Peaches

Everything posted by Peaches

  1. Facebook Photo Uploader 'ImageUploader4.1.ocx' FileMask Method ActiveX Buffer Overflow Vulnerability Bugtraq ID: 27756 Class: Boundary Condition Error CVE: CVE-2008-5711 Remote: Yes Local: No Published: Feb 12 2008 12:00AM Updated: Dec 31 2008 06:02PM Credit: Rafel Ivgi, "The-Insider" discovered this vulnerability. Vulnerable: Facebook ImageUploader4.ocx 4.5.57 0 Facebook ImageUploader4.1.ocx 4.5.57 0 Not Vulnerable: Facebook ImageUploader4.ocx 4.5.57 1 Source: http://www.securityfocus.com/bid/27756
  2. Google Calendar phishing scam surfaces By John Leyden 30th December 2008 09:47 GMT "Fraudsters are using Google's Calendar service as a means to develop a new strain of phishing scam. The ruse appears in the guise of a Google Calendar email notification. Would-be marks are told their accounts will be deleted unless they submit their Google username, password and date of birth. But rather than coming from Google's “Customer Varifaction” (sic) department the bogus emails come from fraudsters looking to extract login information. Phishing fraudsters set up Gmail accounts in ord
  3. MD5 Hack Is Not a Threat, Microsoft Says Gregg Keizer, Computerworld Tuesday, December 30, 2008 1:35 PM PST In reaction to the news today that security researchers have come up with a way to spoof the digital certificates that secure many Web sites, Microsoft Corp. downplayed the threat to users. In a security advisory, Microsoft acknowledged the disclosure earlier in the day of an exploit of long-known bugs in the MD5 hashing algorithm used to create the digital certificates that in turn provide proof of a secure connection between users and Web sites. But the software vendor m
  4. Microsoft Security Advisory (961509) Research proves feasibility of collision attacks against MD5 Published: December 30, 2008 Microsoft is aware that research was published at a security conference proving a successful attack against X.509 digital certificates signed using the MD5 hashing algorithm. This attack method could allow an attacker to generate additional digital certificates with different content that have the same digital signature as an original certificate. The MD5 algorithm had previously shown a vulnerability, but a practical attack had not yet been demonstrated. This new dis
  5. Samsung Shipped Infected Digital Picture Frames Agam Shah, IDG News Service December 24, 2008 3:50 PM PST "For the second year in a row, some of those digital photo frames lying under the Christmas tree may come with a nasty surprise. Samsung says that CDs that shipped with many models of its digital photo frames may have included a malicious Trojan horse program that gives cyber criminals access to the PC. The malicious software, known as W32.Sality.AE lies in the XP version of Samsung's Frame Manager 1.08 software, which ships with many other models of Samsung frames. A malware r
  6. 28 December 2008, 10:53 Vulnerability in Windows Media Player “According to a report by Security Tracker, all versions of Windows Media Player, including the latest version, 11, have a security related vulnerability. The problem is an integer overflow when playing WAV, SND or MIDI files, which can allow an attacker to execute arbitrary code with the privileges of the user. heise Security found that the test attached to the Security Tracker report, crashed Media Player 9 on Windows XP with Service Pack 2 and Media Player 11 on Windows XP with Service Pack 3. Security Tracker say that th
  7. phpEmployment File Upload Vulnerability Release Date: 2008-12-26 Critical: Highly critical Impact: System access Where: From remote Solution Status: Unpatched Software: phpEmployment 1.x Subscribe: Instant alerts on relevant vulnerabilities Description: ahmadbady has discovered a vulnerability in phpEmployment, which can be exploited by malicious people to compromise a vulnerable system. This vulnerability is caused due to the auth.php script failing to validate the types of uploaded images. This can be exploited to upload files with arbitrary extensions (e.g. ".php") and execute arbitrar
  8. 19 December 2008, 17:07 Vulnerability in Realtek Media Player A previously unpatched vulnerability in the Realtek Media Player can be exploited to smuggle code onto a system and execute it. The problem is a buffer overflow when opening a saved playlist. The error was discovered in version 1.15.0.0, but other versions may be affected. heise security has already noted several exploits circulating. The suggested course of action is to use another media player. The Realtek Media Player is bundled with the driver installation for systems which use the Realtek chipsets. Heise securi
  9. Hackers Acting Faster, Study Concludes Siobhan Chapman, Computerworld UK Saturday, December 20, 2008 10:16 AM PST Zero-day malware accounted for 26 percent of blocked threats in November, says web security firm ScanSafe. In its monthly Global Threat Report, ScanSafe said the rate of zero-day malware blocks increased in November to 26 percent of blocks, compared to 16 percent in October. The number is also significantly higher than the 19 percent average reported for the year. In a zero day attack, hackers are faster than software vendors and security providers by exploiting vulnera
  10. Dec 18 Scammers Evade Spam Filters by using Email ‘From’ Fields "Scam messages that purport to be from banks, government institutions, or even from certain individuals circulate the Web. Email messages where recipients are told that they have won a prize or are asked for donations would already be familiar to most Web users. Scammers, however, show no signs of slowing down using this technique. The Trend Micro Content Security team received samples of spammed email messages with the same announcement as most scam mails: the recipient has won a huge amount of money in lottery.
  11. 5 ways to secure your BlackBerry December 17, 2008 (CSO) " It seems we can't go a day lately without a new story about some security screw-up involving a lost or misplaced BlackBerry. This week, officials with John McCain's campaign mistakenly sold a BlackBerry to a Fox television reporter for $20 in a fire sale. The device contained confidential campaign information. And many Hollywood gossip publications were abuzz earlier this month with news that Tom Cruise had lost his BlackBerry while promoting a movie in Toronto. (Mixed reports now peg the device as either "found," or "never l
  12. Posted at 09:15 PM ET, 12/17/2008 Firefox 2 Users Will Get No More Security Updates "Security Fix has often praised Mozilla for equipping its Firefox Web browser with a no-hassle system for automatically applying security updates. But for those users still browsing the Interwebs with anything less than Firefox 3, it's time to take note: Mozilla shipped its final update to Firefox 2 on Tuesday, and plans no further updates for this version. Put simply: If you want to keep using Firefox safely, you're going to need to upgrade to Firefox 3. The latest version of the popular browser rece
  13. Firefox 3.0.5 fixes several security issues. Firefox 3.0.5 has been released with several security fixes. Published: 2008-12-17, Last Updated: 2008-12-17 15:09:15 UTC by donald smith (Version: 1) "Fixed in Firefox 3.0.5 MFSA 2008-69 XSS vulnerabilities in SessionStore MFSA 2008-68 XSS and JavaScript privilege escalation MFSA 2008-67 Escaped null characters ignored by CSS parser MFSA 2008-66 Errors parsing URLs with leading whitespace and control characters MFSA 2008-65 Cross-domain data theft via script redirect error message MFSA 2008-64 XMLHttpRequest 302 response disclosure
  14. 16 December 2008, 12:36 Security update for Opera "Opera Software have released Opera 9.6.3, a security update for the Opera web browser. Opera 9.6.3 has been released for Windows, Mac OS X, Linux, FreeBSD and Solaris. Apart from updating the Presto rendering engine to version 2.1.1, fixes have been applied to a number of flaws which could allow arbitrary code to be executed. These included a vulnerability manipulating text input contents, a flaw in HTML parsing, a problem with log host names in file: URLs, script injection while previewing news feeds and problems with built in XS
  15. December 16, 2008 - 3:18 P.M. Google falls from list of most trusted companies for privacy By Preston Gralla "Privacy groups have long worried about Google's privacy policies --- and now it appears that consumers have followed suit. Google has dropped off the list of the most trusted companies when it comes to privacy protection. The Ponemon Institute and TRUSTe surveyed 6,486 consumers about which companies they felt were most trustworthy and protected their private information. They recently published the list of the top 20. Last year, Google clocked in at number 10. Today, it's
  16. Microsoft preps emergency IE patch for Wednesday release Second out-of-cycle update in the last two months is imminent By Gregg Keizer December 16, 2008 (Computerworld) "Microsoft Corp. announced today that it will issue an emergency patch tomorrow to quash a critical Internet Explorer bug that attackers have been exploiting for more than a week. The advance warning came less than a week after Microsoft acknowledged that exploit code had gone public and was being used by hackers to hijack Windows PCs running IE. Microsoft will deliver the out-of-cycle patch Wednesday
  17. Microsoft sees 'huge increase' in IE attacks Thousands of hacked sites, including porn URLs, exploit unpatched IE bug December 14, 2008 (Computerworld) "Microsoft warned Saturday of a "huge increase" in attacks exploiting a critical unpatched vulnerability in Internet Explorer (IE), and said some originated from hacked pornography sites. Other researchers confirmed that attacks were increasingly coming from compromised Web sites. Microsoft noted the upswing in attacks on the company's Malware Protection Center blog late Saturday. "The trend for now is going upwards," said researchers Ziv Mad
  18. Almost a stocking stuffer: Radio Shack selling $100 netbook But required two-year AT&T data plan boosts total cost to $1,540, not counting taxes and fees December 12, 2008 (Computerworld) " Radio Shack Corp. late Thursday confirmed that it's selling the popular $500 Acer Aspire One netbook for just $100. The catch? Customers must also subscribe to a minimum $60-per-month 3G high-speed wireless data service plan from AT&T Wireless for two years, according to a Radio Shack press release that confirmed information appearing in newspaper ads from last Sunday. Offering cell phone handsets
  19. Microsoft confirms that all versions of IE have critical new bug It adds IE6 and IE8 Beta 2 to the list, recommends disabling .dll to stay safe December 12, 2008 (Computerworld) "The unpatched bug in Internet Explorer 7 (IE7) that hackers are now exploiting also exists in older versions of the browser, including the still-widely-used IE6, Microsoft Corp. said late yesterday. Today, a Danish security researcher added that Microsoft's original countermeasure advice was insufficient and recommended that users take one of the new steps the company spelled out. In a revised security advisory,
  20. December 12, 2008 12:41 PM PST Microsoft: Hole exploit endangers all IE versions Posted by Elinor Mills An unpatched security hole in Internet Explorer that is being exploited affects all versions of the browser, making it more serious than originally believed when it was first publicized two days ago, Microsoft says. Microsoft is investigating reports of attacks against a new vulnerability in IE but said in an update to a security advisory issued late on Thursday that all versions of IE are potentially vulnerable. The company recommends setting the Internet zone security setting to "high" a
  21. 9 December 2008, 11:20 Vulnerabilities in Linksys WVC54GC wireless network camera "US-CERT has posted notifications of two security vulnerabilities in the Linksys WVC54GC wireless network camera. US-CERT say that by delivering a specially crafted packet to the camera's UDP port 916, an attacker can make it respond with a packet that contains the majority of its system configuration, including details such as username, password, wireless SSID, WEP key, WEP password, WPA key, and DNS server. The camera is reported to send this information as an unencrypted packet over the network, which can allo
  22. Koobface Worm Targets MySpace, Other Sites Resurgent worm seeks to recruit zombies for botnets, experts say Dec 10, 2008 | 04:59 PM By Tim Wilson DarkReading "The Koobface worm which has plagued the Facebook social networking site during the past week, is now targeting MySpace, Bebo, and other sites as well, security researchers warn. Researchers at security vendor F-Secure said yesterday in a blog about the Koobface worm that the new infection is designed to spread to other popular social networking sites, including MyYearbook.com, BlackPlanet.com, and Friendster.com. Koobface, which wa
  23. 10 December 2008, 10:33 Third Zero Day exploit appears Microsoft has confirmed it is investigating another zero day exploit. This time, the vulnerability appears to affect the WordPad Text Converter for Word 97 files on Windows 2000 Service Pack 4, Windows XP Service Pack 2, Windows Server 2003 Service Pack 1, and Windows Server 2003 Service Pack 2. Microsoft says that Windows XP Service Pack 3, Vista and Server 2008 are unaffected as they do not contain the vulnerable code. Microsoft says that the vulnerability requires a user to open an attachment or file which starts up WordPad. If Mic
  24. Apple Releases Firmware Fixes For Latest MacBooks The updates come in pairs that are each for the MacBook, MacBook Pro, and MacBook Air introduced in October. By Antone Gonsalves InformationWeek December 10, 2008 08:08 PM "Apple on Wednesday released a number of firmware updates to fix stability problems with the latest MacBook computers. The updates come in pairs that are each for the MacBook, MacBook Pro, and MacBook Air introduced in October. One update in the pair fixes "several issues to improve the stability" of the computers, Apple said. The other "improves the sensing and accura
  25. BlackBerry Storm firmware updated two weeks after launch Analyst calls quick-fix a 'wake-up call' for normally efficient smart phone maker RIM "December 9, 2008 (Computerworld) "Just two weeks after sales of the device began, Verizon Wireless and the maker of the BlackBerry Storm have issued a firmware update, which has raised concerns from some customers. One customer, in an e-mail to Computerworld, said she might just return the smart phone to Verizon, rather than bother with this or future updates, because of the hassle. "It's great that they have software updates for the phone, but you w