Apple’s Safari browser is beginning to look like a bullet-ridden car in Iraq. According to a warning posted to security mailing lists, there are multiple security flaws in Safari 3.1.1 that put users at risk of ID-theft spoofing attacks or, worse, expose them to drive-by malware downloads. I have confirmed the spoofing bug based on […]
Malware researchers have flagged a massive outbreak of JavaScript injection attacks that have compromised thousands of Web sites, including .gov sites in the United Kingdom. This alert from Websense Security Labs explains: “When a user browses to a compromised site, the injected JavaScript loads a file named 1.js which is hosted on http://www.nihao[removed].com. The JavaScript […]
There’s a serious brain drain affecting the OLPC (One Laptop Per Child) initiative, and it’s not a good sign for security. The latest high-profile defector from the nonprofit organization is Walter Bender, a former MIT Media Lab executive who was instrumental in efforts to change the desktop computer security model. (See Slashdot and Techmeme […]
Security researcher Petko D. Petkov (aka pdp) has discovered a gaping hole in fully patched versions of Apple’s QuickTime for Windows Media Player. The zero-day vulnerability allows an attacker to use rigged movie (.mov) files to take full control of Windows XP and Vista machines. Petkov (left), an ethical hacker from the GNUCitizen think-tank, provided […]
Adobe has issued a prepatch advisory for a critical vulnerability in Photoshop Album Starter Edition 3.2, its free image-manipulation software product. The flaw, which affects Windows users, could be exploited to launch code execution attacks if the target is tricked into opening a malicious BMP file. The vulnerability remains unpatched. “Adobe categorizes this as a […]
Hackers are having fun exposing security holes in Barack Obama’s official campaign site. According to a post over at XSSed.com, a site that catalogs cross-site scripting vulnerabilities, one of the multiple holes in Obama’s site was exploited to redirect traffic to HillaryClinton.com. Netcraft reports that visitors who viewed the Community Blogs section of BarackObama.com were […]
Microsoft’s Windows XP SP3 (Service Pack 3) is finally here, offering several subtle security goodies alongside thousands of bug fixes. The biggest security feature in this service pack is the inclusion of NAP (Network Access Protection) to help organizations that use Windows XP to take advantage of new features in the Windows Server 2008 operating […]
Microsoft has chosen a new song to continue its public slow dance with the white hat hacking community: online properties like *.microsoft.com, *.msn.com and *.live.com. According to Dan Goodin reporting from Toorcon Seattle, Microsoft security strategist Katie Moussouris pledged that the software vendor will not sue or press charges against ethical hackers who responsibly find–and […]
The notorious Rock Phish gang is pushing the envelope again, adding a sophisticated crimeware Trojan to its identity theft arsenal. The Russian group, which is responsible for about half of all phishing attacks, is now doing browser-based drive-by attacks to load a variant of Zeus, a Trojan toolkit that sells online for $700. “This is […]
A planned cyber-attack against CNN.com fizzled over the weekend, but The Sports Network did not survive the DDoS (distributed denial-of-service) assault by Chinese hackers. At 10:00 a.m. on Monday morning, The Sports Network home page carried this note: “The Sports Network website and other major news sites have been hacked by a political entity from […]