Consumer software and hardware

FAQ: The ins and outs of DoS attacks

Thursday's denial-of-service attack that knocked Twitter offline for a few hours and affected Facebook, LiveJournal, and Google Sites and Blogger wasn't your average attack.

Typically, someone who has a bone to pick with a specific Web site will round up some hijacked PCs and use them to try to shut the site down. In this case, whoever was responsible was trying to block access to a specific user's accounts and not the sites themselves.

Denial-of-service attacks aren't always straightforward, and this one has its own unique twist. Let's take a look at what happened … Read more

Microsoft to fix critical Windows, Office holes

Microsoft will issue fixes for five critical holes affecting Windows and a variety of other software on Patch Tuesday next week.

The critical holes, which could allow an attacker to remotely run code on a PC and take control of it, affect Windows 2000, Windows XP, Windows Vista, Windows Server 2003 and 2008, Windows Client for the Mac, Office 2000, XP and 2003, Microsoft Office Small Business Accounting 2006, Visual Studio .NET 2003, Microsoft Internet Security and Acceleration Server 2004 and 2006, and BizTalk Server 2002, according to a Microsoft security advisory released on Thursday.

Four additional vulnerabilities, rated "… Read more

Is Adobe the next (pre-2002) Microsoft?

If you're a criminal and you want to break into a network, a common attack method is to exploit a hole in software that exists on most computers, has its fair share of holes, and isn't automatically updated.

In 2002, that would have been Windows. Today, it's likely to be Adobe Reader or Flash Player, whose share of vulnerabilities and exploits is on the rise while Microsoft's is falling.

Nearly half of targeted attacks exploit holes in Acrobat Reader, which is used to read PDF (portable document format) files, according to F-Secure. Meanwhile, the number of … Read more

Apple fixes hole with Mac OS X image viewing

Apple on Wednesday issued a security update that fixes 18 vulnerabilities including several that put computers running Mac OS X at risk of remote code execution if a maliciously crafted image is viewed.

In addition to fixing a problem with how PNG images are handled, Security Update 2009-003 fixes issues related to ImageIO's handling of OpenEXR images, EXIF metadata, as well as Canon RAW images and images with an embedded ColorSync profile.

The update, which arrives as part of the release of Mac OS X v10.5.8, extends the list of content types that Mac OS X will … Read more

DIY home surveillance with a Webcam

We're on the tail end of the summer vacation season, which according to the FBI is one of the peak periods of home burglaries. Chances are good you're about to head out of town, leaving your dwelling to fend for itself against intruders.

Got a house sitter or an alarm system? Good for you. If not, there are a handful of ways to turn a computer into a tool that will alert you if someone's there who shouldn't be.

For the sake of this guide we're keeping things simple and limiting our list to free apps that work on PCs, Macs, or both. A few simply use your browser. Later on we also have a section on specialty hardware that can take you beyond what most Webcams are capable of.

The software

Software can offer definite peace of mind over browser-based solutions. Most of these apps can run quietly in the background, and can save footage to your hard drive for archiving. High-end Webcams often come with their own security software, so in the spirit of this guide, we're going with generic software that should work with any model:

Yawcam (PC) Yawcam is free and PC-only. It's a complex program but not too complex to set up. The app lets you set whether you want to capture all of the motion within the frame or just a part of it. I used it to track motion in a specific part of my workplace: CNET colleague Rafe Needleman's office door. Any time he came in or out of his office it took a photo. At home this is more useful if you point it toward something like a door or entryway, which can keep it from picking up one of your pets moving around.

The app does an exceptional job at letting you pick various ways you want to be notified. You can have it upload screen shots to an FTP site or as an e-mail. It can also play any sound on your computer, or start another program (such as a lock-down or keyboard locking application).

I set mine up with Gmail, which was a snap. You just have to plug in the outgoing settings from Google's help page and it will send a high-quality screen shot of whatever motion it's captured just a few seconds after it happens. Using this with your phone's e-mail address will give you a live alert and a saved copy of all the shots in Gmail's sent folder.

HomeCamera (PC) This software runs a streaming video client that can be accessed from any computer with a browser. You can view either live video or snapshots that can be taken at intervals or on-demand. HomeCamera's secret sauce is… Read more

Using software updates to spread malware

LAS VEGAS--Two researchers from Israeli security firm Radware have figured out a way to trick computers into downloading malware or take over a computer by hijacking the communications during the update process for Skype and other applications.

About 100 applications, many among the most popular on CNET's Download.com, can be targeted, said Itzik Kotler, team leader of Radware's security operations center, before his presentation here at the Defcon conference.

Kotler and colleague Tomer Bitton are releasing a tool called Ippon (which means "game over" in Judo) that enables the attack and offers a 3D view … Read more

Firefox: 1 billion downloads only part of the story

At about 8 a.m. PDT Friday, Firefox crossed the billion-download threshold--a notably large number for Mozilla's open-source Web browser but one that doesn't tell the whole story.

Firefox fans love their statistical milestones, and Mozilla enjoys fanning the flames by providing plenty of opportunities for self-congratulation. In 2008 there was Firefox Download Day, with more than 8 million downloads in 24 hours. Next came the Firefox 3.5 debut and its download tracker.

And now we have the billion-download figure on the Spread Firefox site. That includes updates people have fetched deliberately, not automatic updates, Mozilla said. … Read more

Microsoft acknowledges Windows 7 activation leak

Alex Kochis, Microsoft's director of Genuine Windows, posted a blog late Thursday addressing the "leak of a special product key" of Windows 7 RTM (release to manufacturers). This confirmed the rumor on Tuesday that an ISO file of Windows 7 RTM sent to Lenovo that contains a master key--a number used to verify the authenticity of the software--was leaked to the Internet.

According to the blog, "The key is for use with Windows 7 Ultimate RTM product that is meant to be preinstalled by the OEM (original equipment manufacturer) on new PCs to be shipped later … Read more

An SMS can force a URL or app on smartphones

LAS VEGAS--In one of a handful of SMS-related presentations here at the Black Hat security show, researchers demonstrated on Thursday how they can force certain types of smartphones to visit a malicious URL or install an app without user approval.

The vulnerability only affects phones that have been misconfigured by the original equipment manufacturer so that they accept any message sent through WAP Push (Wireless Application Protocol), a service that runs on top of SMS, said researcher John Hering.

WAP Push messages should only be accepted when sent by a trusted party such as the mobile operator, said Hering, chief … Read more

Researchers can attack mobile phones via spoofed SMS messages

LAS VEGAS--Researchers at the Black Hat security conference on Thursday showed how an attacker could spoof a type of SMS message that appears to be sent from the carrier or some other trusted source.

This attack on MMS (multimedia messaging service) messages, a type of SMS message, could allow an attacker to trick the recipient into visiting a malicious Web site or ultimately do something else to harm the phone or steal data.

The attacks work potentially on any type of phone that is MMS-enabled and operating on Global System for Mobile communications (GSM) networks, said Zane Lackey, a senior … Read more