CommonMime

I felt that some humor might be beneficial today....

Confronting the 5 Stages of IT Grief

10 More Stupid Things Smart IT People Still Do

Microsoft Tackles Vista, Virtualization Patches

By Lisa Vaas

Patch Tuesday finds Microsoft addressing a host of security issues with Vista and virtualization.

Patch Tuesday brings with it a host of security issues with Vista, issues with virtualization and a fun time for system administrators who deal with clients using some wildly popular Microsoft applications: Internet Explorer and Excel.

On Aug. 14, Microsoft released nine security patches for 14 vulnerabilities, with six of the updates rated critical, in its biggest patch release since February.

Visit aka jane to read the rest of this article

Facebook Leaks Its Own Code

By Lisa Vaas

Facebook reveals part of its source code on a blog named Facebook Secrets due to a server error.

Social networking site Facebook on Aug. 12 posted Facebook's homepage source code onto a newly created blog named Facebook Secrets on Aug. 12 and is now telling people not to use it.

Visit aka jane to read the rest of this article

Biggest Pump-and-Dump Scam Ever Spikes Spam 445%

By Lisa Vaas
August 10, 2007

The largest spam scam ever tracked increased the spam count by 445 percent in one day.

The largest spam attack ever tracked wound down Aug. 9 after delivering enough big, fat PDF files to increase total spam size 445 percent in one day, according to Postini, a hosted e-mail filtering company that's been tracking the attack since it started Aug. 7.

Visit aka jane to read the rest of this article

Researchers Crack the iPhone

By Lisa Vaas
July 23, 2007

Updated: Apple's popular multifunctional device can be exploited for data theft or snooping purposes, according to a security firm.

A security firm has run the first remote exploits on Apple's iPhone, proving that the widely popular smart phone is vulnerable not only to data theft but also to being turned into a remote snooping device.

A trio of researchers from Independent Security Evaluators—Charlie Miller, Jake Honoroff and Joshua Mason—have created an exploit for the iPhone's Safari Web browser wherein they use an unmodified device to surf to a maliciously crafted drive-by download site. The site downloads exploit code that forces the iPhone to make an outbound connection to a server controlled by the security firm.

Visit aka jane to read the rest of this article

Author Claims Mac OS X Worm 'Ready to Go'

By Lisa Vaas

The same troll who claimed to have intercepted and reverse-engineered Dino Dai Zovi's QuickTime exploit from the Mac Pwn-to-Own contest at CanSecWest said over the weekend that he or she now has a Mac OS X worm loaded and ready to go.

Visit aka jane to read the rest of this article

Australian Government Sues Google over Deceptive AdWords

Thursday, July 12, 2007 10:06 AM/EST

An Australian government consumer advocacy group is suing Google for "misleading and deceptive conduct" in its SERP AdWords.

Visit aka jane to read the rest of this article

Zero-Day Hits IE-Firefox Combo

By Lisa Vaas
July 10, 2007    

Security researcher Thor Larholm has discovered a zero-day vulnerability that could lead to remote attackers hijacking systems running both Internet Explorer and Firefox.

Larholm is calling this an IE zero day, blaming the vulnerability on an input validation flaw in Internet Explorer that allows users to specify arbitrary arguments to the process responsible for handling URL protocols. It's the same type of input validation vulnerability that Larholm discovered in the Safari 3 beta, he said.

Visit aka jane to read the rest of this article

A Six-Pack of iPhone Hangover Cures

Visit aka jane to read the rest of this article

Does the CIA's Dark Past Foretell Current Data Abuse?
By Lisa Vaas

News Analysis: With the CIA's release of reports on 25 years of illegal exploits, data privacy advocates now have a lengthy record of abuses to justify restraining governments' access to personal data.

With the CIA's June 26 release of documents detailing 25 years of illegal exploits, data privacy advocates now have a book-length record of misdeeds—including examples of data abuse such as wiretapping—to back up their arguments that personal data is better off when kept out of the hands of an unsupervised government or law enforcement agency.

Visit aka jane to read the rest of this article

Don't Hold Your Breath for a MS DNS Hole Patch

Microsoft says it hopes to patch the hole in its Domain Name System Server—which is now leaving vulnerable PCs open to a worm attack—by "no later" than Patch Tuesday in May.

Microsoft teams are working around the world and around the clock to get a fix out for the May 8 security bulletin release, the MSRC's Christopher Budd wrote in the security center's blog on Tuesday night.

Budd said that Microsoft teams are now developing and testing 133 separate updates, including one in every language for every currently supported version of Windows servers.

"Each of these has to be tested to ensure they effectively protect against the vulnerability," Budd said. "Because DNS is a critical part of the networking infrastructure, they also have to be tested to ensure that changes introduced by the updates don't pose a greater risk than the security issue we're addressing."

Visit aka jane to read the rest of this article

By Brian Prince

Microsoft Investigates DNS Attacks

Microsoft is investigating attacks exploiting a vulnerability in the Windows Server Domain Name System Service, as well as two types of hacks targeting Vista's OEM BIOS activation feature.

A company spokesperson said a very limited number of attacks exploiting the flaw in the Windows Server DNS Service have been seen in the wild.

"Our investigation reveals that this vulnerability could allow a criminal to run code in the security context of the Domain Name System Server Service, which by default runs as Local SYSTEM," a Microsoft spokesperson said.

Visit aka jane to read the rest of this article

Symantec Patches Flaw in Enterprise Security Manager
By Brian Prince

Symantec has patched a security hole in its Enterprise Security Manager tool that allows attackers to take control of infected machines.

The Cupertino, Calif., company cautioned users in an advisory that all versions of ESM, except version 6.5.3, are vulnerable to a remote code execution attack. The problem, officials at the anti-virus vendor reported, is that the ESM agent remote upgrade interface does not authenticate the source of remote upgrade requests – a vulnerability that can be exploited to launch malware via a specially crafted upgrade request.

Visit aka jane to read the rest of this article

ANI Patch: The Day After

Microsoft's release of the patch for the animated cursor—or ANI—vulnerability isn't the end of the story. More chapters will unfold as the company answers why the patch took so long to develop, as so many other flaws are fixed, and as IT organizations grapple with deploying an out-of-band patch.

The ANI vulnerability rose to urgency near the end of March, when the first exploit code appeared and reappeared again and again. Within days of the first exploit, ANI posed such serious risk that Microsoft instructed end users to read all e-mail in plain text.

But while exploits appeared about a week ago, Microsoft had known about the vulnerability since mid-December. Why did the patch take so long?

The ANI vulnerability bears striking similarity to the WMF (Windows Metafile) bug that squashed some Microsoft researchers' 2005 holiday and 2006 New Years. Both flaws affect the Windows graphics subsystem—or GDI—and were exploited without patches being available.

Visit aka jane to read the rest of this article

Firefox Still Sitting Duck for ANI Exploits

By Lisa Vaas

Firefox browsers are still vulnerable to attacks exploiting the animated cursor flaw that caused Microsoft to rush out a patch on April 3.

Alexander Sotirov, the security researcher at Determina who first discovered the ANI flaw and reported it to Microsoft in December, has posted a video depicting successful ANI vulnerability exploits on both Internet Explorer 7 and Firefox 2.0 running on Vista in default mode.

Visit aka jane to read the rest of this article