Microsoft investigating new Windows flaw

Microsoft said on Tuesday that it is looking into reports of a new Windows flaw that could compromise the security of machines running older versions of the operating system.

In an advisory on its Web site, Secunia said that the vulnerability is due to a boundary error in a function included in Windows XP and Windows 2000 that, if exploited, could allow malicious code to be executed. The firm rated the vulnerability as "moderately critical."

"Microsoft is investigating new public claims of a possible vulnerability in Windows 2000 and Windows XP," group manager Jerry Bryant said …

Twitter, FTC reach agreement on security

An investigation that the Federal Trade Commission launched into Twitter's allegedly lax security practices following two high-profile hacking incidents last year has been settled, the company announced Thursday.

Twitter general counsel Alexander MacGillivray, who joined the company last summer after serving as a member of Google's legal team, posted an entry on the company blog Thursday explaining the situation. "Early in 2009, when Twitter employed less than 50 people, we faced two different security incidents that impacted a small number of users," the post explained. "Put simply, we were the victim of an attack and …

Unpatched Windows XP-related hole exploited in attacks

Malicious hackers were found on Tuesday to be exploiting a hole affecting Windows XP that a Google researcher disclosed last week before Microsoft had a chance to fix it, the software giant confirmed.

There was "limited exploitation" of the unpatched vulnerability, Jerry Bryant, group manager for response communications at Microsoft, said in an e-mail statement. The exploits have been taken down from the Web, but Bryant said he expects there to be further attacks "given the public disclosure of full details of the issue."

"We want to reiterate that customers using Windows 2000, Windows Vista, …

Googler criticized for disclosing Windows-related flaw

Microsoft and outside security researchers accused a Google engineer of failing to follow the responsible disclosure etiquette his own company promotes by disclosing a Windows XP-related flaw on Thursday, publishing code to exploit it and giving Microsoft only five days to fix it.

Tavis Ormandy informed Microsoft about the vulnerability--located in the online Windows Help and Support Center feature that offers customers technical support--on Saturday. He then announced details of the hole and offered proof-of-concept attack code in a post to the Full Disclosure security e-mail list on Thursday.

"I would like to point out that if I had …

Adobe to plug Flash hole this week

Adobe Systems said it will issue a patch for a critical hole being exploited in the wild by delivering an update for Flash Player by Thursday, and for Adobe Reader and Acrobat by June 29.

The update of Flash Player 10.x will support Windows, Macintosh, and Linux, while the date for the release of a Solaris version is still to be determined, Adobe said late Monday. Meanwhile, the Adobe Reader and Acrobat update to come in three weeks will support Windows, Mac, and Unix.

Adobe released the advisory late last week and said there had been reports of the …

Adobe patches 'critical' holes in Photoshop CS4

Photoshop users like to expand what the software can do by downloading new brushes, gradients, and color swatches, but the ability to make those additions also turns out to have been a potential avenue for attack.

Adobe Systems on Wednesday released a Photoshop 11.0.2 security update for its earlier CS4 version of Photoshop, on both Windows and Mac OS X, to close off that avenue.

"Critical vulnerabilities have been identified in Photoshop CS4 11.0.1 and earlier for Windows and Macintosh that could allow an attacker who successfully exploits these vulnerabilities to take control of …

Microsoft to fix holes in Windows, Office

Microsoft on Tuesday will issue two critical bulletins that will fix vulnerabilities in Windows and Office, which, if exploited successfully, could allow a remote attacker to take control of the computer, the company said Thursday.

The bulletins, part of the company's monthly Patch Tuesday fixes, affect Windows 2000, XP, Vista, Windows 7, Server 2003 and Server 2008, Office XP, Office 2003, 2007 Microsoft Office System, and Microsoft Visual Basic for Applications and Visual Basic for Applications software development kit. Windows 7 and Server 2008 R2 customers are not vulnerable in their default configurations, however, the company said in a …

Security researchers demo Cisco Wi-Fi flaws

Two generations of Cisco Systems' wireless LAN equipment contain a range of vulnerabilities, researchers said at this week's Black Hat Europe security conference.

Enno Rey and Daniel Mende of German testing firm ERNW demonstrated how to hack into two separate generations of the Cisco Wi-Fi kit. They said that the flaws were fairly easy to find and exploit.

In a presentation called "Hacking Cisco Enterprise WLANs" on Wednesday, the researchers demonstrated an attack aimed at Cisco's first-generation equipment, Cisco Structured Wireless Aware Network (Swan).


Java flaw exposes Windows users to attacks

A vulnerability in Java technology could be exploited by attackers and used to compromise computers running Windows if they visit a Web page hosting malicious code, two researchers warned on Friday.

Google engineer Tavis Ormandy released details on the Full Disclosure e-mail list and Ruben Santamarta, an engineer for Wintercore, wrote about it on his company's blog site.

The problem is with the Java Web Start framework, which gives developers an easy way to create Java applications. Disabling the Java plug-in will not protect against an attack, according to Ormandy.

"The toolkit provides only minimal validation of the …