Ryan Naraine

Metasploit 3 Adds iPhone Support to Hacking Arsenal

HD Moore’s Metasploit point-and-click hacking tool now has built-in support for breaking into Apple’s iPhone devices. Version 3.1 of the exploit development and attack framework shipped earlier today with full support for the Windows platform (including GUI), support for hacking into iPhones, more than 450 modules and about 265 remote exploits. The iPhone support is […]

PayPal Buys Anti-Fraud Technology

PayPal, the online payments platform owned by eBay, has shelled out $170 million in cash to snap up Fraud Sciences, an Israeli company that markets fraud management technology. PayPal, which is high on the list of phishing and ID theft targets, said Fraud Sciences’ risk tools and analytics will enhance eBay and PayPal’s proprietary fraud […]

Skype Security Problems Multiply

The Skype security problem I wrote about here and here is much more serious than originally reported, according to the hacker who found and reported the vulnerability. Aviv Raff showed me proof-of-concept code that fired a code execution exploit whenever I visited a booby-trapped Web page. The exploit worked even if Skype was not running–visiting […]

Do You Know What’s Leaking Out of Firefox?

Mozilla security chief Window Snyder has confirmed an information disclosure flaw affecting fully patched versions of the Firefox browser. Snyder’s acknowledgment follows the public release of technical details–and proof-of-concept code–that shows how a vulnerability in the chrome protocol scheme allows directory traversal when a “flat” add-on is present in Firefox. This allows escaping the extensions […]

Bluetooth Worm Squirms Through Symbian Phones

Anti-virus vendors have raised an alarm for a new worm squirming through mobile phone networks, using Bluetooth and MMS (Multimedia Messaging Service) to infect Symbian OS devices. According to F-Secure, the worm was detected in the wild, using social engineering lures to trick smart-phone users into installing an incoming SIS application installation file. It affects […]

Critical TCP/IP Worm Hole Dings Windows Vista

Microsoft has issued a high-priority security update to fix a pair of “critical” flaws that expose Windows users to remote code execution attacks. The software giant’s first batch of patches for 2008 includes a fix for at least two vulnerabilities in TCP/IP processing. The bugs, rated critical for all supported versions of Windows XP and […]

‘Highly Critical’ Bug Haunts HP Virtual Rooms

A serious security flaw in an ActiveX Control used by the HP Virtual Rooms online collaboration suite could put business users at risk of code execution attacks. According to an advisory posted to the Full Disclosure mailing list, the vulnerability is caused by a boundary error in the HPVirtualRooms14.dll ActiveX control when handling strings […]

Skype Slaps Band-Aid on Code Execution Hole

Skype has moved swiftly to block a security hole that allowed code execution attacks via the software’s video search feature. The vulnerability, exposed last week by researchers Aviv Raff and Petko D. Petkov, is a cross-zone scripting issue that allowed hackers to use rigged video files to launch full code execution (PC takeover) attacks. On […]

IE7 Coming Through on WSUS, Blocker Toolkit or Not

Larry Seltzer here, pointing you to this recent Knowledge Base article with Microsoft’s announcement that Internet Explorer 7 will be distributed through WSUS (Windows Software Update Services) on Feb. 12, 2008, which is the next Patch Tuesday. It will appear as an “Update Rollup.” The default configuration for WSUS is not to apply update rollups […]

Linux Security Specialist Joins Microsoft

Linux security guru Crispin Cowan is leaving the open-source world to join (gasp!) Microsoft’s Windows security team. Cowan, co-founder of the Immunix Linux distro and one of the brains behind several Linux hardening technologies, will work on the same team at Microsoft that created the oft-criticized UAC (User Account Control) technology. [ SEE: Microsoft: […]