responsible disclosure

ZDNet Resources

• sort by:
• Relevance
• Date
• Popularity

Blue Pill Project extends VM rootkit cat-and-mouse tussle

LAS VEGAS - The intellectual cat-and-mouse tussle over hiding and finding virtual machine rootkits has hit a new gear with a team of researchers dismissing the notion of "100 percent undetectable" malware and the release of source code for a new "Blue Pill" rootkit.As previously reported, Thomas Ptacek, co-founder of...

Tags: Zero-day attacks, Windows Vista, Vulnerability research, Viruses and Worms, Spyware and Adware, Rootkits, Responsible disclosure, Pen testing, Patch Watch, Microsoft, Metasploit, Hackers, Exploit code, Data theft, Browsers, Botnets, Black Hat

Blog posts 2007-08-02

OpenBSD team mocked at first ever 'Pwnie' awards

LAS VEGAS -- The OpenBSD team has won an award for the most spectacular "mishandling" of a critical security vulnerability.Here's why:The OpenBSD team refused to acknowledge the bug as a security vulnerability and issued a "reliability fix" for it. A week later Core Security had developed proof of concept code...

Tags: Zero-day attacks, Wireless, Windows Vista, Wi-Fi security, Vulnerability research, Viruses and Worms, Responsible disclosure, Pen testing, Patch Watch, Mozilla, Microsoft, Hackers, Google, Firefox, Exploit code, Data theft, Browsers, Botnets, Apple

Blog posts 2007-08-02

Hacker movements: Murphy joins Apple; Caceres to Matasano

LAS VEGAS - On the heels of Google's hire of browser hacking whiz Michal Zalewski comes news that another well-known vulnerability researcher is moving over to the vendor side.Matthew Murphy, an outspoken hacker who is credited with several major flaw discoveries, has confirmed he is joining Apple as a product...

Tags: Windows Vista, Vulnerability research, Viruses and Worms, Responsible disclosure, Punditocracy, Pen testing, Patch Watch, Mozilla, Microsoft, Hackers, Firefox, Exploit code, Data theft, Browsers, Botnets, Black Hat, Apple

Blog posts 2007-08-01

Remembering five years of vulnerability markets

Guest Editorial by David EndlerWhile compiling some stats this week for our Zero Day Initiative two year anniversary, I came across this recent news article by the Associated Press, Researchers Seek Cash for Software Flaws. It's the latest in a long line of media coverage on the launch of...

Tags: Botnets, Black Hat, Apple, Zero-day attacks, Wireless, Windows Vista, Wi-Fi security, Vulnerability research, Viruses and Worms, Symantec, Rootkits, Responsible disclosure, Punditocracy, Pen testing, Patch Watch, Passwords, Open source, Mozilla, Microsoft, Metasploit, Hackers, Google, Firefox, Exploit code, Data theft, Browsers

Blog posts 2007-08-01

Apple monster update fixes iPhone, Safari, Mac OS X flaws

LAS VEGAS -- Apple has issued a monster update with patches for about 50 security vulnerabilities affecting iPhone, Safari and Mac OS X users.In a race against the clock, the company rushed out iPhone v1.0 with fixes for four different vulnerabilities that could allow hackers to take full control of...

Tags: Zero-day attacks, Windows Vista, Vulnerability research, Viruses and Worms, Spyware and Adware, Responsible disclosure, Pen testing, Patch Watch, Open source, Mozilla, Metasploit, McAfee, Hackers, Google, Digital rights management, Data theft, Browsers, Botnets, Black Hat, Apple

Blog posts 2007-07-31

Mozilla fixes its end of URL protocol handling saga

Mozilla has fixed its end of the controversial URL protocol handling vulnerability that puts Windows users at risk of PC takeover attacks.Exactly a week after admitting that Firefox was just as guilty as Internet Explorer when it comes to passing dangerous data to third party applications, the open-source group shipped...

Tags: Zero-day attacks, Vulnerability research, Viruses and Worms, Spyware and Adware, Responsible disclosure, Pen testing, Patch Watch, Passwords, Open source, Mozilla, Microsoft, Metasploit, Hackers, Google, Firefox, Exploit code, Data theft, Apple

Blog posts 2007-07-31

Google hires browser hacking guru

Google has snapped up one of the sharpest minds in the hacker community, luring Michal Zalewski to help lock down its long list of Internet facing products.Zalewski, a 26-year-old computer security whiz from Poland, joined the search engine giant about a week ago to work as an Information Security Engineer.He...

Tags: Zero-day attacks, Windows Vista, Vulnerability research, Viruses and Worms, Spyware and Adware, Spam and Phishing, Responsible disclosure, Pen testing, Patch Watch, Passwords, Open source, Mozilla, Microsoft, Metasploit, Hackers, Google, Firefox, Exploit code, Data theft, Browsers, Botnets, Black Hat

Blog posts 2007-07-30

Can Trend Micro's botnet identification service make a difference?

Trend Micro today rolled out its SecureCloud software-as-a-service platform with a new Botnet Identification Service BIS to help find botnet command-and-control servers and block communications between them and the zombie PCs they control.Geared towards ISPs and enterprise customers, the botnet ID service can be used to block communication to/from command-and-control...

Tags: Vulnerability research, Viruses and Worms, Symantec, Spyware and Adware, Spam and Phishing, Rootkits, Responsible disclosure, Punditocracy, Pen testing, Patch Watch, Microsoft, Passwords, Metasploit, McAfee, Hackers, Google, Firefox, Exploit code, Data theft, Browsers, Botnets

Blog posts 2007-07-30

German hacker denied entry into U.S. for Black Hat training

Thomas Dullien, a prominent security researcher who has been a fixture at the annual Black Hat security conference, has been denied entry into the U.S. to attend and conduct training at this year's confab.Dullien left, a German reverse engineering whiz known in hacker circles as "Halvar Flake," said he was...

Tags: Zero-day attacks, Windows Vista, Vulnerability research, Viruses and Worms, Responsible disclosure, Pen testing, Patch Watch, Passwords, Microsoft, Metasploit, Hackers, Exploit code, Digital rights management, Data theft, Cisco, Browsers, Botnets, Black Hat

Blog posts 2007-07-29

Code execution hole in Yahoo Widgets

A serious security flaw in an ActiveX control that ships with the Yahoo Widgets could put users at risk of PC takeover attacks.The vulnerability, rated "highly critical" by Secunia, is caused due to a boundary error within the YDPCTL.YDPControl.1 (YDPCTL.dll) ActiveX control when handling the "GetComponentVersion" method. This can be...

Tags: Zero-day attacks, Vulnerability research, Viruses and Worms, Symantec, Spyware and Adware, Spam and Phishing, Responsible disclosure, Pen testing, Patch Watch, Passwords, Open source, Microsoft, Hackers, Google, Firefox, Exploit code, Data theft, Browsers, Botnets

Blog posts 2007-07-27

Protocol abuse adds to Firefox, Windows security woes

Security researchers have discovered a new set of protocol abuse problems with Mozilla Firefox, warning that the popular open-source browser is a sitting duck for code execution exploits.Billy BK Rios, a hacker who has warned repeated about risky and unnecessary URIs registered on Windows, has released proof-of-concept exploits that shows...

Tags: Zero-day attacks, Windows Vista, Vulnerability research, Viruses and Worms, Spyware and Adware, Rootkits, Responsible disclosure, Pen testing, Patch Watch, Passwords, Google, Firefox, Exploit code, Data theft, Browsers, Botnets, Apple, Spam and Phishing, Hackers

Blog posts 2007-07-26

Critical ActiveX flaw haunts LinkedIn toolbar

The flaw, which is not yet patched, was discovered by researchers at VDA Labs. A proof-of-concept demo has been released to show how a PC can be hijacked if a LinkedIn toolbar user is lured to a booby-trapped Web site.The toolbar is marketed by the social network site to...

Tags: Botnets, Browsers, Data theft, Exploit code, Firefox, Hackers, Microsoft, Mozilla, Passwords, Patch Watch, Responsible disclosure, Spyware and Adware, Viruses and Worms, Vulnerability research, Windows Vista, Zero-day attacks

Blog posts 2007-07-24

Free utility looks for missing security patches

Secunia has shipped a downloadable version of a free utility that scans Windows machines to find missing software patches.The tool, an enhancement to the Secunia Software inspector (a Web-based scanner I've covered before), can be used to inspect and monitor more than 4,200 different PC applications to flag dangerous vulnerabilities.This...

Tags: Hackers, Metasploit, Spyware and Adware, Botnets, Google, Firefox, Exploit code, Vulnerability research, Patch Watch, Data theft, Browsers, Windows Vista, Pen testing, Apple, Viruses and Worms, Passwords, Open source, Responsible disclosure, Mozilla, Microsoft

Blog posts 2007-07-24

Mozilla caught napping on URL protocol handling flaw

Uh-oh. The latest twist in the URL protocol handling vulnerability saga has left eggs on the faces of the security folks at Mozilla.It turns out that Mozilla's Firefox is just as guilty Microsoft's Internet Explorer when it comes to passing dangerous data to third party applications.Over the last two...

Tags: Zero-day attacks, Windows Vista, Vulnerability research, Spyware and Adware, Viruses and Worms, Responsible disclosure, Pen testing, Patch Watch, Open source, Mozilla, Microsoft, Metasploit, Google, Firefox, Exploit code, Data theft, Browsers, Botnets, Black Hat

Blog posts 2007-07-23

CEO out in Core Security shake-up

Core Security Technologies, one of a handful of companies hawking penetration testing tools to businesses, is looking for a new CEO to replace Paul Paget.According to an analyst report from The 451 Group, there are red flags about the future of Core after news emerged that Paget and product manager...

Tags: Zero-day attacks, Vulnerability research, Spyware and Adware, Responsible disclosure, Pen testing, Patch Watch, Passwords, Open source, Microsoft, Metasploit, Hackers, Google, Firefox, Exploit code, Digital rights management, Data theft, Browsers, Botnets, Black Hat

Blog posts 2007-07-23

Code execution exploit dings iPhone

Apple's iPhone has failed the security smell test.Researchers at Security Evaluators have found what is believed to be the first remote code execution flaw affecting the device -- a bug that can be used to take full control of an iPhone surfing to a rigged Web site.Dr Charlie Miller, a...

Tags: Wi-Fi security, Vulnerability research, Viruses and Worms, Responsible disclosure, Pen testing, Patch Watch, Passwords, Mozilla, Microsoft, Metasploit, Hackers, Firefox, Exploit code, Data theft, Browsers, Botnets, Black Hat, Apple

Blog posts 2007-07-23

Microsoft: 'Very difficult' to block IE attack vector

A member of Microsoft's Internet Explorer team says it is "very difficult" to put protections in place to block the protocol handlers attack vector exposed by the recent IE-to-Firefox code execution vulnerability.Markellos Diorinos, a product manager on the IE team, insists it is the responsibility of the receiving called application...

Tags: Zero-day attacks, Vulnerability research, Viruses and Worms, Spyware and Adware, Spam and Phishing, Rootkits, Responsible disclosure, Pen testing, Patch Watch, Mozilla, Microsoft, Metasploit, Google, Firefox, Exploit code, Data theft, Browsers, Botnets

Blog posts 2007-07-20

MPack exploit kit creator speaks

SecurityFocus.com reporter Rob Lemos has a fascinating interview with one of the developers of MPack, the exploit kit used in thousands of drive-by malware attacks.In the interview, presented from multiple IRC conversations and edited/reordered for clarity, Lemos does a nice job of peeking behind the dark curtain of exploit writing...

Tags: Zero-day attacks, Windows Vista, Vulnerability research, Viruses and Worms, Spyware and Adware, Spam and Phishing, Rootkits, Responsible disclosure, Pen testing, Patch Watch, Passwords, Microsoft, Metasploit, Hackers, Google, Firefox, Exploit code, Data theft, Browsers, Botnets, Black Hat

Blog posts 2007-07-20

Opera plugs nasty code execution hole

You can add Opera to the list of Web browsers singing the security blues.A new version of the cross-platform browser was released today to plug a highly critical code execution bug in the way Opera integrates support for BitTorrent downloads.The skinny from an iDefense alert:When parsing a specially crafted BitTorrent...

Tags: BitTorrent, Botnets, Browsers, Data theft, Exploit code, Firefox, Hackers, Metasploit, Microsoft, Mozilla, Opera Software ASA, Passwords, Patch Watch, Pen testing, Responsible disclosure, Rootkits, Ryan Naraine, Spyware and Adware, Vulnerability research

Blog posts 2007-07-19

Firefox raises barrier to cross-site scripting attacks

Mozilla has quietly fitted a new security feature into the latest Firefox update, adding the ability for the browser to prevent cross-site scripting attacks.The change, which was not officially announced, implements httpOnly cookies in Firefox 2.0.0.5, the most recent refresh of the open-source browser.Web application security experts are welcoming the...

Tags: Zero-day attacks, Windows Vista, Wi-Fi security, Vulnerability research, Viruses and Worms, Spyware and Adware, Spam and Phishing, Rootkits, Responsible disclosure, Pen testing, Patch Watch, Passwords, Open source, Mozilla, Microsoft, Hackers, Google, Firefox, Exploit code, Digital rights management, Data theft, Browsers, Botnets, Apple

Blog posts 2007-07-19