vulnerability

Microsoft warns of script injection attacks in IE

Microsoft is warning Windows users of a new "critical" vulnerability that affects all versions of the company's Windows operating system.

The issue, described in Security Advisory 2501696, which was released last week, is a vulnerability in the way Internet Explorer handles MHTML on certain types of Web pages and document objects. As a result, hackers and other third parties that exploit the vulnerability can gain access to a user's information, or to their computer, through script injection.

In its advisory, Microsoft said it had "not seen any indications of active exploitation of the vulnerability," but that …

Google pays first top-end bounty for Chrome vulnerability

If there's a competition to uncover security holes in Google's browser, Sergey Glazunov is winning it.

Yesterday Google awarded him $3,133.70 ("eleet") for finding a critical vulnerability that Google patched with a new release of Chrome yesterday.

It's the first time Google has paid out this top bounty, but not the first time it has paid Glazunov. He has also been paid $1,337 four times for the "leet" level of vulnerabilities, eleven times at the $1,000 level, and once at the $500 level.

The critical vulnerability relates to a "stale …

Microsoft plugs three Windows holes, works on others

Microsoft today issued two bulletins fixing three holes in Windows, including one rated critical for Windows XP, Vista, and Windows 7 as part of Patch Tuesday.

"We are not aware of proof-of-concept code or of any active attacks seeking to exploit the vulnerabilities addressed in this month's release," the company wrote in a Microsoft Security Response Center blog post.

The critical vulnerability is addressed in Bulletin MS11-002. The bulletin fixes the critical hole and an "important" vulnerability, both in Microsoft Data Access Components, that could allow an attacker to take over the computer if a …

Microsoft warns of Windows flaw affecting image rendering

Microsoft warned today of a Windows vulnerability that could allow an attacker to take control of a computer if the user is logged on with administrative rights.

To be successful, an attacker would have to send an e-mail with an attached Microsoft Word or PowerPoint file containing a specially crafted thumbnail image and convince the recipient to open it, Microsoft said in its advisory, which also contains information on workarounds.

An attacker also could place the malicious image file on a network share and potential victims would have to browse to the location in Windows Explorer.

The flaw, which is …

Researcher reports apparent China interest in IE hole

A security researcher who created a tool he used to find numerous bugs in major browsers has released it to the public, saying the importance of its distribution is heightened by the leak to the Web of an unpatched vulnerability in Internet Explorer.

Michal Zalewski, a Google security researcher based in Poland, announced in a blog post this weekend that he was releasing a tool called "cross_fuzz" and said its distribution was a priority because at least one of the vulnerabilities discovered by the tool appears to be known to a mysterious third party.

"I have reasons …

The 404 727: Where we're breaking snowballs (podcast)

It's the last full week of the 404 Podcast before we take off for the holidays, and Mark Licea comes in to help us out with the story rundown that includes the weekend box office with a spoiler-free review of "Black Swan," a "Tron"-inspired hotel room in Sweden, and this weekend's Gawker security breach.

Also, be sure to join us after the break when we open a present from a special listener and introduce a new host on the show!

The online Web publisher Gawker Media is the latest victim of a security compromise that exposed the passwords of over 200,000 users last weekend.

The tech news and gossip site told its readers about the security breach in a blog post that urges all registered users to change their log-ins and passwords, especially if they use the same password for multiple accounts online.

A group of hackers called Gnosis took credit for the hack and has made all 200,000 passwords available for download on The Pirate Bay. Their motivations are still unclear, but Gawker may have brought the attack on itself after a blog post last week mocking the group's hacking skills.

Gawker says it's in the process of improving security to prevent further breaches, but who knows how long that will take. And in other very serious hacking news, be sure to change your e-mail passwords if you subscribed to the McDonald's e-mail list, because that got hacked, too.

U.K. designers Ben Rousseau and Ian Douglas-Jones of Extreme Design are the masterminds behind a "Tron"-inspired hotel room made entirely out of ice and snow.

Located in Jukkasjärvi, Sweden, the hotel rooms look like they're cut directly from the movie, replete with lighting technology built right into the ice to recreate the laser motifs. Rousseau and Douglas-Jones are both "massive fans" of the "Tron" movies, and drew much of their inspiration from the 3D update's unique nightclub scene involving Daft Punk, who also scored the film.

Go see "Black Swan" as soon as you can. The ballet-themed thriller is directed by Darren Aronofsky, who also masterminded "Pi," "Requiem for a Dream," and "The Wrestler," and stars Natalie Portman as a dancer slowly losing her mind from the pressures of her company and a lead role in an updated version of "Swan Lake." This episode is spoiler free, so check out the trailer and see it for yourself!

We're in the process of recording several holiday episodes that will air while we're on vacation, but we need your help for ideas! Shoot us an e-mail at the404(at)cnet(dot)com with your favorite 404 episodes from 2010 and any questions for the hosts.

They can be personal or work-related, or anything else you'd like to know about me, Jeff, or Wilson! We'll send our thanks on the air if we choose your question, but be sure to either write "Favorite 404 episode from 2010" or "Question for The 404" in the subject line to make sure it gets read. Thanks!

Microsoft to plug critical IE, final Stuxnet Windows holes

Microsoft said today that next week's Patch Tuesday will bring 17 updates plugging 40 holes and featuring two rated "critical," including one in Internet Explorer that was targeted in attacks last month.

Exploit code for the critical IE vulnerability was written for IE 6 and 7, but IE 8 is also vulnerable, Microsoft said when it issued a warning about it in November.

Also fixed on Tuesday will be the last of the four Windows holes that the Stuxnet malware used.

"This is a local Elevation of Privilege vulnerability and we've seen no evidence of its use in …

Report: Spam down, but malware continues hold

Spam may be down but malware marches merrily on.

That's the message from the "November Threat Landscape Report" released yesterday by security vendor Fortinet.

Global spam levels ultimately fell 12 percent in November after Dutch authorities took down a large Bredolab network made up of 140 different servers. The Bredolab botnet was typically used by cybercriminals to send out spam selling fake drugs, according to Fortinet. Spam had actually fallen as much as 26 percent the week after the network was dismantled but was able to stage a bit of a recovery afterward.

The ever-present Koobface botnet, …

Chrome, Safari, Office top list for serious bugs

Chrome was the application with the highest number of high-severity vulnerabilities affecting end users this year, followed by Safari, Microsoft Office, Adobe Reader and Acrobat, and Firefox, according to a list to be released today.

Chrome had 76 reported serious vulnerabilities, Safari had 60, Office had 57, Acrobat and Reader had 54, and Firefox had 51, according to Bit9's annual "Dirty Dozen" list.

The fact that Chrome is at the top of the list does not necessarily mean it is less secure than other applications, said Harry Sverdlove, chief technology officer at Bit9.

"Chrome is …

Google pulls app that revealed Android flaw, issues fix

Google pulled an app from the Android marketplace that was created to illustrate a flaw in the mobile framework that allowed apps to be installed without a user's knowledge. It then issued a fix for the bug.

Jon Oberheide, chief technology officer of Scio Security, created a proof-of-concept app disguised as an expansion for the popular Angry Birds game. After the app was downloaded, three additional apps were installed without the user's knowledge that had permission to perform malicious activities but were benign, he told CNET in an interview.

Oberheide and Zach Lanier, a senior consultant at Intrepidus Group, …