Friday, April 18, 2008

Friday News Feed 4/18/09

MSRC Blog: Microsoft Security Advisory 951306
Posted Thursday, April 17, 2008 6:38 PM by MSRCTEAM
Hello, Bill here,

I wanted to let you know that we have just posted Microsoft Security Advisory (951306).
This advisory contains information regarding a new public report of a vulnerability within Microsoft Windows which allows for privilege escalation from authenticated user to LocalSystem. Our investigation has shown that this vulnerability affects Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008.

At this time, we are not aware of attacks attempting to use the reported vulnerability, but we will continue to track this issue. The advisory contains several workarounds that customers can use to help protect themselves. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release.

We will continue to monitor the situation and post updates to the advisory and the MSRC Blog as we become aware of any important new information.

In the meantime, we encourage customers to review the advisory and implement the workarounds.

Chinese hackers poised for anti-CNN attack over the weekend
An announced denial-of-service attack against CNN is allegedly planned by Chinese hackers incensed over world scrutiny of the crackdown in Tibet.

Apple makes minor concession on pushing Safari to Windows users

CEO-phishing scam fires up anew

Kingston, IronKey announce new FIPS-certified USB drives

MySpace hack reveals profile visitors

Privacy advocates: Consumer education isn't enough

Study: LimeWire remains top P2P software; uTorrent fast-rising No. 2

Survey: 12% of U.S., U.K. consumers 'borrow' free Wi-Fi

Update: Apple patches Safari's $10,000 bug, fixes other flaws

Comcast's Net Neutrality Strategy
The news of Comcast effectively walking away from the entire Net neutrality process got me to draw lines between that and Microsoft's bid for ISO approval of OOXML. Comcast is clearly taking a different path.

SANS solves mystery of mass Web site infections
InfoWorld - Thu Apr 17, 1:02 PM ET
San Francisco - The SANS Institute has uncovered what they've termed a "rare gem" as far as computer security investigations go that sheds new light on how up to 20,000 Web sites have been hacked since January.

Court Battle over Video Game Ban Takes Strange Turn
Judges around the country generally haven't had much trouble in striking down laws that crack down on the sale of video games to minors. But a battle over a Minnesota statute has inspired some peculiar contortions by a federal appeals court judge. Section 325I.06 of the Minnesota code bars minors from buying or renting video games rated “Mature” or “Adult Only.” In a March 17 decision, the 8th U.S. Circuit Court of Appeals concluded it was not narrowly tailored to address the state’s compelling interest in protecting children from psychological and moral harm resulting from their interaction with violent video games.
http://www.onpointnews.com/

Potential Microsoft Works ActiveX Zero-Day Surfaces
Thursday April 17, 2008 at 11:15 am CST
Posted by Kevin Beets
A Microsoft Works ActiveX potential zero-day threat has been disclosed on a handful of Chinese blog sites. This threat was originally posted as a proof of concept that caused a Windows host to crash, but very soon after, a working exploit was posted. (Show of hands: Who’s surprised?)
Here’s the meat of this: The flaw lies in an ActiveX component of Microsoft Works Image Server (WkImgSrv.dll). Yes, it appears successful exploitation would allow for code execution via a controlled pointer. For this to occur, the victim would need to visit a malicious Web site.
On the plus side, this control is not marked safe, and attempts to use it should be accompanied with a warning from Internet Explorer. Even though this is the case, you will want to set the kill bit for clsid:00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6 to help mitigate. Initial testing on Windows XP SP2 and Internet Explorer 7 shows this to be easily exploitable once past the “warning” hurdle.
In the meantime, McAfee Avert Labs will continue researching this issue.
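The post above recommends setting the kill bit for the WkImgSrv.dll control. As an added illustration (not McAfee's or Microsoft's code), the Python script below renders the standard kill-bit registry setting as a .reg file, or applies it directly through the winreg module when run on Windows with administrative rights. The registry path and the 0x400 "Compatibility Flags" value are the documented kill-bit mechanism (Microsoft KB 240797); the CLSID is the one quoted in the post; the function names and the CLSID normalisation are my own.

```python
import re
import sys

# CLSID quoted in the McAfee post for the Works Image Server control.
WORKS_IMAGE_SERVER_CLSID = "00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6"

# Documented kill-bit location and flag (Microsoft KB 240797): a REG_DWORD named
# "Compatibility Flags" with bit 0x400 set under the control's CLSID key.
KILLBIT_KEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILLBIT_VALUE_NAME = "Compatibility Flags"
KILLBIT_FLAG = 0x00000400

_CLSID_RE = re.compile(r"^[0-9A-F]{8}-(?:[0-9A-F]{4}-){3}[0-9A-F]{12}$")


def normalize_clsid(clsid: str) -> str:
    """Accept a CLSID with or without braces / a 'clsid:' prefix; return it as {UPPER-HEX}."""
    c = clsid.strip()
    if c.lower().startswith("clsid:"):
        c = c[len("clsid:"):]
    c = c.strip("{}").upper()
    if not _CLSID_RE.match(c):
        raise ValueError(f"not a CLSID: {clsid!r}")
    return "{" + c + "}"


def killbit_reg_file(clsid: str) -> str:
    """Render a .reg file that sets the kill bit for one control (works on any OS, nothing is written)."""
    key = f"HKEY_LOCAL_MACHINE\\{KILLBIT_KEY}\\{normalize_clsid(clsid)}"
    return (
        "Windows Registry Editor Version 5.00\r\n\r\n"
        f"[{key}]\r\n"
        f'"{KILLBIT_VALUE_NAME}"=dword:{KILLBIT_FLAG:08x}\r\n'
    )


def killbit_is_set(flags: int) -> bool:
    """True when the kill bit is present in a Compatibility Flags value (other bits may also be set)."""
    return bool(flags & KILLBIT_FLAG)


def apply_killbit(clsid: str) -> int:
    """Set the kill bit on the local Windows machine, keeping any other compatibility bits.
    Returns the new Compatibility Flags value. Windows only; needs administrative rights."""
    import winreg  # standard library, importable only on Windows

    subkey = KILLBIT_KEY + "\\" + normalize_clsid(clsid)
    with winreg.CreateKey(winreg.HKEY_LOCAL_MACHINE, subkey) as k:
        try:
            current, _ = winreg.QueryValueEx(k, KILLBIT_VALUE_NAME)
        except FileNotFoundError:
            current = 0
        new = current | KILLBIT_FLAG
        winreg.SetValueEx(k, KILLBIT_VALUE_NAME, 0, winreg.REG_DWORD, new)
        return new


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 and not sys.argv[1].startswith("--") else WORKS_IMAGE_SERVER_CLSID
    if sys.platform == "win32" and "--apply" in sys.argv:
        print(f"Compatibility Flags now {apply_killbit(target):#010x}")
    else:
        sys.stdout.write(killbit_reg_file(target))
```

Run without arguments it prints a .reg file for the Works Image Server control; `--apply` on Windows writes the value in place, OR-ing the kill bit into any flags already present rather than overwriting them. On 64-bit Windows the 32-bit browser reads the same key under SOFTWARE\Wow6432Node, so both views need the bit; this script only writes the native view.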

Srizbi maintains large spam botnet
April 18, 2008
Srizbi maintains a large spam botnet using simple techniques to recruit new bot members.

Growing Number Of ISPs Injecting Own Content Into Websites
from the this-is-not-a-good-trend dept
With growing concerns over companies like Phorm and NebuAd enabling ISPs to insert their own ads into your web surfing, some researchers decided to see if this is already happening -- and were surprised to find it more prevalent than they expected. It's still not a huge number, but in tests, they found that there definitely are some ISPs already using such technology to inject ads, though they tend to be smaller "no name" ISPs. The one big exception was XO Communications -- though XO claims that any ad injections must be done by downstream resellers of its wholesale service. Either way, this ought to raise some questions about what rights ISPs have to get in the middle and alter the data that you requested and which was served by a third party.

NBC Universal Now Says It Should Be Apple's Responsibility To Stop Piracy

Los Angeles botmaster pleads guilty
Dan Kaplan April 17, 2008
A Los Angeles man pleaded guilty on Wednesday to charges he oversaw a collection of hundreds of thousands of zombie computers that he used to steal personal data and perpetrate identity theft.

Woman accused of using RootsWeb to steal IDs of dead people
A California woman has been accused of using the Social Security Administration's Death Index and popular genealogy site RootsWeb to obtain social security numbers of recently deceased individuals for the purpose of credit card fraud.
April 18, 2008 - 09:47AM CT - by Ryan Paul

DoJ wants more money to scour P2P networks for child porn
The DOJ is looking for more money to monitor not only P2P networks, but web sites and chat rooms, all in the name of fighting child porn.
April 18, 2008 - 06:10AM CT - by Jon Stokes

Effects of Earth's Magnetotail on the Moon
Earth’s powerful magnetic field is shaped by the solar wind into a tear-like elongate...
in Space, 18 April, 12:33 GMT

Targeted spear phishing attacks
Posted by Nathan McFeters @ 11:33 pm

A colleague of mine, Dave Wong, from Ernst & Young’s Advanced Security Center in New York, pointed me to a really interesting article on targeted spear phishing attacks by John Markoff of the New York Times. Phishing has been really interesting to me lately, as I’ve seen a wave of discussions, black hat presentations, and technologies abound that deal with phishing and identity theft. In fact, this article comes just one day after I watched another colleague, Nitesh Dhanjani, provide a presentation to a Security Interest Group here in Chicago, organized by Kevin Richards of Ernst & Young and involving numerous large companies from the Midwest area. The phishing and identity theft talk that Nitesh gave really raised some eyebrows, especially when he discussed the targeted spear phishing attacks.

Oklahoma Data Leak
Usually I don't bother blogging about these, but this one is particularly bad. Anyone with basic SQL knowledge could have registered anyone he wanted as a sex offender.

One of the cardinal rules of computer programming is to never trust your input. This holds especially true when your input comes from users, and even more so when it comes from the anonymous, general public. Apparently, the developers at Oklahoma’s Department of Corrections slept through that day in computer science class, and even managed to skip all of Common Sense 101. You see, not only did they trust anonymous user input on their public-facing website, but they blindly executed it and displayed whatever came back.

The result of this negligently bad coding has some rather serious consequences: the names, addresses, and social security numbers of tens of thousands of Oklahoma residents were made available to the general public for a period of at least three years. Up until yesterday, April 13 2008, anyone with a web browser and the knowledge from Chapter One of SQL For Dummies could have easily accessed - and possibly, changed - any data within the DOC’s databases. It took me all of a minute to figure out how to download 10,597 records - SSNs and all - from their website.
Posted on April 18, 2008 at 06:16 AM
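The post describes the textbook failure: input from a public web form pasted into a SQL statement and executed as-is. As an added example (not the Oklahoma site's code; its schema is not public, so the table, rows and crafted input below are constructed), this Python puts the vulnerable pattern next to its parameterised replacement against an in-memory SQLite table, and shows why an input allow-list on its own is not the fix.

```python
import re
import sqlite3

# Constructed sample data standing in for the kind of table the post describes.
SAMPLE_ROWS = [
    (1, "Alice Example", "Tulsa"),
    (2, "Bob Sample", "Norman"),
    (3, "Carol Test", "Lawton"),
]

# Constructed crafted input: closes the quoted literal and appends an always-true clause.
INJECTED = "Norman' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE offenders (id INTEGER PRIMARY KEY, name TEXT, city TEXT)")
    conn.executemany("INSERT INTO offenders VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_by_city_vulnerable(conn: sqlite3.Connection, city: str) -> list:
    """The pattern the post condemns: user input spliced into SQL text and executed as-is.
    A crafted value changes the WHERE clause and the query returns every row."""
    sql = f"SELECT id, name, city FROM offenders WHERE city = '{city}'"
    return conn.execute(sql).fetchall()


def lookup_by_city_safe(conn: sqlite3.Connection, city: str) -> list:
    """Parameterised query: the input is bound as a value and cannot alter the statement,
    so the crafted string is simply compared against the city column and matches nothing."""
    sql = "SELECT id, name, city FROM offenders WHERE city = ?"
    return conn.execute(sql, (city,)).fetchall()


# Allow-list for city names. Apostrophes are deliberately permitted (real place names
# have them), which is exactly why validation cannot replace parameter binding.
_CITY_RE = re.compile(r"^[A-Za-z .'-]{1,40}$")


def lookup_by_city_validated(conn: sqlite3.Connection, city: str) -> list:
    """Validation in front of the safe query: reject values that cannot be a city name,
    then still bind the value as a parameter."""
    if not _CITY_RE.match(city):
        raise ValueError(f"rejected city value: {city!r}")
    return lookup_by_city_safe(conn, city)


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, honest input :", lookup_by_city_vulnerable(conn, "Norman"))
    print("vulnerable, crafted input:", lookup_by_city_vulnerable(conn, INJECTED))
    print("safe, crafted input      :", lookup_by_city_safe(conn, INJECTED))
```

The validated lookup rejects the crafted value because it contains `=`, but it still routes through the parameterised query: a regex that tolerates apostrophes cannot keep quotes out of a string-built statement, and binding parameters is what removes the bug class rather than one instance of it.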

CA Products DSM gui_cm_ctrls ActiveX Control Code Execution - Highly critical - From remote
Issued 1 day ago. A vulnerability has been reported in various CA products, which can be exploited by malicious people to compromise a vulnerable system.

Safari Multiple Vulnerabilities - Highly critical - From remote
Issued 1 day ago. Some vulnerabilities have been reported in Safari, which can be exploited by malicious people to conduct cross-site scripting attacks or potentially to compromise a user's system.

Mozilla Firefox Javascript Garbage Collector Vulnerability - Highly critical - From remote
Issued 1 day ago. A vulnerability has been reported in Mozilla Firefox, which can potentially be exploited by malicious people to compromise a user's system.

Windows Vista Service Pack 1: Not for the Impatient
Microsoft has released a bundle of security and stability updates for Windows Vista users. What follows is a long-overdue primer on this package of goodies from Redmond known as Service Pack 1.
http://blogs.washingtonpost.com/securityfix/
