vulnerability

The ethics of lock picking and telling

In 2004, a video circulated on the Internet showing how a standard Bic pen could be used to open the U-shaped Kryptonite bike lock. The company recalled the locks, replaced newer purchases, and changed the design for new locks. Problem solved, right?

Not exactly. Despite the fact that the problem had been revealed 12 years earlier in a British bike magazine, Kryptonite had continued to sell the locks unchanged. Angry customers filed a class action lawsuit that was settled in 2005, with Kryptonite offering to replace all affected locks or provide vouchers, and compensate people whose bicycles were stolen as a result of the lock being picked.

"If you don't make the problems public, the companies don't fix them and the consumers buy shoddy stuff," said Bruce Schneier, chief security technology officer at BT.

There's been plenty written about breaking into the virtual locks that safeguard sensitive data on the Web. But the picking of real-world physical locks is becoming an increasingly popular pastime for some. Enthusiasts have formed sporting clubs and hold regular competitions. Security researchers write books about how locks can be broken into and show how it's done on blogs and videos and at security conferences.

Naturally, lock manufacturers aren't happy. They argue that publicizing the vulnerabilities causes people to panic unnecessarily and puts the public at risk by giving criminals information they can use to break door locks, safes, and other secured assets.

But, just like third-party disclosure of vulnerabilities in software forces manufacturers to acknowledge security holes and patch them quickly, lock manufacturers will find they can't escape the scrutiny and will have to be held accountable for their products, experts say. … Read more

Security Bites 109: Open-source security

For years, one of the arguments for using open-source software instead of proprietary software held that open source was more secure. After all, having thousands of eyes looking at the code can't help but find and mitigate potentially dangerous bugs. A new report from Fortify challenges that assertion.

Open-source software can be found in over half of the enterprises today. And open source code can be found within the Mac OS 10 operating system. But how are open source vulnerabilities and, more importantly, their patches handled?

This week a report from Fortify found that, while vulnerabilities exist and are … Read more

Security Bites 104: Of rootkits and online gaming flaws

Greg Hoglund is no stranger to security. In the last few years, he's founded Bugscan, Cenzic, and HBGary, where he is currently CEO. He is also the co-author of Exploiting Software, Rootkits: Exploiting the Windows Kernel, and Exploiting Online Games. Hoglund has presented at numerous Black Hat Briefings and taught several training sessions there as well.

This week he stopped by the Security Bites studio for a conversation with CNET's Robert Vamosi on rootkits, software vulnerabilities, and online gaming.

Is Windows or is IT the problem with security?

Using virus- and malware-laden software used to be bad only for one's productivity. As it turns out, it can also be bad for one's career.

Michael Fiola, formerly an investigator with the Massachusetts Department of Industrial Accidents, was charged with possession of child pornography. He lost his community's respect, many of his friends, and his family. His crime? He was given a Windows-based laptop that was riddled with vulnerabilities and that fell prey to malware.

An investigation showed he hadn't downloaded the pornography. His computer did:

When the DIA issued Fiola his Dell Latitude laptop in November 2006, it was so badly configured that it may well have already been hacked, said Tami Loehrs, a forensics investigator hired by Fiola's defense team. The Microsoft Systems Management Server software on the laptop was misconfigured and was not receiving critical software updates, and the laptop's Symantec antivirus software was either misconfigured or not working properly, she said.

"He was handed a ticking time bomb," she said.

In this case, it's called Windows. Or, more accurately, an IT department that inflicted a poorly implemented Windows environment on Mr. Fiola. Could this have happened with Linux or the Mac? Yes and maybe. Yes, because weak IT yields weak security. But maybe, because both of these Unix-based systems handle security much better than Windows traditionally has. But that's not really the point.… Read more

Apple issues QuickTime updates

Apple has released a QuickTime security update to address "highly critical" security flaws in its media player that could allow malicious attackers to take control of a user's system.

The security flaws affect QuickTime 7 versions running on the Mac OS X and Windows. Users are advised to update to QuickTime 7.4.5, according to an Apple advisory issued Wednesday.

Apple issued 11 security updates designed to prevent malicious attackers from disclosing users' sensitive information, executing arbitrary code, or causing an application to suddenly crash.

Users can be hit with such evil dealings when visiting a … Read more

Attackers targeting Microsoft Office Excel

Microsoft issued a security advisory late Tuesday that malicious attackers are targeting versions of its Office Excel with vulnerabilities.

Microsoft Office Excel 2003 with Service Pack 2; Excel Viewer 2003; Excel 2002; Excel 2000; and Microsoft Excel 2004 for the Mac are affected by the security vulnerabilities, according to the advisory.

People who open a malicious e-mail attachment or visit a malicious Web site may find that their systems are compromised and that arbitrary remote code is executed. Computers configured to give the user administrative rights are at greater risk than those with fewer user rights on … Read more

Study finds electronic health records vulnerable

The results of a fifteen-month study assessing the time to patch software associated with electronic health record (EHR) systems were published today by the eHealth Vulnerability Reporting Program. The program is a collaboration of health care industry organizations, technology companies, and security professionals that is attempting to establish best practices for the adoption of and reliance on eHealth systems, including electronic medical records (EMR), picture archiving and communication systems (PACS), and medical devices. The 39-page report found much room for improvement.

It's one thing to have your credit card information compromised--that can … Read more

Microsoft offers more detailed security alerts

Microsoft is expanding the detail available in its service to notify people of upcoming security fixes, the company said Wednesday.

On the first Thursday of each month, Microsoft's Advance Notification Service (ANS) tells those who've signed up for it some particulars of patches the company issues the following Tuesday. Currently, Microsoft shares some aggregate information about the patches--for example, how many are severe--but beginning June 7, it will offer more information for each of the bulletins in the notification, according to Microsoft's Security Response Center blog.

Specifically, Microsoft will share for each vulnerability bulletin its maximum severity, … Read more

News Roundup

-- IE 7 reaches 100 million users. Even with all those users, it still comes in second to Internet Explorer 6, which makes sense considering IE6 is the default browser on nearly every single PC. (News.com)

-- Google plugs account hijack holes. The vulnerabilities in question affected both Google Documents and GMail, giving hackers full access to your e-mail and spreadsheets. (News.com)

-- Report: Apple to charge some Mac users for wireless technologies. 802.11n, the next-generation wireless protocol, has secretly been shipping in Apple's computers for the past several months, but that functionality hasn't been … Read more