Slashdot Mirror

Nimey writes "Adobe has posted a security bulletin for Photoshop CS5 for Windows and OSX. It seems there is a critical security hole that will allow attackers to execute arbitrary code in the context of the user running the affected application. Adobe's fix? You need to pay to upgrade to Photoshop CS6. For users who cannot upgrade to Adobe Photoshop CS6, Adobe recommends users follow security best practices and exercise caution when opening files from unknown or untrusted sources."

Not long after Firefox 3.5.1 was released to address a security issue, a new exploit has been found and a proof of concept has been posted. "The vulnerability is a remote stack-based buffer-overflow, triggered by sending an overly long string of Unicode data to the document.write method. If exploited, the resulting overflow could lead to code execution, or if the exploit attempts fail, a denial-of-service scenario." It's recommended that Firefox users disable Javascript until the issue is patched, though add-ons like NoScript should do the trick as well (unless a site on your whitelist becomes compromised).

Update: 07/20 00:09 GMT by KD : An anonymous reader informs us that the Mozilla security blog is indicating that this vulnerability is not exploitable; denial of service is as bad as it gets.

Hugh Pickens writes "Former CIA counterterrorism analyst Stephen Lee has an interesting article in the Examiner asserting that the National Security Agency is 'a secretive, hidebound culture incapable of keeping up with innovation,' with a history of disregard for privacy and civil liberties. Lee says that for most of its sixty-year history, the NSA has been geared to cracking telecom and crypto gear produced by Soviet and Chinese design bureaus, but at the end of the cold war became 'stymied by new-generation Western-engineered telephone networks and mobile technologies that were then spreading like wildfire in the developing world and former Soviet satellite countries.' When the NSA finally recognized that it needed to get better at innovation, it launched several mega-projects, tagged like 'Trailblazer' and 'Groundbreaker,' that have been spectacular failures, costing US taxpayers billions. More recently, the NY Times reported that the NSA has been breaking rules set by the Obama administration to peer even more aggressively into American citizens' phone traffic and email inboxes. Whistleblower reports portray NSA domestic eavesdropping programs as unprofessional and poorly supervised, with intercept technicians ridiculing and mishandling recordings of citizens' private 'pillow talk' conversations. Lee concludes that 'if the Federal government must play a role, then Congress and President Obama should turn to another agency without a record of creating mistrust — perhaps even a new entity. Meanwhile, NSA should focus on listening in on America's enemies, instead of being an enemy of Americans and their enterprises.'"

nandemoari writes "Hackers have reportedly infiltrated restricted computer databases at the University of California Berkeley, putting the private data of 160,000 students, alumni, and others at risk. According to UC Berkeley, computer administrators determined on April 9, 2009 that electronic databases in University Health Services had been breached by overseas criminals. The breakins began in October 2008. Information contained on the breached databases included Social Security numbers, health insurance information, and non-treatment medical information such as records of immunization and names of treating physicians."

CWmike writes "Adobe Systems has acknowledged that all versions of its Adobe Reader, including editions for Windows, the Mac and Linux, contain at least one, and possibly two, critical vulnerabilities. 'All currently supported shipping versions of Adobe Reader and Acrobat, [Versions] 9.1, 8.1.4 and 7.1.1 and earlier, are vulnerable to this issue,' said Adobe's David Lenoe said in a blog entry yesterday. He was referring to a bug in Adobe's implementation of JavaScript that went public early Tuesday. A "Bugtraq ID," or BID number has been assigned to a second JavaScript vulnerability in Adobe's Reader. Proof-of-concept attack code for both bugs has already been published on the Web. Adobe said it will patch Reader and Acrobat, but Lenoe offered no timetable for the fixes. In lieu of a patch, Lenoe recommended that users disable JavaScript in the apps. Andrew Storms, director of security operations at nCircle Network Security, said of the suggestion in lieu of patches, 'Unfortunately, for Adobe, disabling JavaScript is a broken record, [and] similar to what we've seen in the past with Microsoft on ActiveX bugs.'"

snydeq writes "Microsoft Excel has a zero-day vulnerability that attackers are exploiting on the Internet, according to security vendor Symantec. The problem affects Excel 2007 both without and with Service Pack 1, according to an advisory on SecurityFocus, and other versions going back to Excel 2000. The program's vulnerability can be exploited if a user opens a maliciously crafted Excel file, allowing a hacker to leave a Trojan horse on the infected system."

ALF-nl writes "A forensics expert claims that wiping your hard drives with just one pass already makes it next to impossible to recover the data with an electron microscope." But that's not accounting for the super secret machines that the government has, man.

northern squirrel writes "As reported by Security Focus, Google had publicly released their 50-page Browser Security Handbook (under a CC BY license, too). To quote, the document is 'meant to provide developers, browser engineers, and information security researchers with a one-stop reference to key security properties of contemporary web browsers,' and features a comparison of security features in Internet Explorer, Firefox, Opera, Safari, and — you guessed it — Chrome. Is it a belated Christmas gift to web developers, or just a reaction to recent bad publicity?"

narramissic writes "Back in March 2001, a hacker named Josh Buchbinder (a.k.a Sir Dystic) published code showing how an attack on a flaw in Microsoft's SMB (Server Message Block) service worked. Or maybe the flaw was first disclosed at Defcon 2000, by Veracode Chief Scientist Christien Rioux (a.k.a. Dildog). It was so long ago, memory is dim. Either way, it has taken Microsoft an unusually long time to fix. Now, a mere seven and a half years later, Microsoft has released a patch. 'I've been holding my breath since 2001 for this patch,' said Shavlik Technologies CTO Eric Schultze, in an e-mailed statement. Buchbinder's attack, called a SMB relay attack, 'showed how easy it was to take control of a remote machine without knowing the password,' he said."

Weblver1 writes "A recent report by web security firm Finjan shows how easily data can be accessed on PCs by malware which circumvents existing defenses. With the use of obfuscated code, antivirus software and static Web filters could not identify the scrambled attack code as a threat. The report walks through a real-life scenario of the infection process step-by-step, and tracks what happens to the stolen data. This demonstrates how stealing sensitive data has become unbearably easy — especially, given the abundance of easy-to-use DIY crimeware toolkits. Finjan's report is available here (PDF, registration required). Shortly after this report, Security firm RSA has released their findings of a huge amount of stolen 'virtual wallets' in one of the largest discoveries of stolen data from computers compromised by the Sinowal trojan. While the trojan can be traced back to 2006, it managed to become more productive over time with frequent variants. Given the scale, ease of use, and hiding techniques making infections extremely difficult to find, no wonder today's crimeware achieves such 'impressive' results."

twigles writes with news of a new proposed bill that seeks to curtail DHS's power to search and seize laptops at the border without suspicion of wrongdoing. Here is Sen. Feingold's press release on the bill. The new bill has more privacy-protecting safeguards than the previous one, which we discussed last month. "The Travelers Privacy Protection Act, a bill written by US Senators Russ Feingold, D-Wis., and Maria Cantwell, D-Wash., and Rep. Adam Smith, D-Wash., would allow border agents to search electronic devices only if they had reasonable suspicions of wrongdoing. In addition, the legislation would limit the length of time that a device could be out of its owner's possession to 24 hours, after which the search becomes a seizure, requiring probable cause."

SATAN writes "Wietse Venema started out as a physicist, but became interested in the security of the programs he wrote to control his physics experiments. He went on to create several well-known network and security tools, including the Security Administrator's Tool for Analyzing Networks (SATAN) and The Coroner's Toolkit with Dan Farmer. He is also the creator of the popular MTA Postfix and TCP Wrapper. SecurityFocus chatted up Venema to talk about software security, how to improve the code quality, what solutions we might have to fight spam successfully, the principle of least privilege, and the philosophy behind the design of Postfix. Venema is currently a researcher at IBM's T.J. Watson Research Center."

Wolf nipple chips writes "Craig Wright discovered that the Jura F90 Coffee maker, with its honest-to-God Jura Internet Connection Kit, can be taken over by a remote attacker, who can cause the coffee to be weaker or stronger; change the amount of water per cup; or cause the machine to require service (call this one a DDoC). 'Best yet, the software allows a remote attacker to gain access to the Windows XP system it is running on at the level of the user.' An Internet-enabled, remote-controlled coffee-machine and XP backdoor — what more could a hacker ask for?"

Microsoft Watch writes "Microsoft downplays a recent DNS vulnerability in all Microsoft operating systems (XP, Vista, 2000, and 2003), claims Amit Klein, the security researcher who published the original vulnerability description (PDF) earlier this month. According to Klein, the description in Microsoft's Secure Windows Initiative blog entry is misleading, contains disinformation about the DNS transaction ID algorithm, and downplays the severity of the issue. Klein refutes Microsoft's claim that there is no way to reproduce the next transaction ID, given a series of observed transaction IDs. He shows that this is possible in his paper, which Microsoft had before publishing the SWI post, as well as on the series of data provided in the SWI blog itself."

An anonymous reader writes "2Wire manufactures DSL modems and routers for AT&T and other major carriers. Their devices suffer from a DNS redirection vulnerability that can be used as part of a variety of attacks, including phishing, identity theft, and denial of service. This exploit was publicly reported more than eight months ago and applies to nearly all 2Wire firmware revisions. The exploit itself is trivial to implement, requiring the attacker only to embed a specially crafted URL into a Web site or email. User interaction is not required, as the URL may be embedded as an image that loads automatically with the requested content. The 2Wire exploit bypasses any password set on the modem/router and is being actively exploited in the wild. AT&T has been deploying 2Wire DSL modems and router/gateways for years, so there exists a large vulnerable installed base. So far, AT&T/2Wire haven't done anything about this exploit." Update: 04/09 17:48 GMT by KD : AT&T spokesman Seth Bloom sends word that AT&T has not been ignoring the problem. According to Bloom: "The majority of our customers did not have gateways affected by this vulnerability. For those that did, as soon as we became aware of the issue, we expeditiously implemented a permanent solution to close the vulnerability. In fact, we've already updated the majority of affected 2Wire gateways, and we're nearing completion of the process. We've received no reports of any significant threats targeting our customers."

Anonymous writes "Security researchers Greg Hoglund and Gary McGraw poked around in World of Warcraft and other online games, finding vulnerabilities and exploiting the system using online bots and rootkit-like techniques to evade detection. Their adventures in online game security became fodder for the book, Exploiting Online Games. McGraw discussed with securityfocus the state of security in modern video games, cheating and anti-cheating systems, how the market for cheats, exploits, and digital objects is growing, what we could learn from the design of these huge systems, and how game developers react to submissions of security vulnerabilities."

An anonymous reader writes "In a recent blog posting, a German operator of a Tor anonymous proxy server revealed that he was arrested by German police officers at the end of July. Showing up at his house at midnight on a Sunday night, police cuffed and arrested him in front of his wife and seized his equipment. In a display of both bitter irony and incompetence, the police did not take or shut-down the Tor server responsible for the traffic they were interested in, which was located in a data center, over 500km away. In the last year, Germany has passed a draconian new anti-security research law and raided seven different data centers to seize Tor servers. While back in 2003, A German court ordered the developers of a different anonymity network to build a back-door into their system."

twistedmoney99 writes "The full-disclosure debate is a polarizing one. However, no one can argue that disclosing a vulnerability publicly often results in a patch — and InformIT just proved it again. In March, Seth Fogie found numerous bugs in EZPhotoSales and reported it to the vendor, but nothing was done. In August the problem was posted to Bugtraq, which pointed to a descriptive article outlining numerous bugs in the software — and guess what happens? Several days later a patch appears. Coincidence? Probably not considering the vendor stated "..I'm not sure we could fix it all anyway without a rewrite." Looks like they could fix it, but just needed a little full-disclosure motivation."

Slashdot regular Bennett Haselton has written in with his latest essay. He starts "WabiSabiLabi generated some controversy recently by announcing their eBay-like site for security researchers to sell security exploits to the highest bidder. But WabiSabiLabi didn't create the black-and-grey market for security exploits, they merely helped draw attention to it. There's nothing that companies like Microsoft can do about the black market where security exploits sell for tens of thousands of dollars, but there's one obvious thing they can do to help protect users: offer to buy up the security vulnerabilities themselves. If they did that, then the exploits would probably never make it onto a black-market auction in the first place, because the "white hat" researchers would have found them and reported them first. Thus I think WabiSabiLabi is doing the world a favor, by shining a spotlight on the black market that thrives when companies won't pay for security bug reports." Click that magical little read more link below to continue the thought.

Really, what is a good argument against companies paying for security exploits? It's virtually certain that if a company like Microsoft offered $1,000 for a new IE exploit, someone would find at least one and report it to them. So the question facing Microsoft when they choose whether to make that offer, is: Would they rather have the $1,000, or the exploit? What responsible company could possibly choose "the $1,000"? Especially considering that if they don't offer the prize, and as a result that particular exploit doesn't get found by a white-hat researcher, someone else will probably find it and sell it on the black market instead? (Throughout this discussion, I'm using Microsoft as a metaphor for all companies which have products in widespread use, and which do not currently pay for security exploits even though they could obviously afford to.)

Perhaps you say that you would be willing to report bugs to Microsoft for free, and I respect people who do that out of selflessness, but that's not the point. Even if you and some other people would do "white-hat testing" for free, there are more people who would do it if there were prizes. The amount of people willing to do security testing for free, has not been enough to keep exploits from being found and sold on the black market -- but if Microsoft offered enough money, it would be. Obviously if Microsoft offered more than the black-market prices, everyone would just sell their exploits to them. But probably Microsoft could offer much less than the black-market prices and still put the black market out of business, because there are lots of researchers who wouldn't sell exploits on the black market even for tens of thousands of dollars, but would be willing to participate in a legal Microsoft "white hat" program for much less money.

Microsoft would undoubtedly say that they do their own in-house testing, and indeed the offer of a prize should not be used as a substitute for good security testing within a company. But at the same time, the fact that a company does their own testing isn't a good reason for not offering a prize. If a company says that they already do their own in-house security audits to catch as many bugs as they can, that still doesn't answer the question: given that a cash offer would probably result in an outsider finding a new exploit that they missed, why wouldn't they want to take it? Even if there are already outsiders who willingly find new exploits and turn them over to Microsoft for free, there's almost certainly at least one more exploit out there that would be found if they offered a cash prize. (And if the cash prize doesn't turn up any new exploits, then the company doesn't pay out and has lost nothing.)

I've done security consulting for companies like Google and Macromedia who paid me "by the bug", so you might think I'm biased in favor of more such "bounty" programs because I think I could make money off of them. Actually, I think that if Microsoft and most other large software companies offered security hole bounties to everyone in the world, almost all exploits would be picked clean by other people, and my chances of getting anything out of it would go way down, and there would be one less buffer protecting me from having to get a real job. But most people's computers would be safer.

Microsoft does in fact "pay" for security exploits in their own way, by crediting people in their security bulletins. To some people, who report exploits in hopes of being recognized, this is apparently enough. And there are third-party companies like iDefense who will buy your security exploits and then use them to gain reputation-credits for themselves, by handing them over for free to the software developer and warning their own clients about the potential risks. But there are a lot of people including me who have found exploits in the past, but don't consider the benefits of being mentioned in a Microsoft security bulletin to be worth the effort of finding a new one. And even the benefits that iDefense gets from reporting security holes, are evidently not sufficient for them to offer enough money for exploits to compete with the black-market prices (if iDefense got that much benefit out of it, then they'd be able to offer so much money that nobody would sell exploits on the black market). So using recognition as payment is evidently not enough; as Lord Beckett says, "Loyalty is no longer the currency of the realm; I'm afraid currency is the currency of the realm."

A cash prize program might mean that some people get mad when they are turned away for offering "exploits" that don't really qualify, but so what? What are they going to do for revenge, release their "exploit" into the wild? If it's not a real exploit, then it won't do any harm, and if it is a real exploit, then Microsoft should have paid them after all! Some people might threaten to sue if they aren't awarded prizes, even if the rules of the program state clearly that Microsoft is the final arbiter of what counts as an exploit. Maybe in some rare cases they would even win. But all of this could be considered a cost of running the program, just like the cost of giving out the prizes themselves -- and all insignificant compared to the cost of an exploit that gets released into the wild and allows a malicious site to do "drive-by installs" of spyware onto people's machines.

Probably the real reason Microsoft doesn't pay for security exploits is that they don't pay the full price for those drive-by installs and other problems when a new exploit is discovered. I've heard hard-core open-source advocates say that either (a) Microsoft should be held liable for the cost of exploits committed using flaws in their software, or that (b) users of Microsoft software should be held liable for exploits committed through their machines (which would drive up the cost of using Windows and IE to the point where nobody would use it). If that happened, Microsoft probably would pay for security exploits to forestall disaster. But let's make the reasonable assumption that neither of those liability rules is going to come to pass. The real price that Microsoft currently pays for security exploits is in terms of reputation, and the price they're paying right now is too low, because people don't realize that Microsoft could find and fix a lot more bugs by spending only a tiny amount of money -- but chooses not to. Despite all the snickering when "Microsoft" and "security" are used in the same sentence, most people seem to believe that Microsoft is doing everything they can to prevent users from being exploited. But as long as Microsoft doesn't pay for security holes, they're emphatically not doing "everything they can".

It's not that I think security bosses at Microsoft are trying to screw anyone over. They probably just have an aversion to the idea of paying for security holes, and what I'm arguing is that such an aversion is irrational. The people they would be paying money to are not criminals or bad people, they're legitimate researchers who just can't afford to do work for Microsoft for free when they could be doing something else for money. Offering cash will bring in new exploits, and every exploit that is reported and fixed is one that can't be sold on the black market later.

There are some interesting details that would have to be worked out about how such a program would be implemented. For example, what happens if Bob reports an exploit, and then Alice later reports the same exploit, before Microsoft has gotten a chance to push the patch out? Microsoft wouldn't want to pay $1,000 to both of them, because then whenever Bob found an exploit, he could collude with Alice so that they both "independently" reported the same bug and got paid twice. Microsoft could pay only Bob, but Alice could get so disillusioned at getting paid nothing that she might stop helping entirely. My own suggestion would be to split the money between all researchers who report the same bug in the time window before the fix is pushed out. If 10 researchers happened to report the same bug and each only got a paltry $100, some of them would quit in disgust, but if researchers start to leave because the average payout-per-person has fallen too low, then that will drive the average payout back up, so the number of active researchers stays in equilibrium.

Another issue: What happens if a researcher reports an exploit confidentially, and then the next day, the exploit appears in the wild? If Microsoft's policy was that they would pay for the exploit anyway, then a researcher would have no incentive not to sell the exploit twice, once to Microsoft and again on the black market (whereupon it might start being used in the wild). On the other hand, if Microsoft refused to pay for exploits that were released in the wild before they issued a patch, then that might leave many researchers feeling cheated if they turned in a genuine exploit and got nothing just because someone else sold it on the black market before the patch came out. My suggestion would be to simply pay for exploits even if they did subsequently get released on the black market -- on the theory that of the white hat researchers who turn in bugs to Microsoft, most of them would be ethically opposed to selling exploits to black marketeers, so they shouldn't be punished if the exploit ends up on the black market since they probably weren't the ones who put it there. Another would be to make the payout so large that even if researchers got no payment when the exploit got leaked into the wild before a patch was issued, the payout from the times that they did get paid, would more than make up for it.

But whatever rules are decided upon, there should be some sort of monetary rewards for people who confidentially report security flaws to big software companies. Whatever you can say about the merits of rewarding people through "recognition", or through social pressures to practice "responsible disclosure", the one obvious fact is that it hasn't been enough -- exploits still get sold on the black market, and every exploit that gets sold on the black market, would have been reported to Microsoft if they'd offered enough money. The talent is out there that could find these bugs and get them fixed. Most of them just can't afford to donate the work for free -- but the amount of money Microsoft would have to pay them, is far less than the benefits that would accrue to people all over the world in terms of fewer drive-by spyware installs, fewer viruses, and fewer security breaches. And if these benefits were reflected back at Microsoft in terms of greater user confidence and fewer snide jokes about "Microsoft security", then everybody would win all around. There are no barriers to making this happen, except for a mindset that it's "bad" to pay for security research. But if you prevent millions of Internet Explorer users from being infected with spyware, you deserve to at least get paid what Bill Gates earns in the time it took you to read this sentence.

rs232 writes to let us know that the US House of Representatives Committee on Homeland Security called this week for the Nuclear Regulatory Commission to further investigate the cause of excessive network traffic that shut down an Alabama nuclear plant. Investigators want to know whether the data storm could have been initiated from outside the plant.

Ant writes "SecurityFocus has a two-part article offering a high-level look at changes in Windows Vista that a computer forensic investigator needs to know about. Part 1 covers the different versions of Vista available and Vista's built-in encryption, backup, and system protection features. Part 2 continues with a look at typical user activities such as Web browser and email usage."

Ant writes "SecurityFocus has a two-part article offering a high-level look at changes in Windows Vista that a computer forensic investigator needs to know about. Part 1 covers the different versions of Vista available and Vista's built-in encryption, backup, and system protection features. Part 2 continues with a look at typical user activities such as Web browser and email usage."

mengel writes "According to the folks at SecurityFocus the number of bot-infested systems has surged to nearly 1.2 million. This after a big drop in December when lots of people replaced/upgraded systems. Time to upgrade your spam filtering software, the onslaught is coming."

mengel writes "According to the folks at SecurityFocus the number of bot-infested systems has surged to nearly 1.2 million. This after a big drop in December when lots of people replaced/upgraded systems. Time to upgrade your spam filtering software, the onslaught is coming."

ACTRAiSER writes "A recent Post on Bugtraq claims the hack of the Xbox 360 Security Protection Hypervisor. It includes sample code as well." From Bugtraq "We have discovered a vulnerability in the Xbox 360 hypervisor that allows privilege escalation into hypervisor mode. Together with a method to inject data into non-privileged memory areas, this vulnerability allows an attacker with physical access to an Xbox 360 to run arbitrary code such as alternative operating systems with full privileges and full hardware access."

PHP writes "Stefan Esser is the founder of both the Hardened-PHP Project and the PHP Security Response Team (which he recently left). During an interview with SecurityFocus he announced the upcoming Month of PHP bugs initiative in March." Quoting: "We will disclose different types of bugs, mainly buffer overflows or double free (/destruction) vulnerabilities, some only local, but some remotely triggerable... Additionally there are some trivial bypass vulnerabilities in PHP's own protection features... As a vulnerability reporter you feel kinda puzzled how people among the PHP Security Response Team can claim in public that they do not know about any security vulnerability in PHP, when you disclosed about 20 holes to them in the two weeks before. At this point you stop bothering whether anyone considers the disclosure of unreported vulnerabilities unethical. Additionally a few of the reported bugs have been known for years among the PHP developers and will most probably never be fixed. In total we have more than 31 bugs to disclose, and therefore there will be days when more than one vulnerability will be disclosed."

Franki3 invites our attention to a SecurityFocus interview with Bill Cheswick. He started the Internet Mapping Project in the 90s; you have probably seen the maps that resulted. The interview ranges over firewalling, logging, NIDS and IPS, how to fight DDoS, and the future of BGP and DNS. From the interview: "I have been impressed with the response of the network community. These problems, and others like security weaknesses, security exploits, etc., usually get dealt with in a few days. For example, the SYN packet DOS attacks in 1996 quickly brought together ad hoc teams of experts, and within a week, patches with new mitigations were appearing from the vendors. You can take the Internet down, but probably not for very long."

Agram writes, "This week Apple has released fixes for 31 vulnerabilities in its OS, although reportedly a number of known flaws remain un-addressed (according to the instigator of the Month of Kernel Bugs, 'Apple hasn't fixed any of the bugs published during [MoKB], except for the AirPort issue'). Earlier this year, in a move reminiscent of Microsoft's past patching faux pas, Apple released a 'fix' the installation of which broke features unrelated to the targeted flaw. With the growing number of low-level flaws, one has to wonder if Apple's 'more secure' argument still stands. Earlier this month, Microsoft released 6 fixes. Linux does not seem to fare much better. Despite all of these fixes, exploits remain in the wild for each platform. Perhaps, security-wise, the OS choice really boils down to a 'pick-your-poison X user-base' equation?"

applejax writes "SecurityFocus is running an article regarding some concerns about Vista's activation terms. Do you have the right to use properly purchased but not validated software? What happens if Microsoft deactivates your OS that was legally purchased? The article goes into some detail about Vista's validation and concerns." From the article: "The terms of the Vista EULA, like the current EULA related to the 'Windows Genuine Advantage,' allows Microsoft to unilaterally decide that you have breached the terms of the agreement, and they can essentially disable the software, and possibly deny you access to critical files on your computer without benefit of proof, hearing, testimony or judicial intervention. In fact, if Microsoft is wrong, and your software is, in fact, properly licensed, you probably will be forced to buy a license to another copy of the operating system from Microsoft just to be able to get access to your files, and then you can sue Microsoft for the original license fee."

Reverse Gear writes "SecurityFocus has an interesting article about a paper published on the possibility of hiding a rootkit in different PCI cards and having the rootkit survive a reboot or cleansing of the hard disk. It seems though that the author of the article doesn't think this would be abused frequently. From the article and paper: '(Because) enough people do not regularly apply security patches to Windows and do not run anti-virus software, there is little immediate need for malware authors to turn to these techniques as a means of deeper compromise.'"

ShaunC writes "The PHP Group and Zend have released PHP 5.2.0, and upgrades are encouraged. The 5.2.0 update offers several security fixes, including patches for a couple recently announced buffer overflows in input parsing. This release also includes a number of library upgrades, bug fixes, and default bundling of the popular JSON extension to help with AJAX development. See the full changelog for more details."

androthi writes "Scott Granneman takes a look at some surprises in Microsoft Vista's EULA that limit what security professionals and others can do with the new operating system. You want to post benchmarking results? Well, Microsoft may now have a say in it. Vista's EULA no longer shows up on Microsoft's software licensing page, but does still exist — also take note of Windows DRM deciding what you can and can not listen to, and Defender deciding and removing what it considers spyware automatically (by default)."

grandgator writes, "Hyped by a good deal of fanfare, outfitted with some new features, and now available for download, Firefox 2.0 has already passed 2 million downloads in less than 24 hours. However, a growing number of users are reporting bugs, widening memory leaks, unexpected instability, poor compatibility, and an overall experience that is inferior to that offered by prior versions of the browser. Expanding on these ideas, this list compiles nine reasons why it might be a good idea to stick with 1.5 until the debut of 3.0, skipping the "poorly badged" 2.0 release completely." OK, maybe it's 10 reasons. An anonymous reader writes, "SecurityFocus reports an unpatched highly critical vulnerability in Firefox 2.0. This defect has been known since June 2006 but no patch has yet been made available. The developers claimed to have fixed the problem in 1.5.0.5 according to Secunia, but the problem still exists in 2.0 according to SecurityFocus (and I have witnessed the crash personally). If security is the main reason users should switch to Firefox, how do we explain known vulnerabilities remaining unpatched across major releases?"
Update: 10/30 12:57 GMT by KD : Jesse Ruderman wrote in with this correction. "The article claims that Firefox 2 shipped with a known security hole This is incorrect; the hole is fixed in both Firefox 1.5.0.7 and Firefox 2. The source of the confusion is that the original version of this report demonstrated two crash bugs, one of which was a security hole and the other of which was just a too-much-recursion crash. The security hole has been fixed but we're still trying to figure out the best way to fix the too-much-recursion crash. The report has been updated to clear up the confusion."

Several reader write about a new AIM threat dubbed the "AIM Pipeline Worm" that uses a sophisticated network of "chained" executables to attack the end user. Security Focus has a brief note. One anonymous reader writes: "Using this method, there is no starting point for the attack — a malicious link via IM can send you to any given file, at which point the path of infection you take depends entirely on the file you start off with. The hackers can then decide which order to install malicious software, depending on their needs at the time. At a bare minimum, you will become a Botnet Zombie — if you're really lucky, you might be Trojaned, have a Rootkit installed on your PC, and be used for spam, file storage, and DOS attacks. Unlike similar attacks that have been attempted in the past, the removal of a file from the chain will not stop the attack — you will simply end up with something else installed instead, in the form of a randomly named executable dumped in your system32 folder. You'll still spam an infection link to all your contacts."

An anonymous reader writes, "Disclosure. Just a word, but in the security field it is the root of progress, sharing knowledge and getting bugs fixed. SecurityFocus published an interesting collection of quotes about the best disclosure processes. The article features 11 big vendors, 2 buyers of vulnerabilities, and 3 independent researchers. What emerges is a subtle picture of the way vendors and researchers differ over how much elapsed time constitutes 'responsible.' Whereas vendors ask for unlimited patience, independent researchers look for a real commitment to develop a patch in a short time. Nice read." Wikipedia has an entry for "full disclosure" but none for "responsible disclosure."

An anonymous reader writes "Microsoft is rushing to fix a flaw introduced by the company's latest security update to Internet Explorer. From the article: 'The flaw, initially thought to only crash Internet Explorer, actually allows an attacker to run code on computers running Windows 2000 and Windows XP Service Pack 1 that have applied the August cumulative update to Internet Explorer 6 Service Pack 1, security firm eEye Digital Security asserted. The update, released on August 8, fixed eight security holes but also introduced a bug of its own, according to Marc Maiffret, chief hacking officer for the security firm, which notified Microsoft last week that the issue is exploitable.'"

conJunk writes "Security Focus has an article about HD Moore's Exploit-Every-Day-in-July endeavor raising the hackles of both browser vendors and criminals. He started the project because he felt that vendors were not taking his analysis seriously enough, but he appears to be the only one enjoying it. 'Black Hats' are having their exploits exposed, and Microsoft (who bears responsibility for the majority of the browser holes) can't keep up with the pace he's setting." From the article: "The software giant indirectly criticized the release of vulnerabilities in a statement to SecurityFocus, underscoring the importance of getting customers updated before they are exposed to threats from malicious attackers. 'Microsoft continues to encourage responsible disclosure of vulnerabilities,' the software giant said in a statement sent to SecurityFocus. 'We believe the commonly accepted practice of reporting vulnerabilities directly to a vendor serves everyone's best interests.'"

Apu writes "SecurityFocus has published an interesting interview with Rachna Dhamija, co-author of the paper 'Why Phishing Works' and creator of Dynamic Security Skins (a plugin for Mozilla). She presented some very interesting results from her research efforts, for example 'simply showing a user's history information ("you've been to this website many times" or "you've never submitted this form before") can significantly increase a user's ability to detect a spoofed website and reduce their vulnerability to phishing attacks.' She also suggested to 'make it easy for users to personalize their interfaces. Look at how popular screensavers, ringtones, and application skins are — users clearly enjoy the ability to personalize their interfaces. We can take advantage of this fact to build spoof resistant interfaces.'"

Slashdot tonight brings some corrections, clarifications, and updates to previous Slashdot stories, including a few thoughts on the McKinnon situation, New Zealand revises their views on OSS, Korean cloners facing possible jail time, the fight for .xxx continues, more details on Diebold problems, the Supreme Court sides with eBay, AT&T denied a closed hearing, and Sony's Blu-Ray demo on the level. -- Read on for details.

Mathew Bevan speaks out on McKinnon case. mrkuji writes "Ex military hacker Mathew Bevan AKA Kuji has released his comments and thoughts about the goings on of the McKinnon hacker extradition trial."

New Zealand revises their view of OSS. sam_vilain writes "As previously noted here on Slashdot, the New Zealand State Services Commission has some problems with open source software. The new version of their legal guidelines document for OSS in NZ government, however, is a breath of fresh air."

Korean cloners facing possible jail time. reporter writes "In a stunning conclusion to the saga of the Korean cloning scientist who fabricated his results, the Korean government wants to throw him in prison. The BBC reports, "The South Korean cloning scientist who faked his stem cell research has been charged with fraud and embezzlement. [...] Prosecutors claim he [, using grant funds,] bought a car and paid contributions to politicians and company officials who helped to arrange his grants. [...] The misuse of state funds carries a jail term of up to 10 years, while a violation of bio-ethics laws can mean up to three years in prison.'"

The fight for .xxx to continue? Robert writes "ICANN has played down the role that the conservative US government had in its decision to reject a plan to launch a porn-only internet domain, while the company backing the .xxx proposal said it was considering an appeal. From the article: 'Stuart Lawley, president of ICM, after spending at least two years and over $2m on campaigning for .xxx to be approved, told us he thought the deal was shot down for political reasons, and said he was weighing a response. [...] The reason people suspect that US concerns were key, and the reason that the media keeps harping on about it, is because ICANN's powers are granted under a contract with the US Department of Commerce. That contract ends in four months, and so far nobody seems to know what happens after it expires.'"

More details on the Diebold problem. An anonymous reader writes "SecurityFocus' Rob Lemos has published an article with many more details on the critical Diebold problems, implications for upcoming state elections next week, and quotes from key scientists who have detailed knowledge of how easily the flaws can be exploited." Relatedly eldavojohn writes "USA Today is reporting that Diebold CEO Walden O'Dell has resigned. From the article: "The board of directors and Wally mutually agreed that his decision to resign at this time for personal reasons was in the best interest of all parties," said John Lauer, Diebold's non-executive chairman of the board."

Supreme Court sides with eBay in patent suit. theodp writes "In a unanimous decision, the Supreme Court sided with eBay in a fight over the use of its 'Buy It Now' feature, which will make it easier for companies to avoid court injunctions barring the continued use of technology after a patent infringement finding, such as the one used by Amazon against Barnes & Noble in the midst of the Christmas holiday season over its soon-to-be-reexamined 1-Click patent."

AT&T denied a closed hearing. guygee writes "According to the San Francisco Chronicle, AT&T has lost its '11th hour bid' to force closed hearings on unsealing critical documents in EFF's class-action lawsuit alleging AT&T's illegal transfer of its customer's telephone and Internet records and communications to the National Security Agency. According to the report, 'An AT&T lawyer sent a letter by fax to Chief U.S. District Judge Vaughn Walker on Tuesday asking that the courtroom be closed during any discussion of its trade secrets or confidential information.' EFF is also reporting the breaking news on the case." Relatedly DarkAudit writes "A commissioner for the FCC wants an investigation into whether or not phone companies broke the law by handing over their records to the NSA."

Sony's Blu-Ray demo on the level. eaglebtc writes "Gearlog.com has retracted a previous accusation against Sony regarding their alleged use of a DVD+R instead of a Blu-Ray disc in a demonstration. In the original announcement, Gearlog.com claimed that Sony was using a DVD+R to demonstrate Blu-Ray technology, in an attempt to show that Sony was not ready to market the product."

whitehatlurker writes "Dave Korn announced on the Full Disclosure and Bugtraq security lists that Microsoft is bypassing local lookups for some hosts, meaning that you can't locally block some sites through your HOSTS file. All of these sites are MicroSoft controlled sites. The general feeling in the rest of the thread is that this was to obfuscate these hosts and prevent them from being blocked by malware. However, there are no non-MicroSoft hosts listed, giving a competitive advantage for MicroSoft's anti-malware tools over other brands."

whitehatlurker writes "Dave Korn announced on the Full Disclosure and Bugtraq security lists that Microsoft is bypassing local lookups for some hosts, meaning that you can't locally block some sites through your HOSTS file. All of these sites are MicroSoft controlled sites. The general feeling in the rest of the thread is that this was to obfuscate these hosts and prevent them from being blocked by malware. However, there are no non-MicroSoft hosts listed, giving a competitive advantage for MicroSoft's anti-malware tools over other brands."

vandon submitted a Security Focus bit about liability and identity theft. The article talks about a contractor's laptop containing a half a million records of private student loan information being stolen. The court ruled that since "Reasonable" precautions had been taken, the loan company need not be held strictly liable for their customers damages.

user24 writes "Security focus reports that RFID injections are now required for access to the datacenter of a Cincinnati company. From the article 'In the past, employees accessed the room with an RFID tag which hung from their keychains, however under the new regulations an implantable, glass encapsulated RFID tag from VeriChip must be injected into the bicep to gain access ... although the company does not require the microchips be implanted to maintain employment.'"

Liudvikas Bukys writes "Michal Zalewski identifies a new class of attacks on users of web applications, dubbed Cross Site Cooking. Various browsers' implementations of restrictions on where cookies come from and where they're sent are weaker than you think. Web applications that depend on the browser enforcing much will offer many opportunities for mischief."

Artem Tashkinov wrote to mention a SecurityFocus article which discusses a disturbing new threat to computer security: Rootkits that target a computer's BIOS. From the article: "One rootkit expert at the conference predicted that the technology will become a fundamental part of rootkits in the near future. 'It is going to be about one month before malware comes out to take advantage of this,' said Greg Hoglund, a rootkit expert and CEO of reverse engineering firm HBGary. 'This is so easy to do. You have widely available tools, free compilers for the ACPI language, and high-level languages to write the code in.'" Update: 01/27 14:28 GMT by Z : John Heasman wrote with a link to the slide presentation on this topic given at the Black Hat Conference (pdf).

XMilkProject writes "Current research indicates that some "350,000 networks--many belonging to the military and government--contain computers affected by [Sony's rootkit]." This is down from over half a million last month. "The security researcher worked from a list of 9 million domain-name servers.. asking each to look up whether an address used by the XCP software--in this case, xcpimages.sonybmg.com--was in the systems' caches." Will Sony face future repercussions for this potentially long-term damage?"

An anonymous reader writes "The upcoming version 4.3 of OpenSSH will add support for tunneling allowing you to make a real VPN using OpenSSH without the need for any additional software. This is one of the features discussed in SecurityFocus' interview of OpenSSH developer Damien Miller. The interview touches on, among other things, public key crypto protocols details, timing based attacks and anti-worm measures."

geo_2677 writes "Someone had put up for auction on eBay the details of an exploit in Microsoft Excel according to a recent article on Securityfocus. According to the article Microsoft has confirmed that this vulnerability exists, but in the meantime the original listing on eBay has been pulled. " The now pulled auction, but it does appear that Microsoft has confirmed the vulnerability in an eweek article.

An anonymous reader writes "Nessus is one of the world's most popular (open source) vulnerability scanners, used in over 75,000 organizations world-wide. Many of the world's largest organizations are realizing significant cost savings by using Nessus to audit business-critical enterprise devices and applications. With the recent news of going closed source Ron Gula took a few minutes to talk to SecurityFocus. From the article: 'I speak to a lot of different open source project managers and they say similar stuff -- it's mostly free users and not really code contributors.' What would happen now? Nessus 3 will provide an average 5x speed improvement compared to the old, but open source, 2.x version, and a lot of new features."

An anonymous reader writes "The search giant has moved to fix a problem in Google Base which didn't properly block pornographic material in their search results. According to Google, the filter was broken for 'some period of time' but the company didn't elaborate. Nathan Weinberg could have been one of the first to report the incident on his blog, Inside Google, writing: 'Holy crap, there is a lot of porn at Google Base! Looks like, just like Google Images, Google Base could become a huge source of porn, and eventually a place where porn will be sold. I even noticed some movie reviews.'" They've also recently corrected a problem with their search appliance. geo_2677 wrote to mention a Securityfocus.com article discussing the rapid patching of the Google search boxes in response to a vulnerability.