Spammers are using an automated method to create bogus pages on Google's Blogger service, again highlighting the diminishing effectiveness of a security system intended to stop mass account registrations, according to security vendor Websense. The spammers are sending coded instructions to PCs in their botnets, or networks of computers that have been infected with malicious software, wrote Sumeet Prasad, a threat analyst, on Websense's blog. Those sophisticated instructions tell PCs how to register a free account on Blogger. The spammers also figured out a way to solve the CAPTCHA (Completely Automated Public Turing test to Tell Computers and Humans Apart), the warped text that has to be deciphered in order to complete an account registration. The compromised PC sends a request to an external host that tries to solve the CAPTCHA and then sends the answer back to the PC. Websense estimates the process has an 8 to 13 percent success rate.
Microsoft Blames Poor Coding Practices for Massive SQL Injection Attack
Microsoft on Friday found itself trying to clarify that it has nothing to do with the poor coding practices that have enabled a massive SQL injection attack to affect Web sites using Microsoft IIS Web Server and Microsoft SQL Server. "The attacks are facilitated by SQL injection exploits and are not issues related to IIS 6.0, ASP, ASP.Net, or Microsoft SQL technologies," said Bill Sisk, a communications manager at Microsoft, in a blog post. "SQL injection attacks enable malicious users to execute commands in an application's database." Sisk said that to defend against SQL injection attacks, developers should follow secure coding practices. SQL injection attacks involve insufficiently filtered code submitted to SQL databases through user input mechanisms. On Friday, U.S. CERT issued a warning about SQL injection attacks that have compromised a large number of legitimate Web sites. Affected Web sites contain injected JavaScript that attempts to exploit several known vulnerabilities. U.S. CERT recommends disabling JavaScript and ActiveX.
Microsoft: We Took Out Storm Botnet http://www.computerworld.com/action/article.do?command= viewArticleBasic&articleId=9079653&source=rss_topic17
Microsoft Corp. today took credit for crushing the Storm botnet, saying that the malware search-and-destroy tool it distributes to Windows users disinfected so many bots that the hackers threw in the towel. "They realized they were in our gun sights," said Jimmy Kuo, a principal architect with Microsoft's malware protection center, the group responsible for the Malicious Software Removal Tool (MSRT). Microsoft updates and automatically redistributes the software tool to Windows users each month on Patch Tuesday. Last year, said Kuo, the criminals behind the Storm Trojan - malware designed to compromise PCs and add them to a botnet, or collection of infected machines - tried to keep pace with Microsoft and the MSRT.
Researcher Finds New Flaw in QuickTime for Windows
A security think tank says it has found a vulnerability in Apple Inc.'s QuickTime multimedia player that can be exploited remotely to compromise Windows Vista PCs upgraded to Service Pack 1, as well as those with Windows XP SP2. According to the scant details published on the GNUCitizen blog, the exploit involves a maliciously crafted media file. When a user opens the file, which can be hosted on a Web site, the vulnerability in QuickTime allows the hacker to take complete control of the machine, according to Petko D. Petkov, known to the hacking community as "pdp." Petkov doesn't think users are in danger of being attacked as of yet. "I highly doubt that anyone knows how to exploit this vulnerability," Petkov said.
You cannot post new topics in this forum You cannot reply to topics in this forum You cannot edit your posts in this forum You cannot delete your posts in this forum You cannot vote in polls in this forum You cannot attach files in this forum You can download files in this forum
