Are you sure? There is currently a DNS flaw out in the open waiting to be exploited. The scary thing about this flaw is that you may be completely oblivious to it. You will type a web address into your browser, hit Enter, and arrive at the page you expect. Problem is, are you really at the real site? All the signs seem to suggest you are. And yet, you may be about to send your password to a phishing site halfway across the world.
Patches are available, but has your DNS server been patched? For most users, this responsibility lies with your ISP. Fortunately, there is something you can do. DoxPara Research is providing a DNS Checker that will enable you to test whether the DNS server you’re using is vulnerable to this particular flaw. If the DNS server is found to be vulnerable, consider using OpenDNS instead.
Full details of the vulnerability are currently hard to come by, as everyone is staying hush-hush about it to allow more time for people to patch their DNS servers.
This isn’t the most timely security alert, but just in case you haven’t already heard: exploits for these vulnerabilities have been observed in the wild.
A flaw was discovered late last year in the way Windows handled animated cursor (.ANI) files. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
For more information, please see Microsoft Security Bulletin MS07-017: Vulnerabilities in GDI Could Allow Remote Code Execution (925902).
If you have Windows automatic update enabled, then this patch should have already been applied. Otherwise, the patch for Windows XP SP2 is available from:
KB925902 – Updates for Windows XP
Now, chop chop! Go check that you do indeed have the update applied.
A cross-site scripting (XSS) vulnerability has been found in the Google Desktop application. The flaw, first discovered in October 2006, enables an attacker to search for and steal data from a user’s system.
Earlier this month, Google released an updated version of the Google Desktop client that fixes the flaw. If you use Google Desktop, make sure that you are running the latest version, 5.0.701.30540. The latest version of Google Desktop can be downloaded from the Google Desktop site, http://desktop.google.com/.
For more details on the vulnerability, please see http://www.securityfocus.com/news/11443.
You have been warned.