NEWS - October 13, 2010

Java Update Clobbers 29 Security Flaws

Oracle today released a critical update to its widely-installed Java software, fixing at least 29 security vulnerabilities in the program.

Most consumers on Microsoft Windows PCs will have some version of Java installed (if you're not sure whether you have Java or what version might be installed, click this link). Existing users can grab the latest version - Java 6 Update 22 - by visiting the Windows Control Panel, clicking on the Java icon, and then selecting the "Update Now" button on the "Update" tab. If you don't already have this software, I recommend that you keep it that way.

Per Oracle's advisory, updates are available for Windows, Solaris and Linux versions of Java. Apple maintains its own version of Java for OS X systems, and typically issues fixes for its version several months after the official Java release.

Be aware that Java's updater may by default also include free "extras" that you may not want, such as the Yahoo! Toolbar or whatever other moneymaker they decide to bundle with their software this time around, so be sure to de-select that check box during installation if you don't want the add-ons.

http://krebsonsecurity.com/2010/10/java-update-clobbers-29-security-flaws/

Comments
Microsoft Will Look to Courts for Botnet Takedowns

Microsoft has seen a dramatic drop in the number of computers infected with Waledac, a piece of malicious software affiliated with a botnet that was once responsible for a massive amount of spam.

In the second quarter of this year, the company cleaned only 29,816 computers infected with Waledac, down from 83,580 computers in the first quarter of the year. Microsoft published the statistic in its latest biannual Security Intelligence Report released on Wednesday.

The drop in the number of infected machines shows the success of the legal action Microsoft took earlier in the year, said Adrienne Hall, general manager for Microsoft's Trustworthy Computing group.

Waledac was used to send spam and infect computers with fake antivirus software. It used a complicated peer-to-peer system to communicate with other infected machines.

Microsoft's legal moves against Waledac were unprecedented. The company was granted a rare ex parte temporary restraining order (TRO) to shut down malicious domain names that Waledac's controllers used to communicate with infected machines.

Going to court "gives you a blanket way to put on notice that you are going to look into the perpetrators," Hall said.

http://news.yahoo.com/s/pcworld/20101013/tc_pcworld/microsoftwilllooktocourtsforbotnettakedowns

See : Microsoft Security Intelligence Report (SIR)

Report Related:
Small but lethal Lethic is biggest junk mail villain
U.S. Reigns As Most Bot-Infected Country

Microsoft tool now roots out Zeus malware

"MSRT detection could help the 45 percent of Zeus-infected machines that don't have current antivirus"

Two weeks after law enforcement broke up one of the criminal gangs behind the Zeus malware, Microsoft has taken steps to make it harder for criminals to install the software on PCs.

On Tuesday, Microsoft started detecting Zeus with its Malicious Software Removal Tool (MSRT) - a widely used virus removal program that's free for Windows users. That should make it harder for the many criminals who use Zeus to keep running their software on computers that don't have antivirus software installed - often an easy target up until now.

According to a September 2009 study by security vendor Trusteer, 45 percent of Zeus-infected machines have either no antivirus software or an out-of-date product (pdf). On the other hand, Zeus has been effective at avoiding the type of detection that Microsoft is now adding to its MSRT. According to that same report, 55 percent of Zeus infections were on machines that did have working antivirus programs installed.

Continued:
http://www.networkworld.com/news/2010/101310-microsoft-tool-now-roots-out.html

From the Microsoft Malware Protection Center: MSRT on Zbot, the botnet in a box

Think Your Twitter DM Is Private? Think Again

Twitter has established itself as a means of broadcasting information to a wide group of people all at once. But, for those times where you want to talk more intimately, Twitter also has the ability to send a Direct Message (DM) that is private between the two parties. Well, it's supposed to be private, but the reality is perhaps not as secretive as one might expect.

Every 140-character nugget of wisdom you tweet will be fed to anyone who follows your Twitter account, and is also publicly searchable by default. So, if you tweet "Getting sushi for lunch today, who's in?" your Twitter followers will instantly see the message in their Twitter feed, and anyone else that searches based on keywords like "sushi" or "lunch" might also uncover your tweet.

Your intended recipient may not be the only one capable of viewing the private DMs between the two of you. However, if you want to go out for sushi for lunch with your best friend, and you don't necessarily want the rest of the world to know about it, or feel as if they have been invited by proxy to join the party, you probably shouldn't send the tweet to the whole Twitterverse. Instead, send your friend a DM.

http://www.pcworld.com/businesscenter/article/207710/think_your_twitter_dm_is_private_think_again.html

Creative Commons offers "Public Domain Mark" logo

[Screenshot: Logo]

The non-profit group Creative Commons is offering a Public Domain Mark (see above) for use on documents and files to declare them copyright-free.

Creative Commons' description: "Using the Public Domain Mark, you can mark a work that is free of known copyright restrictions and clearly convey that status. When applied properly, the PDM allows the work to be easily discovered, and provides valuable information about the work."

Creative Commons is a nonprofit corporation "dedicated to making it easier for people to share and build upon the work of others, consistent with the rules of copyright."

As Posted @ the Sunbelt Blog

Facebook introduces one-time passwords

"Users of sketchy PCs, take note"

Facebook began rolling out a new service on Tuesday that allows people using public computers to log into the site without having to enter their regular password.

Instead, users can log in with a one-time password that, upon request, Facebook zaps to their mobile phones. The temporary access code is good for 20 minutes only. The new feature is designed to prevent account compromises that result when credentials are entered into machines that have been compromised by keyloggers and similar types of malware.

"We're launching one-time passwords to make it safer to use public computers in places like hotels, cafes or airports," Jake Brill, a Facebook product manager, blogged here. "If you have any concerns about security of the computer you're using while accessing Facebook, we can text you a one-time password to use instead of your regular password."

http://www.theregister.co.uk/2010/10/13/facebook_one_time_passwords/

Also : Facebook Tightens Security with One-Time Passwords
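The post above describes the defensive idea behind the feature: a code delivered out of band, valid for 20 minutes and usable once, so that a keylogger on a public PC captures only a value that is spent or about to expire. The following is an added illustration of that design, not Facebook's code and not taken from the articles linked here; the class and method names, the 8-digit code format, the server-side hashing of the code, the 5-attempt lockout and the injectable clock are all my own assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Validity window stated in the post: 20 minutes.
OTP_TTL_SECONDS = 20 * 60
# Assumed cap on wrong guesses before the code is discarded (not from the post).
MAX_ATTEMPTS = 5


@dataclass
class IssuedOtp:
    code_hash: bytes      # only a hash of the code is kept server-side
    expires_at: float     # absolute time after which the code is dead
    attempts: int = 0     # wrong guesses so far
    used: bool = False    # set once the code has been accepted


class OneTimePasswordService:
    """Issues and verifies short-lived, single-use login codes.

    Assumed design for illustration: the code is sent to the user's phone
    (out of band), so whatever a keylogger on the public PC records is a
    value that cannot be replayed and expires on its own.
    """

    def __init__(self, clock: Callable[[], float] = time.time,
                 ttl: float = OTP_TTL_SECONDS) -> None:
        self._clock = clock          # injectable so expiry can be tested
        self._ttl = ttl
        self._pending: Dict[str, IssuedOtp] = {}

    @staticmethod
    def _digest(code: str) -> bytes:
        return hashlib.sha256(code.encode("utf-8")).digest()

    def issue(self, user_id: str) -> str:
        """Create a fresh code for user_id; any earlier pending code is replaced."""
        code = f"{secrets.randbelow(10 ** 8):08d}"   # 8 random decimal digits
        self._pending[user_id] = IssuedOtp(
            code_hash=self._digest(code),
            expires_at=self._clock() + self._ttl,
        )
        return code   # to be delivered to the phone, never shown on the public PC

    def verify(self, user_id: str, submitted: str) -> bool:
        """Accept the code at most once, only inside its validity window."""
        entry: Optional[IssuedOtp] = self._pending.get(user_id)
        if entry is None or entry.used:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[user_id]        # expired: drop it
            return False
        # Constant-time comparison of hashes, so timing does not leak digits.
        if hmac.compare_digest(self._digest(submitted), entry.code_hash):
            entry.used = True                 # replaying a captured code now fails
            return True
        entry.attempts += 1
        if entry.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]        # too many guesses: force a re-issue
        return False


def demo() -> bool:
    """Issue a code, accept it once, and show that a replay is rejected."""
    svc = OneTimePasswordService()
    code = svc.issue("alice")
    first = svc.verify("alice", code)
    replay = svc.verify("alice", code)
    return first and not replay


if __name__ == "__main__":
    print("single-use behaviour holds:", demo())
```

The clock is passed in rather than read from `time.time()` directly so the expiry path can be exercised deterministically; in a real deployment the pending table would live in a shared store with the same expiry semantics, and the code would be sent over the SMS channel the post mentions.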

Former US Official: Invest in Secure Internet Protocols

The state of security on the Internet has become so dire that research is needed in next-generation protocols, a former senior White House official for cybersecurity said on Wednesday.

Developing those protocols would be a better use of research money than investing in the next Xbox game system, said Richard A. Clarke, who served as a special advisor to president George W. Bush on cyber issues and now teaches at Harvard University's Kennedy School for Government.

Clarke wasn't taking an intentional jab at Microsoft per se, but during a 45-minute presentation at the RSA security conference in London on Wednesday, he outlined some of the major issues affecting Internet security, including the concepts of cyberwarfare, cyberespionage and the proliferation of highly effective malicious software programs such as Stuxnet.

Stuxnet, which appears intended to manipulate SCADA (supervisory control and data acquisition) systems made by Siemens, used four different zero-day vulnerabilities. Stuxnet was a "narrowly targeted" guided missile, Clarke said.

http://www.pcworld.com/businesscenter/article/207652/former_us_official_invest_in_secure_internet_protocols.html