security bug

A bug was disclosed in Apple’s software that could be exploited by criminals to gain control over iPhones, iPads and iPod Touch devices.

On Wednesday the website www.jailbreakme.com released code that Apple customers can use to modify the iOS operating system through jaibreaking. Many Apple customers jailbreak their devices so that they could download and run applications that are not approved by Apple or use iPhone phones on networks of carriers that are not approved by Apple.

New updates have been released by Adobe to patch Reader PDF and Flash animation applications. The patches fix the flaws widely used by hackers to penetrate and take control of end user machines.

In the latest patch Adobe fixes a serious bug in Flash that allows attackers to remotely execute malicious code on machines that run the software, and there are reports it's being actively exploited, Adobe said.

A flaw found in Apple QuickTime Player can be exploited to remotely execute malicious code on Windows-based PCs, even those running the most recent versions of operating system. The bug was discovered by Ruben Santamarta of Spain-based security firm Wintercore. Before this time an unused parameter known as “_Marshaled_pUnk” remained undetected for at least nine years. The inclusion of this parameter is a backdoor because it is the work of an Apple developer who added it to the QuickTime code base and then, most likely, forgot to remove it when it was no longer needed.

A security researcher Acros reported this week that nearly 200 Windows applications are vulnerable to remote code-execution attacks that exploit a bug in the way the programs load binary files for the Microsoft operating system. While the critical flaw was patched in Apple's iTunes media player for Windows and VMware Tools, for other applications it will be necessary to create an individual patches, said Mitja Kolsek, CEO of application security consultancy Acros Security.

Experts found a new bug in Facebook login system that allowed attackers to match random email addresses with users’ first and last names in spite of members’ actions taken to protect their privacy. Such a bug could have been exploited by social-engineering scammers, phishers, or anyone who has ever been curious about the person behind an anonymous email message. If the address belongs to any one of the 500 million active users on Facebook, the social-networking site will return the full name and picture associated with the account.

TippingPoint announced it will give vendors six months to fix bugs before it goes public with information on software vulnerabilities. The company that sells Intrusion Prevention Systems acquired by HP this year has rewarded security researchers for information about vulnerabilities via its long-running Zero Day Initiative (ZDI) program. It uses this information to apply rules blocking exploits to its IPS technology, historically putting no particular pressure on vendors to develop patches.

Mozilla reports that the cash it offers to individuals who find security bugs as a bounty is often rejected. The bug bounty program launched by Mozilla is already six years old. It was introduced to encourage tech savvy persons to help the open source company find bugs in its product.

Microsoft at last released an emergency patch for a critical vulnerability in all Windows machines that is exploited by criminals to install malware. As it promised last week Microsoft released the update outside of its normal patching schedule because the vulnerability is being actively targeted.

The bug first came to the surface three weeks ago when it was being used to attack SCADA — supervisory control and data acquisition — systems that control sensitive equipment at power plants, gas refineries, and other critical infrastructure.

Google announced on its web blog that it will block insecure plug-ins from running on top of its Chrome Internet browser so as to prevent perpetrators from exploiting the security bugs.

Google’s security team noted that the feature which is scheduled to be included into the browser in “medium term” will prevent Chrome from running "certain out-of-date plug-ins." It will also help users find updates.

Mozilla has announced the introduction of a web service that allows users of different browsers including Internet Explorer, Chrome, Opera, and Safari to check whether plugins for their web surfing applications are up-to-date and don’t contain bugs or vulnerabilities.

By coming to the page http://www.mozilla.com/en-US/plugincheck/ a user can see the report that shows the analysis of all the installed plugins. As it appears some of the plugins are still in research stage by Mozilla and there is no firm conclusion of whether they are safe or not.

A security vulnerability in older versions of Windows operating system is being investigated by the Microsoft team according to the company’s Jerry Bryant. The flaw allows attackers to execute malicious code on end user machines.

The vulnerability under probe combines scripts based on Microsoft's Visual Basic language with Windows help files for Internet Explorer. Attacker hosting a malicious website can remotely run arbitrary code by convincing the user to press the computer's F1 key in response to a popup window.

According to recent findings Android OS version 2.0.1 run on all modern Motorola Droids has a flaw which allows any person to easily access all the phone functions while successfully bypassing the phone’s screen-lock security mechanism.