TechBlog

Microsoft Kills Live Space blogs

Published: September 29, 2010 Reading Time: 2 min

Microsoft announced that it has collaborated with WordPress, which from now on will be the default blogging platform for Windows Live users. This means Microsoft is killing its own blogging platform and steering users to a better platform, WordPress. At the TechCrunch Disrupt conference, Windows Live Director Dharmesh Mehta announced that all existing Windows Live Spaces users will be migrated over to an account at WordPress.com. From now on, users who sign up for a Windows Live account get free Hotmail, the Xbox Live site, a free blog from WordPress.com and other services. ...

Browser cookies are becoming an issue

Published: September 23, 2010 Reading Time: 3 min

The New York Times is reporting a rising number of lawsuits against some major players because of their use of persistent web tracking: Fox Entertainment Group, NBC Universal, Specific Media and Quantcast. The Times said the suits claim that the companies used Flash cookies to collect data on browsing activities even though users had privacy settings enabled to block them. These Local Shared Objects (LSOs) are persistent cookies that are stored in several ways and in some cases will restore themselves when deleted. One is available, with a detailed description here. ...

Twitter XSS vulnerability fixed

Published: September 23, 2010 Reading Time: 1 min

Twitterers are still clogging the micro-blogging service with little messages about the cross-site-scripting problem earlier today. Twitter has announced that the problem has been fixed. A cross-site scripting vulnerability using “onmouseover” was being widely exploited to spread worms and redirect viewers to malicious sites. Story here from The Register.

More Spam with JavaScript redirectors

Published: September 23, 2010 Reading Time: 1 min

We received new spam emails which contain a JavaScript redirector in the form of an HTML attachment. The emails we received have the subject “Consultation Appointment”. The decrypted JavaScript consists of new JavaScript code. This JavaScript redirector loads yet another JavaScript from the internet. The domain which is hosting the malicious .js is registered to someone from Malaga. Domain tools show that this person has registered about 2,400 other domains. ...

Twitter XSS getting abused

Published: September 21, 2010 Reading Time: 1 min

A new security flaw on Twitter is currently being exploited. Hackers found a way to inject malicious JavaScript code into tweets with the onMouseOver event. This can lead to pop-ups appearing, redirects to websites, re-tweeting of spam, or even worse things like cookie stealing (compromising the user accounts). The problem is that Twitter doesn’t properly filter out some tags in tweets. Users should be very cautious when seeing colored text blocks (background and text colors are the same, called “rainbow tweets”) – these are currently mostly used to exploit the security vulnerability. Hopefully, Twitter closes the security hole soon! Until then, using the NoScript web browser extension or disabling JavaScript on Twitter helps against the attack. Also, Twitter applications which rely upon the Twitter API aren’t affected.

Flash Player Updates fix 0-day-vulnerability

Published: September 21, 2010 Reading Time: 1 min

Adobe fixed the vulnerability in Flash Player in record time again. Just one week after the 0-day became public and started to get exploited, an update is available to close the security hole. Even though Adobe Reader and Acrobat are also affected (they are supposed to get an update in 2 weeks), until now we’ve only seen exploits against the Windows Flash Player. Users and administrators should update their Flash Player as soon as possible! Version 10.1.85.3 fixes the issue for Windows, Unix and Solaris and is available through Adobe’s download center. Android users can get the update to 10.1.95.1 on the Android Market Place.

Scammers set their sights on Resident Evil: Afterlife

Published: September 20, 2010 Reading Time: 1 min

Resident Evil. Man, those films are terrible. Frankly, I’m happy to end the writeup right there, but if I did you’d miss out on all the fun. Resident Evil Afterlife is now in cinemas (unfortunately) and scammers are all too happy to cash in. watchresidentevil4(dot)com is our port of call today: Try to watch the film, and you’re prompted to install ClickPotato (from Pinball Corp). There are also four other items preticked, which is nice of them. Installing that lot gives you a prompt to “see premium content”. ...

Security issues on Android

Published: September 20, 2010 Reading Time: 4 min

One unique security feature of Android is the permission check when installing 3rd party apps. The system lists all permissions that an app requires and asks the user to check if that’s alright. Such permissions include the ability to receive your location, send or receive text messages, access the internet, make phone calls and many more. The user can be sure that the app is not doing any of these activities without the appropriate permission. If the developer forgets to add a particular permission, the operating system will simply block the corresponding function, which leads to a “Force Close”, meaning the app will be terminated. ...

Browser Updates, again

Published: September 17, 2010 Reading Time: 1 min

Google released version 6.0.472.59 of its Chrome web browser. It fixes 10 security vulnerabilities; 1 affects only Mac OS X and is critical, 6 are rated “high” in their severity. As usual, the update should get delivered and installed automatically – but it doesn’t hurt to check via the “Info about Chrome” option in the “settings” menu whether the new version is already installed. The Mozilla developers pulled the update to Firefox 3.6.9 due to stability issues some users experienced. Now Firefox 3.6.10 is available, which fixes the same security vulnerabilities as 3.6.9 and also the instabilities. It is available via “Help” – “Check for Updates” and should be installed ASAP, too.

New phishing-spam waves using Facebook as bait

Published: September 17, 2010 Reading Time: 3 min

We are again seeing a large increase in the number of emails pretending to come from Facebook. Two types of emails are currently being sent in large volumes. Both of them use classic social engineering techniques. The first type uses the old trick with “the photos”. The final target is a website where SMSes can be sent for “free” (note the quotes). I would like to emphasize again that there is nothing out there for free. Even if you don’t pay for it, those who offer the service (or whatever is given for “free”) do get something in exchange. It might be your telephone number, your email address or something similar which is worth a lot on the Internet. ...
