Information Filed Under ‘Web Service Security’ Category

Acunetix WVS Version 7 BETA is available!

A new version of Acunetix Web Vulnerability Scanner is available in beta, and what a version! It has been one long year of development, testing and late nights at the office, though it was all worth it, and the results speak for themselves! Most of the core components have been rewritten, such as the crawler, scanner, vulnerability checks and the HTTP stack. Acunetix WVS Version 7 is around 75% faster and a more intelligent scanner than its predecessors. Most of the web vulnerability checks have been migrated from VulnXML format to Scripts. This allows us to have more advanced and flexible security checks, while reducing false positives. It is also easier for you to develop your own web vulnerability checks. Version 7 also includes much more meticulous web security tests, some of which were not possible before.

Link:
Acunetix WVS Version 7 BETA is available!

Microsoft Security Essentials – Latest 32/64 bit Installation guidelines

Below are updated instructions for MSE installation for 32 bit or 64 bit versions of Windows: 1. Uninstall any previous Anti-virus products (esp. the 60 day trial AV products that may have come with your system) 2

Read the original here:
Microsoft Security Essentials – Latest 32/64 bit Installation guidelines

How many ways can you remotely exploit an iPhone?

At this point, you’ve probably read there are vulnerabilities in Apple’s iOS that allow drive-by jailbreaks. And you also know that those vulnerabilities can be used for other drive-by exploits such as malicious attacks. Many reports have mentioned that attackers could exploit iPhone owners by tricking them into visiting a specially crafted webpage.

See the rest here:
How many ways can you remotely exploit an iPhone?

Out of Band Microsoft Update for LNK Vulnerability

Microsoft will release an out of band update today to address the LNK Vulnerability (2286198) that is being exploited. The security update will be released at approximately 10:00 Pacific Daylight Time. From the Microsoft Security Response Center: “We are releasing the bulletin as we’ve completed the required testing and the update has achieved the appropriate quality bar for broad distribution to customers.

View original post here:
Out of Band Microsoft Update for LNK Vulnerability

Is your iPhone backup file secure?

Tuesday’s edition of the Wall Street Journal reported on a security flaw in Citi’s mobile banking application for the iPhone. Customers are advised to update. From the WSJ: “Citi said its iPhone app accidentally saved information—including account numbers, bill payments and security access codes—in a hidden file on users’ iPhones.” Oops — not good.

Read more here:
Is your iPhone backup file secure?

LNK Vulnerability: Chymine, Vobfus, Sality and Zeus

Here’s the bad news: several additional malware families are now attempting to exploit Microsoft’s LNK vulnerability (2286198). But here’s the good news: so far, the new exploit samples are detected by us, and by many other vendors

Go here to see the original:
LNK Vulnerability: Chymine, Vobfus, Sality and Zeus

LNK Vulnerability: Embedded Shortcuts in Documents

Microsoft has updated Security Advisory 2286198 (version 1.2). It’s quite evident that the folks at Microsoft are working very diligently on this issue. Our concerns have been addressed and the advisory no longer lists Windows 7 AutoPlay as a mitigation.

Read more:
LNK Vulnerability: Embedded Shortcuts in Documents

Another Signed Stuxnet Binary

There are a couple of new developments in the Stuxnet rootkit case. Last night, the analysts in our Kuala Lumpur lab added detection for another digitally signed Stuxnet driver. This one uses a certificate from JMicron Technology Corporation

View original post here:
Another Signed Stuxnet Binary

Update on Security Advisory 2286198

Microsoft has updated Security Advisory 2286198 and it now clarifies that: “The vulnerability exists because Windows incorrectly parses shortcuts in such a way that malicious code may be executed when the icon of a specially crafted shortcut is displayed.” Displayed is the important keyword. This is good and addresses our earlier concerns.

Read the original post:
Update on Security Advisory 2286198

Code for Shortcut Zero-Day Exploit is Public

If you’re not following Mikko’s Twitter feed, you may have missed yesterday’s news that public proof of concept exploit code for the Windows shortcut (.lnk) vulnerability has been released on exploit-db.com. This further escalates the danger of the shortcut vulnerability

Read more here:
Code for Shortcut Zero-Day Exploit is Public

Prenotification: Out-of-band Security Updates for Adobe Reader and Acrobat

A Security Advisory has been posted in regards to upcoming Adobe Reader and Acrobat updates scheduled for the week of August 16, 2010. The updates will address critical security issues in the products, including CVE-2010-2862 which was discussed at the Black Hat USA 2010 security conference on Wednesday, July 28, 2010. These security updates will be made available for Windows, Macintosh and UNIX.

View original post here:
Prenotification: Out-of-band Security Updates for Adobe Reader and Acrobat

Getting developers on board with security – once and for all

Making Web application security work is more than simply telling developers they need to write better code. We can scream “Write better code!” and “Integrate security into the application lifecycle!” at developers until the end of time, but that’s not going to fix the fundamental problems we have with insecure software. Developers, by and large, know they need to write better code and integrate security into the application lifecycle.

Read more:
Getting developers on board with security – once and for all

WDL Premium: Portfolio WordPress Theme deLucide

Here’s another amazing premium WordPress theme from ThemeShift for our premium members. deLucide is a very sleek and elegant portfolio WordPress theme to showcase your photos or any other work in a professional and lucent design.

Link:
WDL Premium: Portfolio WordPress Theme deLucide

Sality Links

Shortcut exploits have made the news in malware circles this month. After Stuxnet first used them, it wasn’t long before other malware started exploiting the zero-day vulnerability – Sality is among their numbers. The authors of the Sality family added a new executable component, which we detect as Troj/Sallink-A, that enumerates network resources, dropping two files where it can

Visit link:
Sality Links

Greetings from Blackhat USA

I have to admit that I am not a huge fan of Las Vegas, but, when the reason to visit is as good as attending Blackhat and Defcon, I instantly forget the heat, endless rows of slot machines, big crowds, kitschy hotels, bars and everything that makes Vegas, Vegas. I have missed the last two Blackhats but I am glad that I am back and that not many things changed

See the original post here:
Greetings from Blackhat USA

Discovered XSS on Facebook can lead to account hijack

Facebook rates as the second most popular website on the internet with 400 million active users. When such a website has common web application security flaws, they are going to be abused for one’s gain.

Read more:
Discovered XSS on Facebook can lead to account hijack

How large is a piece of Malware?

Q. What is the average size of a typical malware file? Of course there is no definitive answer to this question, and different kinds of malware can have vastly different sizes, but for those wanting an answer I ran a quick calculation over some of SophosLabs’ monthly collections of malware samples.

Visit link:
How large is a piece of Malware?

10 Free Online Books for Web Designers

There’s a never ending supply of information out there for us web designers. If there’s something we need to learn, we can find it in one form or another.

See the rest here:
10 Free Online Books for Web Designers

Why won’t my sample run?

Here at SophosLabs we have recently been seeing samples of Zbot (also known as the Zeus crimeware kit) that refuse to execute on any of our testing machines. Often when this happens it is because the sample is corrupt or will only execute on specific versions of Windows, or maybe because the file will only run on a specific date, or because a certain payload is only activated on a certain date (e.g

Go here to read the rest:
Why won’t my sample run?

Refresh of the Mozilla Security Bug Bounty Program

Mozilla launched its security bounty program in 2004 and while the original mission of protecting users by supporting security research has not changed, the security environment has changed tremendously. In recognition of these changes we are updating our security bounty program to better support constructive security research. For new bugs reported starting July 1st, 2010 UTC we are changing the bounty payment to $3,000 US per eligible security bug

See more here:
Refresh of the Mozilla Security Bug Bounty Program