Blackmoor Vituperative

Friday, 2007-01-26

Another MS Word bug used in attacks

Filed under: Security,Software — bblackmoor @ 12:32

A fourth yet-to-be-patched security vulnerability in Microsoft Word is actively being exploited in cyberattacks.

In other news, water is wet, teen-agers are horny, and politicians lie and steal. Switch to OpenOffice, you blockheads.

Tuesday, 2007-01-02

Apple Vulnerability Project launches with QuickTime exploit

Filed under: Security — bblackmoor @ 19:00

An easy-to-exploit security vulnerability in Apple Computer’s QuickTime media player could put millions of Macintosh and Windows users at risk of code execution attacks.

The QuickTime flaw kicked off the Month of Apple Bugs project, which promises to expose unpatched Mac OS X and Apple application vulnerabilities on a daily basis throughout the month of January.

(from eWeek, Apple Vulnerability Project Launches with QuickTime Exploit)

I think this is great. Anything which helps educate Apple users and knocks their undeserved arrogance down a notch or three is a good thing.

Tuesday, 2006-12-19

Replace SMTP, damn it!

Filed under: Security — bblackmoor @ 00:38

Spam has exploded in the last several weeks. 9 out of 10 emails in 2006 were spam. It’s been so bad it has caused delays and even shutdowns on some networks. It’s ridiculous. The SMTP protocol is way, way past overdue for replacement with something that has authentication built in, and it really pisses me off that it hasn’t been replaced by now. I am sick to death of people saying that it isn’t practical — the choice will soon be either to replace SMTP or to stop using email at all. Stop making excuses and replace the damned protocol. Here’s one suggestion. Here’s another. Get it done.

At this point I don’t even think it’s worth the effort of reporting spam to services like SpamCop. That’s like calling the police every time you see someone driving over the speed limit. It’s just a waste of time, because it makes no difference.

Monday, 2006-12-18

High Assurance SSL

Filed under: Security,The Internet — bblackmoor @ 17:49

Apart from the actual security provided by digital certificates in a Web environment, in terms of encryption of data and authentication of participants, they are meant to be a confidence-boosting measure.

That little lock icon in the browser and the “https” in the address tell the user that the communications are secure. Users can also click through some dialog boxes linked from the icon to see specifics of the certificates for the site they are viewing and make a decision about the authenticity of that site. Of course, 99% of users never do any such thing, and probably very few even notice the relatively obscure lock icon.

Even the value of the lock icon has been diminished lately. There have been recent examples of scammers obtaining a certain kind of SSL certificate, called a domain-authenticated SSL certificate, that can be obtained with very little in the way of verification of the bona fides of the applicant. Even if the user takes care to look for the lock symbol, he or she can be fooled by such a certificate.

A new standard hopes to address this situation with a new class of certificate. Some reports indicate that the final official name for these certificates will be “Extended Validation,” but they are more widely known as “High Assurance” SSL certificates.

(from IIS Zone, High Assurance SSL)

e-Passport cracked in five minutes

Filed under: Security,Society — bblackmoor @ 11:34

Last month a panel of EU experts warned that the e-Passport’s security is “poorly conceived”, and a week later a British newspaper demonstrated a crack. Now another researcher has shown how to clone a European e-Passport in under 5 minutes. A UK Home Office spokesman dismissed it all, saying “It is hard to see why anyone would want to access the information on the chip.”

Friday, 2006-12-15

Third MS Word code execution exploit posted

Filed under: Security — bblackmoor @ 22:14

Exploit code for a third, unpatched vulnerability in Microsoft Word has been posted on the Internet, adding to the software maker’s struggles to keep up with gaping holes in its popular word processing program.

The attack code, available at Milw0rm.com, contains sample Word documents that have been rigged to launch code execution exploits when the file is opened.

Microsoft has not yet publicly acknowledged the vulnerability, but the United States Computer Emergency Readiness Team issued an alert to warn that Word documents can be manipulated to trigger code execution or denial-of-service attacks.

(from eWeek, Third MS Word Code Execution Exploit Posted)

At this point I just have to ask… why the hell is anyone still using MS Office? Fool me once, shame on you, fool me over and over and OVER AND OVER again, for years on end, and maybe I’m just too damned stupid to be permitted to operate a computer. I think anyone still using MS Office falls squarely into that category.

Thursday, 2006-12-14

‘Logic bomb’ backfires on idiot hacker

Filed under: Security — bblackmoor @ 11:21

A former UBS PaineWebber employee was sentenced to eight years in prison on Wednesday for planting a computer “logic bomb” on company networks and betting its stock would go down.

The investment scheme backfired when UBS stock remained stable after the computer attack and Roger Duronio lost more than $23,000.

(from ZDNet, ‘Logic bomb’ backfires on insider hacker)

Dumbass hackers.

Wednesday, 2006-12-06

Microsoft issues MS Word zero-day attack alert

Filed under: Security,Software — bblackmoor @ 14:03

Microsoft on Dec. 5 warned that an unpatched vulnerability in its Word software program is being used in targeted, zero-day attacks.

A security advisory from the Redmond, Wash., company said the flaw can be exploited if a user simply opens a rigged Word document.

[…]

There are no pre-patch workarounds available. Microsoft suggests that users “not open or save Word files,” even from trusted sources.

(from eWeek, Microsoft Issues Word Zero-Day Attack Alert)

Why are you still using MS Office? Does a house have to fall on you? Uninstall it and switch to OpenOffice, you knuckleheads.

Monday, 2006-11-06

For pete’s sake, disable ActiveX!

Filed under: Security — bblackmoor @ 12:07

The US Department of Homeland Security has warned that attackers are exploiting an unpatched flaw in Windows to compromise systems via malicious websites.

Microsoft on Friday said it was investigating reports of a newly discovered, unpatched bug in the XMLHTTP 4.0 ActiveX control, which it confirmed was being exploited on malicious sites. The bug has the potential to infect a large number of systems. Since it doesn’t require any user interaction, a user must merely use Internet Explorer to visit a site containing the exploit.

(from TechWorld, Windows hit by zero-day flaw)

Does a house have to fall on you people for you to get the message?

  1. Don’t use Internet Explorer!
  2. Don’t use or enable ActiveX!

Thursday, 2006-10-19

Spam on the rise

Filed under: Security — bblackmoor @ 14:14

Oct 19, 2006

SpamCop and others are monitoring a huge global increase in spam volumes that started late last week. Networks are reporting anywhere from 30-50% increases in spam volume. On our system, this is causing occasional mail delays as our filtering systems struggle with the load. We’re working on installing more systems in the filters to increase our capacity but this won’t be finished for around a week. In the meantime, we may have delays during the middle of the day. We’re aware of the problem and doing what we can to mitigate it until all the new systems are operational.

(from SpamCop Email System News)

I have been getting swamped with spam over the last few days. Most of it has subject lines like “Momentous letter. You must to read.”

We really need a replacement for SMTP. Like, five years ago.
