Why fixing the Java flaw will take so long

"By now you've heard about the latest, very serious problem with Oracle's Java runtime. You may also have heard that it could take a very long time to fix. Here's why: The flaw uncovered by security researchers last week devolves not to one issue, but to a series of issues, one knocking into the other like dominoes. Oracle has fixed one of the dominos with a patch, but there are likely to be other ways to tip over the entire row.

Emergency response
The vulnerability patched by Oracle resides in a version of Java 7 designed to extend Web browsers. The defect made it possible for a malicious Java applet on a Web page to execute arbitrary code on the underlying computer.

While this sort of defect would usually be kept secret until a fix was available, it was disclosed last week because malicious crackers had already found the defect and were exploiting it as part of a dirty-tricks toolkit used by scammers and other thieves, giving Oracle zero days to fix the code. As more researchers evaluated this "zero-day exploit," it became clear it was exceptionally serious.

With terrific speed, Oracle's engineers created a fix for the problem over the weekend andreleased it Monday. Yet security researchers weren't impressed. Why was that? I asked Oracle to brief me, but I was refused and simply referred to a blog posting on the subject, which offered little explanation.

Instead I turned to the open source community for help. Java 7 is actually based on an open source project called OpenJDK, and Oracle had also released patches for that. I was able to quickly find explanations of both the defect and the fix."

Read the full article at http://www.infoworld.com: Why fixing the Java flaw will take so long

Macintosh = Hacker-Proof?

Charlie Miller has a habit of upending Apple's security claims.

Charlie A. Miller loves his Macbook Pro laptop. And his four other Apple ( AAPL - news - people ) PCs, the iPhone he uses daily and two older iPhones he keeps for tinkering. But his relationship with the company that created those gadgets is somewhat more complicated.

In March, for instance, the 36-year-old security researcher publicized his discovery of 20 security vulnerabilities in Apple's software. Each would allow a cybercriminal to take over the computer of a user who's tricked into opening a certain PDF attachment or who simply visits an infected Web page using Apple's Safari browser.

That haul of bugs is a record even for Miller, who over the last four years has become perhaps the world's most prominent Mac hacker. It may also be definitive proof that Apple devices aren't safe "right out of the box," as the company has claimed for years. "When I first began saying that Macs were less secure than Windows, everyone thought I was an idiot," says Miller. "So I had to prove it again and again and again."

In 2007 Miller became the first to hack the iPhone, using a flaw in its Safari browser to remotely gain control of the not-so-smart phone. Six months later he hacked a Macbook Air in two minutes at a competition in Vancouver. Last summer he revealed a method that allowed him to virally hijack the iPhone using text messages spread via a user's contact list.

Miller says his latest research doesn't aim to show off his elite hacking skills,most of which he learned over five years as a global network exploitation analyst for the National Security Agency. Instead, he wants to show just how easy it is to find chinks in the armor of commonly used software. Miller used a technique known as "dumb fuzzing" to find flaws. He ran the procedure more persistently than most hackers, leaving his fuzzing program to throw junk information at each target for three weeks before mining the data for exploitable flaws.

As for Apple, Miller says the company has learned to accept, if not appreciate, his work. He usually gives Apple weeks of notice before publicly describing its bugs. "They're always very polite," he says. "But I suspect they wish I didn't exist."

Read the full story at Forbes.com by Andy Greenberg

Updated:
Apple Patches Pwn2Own Bug

Fake antivirus attacks PCs with ransom demand

The Fake antivirus phenomenon has taken an unpleasant turn with the discovery of a Windows program that not only cons users into buying an unnecessary license but appears to lock files and applications on the victim's PC.

According to security company Panda Security, rogueware program Total Security 2009 starts out in conventional fashion with the 'discovery' of a non-existent malware infection for which it demands an unusually ambitious $79.95 (£50), and even has the cheek to ask a further $19.95 for 'premium' technical support.

Read the full story by John E. Dunn , TechWorld

Sneaky Microsoft plug-in puts Firefox users at risk

"Computerworld - An add-on that Microsoft silently slipped into Mozilla's Firefox last February leaves the browser open to attack, Microsoft's security engineers acknowledged earlier this week.

One of the 13 security bulletins Microsoft released Tuesday affects not only Internet Explorer (IE), but also Firefox, thanks to a Microsoft-made plug-in pushed to Firefox users eight months ago in an update delivered via Windows Update.

"While the vulnerability is in an IE component, there is an attack vector for Firefox users as well," admitted Microsoft engineers in a post to the company's Security Research & Defense blog on Tuesday. "The reason is that .NET Framework 3.5 SP1 installs a 'Windows Presentation Foundation' plug-in in Firefox."

The Microsoft engineers described the possible threat as a "browse-and-get-owned" situation that only requires attackers to lure Firefox users to a rigged Web site."

Read the full story by Gregg Keizer

Snow Leopard Critical Bug Found -- Guest Login Can Delete Account Data

A "critical flaw has been found in Snow Leopard. Reportedly, Snow Leopard users have been making the unpleasant discovery that logging into a guest account and then logging out can delete user information on all accounts. Apple computers store user info such as pictures, documents, and downloads in a common location, much like Windows "My Documents".

Describes user "parshallnet" to Apple, "When I logged into my MacBook Pro this morning, it was as if I had logged into my Guest Account and not my standard user profile. No icons on the desktop, the desktop wallpaper was the default 'space' photo and not the one I had assigned, no documents in the docs folder, apps behaved as if I'd never opened them before.”

Continue reading the full story by Jason Mick

Data losses in Snow Leopard bug

Users of the new Apple operating system Snow Leopard are experiencing massive data losses when logging into their machines under a guest account.

The problem appears to affect those who had a guest account enabled before upgrading to Snow Leopard.

The problem appears to affect those who had a guest account enabled before upgrading to Snow Leopard.

Users have in some cases lost their entire main profile, including sites, pictures, videos and documents.

The problem, reported by more than 100 users on discussion forums, surfaced shortly after the OS's August release.

Indications are that the Snow Leopard bug simply treats the principal account like a guest account - meaning that the account profile is wiped clean when logging out.

Users who first log into a guest account and then into their normal account have found it to be completely reset to factory default settings, with none of their personal data or files visible.

Continue reading the BBC story

Snow Leopard data-munching bug predates Snow Leopard

Howls of Jobsian distress date to November 2007!

Fanboi complaints of a mystery data-munching Mac OS bug began well before the arrival of Snow Leopard, Apple's latest desktop operating system. Similar tales of woe date back to at least November of 2007, when Jobsian cultists were still using the previous Mac OS version, just plain Leopard.

"Nooooo!!! This morning I had access to Guest Account and than all my data were lost!!!" wrote one user over the weekend. "I had 250GB of data without backup and I lost everything: years and years of documents, pictures, video, music!!! Is it possible to recover something? Please help me!!!!"

But it appears the same bug predates Snow Leopard (aka Mac OS X 10.6). Sebastian Mondial, a Hamburg-based journalist with the German News Service, reported what would appear to be an identical problem with a postto the Apple support forum on November 13, 2007. Mondial was hit after a clean install of just plain Leopard (version 10.5.1).

See the full story by Cade Metz in San Francisco

Microsoft may have known about critical IE bug for months

Researchers uncovered latest bug in 2007; Microsoft mum on timing

The vulnerability that sent Microsoft scrambling yesterday and is being used by hackers now to attack Internet Explorer (IE) users may have been reported 18 months ago or more.

In the security advisory it issued yesterday, Microsoft credited a pair of researchers -- Ryan Smith and Alex Wheeler -- with reporting the bug. Smith and Wheeler once worked together at IBM's ISS X-Force, although Wheeler now is at Texas-based 3Com's TippingPoint DVLabs.

Wheeler confirmed that he and Smith uncovered the vulnerability, but he gave most of the credit to Smith. Wheeler declined, however, to say when the bug was reported to Microsoft. "I don't feel comfortable talking about that," he said, citing a non-disclosure agreement related to the vulnerability that he signed at the time. Instead, he steered questions to his former employer, ISS X-Force.

Wheeler suggested switching browsers. "Unless they're specially configured, other browsers will face substantially lower risk," said Wheeler. Browsers such as Mozilla's Firefox, Google's Chrome and Apple's Safari don't rely on ActiveX technology to drive add-ons, as does IE.

Read the full Computerworld story by By Gregg Keizer