NEWS - September 06, 2012

Apple Releases Fix for Critical Java Flaws

Apple has issued an update for Mac OS X installations of Java that fixes at least two critical security vulnerabilities in the software, including one flaw for which there is already a working exploit in circulation (CVE-2012-4681).

If you own a Mac, take a moment today to run the Software Update application and check if there is a Java update available. Delaying this action could set your Mac up for a date with malware. In April, the Flashback Trojan infected more than 650,000 Mac systems using an exploit for a critical Java flaw.

Java for Mac OS X 10.6 Update 10 and Java for OS X 2012-005 are available for Java installations on OS X 10.6, OS X Lion and Mountain Lion systems, via Software Update or from Apple Downloads.

Apple stopped bundling Java by default in OS X 10.7 (Lion), but it offers instructions for downloading and installing the software framework when users access webpages that use it. The latest iteration of Java for OS X configures the Java browser plugin and Java Web Start to be deactivated if they remain unused for an extended period of time.

Continued : http://krebsonsecurity.com/2012/09/apple-releases-fix-for-critical-java-flaws/.

Also:
Apple Fixes Flaws, Updates Java 6 for OS X
Apple Patches Zero-Day Vulnerability in OS X

See Vulnerabilities & Fixes: Apple Mac OS X update for Java
Comments
Apple denies handing UDIDs over to FBI

As the issue of the million leaked Apple device IDs by the AntiSec hacker group and the alleged existence of a list of over 12 million of those and other personal information belonging to the users gets bigger by the day, the question is will we ever definitely know from where that list was stolen?

The FBI has vehemently denied AntiSec's claim that it was extracted from one of its laptops and that they ever had the information in question in their hands.

Apple has also issued a statement on Wednesday, saying that the agency has never requested this information from Apple, nor did Apple provide it to them or to any other organization.

"Additionally, with iOS 6 we introduced a new set of APIs meant to replace the use of the UDID and will soon be banning the use of UDID," Apple spokeswoman Natalie Kerris pointed out on Wednesday.

Continued : http://www.net-security.org/secworld.php?id=13536

Also:
UDID leak: Apple says it did not provide the list
Apple denies giving device IDs to FBI
Apple plots the end of the UDID, denies sharing them with the FBI

Related: Anonymous Leaks Apple UDIDs Following Alleged Hack of FBI

Feds investigate alleged hacking of Romney's tax returns

"Quite possibly a giant waste of time for the Secret Service, an investigation has been launched into threats of stolen tax returns."

Covered by Venturebeat earlier today, the United States Secret Service is looking into a claim that hackers stole several years worth of Mitt Romney's tax returns from the offices of PriceWaterhouseCoopers in Franklin, Tennessee. Posted on Pastebin earlier this week, the hacking team that allegedly stole Romney's tax returns detailed an account of the theft. According to the account, the thieves gained access to the PriceWaterhouseCoopers office on August 25 through the third floor of the office building. Moving down to the second floor, the group allegedly accessed the PriceWaterhouseCoopers office in question and copied scans of all available Romney tax returns to a USB drive. After leaving the offices, the hacking team allegedly copied the documents onto three USB drives. They had flash drives delivered to the PriceWaterhouseCoopers office as well as the local branches of the Republican and Democratic party.

After the group threatened to release all files to the public on September 28, they posted a follow-up threat on September 4 regarding payment by Bitcoins. Detailed in the second Pastebin post, the group claims to have accessed the network file servers at the Tennessee office of PriceWaterhouseCoopers and copied the tax documents.

Continued : http://www.digitaltrends.com/computing/feds-investigating-alleged-hacking-of-romneys-tax-returns/

Also:
PWC: No evidence of breach in Romney tax return extortion case
Firm has no evidence that Romney's tax returns were stolen
Hacker Claims to Have Mitt Romney's Tax Records, Wants $1 Million in Bitcoins

VUPEN Method Breaks Out of Virtual Machine to Attack Hosts

"Researchers may have figured out a way to break out of a virtual machine and take over the underlying host."

Researchers developed an "advanced exploitation method" which triggered a previously discovered vulnerability in order to escape a Xen virtual machine running on Citrix XenServer and get onto the host machine, Jordan Gruskovnjak, a security researcher at VUPEN Security wrote on the Vulnerability Research Team Blog on Tuesday. The vulnerability was discovered by Rafal Wojtczuk and presented during the recent Black Hat security conference in Las Vegas.

With this method, attackers who have root access on a guest virtual machine running under Xen can take over the host system and be able to execute arbitrary code with appropriate permissions, Gruskovnjak said. Once out of the virtual machine, attackers would be able to access all the other virtual machines running on that hardware.

"By controlling the general purpose registers, it is possible to influence the hypervisor behavior and gain code execution in the hypervisor context, escaping the guest context," Gruskovnjak wrote.

Continued : http://www.securityweek.com/vupen-method-breaks-out-virtual-machine-attack-hosts

Also: Virtual Machine Escape Exploit Targets Xen

Hackers steal names & emails from 400 Sony mobile customers in China

"The Japanese electronics firm said at least one server run by a third-party Chinese company was compromised"

Hackers accessed about 400 names and email addresses of Sony mobile customers in China and Taiwan, but the electronics giant insists that no credit card or banking information was compromised.

The company said it began investigating immediately after a message was posted on the popular text-sharing website Pastebin on September 3 by a group called "NullCrew," claiming to have accessed Sony servers and listing logins and email addresses. Sony said Thursday it had confirmed details of the breach.

Sony said the information was taken from at least one server run by a third-party service provider based in China. The company is still investigating the details of the breach, but it appears no servers operated directly by Sony were compromised, company spokesman Hiroshi Okubo said.

The information was on customers of Sony Mobile Communications, the company's mobile arm, in the Asian countries.

The message posted on Pastebin on September 3 claims to have hacked Sony Mobile and lists hundreds of what appear to be login IDs and email addresses from the company's site.

Continued : http://news.techworld.com/security/3379586/hackers-steal-names-emails-from-400-sony-mobile-customers-in-china/

Also: Sony Mobile Confirms 400 Users' Data Stolen
Huawei Calls for Global Security Standards
Huawei, the Chinese telecom giant subject to an investigation on Capitol Hill looking into their alleged ties to the PLA, has published a report on cyber security perspectives. The report is a mix of company promotion, as well as an indirect answer to Congress' claims.

Written by John Suffolk, Huawei's global cyber security officer, the report is labeled an "open and frank perspective of Huawei's viewpoints regarding cyber security."

Huawei has consistently denied claims that they are involved in corporate or government-sponsored espionage, and claims that their technologies pose a risk to critical infrastructure.

In 2011, the US Commerce Department blocked them from bidding on a contract to build a national wireless network for first responders, citing national security concerns. Moreover, the Pentagon has repeatedly singled out Huawei as a company that maintains close ties to the People's Liberation Army.

"...not a day goes by that we do not read or hear politically - or competitor-inspired negative commentary about cyber security," the report notes.

Continued : http://www.securityweek.com/huawei-calls-global-security-standards

Also: Huawei Denies Stealing State Secrets or Supporting Cyber Espionage
Malicious FB Timeline Remover plugins still tricking users

It is a well-known fact that some Facebook users simply can't stand the (relatively) new Timeline interface and have actively sought ways to revert their accounts to the old "look".

This fact hasn't escaped the notice of online scammers, who rushed to offer bogus apps and plugins that they claimed could do it, but only served to make users fill out surveys or share personal information.

With time, the users got wiser and stopped falling for these schemes - or so it seems at first.

Researchers from Barracuda Networks have decided to analyze six of these plugins offered on the Google Chrome Web store.

They all have some version of the words "Timeline" and "Remove" in their names, but a closer look showed that half of them also asked permission to access the users' data on Facebook and to their tabs and browsing activity, while the other three went even further and asked for permission to access the users' data on all websites they visit.

Continued : http://www.net-security.org/secworld.php?id=13537
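The permissions the Barracuda researchers noticed are declared in an extension's manifest.json, so a reader can check a Chrome extension the same way before installing it. The script below is an added illustration, not code from the article or from Barracuda Networks: it parses a manifest and reports the three kinds of access the post mentions (tabs and browsing activity, the user's data on Facebook, and data on every website visited). The two manifests it audits are constructed samples for the demo and do not correspond to any real extension; the Chrome permission names and match-pattern syntax are the documented ones.

```python
"""Flag over-broad permissions in a Chrome extension manifest.

Added illustration (not code from the article or the Barracuda Networks
research): parse a manifest.json and report permissions granting the kinds
of access a cosmetic "Timeline remover" has no business asking for.
"""
import json

# API permissions whose presence is worth flagging in a cosmetic extension.
SENSITIVE_API_PERMISSIONS = {
    "tabs": "can read the URL and title of every open tab (browsing activity)",
    "webRequest": "can observe network requests made by the browser",
    "cookies": "can read site cookies, including session cookies",
    "history": "can read full browsing history",
}

# Host patterns that mean "every website" in Chrome match-pattern syntax.
ALL_SITES_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def classify_host_pattern(pattern):
    """Return a risk description for a host match pattern, or None if it is unremarkable."""
    if pattern in ALL_SITES_PATTERNS:
        return "can read and change data on all websites"
    if "://" in pattern:
        # scheme://host/path -> host, with a leading "*." wildcard stripped
        host = pattern.split("://", 1)[1].split("/", 1)[0]
        if host.startswith("*."):
            host = host[2:]
        if host == "facebook.com" or host.endswith(".facebook.com"):
            return "can read and change the user's data on Facebook"
    return None


def audit_manifest(manifest_text):
    """Parse a manifest.json string and return a list of (permission, reason) findings."""
    manifest = json.loads(manifest_text)
    # Manifest V2 mixes API and host permissions in "permissions";
    # Manifest V3 lists hosts separately under "host_permissions".
    requested = list(manifest.get("permissions", [])) + list(manifest.get("host_permissions", []))
    findings = []
    for perm in requested:
        if perm in SENSITIVE_API_PERMISSIONS:
            findings.append((perm, SENSITIVE_API_PERMISSIONS[perm]))
            continue
        reason = classify_host_pattern(perm)
        if reason:
            findings.append((perm, reason))
    # Content scripts also get the DOM of every page their "matches" cover,
    # even when no host permission is declared.
    for script in manifest.get("content_scripts", []):
        for pattern in script.get("matches", []):
            reason = classify_host_pattern(pattern)
            if reason:
                findings.append((pattern, reason + " (via content script)"))
    return findings


# Constructed sample manifests (not real extensions).
MODEST_MANIFEST = json.dumps({
    "name": "Timeline Remover (constructed sample)",
    "manifest_version": 2,
    "permissions": ["storage"],
    "content_scripts": [{"matches": ["*://*.facebook.com/*"], "js": ["style.js"]}],
})

GREEDY_MANIFEST = json.dumps({
    "name": "Timeline Remover Plus (constructed sample)",
    "manifest_version": 2,
    "permissions": ["tabs", "*://*.facebook.com/*", "<all_urls>"],
})

if __name__ == "__main__":
    for text in (MODEST_MANIFEST, GREEDY_MANIFEST):
        name = json.loads(text)["name"]
        findings = audit_manifest(text)
        print(f"{name}: {len(findings)} finding(s)")
        for perm, reason in findings:
            print(f"  {perm!r}: {reason}")
```

A Timeline restyler legitimately needs a content script on facebook.com, so the first sample yields exactly one finding; the second sample reproduces the pattern the article describes, asking for tabs and for every site the user visits, and is the one a user should decline.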
