Security

H-Security Online: Version 7.7 of QuickTime is now available for users running Windows XP SP2 or later and Mac OS X v10.5.8 Leopard. The maintenance and security update addresses a total of 14 security vulnerabilities in the multimedia application. QuickTime 7.7 closes holes on both platforms that could be used by an attacker to, for example, crash the application or execute arbitrary code on a victim’s system. For an attack to be successful, a victim must first open a specially crafted file or a malicious web site. A cross-origin issue that may lead to the disclosure of video data from another web site has also been fixed. The company notes that, for Mac OS X 10.6 users, these holes have already been addressed in 10.6.8; the latest version of Mac OS X, 10.7 Lion, is not affected. ...

ghacks.net: Microsoft has just released a beta of a system recovery software. Microsoft Standalone System Sweeper has been designed to aid users in starting an infected PC and performing offline malware scans to remove viruses, trojans, rootkits and other forms of malware effectively. It is also used if malware is hindering the user to install or start an antivirus software on the infected system, or if the applications used to detect malware are not able to find the malware on the PC. ...

Facebook Security: Facebook is committed to bringing you a safe experience on the Internet, and today we are announcing several new features to help protect you while online. Partnership with Web of Trust First, we’re happy to announce a partnership with Web of Trust . Web of Trust is a free safe surfing tool that tells you which websites you can trust based on the ratings supplied by other Web of Trust community members. Facebook already has a system that automatically scans links to determine whether the websites associated with those links are spammy or contain malware. ...

Since 2003, the number of exploitable vulnerabilities has fallen considerably in Microsoft’s Office suite. H-Online: Independently of each other, security specialists Dan Kaminsky and Will Dormann from Carnegie Mellon University’s CERT have found that, in the past few years, the number of flaws and exploitable vulnerabilities in individual versions of Microsoft Office has fallen dramatically, achieving results that are even below those ofOpenOffice. However, their findings should be treated with caution, as they are based on automatic evaluations and say little about the actual threat potential. ...

Avira TechBlog: Today some updates need attention – they fix critical security issues and should be installed immediately! The update reign starts off with Apple. Critical security vulnerabilities are closed within the Safari web browser 5.0.5 – they allowed cyber criminals to smuggle in malware. For Mac users, additionally a security update is available for the Snow Leopard operating system. It fixes an issue with stolen certificates which arose a three weeks ago at Comodo and is amazingly tiny for an Apple security update, only 4 MByte. And then for iPhone, iPad and iPod Touch users the update to iOS 4.3.2 is available which basically closes the same security holes for the mobile devices as well. ...

Follow up from: Hacker Gains Access To WordPress.com Servers Tech Crunch: WordPress.com has revealed that someone has gained root-access (“low-level,” as in deep) to several of its servers this morning and that VIP customers’ source code was accessible. WordPress.com VIP customers are all on “code red” and in the process of changing all the passwords/API keys they’ve left in the source code. “Tough note to communicate today: Automattic had a low-level (root) break-in to several of our servers, and potentially anything on those servers could have been revealed. ...

H-Online: It’s a record for Microsoft: 9 critical and 8 important updates close a total of 64 security holes. In the worst case, a number of the vulnerabilities allow for remote code execution; in other words, arbitrary code can be injected and executed, such as from specially crafted documents and websites. Microsoft put 44 of them in the category Exploitability Index 1, meaning that the code that exploits the flaw will probably go into circulation soon. ...

H-Online: Following on from last week’s S3M vulnerability in the VLC media player, a new advisory warns of a buffer overflow when playing MP4/MPEG-4 files.The bug, reported by Aliz Hammond, requires that a user open a specially crafted MP4 file. According to Secunia, the vulnerability is found in the MP4_ReadBox_skcr()function in the demultiplexer and is rated as “highly critical”. All versions from 1.0.0 to 1.1.8 are affected by the problem. ...

from Schneier on Security by Schneier: This isn’t good: The hacker, whose March 15 attack was traced to an IP address in Iran, compromised a partner account at the respected certificate authority Comodo Group, which he used to request eight SSL certificates for six domains: mail.google.com, www.google.com, login.yahoo.com, login.skype.com, addons.mozilla.org and login.live.com. The certificates would have allowed the attacker to craft fake pages that would have been accepted by browsers as the legitimate websites. The certificates would have been most useful as part of an attack that redirected traffic intended for Skype, Google and Yahoo to a machine under the attacker’s control. Such an attack can range from small-scale Wi-Fi spoofing at a coffee shop all the way to global hijacking of internet routes. ...

Thanks to my friend, Pondus! Ars Technica: Hundreds of thousands of URLs have been compromised—at the time of writing, 694,000 (it’s over millions of site when you are reading this)—in an enormous and indiscriminate SQL injection attack. The attack has modified text stored in databases, with the result that pages served up by the attacked systems include within each page one or more references to a particular JavaScript file. ...