InfoSec News

Nokia has cancelled the launch of a touchscreen phone that it planned to introduce exclusively with AT&T at the Mobile World Congress Show, The Wall Street Journal reported on Wednesday.
Facebook users who want to access the social-networking service on the go, but don't have smartphones, now have an app of their own -- in some countries.
Small businesses have a new scam to worry about: criminal job applicants who want to hack into online bank accounts.
IBM WebSphere MQ Invalid Message Remote Buffer Overflow Vulnerability
WordPress KSES Library Multiple HTML Injection Vulnerabilities
Pivot 2.0 helps developers build client-side apps that don't require a Web browser, but rather are downloaded and installed.
GoGrid has rolled out a hosted private cloud offering designed to offer customers the benefits of the public cloud on dedicated hardware.
Oracle's fast growing product set may be hampering its ability to create patches for database flaws in a timely fashion, security experts say.
While his Black Hat DC Conference demonstration was not flawless, a University of Luxembourg student on Wednesday did show that it's possible to trick iPhone users into joining a fake GSM network.
OpenJDK 'IcedTea' plugin JNLPSecurityManager Remote Code Execution Vulnerability
FUSE fusermount Tool Race Condition Vulnerability
Apple yesterday made its strongest statement yet that soaring iPad sales are affecting the laptop market, saying that the problem should concern its rivals.
[USN-1045-2] util-linux update
[USN-1045-1] FUSE vulnerability
[ MDVSA-2011:013 ] hplip
Cisco Systems is beefing up wireless transaction security with new software features for its Wi-Fi access points. The vendor says the changes add needed protection over and above that mandated by the Payment Card Industry standard.
Steve Jobs said this week he will be taking a medical leave of absence from his position as Apple CEO, just days before the company announced it had again shattered Mac, iPhone and iPad sales records. Time to reflect: What's been Jobs' biggest contribution as chief executive?
Android SD Card Content Information Disclosure Vulnerability
Spain's Data Protection Agency and Google on Wednesday faced off in court where the search company defended its content linking policies and business model.
Hewlett-Packard and Microsoft's unveiling Wednesday of a series of data warehousing appliances has some observers sounding the death knell for HP's Neoview platform.
Multiple lawsuits are likely over the FCC's net neutrality rules, a group of experts says.
HP Linux Imaging and Printing System SNMP Protocol Remote Code Execution Vulnerability

Webroot Provides Channel Partners with Enhanced Email Security Management to ...
RealWire (press release)
... service continues to maintain the highest detection rates and functionality for our customers,” said Steve Malone, Director at Infosec Technologies. ...

Attack code for a Windows vulnerability that Microsoft patched last week was released by a researcher one day after the company fixed the flaw.
Advanced Micro Devices on Wednesday announced Fusion processors for embedded systems as it tries to put its chips in new devices such as set-top boxes and small form factor PCs.
Playboy will land on the iPad in March, but the uncensored version of the adult magazine will not be offered as a native application, the company confirmed today.
RETIRED: Oracle January 2011 Critical Patch Update Multiple Vulnerabilities
lighttpd Slow Request Handling Remote Denial Of Service Vulnerability
Simploo CMS Community Edition - Remote PHP Code Execution Issue
This year's shows included many announcements that will affect what IT shops do.
Starbucks on Wednesday began offering mobile payment systems at 7,500 of its coffee shops.
A Samsung Mobile Web site is promising the arrival of "something big" on Feb. 13 and also shows an obscured image of an upcoming device next to the Samsung Galaxy S.
Lenovo has set up a new business unit to create tablets and smartphones, two of the hottest emerging areas of the gadget sector.
Simploo CMS 'FTP-Server' Field Remote PHP Code Execution Vulnerability
Multiple Mini-stream Software Products '.m3u' File Remote Stack Buffer Overflow Vulnerability
Oracle Fusion Middleware CVE-2010-4417 Beehive Remote Code Execution Vulnerability
The passive keyless entry and start systems supported by many modern cars are susceptible to attacks that allow thieves to relatively easily steal the vehicles, say security researchers.
As decision-making becomes more collaborative while workforces grow more distributed and global, the days of compiling a spreadsheet, e-mailing it around, manually inputting updates and then re-sending it seem antiquated. Some companies are moving on.
Microsoft and Hewlett-Packard are teaming up to deliver a $2 million data warehouse appliance and four other hardware/software products in a bid to outshine recent moves by Oracle and IBM.
HTML5 Web Storage, Web Database, FileReader, FileWriter, and AppCaching APIs will transform Web pages into local applications, but not yet.
Oracle Database and Enterprise Manager Grid Control Remote Code Execution Vulnerability
Oracle Fusion Middleware CVE-2010-4416 Remote Oracle GoldenGate Veridata Vulnerability
Oracle Audit Vault CVE-2010-4449 Remote Code Execution Vulnerability
Oracle Enterprise Manager Real User Experience Insight (RUEI) SQL Injection Vulnerability
During Black Hat DC, Microsoft released some updates to its secure development tools. Microsoft did some very nice work with these tools. While these tools are not necessarily limited to .NET, I highly recommend that .NET developers take a look at them.
The (at least to me) new tool is the Attack Surface Analyzer [1]. It takes a snapshot of your system before and after you install software and compares the two to determine the impact your software has on the system: what resources it depends on, what changes it makes (files, registry keys, services, listening ports, ACLs), and which of those changes widen the system's attack surface. It will also enumerate possible security issues. A Microsoft SDL blog article has more details [2].
BTW: if you are managing developers, and want to know more about threat modeling and common vulnerabilities: I will be teaching the 1 day software security awareness class in San Francisco on March 9th.

Johannes B. Ullrich, Ph.D.

SANS Technology Institute

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.