vulnerabilities

Adobe to plug Flash hole this week

Adobe Systems said it will issue a patch for a critical hole being exploited in the wild by delivering an update for Flash Player by Thursday, and for Adobe Reader and Acrobat by June 29.

The update of Flash Player 10.x will support Windows, Macintosh, and Linux, while the date for the release of a Solaris version is still to be determined, Adobe said late Monday. Meanwhile, the Adobe Reader and Acrobat update to come in three weeks will support Windows, Mac, and Unix.

Adobe released the advisory late last week and said there had been reports of the …

Adobe patches 'critical' holes in Photoshop CS4

Photoshop users like to expand what the software can do by downloading new brushes, gradients, and color swatches, but the ability to make those additions also turns out to have been a potential avenue for attack.

Adobe Systems on Wednesday released a Photoshop 11.0.2 security update to its earlier CS4 version of Photoshop for both Windows and Mac OS X versions to close off that avenue.

"Critical vulnerabilities have been identified in Photoshop CS4 11.0.1 and earlier for Windows and Macintosh that could allow an attacker who successfully exploits these vulnerabilities to take control of …

Microsoft to fix holes in Windows, Office

Microsoft on Tuesday will issue two critical bulletins that will fix vulnerabilities in Windows and Office, which, if exploited successfully, could allow a remote attacker to take control of the computer, the company said Thursday.

The bulletins, part of the company's monthly Patch Tuesday fixes, affect Windows 2000, XP, Vista, Windows 7, Server 2003 and Server 2008, Office XP, Office 2003, 2007 Microsoft Office System, and Microsoft Visual Basic for Applications and Visual Basic for Applications software development kit. Windows 7 and Server 2008 R2 customers are not vulnerable in their default configurations, however, the company said in a …

Security researchers demo Cisco Wi-Fi flaws

Two generations of Cisco Systems' wireless LAN equipment contain a range of vulnerabilities, researchers said at this week's Black Hat Europe security conference.

Enno Rey and Daniel Mende of German testing firm ERNW demonstrated how to hack into two separate generations of the Cisco Wi-Fi kit. They said that the flaws were fairly easy to find and exploit.

In a presentation called "Hacking Cisco Enterprise WLANs" on Wednesday, the researchers demonstrated an attack aimed at Cisco's first-generation equipment, Cisco Structured Wireless Aware Network (Swan).


Java flaw exposes Windows users to attacks

A vulnerability in Java technology could be exploited by attackers and used to compromise computers running Windows if they visit a Web page hosting malicious code, two researchers warned on Friday.

Google engineer Tavis Ormandy released details on the Full Disclosure e-mail list and Ruben Santamarta, an engineer for Wintercore, wrote about it on his company's blog site.

The problem is with the Java Web Start framework, which allows developers an easy way to create Java applications. Disabling the Java plug-in will not protect against an attack, according to Ormandy.

"The toolkit provides only minimal validation of the …

Mozilla fixes security hole with Firefox 3.6.3

Mozilla released Firefox 3.6.3 on Thursday to close a critical security hole.

The hole, a memory corruption flaw, could have let a remote attacker run arbitrary code on a person's computer. The problem doesn't affect Firefox 3.5 or other earlier versions, Mozilla said.

Mozilla released Firefox 3.6.2 just over a week earlier, also for security reasons.

Update at 7:12 a.m. PDT: The new vulnerability was disclosed at the CanSecWest conference in March, according to a message from Mozilla security team member Dan Veditz.

Virtual PC hole could lead to attacks, security firm says

An unpatched weakness in Microsoft's Virtual PC could leave companies using the virtualization software vulnerable to attack, Core Security Technologies said on Tuesday.

An exploit writer at Core Security discovered the vulnerability in Virtual PC hypervisor and reported it to Microsoft in August 2009, Core Security said in an advisory.

Microsoft indicated that it plans to solve the problem in future updates to the vulnerable products: Microsoft Virtual PC 2007, Windows Virtual PC, and Virtual Server 2005, the advisory says. Microsoft Hyper-V technology is not affected by the problem, Core Security said.

Basically, the hole could allow an attacker …

Microsoft races to plug IE hole after exploit code released

Microsoft said on Friday it is testing a patch to fix a new hole in Internet Explorer 6 and IE 7 following the release of exploit code on the Internet.

With the announcement it seems increasingly likely that the company will be issuing a patch for the hole before the next Patch Tuesday in about four weeks, if the testing of the patch goes quickly.

Microsoft warned about the hole, which it said was being targeted in attacks and could allow an attacker to take control of a computer, in an advisory on Tuesday. The next day, Israeli researcher Moshe …

Microsoft warns of zero-day hole for older Windows

Microsoft warned of a new hole on Monday that could be exploited by attackers to take control of older Windows systems running Internet Explorer and for which proof-of-concept exploit code has been released publicly.

The vulnerability affects Windows 2000-, XP- and Server 2003-based systems. It exists in the way that Visual Basic Scripting, or VBScript, interacts with Windows Help files, Microsoft said in its security advisory. VBScript is an Active Scripting language for executing functions embedded in Web pages.

In an attack scenario, victims would somehow be lured to visit a malicious Web site that displays a specially crafted dialog …