Last Updated: 2008-03-19 23:42:43 UTC
by Adrien de Beaupre (Version: 1)
When your provider seems to own it?
A reader sent us a link to a story which ends well: a gentleman whose spouse had passed away asked his voicemail (VM) provider to restore the greeting she had made. My first reaction was: isn't that wonderful! Then Darren and I started to discuss the implications. The original story is here.
- Who owns your voicemail?
- If you delete a VM message, is it deleted?
- If you delete a VM, can it be restored if you ask?
- Who authorized the backups of my VM?
- Are the backups subpoenable?
- Do providers adequately authenticate requests to retrieve VM?
- What logs are kept of such requests?
I think we have only scratched the surface of the privacy and security implications raised by this case.
Adrien de Beaupré
Last Updated: 2008-03-19 23:34:02 UTC
by Adrien de Beaupre (Version: 2)
We have two separate reports of BBB targeted phishing (AKA spear phishing) attacks. Both are using the URL: hxxp://www.national-bbb.com
The site tries to initiate an ActiveX install.
Adrien de Beaupré
Last Updated: 2008-03-19 20:45:24 UTC
by Adrien de Beaupre (Version: 5)
The first service pack from Microsoft for Vista is out. Please let us know your experiences downloading and applying the 434.5 MB Windows Vista Service Pack 1 Five Language Standalone (KB936330).
Update 1: If Vista SP1 will not install, or is not being offered as an option, you should read the following article (Thanks Susan!): Windows Vista Service Pack 1 is not available for installation from Windows Update and is not offered by Automatic Updates. You may have to update drivers first or resolve other issues. If you run into any other problems please let us know.
Update 2: Before you install the final release of Windows Vista SP1, you must uninstall any previous releases, as detailed in this article (Thanks Chris!).
Adrien de Beaupré
Last Updated: 2008-03-19 04:06:24 UTC
by Raul Siles (Version: 1)
Last month we announced a critical VMware vulnerability where it was possible for a program running in a guest virtual machine to gain access to the host's complete file system and create or modify executable files in sensitive locations (that is, a true escape). The problem was due to a directory traversal vulnerability in the VMware shared folders capability on Windows.
VMware has announced a new security advisory that includes a set of updates for VMware Workstation, Player, Server, ACE, and Fusion (VMSA-2008-0005), resolving this vulnerability plus a few other relevant security issues:
- a. Host to guest shared folder (HGFS) traversal vulnerability (CVE-2008-0923)
- b. Insecure named pipes (CVE-2008-1361, CVE-2008-1362)
- c. Updated libpng library to version 1.2.22 to address various security vulnerabilities (CVE-2007-5269)
- d. Updated OpenSSL library to address various security vulnerabilities (CVE-2006-2940, CVE-2006-2937, CVE-2006-4343, CVE-2006-4339)
- e. VIX API default setting changed to a more secure default value
- f. Windows 2000 based hosted products privilege escalation vulnerability (CVE-2007-5618)
- g. DHCP denial of service vulnerability (CVE-2008-1364)
- h. Local Privilege Escalation on Windows based platforms by Hijacking VMware VMX configuration file (CVE-2008-1363)
- i. Virtual Machine Communication Interface (VMCI) memory corruption resulting in denial of service (CVE-2008-1340)
The latest versions are:
- VMware Workstation 6.0.3
- VMware Workstation 5.5.6
- VMware Player 2.0.3
- VMware Player 1.0.6
- VMware ACE 2.0.3
- VMware ACE 1.0.5
- VMware Server 1.0.5
- VMware Fusion 1.1.1
Update as soon as possible!