ZDNet Resources
- One-year-old (unpatched) Windows 'token kidnapping' under attack
- One-year-old unpatched Windows 'token kidnapping' under attack: MS should patch this but you do your readers a disservice by not mentioning that this requires IIS to be installed on the machine. Since the default install of Windows does...
- Tags: cloud computing, SECURITY, Microsoft Windows, NonZealot, Microsoft IIS Server, Microsoft Corp., BAD MS, vulnerability, escalation flaw, Web application, desktop user, attack
- Discussion threads 2009-03-16
- MS08-025: Microsoft Windows kernel vulnerable to local privilege escalation flaw
- MS08-025: Microsoft Windows kernel vulnerable to local privilege escalation flaw: Crumbs. The 10 year old mouse is out. Who'da thought? New news? Isn't this just rehashing news from three weeks ago? Not that it isn't a serious flaw, but it's old news. Can't we just wait for the next patch Tuesday, or is...
- Tags: Microsoft Windows Vista (Longhorn), SECURITY, Operating systems, Nothing, flaw, local access, MS08-025, Microsoft Windows, Microsoft Windows kernel, Microsoft Windows Vista, Microsoft Corp., window
- Discussion threads 2008-04-29
Additional Resources
- Is it time to dump Adobe's Flash player?
- Is it time to dump Adobe's Flash player? Yup it's time to do so. I have disabled flash in both firefox and IE and only enable them when opening youtube. Unlike flash, Silverlight runs in a sand boxed environment. Remember Vista was hacked last year in that hacking contest? Vista was hacked...
- Tags: Web browsers, SECURITY, Is It Time, Adobe Flash Player, Adobe Flash, Novell AppArmor, Adobe Systems Inc., IS IT, IE8
- Discussion threads 2009-07-29
- One-year-old (unpatched) Windows 'token kidnapping' under attack
- Exactly one year after a security researcher notified Microsoft of a serious security vulnerability affecting all supported versions of Windows (including Vista and Windows Server 2008), the issue remains unpatched and now comes word that there are in-the-wild exploits circulating. The vulnerability, called token kidnapping (.pdf), was...
- Tags: Attacker, Server, Microsoft Corp., Attack, Microsoft Windows, Security, Operating Systems, Software, Ryan Naraine
- Blog posts 2009-03-16
- Firefox security makeover: 11 vulnerabilities, 4 critical
- Mozilla has released a new version of its flagship Firefox browser to fix a total of 11 vulnerabilities that expose users to code execution, information stealing or denial-of-service attacks. Four of the 11 flaws covered with the new Firefox 3.0.4 are rated "critical" because of the risk...
- Tags: Mozilla Firefox, Vulnerability, JavaScript, Web Browser, Mozilla Corp., Web Browsers, Security, Internet, Ryan Naraine
- Blog posts 2008-11-12
- Why did Microsoft wait 7 years to fix SMBRelay attack flaw?
- One of the code execution vulnerabilities fixed in this month's Microsoft Patch Tuesday release dates back to 2001 when it was first disclosed by Cult of the Dead Cow hacker Sir Dystic pictured left. If that wasn't cause for worry, get this: An exploit for the bug...
- Tags: Flaw, Issue, Microsoft Corp., Security Administration, Patches, Security, Ryan Naraine
- Blog posts 2008-11-12
- Intel ships BIOS fix for Rutkowska's Black Hat flaw
- Intel has shipped a BIOS update with a fix for a privilege escalation vulnerability that was used by rootkit researcher Joanna Rutkowska to bluepill the Xen hypervisor. The vulnerability was discussed by Rutkowska at the Black Hat briefings earlier this month but details on the exploit were...
- Tags: Black Hat, Hypervisor, Motherboard, BIOS Update, Intel Corp., Flaw, System Management Mode, Level Privilege, BIOS, Virtualization, Hardware, Components, Ryan Naraine
- Blog posts 2008-08-27
- Windows broken ... I'm surprised it took this long
- Windows broken ... I'm surprised it took this long: Best security is to take computers off the Net. For my computers at home, there is now only one that has firewalled access to the Internet. My kids' computers DO NOT. My media server DOES NOT. The PC with my finance stuff and...
- Tags: Microsoft Windows Vista (Longhorn), Operating systems, Web browsers, Microsoft Windows Vista, Microsoft Windows, UAC, administrative right
- Discussion threads 2008-08-09
- Apple finally ships DNS flaw fix, patches 16 other Mac OS X holes
- Apple finally ships DNS flaw fix, patches 16 other Mac OS X holes: Scary combination of arbitrary code execution and privilege escalation!!! Very, very scary. Makes me glad I use more secure OSs. RE: Apple finally ships DNS flaw fix: Hi NZ, We are all grateful for your unstinting efforts to point out the failings...
- Tags: Microsoft Windows Vista (Longhorn), Domain names, Operating systems, DNS flaw, Microsoft Windows Vista, Apple Inc., DNS, Apple Mac OS X, flaw, patch management, Apple Macintosh, Apple Mac OS
- Discussion threads 2008-07-31
- Apple finally ships DNS flaw fix, patches 16 other Mac OS X holes
- [ UPDATE: nCircle Andrew Storms reports that the DNS client on the OSX 10.4.11 distribution still has not been patched. ] Apple has shipped a Mac OS X security update with patches for at least 17 documented vulnerabilities, including a fix for the serious DNS...
- Tags: Apple Macintosh, DNS, Patch Management, Apple Inc., Issue, Arbitrary Code Execution, Flaw, Application Termination, Apple Mac OS X, Apple Mac OS, Domain Names, Operating Systems, Software, Internet, Ryan Naraine
- Blog posts 2008-07-31
- Trojan exploiting unpatched Mac OS X vulnerability in the wild
- Trojan exploiting unpatched Mac OS X vulnerability in the wild: Any Software can be exploited. This is just another situation that proves that any software can be exploited if someone wants to devote the time to do so. So to everyone that thinks that Mac OS is so much more...
- Tags: Spyware, Spyware, adware & malware, Viruses and worms, SECURITY, Operating systems, trojan horse, Apple Macintosh, Apple Mac OS, ARD, Apple Mac OS X
- Discussion threads 2008-06-24
- News to know: Yang's runway; Apple patch; Google; Gates' last week
- Notable headlines: Larry Dignan: Yang's recovery runway: Months to days and board should go too. Techmeme Google's display ad gravy train rests with YouTube Richard Koman: Ad targeting technology violate privacy, groups say Ryan Naraine: Microsoft blames 'human issues' for...
- Tags: Apple iPhone, Google Inc., Mozilla Firefox, Data Center, Apple Inc., Data Centers, Web Browsers, Storage, Hardware, Data Management, Internet, Larry Dignan
- Blog posts 2008-06-20
- Word up to Linux fan boys: Multiple Linux flaws show that Linux also has kernel issues
- Not to defend Microsoft, as kernel exploits that provide privileged access are terrible flaws, but we had an interesting discussion in the talkbacks where several people acted as if Microsoft was the only place that could've made such mistakes. Well, the proof is in the pudding that this is a common flaw...
- Tags: Denial Of Service, Microsoft Word, Kernel, Debian, Flaw, Linux, Security, Operating Systems, Open Source, Software, Nathan McFeters
- Blog posts 2008-05-01
- News to know: Microhoo; Taming Vista UAC; iPhone; Google; CIO Sessions
- Notable headlines: Ed Bott: Fixing Windows Vista, Part 2: Taming UAC. Images: Taming Vista's User Account Control right Larry Dignan: Microhoo: Wall Street gets antsy Mary Jo Foley: XP SP3 delayed by glitch New test releases...
- Tags: Apple iPhone, Google Inc., Larry Dignan, Vista UAC, Jason O'Grady, Apple Inc., Microsoft Corp., Microsoft Windows, 3G, Operating Systems, Cellular Phones, Wireless, Software, Consumer Electronics, Personal Technology
- Blog posts 2008-04-30
- MS08-025: Microsoft Windows kernel vulnerable to local privilege escalation flaw
- From Microsoft: A local attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts. This is an important security update for all supported editions of Windows 2000, Windows XP, Windows Server...
- Tags: Window, Microsoft Corp., Kernel, Flaw, Updates, Microsoft Windows, Security Administration, Operating Systems, Security, Software, Nathan McFeters
- Blog posts 2008-04-29
- PCI Compliance gets clarified and neutered (further)
- At one point, I thought that PCI certification was a great thing. Now I realize that it's not really about security at all... it's about money and responsibility and transferring ownership of risk. The PCI certification just got a clarification: "6.6 Ensure that all web-facing applications...
- Tags: Web, XSS, PCI, Web Application, TV, Attack, PCI Compliance, Web Application Firewalls, WAF, Security, Nathan McFeters
- Blog posts 2008-04-17
- Mozilla updates Firefox; Fixes multiple vulnerabilities
- Mozilla has patched 10 vulnerabilities in Firefox 2.0 with update 2.0.0.13. In an update early Wednesday Firefox addressed the following: MFSA 2008-19 XUL popup spoofing variant (cross-tab popups) MFSA 2008-18 Java socket connection to any local port via LiveConnect MFSA 2008-17 Privacy issue with...
- Tags: Mozilla Firefox, Vulnerability, Mozilla Corp., Web Browsers, Programming Languages, Java, Security, Internet, Software Development, Software/Web Development, Larry Dignan
- Blog posts 2008-03-26
- Adobe plugs vulnerabilities for Form Designer, ColdFusion, Reader
- Adobe this week issued security bulletins and patches for products ranging from ColdFusion to Form Designer. In Adobe's security bulletin the company outlined the following in order of importance: CVE-2007-6253: Adobe says "critical vulnerabilities have been identified in Form Designer 5.0 and Form Client...
- Tags: Adobe Systems Inc., Allaire ColdFusion, Vulnerability, Flaw, Development Tools, Security, Software Development, Software/Web Development, Larry Dignan
- Blog posts 2008-03-13
- Security risk management vs. software development
- Security risk management vs. software development: I guess those few people who do use voice recognition don't count. It's like how they refused to fix the XP escalation exploit for more than 2 years and would have waited for 3+ years till XP SP3 if Metasploit hadn't included a ready-made sploit. ...
- Tags: software, security professional, security, Security Risk Management, flaw, Microsoft Windows XP, software development
- Discussion threads 2008-02-12
- Mozilla delivers patches for Firefox; Plugs flat file vulnerability
- Mozilla on Friday delivered its Firefox 2.0.0.12 update including patches that fix a Web forgery flaw, browsing history and forward navigation stealing and the directory traversal via chrome, which has been the most visible vulnerability of late. According to the Firefox security advisory, Mozilla filed the following...
- Tags: Mozilla Firefox, Vulnerability, Patch Management, Web Browser, Mozilla Corp., MFSA, Web Browsers, Security, Internet, Larry Dignan
- Blog posts 2008-02-07