Latest Top Virus Warnings  
Google Desktop Search Vulnerable
Google has issued a patch for a serious vulnerability involving Google Desktop that would have allowed attackers to steal personal information and possibly take control of a system remotely.

Researchers at Watchfire found the product was susceptible to cross-site scripting attacks that hijack the Google Web interface in order to jump from the Internet to the desktop Web environment. The attack works by getting users to click on a link that loads malicious JavaScript.

Google Desktop serves as a fast search mechanism for documents, e-mails, instant messaging transcripts, archived Web pages and other data on PCs. A Google executive once described it as "the photographic memory of your computer." An attacker with control of Google Desktop can search for virtually anything on the computer, including Office documents, e-mails, media files and Web history cache.

Dan Allan, director of security research at Watchfire, said the tight integration between desktop and Web-based applications can be dangerous.

Man wins $102,000, casino cries malfunction

We're fully aware that getting too clever while in a casino is likely to land you behind bars, but a Pennsylvania man is now crying foul after he got the short end of the stick in an unfortunate "mishap." The retired carpenter, who had visited the Philadelphia Park casino before, dropped his two quarters into a Wheel of Fortune slot machine only to win $102,000 -- or so he thought. The machine proudly conveyed his winnings right alongside his actual name, sending his emotions into a jovial whirlwind, but apparently the machine wasn't exactly supposed to, you know, let people hit the jackpot, and now he's fighting just to get his due reward. A spokesperson for the venue stated that it "was just an error in the communication system," but added the mistake seems to have originated in the in-house computing system, not within the machine itself. The man was offered "two tickets to the buffet" (saywha?) and advised to read the disclaimer on the machine, nullifying any awards if the machine malfunctions, but he still feels that this "fault" is illegitimate. So if you're the next person to strike it rich in a questionable casino, try not to get your hopes up too high, alright?

Happy Birthday!

Today is tommEE pickles birthday. If you aren't at Birthdaycon, you don't know what you are missing.

Bush Reportedly Signs Law Allowing Warrantless Searches Of Mail

In an exclusive story this morning, the New York Daily News revealed that President Bush released a statement last month that authorizes him to direct the federal government to go through people's mail during a national emergency.

The statement came right after he signed a new postal reform bill that renewed protections of mail from warrantless searches.

A Bush spokeswoman denies the president is taking on new powers, saying the Constitution allows warrantless searches in certain

QuickTime zero-day bug threatens Macs, PCs

A newly disclosed security vulnerability in Apple Computer's QuickTime software could put both Macs and Windows PCs at risk of cyberattacks, experts have warned.

The publication on Monday of the vulnerability and detailed attack code kicks off the "Month of the Apple Bugs" project, which promises to feature a new Apple software bug each day in January.

The QuickTime vulnerability relates to how the media player software handles the Real Time Streaming Protocol, or RTSP, according to an advisory published on the Month of the Apple Bugs Web site. An attacker could create a special RTSP string in a rigged QuickTime file that would cause a buffer overflow, according to the advisory.

"The risk is having your system compromised by a remote attacker, who can perform any operation under privileges of your user account," said LMH, the alias of one of the two security researchers behind the Month of the Apple Bugs. "It can be triggered via JavaScript, Flash, common links, QTL files and any other method that starts QuickTime."

The vulnerability affects QuickTime 7.1.3, the latest version of the media player software released in September, on both Apple Mac OS X and Microsoft Windows, according to the Month of the Apple Bugs advisory. Previous versions could also be vulnerable, according to the advisory.

Security-monitoring companies Secunia and the French Security Incidence Response Team, or FrSIRT, rate the QuickTime flaw as "highly critical" and "critical," respectively.

In response to the publication of the QuickTime flaw, Apple spokesman Anuj Nayar said the company always welcomes feedback on how to improve security on the Mac, a standard company statement. Nayar did not comment on the specifics of the flaw or provide any indication of when Apple may deliver a patch.

QuickTime users can protect themselves against the vulnerability by disabling support for RTSP. The SANS Internet Storm Center, which tracks Internet threats, provides instructions on how to do this for both Windows PCs and Macs.

The Month of the Apple Bugs is meant to uncover security flaws in different Apple software and other applications for Mac OS X, according to the project Web site. "We can expect certainly many more critical issues being released during the month," LMH said.

"A positive side effect, probably, will be a more concerned user base and better practices from the management side of Apple," LMH and Kevin Finisterre, an independent security researcher, wrote on the Month of the Apple Bugs Web site.

On Tuesday, LMH and Finisterre published the second bug as part of their project. This time the flaw is not in Apple code but in the VLC Media Player, an open-source program available for Mac OS X and Windows. By supplying a specially crafted string, a remote attacker could cause an arbitrary code execution, LMH and Finisterre wrote in an alert.

In November, LMH started the "Month of Kernel Bugs" project, which also included some Apple software bugs. That initiative was inspired by the "Month of Browser Bugs" in July.

Watch out Google: IBM, Yahoo together offer free search software

To many it will seem an odd coupling, but on Wednesday IBM and Yahoo joined forces to announce the availability of IBM OmniFind Yahoo Edition, an entry-level search software for corporate Linux and Windows servers. The software is available at no cost from

"We think it's a very complementary relationship," says Marc Andrews, program director for information management strategies at IBM. "Yahoo brings that consumer view of the market and a view into small businesses, and also the awareness around Web search and easy search for the average user."

Andrews said IBM brings "an understanding of enterprise-oriented systems."

Apparently, the customer loyalty Yahoo and Google have gained by offering inexpensive software has had an affect on IBM.

"I think there's a recognition that people are looking for ease of use," says Andrews.

Those familiar with the often lengthy installation of such systems will be pleased to find that IBM OmniFind Yahoo Edition has been designed to install in five minutes, in three clicks or less.

The new search software caters to companies looking to add basic search functionality to intranets and websites. It integrates with Yahoo Search for Internet queries.

IBM is hoping that users of its free software will like what they see and want to add to more sophisticated tools that deliver more substantial revenue.

"We actually believe that search is really only the start of the value proposition for enterprises," says Andrews.

Yahoo, meanwhile, hopes to increase awareness of its services among businesspeople.

"We haven't been in the enterprise business space per se," says Eckart Walther, vice president of product management for Yahoo! Search, "but our products are used in the enterprise." He points to Yahoo Messenger, Yahoo Mail, Yahoo Small Business, and Yahoo HotJobs as examples.

Walther plays down the impact of an IBM/Yahoo alliance on Google, which has been working steadily since 2002 to get its search hardware inside enterprises.

"There're a lot of people in the enterprise search space," he says. "There's Verity, IBM, Oracle. So I don't think it's necessarily a shot across the Google's bow, but more just finding a great partner and working with them. I think we'd be doing this even if Google were not in this space."

But Forrester Research analyst Matt Brown sees the situation differently.

"I think this announcement is going to create headaches for Google Enterprise," says Brown. "Their Mini line of products has been very successful for them. Suddenly here's a downloadable search tool that has the capacity of the Google Search Appliance being given away for free."

The IBM/Yahoo software supports up to 500,000 documents per server, the same number as the Google Search Appliance.

Brown acknowledges that there's still a cost of ownership for IBM OmniFind Yahoo Edition, but adds that the servers required to run the software cost only a few hundred dollars, compared to 1,995 U.S. dollars for a Google Mini and 30,000 dollars for a Google Search Appliance.

IBM OmniFind Yahoo Edition is based on the open source Lucene indexing library. As Walther sees it, the increasing use of open source search technology by companies is significant.

"More and more, we see these kinds of products being commoditized by open source," he says. "Quite frankly, I think you're going to see us [Yahoo] more and more investing in open source to create some of the next generation infrastructure for search and for massive data management, clustering, parallelization and the like."

Demo Virus For Mac OS X Released

Heise Security has a report about new Proof of Concept virus for Mac entitled as OSX.Macarena by AV vendor Symantec. Symantec suffered from a slight lapse when it recommended in the first version of the virus description that users clean the system by deactivating the system restoration (Windows ME/XP). It is known that the virus infects other data in the folder in which it is started, regardless of extension, says Heise.


This page is powered by Blogger. Isn't yours?