Microsoft today released updates to sew up at least seven vulnerabilities in Windows and other software. The sole “critical” update in the bunch patches a particularly dangerous flaw in all supported versions of Windows that allows attackers to seize control over vulnerable systems remotely without authentication.
Hacked and phished email accounts increasingly are serving as the staging grounds for bank fraud schemes targeting small businesses. The scams are decidedly low-tech and often result in losses of just a few thousand dollars, but the attacks frequently succeed because they exploit existing trust relationships between banks and their customers.
Last month, scam artists hijacked private email accounts belonging to three different customers of Western National Bank, a small financial institution with seven branches throughout Central and West Texas. In each case, the thieves could see that the victim had previously communicated with bank personnel via email.
For the second time in less than a month, Adobe has issued an update to fix dangerous flaws in its Flash Player software. The update addresses two vulnerabilities rated “critical,” but Adobe says it is not aware of active attacks against either flaw.
Scott Henry scoured the Web for a good deal on buying TurboTax. His search ended at Blvdsoftware.com, which advertised a great price and an instant download. But when it came time to install the software, Henry began to have misgivings about the purchase, and reached out KrebsOnSecurity for a gut-check on whether trusting the software with his tax information was a wise move.
Five days after Henry purchased the product, blvdsoftware.com vanished from the Internet.
Adobe has issued a critical security update for its ubiquitous Flash Player software. The patch plugs at least seven security holes, including one reported by Google that is already being used to trick users into clicking on malicious links delivered via email.
In an advisory released Wednesday afternoon, Adobe warned that one of the flaws — a cross-site scripting vulnerability (CVE-2012-0767) reported by Google — was being used in the wild in active, targeted attacks designed to trick users into clicking on a malicious link delivered in an email message. The company said the flaw could be used to take actions on a user’s behalf on any website or webmail provider, if the user visits a malicious website. A spokesperson for the company said this particular attack only works against Internet Explorer on Windows.
Oracle has shipped a critical update that fixes at least 14 security vulnerabilities in its Java JRE software. The company is urging users to deploy the fixes as quickly as possible.
Computers running Microsoft’s antivirus and security software may be flagging google.com — the world’s most-visited Web site — as malicious, apparently due to a faulty Valentine’s Day security update shipped by Microsoft.
Not long after Microsoft released software updates to fix at least 21 security holes in its Windows operating system and other software, the company’s Technet support forums lit up with complaints about Internet Explorer sounding the malware alarm when users visited google.com.
The alerts appear to be the result of a “false positive” detection shipped to users of Microsoft’s antivirus and security products, most notably its Forefront technology and free “Security Essentials” antivirus software.
If you use Microsoft Windows, it’s time again to get patched: Microsoft today issued nine updates to fix at least 21 security holes in its products. Separately, Adobe released a critical update that addresses nine vulnerabilities in its Shockwave Player software.
Six of the patches earned Microsoft’s most dire “critical” rating, meaning that miscreants and malware can leverage the flaws to hijack vulnerable systems remotely without any help from the user. At least four of the vulnerabilities were publicly disclosed prior to the release of these patches.
Adobe has released a public beta version of its Flash Player software for Firefox that forces the program to run in a heightened security mode or “sandbox” designed to block attacks that target vulnerabilities in the software.
Sandboxing is an established security mechanism that runs the targeted application in a confined environment that blocks specific actions by that app, such as installing or deleting files, or modifying system information. The same technology has been built into the latest versions of Adobe Reader X, and it has been enabled for some time in Google Chrome, which contains its own integrated version of Flash. But this is the first time sandboxing has been offered in a public version of Flash for Firefox.
Security experts have spotted drive-by malware attacks exploiting a critical security hole in Windows that Microsoft recently addressed with a software patch. Separately, Symantec is warning users of its pcAnywhere remote administration tool to either update or remove the program, citing a recent data breach at the security firm that the company said could help attackers find holes in the aging software title.
