
Adobe Flash Player 11.3.300.270 for Windows released to address a crash

  • Post author: Omid Farhang
  • Post published: August 3, 2012
  • Reading Time: 2 min
  • Word Count: 344 words

Adobe wrote: Today, Flash Player 11.3.300.270 for Windows was released to address a crash that was occurring in the Adobe Flash Player Update Service (FlashPlayerUpdateService.exe). There are no other fixes or changes provided with this build. This release is available for Windows only, and affects the Active X and Plug-in installers, uninstaller, and msi’s (available on the distribution page.) No other platforms are affected. Please be aware that this release is not available from the Product Download Center (http://get.adobe.com/flashplayer) which will continue to provide 11.3.300.268. We realize that this might cause confusion for some users. Due to the severity of this issue, we decided to make this build available immediately to help customers affected by this bug. Due to logistical issues and time constraints, we were unable to update the release on the Product Download Center. The next release of Flash Player will correct this disparity. Please note that unless you have been affected by the FlashPlayerUpdateService.exe crash, both 11.3.300.270 and 11.3.300.268 will be functionally identical. ...


Microsoft unleashes Windows attack tool

  • Post author: Omid Farhang
  • Post published: August 3, 2012
  • Reading Time: 1 min
  • Word Count: 207 words

TheRegister.co.uk wrote: Attack Surface Analyzer explains what apps do to your beautiful Windows installation Developers, developers …. *&^%%!!# developers who break Windows! That may well be a refrain that motivated Redmond to release a new software tool, Surface Analyzer 1.0, which explains how new apps impact Windows’ ability to repel the various varieties of naughtyware. Microsoft explains the tool’s powers thusly: Attack Surface Analyzer looks for classes of security weaknesses Microsoft has seen when applications are installed on the Windows operating system, and it highlights these as issues. The tool also gives an overview of changes to the system that Microsoft considers important to the security of the platform, and it highlights these changes in the attack surface report. Some of the checks performed by the tool include analysis of changed or newly added files, registry keys, services, Microsoft ActiveX controls, listening ports and other parameters that affect a computer’s attack surface. ...


Anonymous hackers identify charity attacker

  • Post author: Omid Farhang
  • Post published: August 2, 2012
  • Reading Time: 2 min
  • Word Count: 288 words

BBC: Hacking group Anonymous has aided a global search for a cyber-vandal who defaced a charity website. Members of Anonymous helped track the attacker down to Madrid following a plea from the owner of the RedSky video production company. New Zealand-based RedSky asked for help after an attacker penetrated its website, erased data and left graffiti. The attack was reportedly carried out in a bid to impress Anonymous and join its ranks as a member. ...


Chrome 21 arrives with new API for video and audio communication

  • Post author: Omid Farhang
  • Post published: August 2, 2012
  • Reading Time: 2 min
  • Word Count: 378 words

h-online: With the release of Chrome 21, web applications can now directly access the local system’s built-in camera and microphone. Instead of requiring a special plugin, the major stable update to the WebKit-based web browser includes a new HTML5 getUserMedia API (http://www.html5rocks.com/en/tutorials/getusermedia/intro/) – currently a W3C Editor’s Draft – to provide web apps with access to the camera and microphone. For security purposes, users will be prompted to grant apps permission to access the hardware. ...


LibreOffice vulnerable to multiple buffer overflows

  • Post author: Omid Farhang
  • Post published: August 2, 2012
  • Reading Time: 1 min
  • Word Count: 156 words

h-online: Three weeks after releasing LibreOffice 3.5.5, The Document Foundation has confirmed that security holes in earlier versions of the open source LibreOffice productivity suite can be exploited by attackers to compromise a victim’s system. According to the project’s security advisory, these include multiple heap-based buffer overflow vulnerabilities in the XML manifest encryption tag parsing code. Successful exploitation of the vulnerabilities could lead to the execution of arbitrary code on a system with the privileges of a local user. For an attack to be successful, a victim must first open a specially crafted Open Document Format (ODF) file. Versions up to and including LibreOffice 3.5.4 are affected; upgrading to version 3.5.5 or later fixes these problems. All users are advised to upgrade. ...


Ladies with few clothes tend to cause a lot of trouble on PCs – and now on Android devices too

  • Post author: Omid Farhang
  • Post published: August 2, 2012
  • Reading Time: 6 min
  • Word Count: 1112 words

Cross-posted from Securelist: The appearance of a new Android malware family is not that surprising at all today. Especially when we talk about SMS Trojans, which are one of the most popular and oldest types of threats created for extracting money from users. A new family of SMS Trojans named Vidro appeared a few days ago but we’ve already collected a lot of APK files with very similar functionality. At the moment all the samples we have found target users only from Poland. ...


Outlook.com Gets 1 Million Users in First 6 Hours

  • Post author: Omid Farhang
  • Post published: August 2, 2012
  • Reading Time: 2 min
  • Word Count: 239 words

Mashable Wrote: The team behind Outlook.com revealed in a tweet that one million people signed up for the new email service in just six hours. Microsoft unveiled its Hotmail replacement Tuesday at noon Eastern, and by dinnertime it had cracked seven digits. That’s an impressive spike, illustrated in the chart that @Outlook attached to the tweet (shown below). However, it’s still a tiny fraction of the user base of Hotmail, which comScore pegs at about 350 million — making it the most popular free email service in the world. ...


Grand Ayatollah Ali Khamenei Joins Instagram, Posts Pics

  • Post author: Omid Farhang
  • Post published: August 2, 2012
  • Reading Time: 2 min
  • Word Count: 243 words

Mashable: Iran’s Grand Ayatollah Ali Khamenei joined Instagram last week and so far has posted four photos. Iran’s supreme leader since 1989 chose to share shots that likely show scenes of Ramadan. It comes as a surprise to some that a person who has been slow to get onboard with social media trends — not to mention Iran’s stance toward its citizens’ use of the social media — has joined Instagram. His Twitter account has 4,337 followers so far, and links to his Instagram account. Also posted on his Twitter account are links to YouTube videos and stories about his visits with other world and religious leaders. ...


Cloud service cracks VPN passwords in 24 hours

  • Post author: Omid Farhang
  • Post published: July 31, 2012
  • Reading Time: 2 min
  • Word Count: 293 words

h-online: At the Black Hat hacker conference in Las Vegas, encryption expert Moxie Marlinspike promised that his CloudCracker web service was able to crack any VPN or WiFi connection secured using MS-CHAPv2 within 24 hours. The cost? Around $200. MS-CHAPv2 is based on the eminently crackable encryption algorithm DES. The problem was first documented in 1999 by Bruce Schneier working with two other researchers. A large number of processor cores are still required to crack the encryption within a reasonable time – the number of possible keys makes trying to perform a brute force attack on a normal PC a hopeless task. ...


Password leak at meetOne

  • Post author: Omid Farhang
  • Post published: July 26, 2012
  • Reading Time: 2 min
  • Word Count: 364 words

h-online: A data leak at the meetOne dating site allowed anyone to access private data including the plaintext passwords, email addresses and real names of the site’s approximately 900,000 members. To obtain the data, an attacker simply needed to increment a URL parameter. After they were informed by The H’s associates at heise Security, the operators soon closed the hole. When news of a data leak in one of the dating portal’s custom APIs was disclosed to heise Security, the editors managed to reproduce the problem and access the data of a specially created test profile. The API disclosed information including the email address and password of the test user, which allowed access to the user’s profile. ...
