Vulnerabilities & attacks

AVG flags ZoneAlarm as malware

This post was updated at 3:30 p.m. PDT with comment from Check Point.

Grisoft, makers of AVG antivirus, on Wednesday released a new update addressing a false positive in another security product.

On Tuesday, AVG users reported desktop warnings that their desktop was infected with something called Trojan Agent r.CX. Some files within zlsSetup_70_483_000_en[1].exe, a compressed file containing dormant set-up files for Check Point's ZoneAlarm, apparently set off the alarm. The ZoneAlarm user forum soon filled with concerned users.

Grisoft did not respond to a request for comment.

Laura Yecies, vice president and general manager …

Secunia exploits security suites' flaws

A new report (PDF) from Secunia is raising awareness about the need to patch vulnerabilities and block malware from desktops.

The report found that "security vendors do not focus on vulnerabilities." And while Symantec Norton Internet Security 2009 bests the 11 other suites tested, Secunia found that Symantec "detected a mere 64 out of 300 exploits, or less than one-fourth, leaving 236 exploits undetected." Overall the dozen products all received an "F" on the report.

The Secunia test departed from the traditional testing done by organizations such as AV-test.org and AV-comparatives.org, which …

Fake Microsoft e-mail contains Trojan virus

Along with the vulnerabilities that Microsoft patched Tuesday, the software giant's customers have a new problem to grapple with: a fake notification e-mail that looks remarkably legitimate.

Attackers are apparently taking advantage of Microsoft's Patch Tuesday to send legitimate-looking e-mails that include a Trojan virus. Trojan.Backdoor.Haxdoor allows attackers to execute files and steal information from compromised computers. The fake mailing includes a legitimate-looking PGP signature, as well as purporting to come from a real Microsoft employee.

Christopher Budd, a security program manager in the Microsoft Security Response Center, offers this perspective on the e-mails in a …

Microsoft fixes 20 flaws with 11 patches

Microsoft on Tuesday released its October 2008 security bulletin. The four critical bulletins concern Windows, Internet Explorer, Microsoft Host Integration Server, and Microsoft Excel. The patch for Internet Explorer is cumulative.

Microsoft is now sharing the technical details of new vulnerabilities in advance of so-called Patch Tuesday to give software developers a chance to update affected products before the public announcement.

Microsoft is also including within each bulletin this month an "exploitability index" to help system administrators prioritize the patches--1 is for consistently functioning exploits (of most concern), 2 is for inconsistently functioning exploits (of moderate concern), and …

Microsoft betting on secure development metamorphosis

Back in 2002, Microsoft executives realized they had a serious problem at hand. As the primary target of a growing global community of amateur hackers and professional cybercriminals, Microsoft knew it had to do something to improve the security of its code or it was likely to become a party pooper at the online fiesta. The Bill Gates Trustworthy Computing e-mail of January 2002 got lots of PR focus, but Microsoft's real security workhorse was a new development process called the Security Development Lifecycle (SDL).

Since 2004, all new Internet-facing software developed by Microsoft has gone through SDL. …

Alleged NASA hacker loses another appeal

The man accused by the U.S. government of accessing more than 73,000 U.S. military machines has lost his second appeal to the British Home Office against extradition.

Gary McKinnon's recent diagnosis of having Asperger's syndrome, a condition on the autistic spectrum, had not changed Home Secretary Jacqui Smith's decision that the self-confessed NASA hacker be extradited, McKinnon attorney Karen Todner said Monday.

"The secretary of state has advised via the treasury solicitors that, despite Mr. McKinnon's diagnosis with Asperger's, she will now be making arrangements for his extradition, pursuant to her …

McAfee sees rise in stock scams, social-engineering attacks

If you think there are a lot of phishing scams cramming your e-mail in-box now, just wait--fraudsters have more tricks up their sleeve.

That's the message from McAfee Security Journal, due out Monday. Most of the articles deal with ways in which scammers use social engineering--not hacking--to dupe people into downloading malicious software to their computers or giving out their personal information, passwords, and bank account details to malicious Web sites.

One of the more interesting articles is titled "Vulnerabilities in the Equities Markets."

There have been headlines about people scamming the equities market by circulating …

World Bank under cyberattack?

The computer network used by the World Bank Group has suffered a series of at least six intrusions since mid-2007, according to a report.

The World Bank Group was first notified of the intrusions by the FBI in September 2007, when the bureau was investigating another cybercrime case involving transactions out of Johannesburg, South Africa. Fox News said it has an internal memo (PDF) describing the initial intrusion to World Bank Group employees.

The World Bank Group did not respond to a request for comment.

The World Bank Group, based in Washington, D.C., is not a traditional bank. It …

'Clickjacking' attack hides behind the mouse

On Tuesday, Adobe issued a workaround for a serious issue that could allow attackers to change the security settings within Flash.

Termed "clickjacking," the process gives "an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable," wrote WhiteHat Security CTO Jeremiah Grossman in a blog posting last month. He went on to say that while "guarding against Clickjacking was largely the browser vendors' responsibility," both he and Robert Hansen agreed to withhold further information and even canceled their talk recently at OWASP NYC AppSec 2008 Conference at …

CA acquires identity management firm IDFocus

CA on Tuesday announced it acquired identity management company IDFocus.

With the acquisition, CA plans to use IDFocus' Ace identity management technology to provide employees with multiple authorizations in their company's employee resource planning (ERP) system to automatically have those authorizations checked against the information they are seeking or the task they're trying to conduct.

Specifically, the CA Identity Manager aims to give employees various authorizations, then run a check against the segregation of duties (SOD) policies set up in the IDFocus software. If a policy has been violated, the CA Identity Manager is designed to kick in …