Originally posted here: 
Chrome, Chrome OS Updated With First “Elite” Bug Squashed

BOSTON (Reuters) – Microsoft Corp issued its biggest-ever security fix on Tuesday, including repairs to its ubiquitous Windows operating system and Internet browser for flaws that could let hackers take control of a PC.

The new patches aim to fix a number of vulnerabilities including the notorious Stuxnet virus that attacked an Iranian nuclear power plant and other industrial control systems around the world.

Microsoft said four of the new patches — software updates that write over glitches — were of the highest priority and should be deployed immediately to protect users from potential criminal attacks on the Windows operating systems.

Microsoft said it also repaired other less serious security weaknesses in Windows, along with security problems in its widely used Office software for PCs and Microsoft Server software for business computers.

Microsoft released 16 security patches to address 49 problems in its products, many of which were discovered by outside researchers who seek out such vulnerabilities to win cash bounties as well as notoriety for their technical prowess.

“This is a huge jump,” said Amol Sarwate, a research manager with computer security provider Qualys Inc. “I think the reason for it is that more and more people are out there looking for vulnerabilities.”

The geeks who report such vulnerabilities to software makers are known as “white hat” hackers. Sarwate warned that there are also plenty of “black hats,” or criminal hackers who look for vulnerabilities in software that they can exploit to launch attacks on computer systems.

Indeed, the world’s biggest software maker said that the patches released on Tuesday include software to fix a vulnerability exploited by the Stuxnet virus — a malicious program that attacks PCs used to run power plants and other infrastructure running Siemens industrial control systems.

The virus, which infected computers at Iran’s Bushehr nuclear power plant, was discovered over the summer. Security research Symantec said that it detected the highest concentration of the virus on computer systems in Iran, though it was also spotted in Indonesia, India, the United States, Australia, Britain, Malaysia and Pakistan.

So far Microsoft has patched three of the four vulnerabilities exploited by Stuxnet’s unknown creators.

The total of 49 vulnerabilities exceeds the previous record of 34, which was set in October 2009 and matched in June and August of this year.

The constant patching of PCs is a time-consuming process for corporate users, who need to test the fixes before they deploy them to make sure they do not cause machines to crash because of compatibility problems with existing software.

Source” Yahoo!

Apple has released a software patch to address a recently described security flaw in the iPhone.

Experts revealed on Thursday that modified SMS messages could result in iPhones being disconnected from the network or hijacked altogether.

Apple said phones incorporating other mobile operating systems, such as Windows Mobile and Google Android, were also potentially vulnerable.

It added that no-one had actually used the flaw to gain access to an iPhone.

A spokesperson for O2, the iPhone’s service provider in the UK, said: “We will be communicating to customers both through the website and proactively. We always recommend our customers update their iPhone with the latest software and this is no different.”

Access all areas

Charlie Miller and Collin Mulliner told the Black Hat conference in Las Vegas that the hack works by slightly modifying the data – sent by the network and which the user does not see – that arrives as part of a text message.

The system that processes such messages is similar across different operating systems and can, once compromised, gain access across a range of applications including a phone’s address book or camera.

The team say that hackers could develop programs to exploit the weakness in as little as two weeks, but told the conference that publicising the means of attack was necessary to ensure the problem was addressed.

“If we don’t talk about it, somebody is going to do it silently. The bad guys are going to do it no matter what,” Mr Mulliner, an independent security expert, said.

The team wrote software to exploit the weakness, targeting iPhones on four networks in Germany as well as AT&T in the US. However, they believe it would work equally well in any country.

The approach is particularly dangerous because messages are delivered automatically, and users cannot tell that they have received the malicious code.

The problem could be fixed by directly patching the vulnerability in smartphones’ operating systems, or the network providers could scan for messages that look to be trying to gain access to phones via the malicious code.

The researchers said they had informed Google of the hack and that the company had already taken steps to address the problem.

The Black Hat gathering, part of a leading series of conferences for information and computer security experts, took place from 25 to 30 July.

Apple were not available to comment on the flaw.

Source: BBC News

They’re here–sort of. Twitter has launched the early beta phase of its “verified accounts” program, a background-check for celebrities and other prominent users of the service to weed out impersonators and fake accounts. If they pass the test, they get a graphic “badge” much like a PayPal verified account’s.

“We’re starting with well-known accounts that have had problems with impersonation or identity confusion,” an explanation from Twitter read. “We may verify more accounts in the future, but because of the cost and time required, we’re only testing this feature with a small set of folks for the time being. As the test progresses we may be able to expand this test to more accounts over the next several months.”

Twitter’s team is rolling this out a bit prematurely because there are some powerful people breathing down their necks: the manager of the St. Louis Cardinals has filed a lawsuit against the service after someone started using it to impersonate him. There have also been embarrassing snafus involving a fake Dalai Lama account and a prankster who impersonated the Austin, Texas police department. By rolling out even a very bare-bones verification program, Twitter at least looks like it’s doing something about the problem.

Right now, Twitter’s verified accounts are mostly well-known ones (like @mashable), which suggests that the verification process thus far hasn’t been particularly high-maintenance.

Here is the curious part: Twitter is currently only offering this service to individuals, not businesses. That raises the question of whether account verification will eventually be part of a paid “Twitter for business” account service that’s rumored to be in the works. The presence of lawsuits, however, may have derailed plans to charge for account verification.

Either way, I suppose, you could get caught up in the debate over individuals who are businesses (Robert Scoble, anyone?), but that’s a blog post for another day.

Source: CNET News

The malicious code, which Trend Micro named “XML_DLOADR.A,” is hidden in a Word document. On unpatched systems, when the file is opened an ActiveX object automatically accesses a Web site to open a backdoor that installs a .DLL (dynamic link library) file that can steal information, according to a Trend Micro blog entry. The code sends stolen data to another Web address via port 443, Trend Micro said.

As a result of the back door, “anybody can run commands on the affected system,” said Jamz Yaneza, a senior threat analyst and researcher at Trend Micro.

Microsoft released a security patch for the vulnerability, and others, a week ago. The vulnerability arises from the browser’s improper handling of errors when attempting to access deleted objects.

“It looks like a proof of concept or targeted attack,” Yaneza said. The exploit is similar to politically motivated attacks that were seen before the Olympics last year in which PDF files and Word documents contained exploit code and automatically connected computers to malicious Web sites, he said.

It appears that the site directed to is in China and there is Chinese terminology in the code, according to Yaneza. That and the fact that the 50th anniversary of the Tibetan uprising is approaching, on March 10, suggests that this attack could be politically motivated as well, he said.

“People need to speed up how they patch their OSes, or turn on auto update in Windows,” Yaneza said.

Source: CNET – by Elinor Mills

If your Web site is one of the more than 170,000 sites on the Internet that Google has tagged as hosting malware, you have a place to turn–StopBadware.org.

On Saturday, an error at Google changed the display of search results so that every site on the Internet was listed as having malware for about an hour. After that happened, StopBadware.org’s site was hit with so much traffic–67,000 or 13 times the normal daily number–that it led to a denial of service that had the site offline for nearly an hour and a half.

After initially saying StopBadware.org had contributed to the problem, Google retracted that and said it was solely the fault of the search engine. Meanwhile, StopBadware.org got 150 malware review requests over the weekend from people whose sites were tagged as harmful during the glitch.

“It was an unfortunate event, but it helps raise awareness of this real problem” of sites hosting malware, Maxim Weinstein, manager of the nonprofit StopBadware.org, said in an interview on Monday with CNET News.

An appeals body

From a five-person office on the Harvard campus in Cambridge, Mass., the organization serves as a sort of appeals body for people who argue that their sites shouldn’t be flagged as dangerous. In the high stakes game of e-commerce, getting tagged as dangerous can cost a Web site visitors and money.

The organization gets anywhere from 1,000 to 3,000 requests per month from Web site owners who think Google has unfairly tagged them as harmful to the Web surfing public, according to Weinstein.

For sites that host spyware, adware, or other software that interferes with peoples’ ability to control their computer, Google includes a warning along with the results that says: “This site may harm your computer.” If the searcher clicks on the result, a window pops up with a second warning that suggests trying a different search and offers direct links to StopBadware.org and related Google sites. To get to the flagged Web site a searcher has to type in the URL in the Web address bar.

Google offers an automated process for review requests, while StopBadware.org does the review manually.

Outside of the anomaly that occurred over the weekend, Google rarely has false positives, according to Weinstein. Many of the sites are indeed malicious, such as phishing sites hoping to steal sensitive data an unsuspecting visitor may type in thinking that the site is a legitimate bank site, for instance.

But most of the people who ask StopBadware.org for help are legitimate sites whose servers have been compromised, often because they are running Web server software with a vulnerability that has not been patched, he said.

Sometimes the malware is contained in the comments on a blog, and in other cases some people just aren’t using strong enough passwords to protect their Web hosting accounts.

A lot of bloggers use WordPress, which has a fair share of security weaknesses, and people don’t know they need to update the software, Weinstein said.

“Attackers run software scanning for WordPress blogs that are running vulnerable versions of the server software and then they run an attack that gets access to the site,” he said.

In the dog-eat-dog world of Web search, StopBadware.org shares a special status. The organization, launched in 2006 as a “neighborhood watch for the Internet,” was coordinated by Harvard Law School’s Berkman Center for Internet & Society. It gets data from Google, AOL, PayPal, Trend Micro, Lenovo and VeriSign, and Consumer Reports WebWatch is a special advisor.

“We’re independent but with friends in high places,” Weinstein said. “We get access to data from Google and other companies and…this allows for data analysis and research that no one else is able to do.”

In addition to offering a second opinion to aggrieved Web sites, StopBadware.org works on developing new approaches to addressing malware and offers the BadwareBusters.org forum where Web site owners can exchange information.

The organization has been focusing on identifying what it calls “borderline applications,” badware that isn’t obviously malicious but which exhibits behavior that malware does, such as installing extra software on the PC without informing the user and software that doesn’t uninstall when the user tries to get rid of it.

Representatives from Google, StopBadware.org’s closest partner, declined an opportunity to be interviewed about the organization following the weekend search snafu.

“We have a good ongoing relationship with StopBadware.org,” a Google spokesman said in an e-mail.

Source: CNET – Posted by Elinor Mills

Microsoft’s updated browser, Internet Explorer 8, promises an assortment of new features designed to help make Web browsing with IE safer, easier, and more compatible with Internet standards. We looked at the first release candidate of the new browser released to the public today, Release Candidate 1 (RC1). On the surface, IE 8 seems to be a lot like IE 7, but Microsoft has made a number of changes under the hood. You may have seen some of these new features already, however, in IE’s no-longer-upstart competitor, Mozilla Firefox 3.

Tabbed Browsing

If you accidentally close a browser window in IE 8, you can opt to restore it when you reopen the program (just as you can in Firefox). IE 8 will use color coding to group related tabs together. If you open a link from pcworld.com in a new tab, for example, it will open adjacent to the original tab, and the tabs themselves will have a matching color. You can move tabs from one group to another, but if you have three unrelated pages open, you cannot create a group out of them.

Perhaps the most novel addition in IE 8 is what Microsoft calls tab isolation. The feature is designed to prevent a buggy Web site from causing the entire Web browsing program to crash. Instead, only the tab displaying the problematic page will close, so you can continue browsing.

Of course, IE 8 RC1 retains some of the features introduced in the first beta, including WebSlices and accelerators; see “Updated Web Browsers: Which One Works Best?” for more details.

Searching

IE 8 can use multiple search engines besides Windows Live Search, and you can add other search engines to the mix. Also, IE 8 will give you search suggestions as you type. For example, I can type in ‘PC World’ into the search field, and IE 8 RC1 will give me Live Search suggestions such as ‘pc world magazine’ or ‘pc world reviews’. In addition, IE 8 lets you switch between search engines on the fly by clicking an icon at the bottom of the search field’s drop-down menu. IE 8 can search Yahoo and Ask.com, and you can install add-ins that give IE 8 the capability to search Wikipedia, Amazon, and the New York Times, among other sites.

Improved Security

Microsoft touts IE 8 as its most secure browser to date, and Microsoft has indeed added a good number of security features to the mix, ranging from phishing detection to private browsing, plus a new feature to prevent clickjacking, an emerging data theft threat.

IE 8 RC1 includes two security features under the ‘InPrivate’ label: InPrivate Browsing and InPrivate Filtering. Both existed in earlier prerelease versions of IE 8, but IE 8 RC1 lets you use the two features separately, whereas before each relied on the other.

If you enable IE 8′s InPrivate Browsing feature, the browser will not save any sensitive data–passwords, log-in info, history, and the like. Afterward it will be as if your browsing session had never happened. This feature is very similar to Private Browsing in Apple’s Safari browser, except that an icon in IE’s address bar makes InPrivate Browsing’s active status more obvious.

InPrivate Filtering–called InPrivate Blocking in earlier IE 8 builds–prevents sites from being able to collect information about other Web sites you visit. This feature existed in IE 8 Beta 2, but you could use it only while using InPrivate Browsing. In RC1, you can use InPrivate Browsing at any time.

The browser’s phishing filter–called SmartScreen–improves on its predecessor’s filter with such features as more-thorough scrutiny of a Web page’s address (to protect you from sites named something like paypal.iamascammer.com) and a full-window warning when you stumble upon a suspected phishing site. SmartScreen relies largely on a database of known phishing sites, so new, unknown phishing sites may slip through the cracks.

IE 8 displays sites’ domains in a darker text color, so you can more readily see whether you’re visiting a genuine ebay.com page, say, or a page simulating an eBay page on some site you’ve never heard of. Microsoft could still put a little more emphasis on the domain name (using a different color background, for example), but the highlighting is a welcome addition.

Finally, IE 8 RC1 includes a feature designed to prevent clickjacking, a method in which Web developers insert a snippet of HTML code into their Web page code to steal information from Web page visitors. When you use IE 8 to view such a page, IE 8 can identify an attempted clickjacking and will warn you of the attempt.

Web Compatibility

Creating a site that looks identical in Internet Explorer, Firefox, and Safari can be a challenge. IE 8 Beta 2 offers better support for W3 Web standards–a set of guidelines developed to ensure that a Web page appears the same in all browsers. The downside is that IE 8 will break some pages designed for earlier Internet Explorer versions.

To counteract this problem, Microsoft has added a compatibility mode: Click a button in the toolbar, and IE 8 will display a page in the same way that IE 7 does. In my testing, I found that most pages worked fine with the standard (new) mode, and that most errors were minor cosmetic ones. Unfortunately, the Compatibility Mode toggle button may not be obvious to most users, because it’s pretty small; a text label would have helped.

Though it probably won’t convince many Firefox users to jump ship, Internet Explorer 8 Release Candidate 1 shows promise, and may be worth considering for people who have not yet solidified their browser loyalties. (Keep an eye out for our report on the final release of IE 8.)

Source: PCWorld -