'Highly critical' security bug bites HP Virtual Rooms
,----[ Quote ]
| The vulnerability in HP Virtual Rooms resides in the ActiveX client used to
| install the service on users' PCs, according to this advisory posted Tuesday
| on the Full-Disclosure mail list. Vulnerability tracking service Secunia
| rates it "highly critical," because it can be used by attackers to compromise
| a user's machine.
`----
http://www.theregister.co.uk/2008/01/22/hp_virtual_rooms_security_bug/
Related (other recent cases of ActiveX-inflicted chaos):
'Bricking' bug threatens most HP, Compaq laptops
,----[ Quote ]
| In a post to the milw0rm.com Web site Wednesday, a Polish security researcher
| who used the alias "porkythepig" spelled out a pair of vulnerabilities in an
| ActiveX control used by HP's Software Update, the patch management program
| bundled with virtually every HP- and Compaq-branded laptop.
`----
http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9053818&intsrc=hm_list
Rogue ActiveX controls menace users
,----[ Quote ]
| Flaws in ActiveX controls are being increasingly used to run security
| exploits.
|
| [...]
|
| An attack exploiting this vulnerability can lead to arbitrary code execution
| by a remote attacker," a blog posting by Symantec researcher Parveen
| Vashishtha warns.
`----
http://www.theregister.co.uk/2007/10/24/activex_vulns/
RealPlayer Attack Circulating
,----[ Quote ]
| The attack exploits a flaw in an ActiveX browser helper object, software that
| RealPlayer employs to help users who are experiencing technical difficulties,
| so the PC must be using the Internet Explorer browser to be affected by this
| particular attack, Symantec said.
`----
http://news.yahoo.com/s/pcworld/20071020/tc_pcworld/138706
Yahoo! battered by second ActiveX vulnerability
,----[ Quote ]
| The vulnerabilities affect versions of Yahoo! Messenger 8.x prior to version
| 8.1.0.419, released late last week. Users are urged to upgrade.
`----
http://www.theregister.co.uk/2007/09/03/yahoo_activex_vuln/
Way Too ActiveX
,----[ Quote ]
| Today, over at Symantec's Security Response Weblog, Greg Ahmad
| reveals startling--and I do mean shocking--increases in ActiveX
| vulnerabilities. According to Symantec, ActiveX vulnerabilities
| stayed in the 12- to- 15-a-year range from 2002 to 2005. For
| 2006, the number of vulnerabilities "reached 50," with 42 in
| the second half of the year--coincidentally, the same time
| period Microsoft finished up and released Internet Explorer 7.
`----
http://www.microsoft-watch.com/content/security/way_too_activex.html?kc=MWRSS02129TX1K0000535
http://tinyurl.com/33cfno
Acer puts Active X hole on laptops
,----[ Quote ]
| Laptop outfit Acer seems to have placed an Active X control on its
| computers that seems to allow webpages to execute any program.
|
| This huge hole in network security has been installed on board Acer
| lap-tops since 1998.
`----
http://www.theinquirer.net/default.aspx?article=36773
Adobe Confirms 'Critical' Reader, Acrobat Exploits With IE
,----[ Quote ]
| A critical security vulnerability in an ActiveX control used by
| Internet Explorer could allow malicious hackers to use Adobe's
| Reader and Acrobat software to launch PC hijack attacks,
| according to a warning from Adobe Systems.
`----
http://www.pcmag.com/article2/0,1895,2066079,00.asp
Month of ActiveX bugs project begins with two Office flaws
,----[ Quote ]
| A hacker known as shinnai kicked off his "Month of ActiveX Bugs"
| (MoAxB) project with a bang by exposing a number of severe
| vulnerabilities affecting OCX controls in Microsoft Office.
`----
http://scmagazine.com/us/news/article/654659/month-activex-bugs-project-begins-two-office-flaws/
Vista security overview: too little too late
,----[ Quote ]
| So, what have we got here? An adequately secure version of Windows,
| finally? I think not. We have got, instead, a slightly more secure
| version than XP SP2. There are good features, and there are good
| ideas, but they've been implemented badly. The old problems never
| go away: too many networking services enabled by default; too
| many owners running their boxes as admins and downloading every
| bit of malware they can get their hands on. But MS has, in a
| sense, shifted the responsibility onto users: it has addressed
| numerous issues where too much was going on automatically and
| with too many privileges. But this simply means that the ownerw
| ill be the one making a mess of their Windows box.
|
| Data hygiene is still an absolute disaster on Windows. In fact,
| it's worse than it ever was in some ways, and that's very bad
| indeed. Browser traces still in the registry, heavy and
| complicated indexing to improve search, new locations where data
| is being stored. It all adds up to a privacy nightmare. Keeping
| a Vista box "clean" is going to be impossible for all but the
| most knowledgeable and fastidious users.
|
| So don't rush out to buy Vista in hopes of getting much in
| return security-wise. I do like some of the changes, at least
| in theory, or as a decent platform on which to build an
| adequately secure version of Windows one day. But that day,
| if it ever comes, will be well in the future.
`----
http://www.theregister.co.uk/2007/02/20/vista_security_oversold/
Symantec: Microsoft conflict of interest is damaging internet
,----[ Quote ]
| Symantec's chief executive has lambasted Microsoft for a dangerous
| conflict of interest as both the provider of an operating system
| and seller of software designed to secure its users.
|
| [...]
|
| Thompson told RSA delegates: "You wouldn't want the company that is
| keeping your books to audit your books. The same logic should apply.
| You wouldn't want the company that created your company's operating
| platform to be the one that is securing it from a broad range of
| threats. It's a huge conflict of interest."
`----
http://www.theregister.co.uk/2007/02/07/symantec_thompson_microsoft/
|
|
