Security

Intego questions Symantec's use of name

In a statement issued Tuesday, Macintosh security company Intego accused Symantec of infringing on its copyright. At issue is the new box copy for Norton Antivirus for Macintosh. In the upper right corner, Symantec has prominently placed the words "Dual Protection," a reference to the product's use on both the Mac OS X and Windows operating systems when using Apple Boot Camp.

The Austin, Texas-based Intego said in a press release, "Intego is the owner of a trademark registration for the mark DP DUAL PROTECTION in France (registered on January 17, 2007) and an international trademark … Read more

Safari 3.1 update fixes 13 security flaws

Apple on Tuesday released Safari 3.1 for users on Mac OS X and Windows. Along with new features are 13 security updates for the Safari browser, WebCore, and WebKit. Most of the vulnerabilities address cross-site scripting flaws. A cross-site scripting attack can inject malicious code onto a victim's computer, usually via a script tag appended to a specially crafted URL. The Security Update APPLE-SA-2008-03-18 can be downloaded and installed from Apple Downloads, or you can simply download the new version of Safari 3.1 directly.

Safari (certificate validation): This patch only affects users of Safari on Windows XP or … Read more

Web code locks up iPhones and iPod Touch

A new exploit will either lock up your iPhone or iPod Touch or crash your Safari browser on your PC or Mac OS desktop if you simply visit a maliciously coded Web site. Unlike an earlier exploit that required users to click to become infected, the new code published by iPhoneWorld requires no user interaction.

So far, Apple has had no comment.

The code was first reported in January and exhausts the memory in Safari, which in turn will cause your iPhone or iPod Touch to freeze, or your desktop Safari to crash. "Given the nature of this issue, … Read more

Convicted Ukrainian hacker starts political party

Would you hire a former criminal hacker? Better question: would you elect a former criminal hacker to political office?

Credit goes to Brian Krebs over at the Washington Post's Security Fix blog for recognizing that Dmitri Ivanovich Golubov, a 24-year-old from Odessa, has started the "Internet Party of Ukraine." Golubov, whose hacker nickname is "Script," was arrested and even jailed in 2005 in connection with Carderplanet.com, a site that bought and traded credit and debit card credentials. After only six months in prison, Ukrainian politicians convinced a judge to set Golubov free.

What's … Read more

Harvard student database hacked, posted on BitTorrent

Harvard says about 10,000 of last year's applicants may have had their personal information compromised. At least 6,600 Social Security numbers were exposed. Worse, a compressed 125 M-byte file containing the stolen student data is currently available via BitTorrent, a peer-to-peer network.

In a statement published Monday night Harvard officials said the database containing summaries of GSAS applicant data for entry to the Fall 2007 academic year, summaries of GSAS housing applicant data for the 2007-08 and 2006-07 academic years, and administrator information had been compromised. The server had been taken offline for several days last month … Read more

Microsoft fixes a dozen Office flaws in four patches; all are critical

Microsoft today released its March 2008 security bulletin summary, which includes four bulletins, all deemed critical by Microsoft.

The most serious of these affects Microsoft Excel, which alone has six specific "Common Vulnerabilities and Exposures" vulnerabilities noted, one of which has been exploited in the wild. The next most serious affects Microsoft Outlook. In that one, a vulnerability in how the software parses "mailto" URIs could lead to remote code execution. A third bulletin affects how various Microsoft Office apps open maliciously crafted files. The final bulletin concerns how Office interfaces with the Web and includes one … Read more

RealPlayer vulnerable in Internet Explorer

If you use the RealPlayer on Internet Explorer, watch out. Researcher Elazar Broad has posted to the Full Disclosure mailing list a so-called heap overflow vulnerability that makes it possible for an attacker to modify heap blocks after they are freed and overwrite certain registers. This could allow code execution on a compromised machine. The vulnerability affects all versions of RealPlayer running under Internet Explorer.

Exploit code for this flaw has not yet been made public.

Without a patch from RealPlayer, security experts recommend disabling the killbit for the following ActiveX ClassIDs:

2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93
CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA

Please note that disabling the killbits … Read more

Can you trust that Web site?

The other day I heard a radio commercial claim that more than half of all health-related Web sites are fronts for law firms trolling for potential malpractice-suit clients. I immediately doubted the ad's claim. First, it didn't cite a source for the high percentage of illegitimate health sites it stated. Second, it was an ad itself (for a law firm trolling for potential malpractice-suit clients, of all things). And third, it glossed over the actual name of the firm, but repeated its toll-free number over and over.

Still, the ad got me thinking about all the bogus Web … Read more

Wiretapping focus shifts to e-mail communications

The FISA fight is all about the e-mails, according to public comments made on Tuesday by a Department of Justice official.

For months, the debate has centered around immunity for telecom companies including AT&T, Verizon, and Sprint. The primary focus has been on the warrantless wiretapping of the phone calls made by millions of Americans. In comments made at a public meeting on Tuesday, Assistant Attorney General for National Security Kenneth Wainstein made clear that the FISA fight is not about foreign-to-foreign calls, but actually about Internet data. The Washington Post reports:

At the breakfast yesterday, Wainstein highlighted … Read more

Security researchers to unveil pacemaker, medical implant hacks

A team of respected security researchers known for their work hacking RFID chips has turned its attention to pacemakers and implantable cardiac defibrillators.

The researchers will present their paper, "Pacemakers and Implantable Cardiac Defibrillators: Software Radio Attacks and Zero-Power Defenses," during the "Attacks" session of the 2008 IEEE Symposium on Security and Privacy, one of the most prestigious conferences for the computer security field.

The authors of the paper are listed as: Shane S. Clark, Benessa Defend, Daniel Halperin, Thomas S. Heydt-Benjamin, Will Morgan, Benjamin Ransford, Kevin Fu, Tadayoshi Kohno, William H. Maisel.

Kevin Fu, an assistant professor at the University of Massachusetts Amherst, … Read more