Syber Group

Microsoft Gives Money To Hackers

August 7, 2012
Filed under Computing

Microsoft has given out more than $250,000 in prize money to Black Hat hackers who found ways to protect its software. Redmond’s first Blue Hat prizes were unveiled at a hip club at a mobbed party complete with dancers, a high-energy DJ, and explosions of shimmering confetti.

The top prize of $200,000 went to doctoral student Vasilis Pappas. Pappas came up with a method of countering “the most popular attack technique” that Redmond is seeing at the moment: Return-Oriented Programming (ROP), a technique that is often used to disable or circumvent a program’s security controls. Pappas came up with something called kBouncer, which blocks anything that looks like an ROP attack from running.

Microsoft security response center senior director Mike Reavey said that Redmond posed a challenge to the researcher community and asked them to shift their focus from solely identifying and reporting individual vulnerabilities to investing in new lines of defensive research that could mitigate entire classes of attacks.

Patches Released For Firefox and Thunderbird

October 4, 2011
Filed under Internet

The release of Firefox 7 is important because the new version features better memory management and is the first step in Mozilla’s long term plan to make the browser more resource friendly.

Nevertheless, users who upgrade to it will also benefit from improved security as this release fixes six critical and two moderate severity security vulnerabilities.

Four of the critical patches are shared with Thunderbird 7 and address a use-after-free condition with OGG headers, an exploitable crash in the YARR regular expression library, a code installation quirk involving the Enter key and multiple memory hazards.

A moderate severity patch that provides defence against multiple Location headers caused by CRLF injection attacks is also common to both products.

In addition to these patches, Firefox 7 also contains fixes for two critical vulnerabilities and one moderate severity vulnerability, with one of them resulting in a potentially exploitable WebGL crash.

It’s worth pointing out that Microsoft previously justified its decision not to include support for WebGL in Internet Explorer by saying that the 3D graphics library opens a large attack surface.

So far several serious vulnerabilities have been identified and patched in WebGL, which partially supports Microsoft’s assessment, but the library’s supporters claim this is no different than with other technologies.

Firefox 7 also updates WebSocket, a protocol disabled in the past because of security issues, to version 8, which is no longer vulnerable to known attacks.

Adobe Patches Security Holes in Flash

September 28, 2011
Filed under Computing

Adobe has released a security update for Flash Player in order to address several critical vulnerabilities, including one that is being exploited in the wild.

Flash Player 10.3.183.10 for Windows, Mac and Linux and Flash Player 10.3.186.7 for Android contain patches for six security flaws.

One of them is a cross-site scripting (XSS) weakness that can be exploited to execute rogue actions on behalf of web sites or webmail providers if victims click on maliciously-crafted links.

“There are reports that this issue is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message,” Adobe warns in its security advisory.

XSS vulnerabilities are the result of improper user input validation and allow attackers to execute rogue code in the context of the current web site. For example, they can be leveraged to extract session cookies or load rogue forms into legitimate pages, which makes for very credible phishing attacks.

Adobe credits Google for reporting this cross-site scripting vulnerability, which is identified as CVE-2011-2444. This means it might have been detected in attacks against Gmail users.

Two other patched vulnerabilities allow for arbitrary code execution and are located in the AVM stack. One of them can also lead to a denial of service condition. Two remote code execution logic errors and a Flash Player security control bypass have also been addressed.

Users should deploy the new update as soon as possible because browser plug-ins like Java, Adobe Reader or Flash Player are amongst the most attacked pieces of software one can have on a computer. However, unlike Adobe Reader X (10.0) which features sandboxing technology, Flash Player doesn’t have any anti-exploitation mechanism built-in.

Flash Player 11 Launched With 3D Gaming

September 26, 2011
Filed under Computing

Adobe Systems announced Flash Player 11 and Adobe Air 3 software Wednesday to assist developers in building more sophisticated applications with dozens of new features across smartphones and tablets as well as desktop computers.

The releases are Adobe’s biggest in two years, and will be available free of charge in early October, said Anup Murarka, Adobe’s director of product marketing. The related tools, Flash Builder and Flex, will support new features in Flash Player 11 and Adobe Air 3 by the end of the year.

The releases will enable delivery of 2D and 3D games over the Internet to various devices, Murarka said. Developers of enterprise applications will also find the 3D capabilities popular for data-centric apps. Enterprises, for example, will be able to build application dashboards to “visualize complex data sets” with 3D images, he said.

Developers will also be able to use the tools to more deeply integrate business software like Excel and Outlook in devices and to access hardware programming interfaces for functions such as Near-Field Communication being used more widely in smartphones, Murarka said.

The new versions will also help developers build more secure applications with the ability to leverage cryptographically secure random number generation, he said.

Alibaba Debuts Smartphone Running Its Cloud OS

August 3, 2011
Filed under Smartphones

Alibaba Group unveiled its first self-developed mobile operating system and smartphone on Thursday in a bid to capture a slice of China’s burgeoning mobile Internet market.

The cloud computing-based operating system, Aliyun, will run the K-Touch Cloud Smartphone, to be launched at the end of July in 10 colors, said Wang Jian, president of Alibaba Cloud Computing, a unit of Alibaba Group.

A tablet PC running the Aliyun OS, which is based on a customized Android system, will also be launched in China by the end of the year, Wang told reporters after a presentation in Beijing.

Handset manufacturer Tianyu will manufacture the K-Touch as well as the tablet, Wang said.

“Mobile users want a more open and convenient mobile OS, one that allows them to truly enjoy all that the Internet has to offer, right in the palm of their hand, and the cloud OS, with its use of cloud-based applications, will provide that,” said.

The Aliyun operating system will feature cloud services such as email, Internet search and support for web-based applications. Users will not be required to download or install applications onto their mobile devices, Wang said.

Alibaba Cloud plans to integrate the operating system with other devices including mobile phones with larger screens and tablet computers in the coming months.

Wang said the company was looking to launch tablet computers running Aliyun by the end of the year.

The company is currently in talks with Qualcomm Inc to develop a lower-end chipset optimized to run Aliyun OS in lower-end mobile phones, Wang said. The K-Touch phones use a high-end chipset from Nvidia Corp for crisp display of intricate games.

Microsoft Delivers Massive Security Updates

April 13, 2011
Filed under Computing

Microsoft today patched a whopping 64 vulnerabilities in Windows, Office, Internet Explorer (IE), and other software, including 30 bugs in the Windows kernel device driver and one in IE that was exploited at the Pwn2Own hacking contest last month.

The company also delivered a long-discussed “backport” to Office 2003 and Office 2007 that brings one of the newer security features in Office 2010 to the older editions.

The 17 updates, which Microsoft dubs “bulletins,” tied a record set late last year, but easily beat the October 2010 mark for the total number of flaws they fixed. Altogether, today’s updates patched 64 vulnerabilities, 15 more than in October and 24 more than in the former second-place collection of December 2010.

Nine of the 17 bulletins were pegged “critical,” Microsoft’s highest threat ranking, while the remainder were marked “important,” the next-most-serious label.

Microsoft and virtually every security expert pegged several updates that users should download and install immediately.

“There are three we think are top priorities,” said Jerry Bryant, group manager with the Microsoft Security Response Center (MSRC), in an interview earlier today. Bryant tagged MS11-018, MS11-019 and MS11-020 as the ASAP updates.

Hacker Writes Trojan For Apple’s Mac

March 1, 2011
Filed under Computing

As Apple’s popularity continues to increase, so too does the malicious interest of hackers in its famed products. Researchers at Sophos say they’ve uncovered a new Trojan horse program written for the Mac.

It’s called the BlackHole RAT (the RAT part is for “remote access Trojan”) and it’s pretty easy to find online in hacking forums, according to Chet Wisniewski, a researcher with antivirus vendor Sophos. There’s even a YouTube video demo of the program that details what it’s capable of doing.

Sophos hasn’t seen the Trojan used in any online attacks – it’s more a bare-bones, proof-of-concept beta program right now – but the software is pretty easy to use, and if a criminal could find a way to get a Mac user to install it, or write attack code that would silently install it on the Mac, it would give him remote control of the hacked machine.
