Notorious as a malware ghetto, LimeWire takes its first steps to integrate authoritative threat protection by signing on AVG to provide premium users with download scanning and blocking.
Originally posted at The Download Blog
Links in direct messages on Twitter and e-mail notifications about direct messages will be filtered in an attempt to stop phishing attacks.
Originally posted at InSecurity Complex
Site investigates malware delivered via ads on its site in a fake antivirus attack similar to that on the Drudge Report site.
Originally posted at InSecurity Complex
FTC complaint alleged that LifeLock made false claims for adequately protecting customers from identity fraud and data theft.
Originally posted at InSecurity Complex
Today I was looking at some of the various vendor security and advisory sites and I noticed at the top of the Ubuntu site: For more details on a specific CVE or source package, please see the Ubuntu CVE Tracker.
I had not seen the Ubuntu CVE Tracker before, so I checked it out, very interested because of the fact that certain sites continue to assert and report that some Linux distributions do not have any unpatched issues. For example, take a look at the page Vulnerability Report: Ubuntu Linux 9.10 on secunia.com (9.10 is Ubuntu Karmic Koala, released on October 29, 2009) and you’ll see a couple of interesting summary statistics as shown here:
Looks good, eh? However, if you take a look at the CVE tracker, you get a view that is a bit different:
You can see the Risk Color Key, but it is about what you’d expect. Red is High or Critical, orange is Medium and yellow is Low. The asterisk means that this is a package maintained by Canonical instead of a 3rd-party.
I didn’t bother to do a count, but I can see that the number of “needed” fixes is somewhat larger than zero; however, I did not see any RED = High vulnerabilities, so I did check one more thing – I wondered how these severity ratings mapped to CVSS as used by the National Vulnerability Database (i.e., http://nvd.nist.gov). I spot-checked a few:
There were 474 CVE entries, so I didn’t do a comprehensive check, but it turns out that there are more than a few of these unfixed vulnerabilities that are rated High by CVSS.
HTC mobile device running Android was distributed by Vodafone with a botnet program on it, as well as Conficker and a password-stealing Trojan, Panda Labs says.
Originally posted at InSecurity Complex
New vulnerability in Windows and Office could allow an attacker to take control of IE 6 and IE 7 systems, Microsoft says.
Originally posted at InSecurity Complex
Drudge says a Senate committee has falsely accused the conservative news aggregation site of spreading malware, but a CNET reader says it’s true.
Originally posted at InSecurity Complex
The battery maker says it doesn’t know how the Trojan got into the software it offered via download for Windows-based computers.
Originally posted at InSecurity Complex
The battery maker says it doesn’t know how the Trojan got into the software it offers via download for Windows-based computers.
Originally posted at InSecurity Complex
© 2009 R Web Security. All Rights Reserved.