vulnerability

Microsoft on Tuesday will issue two critical bulletins that will fix vulnerabilities in Windows and Office, which if exploited successfully, could allow a remote attacker to take control of the computer, the company said Thursday.

The bulletins, part of the company's monthly Patch Tuesday fixes, affect Windows 2000, XP, Vista, Windows 7, Server 2003 and Server 2008, Office XP, Office 2003, 2007 Microsoft Office System, and Microsoft Visual Basic for Applications and Visual Basic for Applications software development kit. Windows 7 and Server 2008 R2 customers are not vulnerable in their default configurations, however, the company said in a … Read more

Two generations of Cisco Systems' wireless LAN equipment contain a range of vulnerabilities, researchers said at this week's Black Hat Europe security conference.

Enno Rey and Daniel Mende of German testing firm ERNW demonstrated how to hack into two separate generations of the Cisco Wi-Fi kit. They said that the flaws were fairly easy to find and exploit.

In a presentation called "Hacking Cisco Enterprise WLANs" on Wednesday, the researchers demonstrated an attack aimed at Cisco's first-generation equipment Cisco Structured Wireless Aware Network (Swan).

Read more of "Security researchers demo Cisco Wi-Fi flaws" at … Read more

A vulnerability in Java technology could be exploited by attackers and used to compromise computers running Windows if they visit a Web page hosting malicious code, two researchers warned on Friday.

Google engineer Tavis Ormandy released details on the Full Disclosure e-mail list and Ruben Santamarta, an engineer for Wintercore, wrote about it on his company's blog site.

The problem is with the Java Web Start framework, which allows developers an easy way to create Java applications. Disabling the Java plug-in will not protect against an attack, according to Ormandy.

"The toolkit provides only minimal validation of the … Read more

Mozilla released Firefox 3.6.3 on Thursday to close a critical security hole.

The hole, a memory corruption flaw, could have let a remote attacker run arbitrary code on a person's computer. The problem doesn't affect Firefox 3.5 or other earlier versions, Mozilla said.

Mozilla released Firefox 3.6.2 just over a week earlier, also for security reasons.

Update at 7:12 a.m. PDT: The new vulnerability was disclosed at the CanSecWest conference in March, according to a message from Mozilla security team member Dan Veditz.

An unpatched weakness in Microsoft's Virtual PC could leave companies using the virtualization software vulnerable to attack, Core Security Technologies said on Tuesday.

An exploit writer at Core Security discovered the vulnerability in Virtual PC hypervisor and reported it to Microsoft in August 2009, Core Security said in an advisory.

Microsoft indicated that it plans to solve the problem in future updates to the vulnerable products: Microsoft Virtual PC 2007, Windows Virtual PC, and Virtual Server 2005, the advisory says. Microsoft Hyper-V technology is not affected by the problem, Core Security said.

Basically, the hole could allow an attacker … Read more

Microsoft said on Friday it is testing a patch to fix a new hole in Internet Explorer 6 and IE 7 following the release of exploit code on the Internet.

With the announcement it seems increasingly likely that the company will be issuing a patch for the hole before the next Patch Tuesday in about four weeks, if the testing of the patch goes quickly.

Microsoft warned about the hole, which it said was being targeted in attacks and could allow an attacker to take control of a computer, in an advisory on Tuesday. The next day, Israeli researcher Moshe … Read more

Microsoft warned of a new hole on Monday that could be exploited by attackers to take control of older Windows systems running Internet Explorer and for which proof-of-concept exploit code has been released publicly.

The vulnerability affects Windows 2000-, XP- and Server 2003-based systems. It exists in the way that Visual Basic Scripting, or VBScript, interacts with Windows Help files, Microsoft said in its security advisory. VBScript is an Active Scripting language for executing functions embedded in Web pages.

In an attack scenario, victims would somehow be lured to visit a malicious Web site that displays a specially crafted dialog … Read more

Adobe issued a fix on Tuesday for a critical vulnerability in its Download Manager program that could be used by an attacker to download malware onto a user's PC.

People who downloaded Adobe Reader for Windows from Adobe's Reader download site or Flash Player for Windows from Adobe's Flash Player site prior to the release of the security bulletin on Tuesday are vulnerable, the company said. The issue is resolved for any new downloads of Reader and Flash Player from those sites.

Download Manager is a tool that helps users efficiently download files from Web servers. It … Read more

Microsoft is warning customers of a hole in the kernel of 32-bit versions of Windows that could allow someone to install programs, change data, or create new accounts with full user rights.

The vulnerability, caused by the Windows kernel not properly handling certain exceptions, affects 32-bit versions of Windows 7, Vista, XP, 2000, and Server 2003 and 2008, according to the security advisory released on Wednesday night. It does not affect 64-bit versions of Windows.

"We are not currently aware of any active attacks against this vulnerability, and Microsoft believes the risk to customers, at this time, is limited,&… Read more