2014Mon28Apr

And the hits keep on rolling.. AOL hacked; passwords taken.

Permalink | Shortlink | Comments (0) | TrackbackFiled in SecurityTags: , ,

And the Internet Security Trifecta is complete.   AOL announced on their blog today that they have “determined that there was unauthorized access to information regarding a significant number of user accounts“.  The information access includes “users’ email addresses, postal addresses, address book contact information, encrypted passwords and encrypted answers to security questions.

So head on out to AOL and change your passwords and sec questions.   Might want to change any passwords for any sites you use AOL email as the security contact for as well.

 

Posted by scott April 28, 2014 at 9:16 pm
2014Mon28Apr

And… Another one. This time in Flash.

Permalink | Shortlink | Comments (0) | TrackbackFiled in Linux, Microsoft, OS-X, SecurityTags: , , , , ,

Look.  Another security exploit.  This time in that bastion of ultimate security.. er.. hang on.. what’s this?  It’s in Flash?  This is news?  Oh, a *NEW* one in Flash.  Got it.

Ok.  Where were we?  Looks like another security vuln in the wild.  This one’s in Flash and effects all three major OSes.  Yep, that’s right you penguins..  Linux is included in this one.  So get your YUM and APT repos spun up and update those boxen.

Krebs has the details here: Adobe Update Nixes Flash Player Zero Day

So there you have it.  Two major web exploitable vulns in two days.  Waiting for the other two shoes to drop; Java and Acrobat.

PS: Is it strange that I’m using a terminal window to cut/paste text from websites to strip it of hidden formatting?  Yes?  It is?  Good.

Posted by scott April 28, 2014 at 8:41 pm
2014Mon28Apr

Code execution flaw in ALL versions of IE since 6.

Permalink | Shortlink | Comments (0) | TrackbackFiled in Microsoft, SecurityTags: , , , ,

April has been the month of monumental holes in security on the net.  First there was Heartbleed (and as always, XKCD has a great explanation of what the Heartbleed vulnerability is: http://xkcd.com/1353/)

Not to be outdone by a mere open source project, Microsoft has announced a new 0-day vulnerability in all versions of IE since IE 6.  How you can call something “0-day” when it’s been there 12 or 13 years I’m still kind of fuzzy on.

As I understand the bug, it allows an attacker to use a specifically crafted html page execute arbitrary code on the user’ machine under the credentials IE was assigned at launch.   If you’re running as an administrator (who does that in Windows??), you’re pretty much wide open.

Microsoft released a tech bulletin about the flaw over the weekend that goes into a bit of depth about the flaw and lists what versions of IE are vulnerable.  Basically all of them.  If you’re running Server 2008 R2 or later, you *should* be ok if you’re still running IE under limited credentials.

The bulletin is here: Microsoft Security Advisory 2963983

Microsoft hasn’t released a patch yet, but I suspect we’ll see something in a day or so as an out-of-band release.  I can’t imagine even Microsoft waiting around for this one.

 

Posted by scott April 28, 2014 at 3:16 pm
Categories
Click to view/hide
Calendar
Click to view/hide
April 2014
M T W T F S S
 123456
78910111213
14151617181920
21222324252627
282930