NEWS - December 21, 2005

By Colin Barker
Special to CNET News.com
Published: December 21, 2005, 8:06 AM PST

Symantec's antivirus software contains a vulnerability that could be exploited by a malicious hacker to take control of a system, the company said late Tuesday.

According to Symantec, the bug, which affects a range of the company's security products, is a "high" risk. Denmark security company Secunia has labeled it "highly critical."

According to an advisory issued by Secunia, the bug affects most of Symantec's products, including enterprise and home user versions of Symantec AntiVirus, Symantec Norton AntiVirus and Symantec Norton Internet Security, across the Windows and Macintosh platforms.

The vulnerability is within Symantec AntiVirus Library, which provides file format support for virus analysis. "During decompression of RAR files, Symantec is vulnerable to multiple heap overflows allowing attackers complete control of the system(s) being protected," said security consultant Alex Wheeler, who first discovered the flaw. "These vulnerabilities can be exploited remotely, without user interaction, in default configurations through common protocols such as SMTP."

more here
http://news.com.com/High+risk+in+Symantec+antivirus+software+flaw/2100-1002_3-6004097.html?tag=html.alert

By Joris Evers
Staff Writer, CNET News.com
Published: December 21, 2005, 12:22 PM PST

Google has fixed a security flaw that had opened the door to phishing scams, account hijacks and other attacks, security researchers said Wednesday.

The flaw, known as a cross-site scripting vulnerability, existed because Google did not properly secure its mechanism for two error pages, according to Web security company Watchfire, which discovered the problem. Watchfire posted to a security mailing list an advisory on the issue.

Attackers could exploit the flaw to launch phishing scams or steal a user's credentials, said Ory Segal, director of security research at Watchfire. Phishing scams are designed to trick people into giving up sensitive information such as usernames, passwords, credit card details and Social Security numbers.

"When we looked at the Google site, we saw that they are very good with their Web application security, but it looked like they forgot about this obscure variant of cross-site scripting," Segal said.

more here
http://news.com.com/Google+plugs+obscure+phishing+holes/2100-1002_3-6004471.html?tag=html.alert

By Joris Evers, CNET News.com
Published on ZDNet News: December 21, 2005, 2:47 PM PT

Don't open media files from sources you don't trust--it may lead to your computer being hacked, a security researcher has warned.

Tom Ferris, an independent security researcher, has provided more details on a security flaw in Apple Computer's popular iTunes and QuickTime software that could put systems running Windows and Mac OS X at risk of attack. He first disclosed the flaw in early December.

more here
http://news.zdnet.com/2100-1009_22-6004635.html?tag=zdnn.alert