Social Network Privacy to Java Attacks: The Week in Security

A recap of the week's security news follows privacy flaps affecting Facebook and MySpace as well as the growth of attacks on Java.

Privacy concerns kept reappearing in the news this week, starting with social networking giant Facebook.

Some of the most popular applications on Facebook were observed sharing Facebook user IDs, mostly inadvertently. The information could potentially be used to look up Facebook user names and other public information. Rapleaf, which the Wall Street Journal reported had linked user ID information from Facebook apps to its own for-sale database of Internet users, identified the issue as having to do with referrer URLs. Facebook said it will address the issue with encryption.

A similar situation was found to be affecting MySpace apps as well.

"Our terms of use prohibit third-party developers from sharing any user data, including public information such as the user ID, with other entities," a MySpace spokesperson said. "It has recently come to our attention that several third-party app developers may have violated these terms, and we are taking appropriate action against those developers."

Some of the affected MySpace apps include RockYou Pets and Tag Me. According to the Wall Street Journal, the information was primarily sent by MySpace when users clicked on ads. As on Facebook, the user IDs can be used to look up public information, including potentially a person's name, photos and location. The advertising companies that were sent the data, which included Google, Quantcast and Rubicon Project, reportedly told the Journal they didn't use the information.
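The Facebook and MySpace stories above both come down to the same mechanism: a platform user ID sitting in a page URL is forwarded to a third party in the Referer header. The following is an added example, not code from the article or from either platform, showing a defender-side check over constructed request-log lines plus the first-party scrub that removes the identifier before it can be forwarded. The host names, parameter names and log format are assumptions made for the example.

```python
from urllib.parse import urlparse, parse_qs, parse_qsl, urlencode, urlunparse

# Query-parameter names assumed to carry a platform user identifier
# (constructed for this example; the article does not name the real parameters).
USER_ID_PARAMS = {"user_id", "uid", "userid"}

# Hosts treated as first party, where the identifier legitimately belongs (constructed).
FIRST_PARTY_HOSTS = {"apps.social.example"}

# Constructed outbound-request log: destination host and the Referer that was sent.
SAMPLE_LOG = [
    "dest=ads.adnet.example referer=http://apps.social.example/pets?user_id=12345&page=2",
    "dest=apps.social.example referer=http://apps.social.example/pets?user_id=12345",
    "dest=cdn.static.example referer=http://apps.social.example/tagme?lang=en",
]


def leaked_id_params(destination_host, referer):
    """Names of user-id parameters disclosed to a third party through the Referer URL.
    Returns an empty set when the request stays first party or carries no identifier."""
    if destination_host in FIRST_PARTY_HOSTS:
        return set()
    query = urlparse(referer).query
    return {name for name in parse_qs(query) if name.lower() in USER_ID_PARAMS}


def scan_log(lines):
    """Parse 'dest=<host> referer=<url>' lines and list (host, leaked parameter names)."""
    findings = []
    for line in lines:
        fields = dict(part.split("=", 1) for part in line.split() if "=" in part)
        leaked = leaked_id_params(fields.get("dest", ""), fields.get("referer", ""))
        if leaked:
            findings.append((fields["dest"], sorted(leaked)))
    return findings


def scrub_referer(referer):
    """Mitigation on the first-party side: drop user-id parameters from the page URL
    that browsers will copy into the Referer, so third parties never receive the ID."""
    parts = urlparse(referer)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in USER_ID_PARAMS]
    return urlunparse(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    for host, params in scan_log(SAMPLE_LOG):
        print(f"user id leaked to {host} via Referer parameters {params}")
```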

Away from the world of social networking, Microsoft shone a light on a growing number of attacks on Java vulnerabilities. According to the company's Security Intelligence Report, the most targeted vulnerabilities were three bugs that had already been patched: CVE-2008-5353, CVE-2009-3867 and CVE-2010-0094.

"Through our BrowserCheck application we have collected data that shows that over 80 percent of all visiting workstations have Java installed," Qualys CTO Wolfgang Kandek told eWEEK Oct. 19. "Of these machines, over 40 percent run a version of Java that has a critical vulnerability, making it the most vulnerable plug-in of all and giving the malware an excellent chance to install itself and control the targeted machine."

Adobe Systems, whose products have also been a frequent target of attacks, warned Oct. 21 of a new bug in Shockwave Player that could be used to hijack a vulnerable system. The company also announced a clearer timeline for Adobe Reader X, which for Windows users will include new sandboxing technology to mitigate attacks.

"Adobe's product security initiatives are focused on reducing both the frequency and the impact of security vulnerabilities," an Adobe spokesperson told eWEEK. "Adobe Reader Protected Mode represents an exciting new advancement in mitigating the impact of attempted attacks. Even if exploitable security vulnerabilities are found by an attacker, Adobe Reader Protected Mode will help prevent the attacker from writing files or installing malware on potential victims' computers."

Also during the week, Forrester Research released a report on the future of the cloud security market, and what that future means for security vendors, cloud providers and organizations alike.