Blog

The H-Online: A developer preview of Mac OS X 10.8 is now available to registered Mac developers after Apple announced the new version, named Mountain Lion, and previewed a number of its features. Among those features is Gatekeeper which Apple says “helps prevent you from unknowingly downloading and installing malicious software”. The Gatekeeper feature has three levels of security for running applications downloaded from the Internet; “Mac App Store”, “Mac App Store and identified developers” and “Anywhere”. The first setting only runs applications downloaded from the Mac App Store, in a style similar to the iPhone only running apps from the App Store. Unlike the iPhone though, Gatekeeper lets users allow applications from other sources. The “Mac App Store and Identified Developers” option only allows applications from the store and from developers who have signed their program with an Apple-issued Developer ID, while “Anywhere” allows any program to be downloaded and run. It is unclear how Gatekeeper interacts with software loaded from other media, such as a USB memory stick or CD/DVD. ...

SophosLabs: Facebook users overwhelmingly agree that it’s rude to post photos or videos of them without asking permission first. Some even think it should be illegal. Sophos has polled over 800 Facebook users, asking whether people should seek permission before posting photographs or videos online of others. Although a large majority – 83% – of polled Facebook users think it’s just common courtesy to ask permission before posting a photo or video of someone else (and a further 8% felt it should be illegal not to have received approval), some respondents believed that Facebook’s existing tagging controls allowed you to remove a picture that you didn’t want published online. ...

H-Online: Adobe has released updates for Flash Player closing seven holes in the application. Six of the holes can be exploited to allow an attacker to infect a PC using crafted web pages. The seventh is a cross site scripting hole that Adobe says is already being exploited in “active targeted attacks”. The attacks, which are only aimed at Internet Explorer on Windows, try to trick the user into clicking on a malicious link. Adobe say the hole “could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website”. ...

I’ve been reading from Mozilla Blog and I liked it and agree with that, so I share it with you: I read an article on the Web somewhere that there was a new LibreOffice version. It’s been several years since I gave OpenOffice a try and I’ve been interested to see what OpenOffice had evolved into, so I thought, “Hey, maybe they’ve improved some. I’ll install it and see.” Here is what happened. ...

The H-Online: Oracle has fixed 14 security holes in the Java Standard Edition (Java SE) with a critical patch update. The vulnerabilities allow attackers to use specially crafted Java WebStart applications or web services in order to install malicious code on computers that run flawed versions of Java. Oracle says that such flawed versions are particularly likely to exist on Windows computers because Windows users tend to have admin privileges. The risk is smaller under operating systems such as Linux and Solaris, the company added. ...

SophosLabs: The death of pop superstar Whitney Houston made headlines around the world this weekend, and it didn’t take long for fraudsters and cybercriminals to cash in on the singer’s death. For instance, messages have been seen shared on Facebook claiming to link to a video of Whitney Houston’s autopsy. According to the messages, the video of Whitney Houston’s autopsy “reveals a shocking secret that explains her death”. Here’s what a typical message looks like: ...

The H-Online: According to a report, hackers, allegedly from China, had access to telecoms equipment manufacturer Nortel‘s IT systems over a period of several years – access that they took full advantage of. Citing an internal investigation, the Wall Street Journal reported on Tuesday that, using seven passwords stolen from senior managers, intruders had access to almost all confidential information within Nortel from 2000 onwards. Brian Shields, the manager who led the Nortel investigation, is quoted as saying that the hackers “had access to everything”. Huge volumes of technical documents, research and development (R&D) reports, business plans and emails were downloaded over the course of several years. “They had plenty of time,” said Shields, “All they had to do was figure out what they wanted.” The seven stolen passwords included the password belonging to the company’s then CEO. The attackers have not been identified, but the WSJ notes that they appear to have been working from China. ...

The H-Online: Twitter has announced that it has now enabled HTTPS by default for all users signed into the micro-blogging service. By using HTTPS, all user information including log-in credentials transmitted to the company’s servers are sent using SSL encryption. This means that all data is transmitted in encrypted form and can no longer be read and exploited for fraudulent activities by attackers using tools such as the Firesheep extension for Firefox. ...

SophosLabs: Scammers don’t just lure you into visiting their websites via email, Facebook and Twitter – you can be targeted on your mobile phone too. For instance, there have been numerous people on the internet who have reported receiving messages like the following: Apple needs iPhone5 testers! The first 1000 users who visit [LINK] and enter code 4444 will get to test & keep the new iPhone5. Of course, the promotion has nothing to do with Apple (who do not do public tests of their upcoming products), and – as the iPhone 5 hasn’t even been announced yet – you have close to zero chance of receiving a free smartphone. ...

The H-Online: As expected, Microsoft has released nine bulletins to close a total of 21 holes in its products. Four of the bulletins close critical vulnerabilities in Windows, Internet Explorer, .NET and Silverlight, including an issue in the Windows kernel-mode drivers that became publicly known in December of last year. The company advises those responsible for prioritizing update deployment to focus on the critical patches for Internet Explorer and the C Runtime Library in Windows, as these could be exploited by an attacker to remotely execute arbitrary code on a victim’s system. For an attack to be successful, a user must first visit a malicious web page or open a specially crafted file. The other critical bulletins fix issues in .NET and Silverlight, as well as the Windows kernel. Microsoft notes that it has yet to see any active attacks exploiting these issues in the wild. ...