Firefox & Adobe rated as buggiest software

Firefox was the application that had the most reported vulnerabilities this year, while holes in Adobe Reader more than tripled from a year ago, according to statistics compiled by Qualys, a vulnerability management provider.

Qualys tallied 102 vulnerabilities that were found in Firefox this year, up from 90 last year. The numbers are based on running totals in the National Vulnerability Database.

However, the high number of Firefox vulnerabilities doesn't necessarily mean the Web browser actually has the most bugs; it just means it has the most reported holes. Because the software is open source, all holes are publicly disclosed, whereas proprietary software makers, like Adobe and Microsoft, typically only publicly disclose holes that were found by researchers outside the company, and not ones discovered internally, Qualys Chief Technology Officer Wolfgang Kandek said late on Wednesday.

Meanwhile, Adobe took the second place spot from Microsoft this year. The number of vulnerabilities in Adobe Reader rose from 14 last year to 45 this year, while those in Microsoft Office dropped from 44 to 41, according to Qualys. Internet Explorer had 30 vulnerabilities.

A shift in focus
The numbers illustrate the trend of attackers turning their focus away from operating systems and toward applications, Kandek said.

"Operating systems have become more stable and harder to attack and that's why attackers are migrating to applications," he said. "Adobe is a huge focus for attacks now, around 10 times more than Microsoft Office. However, other widely used targets like Internet Explorer and Firefox are still far from secure."

Research from F-Secure earlier this year provides further evidence that holes in Adobe applications are being targeted more than Microsoft apps. During the first three months of 2009, F-Secure discovered 663 targeted attack files, the most popular type being PDFs at nearly 50 percent, followed by Microsoft Word at nearly 40 percent, Excel at 7 percent, and PowerPoint at 4.5 percent.

That compared with Word representing nearly 35 percent of all 1,968 targeted attacks in 2008, followed by Reader at more than 28 percent, Excel at nearly 20 percent, and PowerPoint at nearly 17 percent.

As a result, Adobe needs to respond the way Microsoft did in 2002 when it launched its Trustworthy Computing initiative, and make securing its software a company-wide priority, researchers say. F-Secure even recommended that people stop using Reader and use an alternative PDF reader.

Adobe has taken some action, announcing in May that it would release its security updates on a regular schedule, quarterly and coinciding with every third Microsoft Patch Tuesday.

Another study released this week focuses on which applications are the riskiest to users. Based on the most severe vulnerabilities in popular applications that run on Windows and are not updated automatically, Firefox again tops the list, followed by Adobe Reader and Apple QuickTime, according to Bit9, a provider of application whitelisting technology.

The list of risky software compiled by Bit9 based on the National Vulnerability Database also includes Java, Flash Player, Safari, Shockwave, Acrobat, Opera, Real Player, and Trillian. Last year, the Bit9 list of the most risky apps included Skype, Yahoo IM, and AOL IM, but those three were not on this year's list.

Not included on the list are programs from Microsoft and Google because of the ability for users of their software to have patches installed automatically. Microsoft software can be automatically and centrally updated via the Microsoft Systems Management Server and Windows Server Update Services, and Google Chrome is automatically updated when users are on the Internet, Bit9 said.

The lists do not take into account the amount of time it takes for companies to release patches, particularly when there is an exploit in the wild. Bit9 noted that Microsoft Internet Explorer was given an "honourable mention" because of a zero-day vulnerability related to ActiveX that went un-patched for three weeks in July.

Microsoft isn't alone in taking longer than customers would like to fix holes. In March, Adobe released a patch for a zero-day vulnerability in Reader and Acrobat--about two weeks after it was disclosed to users and nearly two months after exploits had been discovered in the wild.

Adobe customers will have to wait about a month for a fix to the latest critical zero-day hole in Reader and Acrobat. The company announced on Wednesday it would not patch the vulnerability until its next scheduled quarterly security update release on January 12.

For those looking for a secure alternative to Adobe PDF reader, try Foxit Reader.

http://www.foxitsoftware.com/pdf/reader/

Security Alert! Sites hacked via upload scripts

SECURITY ALERT!

There has been an increase in the past few days of sites being hacked via file upload scripts, particularly a number of high profile ColdFusion based sites.

The hacker gets in by uploading a CFM, ASP, PHP or other supported file type to the server and executing the file, thus escalating his access.

If you have any publicly accessible areas of your site where files can be uploaded, make sure you are not vulnerable: validate every uploaded file against a list of allowed file types and never allow executable files (scripts the server will run) to be uploaded.

In particular, pay attention to things like image uploads on forums or other applications, which people seem to think are safe because they only allow images to be uploaded. Many scripts actually write the uploaded file to its final destination folder before validating it, and then delete it if it is not valid, which leaves a window of opportunity for the file to be executed.

What happens is that the hacker uses a load-testing tool that constantly requests the URL on your site where he knows his file will land (e.g. mysite.com/files/xyz.cfm), many times a second, so when he then uploads the file it gets executed in the few milliseconds before it is deleted.

To avoid this scenario, perform the checks before accepting the upload, or upload the file first to a temporary location that is not web-accessible and only move it to the destination folder once it has been verified.
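The following upload handler is an added example, not code from the post: it validates the file (allowed extension plus matching magic bytes) before writing anything, stages the bytes in a temporary directory outside the web root, and only then moves the file to the public folder under a server-chosen name, so the race described above has nothing to hit. The web root path, the allowed image types and the temporary-directory location are assumptions.

```python
import os
import shutil
import tempfile
import uuid

# Constructed settings for this example (assumed values, not from the post).
WEB_ROOT = "/var/www/site/files"       # served as mysite.com/files/, must never hold unchecked files
ALLOWED_EXT = {".jpg", ".jpeg", ".png", ".gif"}
# Leading bytes each accepted image format must start with (magic numbers)
MAGIC = {
    ".jpg": b"\xff\xd8\xff", ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".gif": b"GIF8",
}


def validate_image(data: bytes, original_name: str) -> str:
    """Return the safe extension for this upload or raise ValueError.

    The extension is taken from the user-supplied name but only accepted
    when it is on the allow list AND the content carries the matching magic
    bytes, so a CFM/ASP/PHP script renamed to .gif is refused."""
    ext = os.path.splitext(original_name)[1].lower()
    if ext not in ALLOWED_EXT:
        raise ValueError("extension not allowed: %r" % ext)
    if not data.startswith(MAGIC[ext]):
        raise ValueError("content does not look like %s" % ext)
    return ext


def handle_upload(data: bytes, original_name: str, web_root: str = WEB_ROOT) -> str:
    """Validate before anything is written, and stage the bytes outside the
    web root, so no unchecked file ever exists at a URL the uploader can
    request in a tight loop. Returns the final path."""
    ext = validate_image(data, original_name)
    staging = tempfile.mkdtemp(prefix="upload-")   # assumed not to be web-served
    tmp_path = os.path.join(staging, "pending")
    with open(tmp_path, "wb") as fh:
        fh.write(data)
    # Server-chosen random name: the uploader cannot predict the final URL either.
    final = os.path.join(web_root, uuid.uuid4().hex + ext)
    os.makedirs(web_root, exist_ok=True)
    shutil.move(tmp_path, final)
    os.rmdir(staging)
    return final
```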

WPA Protocol hacked

I guess this has been inevitable for some time, but the WPA wireless security protocol has now been effectively hacked. A Japanese group has developed a hack for the WPA protocol and will be presenting their findings in Hiroshima on Sept 25th (http://www.ieice.org/ken/paper/20090925faPH/eng/).

See here for their full report:

http://jwis2009.nsysu.edu.tw/location/paper/A%20Practical%20Message%20Falsification%20Attack%20on%20WPA.pdf

If you are using WEP (already hacked) or WPA, I would strongly encourage you to switch to the WPA2 protocol as soon as possible. If you are using WPA with AES, you should be fine, for now: this hack currently affects WPA using TKIP. But if you have to switch things up anyway, you might as well go to WPA2 with its AES-based CCMP encryption. It's only a matter of time before this exploit is actively used, so time is critical.

Here's also a report on this from Network World:

http://www.networkworld.com/news/2009/082709-new-attack-cracks-common-wi-fi.html
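To check whether an access point you run is still exposed to the TKIP attack described above, here is an added example (not from the post or the paper) that audits hostapd.conf fragments for WPA version 1 and for TKIP as an allowed pairwise cipher. The two configuration fragments are constructed; the hostapd semantics used (wpa is a bitmask, wpa_pairwise defaults to TKIP, rsn_pairwise falls back to wpa_pairwise) are real.

```python
# Constructed hostapd.conf fragments (assumed values, not from the post):
# the first still allows TKIP, the second is WPA2 with CCMP only.
WEAK_CONF = """\
interface=wlan0
ssid=OfficeNet
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
"""

HARDENED_CONF = """\
interface=wlan0
ssid=OfficeNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
"""

def parse_conf(text: str) -> dict:
    """Parse hostapd's key=value lines, skipping comments and blanks."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf

def audit(text: str) -> list:
    """Return findings relevant to the TKIP attack described in the post."""
    conf = parse_conf(text)
    findings = []
    wpa = int(conf.get("wpa", "0"))   # bitmask: 1 = WPA (v1), 2 = WPA2/RSN, 3 = both
    if wpa == 0:
        return ["no WPA/WPA2 configured (open or WEP network)"]
    if wpa & 1:
        findings.append("WPA version 1 is enabled; set wpa=2 to allow WPA2 only")
        # hostapd's default pairwise cipher for WPA v1 is TKIP
        if "TKIP" in conf.get("wpa_pairwise", "TKIP").split():
            findings.append("wpa_pairwise allows TKIP, the cipher this attack targets")
    if wpa & 2:
        # rsn_pairwise falls back to wpa_pairwise when it is not set
        rsn = conf.get("rsn_pairwise", conf.get("wpa_pairwise", "TKIP"))
        if "TKIP" in rsn.split():
            findings.append("rsn_pairwise allows TKIP under WPA2; use rsn_pairwise=CCMP")
    return findings
```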

Five Kids Rescued From Sex Abuse Gangs

Police have rescued five children who were being kept as sex slaves by paedophiles who broadcast the abuse on the internet.

The boys and girls, aged from seven to 13 years old, were snatched from the suspects in a series of raids across the UK.

Three of the youngsters were discovered at addresses in Scotland, and two in England.

The children were being attacked on a daily basis, and footage of the abuse was streamed live on websites.

All are now receiving counselling and support.

Officers said a number of suspects were arrested in the operation.

Scotland's National Sex Crimes Unit, which was set up in March this year, said legal proceedings have begun against them.

Senior prosecuting counsel Derek Ogg QC, who heads the unit, praised police for the "good old-fashioned detective work" that led to the arrests.

Officers began the operation after a man was arrested for other alleged sex offences.

Children were identified and the raids were launched across the UK.

Mr Ogg told Sky News Online: "When you discover this going on in your own back yard, in your home country, it really brings it home to people.

"This was all down to good old-fashioned police detective work."

He added: "It was carried out by incredibly dedicated officers who worked night and day to put an end to these children's daily ordeal.

"I can't stress enough the credit that the police take in these cases.

"It takes amazing dedication sifting through the evidence to get success like this."

I can only hope that our dismal justice system for once does the right thing and a sensible judge puts these evil bastards away for the rest of their lives and while inside they get their genitals amputated.

As a father of 3 myself, I can only imagine how the parents of these children must be feeling right now. It is certainly a heart-wrenching decision when you have to decide between what you want to do and what you should do in the best interest of your kids, when sadly vengeance, no matter how much you want it or deserve it, will only make the situation worse.

55,000 Web sites hacked to serve up malware cocktail

Security researchers are raising an alarm for a potent malware cocktail - backdoor Trojans and password stealers being pushed to Windows users from about 55,000 hacked Web sites.

According to Mary Landesman, a researcher in ScanSafe's security threat alert team, the cybercriminals have embedded a malicious iFrame into tens of thousands of Websites to fire exploits at unsuspecting PC users who surf to one of the rigged sites.

The iFrame points to an intermediary exploit site which in turn loads additional exploits and malware from up to seven different malware domains, Landesman said.

She ran a Google search on the iframe script tag and found it embedded on about 54,900 sites, many of them legitimate online destinations.

Victim sites include www.feedzilla.com, latindiscover.com, and a number of charitable and nursing facilities, including howellcarecenter.com, sweetgrassvillagealf.com, www.foodsresourcebank.org, and morningsideassistedliving.com.

At the time of writing this blog post, the number of hacked sites listed in Google results climbed to 56,000.

It is not yet clear which vulnerabilities are being exploited in this attack but, judging from recent history, end users should ensure that operating system and desktop software programs are fully patched.

The most common programs under attack include Adobe Flash, Adobe PDF Reader, Apple's QuickTime, WinZip and RealPlayer. In addition to Microsoft Windows patches, these desktop applications should be updated to the newest version immediately.

If you run a website then I would suggest you do a file search for the aforementioned code and make sure your site has not been hacked, especially if you use third-party scripts that may be vulnerable.
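Since the post does not quote the injected iframe itself, here is an added example (not from the post or ScanSafe) of the file search it recommends: it walks a web root and flags iframes that are hidden (zero size or display:none) or that load a host outside your own domains, which is the pattern of the campaign described above. The domain allow list, the file extensions and the two sample pages are constructed assumptions.

```python
import os
import re
from urllib.parse import urlparse

# The post does not quote the injected iframe itself, so this scanner flags
# iframes that are hidden or that load a host outside your own domains.
OWN_DOMAINS = {"example.org", "www.example.org"}   # assumed: replace with your hosts
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r"""([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.I)

# Constructed sample pages (not real victim content): one clean, one injected.
CLEAN_PAGE = '<p>Hello</p><iframe src="https://www.example.org/map" width="300" height="200"></iframe>'
INJECTED_PAGE = ('<p>Hello</p><iframe src="http://exploit-host.invalid/in.php"'
                 ' width="0" height="0" style="display: none"></iframe>')

def iframe_attrs(tag: str) -> dict:
    """Map attribute names to values for one <iframe ...> opening tag."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(tag)}

def suspicious_iframes(html: str) -> list:
    """Return the iframe tags in html that look injected."""
    hits = []
    for tag in IFRAME_RE.findall(html):
        a = iframe_attrs(tag)
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (a.get("width", "").strip() in ("0", "1")
                  or a.get("height", "").strip() in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        foreign = bool(host) and host not in OWN_DOMAINS
        if hidden or foreign:
            hits.append(tag)
    return hits

def scan_tree(root: str, exts=(".html", ".htm", ".php", ".cfm", ".asp", ".js")) -> dict:
    """Walk a web root and return {path: [suspicious iframe tags]}."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    tags = suspicious_iframes(fh.read())
                if tags:
                    findings[path] = tags
    return findings
```

Review every hit by hand: a legitimate embedded widget from a partner host will also be flagged until its domain is added to the allow list.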