All the world's a Stagefright

Here’s how security vulnerabilities are supposed to be handled. One, a researcher discovers an issue. Two, the people who make the software find a solution. And three, the solution is then made available, ideally by automatic update. That’s what Windows does, and what Apple does. It isn’t always as fast as it should be, but at least once the fix exists it’s available almost instantly. ...

October 9, 2015 · 1 min · 202 words · Omid Farhang

Apple closes QuickTime vulnerabilities on Windows

Apple has released a security update for its QuickTime media framework for Windows. Version 7.7.4 of the software closes 12 critical security holes causing memory corruption and buffer overflows when processing a number of media formats. The vulnerabilities affect Windows 7, Vista and XP SP2 or later and could be exploited to cause arbitrary code execution and application crashes. The vulnerabilities affected the playback of MP3, H.263, H.264, TeXML, JPEG, QTIF, Sorenson Video and FPX files as well as the handling of dref, enof and mvhd atoms within the program. All of the problems were reported by researchers working with HP’s Zero Day Initiative, five of them by Tom Gallagher and Paul Bates from Microsoft. ...

May 23, 2013 · 1 min · 162 words · Omid Farhang

New Adobe Vulnerabilities Being Exploited in the Wild

Adobe posted a vulnerability report warning that vulnerabilities in Adobe Reader and Acrobat XI (11.0.1) and earlier versions are being exploited in the wild. Adobe is currently investigating this issue. According to the FireEye blog posted earlier today, the malicious file arrives as a PDF file. Upon successful exploitation of the vulnerabilities, two malicious DLL files are dropped. ...

February 14, 2013 · 1 min · 176 words · Omid Farhang

Internet Explorer security hole: Use other browser

TheTelegraph: Internet Explorer users might want to consider upgrading or switching to another browser after a massive security hole was discovered in Windows’ native web browser. According to security forum, Rapid7 , Internet Explorer 7, 8 and 9 operating on Windows XP, Vista and Seven contains what is known as a “zero day exploit” which allows attackers to gain access to your personal data while you browse. ...

September 18, 2012 · 1 min · 174 words · Omid Farhang

Adobe fixes ColdFusion security vulnerability

h-Online: On the same day as Microsoft’s September Patch Tuesday, Adobe released an update for ColdFusion to close a security hole in its rapid web application development software. The hotfix for ColdFusion addresses a vulnerability (CVE-2012-2048), which the company rates as important, that could be exploited by a remote attacker to cause a denial-of-service (DoS) condition. According to Adobe, the unspecified error affects versions 8.0, 8.0.1, 9.0 to 9.0.2, and 10 of ColdFusion for Windows, Mac OS X and UNIX. Installing the provided hotfix corrects the problem; download links and installation instructions for each affected version are provided on the APSB12-21 technote page. All users are advised to download and apply the hotfix. Adobe credits UK developer David Boyer for finding and reporting the problem. ...

September 12, 2012 · 1 min · 126 words · Omid Farhang

Oracle rushes out patch for critical 0-day Java exploit

TheRegister: In an uncommon break with its thrice-annual security update schedule, Oracle has released a patch for three Java 7 security flaws that have recently been targeted by web-based exploits. “Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alert as soon as possible,” Eric Maurice, the company’s director of software security assurance, said in a blog post published on Thursday. ...

August 31, 2012 · 2 min · 370 words · Omid Farhang

Java zero day vulnerability actively used in targeted attacks

ZDNet: Security researchers from FireEye, AlienVault, and DeependResearch have intercepted targeted malware attacks utilizing the latest Java zero day exploit. The vulnerability affects Java 7 (1.7) Update 0 to 6. It does not affect Java 6 and below. Based on related reports, researchers were able to reproduce the exploit on Windows 7 SP1 with Java 7 Update 6. There’s also a Metasploit module available. ...

August 27, 2012 · 1 min · 189 words · Omid Farhang

Not so secure: Text messaging on iPhone can be hacked

FirstPost: A hacker Friday revealed a security flaw that he claimed could make Apple’s iPhone particularly vulnerable to text message cheating. The flaw has existed since iPhone was first launched in 2007, and is still not solved in the beta version of iOS 6, the next operating system for iPhone, the hacker under the name “Pod2g” said in a blog post, reported Xinhua. ...

August 19, 2012 · 2 min · 238 words · Omid Farhang

PostgreSQL patches XML flaws

h-online: A flaw in the built-in XML functionality of PostgreSQL (CVE-2012-3488) and another in its optional XSLT handling (CVE-2012-3489) have been patched, and the developers have released updated versions of the open source database with relevant fixes. The holes being patched are related to insecure use of the widely used libxml2 and libxslt open source libraries and the PostgreSQL developers advise anyone using those libraries to check their systems for similar problems. ...

August 19, 2012 · 2 min · 333 words · Omid Farhang

LibreOffice vulnerable to multiple buffer overflows

h-online: Three weeks after releasing LibreOffice 3.5.5, The Document Foundation has confirmed that security holes in earlier versions of the open source LibreOffice productivity suite can be exploited by attackers to compromise a victim’s system. According to the project’s security advisory, these include multiple heap-based buffer overflow vulnerabilities in the XML manifest encryption tag parsing code. ...

August 2, 2012 · 1 min · 156 words · Omid Farhang