Vulnerabilities & attacks

Is Palin's hacker a Tennessee college student?

There are mixed reports on Friday about whether the son of a Tennessee state representative has been contacted by the FBI or Secret Service in connection with Sarah Palin's hacked Yahoo Mail account.

The father, Democratic Rep. Mike Kernell, has told the Knoxville News Sentinel and The Tennessean that, despite a lot of online chatter, no formal contact has been made.

The person who gained access to Palin's e-mail account did so by guessing details of her life, then changed the e-mail password to "popcorn."

Using the online nickname Rubico, someone posted details of the hack …

Social engineering cracked Palin's e-mail account

Details describing how someone hacked into Sarah Palin's Yahoo Mail account emerged on Thursday, and it appears to have been done with little more than social engineering, the process of acquiring personal information through social manipulation.

Meanwhile, the Knoxville News Sentinel is reporting that a 20-year-old University of Tennessee student has been contacted in connection with the federal investigation of the break-in. Further details are not known.

Since Tuesday, anonymous posters using a forum on the 4Chan.org Web site have been circulating password-protected zip files containing the contents of the now-deleted e-mail account once belonging to the Republican …

QuickTime and iTunes DoS exploit released

A serious new flaw was disclosed on Thursday that affects the latest versions of Apple's QuickTime and iTunes applications.

The National Vulnerability Database entry CVE-2008-4116 describes a heap-based buffer overflow vulnerability within Apple's QuickTime 7.5.5 and iTunes 8.0 programs.

To exploit the flaw, a maliciously crafted long-type attribute within a QuickTime tag might be placed on a Web page, or within a .mp4 or .mov file. This could allow remote attackers to crash the applications (a denial of service) or possibly execute arbitrary code on the compromised computer.

The announcement comes one week …

Trojan masquerades as iPhone game

Security firm Sophos warned on Thursday that e-mails being circulated on the Web that purport to offer a free iPhone game instead are carrying a Trojan horse that can take control of infected Windows machines.

The e-mails have subject lines like "Virtual iPhone games!" and "Apple: The most popular game!" The attachment is called "Penguin.Panic.zip," which refers to the iPhone game of the same name.

The Trojan has been identified as Troj/Agent-HNY, Sophos said.

Sophos has not yet seen versions that run on Mac OS X, the Apple iPhone, or other …

Security researchers and vendors--a truce?

There has historically been a clash between security researchers who find security flaws in software products and the companies that make those products.

But two recent examples of cooperation between researchers and vendors show hope for future truces.

Leading by example was Dan Kaminsky, director of penetration testing for IOActive, who warned security software vendors about a fatal flaw in the DNS (Domain Name System) months before going public so vendors could release patches.

"What he and others he took into his confidence did over the last few months was not only responsible but extraordinary," my colleague Robert …

McAfee: Brad Pitt fan sites may be bad for your computer

Want to download a Brad Pitt screen saver? What about images of Beyonce? If you're using a site you're not familiar with, you may want to reconsider.

According to McAfee's new "riskiest celebrities in cyberspace" list, Internet users searching for "Brad Pitt," "Brad Pitt downloads," or Brad Pitt wallpaper, screen savers, and pictures have an 18 percent chance of landing on sites containing malicious code. This includes drive-by malware that can infect a PC without asking the user to download anything. Such social engineering, once reserved for e-mail, is now being …

Mac OS 10.5.5 packs fixes for slew of security flaws

With the release of Mac OS X 10.5.5 on Monday, the Cupertino, Calif., computer company provided patches for almost three dozen software flaws. Some of the fixes are specific to Apple features, such as image processing and Finder. Other fixes are updates to various open-source projects including Bind, ClamAV, OpenSSH, and Ruby.

Version 10.5.5 can be obtained from the Apple Software Downloads page.

ATS: This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update addresses the issue in CVE-2008-2305, in which viewing a document containing a maliciously crafted font may lead to arbitrary code execution. Apple credits Chris Ries of Carnegie Mellon University Computing Services for reporting this vulnerability.

BIND: This patch affects users of Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5 through v10.5.4, and Mac OS X Server v10.5 through v10.5.4. The update upgrades users to BIND version 9.4.2-P2, which addresses performance issues associated with BIND version 9.4.2-P1.

ClamAV: This patch affects users of Mac OS X Server v10.4.11 and Mac OS X Server v10.5 through v10.5.4. The update addresses the vulnerabilities detailed in CVE-2008-1100, CVE-2008-1387, CVE-2008-0314, CVE-2008-1833, CVE-2008-1835, CVE-2008-1836, CVE-2008-1837, CVE-2008-2713, and CVE-2008-3215 by updating Mac OS users to ClamAV version 0.93.3.

Directory Services: This patch affects users of Mac OS X v10.5 through v10.5.4 and Mac OS X Server v10.5 through v10.5.4. The update addresses the vulnerability detailed in CVE-2008-2329, in which a person with access to the log-in screen may be able to list user names. Apple says an information disclosure issue exists in Log-in Window when it is configured to authenticate users with Active Directory. "By supplying wildcard characters in the user name field, a list of user names from Active Directory may be displayed."

Directory Services II: This patch affects users of Mac OS X Server v10.4.11 and Mac OS X Server v10.5 through v10.5.4. The update addresses the insecure file operation vulnerability in CVE-2008-2330, in which a local user may obtain the server password if an OpenLDAP system administrator runs slapconfig. …

'BusinessWeek' site hacked in potential malware attack

Updated at 2:25 p.m. PDT with "BusinessWeek" comment.

Hackers have broken into BusinessWeek's online site and set up an attack scenario in which visitors to a section of the site could have their own computers compromised and their data stolen, a security researcher said on Monday.

It's unclear how long the site has been compromised and there is no evidence that BusinessWeek.com readers have been affected, but also no evidence that they haven't, said Graham Cluley, senior technology consultant at Sophos.

The hackers used an increasingly common form of attack called SQL …

Hackers break into Large Hadron Collider computer

Hackers broke into a computer system at CERN's Large Hadron Collider, targeting a system that was "one step away" from a control computer, but otherwise appear to have done no major damage, according to a report on Friday in the British newspaper The Telegraph.

The system that was breached monitors the Compact Muon Solenoid Experiment, which will be analyzing data during subatomic particle collisions in the particle accelerator located along the French-Swiss border. Experiments, which began on Wednesday, are designed to help scientists explore particle physics theories.

During the attack on Tuesday and Wednesday, hackers left behind …

One of 11 alleged T.J. Maxx hackers pleads guilty

One of the hackers accused of involvement in the massive data breach targeting T.J. Maxx's parent company, arguably the largest security breach worldwide, reportedly pleaded guilty on Thursday.

Damon Patrick Toey pleaded guilty to wire fraud, credit card fraud, and aggravated identity theft, and will be released subject to electronic monitoring, according to a report on the Wall Street Journal's Web site. Eleven defendants in total are facing charges in federal court in Boston.

TJX Companies, the parent company of T.J. Maxx and Marshall's, said in March 2007 that 45.7 million accounts were compromised …