BlackBerry Falls Behind In Workplace

More workers use iPhone and Android smartphones combined than BlackBerry devices, according to a survey of 1,681 U.S.-based workers released today by Forrester Research.

That finding highlights what many have known for a while about the entrenched workplace smartphone veteran: the BlackBerry faces trouble from its competitors.

The BlackBerry, made by Research in Motion, still leads among U.S. workers, with 42%, the survey said, with Apple’s iPhone accounting for 22% and Android devices, 26%.

The survey also found that nearly half, or 48% of the group, said that they chose the primary smartphone used for their work without considering what their company supports. Only 29% said they chose the smartphone from a list of phones the company supports, while 23% said they had no choice in the matter.

Often, corporate IT shops will choose BlackBerry smartphones when requiring a worker to use a specific smartphone, partly because of the perceived security benefits, many analysts, including at Forrester, have found. The growth in Android phones and the iPhone — many of them brought to workplaces by workers independently — are forcing IT shops to rethink that decision, however.

Ted Schadler, a Forrester analyst, said the survey points to two major trends. The first is that more workers than ever are bringing consumer-focused devices, such as Android and iPhone smartphones, to use for work, and more companies are supporting those devices.

Read More…..

Adobe Patches Security Holes in Flash

Adobe has released a security update for Flash Player in order to address several critical vulnerabilities, including one that is being exploited in the wild.

The Flash Player 10.3.183.10 for Windows, Mac and Linux, and Flash Player 10.3.186.7 for Android, contain patches for six security flaws.

One of them is a cross-site scripting (XSS) weakness that can be exploited to execute rogue actions on behalf of web sites or webmail providers if victims click on maliciously-crafted links.

“There are reports that this issue is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message,” Adobe warns in its security advisory.

XSS vulnerabilities are the result of improper user input validation and allow attackers to execute rogue code in the context of the current web site. For example, they can be leveraged to extract session cookies or load rogue forms into legitimate pages, which makes for very credible phishing attacks.

Adobe credits Google for reporting this cross-site scripting vulnerability, which is identified as CVE-2011-2444. This means it might have been detected in attacks against Gmail users.

Two other patched vulnerabilities allow for arbitrary code execution and are located in the AVM stack. One of them can also lead to a denial of service condition. Two remote code execution logic errors and a Flash Player security control bypass have also been addressed.

Users should deploy the new update as soon as possible because browser plug-ins like Java, Adobe Reader or Flash Player are amongst the most attacked pieces of software one can have on a computer. However, unlike Adobe Reader X (10.0) which features sandboxing technology, Flash Player doesn’t have any anti-exploitation mechanism built-in.

Read More……

Flash Player 11 Launched With 3D Gaming

Adobe Systems announced Flash Player 11 and Adobe Air 3 software Wednesday to assist developers in building more sophisticated applications with dozens of new features across smartphones and tablets as well as desktop computers.

The releases are Adobe’s biggest in two years, and will be available free of charge in early October, said Anup Murarka, Adobe’s director of product marketing. The related tools, Flash Builder and Flex, will support new features in Flash Player 11 and Adobe Air 3 by the end of the year.

The releases will enable delivery of 2D and 3D games over the Internet to various devices, Murarka said. Developers of enterprise applications will also find the 3D capabilities popular for data-centric apps. Enterprises, for example, will be able to build application dashboards to “visualize complex data sets” with 3D images, he said.

Developers will also be able to use the tools to more deeply integrate business software like Excel and Outlook in devices and to access hardware programming interfaces for functions such as Near-Field Communication being used more widely in smartphones, Murarka said.

The new versions will also help developers build more secure applications with the ability to leverage cryptographically secure random number generation, he said.

Read More…..

Is HP Going To Court?

HP and its top executives have been accused of misleading investors before a slump in its stock price.

HP is facing a class action lawsuit filed by Robbins Geller Rudman and Down alleging that CEO Leo Apotheker and CFO Cathie Lesjak misled investors before making announcements that included the possible spin-off of its PC business, dumping WebOS devices and the purchase of British software outfit Autonomy.

Those announcements, all made in one afternoon, led to a 20 per cent drop in HP’s share price the following day. That, according to Reuters, was the largest one day decline in HP’s share price since 1987.

The lawsuit against HP does not specify damages but it serves to highlight the growing concern at the way Apotheker is leading HP. The firm’s announcement that it was considering leaving the PC business was a shock to many, but its decision to dump its WebOS devices was perhaps the biggest shock of the lot.

While HP’s PC business was always seen as a low margin operation, WebOS was viewed as a core part of HP’s future strategy. The firm kept banging on about slipping WebOS into as many devices as possible, however all that talk evaporated, just like HP’s Touchpads when it sold them off at fire sale prices for a massive loss.

Read More Here…..

Microsoft To Overhaul Hotmail

Microsoft will debut next month a major overhaul of its Hotmail webmail service, with upgrades across the board, including in areas like spam, security and performance.

“We listened. We learned. We reinvented Hotmail from the ground up,” reads an invitation sent on Friday to journalists for press events to be held on Oct. 3 simultaneously in New York and San Francisco.

“Forget everything you thought you knew about Hotmail. Just don’t forget this date,” reads the invitation.

Hotmail’s primary competitors are Google’s Gmail and Yahoo Mail. The last time the consumer webmail market got a product jolt was in 2004, when Google surprised the world with Gmail and its then-unprecedented amount of email storage.

At that point, innovation in webmail services had stagnated for years but Gmail shook Microsoft, Yahoo and other webmail providers like AOL out of their comfort zone, as they quickly responded by increasing the size of their email inboxes.

Read More…

Apple Blasted For Not Blocking Stolen Certificates

A security researcher blasted Apple for what he called “foot dragging” over the DigiNotar certificate fiasco, and urged the company to act fast to update Mac OS X to protect users.

“We’re looking at some very serious issues [about trust on the Web] and it doesn’t help matters when Apple is dragging its feet,” said Paul Henry, a security and forensics analyst with Arizona-based Lumension.

Unlike Microsoft, which updated Windows Tuesday to block all SSL (secure socket layer) certificates issued by DigiNotar, Apple has not updated Mac OS X to do the same.

DigiNotar, one of hundreds of firms authorized to issue digital certificates that authenticate a website’s identity, admitted on Aug. 30 that its servers were compromised weeks earlier. A report made public Monday said that hackers had acquired 531 certificates, including many used by the Dutch government, and that DigiNotar was unaware of the intrusion for weeks.

Because almost all the people who were routed to a site secured with one of the stolen certificates were from Iran, many experts suspect that the DigiNotar hack was sponsored or encouraged by the Iranian government, which could use them to spy on its citizens.

Microsoft isn’t the only software maker to block all DigiNotar certificates: Google, Mozilla and Opera have also issued new versions of their browsers — Chrome, Firefox and Opera — to completely, or in Opera’s case, partially prevent users from reaching websites secured with a DigiNotar certificate.

Users of Safari on Mac OS X, however, remain at risk to possible “man-in-the-middle” attacks based on the fraudulently obtained certificates.

Because Safari relies on the underlying operating system to tell it which certificates have been revoked or banned entirely, Apple must update Mac OS X. The Windows edition of Safari, which has a negligible share of the browser market, taps Windows’ certificate list: That version is safe to use once Microsoft’s Tuesday patch is applied.

Read More….

Microsoft: Stolen SSL Certs No Good

Microsoft has officially stated that a digital certificate stolen from a Dutch company could not be used to force-feed customers malware through its Windows Update service.

The company’s assertion came after a massive theft of more than 500 SSL (secure socket layer) certificates, including several that could be used to impersonate Microsoft’s update services, was revealed by Dutch authorities and several other affected developers.

“Attackers are not able to leverage a fraudulent Windows Update certificate to install malware via the Windows Update servers,” said Jonathan Ness, an engineer with the Microsoft Security Response Center (MSRC), in a Sunday blog post. “The Windows Update client will only install binary payloads signed by the actual Microsoft root certificate, which is issued
and secured by Microsoft.”

Seven of the 531 certificates now known to have been fraudulently obtained by hackers in July were for the domains update.microsoft.com and windowsupdate.com, while another six were for *.microsoft.com.

Read More…..

The Linux Kernel Got Hacked

Servers that are part of the Linux kernel.org infrastructure were affected during a recent intrusion where attackers managed to gain root access and plant Trojan scripts.

According to an email sent out to the community by kernel.org chief administrator John Hawley, known as warthog9, the incident started with the compromise of a server referred to as Hera. The personal colocated machine of Linux developer H Peter Anvin (HPA) and additional kernel.org systems were also affected.

“Upon some investigation there are a couple of kernel.org boxes, specifically hera and odin1, with potential pre-cursors on demeter2, zeus1 and zeus2, that have been hit by this,” Hawley wrote.

The intrusion was discovered on 28 August and according to preliminary findings attackers gained access by using a set of compromised credentials. They then elevated their privileges to root by exploiting a zero-day vulnerability that the kernel.org administrators have yet to identify.

Fortunately, logs and parts of the exploit code were retained and will help the investigation. A Trojan was added to the startup scripts of affected systems, but gave itself away through Xnest /dev/mem error messages.

According to the kernel.org admins, these error messages have been seen on other systems as well, but it’s not clear if those machines are vulnerable or compromised. “If developers see this, and you don’t have Xnest installed, please investigate,” the administrators advised.

The good news is that the exploit failed on systems running the latest Linux kernel version, 3.1-rc2, which was released two weeks ago. This is possibly the fortunate consequence of one of the bugfixes it contains.

Read More…

Lawsuit Says Microsoft Illegally Tracks Customers

Microsoft allegedly tracks the location of its mobile user even after customers request that tracking software be turned off, according to a new lawsuit.

The proposed class action, filed in a Seattle federal court on Wednesday, states Microsoft intentionally designed camera software on the Windows Phone 7 operating system to ignore customer requests that they not be tracked.

A Microsoft representative could not immediately be reached for comment.

The lawsuit comes after concerns surfaced earlier this year that Apple’s iPhones collected location data and stored it for up to a year, even when location software was supposedly turned off. Apple issued a patch to fix the problem.

However, the revelation prompted renewed scrutiny of the nexus between location and privacy. At a hearing in May, U.S. lawmakers accused the tech industry of exploiting location data for marketing purposes — a potentially multibillion-dollar industry — without getting proper consent from millions of Americans.

The lawsuit against Microsoft cites a letter the company sent to Congress, in which Microsoft said it only collects geolocation data with the express consent of the user.

Spam Is At A Two-Year High

Spam – particularly the kind with malicious attachments – is enjoying a growth spurt, reaching a two-year high overall, which includes the spike last fall just before the SpamIt operation folded its doors, a security firm says.

In fact spam traffic is about double what it was then, according to M86 Security Labs, which analyzes spam levels across selected domains.

“After multiple recent botnet takedowns, cybercriminal groups remain resilient clearly looking to build their botnets and distribute more fake AV in the process,” the company says in its blog. “It seems spammers have returned from a holiday break and are enthusiastically back to work.”

This report coincides with a report yesterday from Internet security company Commtouch, which says a spike in email-attached malware has just ended, but that further waves are expected.

M86 says in its blog that most of the spam is generated by the Cutwail botnet, and malicious spam accounted for 13% of the mix over the past week, which is unusually high, but even that spiked to 24% yesterday.

Read More…

« Previous Page — Next Page »