It was a year ago that security researcher Charlie Miller walked away with $10,000 for hacking into a MacBook Air with Safari in just two minutes during the annual Pwn2Own competition, and earlier this month Miller predicted Safari would be the first to fall at this year's event. Miller made good on that promise this week by using a prepared exploit to gain full control of the device in about 10 seconds.
"It's not easy, but this worked with one click [from the Safari browser]", Miller said.
Miller had discovered the exploit last year; it allows a remote attacker to take over a machine if a user clicks on a malicious URL. Details of the exploit, which Miller isn't allowed to divulge, will be shared with Apple by contest sponsor TippingPoint so that Apple can develop a patch.
On the same day, a 25-year-old computer science student at the University of Oldenburg in Germany demonstrated exploits in IE8, Safari, and Firefox, earning him a cool $15,000 ($5,000 per exploit), along with getting to keep the Sony Vaio P series notebook he used (Miller pocketed $5,000 and a MacBook Air).
While three major browsers succumbed to hacking attempts on day one, no mobile exploits have yet been successful. Mobile exploits carry the biggest reward for contest participants, with TippingPoint offering $10,000 for each successful exploit in the major smartphones.
Just when you might have thought it was safe to start using USB flash drives at work again, the third and, by all accounts, most fiendish version of the Conficker worm that has already infected millions of PCs is set to attack on April 1st, Ars Technica reports. Conficker.C is designed to hide itself even more thoroughly than its older siblings, using tricks such as:
Inserting itself into as many as five Windows-related folders such as System, Movie Maker, Internet Explorer, and others (under a random name, of course)
Creating access control entries and locking the file(s)
Registering dummy services using a "one (name) from column A, one from column B, and two from column C" method
To find out what happens when Conficker.C strikes, join us after the jump.
The beauty of a Live CD is that it gives you a chance to access your computer or a batch of alternate applications without actually having to load up your operating system. You only need to pop the CD into your optical drive and boot it up from your BIOS -- this self-contained environment runs independent of anything that's located on your drive partitions, even though you can still perform a variety of tasks that manipulate the data on your drives.
For example, you can test out new Linux distributions using a Live CD, saving you the time and hassle of blanking an entire partition just to see if it's the right distribution for you. You can also manipulate the partitions of your drives using a Live CD, expanding and creating volumes to create alternate locations for new operating systems, files, or whatever it is you'd use a separate volume for. Live CDs are great for troubleshooting your system (or saving your data) when your primary operating system won't boot, and they can also be used to break through Windows installations that you've lost the password for.
All that functionality... and you don't even have to install a single program on your machine! Click the link to check out some of the best Live CDs that you should have sitting on your desk.
If you haven't done so already, make sure your Adobe Reader has checked for, and downloaded, the latest updates. Adobe has finally released a patch for the zero-day scripting vulnerability in its PDF software. The patch for version 9 hit the net a bit earlier than expected, but not a moment too soon to combat this now critically exploited weakness, which has been in the wild since December 2008. The patches for versions 7 and 8 are still planned for March 18th, and users of those versions would be advised to either upgrade to 9.1 or consider Foxit Reader.
The news was posted by Adobe blogger David Lenoe: "Today, we posted the Adobe Reader 9.1 and Acrobat 9.1 update, which resolves the recent JBIG2 security issue (CVE-2009-0658), including the 'no-click' variant of the vulnerability. We encourage all Adobe Reader users to download and install the free Adobe Reader 9.1."
For those who haven't been following the details of the exploit, the vulnerability is the result of an array indexing error in the processing of JBIG2 streams. Hackers have found a way to corrupt arbitrary memory using the PDF format and take control of compromised systems. The lesson here, if we didn't know it already: don't take candy, or PDFs, from strangers.
Password. Letmein. Asdf. Blahblah. Monkey. 1234. These are just some of the most commonly used passwords around the web, but even worse than using a boneheaded password is using the same one for every registered website. Nothing new, right?
Apparently it is, at least for one-third of respondents who participated in an online survey conducted by security outfit Sophos. According to Sophos, only 19 percent of respondents said they never use the same password for multiple websites. Almost half admitted to using a few different passwords, and 33 percent fessed up to using the same password all the time.
To state the obvious, using a single password for multiple websites makes it easy for hackers to wreak more havoc should the password become compromised. But obvious as basic security may seem, it's not being practiced by many. Recent examples include high profile Twitter account hijackings, including the ones belonging to President Barack Obama, Britney Spears, and Fox News, and the discovery that the population at large continues to use unimaginative passwords, such as selecting their first name.
Today, Microsoft released a trio of security bulletins covering all currently supported Windows versions. Users of Windows 2000 SP4 through Windows Vista SP1 (as well as Windows Server 2003 and 2008) need to install the update for the critical Windows kernel vulnerability noted in Security Bulletin MS09-006. The other two bulletins (MS09-007 and MS09-008) solve important vulnerabilities in SChannel (007) and DNS/WINS Server (008); these bulletins apply to Windows 2000 SP4 through Windows XP and Server 2003 only.
Other updates to look for include the usual updates to the Malicious Software Removal Tool and the Windows Mail junk email filter. If you're on Automatic Updates, follow instructions to reboot if needed after installation. If you prefer to be in charge, don't forget to download and install these as soon as possible.
In what's sure to have Google blushing and cloud-based computing opponents hollering "told you so!", the search company issued a notice to users of its Document and Spreadsheet products alerting them that some of their documents may have been inadvertently shared with others.
"This inadvertent sharing was limited to people with whom you, or a collaborator with sharing rights, had previously shared a document," Google Docs Team wrote in a notice. "The issue only occurred if you, or a collaborator with sharing rights, selected multiple documents and presentations from the documents list and changed the sharing permissions. This issue affected documents and presentations, but not spreadsheets."
Google blamed the mishap on a bug, which the company claims to have now fixed. In the meantime, Google said it used an automated process to remove collaborators and viewers from the documents it identified as being affected, and those will need to be re-shared by the owner.
According to Google, this was an isolated incident that affected less than 0.05 percent of all documents.
Hit the jump and tell us whether or not this sours your outlook on cloud computing.
Online banking is pretty common these days, but so are people looking to get their grubby hands on your information! That’s why IBM developed the ZTIC USB stick, which allows for completely secure banking.
The ZTIC (or Zone Trusted Information Channel) is a dongle that allows for secure banking, even on a heavily infected machine. It works by opening an SSL connection to your bank's servers itself, keeping the session data on its own side (with no internal storage of its own) and showing the transaction on its built-in display. Even if you're attacked by a "man-in-the-middle," the action that actually reached the bank is what appears on the display, so a single press of the big red panic button and you're in good shape. If you want to see it in action, be sure to check out this video.
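The flow above, as an added model that is not IBM's code: the bank echoes back the transaction it actually received, authenticated under a session the device (not the host) negotiated, and the device shows that echo on its own display. Here a shared HMAC key stands in for the device-terminated SSL session, and all account values and the tampering functions are constructed for the example.

```python
import hashlib
import hmac
import json

# SESSION_KEY stands in for the TLS session the ZTIC negotiates with the bank
# itself; the infected host only relays opaque bytes and never holds this key.
SESSION_KEY = b"constructed-session-key-not-real"

def render(tx):
    """One fixed rendering, used for both the device display and the user's intent."""
    return f"PAY {tx['amount']} {tx['currency']} TO {tx['to']}"

def bank_confirm(request_bytes):
    """Bank side: parse the request exactly as received and echo it back, authenticated."""
    tx = json.loads(request_bytes)
    msg = json.dumps(tx, sort_keys=True).encode()
    return msg, hmac.new(SESSION_KEY, msg, hashlib.sha256).digest()

def device_display(msg, tag):
    """Device side: accept only an authentic echo, then show it on the trusted display."""
    expected = hmac.new(SESSION_KEY, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return "TAMPERED CONFIRMATION - TRANSACTION BLOCKED"
    return render(json.loads(msg))

def run_transfer(user_intent, tamper_request=None, tamper_reply=None):
    """Push one transfer through the (possibly infected) host.

    tamper_request models malware rewriting the browser's request before the
    device sees it; tamper_reply models malware editing the bank's reply on the
    way back. Returns (text on the device display, whether the user approves
    after comparing that display with what they meant to send).
    """
    request = json.dumps(user_intent).encode()
    if tamper_request:
        request = tamper_request(request)
    msg, tag = bank_confirm(request)
    if tamper_reply:
        msg = tamper_reply(msg)
    shown = device_display(msg, tag)
    return shown, shown == render(user_intent)

def redirect_payment(request):
    """Constructed man-in-the-browser: silently change payee and amount."""
    tx = json.loads(request)
    tx["to"], tx["amount"] = "ATTACKER-ACCT", "9000.00"
    return json.dumps(tx).encode()
```

The untampered run is approved; a rewritten request shows the attacker's payee on the display, and a rewritten reply fails authentication, so in both cases the user hits the red button rather than approving.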
Pricing and availability are reported to depend on which bank you use, but no actual details have been ironed out.
By now you should have received a pop-up alerting you to a new version of Firefox, 3.0.7. If not, select 'Check for updates' from the 'Help' menu, as 3.0.7 introduces fixes for several stability and security issues, some of which are considered critical. The more notable fixes include:
URL spoofing with invisible control characters - LOW
Upgrade PNG library to fix memory safety hazards - CRITICAL
XML data theft via RDFXMLDataSource and cross-domain redirect - HIGH
Mozilla Firefox XUL Linked Clones Double Free Vulnerability - CRITICAL
Crashes with evidence of memory corruption (rv:1.9.0.7) - CRITICAL
A full list of bug fixes can be found here, including those which are specific to Windows, Mac, and Linux, and those which affect all three operating systems.
To the surprise of many (including ourselves), Symantec shed its old bloaty ways with the release of Norton Internet Security Suite 2009, a svelte security suite that earned a 9 verdict and Kick Ass award in our Antivirus Software Roundup. Now Symantec says it's ready to do it again with a revamped version of its Norton 360 software. Has the world turned topsy-turvy?
"Norton 360 has become one of Symantec's most popular consumer offerings in just two years due to the all-in-one convenience it delivers and the solutions value we have built directly into the suite," said Janice Chaffin, group president of Symantec's Consumer Business Unit. "With version 3.0, we are combining the unmatched performance of our 2009 security products with Norton Safe Web to create even more convenience and value for our customers."
Just like NIS 2009, Symantec says its new Norton 360 version 3.0 takes about a minute to install and consumes less than 10MB of system memory. Not only that, but the company claims users will see faster boot times once 360 turns off "unnecessary" startup programs. Other new features shipping with version 3.0 include pulse updates, an idle-time backup routine, botnet protection, and a web rating service called Norton Safe Web.
Coinciding with the 360 v3.0 release, Symantec also announced the official launch of the Norton Users Discussion Forum. Prior to the launch, the forum had been in beta since April 2008 and currently boasts 1,200 new users and 7,000 posts every month.
Norton 360 is available now with an MRRP of $100 (includes 25GB of secured online storage) for the Premier Edition, $130 for the Small Business Edition 5 User Pack (plus 10GB), and $250 for the Small Business Edition 10 User Pack (plus 25GB).