Archive for the ‘Security’ Category

Microsoft patches “Google hack” flaw in Internet Explorer

January 22nd, 2010

From Arstechnica:

Microsoft has issued a notification that it is releasing a patch tomorrow for Internet Explorer at approximately 10 am PST. The patch will fix vulnerabilities in IE6, IE7, and IE8 on supported editions of Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2, vulnerabilities notably exploited in the recent series of Chinese-based attacks against Google and 30 other tech companies.

The patch is now available via Windows Update and on the Microsoft Download Center. Here are all the links you need:

News, Security

osCommerce Security Warnings

December 23rd, 2009

In recent weeks there has been an increasing number of attackers exploiting a vulnerability in insecure osCommerce installations that allows access to the admin area without a password, usually resulting in spam mail-outs to your users.

As always, it is important to stay on top of security updates for all scripts, shopping carts included, and to be proactive in making sure you have taken adequate measures to secure your installation.

There are several useful threads on the osCommerce community forums discussing recent vulnerabilities in the different release versions of osCommerce, including the following topic with updated reference information for securing your osCommerce installation:

How to Secure your osCommerce Site – http://forums.oscommerce.com/index.php?showtopic=313323

Scripting & Coding, Security, Web Development

WordPress 2.8.6 Security Release

November 17th, 2009

WordPress was updated to version 2.8.6 last week, with a couple of new security holes patched. You can view full information about the new version on the WordPress Blog.

Users who installed WordPress using Fantastico can upgrade automatically through Fantastico, or of course automatically from the WordPress dashboard.

Security, Wordpress

WordPress Security Warning

September 7th, 2009

WordPress developers have warned users that their popular CMS is under attack from a ‘clever’ worm that automatically compromises unpatched versions of WordPress. The particularly nasty worm crawls the web for vulnerable WordPress installations, installing malware, deleting content, and generally wreaking havoc wherever it can on unpatched installations.

WordPress founder Matt Mullenweg eloquently implored WordPress bloggers to update more frequently. Originally, updating WordPress was a rather laborious process; newer versions offer fast and simple one-click upgrades. The two most recent versions of WordPress (2.8.3 and 2.8.4) cannot be attacked by the worm discovered this week, and blogs hosted at WordPress.com are also apparently immune.

Moral of the story, update and update often!

Blogging, CMS, Security, Wordpress

Joomla 1.5.14 Released

August 17th, 2009

The Joomla Project has announced the release of Joomla 1.5.14, which contains fixes for two material bugs that were introduced in version 1.5.13 and one low-level security issue. Instead of waiting for the normal 6 to 8-week release cycle, this release has been made available to users now, and all Joomla users are recommended to upgrade.

You can find the latest release or appropriate upgrade package by following the link below.

http://www.joomla.org/announcements/release-news/5244-joomla-1514-released.html

CMS, Joomla, PHP Applications, Scripting & Coding, Security, Web Development

WordPress 2.8.4 fixes Security Vulnerability

August 13th, 2009

WordPress has just patched a security vulnerability in version 2.8.3 that allowed anyone to remotely lock an admin user out by resetting their password with a specially crafted URL.

“The bug … is trivial to exploit remotely using nothing more than a web browser and a specially manipulated link. Typically, requests to reset a password are handled using a registered email address. Using the special URL, the old password is removed and a new one generated in its place with no confirmation required.”

WordPress quickly fixed the vulnerability in version 2.8.4 and it is recommended you patch as soon as possible. Full information is available at the link below and, as always, users managing their WordPress installations via Fantastico should follow the correct backup procedures before upgrading.

http://wordpress.org/development/2009/08/2-8-4-security-release/
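The 2.8.3 bug came down to how the key in the reset link was checked before the lookup: a key supplied as an array (key[]=) got past the emptiness test, and the value that reached the query matched an account with no pending reset, the admin being the first such row. The block below is an added illustration written in Python, not WordPress's PHP: it models that loose handler beside a hardened one that insists on a single, well-formed, pending key. The user table, the query-string parser and the PHP-style empty() helper are all constructed for the example.

```python
import hmac
import re
import secrets


def sample_users():
    """Constructed user table (not WordPress data). reset_key is empty unless a
    reset is pending, which is the state an account normally sits in."""
    return [
        {"id": 1, "login": "admin", "reset_key": "", "password": "admin-pw"},
        {"id": 2, "login": "alice", "reset_key": "abc123def456", "password": "alice-pw"},
    ]


def parse_query(qs):
    """Minimal query-string parser: 'key[]=x' becomes a list, 'key=x' a string."""
    params = {}
    for part in qs.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        if name.endswith("[]"):
            params.setdefault(name[:-2], []).append(value)
        else:
            params[name] = value
    return params


def php_empty(value):
    """PHP empty(): '' and [] are empty, but a one-element list is not, whatever it holds."""
    return value in ("", "0", None, 0, False) or value == []


def sanitise(value):
    """Strip everything but [a-z0-9]; applied element-wise to a list, as preg_replace does."""
    if isinstance(value, list):
        return [re.sub(r"[^a-z0-9]", "", v, flags=re.I) for v in value]
    return re.sub(r"[^a-z0-9]", "", value, flags=re.I)


def find_by_key(users, key):
    """'WHERE reset_key = ?' with a list argument bound as its first element."""
    if isinstance(key, list):
        key = key[0] if key else ""
    for u in users:
        if u["reset_key"] == key:
            return u
    return None


def reset_loose(users, qs):
    """Vulnerable: key[]= passes the emptiness check as a one-element list, the bound
    value is '', and the first row with no pending reset (the admin) matches.
    Returns the login whose password was replaced, or None."""
    key = sanitise(parse_query(qs).get("key", ""))
    if php_empty(key):
        return None
    user = find_by_key(users, key)
    if user is None:
        return None
    user["password"] = secrets.token_urlsafe(12)
    user["reset_key"] = ""
    return user["login"]


def reset_strict(users, qs):
    """Hardened: exactly one string key of the expected shape, matched in constant
    time against a pending key only, so an account that never asked for a reset
    can never be selected."""
    key = parse_query(qs).get("key")
    if not isinstance(key, str) or not re.fullmatch(r"[a-z0-9]{12,}", key, flags=re.I):
        return None
    for u in users:
        if u["reset_key"] and hmac.compare_digest(u["reset_key"], key):
            u["password"] = secrets.token_urlsafe(12)
            u["reset_key"] = ""
            return u["login"]
    return None


if __name__ == "__main__":
    print("loose, key[]=   ->", reset_loose(sample_users(), "action=rp&key[]="))
    print("strict, key[]=  ->", reset_strict(sample_users(), "action=rp&key[]="))
    print("strict, real key ->", reset_strict(sample_users(), "action=rp&key=abc123def456"))
```

The two fixes that matter are the type check (a reset key is a string or it is nothing) and refusing to match rows whose key column is empty; the constant-time comparison is cheap insurance on top.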

Blogging, News, Security, Wordpress

SSL under attack (again)

July 31st, 2009

LAS VEGAS. Earlier this year security researcher Moxie Marlinspike turned the world of SSL security on its head with a presentation at Black Hat DC. Here in Vegas, he is expanding his tool SSLstrip with a series of improvements that will make it even more powerful.

“On the web SSL is not usually encountered directly,” Marlinspike said. “It’s usually a redirect where someone types in bankofamerica.com (or any other site) and then they get forwarded to an SSL page.”

What the original SSLstrip tool did was take advantage of that redirect: sitting between the victim and the web, it keeps the victim's browser on plain HTTP while making the HTTPS connection to the real site itself, so the user sees the site work and never sees a warning. Marlinspike also noted that obtaining an ordinary SSL certificate is an automated process: the certificate authority does a whois lookup and contacts the domain's administrative contact.

“They only look for the root of the domain. They don’t give a shit about subdomains,” Marlinspike said.

As such, an attacker who owns attackersite.com can obtain a certificate for a name containing a null byte, such as www.bankname.com\0.attackersite.com: the authority validates the root domain attackersite.com, but a browser that handles the certificate's name as a C string stops at the null byte and sees www.bankname.com. The wildcard form *\0.attackersite.com matches any host. He commented that such a certificate gives SSLstrip great power, since the victim now sees what looks like a genuine certificate for the site. To make matters worse, he has also built in a technique to defeat the revocation check, so revoking the certificate does not help the victim's browser.

“In short, we’ve got your passwords, your communications and control over the software that runs on your computer,” Marlinspike said.

There is however a solution. In response to a question from the audience Marlinspike noted that all the SSL vendors would have to do is validate the whole domain, not just the last bit of it.
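Both halves of the attack described above, as an added example in Python that is not part of the original article or of Marlinspike's SSLstrip code: the CA-side check that looks only at the root of the requested name, a client that truncates the certificate name at a null byte beside one that compares the whole name, and the response rewrite that keeps a victim on plain HTTP. The certificate names and the redirect are constructed for the example; the null-prefix form www.bankname.com\0.attackersite.com is assumed from the talk, not taken from the page.

```python
import re

# Constructed certificate names, as the bytes of a Common Name would arrive in a certificate.
NULL_PREFIX_CN = b"www.bankname.com\x00.attackersite.com"
NULL_WILDCARD_CN = b"*\x00.attackersite.com"
HONEST_CN = b"www.attackersite.com"


def registrable_root(name):
    """The part a domain-validating CA checked before issuing: the last two labels."""
    labels = name.split(b".")
    return b".".join(labels[-2:])


def ca_would_issue(requested_cn, domain_owned_by_requester):
    """CA-side check as described in the talk: whois/admin contact on the root only,
    with no look at the labels in front of it."""
    return registrable_root(requested_cn) == domain_owned_by_requester


def _wildcard_match(pattern, hostname):
    """Name match where a leading '*' stands for exactly one label."""
    if pattern == b"*":
        return True                       # a bare '*' matches every host
    if pattern.startswith(b"*."):
        return (hostname.endswith(pattern[1:])
                and hostname.count(b".") == pattern.count(b"."))
    return pattern == hostname


def client_matches_cstring(cn, hostname):
    """Buggy client: the CN is handed to C string functions and ends at the first NUL."""
    return _wildcard_match(cn.split(b"\x00", 1)[0], hostname)


def client_matches_strict(cn, hostname):
    """Fixed client: the full, length-delimited name is compared and NUL bytes are refused."""
    if b"\x00" in cn or b"." not in cn:
        return False
    return _wildcard_match(cn, hostname)


HTTPS_REF = re.compile(rb"https://([A-Za-z0-9.-]+)")


def strip_https(body, location, stripped):
    """SSLstrip-style rewrite of one upstream response: every https:// reference becomes
    http://, and the host is added to `stripped` so the proxy fetches it over TLS itself
    when the victim follows the link."""
    def swap(m):
        stripped.add(m.group(1))
        return b"http://" + m.group(1)
    new_body = HTTPS_REF.sub(swap, body)
    new_location = HTTPS_REF.sub(swap, location) if location else location
    return new_body, new_location


def demo():
    """Runs the whole chain on the constructed names and a constructed redirect."""
    out = {}
    out["ca_issues_null_prefix"] = ca_would_issue(NULL_PREFIX_CN, b"attackersite.com")
    out["buggy_client_trusts_bank"] = client_matches_cstring(NULL_PREFIX_CN, b"www.bankname.com")
    out["buggy_client_trusts_any"] = client_matches_cstring(NULL_WILDCARD_CN, b"mail.example.org")
    out["strict_client_trusts_bank"] = client_matches_strict(NULL_PREFIX_CN, b"www.bankname.com")
    out["strict_client_honest"] = client_matches_strict(HONEST_CN, b"www.attackersite.com")
    stripped = set()
    body, loc = strip_https(b'<a href="https://www.bankname.com/login">Log in</a>',
                            b"https://www.bankname.com/login", stripped)
    out["stripped_body"] = body
    out["stripped_location"] = loc
    out["tls_upstream_hosts"] = stripped
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The fix Marlinspike points at in the next paragraph is the CA-side one (validate every label of the name, and refuse names with embedded null bytes); the strict client check is the belt-and-braces that browsers shipped afterwards.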

News, Security

Network Solutions Suffers Large Data Breach

July 26th, 2009

File Under “Faulty Plumbing”: For nearly three months, malware planted by hackers on servers operated by Network Solutions intercepted more than 573,000 credit and debit card numbers used to pay for services rendered by the domain registration and hosting provider.

Blogging, Domain Names, Domains, Security

Drupal Updates Released

July 3rd, 2009

Updates for Drupal versions 6.13 and 5.19 have been released this week, fixing a number of maintenance bugs as well as some critical security vulnerabilities.

As always, keeping your installations up to date is highly recommended. Follow the Drupal upgrade procedures and take a current, tested backup of your site before you begin.

CMS, PHP Applications, Scripting & Coding, Security, Web Development, drupal

Greylisting – The Next Step In The Fight Against Spam

June 18th, 2009

What is Greylisting?

Greylisting is a new method of blocking significant amounts of spam at the mail server level without resorting to heavyweight statistical analysis or other heuristic (and error-prone) approaches. Consequently, implementations are fairly lightweight, and may even decrease network traffic and processor load on your mail server.

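The mechanism the post only names, as an added example that is not part of the original: greylisting keys each delivery attempt on the triplet (client network, envelope sender, recipient), answers the first attempt with a temporary 4xx rejection, and accepts a retry that arrives after a short delay. Real mail servers queue and retry; most spam bots fire once and move on, so they never get through. The delay, retry window and whitelist lifetime below are typical values assumed for the example, and the traffic in run_scenario is constructed.

```python
DELAY = 300                  # seconds a never-seen triplet must wait before a retry is accepted
RETRY_WINDOW = 4 * 3600      # no retry within this window: forget the triplet (one-shot bot)
KNOWN_TTL = 36 * 24 * 3600   # a sender that retried correctly is passed straight through this long


class Greylist:
    """Greylisting decision state for one mail server."""

    def __init__(self, delay=DELAY, retry_window=RETRY_WINDOW, known_ttl=KNOWN_TTL):
        self.delay = delay
        self.retry_window = retry_window
        self.known_ttl = known_ttl
        self.entries = {}  # triplet -> {"first": t, "verified": t or None}

    @staticmethod
    def triplet(client_ip, sender, recipient):
        """Key on the client's /24 rather than the exact address, so a large site
        that retries from a sibling relay still counts as the same sender."""
        net24 = ".".join(client_ip.split(".")[:3]) + ".0/24"
        return (net24, sender.lower(), recipient.lower())

    def check(self, client_ip, sender, recipient, now):
        """Return the SMTP reply (code, text) for one RCPT TO attempt at time `now`."""
        key = self.triplet(client_ip, sender, recipient)
        entry = self.entries.get(key)
        if entry is None:
            self.entries[key] = {"first": now, "verified": None}
            return 451, "4.7.1 Greylisted, please retry later"
        if entry["verified"] is not None:
            if now - entry["verified"] <= self.known_ttl:
                entry["verified"] = now          # refresh the known sender
                return 250, "2.0.0 OK"
            self.entries[key] = {"first": now, "verified": None}  # went quiet too long
            return 451, "4.7.1 Greylisted, please retry later"
        age = now - entry["first"]
        if age < self.delay:
            return 451, "4.7.1 Greylisted, retry too early"
        if age > self.retry_window:
            self.entries[key] = {"first": now, "verified": None}  # far too late: start over
            return 451, "4.7.1 Greylisted, please retry later"
        entry["verified"] = now
        return 250, "2.0.0 OK"

    def expire(self, now):
        """Housekeeping: drop unverified triplets past the retry window and stale known ones."""
        for key, e in list(self.entries.items()):
            if e["verified"] is None and now - e["first"] > self.retry_window:
                del self.entries[key]
            elif e["verified"] is not None and now - e["verified"] > self.known_ttl:
                del self.entries[key]


def run_scenario():
    """Constructed traffic: a spam bot that fires once and a real MTA that queues and retries.
    Returns a list of (label, result) pairs."""
    g = Greylist()
    t0 = 1_000_000
    log = []
    # 1. Spam bot: one delivery attempt, never retries, so the message is never delivered.
    log.append(("bot", g.check("203.0.113.10", "offer@spam.example", "you@example.org", t0)[0]))
    # 2. Legitimate MTA: first attempt deferred, a premature retry deferred, a 15-minute retry
    #    from a sibling relay in the same /24 accepted.
    log.append(("mta-first", g.check("198.51.100.5", "alice@corp.example", "you@example.org", t0)[0]))
    log.append(("mta-early", g.check("198.51.100.5", "alice@corp.example", "you@example.org", t0 + 30)[0]))
    log.append(("mta-retry", g.check("198.51.100.6", "alice@corp.example", "you@example.org", t0 + 900)[0]))
    # 3. The next message from the same verified triplet passes without delay.
    log.append(("mta-next", g.check("198.51.100.5", "alice@corp.example", "you@example.org", t0 + 7200)[0]))
    # 4. Housekeeping a day later: the bot's triplet is gone, the verified one remains.
    g.expire(t0 + 86400)
    log.append(("entries", len(g.entries)))
    return log


if __name__ == "__main__":
    for label, result in run_scenario():
        print(f"{label}: {result}")
```

The cost is a delayed first message from every new correspondent, which is the trade-off the post's "lightweight" claim rests on: no content is inspected, only the sender's willingness to retry.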

Email, Security, Spam Protection

Botnet Targets DSL Modems & Routers

March 27th, 2009

“The people who bring you the DroneBL DNS Blacklist services, while investigating an ongoing DDoS incident, have discovered a botnet composed of exploited DSL modems and routers. OpenWRT/DD-WRT devices all appear to be vulnerable. What makes this worm impressive is the sophisticated nature of the bot, and the potential damage it can do not only to an unknowing end user, but to small businesses using non-commercial Internet connections, and to the unknowing public taking advantage of free Wi-Fi services. The botnet is believed to have infected 100,000 hosts.”

Taken from: Slashdot

Security

auDA is proud to partner with the Australian Consumer Fraud Taskforce in promoting National Consumer Fraud Week

March 3rd, 2009

One in 20 Australians is the victim of a scam each year.

During National Consumer Fraud Week, from March 2-8, the Australasian Consumer Fraud Taskforce, a group of 19 Australian and New Zealand government agencies, is raising awareness of fraud in the community.

The aim of the Taskforce is to work together to reduce the incidence and impact of frauds and scams, and each year it creates a co-ordinated information campaign for consumers, timed to coincide with global consumer fraud prevention activities.

Taskforce Chair and Australian Competition and Consumer Commission Deputy Chair Peter Kell says that while people are generally aware that scams occur, few think they will be the target.

“Most people know someone who has been scammed or lost money to fraud, but most people still don’t think it will happen to them, but anyone can be the target of a scam,” said Mr Kell.


News, Rambles, Security

Facebook users suffer viral surge

March 3rd, 2009

Facebook has been targeted by malicious hackers seeking to steal valuable data from members.

The social network site has been hit by five separate security problems in the last seven days, say security experts.

By creating fake messages padded with details of Facebook members the thieves are capitalising on the trust and social links that drive the network.

Security firms warn that the popularity of social networking sites makes them a tempting target for hi-tech thieves.

News, PHP Applications, Rambles, Scripting & Coding, Security, Software