Jul 30
Wednesday, July 30th, 2008
RealNetworks has shipped a new version of its RealPlayer software to plug at least four serious security holes in the program. Updates are available for RealPlayer versions 10, 10.5 and 11 for Linux, Mac and Windows systems. Windows versions of RealPlayer are affected by all four vulnerabilities (two of the flaws are once again ActiveX related), while the Linux and Mac versions are exposed to just one of the holes. Even so, the company is urging all users, regardless of platform, to upgrade their software. To see which version of RealPlayer you’re using, select “Help,” then “About” in the program’s menu. Windows users can use the “Check for updates” option. Linux and Mac updates are available here. Regular readers of this blog know that I am not a huge fan of RealPlayer. But there are alternatives. If you just need to hear streaming Real audio, the free and excellent VLC [...]
Wednesday, July 30th, 2008
Three-quarters of all Web sites that try to foist malicious software on visitors are legitimate sites that have been hacked, a report released today found. Even worse, most of these compromised sites are social networking communities and some of the Internet’s most popular destinations. Those numbers come from stats (PDF) collected in the first six months of this year by Websense, an online security company that scans more than 40 million Web sites hourly for signs that they may have been compromised by hackers. Websense found that 60 percent of the Top 100 most popular sites this year have either hosted malware or forwarded visitors to malicious sites. The company also says that nine out of 10 of those compromised sites were social networking or Web search sites. “The majority of these attacks are using Web properties as repositories for malware, mainly because they let users upload content,” said [...]
Wednesday, July 30th, 2008
A security researcher has released a set of tools that make it simple for attackers to exploit weaknesses in the auto-update feature of many popular software titles. By targeting widely deployed programs such as Java, OpenOffice, Winamp and Winzip that don’t use a digital signature on their product updates, attackers can impersonate those companies and trick users into believing they are updating their software, when in reality the users may be downloading a package designed to compromise the security of their computer. Software companies should include these signatures in all of their updates, so that a user’s computer can validate that the update was indeed sent by the vendor. For example, Microsoft signs all of its updates with an encryption key that only it knows, and Windows machines are configured to ignore any incoming software update alerts that are not signed with that key. For whatever reason, Java, Winamp, [...]