
1 July

Millions of websites such as online news, blogs, e-commerce, banks, webmail, social networking and more utilize third-party hosted content on their webpages in the form of JavaScript, Adobe Flash, Microsoft Silverlight, HTML IFrames, and images. Often referred to as Web Widgets, common examples are banners (Google AdSense), search boxes (Yahoo), traffic counters (StatCounter), games (Pogo), videos (YouTube), Twitter / RSS feeds, user polls, security badges (VeriSign Secured Seal), social buttons (Facebook Like), etc.

Go here to see the original:
Third-Party Web Widget Security FAQ

Category : Web App Sec | Blog
8 June

The lab is currently seeing a spam run pushing a PDF exploit. The emails look like this:

Category : F-Secure | Blog
6 June

On Friday, Adobe released a security advisory announcing a zero-day exploit found in specific Adobe Flash Player versions. Tagged as critical, the vulnerability (CVE-2010-1297) causes the application to crash. Potentially, the underlying vulnerability could also be used to run arbitrary code, such as downloading/dropping malicious files onto the affected system.

Excerpt from:
Zero-Day Flash/Acrobat Exploit Seen In The Wild

Category : infySEC | Blog
9 April

Ten of Application Security industry's coolest, most interesting, important, and entertaining links from the past week, in no particular order:

- Microsoft SDL version 5
- Force.com Secure Cloud Development
- Stroke triggered XSS and StrokeJacking
- German Government Pays Hacker For Stolen Bank Account Data
- CAPEC-333: WASC Threat Classification 2.0
- WAF Confusion Continues
- Serious New Java Flaw Affects All Current Versions of Windows + Advisory
- Safari Integer Overflow Aids Inter Protocol Exploitation
- OWASP AIR + Flash Security Projects
- Prion 1.1 - Polymorphic XSS Worm

WhiteHat Security is a leading provider of website security services.

See the original post here:
Best of Application Security (Friday, Apr. 9)

Category : Web App Sec | Blog
24 March

Advanced threats researcher Ivan Macalintal spotted a fresh wave of spammed messages that were used to spread another ZBOT variant of the infamous ZeuS botnet. These messages warned users that a "jerk" posted photos of them and contained a link to the said images.

Here is the original post:
Spam with “Pictures” Used to Spread ZBOT

Category : infySEC | Blog
4 March

Another day, another piece of news, and well... another SEO Poisoning stint. Using PDF files in SEO poisoning is a bit recent, but not exactly fresh news.

See original here:
SEO Poisoning Sites Use Flash for Redirection

Category : F-Secure | Blog
2 March

Charlie Miller, the Pwn2Own contest winner for two years in a row, gives his take on internet security. Guess what: your Mac OS is no less vulnerable than its Microsoft Windows counterpart.

Go here to see the original:
Pwn2Own Interview with Charlie Miller

Category : F-Secure | Blog
22 February

Since the beginning of the year, Adobe and Microsoft have been under a bad light since most of the most recent attacks notably exploited the two companies’ software vulnerabilities. Adobe Reader and Acrobat, in particular, are currently cybercriminals’ favorite targets.

Read the original:
Adobe Releases Out-of-Band Patch for Adobe Reader and Acrobat

Category : infySEC | Blog
4 February

Any penetration tester would agree that pivot attacks, designed to compromise a secondary host to more effectively attack primary targets, are incredibly powerful. Organizations tend to have difficulty protecting all hosts at all times, which is why proper network segmentation is vital should loss of control occur on any one node. Often it's easier to compromise a host from behind rather than head on.

See the original post here:
Web 2.0 Pivot Attacks

Category : Web App Sec | Blog