When is your VM not your VM?
When your provider seems to own it?
A reader sent us a link to a story which ends well: a gentleman whose spouse had passed away had asked his VM provider to restore the greeting she had made. My first reaction was, isn't that wonderful! Then Darren and I started to discuss the implications. The original story is here.
- Who owns your voicemail?
- If you delete a VM message, is it deleted?
- If you delete a VM, can it be restored if you ask?
- Who authorized the backups of my VM?
- Are the backups subpoenable?
- Do providers adequately authenticate requests to retrieve VM?
- What logs are kept of such requests?
I think we have only scratched the surface of the privacy and security implications raised by this case.
Cheers,
Adrien de Beaupré
Bell Canada
BBB is back
We have two separate reports of BBB targeted phishing (AKA spear phishing) attacks. Both are using the URL: hxxp://www.national-bbb.com
The site tries to initiate an ActiveX install.
Browser beware!
Cheers,
Adrien de Beaupré
Bell Canada
Apple Patches AND Vista service pack
The first service pack from Microsoft for Vista is out. Please let us know your experiences downloading and applying the 434.5 MB Windows Vista Service Pack 1 Five Language Standalone (KB936330).
Apple has released Security Update 2008-02 and Security Update for Safari 3.1 for Mac users.
Update 1: If Vista SP1 will not install, or is not being offered as an option, you should read the following article. You may have to update drivers first or resolve other issues. If you run into any other problems please let us know. (Thanks Susan!): Windows Vista Service Pack 1 is not available for installation from Windows Update and is not offered by Automatic Updates
Update 2: Before you install the final release of Windows Vista SP1, you must uninstall any previous releases, as detailed in this article. (Thanks Chris!)
Update 3: V3.0 of MS08-014 dated March 19, 2008 should fix the Excel issues.
Cheers,
Adrien de Beaupré
Bell Canada
VMware updates resolve critical security issues (VMSA-2008-0005)
Last month we announced a critical VMware vulnerability where it was possible for a program running in a guest virtual machine to gain access to the host's complete file system and create or modify executable files in sensitive locations (that is, a true escape). The problem was due to a directory traversal vulnerability in the VMware shared folder capabilities on Windows.
VMware has announced a new security advisory that includes a set of updates for VMware Workstation, Player, Server, ACE, and Fusion (VMSA-2008-0005), resolving this vulnerability plus a few other relevant security issues:
- a. Host to guest shared folder (HGFS) traversal vulnerability (CVE-2008-0923)
- b. Insecure named pipes (CVE-2008-1361, CVE-2008-1362)
- c. Updated libpng library to version 1.2.22 to address various security vulnerabilities (CVE-2007-5269)
- d. Updated OpenSSL library to address various security vulnerabilities (CVE-2006-2940, CVE-2006-2937, CVE-2006-4343, CVE-2006-4339)
- e. VIX API default setting changed to a more secure default value
- f. Windows 2000 based hosted products privilege escalation vulnerability (CVE-2007-5618)
- g. DHCP denial of service vulnerability (CVE-2008-1364)
- h. Local Privilege Escalation on Windows based platforms by Hijacking VMware VMX configuration file (CVE-2008-1363)
- i. Virtual Machine Communication Interface (VMCI) memory corruption resulting in denial of service (CVE-2008-1340)
The latest versions are:
- VMware Workstation 6.0.3
- VMware Workstation 5.5.6
- VMware Player 2.0.3
- VMware Player 1.0.6
- VMware ACE 2.0.3
- VMware ACE 1.0.5
- VMware Server 1.0.5
- VMware Fusion 1.1.1
Update as soon as possible!
--
Raul Siles
www.raulsiles.com
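To act on the version list above, the following added example (not part of the diary and not VMware code) checks an inventory of installed VMware products against the fixed releases named in VMSA-2008-0005. The inventory rows, host names and the "x.y.z build-n" version string format are constructed assumptions.

```python
# Fixed releases from the VMSA-2008-0005 list above, keyed by (product, branch).
FIXED = {
    ("workstation", (6, 0)): (6, 0, 3),
    ("workstation", (5, 5)): (5, 5, 6),
    ("player", (2, 0)): (2, 0, 3),
    ("player", (1, 0)): (1, 0, 6),
    ("ace", (2, 0)): (2, 0, 3),
    ("ace", (1, 0)): (1, 0, 5),
    ("server", (1, 0)): (1, 0, 5),
    ("fusion", (1, 1)): (1, 1, 1),
}

def parse_version(text):
    """Turn '6.0.2' or '6.0.2 build-59824' into (6, 0, 2); pad short versions."""
    core = text.strip().split()[0]
    parts = tuple(int(p) for p in core.split("."))
    return (parts + (0, 0, 0))[:3]

def audit(product, version_text):
    """Return (status, fixed_release) for one installed product."""
    name = product.lower().replace("vmware", "").strip()
    try:
        ver = parse_version(version_text)
    except (ValueError, IndexError):
        return ("unparseable", None)
    fixed = FIXED.get((name, ver[:2]))
    if fixed is None:
        # Product or branch is not in the list: check the advisory by hand.
        return ("not-listed", None)
    status = "patched" if ver >= fixed else "update-needed"
    return (status, ".".join(map(str, fixed)))

def hosts_to_update(inventory):
    """Return the host names whose product is below its fixed release."""
    return [h for h, p, v in inventory if audit(p, v)[0] == "update-needed"]

# Constructed inventory (hypothetical host names and version strings).
SAMPLE = [
    ("dev-01", "VMware Workstation", "6.0.2 build-59824"),
    ("dev-02", "VMware Workstation", "5.5.6"),
    ("lab-01", "VMware Server", "1.0.4"),
    ("mac-01", "VMware Fusion", "1.1.1"),
    ("qa-01", "VMware Player", "3.0.0"),
]

if __name__ == "__main__":
    for host, product, version in SAMPLE:
        print(host, product, version, *audit(product, version))
    print("update:", hosts_to_update(SAMPLE))
```

A "not-listed" result means the product or release branch does not appear in the list above and has to be checked against the advisory itself.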