
Apple releases Mac OS X 10.4.10 with security update

Apple today announced Mac OS X 10.4.10 along with a new security update. The updated version 10.4.10 includes fixes for Bluetooth and USB connections, plus several minor enhancements of the operating system. The security update, the sixth in what appears to be a monthly release cycle for 2007, addresses a vulnerability in the IPv6 networking protocol. It affects users of Mac OS X 10.4 and later, and is available from within Mac OS X via the Software Update pane in System Preferences, or from Apple's software downloads page.

Patch for Networking: This patch affects …

Apple issues Apple TV security fix

Apple today issued an update for its Apple TV device. The update fixes the mDNSResponder buffer overflow vulnerability, CVE-2007-2386. This vulnerability was patched last month in Security Update 2007-05 for desktop and laptop users of Apple Mac OS X 10.4 up to 10.4.9.

The Apple TV device will automatically pick up this update during its weekly schedule. Depending on the day that your Apple TV device checks for updates, this process may take up to a week to complete. Should you want the update sooner, it is also possible to force a manual update by using the …

PHP exploit code plants itself in GIF

Security researchers on Tuesday found PHP exploit code embedded in a GIF on a major image hosting site. The exploit code slipped through the proverbial gates with the aid of a legitimate image at the beginning of the file, according to a posting on the Sans Internet Storm Center.

"It is a clever way to pass exploit code to others without it setting off alarms or attracting attention all while bypassing network security tools," the Sans security blog noted.

Malicious attackers planted PHP coded exploit script within an image file. PHP is often used as a programming language …

Let's do this thing

Well, the Macalope's faithful and well-groomed readers know that he doesn't suffer silly punditry lightly. And this may be only his second post over at his new digs (hey, did you check out the fussball table?!), but let's see if he's become a domesticated animal or if he still rolls the way he used to.

Before linking to the piece in question, let's take a look at a quote.

Apple excels in creative and innovative marketing. Often it's what they don't tell you that creates the most buzz. For example, we know next …

Report: French officials skirt BlackBerry limits

Apparently even dire warnings about the threat of snooping by American spies aren't enough to keep some top French government officials from nursing CrackBerry addictions on the sly.

According to a report to be published in Wednesday's edition of the French newspaper Le Monde, bureaucrats continue to lament--and in some cases, quietly ignore--a warning dispatched 18 months ago from the head of France's national defense agency. Reissued recently, the notice reportedly bars certain categories of government officials from using their Research in Motion BlackBerries to circulate sensitive government information.

French security officials are still working on finding …

Dangerous Web sites, strings attached

As the automated Mpack attack continues to turn thousands of legitimate Web sites into compromised sites offering drive-by downloads of malicious software, security researcher Roger Thompson over at Exploit Prevention Labs reminds us there are other exploits compromising legitimate sites, and some are as easy to find as entering a simple search string on Google. For more than a week (starting before the current Mpack attack), Thompson has been posting a list of dangerous search strings on his blog site. I've collected these and indicated in parentheses some of the known exploits associated.

atlas mountains country (WebAttacker 2 or …

Trillian critical security update released

Cerulean Studios on Monday released a "highly critical" security update for its Trillian multi-protocol chat software.

Attackers could exploit vulnerabilities in the character encoding for Trillian 3.1.5.1--specifically, the word-wrapping handling of UTF-8, the Unicode Transformation Format used for encoding characters in e-mail, instant messages and Web pages, iDefense Labs warned in its security advisory. The vulnerabilities potentially could affect earlier versions of the Trillian software as well, iDefense said.

Trillian, which supports Yahoo's Instant Messenger, AOL's AIM, MSN Messenger, and Internet-relay chat and ICQ ("I seek you") instant-messaging protocols, could be …

Congress to grill Homeland Security on cyberweaknesses

A congressional panel that has been none too pleased about various federal agencies' responses to cyber threats plans on Wednesday to put the Department of Homeland Security's chief information officer in the hot seat.

The title of the latest House of Representatives Homeland Security Committee hearing--"Hacking the Homeland: Investigating Cybersecurity Vulnerabilities at the Department of Homeland Security"--suggests another bruising may be on the horizon for CIO Scott Charbo and the oft-criticized agency chiefly responsible for overseeing the nation's cybersecurity efforts.

The event follows an April hearing that focused primarily on cyberattacks involving computers at the State and Commerce Departments. …

What's behind the security acquisition spree?

It must be buying season in the security industry, because there seems to be a new acquisition announced each day. Two recent purchases grabbed my attention. Last week, IBM bought application firewall vendor Watchfire, adding the company to its Rational Software division. Not to be outdone, Hewlett-Packard on Tuesday grabbed application vulnerability tools vendor SPI Dynamics, adding value to another recent addition, Mercury. Why all the activity in the application security space?

1. Web applications are the binary equivalent of Swiss cheese. Many are written rapidly by developers who are paid to add new business logic and meet deadlines. Security …

HP acquires SPI Dynamics

HP today announced its acquisition of SPI Dynamics. The company specializes in Web application security, and SPI Dynamics' technology is already integrated with HP Quality Center software.

According to HP, the acquisition adds quality management services to its software portfolio and builds on its Business Technology Optimization (BTO) strategy.

Privately held SPI Dynamics is headquartered in Atlanta, has 140 employees, and serves more than 1,000 customers in the federal government, financial services, and health care industries. Expected to close in the third quarter of 2007, the acquisition is subject to certain closing conditions. Upon completion, SPI Dynamics will become …