Adobe has released its second quarterly security update, which addresses 29 vulnerabilities in its Reader and Acrobat products. Exploitation of the majority of these flaws could result in arbitrary code execution, and one of them has been actively targeted in Web attacks since last week. On October 8, Adobe announced that an unpatched vulnerability affecting the latest versions of Adobe Reader and Acrobat was being exploited in the wild via maliciously crafted PDF files. This flaw, identified as CVE-2009-3459, has now been patched in the newly released Adobe Reader/Acrobat 9.2.0, 1.8.7 and 7.1.4, respectively. Ten other confirmed arbit...

Attackers are exploiting a zero-day vulnerability in the latest versions of Adobe's Reader and Acrobat products to compromise computers. The company recommends disabling JavaScript as a temporary solution until a patch is shipped on October 13. The vulnerability, identified as CVE-2009-3459, can be used to remotely execute arbitrary code on a computer running the latest Windows flavor of Adobe Reader or Acrobat (9.1.3). In order to exploit it, attackers have to trick users into opening maliciously crafted PDF files. Adobe credits Chia-Ching Fang and the Taiwanese Information and Communication Security Technology Service Center with the d...

A forged SSL certificate that could allow an attacker to trick users of IE, Safari or Chrome on Windows into thinking that a fake PayPal page is legitimate has been publicly released. The cert exploits a yet-to-be-patched null byte poisoning vulnerability in Microsoft's CryptoAPI. A few months back, during the Black Hat security conference, a security researcher named Moxie Marlinspike demonstrated a proof-of-concept man-in-the-middle attack used on a null-prefix certificate. Such a certificate contains a null byte character \0 in the name of the host it was issued for. In programming, this character is employed to terminate a str...

A Symantec blog post that belittles Microsoft's new free security offering, called Microsoft Security Essentials, was not received too well by users. Meanwhile, other security experts had a more moderate or even favorable opinion of the product. In case you haven't heard yet, a few days ago, the Redmond-based company officially released a free antivirus solution named Microsoft Security Essentials (MSE). Our software review department already had a run with it and gave it a 5-star rating. And even though the details of this test are beyond the scope of this article, please feel free to read them. What compelled us to write this piec...

Multiple vulnerabilities discovered in the website of a UK-based company called OnlineFX, which conducts foreign exchange services, can be exploited to extract highly sensitive data from the underlying database. Credit card details and customer information are possibly compromised. According to its own website, OnlineFX is a financial company based in central London and offers foreign currency exchange at low rates, bank money transfers to over 70 countries, as well as IT, marketing and corporate services. The onlinefx.co.uk flaws were disclosed by Romanian grey hat hacker Unu, who specializes in finding SQL injection vulnerabilities in high...

Using independently developed tools that scan tweets for threats, security researchers from Kaspersky and Trend Micro concluded that the micro-blogging platform has become a popular attack vector. The number of malicious URLs identified on Twitter suggests that the problem is slowly but surely getting worse. Because the results of their independent research into the Twitter attacks problem were almost identical, Costin Raiu, chief security expert with Kaspersky Lab's Global Research & Analysis Team, and Morton Swimmer, advanced threat researcher at Trend Micro, have decided to give a joint presentation of their findings during the Vir...

Users of the LiveJournal blogging platform were the target of a malicious attack on Tuesday, when a social networking worm that spread by simply viewing an infected post was released on the website. The malware stole email addresses and made private blog entries accessible to everyone. The LiveJournal staff has posted a detailed announcement describing the attack, which is said to have lasted less than two hours. As a result, the ability to embed video files into blog entries has been suspended, but has since been restored for a few trusted services such as YouTube. The social networking worm propagated through an embedded Flash v...

A security researcher has exposed a vulnerable Yahoo Web service that has been abused by spammers to enumerate valid Yahoo! IDs or brute-force login credentials for years. The attacks are possible because the company failed to apply the same security checks to the API as it did to the webmail interface. Ryan Barnett, the director of application security research at Breach Security, has detected the intriguing brute force during his work as leader of the Web Application Security Consortium's (WASC) Distributed Open Proxy Honeypot Project. This project allows researchers to monitor attacks that make use of open proxies by deploying a fe...

A report (PDF) released by a cyber-intelligence company called Cyveillance suggests that the antivirus industry is failing to keep up with the cybercriminal enterprise and the threats that are most likely to affect Web users. The anti-phishing protection included by default in modern browsers was found to be similarly inadequate. Cyveillance is a cyber-intelligence gathering company based in Arlington, VA, which monitors the Internet for various attacks and threats. According to its own account, the company is "collecting information from more than 200 million unique domain name servers and 150 million unique Web sites." The company was ac...

The Romanian authorities are undertaking a massive effort to dismantle cybercriminal groups operating in the country. During the last ten days, two series of arrests and raids related to credit-card fraud were performed in major Romanian cities. On September 9, the Romanian Direction for Investigating Organized Crime and Terrorism (DIICOT) announced that criminal charges were brought against 22 people for forming an organized crime group specialized in access-device fraud, wire fraud and money laundering. The gang was based in the Timis county, western Romania, but some of its members also operated abroad. The fraudsters are said to have r...