Saturday, January 18, 2014

Oracle fixes 144 bugs including 36 Java flaws

Oracle issued its first Critical Patch Update of 2014 on Tuesday, and it is one of the company's largest ever, carrying a slew of security fixes, many of them for Java. The update addresses 144 flaws across hundreds of Oracle products, 36 of them in Java SE; 34 of those Java SE bugs can be exploited remotely by an attacker without authentication. "Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products", Oracle said in its pre-release announcement. "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible."

Only FOUR bulletins for January Patch Tuesday

Microsoft disclosed four security bulletins describing a total of six vulnerabilities and released product updates to address them. January Patch Tuesday repairs a privilege escalation bug in the NDProxy driver that supports Microsoft's Telephony API. Microsoft had earlier published a workaround, but applying it rendered the API unusable. The vulnerability was rated important rather than critical because it cannot be exploited remotely: an attacker would first need to log in to the system with valid credentials and then run a malicious application to exploit it locally.

Saturday, January 11, 2014

Yahoo found serving Java malware-spreading ads

Malicious ads served through Yahoo's ad network delivered malware to thousands of site visitors, according to researchers at Fox-IT; Yahoo has since blocked the attack. Fox-IT's post said that visitors whose browsers loaded the ads were redirected to the "Magnitude" exploit kit. "This exploit kit exploits vulnerabilities in Java and installs a host of different malware," Fox-IT said, naming ZeuS, Andromeda, Dorkbot/Ngrbot, ad-clicking malware, Tinba/Zusy and Necurs. The security company's investigation dated the start of the infection to December 30, but it said the campaign might have begun earlier. Yahoo confirmed the infection and said it had taken action to remove it.

Expert finds flaws in Google and Facebook

Security researcher Jitendra Jaiswal has identified two interesting vulnerabilities in Facebook and Google. Both have been addressed. The security hole in Facebook was an open URL redirect that allowed an attacker to send victims to any website, without any restriction and without interaction on the user's part. Facebook rewarded the researcher with $1,000 for the finding. As for the Google vulnerability, Jaiswal found a clickjacking (UI redressing) flaw on the Google Maps website that could have been exploited to change a user's Google+ profile picture, hijack the user's webcam, and update the user's status. Proof-of-concept videos show how the vulnerabilities could have been exploited. The issues were discovered in November of last year, but the researcher has only now published the details.
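The two bug classes above have well-known server-side defences: an open redirect is closed by validating the redirect target before issuing a 302, and clickjacking is prevented by telling browsers not to frame the page. The following is an added example, not code from Facebook, Google or the researcher; the endpoint shape (a `next=` parameter) and the set of allowed hosts are assumptions made for illustration. The redirect check covers the usual bypasses (protocol-relative `//evil.com`, backslash variants, `user@host` tricks and non-HTTP schemes), and the framing check reads both `Content-Security-Policy: frame-ancestors` and the older `X-Frame-Options`.

```python
from urllib.parse import urlsplit

SAFE_SCHEMES = ("http", "https")


def is_safe_redirect(target: str, allowed_hosts: set[str]) -> bool:
    """Return True only if `target` lands on a host we control.

    Hypothetical validator for a `/login?next=...` style parameter (an
    assumption for this example; not an API of any site mentioned above).
    """
    if not target:
        return False
    # Browsers treat backslashes like forward slashes when splitting the
    # authority, so "/\evil.com" is really "//evil.com". Normalise first.
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    # Any explicit scheme other than http/https (javascript:, data:, ...) is rejected.
    if parts.scheme and parts.scheme not in SAFE_SCHEMES:
        return False
    if parts.netloc:
        # Absolute or protocol-relative URL: the parsed hostname (after any
        # user@ part) must be one of ours.
        host = (parts.hostname or "").lower()
        return host in allowed_hosts
    # No authority part: accept only a path-relative URL with a single leading
    # slash. This also rejects "http:evil.com", which parses with an empty netloc.
    return candidate.startswith("/") and not candidate.startswith("//")


def frame_protected(headers: dict[str, str]) -> bool:
    """True if the response forbids framing by other origins.

    CSP frame-ancestors takes precedence over X-Frame-Options; a wildcard
    source leaves the page frameable. ALLOW-FROM is not counted as protection
    because most browsers ignore it.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            sources = value.split()
            return bool(sources) and "*" not in sources
    xfo = lower.get("x-frame-options", "").strip().upper()
    return xfo in ("DENY", "SAMEORIGIN")


if __name__ == "__main__":
    allowed = {"example.com"}  # assumed list of hosts this app may redirect to
    for t in ("/settings", "//evil.com/", "https://example.com@evil.com/", "javascript:alert(1)"):
        print(f"{t!r:40} safe={is_safe_redirect(t, allowed)}")
    print(frame_protected({"Content-Security-Policy": "frame-ancestors 'none'"}))
```

Note that protocol-relative targets pointing at an allowed host (`//example.com/x`) are accepted; if the application must never leave its own origin at all, drop the `parts.netloc` branch and allow only relative paths.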

Saturday, January 4, 2014

Unencrypted Windows crash reports open to hijacking

Microsoft's automated Windows error reporting feature, "Dr. Watson", mostly transmits crash log data in the clear, leaving organizations that use it exposed to targeted attacks, researchers say. Websense Security Labs found, in a study of the risks posed by some popular applications and services, that Microsoft Windows Error Reporting, which automatically sends details of a system crash to the software giant, does so without encrypting the information. The sensitive details in these reports, which include the make and model of the machine, BIOS version, ID, and installed applications, can help attackers, and even the National Security Agency, profile potential target machines and networks. Word that the NSA was likely doing just that came among other revelations in a report over the weekend by the German publication Der Spiegel, which pulled back the curtain on an elite team of NSA hackers called the Tailored Access Operations (TAO) group. According to the report, TAO appears to use the NSA's XKeyscore tool to pull Windows crash reports out of the Internet traffic it captures; the intelligence can then be used to profile a machine and exploit its vulnerabilities.

Skype social media accounts hacked

Skype said its social media properties were targeted, with a group styling itself the Syrian Electronic Army appearing to claim credit for the hacks. "You may have noticed our social media properties were targeted today," Skype said in a Twitter message late Wednesday. "No user info was compromised. We're sorry for the inconvenience." Skype's Twitter account, blog and Facebook page appeared to have been attacked by the SEA, a group that supports the Syrian government, according to reports. The Skype blog was still inaccessible late Wednesday and redirected users to the Skype home page. The SEA reproduced in a Twitter message a copy of what appeared to be the message it had posted from Skype's Twitter account.