A recap of the week's security news follows privacy flaps affecting Facebook and MySpace as well as the growth of attacks on Java.
Privacy concerns kept reappearing in the news this week, starting with
social networking giant Facebook.
Some of the most popular applications on Facebook were observed sharing
Facebook user IDs, mostly inadvertently. The information could potentially be
used to look up Facebook user names and other public information. Rapleaf,
which the Wall Street Journal reported had linked user ID information from
Facebook apps to its own for-sale database of Internet users, identified the
issue as having to do with referrer URLs. Facebook said it will address the
issue with encryption.
A similar situation was found to be affecting MySpace apps as well.
"Our terms of use prohibit third-party developers from sharing any user
data, including public information such as the user ID, with other entities,"
a MySpace spokesperson said. "It has recently come to our attention that
several third-party app developers may have violated these terms, and we are
taking appropriate action against those developers."
Some of the affected MySpace apps include RockYou Pets and Tag Me. According
to the Wall Street Journal, the information was primarily sent by MySpace when
users clicked on ads. As on Facebook, the user IDs can be used to look up
public information, including potentially a person's name, photos and
location. The advertising companies who were sent the data, which included
Google, Quantcast and Rubicon Project, reportedly told the Journal they didn't
use the information.
Away from the world of social networking, Microsoft shined a light on a
growing number of attacks on Java vulnerabilities. According to the company's
Security Intelligence Report, the most targeted vulnerabilities were three bugs
that had already been patched: CVE-2008-5353, CVE-2009-3867 and CVE-2010-0094.
"Through our BrowserCheck application we have collected data that shows
that over 80 percent of all visiting workstations have Java installed,"
Qualys CTO Wolfgang Kandek told eWEEK Oct.
19. "Of these machines, over 40 percent run a version of Java that has a
critical vulnerability, making it the most vulnerable plug-in of all and giving
the malware an excellent chance to install itself and control the targeted
machine."
Adobe Systems, whose products have also been a frequent target of attacks,
warned Oct. 21 of a new bug in Shockwave Player that could be used to hijack a
vulnerable system. The company also announced a clearer timeline for Adobe
Reader X, which for Windows users will include new sandboxing technology to
mitigate attacks.
"Adobe's product security initiatives are focused on reducing both the
frequency and the impact of security vulnerabilities," an Adobe
spokesperson told eWEEK. "Adobe Reader Protected Mode represents an
exciting new advancement in mitigating the impact of attempted attacks. Even if
exploitable security vulnerabilities are found by an attacker, Adobe Reader
Protected Mode will help prevent the attacker from writing files or installing
malware on potential victims' computers."
Also during the week, Forrester Research released a report on the future of
the cloud security market, and what that future means for security vendors,
cloud providers and organizations alike.