Vista Service Pack Patched

June 26, 2008 – 11:12 AM

Microsoft has released a reliability update for Windows Vista Service Pack 1 (SP1) that fixes several bugs in the OS update, including one that threw off errors when users tried to run large applications, such as Microsoft’s own Excel 2007 and Windows Media Player.

The update, which Microsoft posted Tuesday to its download servers, will be pushed to users automatically next month via Windows Update, a company engineer said on a support forum yesterday.

Although Microsoft regularly issues reliability updates separate from its normal monthly security fixes, this is the first time it has released one specifically for Windows Vista SP1. Microsoft released Vista SP1 to the general public in late March.

Among the fixes included with the update is one that Microsoft characterized as an issue “in which large applications cannot run after the computer is turned on for extended periods of time,” according to an accompanying description of the update’s contents. “For example, when you try to start Excel 2007 after the computer is turned on for extended periods of time, a user may receive an error message that resembles the following: EXCEL.EXE is not a valid Win32 application.”

Users reported the problem on a Vista support forum as early as April 1, claiming that they saw the error message when trying to run Office 2007 applications, including Excel and Access, as well as when launching Vista’s built-in screen capture tool and Windows Media Player.

Read the rest of the story…

Google Calendar Phishing

June 26, 2008 – 10:54 AM

A couple of minutes ago an interesting attempt to phish for Google account credentials made it to my inbox. It had me blink my eyes because while I suspected phishing there were some things with this one that had me check twice to see how it’s done, as things looked quite official on the surface. As you may know, phishing emails are sent out by abusers to make the recipient in some way reply with their password or click through to enter their password, but the more official looking they are, the more easily they’re believed.

Read the rest of the story…

Zero-day flaw haunts Internet Explorer

June 26, 2008 – 5:58 AM

An unpatched cross-domain vulnerability in Microsoft’s flagship Internet Explorer browser could expose Windows users to cookie hijacks and credentials theft attacks, according to a warning from security researchers.

The zero-day flaw, which has been reported to Microsoft, is a variation of the issue presented in Eduardo Vela’s IE Ghost Busters talk:

Do you believe in ghosts? Imagine an invisible script that silently follows you while you surf, even after changing the URL 1,000 times and you are feeling completely safe. Now imagine that the ghost is able to see everything you do, including what you are surfing and what you are typing (passwords included), and even guess your next move.

No downloading required, no user confirmation, no ActiveX. In other words: no strings attached. We will examine the power of a resident script and the power of a global cross-domain. Also, we will go through the steps of how to find cross-domains and resident scripts.

Details of the new variation have been posted online by the Ph4nt0m Security Team (translation here).

It affects Internet Explorer 6 on Windows XP SP2 and SP3. The new IE 7 browser is not affected because Microsoft changed the way JavaScript protocol URLs are handled to prevent these types of attacks.

Read the rest of the story…

Yahoo fixes email cross-site scripting flaw

June 26, 2008 – 5:53 AM

Yahoo has fixed a vulnerability that could allow a hacker to get access to a person’s webmail account.

The problem was in the way Yahoo’s mail interacts with version 8.1.0.209 of its IM application, according to web application security company Cenzic.

Cenzic notified Yahoo of the problem in May, and the company has now fixed it.

If a hacker using the IM application starts chatting with a victim who is using the IM function of Yahoo’s web email, a new chat tab is opened in the victim’s web browser. The attacker can then manipulate his presence status message to send a malicious script via IM. That script would then be executed in the context of Yahoo’s email service on the person’s PC.

The script can reveal the victim’s session ID to the attacker, who can then get access to information stored in that account, Cenzic said.

Cenzic classified the vulnerability as a cross-site scripting flaw, where scripts or commands from one web application that shouldn’t run in another are successfully executed. Security experts contend that cross-site scripting vulnerabilities are rampant on websites, posing dangerous risks to web users.

Read the rest of the story…

VoIPER 0.06 released

June 25, 2008 – 6:54 PM

VoIPER is a security toolkit that aims to allow developers and security researchers to easily, extensively and automatically test VoIP devices for security vulnerabilities. It incorporates a fuzzing suite built on the Sulley fuzzing framework, a SIP torturer tool based on RFC 4475 and a variety of auxiliary modules to assist in crash detection and debugging.

Download here…