Spyware, Viruses, & Security forum


NEWS - October 17, 2012

by Carol~ Forum moderator / October 17, 2012 2:20 AM PDT
Critical Java Patch Plugs 30 Security Holes

Oracle on Tuesday pushed out a bevy of security patches for its products, including an update to Java that remedies at least 30 vulnerabilities in the widely-used program.

The latest versions, Java 7 Update 9 and Java 6 Update 37, are available either through the updater built into Java (accessible from the Windows control panel), or by visiting Java.com. If you're not sure which version you have or whether you've got the program installed at all, click the "Do I have Java" link below the red download button on the Java homepage.

Apple maintains its own version of Java. Given the rapidity with which they have followed Oracle's Java updates (ever since April 2012, when the Flashback worm used an unpatched Java flaw to infect more than 650,000 Macs), I would expect Apple to have an update ready soon.

Broken record alert: If you need Java, update it now. Cyber thieves and malware love to use unpatched Java holes to break into systems, and miscreants are always looking for new Java exploits to use. If you don't need Java, uninstall it; you can always reinstall it later.

If you need it for a specific Web site, I'd suggest unplugging it from the browser and adopting a two-browser approach. For example, if you normally browse the Web with Firefox, for example, consider disabling the Java plugin in Firefox, and then using an alternative browser (Chrome, IE9, Safari, etc.) with Java enabled to browse only the site that requires it.

Continued : http://krebsonsecurity.com/2012/10/critical-java-patch-plugs-30-security-holes/

Related:
Stormy October patch day for Oracle
Oracle patches 109 vulnerabilities
Oracle Leaves Fix for Java SE 0-Day Until Feb Patch Update
by Carol~ Forum moderator / October 17, 2012 2:34 AM PDT

Oracle will not patch a critical sandbox escape vulnerability in Java SE versions 5, 6 and 7 until its February Critical Patch Update, according to the researcher who discovered the flaw. Adam Gowdiak of Polish security firm Security Explorations told Threatpost via email that Oracle said it was deep into testing of another Java patch for the October CPU released yesterday and that it was too late to include the sandbox fix.

Gowdiak said he plans to present technical details on the flaw Nov. 14 at the Devoxx Java Community Conference in Belgium. His team did share a technical description of the issue and source and binary codes of proof-of-concept exploit code.

The vulnerability and exploit were announced in late September. Gowdiak's exploit successfully beat a fully patched Windows 7 computer running Firefox 15.0.1, Chrome 21, Internet Explorer 9, Opera 12 and Safari 5.1.7. The exploit relies on a user landing on a site hosting the exploit; an attacker would use a malicious Java applet or banner ad to drop the malware and ultimately have full remote control of a compromised machine.

Oracle did not respond to a request for comments.

Continued : https://threatpost.com/en_us/blogs/oracle-leaves-fix-java-se-zero-day-until-february-patch-update-101712

Computer Viruses "Rampant" on Medical Devices in Hospitals
by Carol~ Forum moderator / October 17, 2012 5:06 AM PDT

"A meeting of government officials reveals that medical equipment is becoming riddled with malware."

Computerized hospital equipment is increasingly vulnerable to malware infections, according to participants in a recent government panel. These infections can clog patient-monitoring equipment and other software systems, at times rendering the devices temporarily inoperable.

While no injuries have been reported, the malware problem at hospitals is clearly rising nationwide, says Kevin Fu, a leading expert on medical-device security and a computer scientist at the University of Michigan and the University of Massachusetts, Amherst, who took part in the panel discussion.

Software-controlled medical equipment has become increasingly interconnected in recent years, and many systems run on variants of Windows, a common target for hackers elsewhere. The devices are usually connected to an internal network that is itself connected to the Internet, and they are also vulnerable to infections from laptops or other devices brought into hospitals. The problem is exacerbated by the fact that manufacturers often will not allow their equipment to be modified, even to add security features.

Continued : http://www.technologyreview.com/news/429616/computer-viruses-are-rampant-on-medical-devices/

Related:
Medical Device Security in Need of Major Upgrade
Pacemaker hack can deliver deadly 830-volt jolt

Spoofed WebEx, PayPal Emails Lead to Rogue Flash Update
by Carol~ Forum moderator / October 17, 2012 5:06 AM PDT

TrendLabs Malware Blog:

Without verifying its legitimacy, users who may be anticipating a WebEx conference are at risk of downloading variants of a notorious info stealing malware.

Last week, we received two spoofed emails that redirect users to a fake Adobe Flash Player update. These messages use different approaches to lure users into downloading the malicious file update_flash_player.exe (detected as TSPY_FAREIT.SMC).

The first email is disguised as a WebEx email containing an HTM attachment. Once users execute this attachment, they are led to a malicious site hosting TSPY_FAREIT.SMC. Employees may be tricked into opening this as it appears to be an alert coming from a business tool they often use. The second sample, on the other hand, is a spoofed PayPal email that features transaction details. Curious users who click these details are then directed to the webpage hosting the rogue Flash update file.

[Screenshot: Spoofed WebEx Email] - [Screenshot: Spoofed PayPal Email]

The said site in question is a spoofed Adobe Flash Player update. To the undiscerning eye, this site may pass off as the real Adobe Flash Player website as it is an exact copy of the legitimate Adobe site. But looking closer into the site's address reveals that it is everything but authentic.

Continued : http://blog.trendmicro.com/trendlabs-security-intelligence/spoofed-webex-paypal-emails-lead-to-rogue-flash-update/

Apple resumes User Tracking with iOS 6. How to disable it.
by Carol~ Forum moderator / October 17, 2012 5:06 AM PDT

Apple got caught with its hand in the cookie jar when privacy experts protested the use of a universal device identifier, or UDID, to track the online preferences of iPhone and iPad users.

The problems with that model became all too apparent after hackers compromised systems belonging to digital media firm Bluetoad and made off with close to a million device IDs.

Enough is enough, right? Well, maybe not.

It looks like device tracking is back with iOS 6, courtesy of a new tracking technology: IDFA, or identifier for advertisers.

Like the UDID, the IDFA uniquely identifies your Apple device.

Websites that you browse with your iPhone or iPad device can request the IDFA. Unlike UDID, however, the IDFA can't be traced back to individuals; it merely links a pattern of online behavior with a specific device.

Continued : http://nakedsecurity.sophos.com/2012/10/17/how-to-disable-apple-ios-user-tracking-ios-6/

Report: Steam poses security risk
by Carol~ Forum moderator / October 17, 2012 5:20 AM PDT

Security firm ReVuln has analysed the browser protocol that Steam servers use to execute commands via users' browsers. During the analysis, the company's researchers discovered security issues that could potentially allow attackers to infect PCs with malicious code such as spyware.

Among other things, Valve's Steam platform is used to distribute games and also functions as a central hub of the company's digital rights management concept. During installation, it registers the steam:// URL protocol which is capable of connecting to game servers and launching games, for example via: steam://run/id/language/url_encoded_parameters

In the simplest case, an attacker can use this to interfere with the parameters that are submitted to the program. For example, the Source engine's command line allows users to select a specific log file and add items to it. The ReVuln researchers say that they successfully used this attack vector to infect a system via a batch file that they had created in the autostart folder. Popular games such as Half-Life 2 and Team Fortress 2 use the Source engine and are distributed through Valve's Steam platform. In the even more popular Unreal engine, the researchers also found a way to inject and execute arbitrary code. Potential attackers would, of course, first have to establish which games are installed on the target computer.

Continued : http://www.h-online.com/security/news/item/Report-Steam-poses-security-risk-1731562.html

Also: Steam vulnerability can lead to remote insertion of malicious code

Facebook partners with Panda Security
by Carol~ Forum moderator / October 17, 2012 5:21 AM PDT

Panda Security signed a collaboration agreement with Facebook to protect users. Facebook users will be able to download a free 6-month version of Panda Internet Security 2013 from the AV Marketplace. Additionally, both companies will share their databases of malicious URLs to protect users while surfing the Web.

"Starting today, the people who use Facebook will be able to benefit from Panda's software and technology with their malicious URL data and inclusion in the AV Marketplace. We look forward to better protecting the people who use our service with this partnership," explains Joe Sullivan, Facebook CSO.

Panda Internet Security 2013 is specifically designed to protect users' identity while using social networking sites and other Internet services. Its Panda Safe Browser module is particularly useful for users who want to preserve their privacy and security.

Continued : http://www.net-security.org/secworld.php?id=13787
