Month: January 2007

Outlook Express MHTML URI Handler Information Disclosure Vulnerability (updated: affects IE7 in Vista) Outlook express is prone to a cross-domain information-disclosure vulnerability. This vulnerability may let a malicious website access properties of a site in an arbitrary external domain in the context of the victim user’s browser. Attackers could exploit this issue to gain access to sensitive information (such as cookies or passwords) that is associated with the external domain. This issue was previously reported as an Internet Explorer vulnerability, but the affected component is found to be part of Outlook Express. Microsoft confirmed that this is an Outlook Express … Continue reading Outlook Express MHTML URI Handler Information Disclosure Vulnerability (updated: affects IE7 in Vista)

US-CERT is aware of a memory corruption vulnerability in the PGP Desktop service. The PGP Desktop service fails to validate user-supplied data. By sending a specially crafted object to the PGP Desktop service, a remote, authenticated attacker may be able to execute arbitrary code with potentially elevated privileges on a vulnerable system. PGP states that upgrading to the latest version of PGP Desktop will address this vulnerability. See https://pgp.custhelp.com/cgi-bin/pgp.cfg/php/enduser/std_adp.php?p_faqid=703 http://www.us-cert.gov/current/index.html#pgp0valdt

NetNucleus, makers of the Mirar Toolbar sent a cease and desist letter to Sunbelt Software (maker of CounterSpy antispyware).  They are demanding removal of their product in CounterSpy’s spyware database. CounterSpy respond.  See http://www.sunbelt-software.com/ihs/alex/Sunbelt_20NetNucleus_20Ltr_20070131Final.pdf (pdf format) Sunbelt will continue to protect its customers against the said toolbar [Y]

Microsoft Security Response Center blog today the following: An issue has been identified publicly where an attacker could use the speech recognition capability of Windows Vista to cause the system to take undesired actions. While it is technically possible, there are some things that should be considered when trying to determine what the threat of exposure is to your Windows Vista system. Read more about it at http://blogs.technet.com/msrc/archive/2007/01/31/issue-regarding-windows-vista-speech-recognition.aspx

“Microsoft applauds the Riverside County Sheriff’s Department’s efforts to stop the production and sale of counterfeit software. The arrest of an individual allegedly involved in a piracy operation worth hundreds of thousands of dollars is a great success and sends a strong message that counterfeiting has the potential to carry significant criminal penalties for those who choose to engage in it. “The Sheriff’s Department’s CATCH (Computer And Technology Crime High-Tech Response) Team should be congratulated for its professionalism and tenacity in the eight-month investigation that led to yesterday’s arrest. The Riverside team is one of five task forces in California … Continue reading Microsoft praises effort of California law enforcement

CDs’ Embedded Content Protection Software Posed Security Risks, Limited CD Use, and Monitored Users’ Listening Habits on their Computers, Without Consumer Consent Sony BMG Music Entertainment has agreed to settle Federal Trade Commission charges that it violated federal law when it sold CDs without telling consumers that they contained software that limited the devices on which the music could be played, restricted the number of copies that could be made, and contained technology that monitored their listening habits to send them marketing messages. According to the FTC, the software also exposed consumers to significant security risks and was unreasonably difficult … Continue reading Sony BMG Settles FTC Charges

A vulnerability has been identified in Captcha and Textimage (modules for Drupal), which could be exploited by remote attackers to bypass security restrictions. This issue is due to an input validation error when processing certain responses, which could be exploited by attackers or automated systems to bypass the captcha validation and post arbitrary data. Affected ProductsCaptcha (module for Drupal) versions prior to 4.7.x-1.2Captcha (module for Drupal) versions prior to 5.x-1.1Textimage (module for Drupal) versions prior to 4.7.x-1.2Textimage (module for Drupal) versions prior to 5.x-1.1 SolutionUpgrade to Captcha version 4.7.x-1.2 or 5.x-1.1 :http://drupal.org/project/captcha Upgrade to Textimage version 4.7.x-1.2 or 5.x-1.1 :http://drupal.org/project/textimage … Continue reading Captcha and Textimage Modules for Drupal Security Validation Bypass Vulnerability

Two vulnerabilities have been identified in Windows Mobile, which could be exploited by attackers to cause a denial of service.The first issue is due to an error in Internet Explorer when handling malformed data, which could be exploited by attackers to crash a vulnerable browser by tricking a user into visiting a specially crafted web page. The second issue is due to an error in the Pictures and Videos application that fails to properly handle malformed JPEG images, which could be exploited by attackers to cause a vulnerable device to hang, creating a denial of service condition. Affected ProductsMicrosoft Windows … Continue reading Microsoft Windows Mobile Internet Explorer and Pictures and Videos Denial of Service

http://www.betanews.com/article/Apple_Offers_199_80211n_Upgrade/1170176139  Apple Offers $1.99 802.11n Upgrade – Apple has begun offering a $1.99 USD software patch that would enable use of 802.11n wireless networking on select Intel-based Mac models. However, the update has not come without controversy. I’m happy that Dell did NOT ask me to pay when I returned my Dell XPS M1210 last time and requested a new replacement.  Also, when I returned the first shipped notebook, it has Dell Wireless 350 Bluetooth Internal Module.  When I received the new replacement notebook, the Dell Wireless 350 Bluetooth Internal Module is gone.. it was replaced by Dell with Dell … Continue reading What? They need to pay $1.99 for a patch!?!

“On January 17th, Symantec announced a new technology, SONAR, which stands for Symantec Online Network for Advanced Response. In the week of the announcement, SONAR already played a critical role as an early warning system and Zero Hour detection for the PeaComm threat….. “ Read how SONAR played a critical role as early warning system and 0-hour detection for the said threat at http://www.symantec.com/home_homeoffice/blog/detail.jsp?blogid=sonar&profileid=laura_garcia-manrique