Up Front: Patent scuffles, psychos with iPod Shuffles, and earnings kerfuffles
Microsoft-Yahoo: Carl Icahn weighs in
Morning of July 20, 2009 • Still no official word on that rumored deal between Microsoft and Yahoo on the advertising front, but Reuters phoned up one of the heavy hitters and asked him for his thoughts last week. It's probably no surprise that principal Yahoo investor Carl Icahn, though not willing to discuss anything current, still seems inclined to make a deal -- even if it wasn't the deal he tried to broker for the two companies in 2008.
Google addresses its own security bugs in Chrome stable release update
The stable channel for Google's Chrome Web browser (Chrome 2) has not seen a lot of action in recent weeks, perhaps indicating just how stable it has been. But a pair of exploitable defects that Google's engineers rate as "high" and "critical" have prompted the company to issue an automatic update to its deployed Chrome 2 Web browsers, beginning after midnight last night.
Although code running in Chrome is supposed to be tightly sandboxed, as engineers admitted very early this morning, the possibility existed for a maliciously crafted regular expression (RegEx, used in local searches) to generate a heap overflow, creating a situation where arbitrary code could be executed without the need for privilege. That was the "high" problem, which could lead to the ability to trigger the "critical" problem: An already compromised browser could then be maliciously maneuvered into allocating inordinately colossal memory buffers, thus slowing down the computer (denial of service) and possibly crashing the browser along the way.
Elance data breaches by parties unknown (but possibly Ukranian)
A data breach affecting users' contact information has been uncovered at Elance, an online contractor-gig site used by many tech professionals. A notice was sent out to various registered members and reposted to a Trust & Safety page of the site on Thursday.
According to the notice, some of the information in the pilfered data table -- which includes names, phone numbers and the like but not bank information or Social Security numbers -- has turned up on an unrelated site called outsourcingroom.com.
What's Now: Society's to blame for the pilfering of Twitter
Twitter, Google Apps, TechCrunch -- Why can't everyone be to blame for that hack?
The morning after the morning after... • Watching TechCrunch spool out those 300-odd documents lifted from Twitter has been fascinating; the two companies have been talking throughout the process about what is and isn't reasonable to reveal. Very socially-networked of them, as TheNextWeb points out. (Or, says Biz Stone, not.) Now, whom shall we keelhaul for all this?
Security and the e-textbooks proposal
I have a test of nerves for you. I want you to go grab $200 in twenties and some plastic wrap. (Look in the kitchen for the plastic wrap; you're on your own for the cash.) Wrap the cash in the plastic. Now find a kid, preferably one of about elementary-school age. An assortment of kids of various ages is better, if you have multiple instances of plastic-wrapped bills, though the ease of finding extra cash around the house is of course inversely related to the number of kids present.
Each child should come naturally equipped with a backpack, which they use to haul stuff to school, playdates, and the homes of other family members as well as for random covert storage purposes. Now, I want you to reach into each backpack (don't be scared!) and place a plastic-wrapped bundle of money in there. Tell the child that the money is her responsibility from now on; it must be present and accounted for at all times; they will spend much of every day looking at it but will not be allowed to use it as they please; damaged money or plastic will get the child into trouble.
First TraceMonkey vulnerability poses new priorities for Firefox 3.5.1
Developers on the "Shiretoko" track for Mozilla's new open source Firefox 3.5 Web browser now have very good reason to expect a ship date for the first round of bug fixes and vulnerabilities. A very big vulnerability has turned up in just the wrong place: a public site for posting exploits.
The problem is a new permutation of an old exploit technique that, ironically, was first brought to prominence in 2006 by a package called "Internet Exploiter." It's called a heap spray, comprised of shellcode that's set to be distributed into an area in blocks, a bit like spraying bricks into a wall. The resulting pattern may contain executable code that can be triggered through an overflow; and in this case, it's version 3.5's embedded font support, using the <FONT> tag, that's the trigger.
Office Web Components vulnerability flaps in the breeze
Tomorrow, Microsoft has a Patch Tuesday collection slated to include a fix for a hole known to Microsoft and outside security researchers for nearly a year and a half. Today, Redmond's got another, newly revealed, major flaw to contend with.
The vulnerability in Office Web Components' ActiveX implementation, versions 10 and 11, is currently known to be under attack, according to a post by Fermin J. Serna of Microsoft Security Response Center's Engineering team. If a user running Internet Explorer goes to a malicious Web site that hosts the exploit, the attacker could gain whatever rights the user has (translation: owned) and execute malicious code in the usual fashion.
What's Now: Angry day around the Net includes Microsoft, Apple, Amazon, Mono
Microsoft has known about 0-day vulnerability for months
Since spring 2008 • Really, Microsoft? All the work you've put into getting right with the security community, and this is the result? Computerworld's mighty Gregg Keizer leads the charge on the news that Redmond has known about the recently publicized DirectX vulnerability for years. Years.
GAO pen test brings the hammer down on federal rent-a-cops
I have a little personality test for you today: Which of the following GAO findings released Wednesday made you laugh hardest about the Federal Protective Service's contract security guard program?
· The armed guard photographed at a Level IV (high volume / high public contact / high sensitivity) facility asleep at his desk after taking Percocet, a bottle of which is in front of him in a photo in the GAO report;
What's Next: Chrome OS will have at least some friends in high places
The problem with awful neighbors is that the drama never ends, as South Korea would doubtless be the first to tell you. Officials there, having scanned the code that powered the recent DDoS attacks on that nation (and, apparently, the US), were braced for attacks Thursday afternoon (local time) on seven agencies.
South Korea under cyber-attack again
Data sharing among online advertisers: Is sanity in sight?
[Before we start, a note to everyone expecting a column about the Social Security Guess Mess: Something's come up re the topic and I'm going to hold off for a bit while I figure out if it's an interesting "something." Thanks for your interest and stay tuned.]
The paper titled "Self-Regulatory Program for Online Behavioral Advertising," brought to you by the four largest online advertising trade associations, is 15 pages long and includes sentences such as "The Principles apply to online behavioral advertising, defined as the collection of data online from a particular computer or device regarding Web viewing behaviors over time and across non-affiliate Web sites for the purpose of using such data to predict user preferences or interests to deliver advertising to that computer or device based on the preferences or interests inferred from such Web viewing behaviors."
What's Next: Circling the wagons against cell phone exclusivity deals
Hey, guess what? Your Social Security number!
Afternoon of Monday, July 6, 2009 • Carnegie Mellon researchers have run the numbers, and with information on just your date and place of birth, they can predict with decent accuracy some or all of the digits of your Social Security number. The problem's especially severe for the 21-and-under crowd, whose numbers were uniformly assigned soon after birth and therefore conform especially closely to certain well-known numbering patterns. The authors of the survey said they were able to ID all nine numbers of test subjects' SSN in fewer than 1,000 tries for 8.5% of that population, making those numbers "no more secure than a three-digit PIN." In smaller states such as Delaware, they could guess 1 out of 20 numbers in 10 or fewer attempts. The research is available at the link above and will be presented today (Tuesday) on the Proceedings of the National Academy of Sciences. The authors will also present at Black Hat later this month.
Don't wait for Microsoft's patch: Secure Windows now from Monday's 0-day
There's an old ActiveX control hanging around many Windows systems that's still accessible to Internet Explorer, whose original purpose was to tune into MPEG2 transport streams -- typically live video streams sent from a server using MPEG2 format. Yes, MPEG2 transport streams still exist, but any more, browsers including IE8 have appropriate plug-ins to handle them -- Windows Media Player is one, Apple's QuickTime is another.
But still there's this ActiveX control sitting there doing nothing, waiting to be leveraged for an attack. Earlier today, Microsoft acknowledged a SANS Internet Storm Center report saying that there's an active exploit of this disused bit of functionality published on Chinese Web sites. Apparently malicious users are utilizing it now in "drive-by" attacks that could result, say security experts including Sophos' Graham Cluley, in installation and execution of nearly any malicious payload.
Symantec goes live with Norton 2010 betas
Fire in downtown Seattle data center knocks out businesses, online services
A fire that started at around 11:15 PDT Thursday night has taken a wide assortment of Seattle businesses, media outlets, and government services offline. It's believed that a fire in a data center at Fisher Plaza set off the automatic sprinklers, which in turn soaked the generators.
A partial list of affected businesses in Seattle shows the importance of the Fisher vault, which is located near Seattle Center and the Space Needle. (Grey's Anatomy fans will believe it to be the location of Seattle Grace.) The payment service provider Authorize.net was knocked out; that company has set up a Twitter account to keep clients posted as they work their way back online. Adhost.com is also offline, right down to the phone system.
© 1998-2026 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.
