Vulnerabilities & attacks

F-Secure provides details on Web site breach

Helsinki-based security firm F-Secure said on Thursday that a breach of its Web site earlier in the week by a Romanian hacker site was limited in scope and impact.

On Wednesday the HackersBlog site said it had used a SQL injection and cross-site scripting attack to get access to data on an F-Secure Web site. Earlier, the site had launched similar attacks on a site of security firm Kaspersky and one belonging to a partner of BitDefender.

F-Secure said the problem with its site was due to a bug in a Web application and not related to an unpatched system. …

Apple fixes dozens of holes with OS X security update

Apple released a Mac OS X security update on Thursday that contains fixes for more than two dozen vulnerabilities, including one in Safari RSS that could lead to arbitrary code execution and one in Remote Apple Events that could disclose sensitive information.

Also fixed are a vulnerability in AFP Server that could trigger a denial of service and vulnerabilities in Apple Pixlet Video, ClamAV, CoreText, Python, SMB, and X11 that could lead to arbitrary code execution. Another fix closes a hole in Printing that could allow a local user to get system privileges and one in DS Tools that could …

Android phones await security patch

A researcher who found a security hole in the Android mobile platform in October has found another one that he says is serious enough for him to recommend people not use the Android browser until the patch is installed.

Charlie Miller, a principal analyst at consultancy Independent Security Evaluators, said on Thursday that a patch for the vulnerability is available on Google's source code repository, but has not yet been made available for download onto the phones via the T-Mobile service.

Like the previous hole, the new vulnerability could allow an attacker to remotely take control of the browser, …

Microsoft offers $250,000 reward for Conficker arrest

Correction, 1:08 p.m. PST: This story initially misstated the amount of the reward. It is $250,000.

Microsoft on Thursday said it is offering a $250,000 reward for information that leads to the arrest and conviction of whoever is responsible for creating the Conficker Internet worm that has infected millions of PCs.

Microsoft said it is offering the reward because the worm constitutes a "criminal attack" and offering compensation should hasten prosecution. Residents of any country are eligible for the reward and should contact their international law enforcement authorities, the company said in a statement. …

Twitter hit with 'Don't Click' clickjacking attack

Twitter stopped a clickjacking attack on Thursday that quickly spread because it took advantage of social engineering and people's natural curiosity.

Tweets began appearing that said "Don't Click" followed by a link. Naturally, people clicked. When they did so, a tweet was sent from their account with the same "Don't Click" message and link.

"We patched the 'don't click' clickjacking attack 10 minutes ago. Problem should be gone," John Adams, aka Netik, an operations engineer at Twitter, tweeted around 11 a.m. PST.

The clickjacking appeared to be harmless …

Facebook friends don't ask friends for money

To my friends on Facebook:

If you get a message from me asking for money because I've been robbed while on vacation somewhere, please don't send cash.

First off, I can't afford any big vacations for the foreseeable future. Secondly, if I encountered some trouble I definitely wouldn't blast a plea for help out to my hundreds of Facebook friends.

A relatively new Facebook scam has been surfacing in which a user's account is hacked and then used to send messages of alarm to get the user's friends to send money.

Hacking into Web …

Hacker site claims breach of third security firm Web site in a week

A Romanian hacker site said on Wednesday it was able to breach the Web site of Helsinki-based security firm F-Secure just as it had gained access to the sites of two other security companies earlier in the week.

F-Secure is "vulnerable to SQL Injection plus Cross Site Scripting," an entry on the HackersBlog site said. "Fortunately, F-Secure doesn't leak sensitive data, just some statistics regarding past virus activity."

An F-Secure spokesman said the company had taken the affected server down and that it was a low-level server that was not critical to the company and …

MobileMe users hit with phishing scam, again

MobileMe users are being targeted by a phishing scam.

Users of MobileMe, which automatically sends e-mail, contacts, and calendar events to your computer, iPhone, or iPod, have been receiving a new e-mail that looks like it comes from Apple. It warns that attempts to renew the MobileMe subscription have failed because of a problem with charging the credit card and prompts the recipient to log in and update information on a site that looks legitimate but is not, Macworld reported on Wednesday.

A similar phishing scam targeting MobileMe users was discovered in August, according to Macworld.

Tips for MobileMe users …

Microsoft patches four critical IE, Exchange holes

Updated at 12:30 p.m. PST with nCircle comment.

Microsoft on Tuesday released security updates that fix four critical vulnerabilities in Internet Explorer and Exchange Server that could allow an attacker to take control of an affected computer remotely.

Microsoft Security Bulletin MS09-002 plugs two critical holes in IE that could allow remote code execution if an IE user views a Web page that has malicious code, according to Microsoft's notification.

"Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights," …

FAA reports breach that puts employee data at risk

A server at the U.S. Federal Aviation Administration was illegally accessed online and personal identity information of employees was stolen, the agency said.

Two of the nearly 50 files on the breached computer had personal data about more than 45,000 FAA employees and retirees who were on the FAA rolls as of three years ago, the FAA said in a statement released on Monday.

The server that was breached was not connected to the air traffic control system or other operational systems, according to the statement.

The agency is notifying all affected employees by mail and is investigating …