Vulnerability in Internet Explorer Could Allow Remote Code Execution

April 27, 2014 – 11:20 AM

Microsoft is aware of limited, targeted attacks that attempt to exploit a vulnerability in Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9, Internet Explorer 10, and Internet Explorer 11.

The vulnerability is a remote code execution vulnerability. The vulnerability exists in the way that Internet Explorer accesses an object in memory that has been deleted or has not been properly allocated. The vulnerability may corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. An attacker could host a specially crafted website that is designed to exploit this vulnerability through Internet Explorer and then convince a user to view the website.

On completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a solution through our monthly security update release process, or an out-of-cycle security update, depending on customer needs.

We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. For information about protections released by MAPP partners, see MAPP Partners with Updated Protections.

Microsoft continues to encourage customers to follow the guidance in the Microsoft Safety & Security Center of enabling a firewall, applying all software updates, and installing antimalware software.

Source:
https://technet.microsoft.com/en-US/library/security/2963983

Verizon Wireless to expose customers’ browsing to advertisers

April 26, 2014 – 9:10 AM

As far as corporate notices go, they don’t get much creepier than this recent alert from US telco Verizon Wireless.

The company says it’s “enhancing” its Relevant Mobile Advertising program, which it uses to collect data on customers’ online habits so that marketers can pitch stuff at them with greater precision.

“In addition to the customer information that’s currently part of the program, we will soon use an anonymous, unique identifier we create when you register on our websites,” Verizon Wireless is telling customers.

“This identifier may allow an advertiser to use information they have about your visits to websites from your desktop computer to deliver marketing messages to mobile devices on our network,” it says.

The company will then share that additional data with marketers.

Joanne Schwartz, 65, of Tustin, California, received the Verizon Wireless notice last week.

“Verizon makes it seem like they are doing us a great favour,” she told me. But what the company is really doing, she said, is collecting data on her whole family’s computer usage and sharing it with its business partners.

Schwartz’s verdict: “Horrible.”

Even worse, Verizon is enrolling customers in the “enhanced” program by automatically downloading software onto their computers, which customers may not even know is happening.

Source:
http://www.smh.com.au/technology/technology-news/verizon-wireless-to-expose-customers-browsing-to-advertisers-20140426-zqzzq.html

3 Million Customer Credit, Debit Cards Stolen in Michaels, Aaron Brothers Breaches

April 17, 2014 – 5:48 PM

Nationwide arts and crafts chain Michaels Stores Inc. said today that two separate eight-month-long security breaches at its stores last year may have exposed as many as 3 million customer credit and debit cards.

The disclosure, made jointly in a press release posted online and in a statement on the company’s Web site, offers the first real details about the breach since the incident was first disclosed by KrebsOnSecurity on January 25, 2014.

The statements by Irving, Texas-based Michaels suggest that the two independent security firms it hired to investigate the break-ins initially found nothing.

“After weeks of analysis, the Company discovered evidence confirming that systems of Michaels stores in the United States and its subsidiary, Aaron Brothers, were attacked by criminals using highly sophisticated malware that had not been encountered previously by either of the security firms,” the statement reads.

Source:
http://krebsonsecurity.com/2014/04/3-million-customer-credit-debit-cards-stolen-in-michaels-aaron-brothers-breaches/

LaCie admits to year-long credit card breach

April 15, 2014 – 6:14 PM

LaCie is the latest major retailer and tech company to find itself the target of a major security breach by unknown assailants.

The French hardware company confirmed in a statement on Tuesday that malware had gained access to sensitive customer information from transactions on its website.

Here’s where things get really bad: Virtually everyone who shopped on LaCie’s website in the last year is at risk.

LaCie, which is set to merge with American hard drive maker Seagate, said it was informed about the breach on March 19, 2014 by the FBI.

But the hardware company said that all transactions between March 27, 2013 and March 10, 2014 may have been affected.

Brian Krebs, the former Washington Post reporter who first broke the Target security breach story last winter, reiterated on his security blog on Tuesday that he had previously published evidence about the LaCie attack last month.

Krebs said that the digital storefront had “been compromised by a group of hackers that broke into dozens of online stores using security vulnerabilities in Adobe’s ColdFusion software.”

Source:
http://www.cnet.com/news/lacie-admits-to-year-long-credit-card-breach/#ftag=CAD590a51e

The Heartbleed Bug

April 7, 2014 – 8:23 PM

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows an attacker to steal information that, under normal conditions, is protected by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of systems protected by vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users, and the actual content. It allows attackers to eavesdrop on communications, steal data directly from services and users, and impersonate services and users.

Source:
http://heartbleed.com/

(Patch OpenSSL now!)
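A first triage step for the "patch now" advice above is to check which OpenSSL build a host is running. The script below is an added example, not code from heartbleed.com or the OpenSSL project; it parses the banner printed by `openssl version` and flags the releases known to contain the heartbeat bug (1.0.1 through 1.0.1f and 1.0.2-beta1; 1.0.1g, the 1.0.0 branch and the 0.9.8 branch are not affected). The sample banners are constructed for the test.

```python
import re
import subprocess

# Banner format: "OpenSSL 1.0.1f 6 Jan 2014" or "OpenSSL 1.0.2-beta1 24 Feb 2014".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)(?:-beta(\d+))?")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter, beta) from an `openssl version` banner."""
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("unrecognised OpenSSL version banner: %r" % banner)
    major, minor, fix, letter, beta = m.groups()
    return (int(major), int(minor), int(fix), letter, int(beta) if beta else None)


def is_heartbleed_version(banner):
    """True if the banner names a release that shipped the Heartbleed bug."""
    major, minor, fix, letter, beta = parse_openssl_version(banner)
    if (major, minor, fix) == (1, 0, 1):
        # 1.0.1 (no letter) and 1.0.1a..1.0.1f are vulnerable; 1.0.1g fixed it.
        # An empty letter compares below "g", so bare 1.0.1 is flagged too.
        return letter < "g"
    if (major, minor, fix) == (1, 0, 2):
        # Only the first 1.0.2 beta carried the bug.
        return beta == 1
    # 1.0.0, 0.9.8 and everything newer than 1.0.1g never had the bug.
    return False


def check_local_openssl():
    """Run `openssl version` on this host and classify the result.

    Caveat: distributions such as Debian, Ubuntu and RHEL backport the fix
    without changing the upstream version letter, so a "vulnerable" verdict
    here must be confirmed against the package changelog or a live test.
    """
    banner = subprocess.check_output(["openssl", "version"]).decode().strip()
    return banner, is_heartbleed_version(banner)


# Constructed sample banners used to exercise the classifier.
SAMPLE_BANNERS = [
    "OpenSSL 1.0.1f 6 Jan 2014",        # vulnerable
    "OpenSSL 1.0.1g 7 Apr 2014",        # fixed release
    "OpenSSL 1.0.2-beta1 24 Feb 2014",  # vulnerable beta
    "OpenSSL 1.0.0l 6 Jan 2014",        # unaffected branch
]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print("%-35s vulnerable=%s" % (b, is_heartbleed_version(b)))
```

The version check is a heuristic for vendor-patched builds; treat a "vulnerable" result as a prompt to confirm, not as proof.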