Microsoft Suspends Hotmail Attach-Photo Feature
Microsoft has temporarily suspended the Attach-Photo feature in Hotmail because of security issues. The problem lies in the way the feature interacts with Internet Explorer (IE). Hotmail users can still attach photos to their messages through other methods. Attach-Photo was disabled in late July; Microsoft plans to restore the feature by the end of September. Users complained because they were not notified that the feature would be removed.
http://www.theregister.co.uk/2009/08/21/hotmail_attach_photo_pulled/
http://www.computerworld.com/s/article/9136958/Microsoft_Hotmail_users_angry_over_pulled_photo_feature?source=rss_news
Tuesday, August 25, 2009
Criminal Targeting Smaller US Firms
Cyber Criminals Targeting Smaller US Firms; Get Millions
Organized cyber-gangs in Eastern Europe are increasingly preying on small and mid-size companies in the United States, setting off a multimillion-dollar online crime wave that has begun to worry the nation's largest financial institutions.
The attacks are amazingly simple and the amount of money taken is large. The firms do not know how to protect themselves. In some cases where credit card theft has occurred, they have had to shut down because they lost the ability to process credit cards. Small businesses are being affected greatly by poor security practices. It isn't a risk issue. It is a survival one.
http://www.washingtonpost.com/wp-dyn/content/article/2009/08/24/AR2009082402272.html?hpid=topnews
Wednesday, August 12, 2009
Facebook and Twitter, Spam Campaign?
The denial-of-service attacks that hobbled Twitter and Facebook last week were not conducted through botnets, but instead were the result of a spam campaign aimed at taking out accounts that belong to a pro-Republic of Georgia blogger. The social networking and blogging sites suffered deteriorating service as spam recipients clicked on links that pointed to accounts belonging to the blogger known as Cyxymu. The links pointed to Cyxymu's accounts on YouTube and LiveJournal as well. The blogger has written an open letter asking Russian President Dmitry Medvedev to launch an investigation to find the culprits.
- http://www.theregister.co.uk/2009/08/07/twitter_attack_theory/
- http://www.computerworld.com/s/article/9136379/Security_researchers_zero_in_on_Twitter_hackers
- http://www.theregister.co.uk/2009/08/10/cyxymu_letter_to_medvedev/
- http://news.bbc.co.uk/2/hi/technology/8194395.stm
- http://voices.washingtonpost.com/securityfix/2009/08/twitter_facebook_google_attack.html
Secret, Stubborn Cookies
Researchers from the University of California, Berkeley have reported that more than half of the Internet's websites are using Adobe Flash cookies to track users' behavior and interests, but these cookies are mentioned in just four privacy policies, though other sites mention the use of "tracking technology." Flash cookies differ from regular cookies because they are unaffected by browser privacy controls. Flash cookies are even being used to re-establish cookies for users after those users delete the more familiar cookies. The researchers' report was submitted earlier this week as a comment on the federal government's proposal to re-establish the use of cookies on federal websites. For more information, see:
http://www.wired.com/epicenter/2009/08/you-deleted-your-cookies-think-again/
http://papers.ssrn.com/sol3/papers.cfm?abstract_id=1446862
Tuesday, August 11, 2009
Microsoft Fixes 19 Windows Security Flaws
Microsoft today issued a raft of software updates to plug at least 19 security holes in its various Windows operating systems and other software, 15 of which earned the company's most dire "critical" rating.
This month's batch of patches fixes some fairly dangerous flaws. Redmond labels a security flaw "critical" if attackers could use it to seize control over a vulnerable system without any help from the victim. What's more, a dozen of the flaws earned the highest rating on Microsoft's "exploitability index," which is the software maker's best estimation of the likelihood that criminals will soon develop reliable ways to exploit them to break into Windows-based machines.
Patches are available for Windows 2000, XP, Vista, Windows Server 2003 and Windows Server 2008. Microsoft said none of the vulnerabilities affect Windows 7, its newest operating system. Windows users can download the updates from Windows Update or via Automatic Updates.
Many of the flaws fixed this month stem from faulty ActiveX controls, tiny programs built to work with Internet Explorer that have full access to the Windows operating system. As a result, flaws in ActiveX controls can give hackers extremely powerful tools with which to take over vulnerable systems. In my opinion, ActiveX flaws are among the prime reasons to browse the Web with an alternative browser, such as Firefox or Opera. Indeed, according to Microsoft, all of these ActiveX vulnerabilities can be exploited merely by convincing an Internet Explorer user to visit a hacked or malicious Web site.
At least five of the vulnerabilities are ActiveX flaws associated with a software development "template" or code library that Microsoft makes available to other software makers and uses throughout Windows. Last month, Microsoft issued an emergency update to fix this flawed template, known as an "active template library" or ATL, and the company says attackers are currently exploiting at least one of those ATL flaws.
Today's release also fixes four ActiveX flaws that shipped with most supported versions of Microsoft Office, including Office 2000 Web Components, Office XP, and Office 2003. Microsoft warns that at least one of these Office flaws is actively being exploited online.
Another notable update shipped this month fixes a pair of critical flaws in the way Windows processes .AVI files, meaning attackers could use these vulnerabilities to hijack Windows computers just by getting someone to open a booby-trapped video file.
As usual, please drop a line in the comments if you experience any problems installing these patches, or stability or usability issues after installing them. A breakdown of the vulnerabilities fixed in this month's patch release is available here.
