DP's Security Bits

According to the report, which was developed by the IBM Internet Security Systems (ISS) X-Force® research and development team, there were 7,247 new vulnerabilities recorded and analyzed by the X-Force in 2006, which equates to an average of 20 new vulnerabilities per day. This total represents a nearly 40 percent increase over what ISS reported in 2005. Over 88 percent of 2006 vulnerabilities could be exploited remotely, and over 50 percent allowed attackers to gain access to a machine after exploitation.

Continues

Priceline, Travelocity, and Cingular, three high-profile companies that advertised through nuisance adware programs have agreed to pay fines and reform their practices, according to the New York Attorney General.

“Advertisers will now be held responsible when their ads end up on consumers’ computers without full notice and consent,” Andrew Cuomo said. “Advertisers can no longer insulate themselves from liability by turning a blind eye to how their advertisements are delivered, or by placing ads through intermediaries, such as media buyers. New Yorkers have suffered enough with unwanted adware programs and this agreement goes a long way toward clamping down on this odious practice.”

Story

The security research firm known that first came to prominence in 2001 after having discovered the gaping security hole in Microsoft Internet Information Services exploited by the worm it dubbed "Code Red," has thrown its hat all the way into the security software ring. This morning, eEye becomes an anti-virus company, going to bat against Symantec and McAfee, and integrating Norman anti-virus technology into its Blink Professional security suite.

BetaNews 

BitDefender®, an award-winning provider of antivirus software and data security solutions, announced the availability of BitDefender v10 security solutions for Microsoft Windows Vista based on 32bit. Available through BitDefender’s web site BitDefender Internet Security v10, AntiVirus Plus v10 and AntiVirus v10 offers solutions with a wide range of protection created for different needs in the consumer and SMB segment. By now fully supporting Windows Vista, BitDefender offers consumers and SMBs the industry’s highest levels of anti-malware.

BitDefender

Apple has released Security Update 2007-001 to correct a buffer overflow vulnerability in Apple QuickTime. The flaw is in the way that QuickTime handles Real Time Streaming Protocol (RTSP) URL strings. By persuading a user to access a specially crafted QuickTime file, a remote attacker may be able to execute arbitrary code or cause a denial of service on a vulnerable system. US-CERT is also aware of publicly available proof-of-concept code that exploits this vulnerability.

http://www.us-cert.gov/current/current_activity.html#apup0701 

Google has removed a few user names and passwords posted inadvertently to a phishing blacklist it compiles and makes publicly available on the Web, the Mountain View, California, company said Monday.

The login information was contained in 15 URLs submitted through Google's Firefox toolbar, which lets users report Web pages they suspect to belong to phishing sites. Most of the URLs on the list didn't have login information.

Google said it also has implemented a mechanism that detects when a submitted URL contains login data and prevents that information from getting posted to the list.

"We are in the process of notifying the users who inadvertently disclosed this information and suggesting that they reset associated passwords," Google said in an e-mailed statement.

InfoWorld 

With version 7.5, users receive improved virus detection based on better heuristics and NTFS data streams scanning, smaller update files and improved user interface. Anti-Virus Free Edition 7.5 is also Windows Vista-ready and is available via Windows Security Center as a security solution. To upgrade to free version 7.5, users can visit visit: http://free.grisoft.com.

Announcement

Sun Microsystems has issued a critical security patch to address vulnerabilities in Sun's Java Runtime Environment when it processes graphics interchange format, or GIF, images.

The security flaws could allow an attacker to gain control of a user's system via an untrusted Java applet, which in turn could allow attackers to grant themselves permission to read and write local files or execute applications on the user's computer, according to an advisory issued by Secunia on Wednesday.

Story at news.com.com 

Oracle on Tuesday released fixes for 51 vulnerabilities that affect its software products.

The update is part of the Redwood City, Calif., company's quarterly patch cycle. Oracle preannounced its patch release Thursday, when, for the first time, it published an advance notification so customers could plan ahead to apply the fixes.

Story continues news.com.com 

Symantec Corp. will add a new defense to its consumer security flagship products Norton AntiVirus and Norton Internet Security early next month to protect PCs from zero-day exploits, the company said Wednesday.

Sonar, for Symantec Online Network for Advanced Response, is based on technology acquired in the 2005 purchase of WholeSecurity, a Texas-based maker of anti-phishing and intrusion prevention software. "It's a new behavioral technology," says Ed Kim, director of product management in Symantec's consumer product group. "It's a zero-day defense that doesn't use signatures."

Informationweek 

Symantec first dismissed the threat, but worm attacks that exploit a known security hole in the company's corporate antivirus tool are proving to be persistent.

The attacks target computers running older versions of Symantec Client Security and Symantec AntiVirus Corporate Edition. Compromised systems are turned into remotely controlled zombies by the attacker and used to relay spam and other nefarious activities. Symantec's Norton consumer software is not affected.

CNet News

Google has patched a cross-site scripting vulnerability in one of its Web-hosting services.

If left unpatched, the cross-site scripting (XSS) vulnerability could have allowed hackers to modify third-party Google documents and spreadsheets and to view e-mail subjects and search history, according to the Google Blogoscoped blog.

Story at news.com.com 

Websense Security Labs has discovered that Brazilian-based malicious code authors are now utilizing a popular web exploit kit which originates in Russia. This combination of the groups working together is relevant because previously we have not seen such collaboration. The Web Attacker toolkit allows attackers to place code on their website to infect users when the site is visited. This toolkit is the most popular exploit kit on the web today.

eBay is getting ready to offer its PayPal users a password-generating key fob that promises to increase the security of the online payment service.

The device displays a new one-time password in the form of a six-digit code about every 30 seconds. PayPal clients who opt to use the device will enter this password along with their regular credentials when signing into the service. The key fob is meant as another weapon in the battle on data-thieving phishing scams.

Story continues at news.com.com 

iDefense will pay $8,000 for each submitted vulnerability that allows an attacker to remotely exploit and execute arbitrary code on either of these two products. Only the first submission for a given vulnerability will qualify for the award, and iDefense will award no more than six payments of $8,000. If more than six submissions qualify, the earliest six submissions (based on submission date and time) will receive the award.

This Security Bulletin addresses several vulnerabilities, including issues that have already been disclosed. An update is available for a cross-site scripting (XSS) vulnerability in versions 7.0.8 and earlier of Adobe Reader and Acrobat that could allow remote attackers to inject arbitrary JavaScript into a browser session. This vulnerability, previously reported in APSA07-01 on January 4, 2007, has been assigned an important severity rating. Additional vulnerabilities have been identified in versions 7.0.8 and earlier of Adobe Reader and Acrobat that could allow an attacker who successfully exploits these vulnerabilities to take control of the affected system. These vulnerabilities have been assigned a critical severity rating. A malicious file must be loaded in Adobe Reader by the end user for an attacker to exploit these vulnerabilities. It is recommended that users update to the most current version of Adobe Reader or Acrobat available.