For the first time since people started keeping track of this stuff, 2007 saw a noticeable decline in publicly reported security vulnerabilities. In fact, according to data from IBM ISS X-Force, there was a 5.4 percent decline in new vulnerability disclosures from the previous year, a drop that could represent an anomaly, a statistical correction […]
Blogging software provider WordPress has shipped an “urgent” security update to fix an XML-RPC implementation flaw that allows unauthorized third-party editing of blog posts. With WordPress 2.3.3, the open-source company patches a bug that could let attackers use specially crafted requests to edit posts of any other user on that blog. An attacker would need […]
As a follow-up to two separate stories I wrote on vulnerable ActiveX controls affecting high-profile Web sites, here’s a quick primer on configuring Internet Explorer to handle ActiveX controls in a safe way. These recommendations come from US-CERT (the United States Computer Emergency Readiness Team) and have been modified slightly for IE 7, the most up-to-date […]
US-CERT is urging Web surfers to immediately disable ActiveX controls in Internet Explorer to protect against a swath of publicly reported, and unpatched, software vulnerabilities. The US-CERT (United States Computer Emergency Readiness Team) recommendation follows the release of exploit code for multiple zero-day flaws in image uploaders used by Facebook and MySpace and bugs in the ActiveX control that […]
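The two items above stop at the recommendation and the IE 7 primer is cut off, so here is an added example, not taken from US-CERT's guidance or from the original posts, of what "disable ActiveX in Internet Explorer" looks like when applied from PowerShell. It sets the ActiveX-related policies of the Internet zone (zone 3) to Disable and provides a function that sets the kill bit for a specific control. The zone policy IDs and the 0x400 kill-bit flag are Microsoft's documented registry values; the function names and the placeholder CLSID in the commented usage line are assumptions for this example, and the real CLSID of an affected control must come from the vendor or US-CERT advisory.

```powershell
# Added example (not from the original posts or US-CERT). Hardens the
# Internet Explorer "Internet" zone against ActiveX and optionally kill-bits
# a control. HKCU changes apply to the current user; the kill bit needs an
# elevated (Administrator) shell because it lives under HKLM.

# Zone policy action values: 0 = Enable, 1 = Prompt, 3 = Disable
$Disable = 3
$InternetZone = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Policy IDs (documented by Microsoft) for the ActiveX settings of a security zone
$ActiveXPolicies = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1405' = 'Script ActiveX controls marked safe for scripting'
}

function Disable-IEActiveX {
    # Hypothetical helper name: write Disable (3) for every ActiveX policy in the zone.
    param([string]$ZoneKey = $InternetZone)
    if (-not (Test-Path $ZoneKey)) { New-Item -Path $ZoneKey -Force | Out-Null }
    foreach ($id in ($ActiveXPolicies.Keys | Sort-Object)) {
        Set-ItemProperty -Path $ZoneKey -Name $id -Value $Disable -Type DWord
    }
}

function Get-IEActiveXState {
    # Hypothetical helper name: report the current action for each ActiveX policy.
    param([string]$ZoneKey = $InternetZone)
    $names = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
    foreach ($id in ($ActiveXPolicies.Keys | Sort-Object)) {
        $v = (Get-ItemProperty -Path $ZoneKey -Name $id -ErrorAction SilentlyContinue).$id
        $state = if ($null -eq $v) { 'not set (IE default applies)' } else { $names[[int]$v] }
        '{0}  {1,-60} {2}' -f $id, $ActiveXPolicies[$id], $state
    }
}

function Set-ActiveXKillBit {
    # Hypothetical helper name: set Compatibility Flags = 0x400 (the kill bit) so IE
    # refuses to load the control regardless of zone settings. On 64-bit Windows the
    # 32-bit browser reads the same path under Wow6432Node, so set both.
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $paths = @(
        "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
        "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    )
    foreach ($key in $paths) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value 0x400 -Type DWord
    }
}

Disable-IEActiveX
Get-IEActiveXState
# Set-ActiveXKillBit -Clsid '{CLSID-from-advisory}'   # placeholder; replace with the real CLSID
```

Two caveats a practitioner should check: if the machine has `Security_HKLM_only` set under the Internet Settings key (common in domain-managed builds), the HKLM copy of the zone policies wins and the HKCU values above are ignored; and a kill bit blocks the control in IE only, so a vulnerable control can still be instantiated by other COM hosts unless the vendor ships a fix.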
Security researchers have raised an alert for serious security problems with the MySpace and Facebook image upload feature. According to a warning from Symantec’s DeepSight threat analyst team, the issue centers on a buffer overflow in the ‘Action’ property of multiple ActiveX controls that are used in the image upload process for the two popular social […]
The Google-backed StopBadware.org project has slapped a “badware” label on the widely deployed RealPlayer media player for problems associated with disclosure and uninstallation. For the most part, the non-profit group has reserved the badware label for sketchy spyware-related products but, in a new report, StopBadware.org singles out RealNetworks for failing to disclose that RealPlayer 10.5’s […]
More than a month ago, on Dec. 16, 2007, a Russian security research firm released an exploit for a zero-day vulnerability in RealNetworks’ RealPlayer software into a subscription-only exploit package. The vulnerability, which still exists in the most up-to-date version of the cross-platform media player, is still unpatched because RealNetworks has been unable to get […]
Microsoft has announced plans to add new anti-exploitation APIs into Windows Vista SP1, Windows XP SP3 and Windows Server 2008 as part of a larger plan to secure the Windows ecosystem. According to Michael Howard, a senior program manager in Microsoft’s security unit, the delivery of the new NX (/noexecute) APIs significantly lowers the barriers […]
Mozilla has slapped a “high severity” rating on an unpatched Firefox vulnerability that could let hackers steal session cookies, and sensitive user information, from Web surfers. Mozilla security chief Window Snyder (left) confirmed the issue in a blog entry late Tuesday, warning that Firefox users who have installed “flat” packed add-ons (browser […]
Remember that MS08-001 worm hole that Microsoft claimed was “difficult and unlikely” to be exploited in real-world conditions? Well, a private pen-testing and vulnerability research outfit has released an exploit that fires against Windows XP SP2 (English), confirming fears that a Blaster-type network worm is theoretically very possible. Immunity, Inc., which ships exploits to paying […]