CNET reported on a recent study by Sophos about the web habits of Facebook users. The study found that 41-46% of users blindly accepted friend requests from two unknown people. Sophos was then able to access "up to 89 percent of the users' full dates of birth, all of their e-mail addresses, where they went to school, and more."
"Multiple buffer and integer overflow vulnerabilities in the Java
Runtime Environment with processing audio and image files may allow an
untrusted applet or Java Web Start application to escalate privileges.
For example, an untrusted applet may grant itself permissions to read
and write local files or execute local applications that are accessible
to the user running the untrusted applet."
"Adobe is planning to release an update for Adobe Flash Player
10.0.32.18 and earlier versions, and an update to Adobe AIR 1.5.2 and
earlier versions, to resolve critical security issues. Adobe expects to
make these updates available on December 8, 2009."
Every once in a while, I get a question about the safety of wireless keyboards. For example, if I'm going to type in my credit card, SSN or birthdate, is it safe to use a wireless keyboard? The short answer is, probably not. Watch the video in the link below for an example as to why not.
Facebook founder Mark Zuckerberg wrote an open letter describing some changes to the privacy of Facebook accounts (linked from above article). It appears that regional networks are going to disappear, which may end up disclosing more information than you had intended. He suggests that all Facebook users review their account privacy settings and update them accordingly.
"BlackBerry Attachment Service is prone to multiple remote
code-execution vulnerabilities when handling specially crafted PDF files.
Attackers can leverage these issues to corrupt memory and execute
arbitrary code in the context of the vulnerable service, possibly with
SYSTEM-level privileges. Successful exploits will compromise the server.
Failed attacks will likely result in denial-of-service conditions."
"The Linux Kernel is prone to multiple remote denial-of-service
An attacker can exploit these issues to cause a kernel panic, denying
service to legitimate users."
It should be noted that this affects the mac80211 code in the kernel,
which deals specifically with the 802.11 wireless LAN standard.
Seasoned Unix admins may already know the pitfalls of blindly running
ldd on unknown executables. However, since this article was recently
released, I thought it might be good as a reminder to everyone to be
careful when using it.
This article shows some techniques on how to cause ldd to run arbitrary
code, and how easy it is to trick a sysadmin into executing that code as
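The safe alternative for an untrusted binary is to read its dependency metadata without ever invoking it: ldd works by asking the file's own program interpreter to trace the libraries it would load, so a file that names an unexpected interpreter gets a say in what runs. The following added example (not code from the article above) parses the ELF64 program headers and dynamic section directly in Python and reports the requested interpreter and DT_NEEDED libraries; the function names, the allowlist of common loader paths, and the sample image that build_sample_elf() constructs are all assumptions made for this illustration.

```python
import struct

# ELF64 little-endian layouts (struct formats) and the constants used below.
ELF_HDR = "<16sHHIQQQIHHHHHH"   # e_ident .. e_shstrndx, 64 bytes
PHDR = "<IIQQQQQQ"              # program header, 56 bytes
DYN = "<qQ"                     # dynamic entry (d_tag, d_val), 16 bytes
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
DT_NULL, DT_NEEDED, DT_STRTAB, DT_STRSZ = 0, 1, 5, 10

# Loader paths a reviewer normally expects (assumed allowlist; extend for your platforms).
KNOWN_INTERPRETERS = {
    "/lib64/ld-linux-x86-64.so.2",
    "/lib/ld-linux.so.2",
    "/lib/ld-linux-aarch64.so.1",
    "/lib/ld-musl-x86_64.so.1",
}

def inspect_elf(data):
    """Return PT_INTERP and DT_NEEDED of an ELF64 image by parsing bytes only."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example handles ELF64 little-endian only")
    hdr = struct.unpack_from(ELF_HDR, data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    loads, interp, dyn_seg = [], None, None
    for i in range(phnum):
        p_type, _, p_off, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            PHDR, data, phoff + i * phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_INTERP:
            interp = data[p_off:p_off + p_filesz].split(b"\0", 1)[0].decode()
        elif p_type == PT_DYNAMIC:
            dyn_seg = (p_off, p_filesz)
    if dyn_seg is None:                     # statically linked: nothing to resolve
        return {"interp": interp, "needed": []}

    def vaddr_to_off(va):                   # DT_STRTAB holds a virtual address
        for v, o, sz in loads:
            if v <= va < v + sz:
                return o + (va - v)
        raise ValueError("DT_STRTAB lies outside every PT_LOAD segment")

    needed, strtab_va, strsz = [], None, 0
    off, end = dyn_seg[0], dyn_seg[0] + dyn_seg[1]
    while off + 16 <= end:
        tag, val = struct.unpack_from(DYN, data, off)
        off += 16
        if tag == DT_NULL:
            break
        if tag == DT_NEEDED:
            needed.append(val)              # offset into the dynamic string table
        elif tag == DT_STRTAB:
            strtab_va = val
        elif tag == DT_STRSZ:
            strsz = val
    if strtab_va is None:
        raise ValueError("dynamic segment has no DT_STRTAB")
    sbase = vaddr_to_off(strtab_va)
    strtab = data[sbase:sbase + strsz]
    names = [strtab[o:].split(b"\0", 1)[0].decode() for o in needed]
    return {"interp": interp, "needed": names}

def interp_is_standard(interp):
    return interp is None or interp in KNOWN_INTERPRETERS

def build_sample_elf(interp, needed):
    """Constructed sample: a minimal, non-runnable ELF64 image carrying the given metadata."""
    interp_b = interp.encode() + b"\0"
    strtab, offs = b"\0", []
    for n in needed:
        offs.append(len(strtab))
        strtab += n.encode() + b"\0"
    interp_off = 64 + 56 * 3                # header plus three program headers
    strtab_off = (interp_off + len(interp_b) + 7) & ~7
    dyn_off = (strtab_off + len(strtab) + 7) & ~7
    dyn = b"".join(struct.pack(DYN, DT_NEEDED, o) for o in offs)
    dyn += struct.pack(DYN, DT_STRTAB, strtab_off) + struct.pack(DYN, DT_STRSZ, len(strtab))
    dyn += struct.pack(DYN, DT_NULL, 0)
    total = dyn_off + len(dyn)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, little-endian, version 1
    img = bytearray(total)
    img[0:64] = struct.pack(ELF_HDR, ident, 3, 62, 1, 0, 64, 0, 0, 64, 56, 3, 0, 0, 0)
    # One PT_LOAD maps the whole file at vaddr == file offset, then PT_INTERP and PT_DYNAMIC.
    phdrs = struct.pack(PHDR, PT_LOAD, 5, 0, 0, 0, total, total, 0x1000)
    phdrs += struct.pack(PHDR, PT_INTERP, 4, interp_off, interp_off, interp_off, len(interp_b), len(interp_b), 1)
    phdrs += struct.pack(PHDR, PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    img[64:64 + len(phdrs)] = phdrs
    img[interp_off:interp_off + len(interp_b)] = interp_b
    img[strtab_off:strtab_off + len(strtab)] = strtab
    img[dyn_off:dyn_off + len(dyn)] = dyn
    return bytes(img)

if __name__ == "__main__":
    # Constructed sample with a non-standard interpreter; pass real bytes from open(path, "rb") instead.
    info = inspect_elf(build_sample_elf("/opt/custom/ld.so", ["libc.so.6", "libexample.so.1"]))
    print(info, "standard loader:", interp_is_standard(info["interp"]))
```

Run against a real file by reading it with open(path, "rb") and passing the bytes to inspect_elf(); the parser only slices the byte string, so an interpreter path outside KNOWN_INTERPRETERS is simply reported for review rather than executed. The same static view is what `objdump -p` or `readelf -d` give you, which is why the ldd manual page recommends them for files you do not trust.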
"Cacti is prone to multiple cross-site-scripting and HTML-injection
vulnerabilities because it fails to properly sanitize user-supplied
input before using it in dynamically generated content.
Updated Java JRE packages and Tomcat packages address several security
issues. Updates for the ESX Service Console and vMA include kernel,
ntp, Python, bind, libxml, libxml2, curl and gnutil packages. ntp is
also updated for ESXi userworlds.