Internet Explorer security hole: Use other browser

The Telegraph: Internet Explorer users might want to consider upgrading or switching to another browser after a massive security hole was discovered in Windows’ native web browser.

According to security forum Rapid7, Internet Explorer 7, 8 and 9 running on Windows XP, Vista and 7 contain what is known as a “zero-day exploit”, which allows attackers to gain access to your personal data while you browse.

The forum claimed the exploit would give cyber criminals “the same privileges as the current user”.

It claimed that 41 per cent of US and 32 per cent of global Internet Explorer users could be affected.

Microsoft confirmed that it was aware of the targeted attacks “potentially affecting some versions of Internet Explorer”.

Yunsun Wee, Director of Microsoft Trustworthy Computing, told Fairfax that Internet Explorer 10 is not affected by the issue.

“We recommend customers deploy Microsoft’s Enhanced Mitigation Experience Toolkit 3.0, which provides effective protections without affecting the web browsing experience,” Wee said. “We will continue to investigate this issue and take further actions as appropriate.”

Microsoft’s September Patch Tuesday closes important XSS holes

h-online: On its September Patch Tuesday, Microsoft released two security updates that are rated as important and which close holes in Visual Studio Team Foundation Server 2010 (TFS) and Systems Management Server 2003 and 2007. Both updates fix cross-site scripting (XSS) vulnerabilities in the products’ web interfaces that allow attackers to execute arbitrary script code in the victim’s browser.

As the holes enable an attacker to access the web interfaces at the user’s privilege level, Microsoft has classified them as privilege escalation vulnerabilities. The company notes that, to its knowledge, neither of the holes is being actively exploited for attacks.

Microsoft has also published a number of other patches for Windows, Windows Server and the Malicious Software Removal Tool; it considers these to be non-security-related. The company notes that, unlike its other September updates, these may require users to restart their computers after installation. The updates include a new set of ActiveX kill bits to prevent vulnerable Cisco plugins from running.

While this Patch Day has turned out to be moderate, the next one may have far-reaching consequences: in October, Microsoft will use Windows Update to deploy a patch that will invalidate any certificates with an RSA private key length of less than 1,024 bits. Those who manage infrastructures that use such certificates should, therefore, replace them with certificates whose private key has the required minimum length before then. NIST currently recommends an RSA key length of at least 2,048 bits.
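Before the October update lands, an administrator will want to know which certificates in the Windows stores fall under the cutoff. The following PowerShell inventory is an added example (not code from the article or from Microsoft): it walks the local machine and current user certificate stores, keeps the RSA certificates, and lists any whose public key is shorter than 1,024 bits along with where they live and who issued them. Run it in an elevated session so the machine store is readable; the store paths and the 1,024-bit cutoff are the only inputs it assumes.

```powershell
# Added example: inventory RSA certificates shorter than the 1,024-bit minimum
# that the October 2012 Windows Update will stop trusting (not from the article).
$minimumBits = 1024   # cutoff named in the article; NIST recommends 2,048 or more

# Both stores hold certificates an update can invalidate; -Recurse covers the
# sub-stores (My, Root, CA, TrustedPublisher, ...).
$stores = @('Cert:\LocalMachine', 'Cert:\CurrentUser')

$weak = foreach ($store in $stores) {
    Get-ChildItem -Path $store -Recurse |
        # Get-ChildItem also returns the store containers; keep only certificates.
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509Certificate2] } |
        # Only RSA keys are affected by the length check.
        Where-Object { $_.PublicKey.Oid.FriendlyName -eq 'RSA' } |
        ForEach-Object {
            $bits = $_.PublicKey.Key.KeySize
            if ($bits -lt $minimumBits) {
                [PSCustomObject]@{
                    Store      = $_.PSParentPath -replace '^.*::', ''
                    Subject    = $_.Subject
                    Issuer     = $_.Issuer
                    KeyBits    = $bits
                    NotAfter   = $_.NotAfter
                    Thumbprint = $_.Thumbprint
                }
            }
        }
}

if ($weak) {
    # Shortest keys first: these are the ones to reissue before the update ships.
    $weak | Sort-Object KeyBits | Format-Table -AutoSize
} else {
    "No RSA certificates shorter than $minimumBits bits found in $($stores -join ', ')."
}
```

Anything the script lists should be reissued with a 2,048-bit key (or replaced, if it belongs to a third party) before the update is deployed; certificates found under Root or CA deserve particular attention, since every certificate chained to them will stop validating at the same time.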

Adobe fixes ColdFusion security vulnerability

h-online: On the same day as Microsoft’s September Patch Tuesday, Adobe released an update for ColdFusion to close a security hole in its rapid web application development software. The hotfix for ColdFusion addresses a vulnerability (CVE-2012-2048), which the company rates as important, that could be exploited by a remote attacker to cause a denial-of-service (DoS) condition.

According to Adobe, the unspecified error affects versions 8.0, 8.0.1, 9.0 to 9.0.2, and 10 of ColdFusion for Windows, Mac OS X and UNIX. Installing the provided hotfix corrects the problem; download links and installation instructions for each affected version are provided on the APSB12-21 technote page. All users are advised to download and apply the hotfix. Adobe credits UK developer David Boyer for finding and reporting the problem.

Microsoft to patch Flash hole in Windows 8 shortly

h-online: Microsoft has confirmed that it will deliver a security update for the bundled version of Flash Player used by Internet Explorer 10 (IE10) sooner than previously planned. In a statement sent to ZDNet, Yunsun Wee, Trustworthy Computing Director at Microsoft, said that the company is working closely with Adobe on an updated version of the Flash plugin, which “will be available shortly”.

The forthcoming Windows 8 comes with Internet Explorer 10, which, in turn, includes its own version of Flash Player. This arrangement relies on Microsoft’s automatic updates system, Windows Update, for updating the version of Flash included in the web browser.

While Windows 8 has yet to become “generally available” (GA), Microsoft has been offering the final version of the operating system to its MSDN and TechNet subscribers since mid-August. A 90-day trial of Windows 8 Enterprise has also been available for organizations.

However, the version of Flash Player currently used by IE10 is based on Adobe Flash 11.3.372.94 from 19 July 2012, which contained multiple security vulnerabilities including several critical holes. Adobe has since closed these holes with an update to the 11.3.x branch and the release of version 11.4.402.265 at the end of August.

Microsoft had previously stated that it would only issue an update “through Windows Update in the GA timeframe” to fix the problems, but appears to have revised its plans following criticism from users already running the upcoming Windows 8 release. “Ultimately, our goal is to make sure the Flash Player in Windows 8 is always secure and up-to-date, and to align our release schedule as closely to Adobe’s as possible,” said Wee. Windows 8 is scheduled for official release on 26 October.

Google Acquires VirusTotal

This is what we read in the latest post on the VirusTotal blog:

Our goal is simple: to help keep you safe on the web. And we’ve worked hard to ensure that the services we offer continually improve. But as a small, resource-constrained company, that can sometimes be challenging. So we’re delighted that Google, a long-time partner, has acquired VirusTotal. This is great news for you, and bad news for malware generators, because:

  • The quality and power of our malware research tools will keep improving, most likely faster; and
  • Google’s infrastructure will ensure that our tools are always ready, right when you need them.

VirusTotal will continue to operate independently, maintaining our partnerships with other antivirus companies and security experts. This is an exciting step forward. Google has a long track record working to keep people safe online and we look forward to fighting the good fight together with them.

VirusTotal Team

Symantec releases Norton 2013 security suites

BetaNews: Symantec has released brand new versions of its Norton security packages for Windows, Norton Anti-Virus 2013, Norton Internet Security 2013 and Norton 360 2013. It’s the first time all three packages have been updated simultaneously, while the branding has also been amended to remove all references to a date, simply naming each Norton Anti-Virus, Norton Internet Security and Norton 360, respectively.

The 2013 versions come with what Symantec describes as “five layers of patented protection”, which include stronger social networking and anti-scam protection. There’s also full, certified support for Windows 8 and the promise of better performance on multi-core CPUs.

Symantec has focused its efforts on two related areas of protection for the 2013 releases, starting with stronger protection for users of social networking sites. According to the current annual Norton CyberCrime Report, one in ten social network users has fallen prey to fake links or scams, so a new Scam Insight tool warns against potentially risky websites, and an improved Norton Safe Web for Facebook app lets users quickly scan their timeline for potential scams and fake links.

Other improvements to existing protection include more rapid updates for the Insight file reputation database, which now also tracks IP addresses to help determine where threats are originating from.

Norton’s 2013 products are also fully certified for Windows 8. This includes integration with Windows 8’s Early Launch Anti-Malware (ELAM) technology, which permits security software to be up and running much earlier in the boot process than was the case with Windows 7, and which helps nullify certain rootkits. Also implemented is a new memory heap manager to help block and minimize the dangers from memory exploits.

The user interface has also been tweaked to be more Windows 8-friendly, with touch support and tile-based buttons. Staying up to date has been made simpler too, with all product updates now delivered automatically, and reboots eliminated from the install and update process.

The 2013 product line comes with a Network Cost Awareness feature – choose Settings > Network Security Settings > Network Cost Awareness and click Configure – that allows specific network connections to be set to Economy, to prevent unnecessary updates from being downloaded on bandwidth-limited connections such as 3G.

Finally, all three Norton 2013 products are engineered to take advantage of newer multi-core processors and inbuilt technologies in Windows 8 to deliver faster startup and shutdown times than their immediate predecessors. Sadly, boot times remain a little long in Windows 7, although the apps’ overall effect on system performance is light. Other performance tweaks include better support for digital media, plus reduced power consumption to help extend battery life.

Norton AntiVirus 2013 FINAL, Norton Internet Security 2013 FINAL and Norton 360 2013 are all available now as free 30-day trial downloads for PCs running Windows XP SP2 or later. Prices start from $49.99 for a single-user, 12-month license of Norton AntiVirus 2013 FINAL, with three-user licenses for Norton Internet Security 2013 and Norton 360 2013 costing $79.99 and $89.99 respectively.

Symantec claims losses from cybercrime exceed $100 billion

h-online: According to Symantec’s 2012 Norton Cybercrime Report, private individuals worldwide have suffered approximately $100 billion (more than £69 billion at the current exchange rate) in financial losses as a result of cybercrime. In the period from July 2011 to July 2012, losses averaged $197 (£124) per victim.

A total of 556 million adults are reported to have fallen victim to malware, phishing or similar virtual crimes. The report claims that there are 1.5 million victims of cybercrime each day, or about 18 per second. The security specialist’s report also states that two-thirds of internet users have been caught out by cybercriminals at some point in their lives, and almost half (46%) were victims during the period covered by the report. The results reveal that many of those affected are victims of their own carelessness. Around 40% of people don’t use complex passwords or don’t change their passwords regularly.

According to Symantec, 85% of financial costs are the result of fraud, repairs, theft and loss. There appears to be a clear trend of cybercriminals targeting social networks and mobile devices, with around 20% of users having suffered losses as a result of such attacks. The study also claims that 15% of social media accounts have been compromised and that 10% of users have fallen for fake links and scams on social networks. A total of 75% of those surveyed believe that cybercriminals are increasingly targeting social networking services.

Losses within the EU are reported to amount to $16 billion (over £10 billion). China emerges as the country whose citizens have suffered the greatest financial loss – $46 billion (nearly £29 billion) – while Russia has the largest number of victims, with 92% of users surveyed in the country having experienced problems with cybercrime. The report surveyed more than 13,000 online adults aged 18-64 in 24 different countries.

1 million Apple Device IDs leaked, claim hackers

The AntiSec hacker group claims to hold more than 12 million Apple iOS Unique Device IDs, in addition to other personal information about the device owners. To back up the claim, the group is said to have released slightly more than a million Apple Device IDs to the public. The release was announced on Pastebin, in a post said to contain a detailed description of the method by which the group claims to have obtained the IDs from the FBI.

AntiSec claims: “During the second week of March 2012, a Dell Vostro notebook, used by Supervisor Special Agent Christopher K. Stangl from FBI Regional Cyber Action Team and New York FBI Office Evidence Response Team was breached using the AtomicReferenceArray vulnerability on Java, during the shell session some files were downloaded from his Desktop folder one of them with the name of ‘NCFTA_iOS_devices_intel.csv’ turned to be a list of 12,367,232 Apple iOS devices including Unique Device Identifiers (UDID), user names, name of device, type of device, Apple Push Notification Service tokens, zipcodes, cellphone numbers, addresses, etc.”

A little background: Apple Unique Device Identifiers (UDIDs) are sequences of 40 letters and numbers that are unique to each Apple device. Alone, they do not reveal much, but by obtaining them, hackers can also gain access to the majority of the information that most iOS app developers are able to collect. Do you think this alleged Device ID leak is true?

I want, I don’t want

I never could understand those people who are afraid of everything and everyone. Why don’t people live in a normal and easy world? Why take it so hard?

I’m talking of the moment when I respect a boy and he behaves defensively because he thinks I’m looking for his money…

I’m talking of the moment when I respect a man and he behaves defensively because he thinks I’m looking to use his position…

I’m talking of the moment when I respect a girl and she thinks I’m looking for her body…

No, dear world! Dear folks! People are not the same! Dear young man, if one person tried to use your money, it does not mean your next friend is the same; dear gentleman, if one tried to use your position, it does not mean everyone in the world is like that; dear girl, I don’t blame you for being careful, but if one or two, or maybe more if you are a pretty one, only tried to reach your body by calling themselves your friend, it does not mean every single ‘male’ human is the same.

I talk of myself: I’m an easy person, and all that I expect in a friendship is ‘trust’, me trusting you and you trusting me; that way I’m happy. As I said before, I don’t expect much from my friends, so I’m much happier that way. Maybe my close friends have noticed that I have even rejected their voluntary help, because I wanted them to stay my friends and not let ‘giving service’ to each other affect our friendship, and not let them wonder whether I’m their friend for their money or their support or their body or whatever; I only want their friendship, their trust.

It really hurts when I feel I’ve been ignored or not trusted, even in a situation where someone needed help and did not ‘trust’ me enough to ask for it, or when they wanted to talk about very common everyday stuff and did not ‘trust’ me to understand them! Maybe I should be happy, saying “Thank God they did not bother me”, but no! I don’t think that way.

Open your eyes: this world is too dirty, but not every spot of it.