
phpMyAdmin updates close XSS hole

  • Post author: Omid Farhang
  • Post published: August 25, 2011
  • Reading Time: 1 min
  • Word Count: 160 words

H-Online: The phpMyAdmin developers have announced the release of versions 3.4.4 and 3.3.10.4 of their open source database administration tool. According to the security advisory, these maintenance and security updates close a hole (CVE-2011-3181) in the Tracking feature that leads to multiple cross-site scripting (XSS) vulnerabilities. The vulnerability was discovered by Norman Hippert and is caused by improper sanitisation of input passed as table, column and index names. For an attack to be successful, an attacker must be logged in via phpMyAdmin. Versions 3.3.0 to 3.4.3.2 are affected and the developers consider the problem to be serious. Updating to phpMyAdmin 3.3.10.4 or 3.4.4 fixes the problem. Alternatively, users can apply the provided patches. ...


Java 6 Update 27 released

  • Post author: Omid Farhang
  • Post published: August 25, 2011
  • Reading Time: 1 min
  • Word Count: 53 words

Java™ SE 6 Update 27

The full internal version number for this update release is 1.6.0_27-b07 (where “b” means “build”). The external version number is 6u27.

Highlights

This update release contains important enhancements for Java applications:

  • Improved performance and stability
  • Certification for Firefox 5

Update release notes: http://www.oracle.com/technetwork/java/javase/6u27-relnotes-444147.html
Complete bug fix list: http://www.oracle.com/technetwork/java/javase/2col/6u27bugfixes-444150.html


Restricting access to net resources for "good reasons"

  • Post author: Omid Farhang
  • Post published: August 20, 2011
  • Reading Time: 7 min
  • Word Count: 1349 words

This article was originally posted at Norman Security Blog; credit to my friend ‘Pondus’ for sharing.

Introduction

During recent months, we have seen several examples of attempts and suggestions to restrict access to different types of net resources, and in some cases the Internet itself. Is this a method that accomplishes its end, or is it more of a “shooting the messenger” type of action? We shall give some examples and discuss different issues in this article. ...


German Federal Office for Information Security warns of hacked online shops

  • Post author: Omid Farhang
  • Post published: August 16, 2011
  • Reading Time: 2 min
  • Word Count: 214 words

H-Online: The German Federal Office for Information Security (BSI) is warning of online shops which infect users with malicious software by exploiting security vulnerabilities in the user’s browser, operating system or applications. The affected shops have themselves been hacked by attackers exploiting security vulnerabilities in outdated versions of open source online shop software osCommerce. As reported by The H two weeks ago, osCommerce shops are currently being hacked en masse. The vulnerabilities used for the hack were fixed in November last year with the release of osCommerce 2.3, but many companies running online shops have yet to update to a secure version. ...


Twitter finally released a "Stalkers" app? No, it's a phishing scam

  • Post author: Omid Farhang
  • Post published: August 14, 2011
  • Reading Time: 2 min
  • Word Count: 391 words

Sophos Labs: Twitter users are being hit today by messages claiming to link to a new app from Twitter which will track your stalkers. However, the messages are really designed to steal your Twitter usernames and passwords. Here’s a typical message that users are seeing: Twitter finally released an app that tracks your “Stalkers” get it here [LINK] If you click on the link you are taken to what appears to be a legitimate Twitter page, asking you to confirm your username and password before the “Stalkers” app can access your account. ...


Expert says Adobe omits mention of 400 Flash Player flaws

  • Post author: Omid Farhang
  • Post published: August 12, 2011
  • Reading Time: 2 min
  • Word Count: 268 words

H-Online: Officially, Adobe’s current update for Flash Player has closed only 13 holes, but unofficially it is said to have closed several hundred. Security specialist Tavis Ormandy, who works for Google, claims that he discovered 400 holes and notified Adobe of them. The specialist has now complained that, while the holes have been closed, they haven’t been mentioned in the official advisory, and he hasn’t been given credit for their discovery. ...


Protect Your Kids from Cyber Predators

  • Post author: Omid Farhang
  • Post published: August 12, 2011
  • Reading Time: 1 min
  • Word Count: 194 words

Posted by the Stop. Think. Connect. Campaign on Homeland Security

Cyber predators are real. They use the anonymity of the Internet to target victims, especially today’s youth, with unwanted solicitations, harassment, and fraud. It’s important that parents discuss ways to stay safe online with their children, particularly before they use social networking sites. US-CERT offers the following tips for parents to help ensure their children stay safe online:

  • Monitor computer activity – Keep your computer in an open area and be aware of what your children are doing, including who they’re talking to and what websites they’re visiting.
  • Inform children of online risks – Discuss appropriate Internet behavior that is suitable for the child’s age, knowledge, and maturity. Talk to children about the dangers and risks of the Internet so that they recognize suspicious activity and secure their personal information.
  • Keep lines of communication open – Let your children know that they can approach you with any questions or concerns about behaviors or problems they may have encountered on the Internet.

Stop. Think. Connect. Protect yourself and help keep the web a safer place for everyone. For more information on Stop.Think.Connect., please visit www.dhs.gov/stopthinkconnect. ...


Half of Corporate Adobe Reader Users Run Outdated Versions

  • Post author: Omid Farhang
  • Post published: August 10, 2011
  • Reading Time: 2 min
  • Word Count: 320 words

SOFTPEDIA: According to statistics gathered by cloud security provider Zscaler, 56.4% of enterprise users have out-of-date Adobe Reader plug-in versions inside their browsers. The company gathered statistics about browser plug-ins and presented the results in its “State of the Web” report [pdf] for the second quarter of 2011. “Nearly every browser is running some combination of plug-ins, add-ons or extensions. As with most software, older versions of plug-ins typically have more security vulnerabilities. This adds up to a tempting target for hackers,” the company warns. ...


Fake Firefox update includes password-stealing trojan

  • Post author: Omid Farhang
  • Post published: August 9, 2011
  • Reading Time: 1 min
  • Word Count: 137 words

H-Online: Security specialist Sophos reports that it has discovered new spam email messages that claim to be an advisory related to an update to the open source Firefox web browser. The fake advisory asks users to update their Firefox installations, “for security reasons”, and includes a download link to the supposed update. According to Graham Cluley of Sophos, the download leads to an executable file that bundles an installer for the Windows version of Firefox 5.0.1 and a password-stealing trojan (Troj/PWS-BSF). As noted by Cluley, users should always exercise caution when clicking on links in emails. ...


Get Ready for Microsoft 13 updates for August Patch Tuesday

  • Post author: Omid Farhang
  • Post published: August 5, 2011
  • Reading Time: 1 min
  • Word Count: 204 words

The Hacker News: Microsoft has announced that it will release 13 bulletins to address 22 vulnerabilities in Windows, Office, Internet Explorer, .NET and Visual Studio on its next Patch Tuesday. Another “critical” bulletin affects Windows server operating systems, and addresses a code-execution risk on unpatched systems. Also of note is an update restricted to newer versions of Windows (Windows 7 and Windows 2008) that tackles a potential, though difficult to exploit, code-execution risk. ...
