
10
March

The number of serious zero-day vulnerabilities and potential exploits discovered in recent days is higher than normal.

Link:
Multiple Vendors Affected By New Vulnerabilities

Category : infySEC | Blog
7
March

Ten of Application Security industry’s coolest, most interesting, important, and entertaining links from the past week — in no particular order.

- Verizon Incident Metrics Framework Released
- Wiseguys net $25m in ticket scalping racket
- State of Software Security Report
- Internet Explorer 8 and the Security Development Lifecycle (SDL)
- Top 10 Hacks of 2009 and WAF Mitigations
- FTC alleges that ControlScan offered ‘little or no verification’ of site security or privacy
- I’m in ur 4sq, snarfin ur password — Part I
- Fifteen Common Activities from BSIMM2
- Even if You Don’t Invent Your Own Crypto….It’s Still Hard
- Facebook founder Mark Zuckerberg ‘hacked into emails of rivals and journalists’

WhiteHat Security is a leading provider of website security services.

Link:
Best of Application Security (Friday, Mar. 5)

Category : Web App Sec | Blog
3
March

Another Proof-of-Concept (POC) Revealed

The changing threat landscape has brought about more sophisticated Web threats, and left the online population clamoring for better security features in the systems and applications that they use. This has pushed Microsoft to develop security mechanisms within its applications like Windows’ Data Execution Protection (DEP) and Address Space Layout Randomization (ASLR). Both DEP and ASLR are security mechanisms that Microsoft included in its latest Windows releases starting with XP SP2 and Vista, respectively, which should ideally protect systems from being attacked by exploit codes.

Excerpt from:
New Exploit Bypasses DEP

Category : infySEC | Blog
22
January

The recent attacks on Google and other large organizations (currently being referred to by others as Aurora, Google Attacks, Hydraq) were a set of carefully orchestrated, sophisticated and highly complex attacks. They comprised malicious threats to all three communication vectors – email, web and files, plus most notably, a zero-day vulnerability in Internet Explorer.

Originally posted here:
Trend Micro To Help Proactively Protect Against Zero-Day Attacks like the recent IE Explorer Exploit

Category : infySEC | Blog
21
January

Microsoft is releasing an out-of-band update for their IE vulnerability. Internet Explorer 6 is affected and is being actively exploited in the wild. The patch will be released on the 21st, today; see Microsoft’s Security Bulletin for additional details.

Read the original post:
Microsoft Vulnerabilities

Category : F-Secure | Blog
21
January

Trend Micro has identified new malware samples that exploit the still-unpatched Internet Explorer (IE) vulnerability. These samples have been detected as JS_ELECOM.C and HTML_COMLE.CXC. Further analysis by TrendLabs threat experts found that the new scripts are versions of JS_DLOADER.FIS (the only difference being the encryption techniques used), which was widely used in the recent and still ongoing attacks targeting major organizations like Google and Adobe. In line with this, Microsoft announced that it will release an out-of-band security update to fix the issue.

More here:
New IE Zero-Day Exploit Attacks Continue

Category : infySEC | Blog
19
January

Internet Explorer’s latest vulnerability is causing Germany and France to advise against its use.

More here:
To IE or Not to IE : That is the Question

Category : F-Secure | Blog
19
January

Recent cyber attacks on Google and other organisations have been covered extensively by the media, largely owing to the size and notability of the companies affected. However, what this incident really does is bring into view the true complexity and sophistication of computer threats, and that any user or organization, large or small, could potentially be at risk. Although these attacks were orchestrated to target certain groups or organisations, any computer can actually fall prey to them.

Go here to read the rest:
Cyber Attacks on Google and Others – Who is Really at Risk?

Category : infySEC | Blog
13
January

Following the usual cycle of monthly patch releases, Microsoft issued its first release of the year on January 12.

See the article here:
One Patch For January Patch Tuesday

Category : infySEC | Blog
2
October

I was updating the browsers on one of my VMware images today, and I updated Google Chrome to version 3.0.195.24. Version 3.0.195.24 resolves a security vulnerability which could allow an attacker to run arbitrary code within the Google Chrome sandbox. Only… the update didn’t delete the vulnerable files during installation. So while Chrome may no longer be using the vulnerable file, the old chrome.dll remains on my VMware system. If something such as Sun Java can finally uninstall old versions, don’t you think Google Chrome should be able to do so too? Does anyone else notice this on their systems?

Original post:
Google Chrome Update?

Category : F-Secure | Blog