patch: Via InformationWeek
The out-of-band security update fixes a JavaScript-related vulnerability that's being actively exploited through hacked Web sites.
Microsoft has released an out-of-band security update, MS08-078, to fix a vulnerability in its Internet Explorer Web browser that's being actively exploited.
"At this time, we are aware only of attacks that attempt to use this vulnerability against Windows Internet Explorer 7," said Christopher Budd, Microsoft security response communications lead, in an e-mailed statement. "Our investigation of these attacks so far has verified that they are not successful against customers who have applied the security update. MS08-078 has a maximum severity rating of Critical for all versions of Internet Explorer."
Nonetheless, Microsoft lists Internet Explorer 5.01, 6, and 7 as affected software in its Security Bulletin. It also says separately, in the FAQ section, that Internet Explorer 8 Beta 2 is affected.
The vulnerability can be exploited through JavaScript code posted on malicious Web sites. Internet Explorer users may be redirected to these sites through hacked legitimate sites. If the malicious code is successful, it silently downloads malware onto the victim's computer.
Microsoft Rushes Internet Explorer Patch
Microsoft Rushes Internet Explorer Patch: Via Slashdot
drquoz writes "Last week, it was reported that a critical security flaw was found in Internet Explorer. On Tuesday, experts were advising users not to use IE until a patch could be released. On Wednesday, Microsoft released the patch. An interesting quote from the article: 'Kandek suggests that Microsoft is at a disadvantage in updating Internet Explorer because its browser doesn't have a built-in update mechanism like other browser makers. Mozilla, for instance, just released Firefox 3.05 to Firefox users through its auto-update system.'"
Hackers Compromise Legit Web Sites to Target Microsoft IE Flaw
Hackers Compromise Legit Web Sites to Target Microsoft IE Flaw: Via eWeek
Microsoft reported a significant increase in the number of users infected with malware targeting a vulnerability in Internet Explorer widely reported last week. The flaw affects all supported editions of IE.
Hackers have begun compromising Web sites to infect vulnerable computers with malware that exploits a zero-day flaw in Internet Explorer revealed last week.
Microsoft reported a significant increase in the number of infected users over the weekend, and researchers at Trend Micro estimated about 6,000 sites had been infected. The move is a shift in tactics for hackers, who had been relying on rogue Web sites to propagate their malware.
"Based on our stats, since the vulnerability has gone public, roughly 0.2 percent of users worldwide may have been exposed to Web sites containing exploits of this latest vulnerability," according to a posting on the Microsoft Malware Protection Center (MMPC) blog. "That percentage may seem low, however it still means that a significant number of users have been affected. The trend for now is going upwards: we saw an increase of over 50 percent in the number of reports today compared to yesterday."
So far, the compromised sites have run the gamut, ranging from a popular search engine in Taiwan – now reportedly clean – to various pornography sites. [ Read more ... ]
Experts Say To Switch Browsers In Light of IE Vulnerability
Experts Say To Switch Browsers In Light of IE Vulnerability: Via Slashdot
It appears that the exploit in IE briefly mentioned a few days ago is causing a serious reaction: SteveAU writes "Microsoft has begun flooding media outlets with information advising users to switch to an alternate browser while a serious security flaw is being patched. The flaw, which affects all versions of Microsoft Internet Explorer, is manifested via malware and has infected over 6000 sites thus far. Microsoft states: 'The vulnerability exists as an invalid pointer reference in the data-binding function of Internet Explorer. When data binding is enabled (which is the default state), it is possible under certain conditions for an object to be released without updating the array length, leaving the potential to access the deleted object's memory space. This can cause Internet Explorer to exit unexpectedly, in a state that is exploitable.'" --- According to the BBC report, though, Microsoft itself is only asking that users be "vigilant while it investigated and prepared an emergency patch"; it's outside experts who say to dump IE (at least for now).
Serious security flaw found in IE
Serious security flaw found in IE: Via BBC NEWS | Technology
Users of Microsoft's Internet Explorer are being urged by experts to switch to a rival until a serious security flaw has been fixed.
The flaw in Microsoft's Internet Explorer could allow criminals to take control of people's computers and steal their passwords, internet experts say.
Microsoft urged people to be vigilant while it investigated and prepared an emergency patch to resolve it.
Internet Explorer is used by the vast majority of the world's computer users.
"Microsoft is continuing its investigation of public reports of attacks against a new vulnerability in Internet Explorer," said the firm in a security advisory alert about the flaw.
Microsoft says it has detected attacks against IE 7.0 but said the "underlying vulnerability" was present in all versions of the browser.
Other browsers, such as Firefox, Opera, Chrome, Safari, are not vulnerable to the flaw Microsoft has identified. [ Read more ... ]
Oops! Missed One Fix - Windows Attacks Under Way
Slashdot | Oops! Missed One Fix — Windows Attacks Under Way - Via Slashdot:
CWmike writes
"Microsoft says attackers are now exploiting a critical Windows bug that it didn't get around to fixing in its biggest batch of security patches in more than five years, issued yesterday. Microsoft said that 'limited and targeted' attacks are in progress by hackers exploiting an unpatched vulnerability in the WordPad Text Converter, a tool included with all versions of Windows. If Microsoft patches the WordPad problem on its monthly schedule, the first opportunity for fixing the flaw would be Jan. 9, 2009."
--- Update: 12/10 22:28 GMT by T : OK, there might have been more than one: reader Simon (S2) writes [ Read more ... ]
New Windows worm builds massive botnet
New Windows worm builds massive botnet: Via Computerworld
Half a million PCs infected, botnet still growing, says researcher
The worm exploiting a critical Windows bug that Microsoft Corp. patched with an emergency fix in late October is being used to build a new botnet, a security researcher said today.
Ivan Macalintal, a senior research engineer with Trend Micro Inc., said that the worm, which his company has dubbed "Downad.a" -- it's called "Conficker.a" by Microsoft and "Downadup" by Symantec Corp. -- is a key component in a new botnet that criminals are creating.
"We think 500,000 is a ball park figure," said Macalintal when asked the size of the new botnet. "That's not as large as some, such as [the] Kraken [botnet], or Storm earlier, but it's still starting to grow." [ Read more ... ]
Terrorism Survival Bundle for Windows Mobile Version: 1 Mobifusion, Inc.
Terrorism Survival Bundle Windows Mobile Version: 1 Mobifusion, Inc.: Via Mobile2Market's Windows Mobile Certified Software Catalog Home Page, includes Microsoft Windows Pocket PC (Touchscreen), and Microsoft Smartphone (Non-touchscreen). [ Read more ... ]
Attack Code Found For Recent Windows Bug
Slashdot | Attack Code Found For Recent Windows Bug - Via Slashdot:
CWmike writes "Just a day after downplaying the vulnerability that caused it to issue an out-of-cycle patch last week, Microsoft warned customers late yesterday that exploit code had gone public and was being used in additional attacks. 'We've identified the public availability of exploit code that now shows code execution for the vulnerability addressed by MS08-067,' said Mike Reavey, operations manager of Microsoft's Security Response Center, in a post to the MSRC blog. 'This exploit code has been shown to result in remote code execution on Windows Server 2003, Windows XP, and Windows 2000.'"
Microsoft to Issue Emergency Patch For File-Sharing Hole
Microsoft to Issue Emergency Patch For File-Sharing Hole - Via Slashdot:
An anonymous reader writes "Microsoft said late Wednesday that it plans to release a critical security update today to plug a security hole present in all supported versions of Windows. The company hasn't released any details about the patch yet, which is expected to be pushed out at 1 p.m. PT. Normally, Redmond issues security updates on Patch Tuesday, the second Tuesday of each month. The Washington Post's Security Fix blog notes that each of the three times in the past that Microsoft has departed from its patch cycle, it was to fix some really nasty vulnerability that criminals already were exploiting to break into Windows PCs." --- [ Read more ... ]
Automatic Patch-Based Exploit Generation
Automatic Patch-Based Exploit Generation - Via cs.cmu.edu:
by David Brumley, Pongsin Poosankam, Dawn Song, and Jiang Zheng
Abstract
The automatic patch-based exploit generation problem is: given a program P and a patched version of the program P', automatically generate an exploit for the potentially unknown vulnerability present in P but fixed in P'. In this paper, we propose techniques for automatic patch-based exploit generation, and show that our techniques can automatically generate exploits for vulnerable programs based upon patches provided via Windows Update. [ Read more ... ]