Archive RSS Feed: Washingtonpost Security Fix

Apple Patches iPhone Security Hole

Apple iPhone users should soon be prompted to install a software update that plugs a much-publicized security hole in the devices. The critical vulnerability patched by Apple was the very same used by iPhone developers to power "Jailbreak," software that allows iPhone users to install third-party (non-Apple made) applications. According to Computerworld, this latest update makes it difficult (but not impossible) for users of brand-new iPhones to install Jailbreak. The update is available only through iTunes and won't appear in the bundled Software Update application or at the Apple Downloads site. Apple advises iPhone users to make sure they have the latest version of iTunes (7.5) installed before applying the update.

Read more : 13.11.2007 20:54:00

Microsoft Plugs Critical Windows Security Hole

Microsoft today issued two software updates to remedy security vulnerabilities in its Windows operating systems, including one that criminal groups have been targeting lately to break into and steal data from vulnerable machines. One of the patches fixes a critical flaw found in Windows XP and Windows Server 2003 systems that also have Internet Explorer 7 installed. This vulnerability is not present in Windows Vista. For more than a month now, cyber criminals have been blasting out spam e-mails containing malicious links or Adobe PDF documents that try to install spyware programs when users click the links or open the files. The PDF attacks first surfaced about a month ago, after Adobe issued a patch to prevent PDFs from being used to exploit the Windows flaw. Experts said virus writing groups quickly disassembled that patch to pinpoint the weakness, which is caused by the way certain Windows installations validate things

Read more : 14.11.2007 02:01:00

Storm Worm Victims Get Stock Spam Pop-Up

If you're a Windows user and today received a surprise pop-up advertisement urging you to invest in an obscure penny stock, it is highly likely that your computer is infected with the virulent Storm worm, a nasty intruder that currently resides on an estimated 200,000 PCs worldwide. Criminal groups that control the pool of Storm-infected computers have traditionally used those systems to pump out junk e-mail ads touting thinly traded penny stocks as part of an elaborate and ongoing series of "pump-and-dump" schemes. But today, according to security researchers, the Storm worm authors went a step further by causing a pop-up ad for a particular penny stock to be shown on all infected machines. Atlanta-based SecureWorks tracked the latest Storm activity, which began earlier this morning. The pop-up, shown in the image to the right, touts a microcap stock for Hemisphere Gold Inc. [HPGI.PK] as a "strong buy." Joe Stewart,

Read more : 14.11.2007 05:11:00

ZoneAlarm Anti-Spyware Free for Today

Check Point Software Technologies, the company that makes the popular ZoneAlarm suite of security products, is giving away its ZoneAlarm Anti-Spyware product today. The software includes the firewall and free anti-spyware updates for a year. Check Point says the offer is good until 8 p.m. ET today. The promotion began Tuesday in what was supposed to be a 24-hour offer, but the company says it's extending the offer through today "due to overwhelmed servers." It looks like this software only works on Windows 2000 and Windows XP, and not Windows Vista. If that's not the case, I will update this post. If you're interested, check the offer out here.

Read more : 14.11.2007 22:09:00

Apple Plugs 44 Security Holes

Apple released updates to fix at least 44 different security vulnerabilities in its software for Mac OS X and Windows. Forty of the flaws reside in OS X itself, while the rest are specific to Apple's version of the Safari Web browser built for Windows. All of the OS X-specific flaws addressed in the patch bundle were for OS X 10.4 (Tiger) and earlier. There don't appear to be any updates pushed out for Leopard, Apple's most recent version of its operating system. Also among the fixes is a patch to plug a security hole in Apple's version of the Adobe Flash Player, a vulnerability that Adobe issued its own update to fix back in July. Apple users who have Software Updates set to automatically check for updates should be prompted to install the fixes sometime over the next few days. The update bundle should also be available at Apple

Read more : 15.11.2007 22:15:00

A Fresh Round of Targeted E-mail Attacks

Another series of sophisticated e-mail attacks was launched over the past 24 hours, addressing recipients by name and warning of complaints filed against them and/or their company with the Justice Department and the Better Business Bureau. E-mail security firm MessageLabs said it spotted the spike in targeted e-mail attacks designed to look as though they were sent from the Better Business Bureau. The messages address recipients by name and list corresponding employer information both in the body of the e-mail and the subject line. The missives reference an attached "complaint," which is actually a screensaver file that harbors password-stealing software. Websense, meanwhile, is warning of a very similar attack made to look like an e-mail sent from the Justice Department, claiming that a complaint has been filed against the recipient's company. The attached "complaint" file also is a Trojan horse program wrapped in a screensaver file. Websense reports that none

Read more : 20.11.2007 10:30:00

Credit Card Thieves Flood Wikimedia With Pennies

The Wikimedia Foundation, the parent organization of the free online encyclopedia Wikipedia and other open-source projects, recently increased the minimum amount it will accept in donations after scammers apparently began testing the validity of stolen credit cards by sending a series of 1-cent "donations" to the group. On Nov. 8, Wikimedia saw hundreds of penny donations come in over a very short period of time. In many cases, Wikimedia donors leave messages of support or praise for the organization along with their gift, but all of the fake donations were anonymous and contained no greeting, suggesting their submission may have somehow been automated. Wikimedia spokesperson Sandra Ordonez said the group wants to keep a low minimum contribution amount so as not to discourage donations from people in countries where a dollar may be a substantial sum and a very generous gift. "But for those one-penny donations, it was costing us

Read more : 21.11.2007 02:57:00

MPAA University 'Toolkit' Raises Privacy Concerns

The Motion Picture Association of America is urging some of the nation's largest universities to deploy custom software designed to pinpoint students who may be using the schools' networks to illegally download pirated movies. A closer look at the MPAA's software, however, raises some serious privacy and security concerns for both the entertainment industry and the schools that choose to deploy the technology. On Oct. 24, MPAA sent a letter to the presidents of 25 universities that the association has identified as top locations for the downloading of pirated movies over online file-sharing networks. In the letter, the group said it "has developed the University Toolkit, an application which can produce a report that is strictly internal and therefore confidential to illustrate the level of file sharing on [your school's] network. In addition, we will send a hard copy in the near future to your university's Chief Information Officer." Security

Read more : 23.11.2007 18:30:00

Exploit Released for Unpatched QuickTime Flaw

Instructions for exploiting a previously undocumented security hole in Apple's QuickTime media player software are now available online, and security firms are warning that it may not be long before we start seeing criminal groups taking advantage of the flaw to break into vulnerable computers. According to an advisory from the US-CERT, the vulnerability stems from a weakness in the way QuickTime handles a type of media-streaming communications called the "real time streaming protocol" (RTSP). Attackers could exploit the flaw merely by convincing users to click on a poisoned link, open a malicious e-mail attachment, or visit a specially crafted Web page. US-CERT says the vulnerability is present in QuickTime versions 4.0 through 7.3 (the latest version) on both Windows and Mac systems. Interestingly, researchers at Symantec say they tested the publicly available exploit code for this flaw and found that it failed to work properly against Internet Explorer 6/7

Read more : 27.11.2007 22:52:00

Feds Put More Botmasters, Phishers Behind Bars

The FBI today released details of several cybercrime cases against individuals accused of defrauding banks, companies and consumers of more than $20 million with the help of "botnets," large groupings of hijacked personal computers. The computer crime crackdown is Part Two of "Operation Bot Roast," a series of investigations the FBI first detailed this summer. To date, the operation has identified more than two million individual PCs compromised by at least 10 individuals who have since pleaded guilty, been indicted or sentenced for various bot-related computer crimes. Click on the name of the individual below for a copy of his indictment and more details on the case: * Ryan Brett Goldstein, 21, of Ambler, Pa., was indicted on Nov. 1 for orchestrating attacks from a botnet of 50,000 PCs against various online chat networks. Goldstein, a student at the University of Pennsylvania, is accused of working with an individual

Read more : 30.11.2007 01:00:00
