ActiveX
ActiveX
Component Object Model (COM) is a Microsoft platform for software componentry introduced by Microsoft in 1993. It is used to enable interprocess communication and dynamic object creation in any programming language that supports the technology. COM is often used in the software development world as an umbrella term that encompasses the OLE, ActiveX, COM+ and DCOM technologies. Although COM was introduced in 1993, Microsoft did not begin emphasizing the name COM until 1997.
Definitions provided by Wikipedia - The Free Encyclopedia
ActiveX Related Products
ActiveX Related Industry News
Microsoft deactivates ActiveX If a single technology could represent Microsoft's past preference for features over security, that technology would likely be ActiveX. Microsoft introduced the scripting language as a way to create interactive Web site components. But while many Web sites use ActiveX components or controls for that purpose, more malicious sites could use ActiveX to run code on a visitor's computer.
For years, security experts have complained that Microsoft's introduction of Ac......
[more] Virus alert: Bagles all round as four more appear The Bagle computer virus has almost run out of letters of the alphabet. Virus writers' penchant for modifying the source code for the program has resulted in four new variants -- Bagle.Q, Bagle.R, Bagle.S and Bagle.T -- in the past two days, antivirus firms have confirmed.
The viruses attempt to use an ActiveX vulnerability, discovered in August, to automatically upload and run a program on the victim's computer, without needing the user to r......
[more] Flaw stymies Norton Internet Security A software component of Norton Internet Security could allow hackers to use the application as a backdoor into a person's computer system, security researchers warned Friday. The flaw occurs in an ActiveX component used by security firm Symantec's flagship desktop security program, Norton Internet Security, according to an advisory published by research firm NGSSoftware. The security hole could be used to run an attack program that would then take control o......
[more] Scripting flaws threaten Norton software Symantec has released a fix for a pair of potentially troublesome flaws that create a mechanism to turn its Norton security software packages against their owners.
The vulnerabilities have not yet been coded into script-kiddie-friendly packages and Symantec is not aware of any malicious exploitation. But there's no reason for complacency about the "high risk" flaws.
The flaws include a buffer overrun vulnerability in Norton AntiSpam 2004 and a re......
[more] Net watchers wary of Sasser fallout Although the damage wrought by Sasser failed to reach the levels of MSBlast and other major infections, security experts are warning that there could still be more trouble to come from the worm. One researcher said Thursday that the group of online vandals suspected of creating both the Sasser worm and several variations of the Netsky virus could combine the two threats.
The resulting blended threat could dodge security inside corporate systems via e-mail......
[more] Web Braces for Netsky.V's Attack Worm's latest variant exploits old vulnerabilities and spreads without an attachment. The latest variant of the hugely effective Netsky series of worms is causing trouble by spreading without the use of an attachment. Slipping past many e-mail gateways, it can launch simply by being viewed in an e-mail program.
Rather than attaching the worm's executable code to an e-mail message, Netsky.V uses two separate vulnerabilities in Microsoft software to download th......
[more] HTML e-mail not worth the risk Many people are sending HTML e-mail for no obvious reason or benefit. HTML e-mail can be recognized by colored backgrounds or typefaces. It sometimes has designs or other decorations in the messages. Unfortunately, HTML e-mail is a security risk.
HTML messages can easily contain unwanted, mislabeled links, Web bugs, harmful active content, and outright worms and viruses.
Richard Smith warned of emerging e-mail vulnerabilities in 1999, when he listed dozens......
[more] Symantec Warns Of Flaw In Antivirus Program The flaw within Norton AntiVirus 2004 could let attackers take over a system and disable the application. Symantec Corp. is warning its customers about a security vulnerability within its antivirus application. The Internet security vendor ranks the flaw as "medium," while security research group Secunia pegged the flaw as "moderately critical."
The flaw, which resides within Symantec's Norton AntiVirus 2004 application, could let attackers run code......
[more] When spyware crosses the line One of my friends called me in a panic the other day. It seems his eight-year-old daughter was surfing the Internet, searching for Barbie dolls, games designed for children, and other things of interest to eight-year-old girls, when something bad popped up on the screen. She may not have understood what she saw, but she knew it was bad and so she called Mom and Dad.
You can probably guess what popped on the screen. That's right, a page with explicit, graphic por......
[more] When spyware crosses the line One of my friends called me in a panic the other day. It seems his eight-year-old daughter was surfing the Internet, searching for Barbie dolls, games designed for children, and other things of interest to eight-year-old girls, when something bad popped up on the screen. She may not have understood what she saw, but she knew it was bad and so she called Mom and Dad.
You can probably guess what popped on the screen. That's right, a page with explicit, graphic por......
[more] IT Admins Find Breaking Up with IE Hard to Do Frustrated by the barrage of security problems surrounding Microsoft Corp.'s Internet Explorer, some enterprises are looking for ways to prevent employees from using the dominant browser and are casting about for alternatives.
But as they turn to removing the browser as a safeguarding measure, some are finding the task not so simple. In fact, doing so can trigger a cascade of negative consequences.
That's because the file at the heart of IE, ie......
[more] XP SP2 glitches to trip up one in 10 upgrades - report One in 10 corporate PC users will encounter difficulties in upgrading to Windows XP Service Pack 2, according to AssetMetrix. Smaller firms will be hit hardest by compatibility problems between their applications and the much anticipated update of Microsoft's flagship operating system, the Canadian asset management firm says.
Microsoft has issued a list of applications that require modification in order to work properly with XP SP2. The li......
[more] 'Drag-and-Drop' IE Flaw Persists Microsoft officials confirmed the existence of two vulnerabilities within Internet Explorer 6.0 that affect all versions of Windows, including Windows XP Service Pack 2 users.
It's a continuation of the "drag-and-drop" flaw security officials at Microsoft have spent more than two months fixing.
The flaws, rated "highly critical" by security outfit Secunia Research in a report Wednesday, when used in conjunction, can allow the owner of a Web site to dump a mali......
[more] ActiveX often marks spyware spot A technology called ActiveX is the main reason Microsoft's dominant Internet Explorer browser has become so susceptible to invasive spyware, security experts say.
ActiveX, which permits an outsider to silently upload programs to a Web-connected computer via the browser, has become the tool of choice for spyware distributors.
The most common type of spyware — called adware — tracks Web-surfing habits and reports back to advertisers. But cybercrooks are increasi......
[more] Is Microsoft creating tomorrow's IE security holes today? Internet Explorer's problems can be traced to Microsoft's shortsightedness during the browser wars of the 1990s. Is the company sowing tomorrow's security woes today? One day early last summer, I looked out my window and saw my neighbor planting a seedling just two feet from the side of his house. I knew that decades from now this particular type of tree would grow huge, and being that close it would certainly damage his house's foundatio......
[more] Spyware still hijacking Internet Explorer Beware CoolWebSearch, a spyware program that can change IE's security settings and wreak havoc on your system Anti-spyware companies have warned users to be aware of a malicious program that hijacks Web searches and disables security settings in the Internet Explorer (IE) browser.
According to anti-spyware company Webroot on Tuesday, spyware program CoolWebSearch self-installs malicious HTML applications and exploits security flaws in IE.
"This has ve......
[more] Worst spyware queues up CoolWebSearch is most dangerous item on a top 10 list of the worst spyware and adware programs. Beware of CoolWebSearch, a program that can change Microsoft Internet Explorer's security settings and wreak havoc on computers.
Anti-spyware company Webroot Software said Tuesday that CoolWebSearch self-installs malicious HTML applications and exploits security flaws in IE.
"This has vexed all of us," said Nick Lewis, managing director of Boulder, Colo.-based Webroot. "For......
[more] Netsky Takes The Biggest Worm Of 2004 Award Although getting anti-virus vendors to agree is like getting Bill O'Reilly and Michael Moore to share a cab, it seems Netsky has the dubious honor of taking the top spot of most 2004 threat rankings.
According to Helsinki-based security firm F-Secure, Netsky.p, a variation that debuted in March 2004, was the most common piece of malicious code in the wild, accounting for nearly one in four (24.3 percent) viruses or worms. Four other Netsky variants m......
[more] Study Urges Corporate Caution Before Downloading Firefox Popular new browser is not immune to attacks, researchers say. Companies should think twice before jumping on the Firefox bandwagon, says a respected research group.
The open-source browser has been gaining market share steadily over the past few months, helped by industry support and user enthusiasm, but Firefox isn't the unstoppable juggernaut it might seem, according to a recent Gartner study.
Browser switching is taking place at the......
[more] Microsoft warns of unpatched IE flaw Microsoft has issued a security advisory for Internet Explorer, after a research firm published a working exploit to demonstrate how attackers could take advantage of the flaw. The vulnerability, discovered by SEC Consult, mean that attackers could cause the browser to unexpectedly exit and execute arbitrary code. Versions of IE affected by the flaw include IE 6.0 on Windows 2000 with Service Pack 1, 3 and 4, and on Windows XP with Service Pack 1 and 2.
"M......
[more] Microsoft to offer fix for another IE vulnerability Microsoft has released software that can be used to mitigate a critical vulnerability in Internet Explorer. The bug, which concerns the way IE handles ActiveX components, can cause the browser to crash and could be used by an attacker to run unauthorised software on the IE user's machine, according to Microsoft.
The company has released software that in the registry disables a file called Javaprxy.dll, which is used to run these components in......
[more] Microsoft's Piracy Check Hacked Again Yet another hack that claims to circumvent Microsoft's mandatory Windows Genuine Advantage (WGA) piracy check has been posted to the Internet.
WGA is intended to crack down on pirated use of Windows by requiring validation before letting users download non-security software from Microsoft. But according to the Web site noted in a posting to the Full Disclosure mailing list last Thursday, users can easily side-step the check by generating a code on a PC run......
[more] Microsoft gets hacker feedback on IE Version 7 Beta 2 It sought advice at the Hack in the Box Security Conference Microsoft Corp. showed off the preliminary work it has done on the second beta version of its popular Internet Explorer Version 7 at the Hack in the Box Security Conference in Kuala Lumpur, Malaysia, and came away with good feedback, company officials said today.
"It's the first time we've ever come out ahead of a product release to present and get feedback," said Tony Chor, group p......
[more] Microsoft in about-turn on hackers Microsoft has stepped into the lion's den and revealed some the work that's been done on Internet Explorer 7 to a group of hackers.
The company showed the beta at the Hack in the Box Security Conference in Kuala Lumpur, Malaysia and was pleased with the result.
"It's the first time we've ever come out ahead of a product release to present and get feedback," said Tony Chor, group program manager at Microsoft's Internet Explorer team.
Chor, and colleague Andr......
[more] Microsoft fixes smorgasbord of IE flaws Microsoft on Tuesday provided a fix for a "critical" security flaw in Windows that is being exploited in online attacks against Internet Explorer users.
The software maker released the patch in security bulletin MS05-054, as part of its monthly patching cycle. The update also plugs three other security holes in Internet Explorer. One of the other flaws is also deemed critical but Microsoft said it is not aware of any malicious code that takes advantage o......
[more] You've got problems: AOL patches photo flaw America Online users may want to upgrade to the latest version of the company's software following the discovery of a critical flaw in the AOL suite of client software. The bug, which was reported Monday on the FrSIRT (French Security Incident Response Team) Web site, could be used by attackers to run unauthorized software on an unpatched computer.
The flaw concerns an ActiveX control in AOL's YGP Picture Finder Tool, used by AOL's You've Got Pictur......
[more] OS X attracting hacker attention Apple may become the victim of its success as increased sales, high profile, and its move to the Intel architecture so familiar to Windows hackers put the spotlight on OS X as this year's hacker target.
SecurityFocus reports that a recent SchmooCon hacking conference resulted in a security researcher having his own Apple laptop hacked, despite having all reasonable security precautions in place. However, subsequent investigation revealed no clue as to how this......
[more] Microsoft Unveils "Non-Security" Update For IE Microsoft Tuesday updated Internet Explorer 6 for Windows XP SP2 and Windows Server 2003 SP1, but denied that the changes were security related. "The update is labeled as 'non-security' given that it does not include any new updates that affect the security of IE," said a company spokesman Tuesday afternoon.With the update in place, IE 6 won't run some ActiveX controls until they've been explicitly enabled by the user. Last December, Micr......
[more] Bumper crop of Microsoft patches on the way Microsoft customers should brace for an onslaught of security updates. As part of a monthly patching cycle, the software maker plans to release on Tuesday a dozen security bulletins with fixes for flaws. Nine of the bulletins address problems in Windows, two relate to Office and one to the Exchange e-mail server software. At least one of the Windows and one of the Office alerts is deemed "critical," Microsoft's highest risk rating, the compa......
[more] Office hit by another security problem A weakness in how Office applications handle Macromedia Flash files exposes Microsoft customers to cyberattacks, experts have warned. Flash files embedded in Office documents could run and execute code without any warning, Symantec said in an alert sent to customers on Thursday. The security issue is the third problem reported within a week that affects Microsoft Office users. "A successful attack may allow attackers to access sensitive information an......
[more] ActiveX security faces storm before calm HD Moore is at it again.Using a custom-built data fuzzing tool, the security researcher pinpointed more than 100 vulnerabilities in the ActiveX controls included with the default installation of Microsoft's Windows XP operating system.Data fuzzing tools combine knowledge of the input parameters accepted by a software package with a tenacious and systematic mangling of the data to discover how applications react to various permutations, whether valid or i......
[more] Warnings grow over unpatched IE flaw Security experts warn a new, unpatched vulnerability in Internet Explorer might be used to spread malware. A flaw in Microsoft's Direct Animation Path (daxctle.ocx) ActiveX control, rated as critical by Secunia and other security watchers, has spawned proof of concept code but has not yet become the subject of widespread, hostile attack. Memory corruption is possible even on a fully patched Windows XP system.A patch is unlikely until next month's Patch Tuesd......
[more] PowerPoint exploit adds to Microsoft's busy week Another exploit for a popular Microsoft program has been found in the wild during an already hectic week for the software giant. Experts from McAfee's Avert Labs said on a company blog this week that they found a new exploit for Microsoft PowerPoint in the wild. Microsoft Office 2000, XP and 2003 are affected by the exploit, virus researcher Craig Schmugar said on Avert Labs' blog. News of the new exploit came during a week when Redmond had alread......
[more] Learn about Vista's changes to user security Vista's long-awaited release is getting closer, and Mike Mullins is taking the opportunity to look at some of the changes to user security controls you can expect in Microsoft's newest OS. Get the scoop in this edition of Security Solutions. As the long-awaited release of Windows Vista approaches, it's a good idea to get acquainted with some of the security enhancements we can expect in Microsoft's latest operating system. With Vista, Microsoft has m......
[more] Unofficial patches defend against further IE flaw Two groups of security researchers have released unofficial patches designed to protect surfers against an outstanding Internet Explorer vulnerability in the absence of available security updates from Microsoft.The Zeroday Emergency Response Team (ZERT), a new ad-hoc group of security pros that came to prominence with the release of an unofficial fix designed to address a Vector Markup Language (VML) component vulnerability in IE, released a pat......
[more] Microsoft to fix Windows, Office security flaws With hackers exploiting unpatched vulnerabilities in its Windows and Office software, Microsoft plans to issue 11 security updates next Tuesday. Some of the Office and Windows updates will be for critical flaws that could be exploited by attackers with no action on the part of users. Six of the patches will be for Windows, and four of them will be for Office, Microsoft said Thursday in a note on its Web site. The 11th update will be for a fla......
[more] Microsoft Plans Nearly Dozen Patches Critical vulnerabilities in Microsoft's (Quote, Chart) Windows operating system and the widely-used Office application suite are part of 11 patches slated to be released next week, according to a Microsoft. Six of the patches -- at least one deemed critical by Microsoft -- affect Windows users, while four address vulnerabilities in Office, one of them critically important. Another security bulletin targets a moderate security risk in Microsoft's .NET (d......
[more] SurfControl Warns Internet Users of a Malicious Web Site Posing as Italian Google Site SurfControl (LSE: SRF), the leading provider of global on-demand, network and endpoint IT security solutions, is currently tracking a malicious Web site posing as the Italian Google site. The spoofed Web site utilizes typosquatting, a technique that mimics a legitimate looking domain and delivers a fraudulent Google page that looks identical to the original. The fraudulent Google site attempts to install Acti......
[more] Prepare for Internet Explorer 7 After one of the most widely tested beta products in Microsoft's history and trial downloads by millions of users, Internet Explorer 7 Version 1.0 is finally ready. The tentative release date is Oct. 18, followed by Windows Update and Automatic Updates availability on Nov. 2So come that day, IE 7 will start appearing in a large percentage of the world's auto-patching inboxes. Although users and administrators will not be forced to install it (there are several wa......
[more] New, critical Microsoft Windows 0-day appears Another new zero-day exploit for Microsoft systems has appeared, capable of compromising fully patched IE 6/7 systems when a user visits a malicious website.Microsoft has issued an advisory on the ActiveX vulnerability and exploit, first discovered by Secunia and labeled as "extremely critical." All Microsoft systems except Windows Server 2003 are vulnerable. Users may fall victim just by visiting a maliciously crafted website.Deflecting r......
[more] AOL patches ICQ vulnerability TippingPoint researchers warned AOL ICQ users this week about a vulnerability that allows attackers to execute malicious code onto a vulnerable PC without user interaction. AOL fixed the instant messaging (IM) service flaw on Oct. 31, but users who haven't logged on to the ICQ network since then could still be at risk, TippingPoint warned this week. The update was immediately applied to ICQ version 5.1 users when they logged on to the network, according to a Tipping......
[more] Second zero-day hole sinks Windows A serious security flaw in Visual Studio 2005 disclosed by Microsoft last week is already being attacked, the software giant has admitted. The incident represents the latest black eye for Microsoft over security, and is part of an increasingly common trend - attackers taking advantage of an unpatched or "zero-day" flaw well before a fix is available. Just last week, Microsoft acknowledged attacks exploiting a newly discovered, different, unpatched bu......
[more] Adobe falls down gaping security hole Adobe has acknowledged that recent versions of Reader and Acrobat contain unpatched bugs that could allow attackers to take over Windows systems via Internet Explorer. The bugs were discovered by security company FrSIRT and reported to Adobe a week ago, the company said in an advisory this week. Both FrSIRT and Adobe classified the bugs as "critical", since they could be exploited by simply luring an Internet Explorer user to a malicious website.......
[more] Some websites reporting common error code contain adware Web surfers are accustomed to seeing a 404 error message when they try to reach a website that is not available. But now hackers are using that common occurrence to their advantage by creating fake sites containing the error message to load spyware and adware, security researchers said today. One particular site - http://404dnserror(dot)com - "tries to install an ActiveX control and the installation message communicates that page is n......
[more] Adobe urges upgrade to avoid critical bug Adobe on Tuesday warned users of a critical flaw in Download Manager that can be exploited to compromise a user's machine. The same day, the company released an updated version of Reader to address multiple flaws reported last week.The "highly critical" bug, in versions 2.1 and earlier, is caused by the handling of section names when the application processes AOM files, according to Secunia. Attackers can exploit the flaw to cause a stack-based......
[more] Six fixes this Patch Tuesday, but Microsoft mum on Word flaw Microsoft is planning to push out six patches on Tuesday, presumably including one for a critically flawed ActiveX control in Visual Studio 2005. The Redmond, Wash. software giant is issuing five other patches to correct unnamed vulnerabilities in Windows, at least one of which is labeled critical. Some security observers were upset Microsoft did not offer a patch for the Visual Studio bug in its November release.Redmond first warned o......
[more] A Patch Tuesday surprise from Microsoft - plus six other fixes Microsoft released seven patches today for 11 vulnerabilities, including a surprise fix for two zero-day flaws in Windows Media Player. The update also addresses a flawed WMI Object Broker ActiveX control in Visual Studio 2005, a widely used Microsoft development platform. The vulnerability emerged days before the November patch release and was not addressed in that fix.But perhaps the biggest news out of today's release was what was......
[more] Yahoo Fixes Messenger Flaw Yahoo Inc. has patched a critical vulnerability in its Windows instant messaging client and has recommended that all users download and install an updated edition. The bug, characterized as "Highly critical" by Danish vulnerability tracker Secunia, is caused by a flawed Yahoo Messenger ActiveX control that could be used by attackers to crash a chat session, bring down the Internet Explorer browser, or execute malicious code on a victimized PC.Yahoo down......
[more] MSN messenger serves up dodgy alerts Banner advertisements for a security application said to report false or inflated threats appeared for at least a few days on Microsoft's IM (instant-messaging) program, prompting warnings from security analysts. Microsoft appears to have removed the ads, which were displayed in the contacts panel for its IM program, Windows Live Messenger, said Sandi Hardmeier, a Microsoft Most Valued Professional, a designation the company gives to people who have expertis......
[more] Yahoo updates to patch Messenger ActiveX vulnerability Yahoo has updated its instant messaging platform to protect against a vulnerability that can allow remote attacks. Versions of Yahoo Messenger installed before March 13 contain a flaw that can allow remote code attacks, Yahoo said Monday in an security advisory.The flaw is caused by a boundary error within the AudioConf ActiveX control (yacscom.dll), according to an advisory from Secunia.The vulnerability can be exploited to cause a stack-ba......
[more] Microsoft delivers seven patches including DNS fix Microsoft today released seven patches - all critical - addressing 19 vulnerabilities, including a promised fix for the well-publicised but sparsely exploited zero-day DNS server flaw. While that bug drew the majority of headlines over recent weeks, researchers today said the most significant patch appears to be MS-0726, which provides a fix for a critical Microsoft Exchange vulnerability that could result in remote code execution should a user......
[more] Hackers Launching Attacks Against Yahoo Messenger Bugs Websense researchers report 40 to 50 malicious sites are taking advantage of critical vulnerabilities in the instant messenger. Malware writers have latched on to the exploit code for the critical bugs in Yahoo Messenger, setting up 40 to 50 malicious Web sites to attack unsuspecting, and unpatched, users. "This threat is critical," said Stephan Chenette, manager of Websense Security Labs, in an interview. "The use of [the ex......
[more] XP better patched than Vista Microsoft data shows that the company has left more security holes open in Windows Vista than it did in XP. A Microsoft security executive released data showing that, six months after shipping Windows Vista, his company has left more publicly disclosed Vista bugs unpatched than it did with Windows XP. In total, Microsoft has patched 12 out of 27 disclosed Vista vulnerabilities in the six months after it first shipped last November. During XP's first six months, Micr......
[more] Researchers release LinkedIn bug A public exploit code for a severe vulnerability affecting the Internet Explorer toolbar for business networking site LinkedIn, has been posted by a pair of security researchers. The client-side ActiveX flaw, which garnered Secunia's highest severity rating of "extremely critical," can permit an attacker to remotely execute arbitrary code, Jared DeMott, one of the vulnerability's discoverers, told SCMagazine.com today.Users are exploited when they visit......
[more] McAfee warns of Yahoo Messenger Webcam bug Users of Yahoo's instant messaging platform are being warned to avoid webcam invites from unknown sources after a vulnerability in the platform was disclosed this week. The zero-day flaw was first published on Chinese security forums, but researchers at McAfee said this week that they recreated the flaw on Yahoo Messenger version 8.1.0.413.The vulnerability "seems like a classic heap overflow that can be triggered when the victim accepts a webcam i......
[more] AOL Claims AIM is Safe Perhaps the most dangerous type of online vulnerability is the one where the user doesn't actually do anything in order to become infected. It is that type of vulnerability that security researchers claim AOL's popular instant messaging client, AIM, was at risk from. Core Security has issued an advisory noting that AIM 6.1 (and 6.2 beta), AIM Pro and AIM Lite were at risk from a vulnerability that could remotely execute code on an AIM user's computer without user interact......
[more] Six new bugs found in RealPlayer For the second time in eight days, new critical vulnerabilities that could be used to hijack machines have been fingered in the RealPlayer media player. The patched editions released last Friday for Windows, however, are not vulnerable to the half-dozen bugs, RealNetworks said. Hard on the heels of the revelation that RealPlayer sported a major flaw and that the bug had been exploited by hackers who had compromised an ad server owned by 24/7 Real Media to spread......
[more] Alicia Keys' MySpace page hacked, serves up attacks Multiple MySpace pages, including the official page of popular R&B singer Alicia Keys, have been hacked and are spewing both socially engineered attacks and behind-the-scenes drive-by exploits, a security researcher said late Thursday. Although it's unclear how the MySpace pages were originally compromised, they're now dangerous places to visit, said Roger Thompson, chief technology officer for Exploit Prevention Labs Inc. Among the attack......
[more] Most HP, Compaq notebooks ship with code bugs Nearly two-dozen different laptop models sold by Hewlett-Packard Co. ship with software plagued with multiple zero-day vulnerabilities, security researchers said today. Later in the day, HP confirmed the bugs and said a patch would be made available Thursday. The bugs are in an ActiveX control included with the HP Info Center software preinstalled on both HP- and Compaq-branded laptops running Windows 2000, XP, Server 2003 and Vista, Symantec Corp.......
[more] 'Bricking' bug threatens most HP, Compaq laptops The hacker who posted an exploit last week that threatened a large swath of Hewlett-Packard Co.'s laptop lineup followed up yesterday with new attack code that can "brick" nearly every HP laptop. In a post to the milw0rm.com Web site Wednesday, a Polish security researcher who used the alias "porkythepig" spelled out a pair of vulnerabilities in an ActiveX control used by HP's Software Update, the patch management program bundled with v......
[more] Hackers quickly move to exploit Bhutto assassination Within hours of yesterday's assassination of former Pakistani Prime Minister Benazir Bhutto, malware makers exploited the breaking news to dupe users into downloading attack code, security researchers said Friday. Searches for news about Bhutto's killing and the ensuing chaos in Pakistan listed sites pimping a bogus video coder/decoder (codec), said analysts at McAfee Inc., Symantec Corp. and WebSense Inc. For instance, WebSense found such a......
[more] Critical flaws found in MySpace, Facebook ActiveX controls Bugs in the ActiveX controls on popular social networking sites Facebook and MySpace can be used by hackers to snatch control of Windows PCs, security experts said today. Initially made public by researcher Elazar Broad on the Full Disclosure security mailing list, the vulnerabilities are in a pair of ActiveX controls that Facebook and MySpace provide to users for uploading images to their pages via Microsoft's Internet Explorer (IE) br......
[more] Disable ActiveX, security experts warn A wave of bugs in the plug-in technology used by Microsoft 's Internet Explorer (IE) browser has led some security experts, including those at US_CERT, recommending that users disable all ActiveX controls. The US Computer Emergency Readiness Team (US-CERT), part of the government's Department of Homeland Security, was explicit in advisories posted this week: "US-CERT encourages users to disable ActiveX controls," it stated. US-CERT's advice was p......
[more] Researcher posts attack code for RealPlayer bug A noted ActiveX researcher yesterday revealed a bug in RealNetworks' RealPlayer that could be exploited by attackers to hijack Windows machines running Internet Explorer. Elazar Broad, who has uncovered other ActiveX control vulnerabilities in MySpace, Facebook and Yahoo software in the last two months, posted findings to the Full Disclosure security mailing list on Monday that fingered RealPlayer as flawed. "It is possible to modify heap blo......
[more] Microsoft patches Excel zero-day bug, releases three other fixes Microsoft issued four "critical" patches, including one for the zero-day Excel vulnerability reported in January, in its March Patch Tuesday round of bug fixes. In all, the company corrected 12 vulnerabilities, all client-side problems associated with its Microsoft Office productivity suite. "Every single patch is critical and needs to be seriously considered for remediation," Paul Zimski, senior director of ma......
[more] Password-stealing hackers infect thousands of Web pages Hackers looking to steal passwords used in popular online games have infected more than 10,000 Web pages in recent days. The Web attack, which appears to be a coordinated effort run out of servers in China, was first noticed by McAfee researchers on Wednesday morning. Within hours, the security company had tracked more than 10,000 Web pages infected on hundreds of Web sites. McAfee isn't sure how so many sites have been hacked, but "g......
[more] New DNSChanger Trojan variant targets routers Secure Computing researchers have discovered a new variant of the DNSChanger Trojan in the wild that attacks routers, meaning any Web surfing computer on that network could be at risk of being redirected to a malicious Web site. The DNSChanger Trojan changes the DNS settings to point to a host Web site address supplied by the attackers, Sven Krasser, director of data mining research at Secure Computing, said in an interview with CNET News.com on Tu......
[more] Microsoft warns of new Access attack Cybercriminals are exploiting a bug in software used by Microsoft's Access database program in a new online attack, Microsoft warned Monday. The flaw lies in the Snapshot Viewer ActiveX control, which ships with "all supported versions of Microsoft Office Access except Microsoft Access 2007," Microsoft said in a security advisory, published Monday. Microsoft released few details of how the bug is actually being exploited, but said that it is investigating an......
[more] RealNetworks patches four critical bugs in multimedia player RealNetworks has issued four critical patches for several versions of its RealPlayer running on Windows, Linux, and Apple's Mac OS X. The flaws could allow a hacker to run malicious code on a PC or cause the computer to reveal information, according to an advisory from Secunia, a security vendor based in Denmark. RealPlayer is an application that plays audio and video streamed over the Internet. RealNetworks has publ......
[more] Attackers ramp up zero-day ActiveX exploits Attacks taking advantage of a zero-day vulnerability in a Microsoft Active X control are increasing in prevalence, nearly a month since the flaw and ensuing exploit code first was announced. The bug, which enables an attacker to gain privileges of a logged-on user to launch remote code, affects the ActiveX control for the Snapshot Viewer in Office Access 2000, 2002 and 2003, Microsoft has said. "We've been closely monitoring this exploit sin......
[more] Microsoft promises 12 patches next week Microsoft Corp. today said it will deliver a dozen security updates next week to fix critical vulnerabilities in Windows, Office, Internet Explorer (IE) and the media player bundled with Vista. Of the 12 updates it sketched out in the advance notification issued this morning, Microsoft pegged seven as "critical," its highest threat rating. The remaining five were labeled "important," the second-highest ranking. "We almost have a baker's dozen,"......
[more] Microsoft fixes IE, Office in big month of security updates Microsoft released patches to fix 19 critical vulnerabilities in its software Tuesday, including five flaws in its Internet Explorer browser that security experts advise IT administrators to patch immediately. The total of 11 security updates released for August is the largest round of Patch Tuesday updates Microsoft has released since last February and should give IT administrators plenty to do to secure their companies' systems.......
[more] Microsoft issues mammoth security update, biggest in five years Microsoft Corp. today patched 28 vulnerabilities, nearly all of them marked "critical," in the biggest batch of fixes it has issued since it switched to a regular monthly update schedule more than five years ago. Of the 28 bugs quashed today, Microsoft ranked 23 of them critical, the top rating in its four-step scoring system. Of the five others, three were judged to be "important," the next step down, and two were peg......
[more] New attack singles out IE flaw Microsoft warned last week that it would be easy for cybercriminals to build new attacks using bugs it patched in the Internet Explorer browser; now that prediction has come true. On Tuesday, security vendor Trend Micro said that it had spotted the first attack taking advantage of one of two flaws patched a week ago. Microsoft has said that either of these vulnerabilities would be easy to exploit in online attacks. Over the weekend, Trend Micro researchers spotted......
[more] Japanese cybercrime stats bode ill for e-crime in Western nations Finjan, a supplier of secure web gateway products, says that 2008 cybercrime figures from Japan - details of which have just been published and show a 15.5 per cent year-on-year annual growth - do not bode well for e-crime in Western nations. "Anecdotal evidence suggests that the volume and value of cybercrime has soared again in 2008 and, with the current economic recession, we fully expect the number of Internet scams, hac......
[more] Adobe promises patch for zero-day PDF bug by next Tuesday Adobe has promised to patch the newest zero-day vulnerability in its popular Adobe Reader software no later than next Tuesday, potentially adding another update to the month's busiest patch day for the second time in three months. May 12 is also Microsoft's regularly-scheduled monthly Patch Tuesday. On Friday, Adobe's security team announced that it would issue updates to Adobe Reader and Acrobat -- versions 9.x, 8.x and 7.x for Windows,......
[more] Microsoft confirms attacks against IE6, IE7 For the second time in six weeks, Microsoft today confirmed that hackers are exploiting an unpatched bug in DirectX, this time by attacking Internet Explorer (IE). The company's security team issued an advisory Monday around 1 p.m. ET acknowledging reports of in-the-wild attacks and providing more information about who is vulnerable. Earlier today, security researchers at a pair of Danish firms had announced that thousands of legitimate Web sites hack......
[more] Newest IE bug could be next Conficker, says researcher The critical bug that Microsoft confirmed Monday but has yet to patch is a prime candidate for another Conficker-scale attack, a security researcher said. "It's better than [the vulnerability used by] Conficker," Roger Thompson, chief research officer at AVG Technologies, said yesterday. "It exposes the whole world, and can be exploited through the firewall. That's better than Conficker, which mostly did its damage once it got inside a netw......
[more] Three 'critical' Windows fixes due on Patch Tuesday Microsoft on Tuesday plans to release updates patching three critical Windows security vulnerabilities, two of which are already under attack. One of the updates plugs a hole in an Internet Explorer component that handles online video. Hundreds of thousands and possibly millions of websites - mostly catering to Chinese-speaking visitors - have been hijacked so that they secretly point to servers that exploit the critical vulnerability, creating......
[more] Researcher says IE bug could spread quickly A critical ActiveX vulnerability used by hackers to exploit Microsoft Corp.'s Internet Explorer browser is a prime candidate for another Conficker-scale attack, security experts said. On July 6, just hours after security companies reported that thousands of compromised sites were serving up exploits, Microsoft acknowledged the flaw in the ActiveX control that can be accessed using IE. The bug has been used by hackers since at least June 9. Microsoft......
[more] Microsoft admits new ActiveX zero-day bug For the second time in a week, Microsoft Corp. is warning users that hackers are exploiting an unpatched, critical bug in a company-made ActiveX control, putting people running Internet Explorer at risk. The company has been busy lately acknowledging "zero-day" vulnerabilities. Today's admission was the third in the last two months and the fifth since February. According to the security advisory that Microsoft released early today, the vulner......
[more] iPhone SMS attack to be unleashed at Black Hat Apple has just over a day left to patch a bug in it's iPhone software that could let hackers take over the iPhone, just by sending out an SMS (Short Message Service) message. The bug was discovered by noted iPhone hacker Charlie Miller, who first talked about the issue at the SyScan conference in Singapore. At the time, he said he'd discovered a way to crash the iPhone via SMS, and that he thought that the crash could ultimately lead to working atta......
[more] Tiny typo blamed for massive IE security fail One small typo in Microsoft's code caused the security vulnerability that prompted Microsoft to release an out of sequence patch on Tuesday, it has emerged. A rogue ampersand ("&") created a security hole in a the MSVidCtl ActiveX control that hackers began exploiting early this month. A blog posting on Microsoft's Security Development Lifecycle (SDL) by Michael Howard, a security program manager at Microsoft, explained that the minor typo corrupted......
[more] Top websites using Flash cookies to track user behavior Users often delete HTTP cookies to enhance their privacy, but some of the most popular websites are circumventing these efforts by utilising little-known Flash cookies, researchers at the University of California have found. The UC Berkeley research, which was submitted to the federal government for consideration as part of a new policy on the use of tracking technologies, found that Flash cookies were used on 54 of the top 100 websi......
[more] MS warns of forced Messenger update Microsoft has outlined plans to push a mandatory Windows Live Messenger upgrade in order to plug a security hole related to a vulnerable code library. The security vulnerability stems from the use of a vulnerable version of Microsoft's Active Template Library (ATL). A programming error involving the inclusion of an extra "&" character meant that any software packages that made use of the ATL library template inherited a critical software flaw. Software develo......
[more] Microsoft Fixes Eight Flaws, But Three Remain Open Microsoft on Tuesday released five Security Bulletins addressing eight vulnerabilities, but left three zero-day vulnerabilities untended. Paul Henry, forensic and security analyst for Lumension, said in an e-mail that the three zero-day vulnerabilities need to be addressed soon. Two are IIS vulnerabilities that were made public when exploit code was posted online about a week ago. The third is a vulnerability affecting Microsoft SMB2, for which......
[more] The 5 essential patches of 2009 Fact: Everyone who patches is safer. Fact: Not everyone patches. The gap between the two facts is too deep for even security experts to explain, although they try, with theories running from the conspiratorial -- pirates hate to patch, they say, because they're afraid vendors, Microsoft mostly, will spy them out -- to the prosaic ... that people are, by nature, just lazy. So rather than recite 2009's patch history -- dismal as it was, with Microsoft, for instance......
[more] IE Windows vuln coughs up local files If you use any version of Internet Explorer to surf Twitter or other Web 2.0 sites, Jorge Luis Alvarez Medina can probably read the entire contents of your primary hard drive. The security consultant at Core Security said his attack works by clicking on a single link that exploits a chain of weaknesses in IE and Windows. Once an IE user visits the booby-trapped site, the webmaster has complete access to the machine's C drive, including files, authentication......
[more] Adobe patches critical bug in Flash, Reader download tool Adobe today patched a critical vulnerability in the Windows utility used to download the company's two most popular products, Adobe Reader and Flash Player. It was the second time in the last six weeks that Adobe fixed a flaw in Download Manager, the program it installs on PCs when customers download Reader or Flash Player. The bug, Adobe acknowledged in an advisory, "potentially allow[s] an attacker to download and install unauthorized......
[more] Overlooked online threats There's the danger you know, and then there's the danger you don't know. Most of us are rightfully wary of downloading and running programs that have no pedigree, or of performing day-to-day operations as an administrative user. But with each passing year, new security threats march in to eclipse the old, many of them not getting their share of attention until it's too late. Threats go unappreciated for various reasons. Some seem too obscure or unlikely to be valid unt......
[more] Java code-execution vuln exploited in drive-by attack A popular song lyrics website has been found serving attack code that tries to exploit a critical vulnerability in Oracle's Java virtual machine, which is installed on hundreds of millions of computers worldwide. The site, songlyrics.com, is serving up javascript that invokes the weakness disclosed last week by security researcher Tavis Ormandy. After determining that the bug made it trivial for attackers to remotely execute malicious code o......
[more] 2010 smashes vulnerability records Vulnerability disclosures reached record levels in the first half of 2010,according to the latest report from IBM‘s X-Force security team. The team's mid-year trend and risk report documented 4,396 disclosed software vulnerabilities in the first six months of the year, a 35 per cent increase on 2009. This was attributed to software vendors disclosing more data and the increased number of security researchers now focused on finding flaws in code. "Thr......
[more]
