Metasploit’s HD Moore was in the midst of researching the recently patched LNK (Windows shortcut) vulnerability when he stumbled upon a serious problem that exposes more than 40 different Windows software programs to remote code execution attacks.
Penn State researchers managed to identify the pass code patterns on two Android smartphones (the HTC G1 and the HTC Nexus One), 68% of the time, using photographs taken under different lighting conditions, and camera positions.
This week’s Malware Watch features three currently active malware campaigns – fake Patch Tuesday emails, BREDOLAB-malware serving emails, fake MSRT tool, and the the first (reported) SMS-trojan targeting Android users.
The NTLMv1-2 challenge-response protocol provides absolutely no protection against credentials forwarding/relay or reflection attacks. This means that an active attacker (such as a man-the-middle) can redirect the login of the legitimate user to authenticate his own session.
The iOS 3.2.2 update corrects two flaws — a stack buffer overflow in FreeType’s handling of CFF opcodes, and a privilege escalation issue in IOSurface — that combined to expose Apple’s devices to takeover if a user simply surfs to a rigged Web site.
