Security

Copied from LA-Times: A man who hacked the email accounts of celebrities should pay movie star Scarlett Johansson $66,179.46 in compensation, federal prosecutors said. The hacker also should serve 71 months in prison and pay a total of $150,000 in compensation to all his victims, prosecutors said in court papers filed this week. Christopher Chaney, 35, of Jacksonville, Fla., who pleaded guilty in Los Angeles federal court to nine counts of computer hacking, for two years hacked almost daily into email accounts of 50 people in the entertainment industry. ...

Version 3 of Personal Software Inspector (PSI), Secunia‘s free program updater, has been released with a much simplified user interface, enabling less technically astute users to keep their Windows applications up to date as well. According to Secunia, the automatic updater has also been enhanced. PSI is now able to keep programs from more than 3,000 companies up to date, though, as before, PSI only cares about updates which fix security vulnerabilities. Version 3 also includes additional translations, including German. The software checks the user’s computer for outdated program versions known to contain vulnerabilities and either installs updates or provides links to download them. ...

The WordPress developers have released version 3.4.1 of their popular open source publishing platform, fixing a number of bugs and closing security holes, one of which is rated as important. WordPress 3.4, which has already been downloaded 3 million times since being released two weeks ago, contains a important privilege escalation flaw that accidentally allowed all administrators and editors on multi-site installations to use unfiltered_html. This could have been exploited by users for cross-site scripting (XSS) attacks by, for example, publishing posts containing malicious code. ...

Google has closed a total of 23 vulnerabilities with the release of Chrome 20. Of those vulnerabilities, 14 are rated critical, enabling attackers to execute code in the browser’s sandbox, among other things. Integer overflow vulnerabilities in the code for processing PDF files and Matroska containers (.mkv) have also been fixed. Chrome 20 also includes the latest version of Adobe’s Flash Player on Linux, using the new cross-platform Pepper API. In testing at The H, it was confirmed that the Flash Player support also works on 64-bit Linux systems. ...

Adobe Reader X runs in a sandbox at a very restricted privilege level. Important system calls are supposed to be handled by a special broker process that will subject them to extensive testing. However, a small design flaw allows attackers to escape from this sandbox and execute arbitrary code – despite having both ASLR (Address Space Layout Randomisation) and DEP (Data Execution Prevention). As described by Guillaume Delugré, the broker process is at the heart of the exploit as it uses a memory page allocated via VirtualAllocEx to store the overwritten code of system calls which have been redirected to the broker. Despite having ASLR, however, the memory address returned by VirtualAllocEx is not randomised. This means that the Windows system function call will end up in a predictable, “nearly constant” location which the exploit can then access directly. ...

With the release of version 5.63 of Winamp, Nullsoft, a division of AOL Music, has eliminated four critical security vulnerabilities in the media player. Three of these were heap-based buffer overflows in Winamp’s bmp.w5s component that could have been exploited by an attacker to execute arbitrary code on a victim’s system. For an attack to be successful, a user must first open a specially crafted AVI file. It has been confirmed that the vulnerability affects version 5.622; other builds may also be affected. The update also addresses unspecified errors in the in_mod.dll module that could have been used to corrupt memory and could possibly result in arbitrary code being executed. Upgrading to Winamp 5.63, specifically build 3234 (5.6.3.3234), fixes these problems. ...

v3.co.uk: Card processing firm Global Payments has provided more detail on the attack on its computer systems earlier this year, warning that the attackers may have had access to unspecified personal data. Global Payments confirmed the attackers had access to details of 1.5 million cards, but it said the attack had now been contained. Global Payments also revealed the attacks had gained access to servers containing personal information “from a subset of US merchant applications”. While it could not ascertain whether the data had been copied, it would be notifying affected customers in the coming days. ...

Is this the perfect recipe for a cybercriminal ?: Hacking LinkedIn’s password (and possibly user-) database. Sending an email to all obtained email addresses, which is urging you to check your LinkedIn inbox as soon as possible. A user unawarely clicking on the link. An exploit gets loaded. Malware gets dropped. Malware gets executed. User’s computer is now a zombie (part of a botnet). I would definitely say YES. A reader of my blog contacted me today, he had received an email from LinkedIn which was looking phishy. We can verify that Step 1 is accomplished, by the simple fact that in the “To” and/or “CC” field of the email below, there are about ~100 email addresses. A quick look-up of a few of them on LinkedIn reveals the unconvenient truth… Here’s the email in question: ...

The H-Online: Microsoft has released seven security bulletins fixing a total of 27 security holes, 13 of them in Internet Explorer. The rest of the patches affect all currently supported Windows versions, the .NET Framework, Remote Desktop, Lync and Dynamics AX. A patch that had been announced for Visual Basic for Applications has yet to be released. The most important updates are bundled in the cumulative Internet Explorer patch (MS12-037), which includes fixes for the holes that were targeted by Pwn2Own exploits. Microsoft is the last of the companies to close the exposed holes that were targeted during the Pwn2Own competition; Google and Mozilla fixed their browsers in March. According to Michael Kranawetter, Microsoft’s Chief Security Advisor in Germany, the IE patch also affects the Windows 8 Consumer Preview, and therefore Internet Explorer 10. ...

The H-Online: Adobe has announced the release of an update for Flash Player on Windows, Mac, Linux, Android 3.x and 4.x, and within its own AIR runtime. The update addresses several critical vulnerabilities which involve memory corruption, stack overflows, integer overflows, security being bypassed, null dereferencing and binary planting (DLL hijacking). All, except the security bypass, could lead to code execution. The updates also include a number of security enhancements on various platforms. The Windows version of Flash Player now offers a production version of “Flash Player Protected Mode for Firefox” which brings a sandbox to the running of Flash, making it harder for attackers to get at other processes. ...