Krebs On Security
Adobe, Microsoft and Oracle today each issued security updates to fix serious vulnerabilities in their products. Adobe released patches for AIR, Acrobat, Flash and Reader, while Microsoft pushed out fixes to shore up at least a half dozen security weaknesses in Windows and Office. Oracle released an update for Java that fixes at least three dozen security holes in the widely-used program.
The Final H Roundup
As The H closes its doors, we decided to have a look at some of the most popular articles and news items from the four and a half years since The H came into existence. The range is wide, from security alerts and skilled cracking, to interviews with open source luminaries and historical views of projects, from the latest news from the open source front to the potential future opened up by many projects. Here, for your final delectation, are the finest ten stories and features from The H.
Bits from Bill
February 02, 2013
Updating your Twitter Password Isn’t Enough
Today, the public news report is that information from approximately 250,000 Twitter accounts was stolen. Twitter has taken action but I recommend you do more than just change your password. Even if you don’t use Twitter this attack may still affect you.
Continue reading: http://billpstudios.blogspot.com/2013/02/updating-your-twitter-password-isnt.html
Less than 24 hours after Oracle patched a dangerous security hole in its Java software that was being used to seize control over Windows PCs, miscreants in the Underweb were already selling an exploit for a different and apparently still-unpatched zero-day vulnerability in Java, KrebsOnSecurity has learned.
Release Notes: http://www.oracle.com/technetwork/java/javase/7u11-relnotes-1896856.html
If you have disabled Java in the Java Control Panel, you will need to manually re-enable it after installing this release. You can find the check box in the Security tab of the Java Control Panel.
If you have previously disabled Java Plugin in the browser, you will need to manually re-enable it after installing this release. In Firefox, you can do this in the Add Ons -> Plugin screen. In Internet Explorer, this functionality is located in Tools -> Manage Add-ons.
As a consumer, I personally would choose to leave Java disabled in the browser; I haven’t noticed a difference in surfing.
New year, new Java zeroday!
Earlier this morning @Kafeine alerted us about a new Java zeroday being exploited in the wild. With the files we were able to obtain, we reproduced the exploit in a fully patched new installation of Java. As you can see below, we tricked the malicious Java applet into executing calc.exe in our lab.
Zero-Day Java Exploit Debuts in Crimeware
What You Need to Know About the Java Exploit
US-CERT: Vulnerability Note VU#625617
If you are not sure whether Java is installed on your computer, you can check at:
Click “Do I have Java” > “Verify Java Version”
My result: “No working Java was detected on your system.” That’s because I removed it a long time ago.
January 7, 2013
The Right Remedies for Google’s AdWords API Restrictions
Last week the FTC closed its 21-month investigation of Google after Google made several small concessions, among them dropping certain restrictions on use of Google’s AdWords API — rules that previously limited how advertisers and tool-makers may copy advertisers’ own data from Google’s servers. Removing the restrictions is a step forward for advertisers and for competition. But the FTC could and should have demanded more from Google in order to address the harm resulting from seven years of these restrictions.
Benjamin Edelman and Wesley Brandi
Our automation continuously scours the web for rogue affiliates. In our query tool, we provide a basic sense of how much we’ve found. We have also written up scores of sample rogue affiliates, but the holiday season provides an impetus for more: Thanks to high online spending, affiliate fraud at this time of year is particularly profitable for perpetrators — and particularly costly to merchants.
Below, we report the ten Commission Junction affiliates and ten LinkShare affiliates most often seen by our automation. We focus on affiliates whose conduct violates the plain language of networks’ posted terms and conditions, specifically spyware and adware, cookie-stuffing, and typosquatting. Click an affiliate summary for details about the violation, a packet log showing the network traffic that performs the violation, and, for many affiliates, screenshot or video confirmation.
We will update this page from time to time with additions, both as to CJ and LinkShare and as to other affected networks.
The time has come to reflect on this year’s most popular posts and emphasize the key points about what made them special.