Spyware, viruses, & security forum: NEWS - March 04, 2013

... Sandbox Vulnerabilities

Giving a prolific bug hunter an excuse to go poking deeper into a potential security issue generally doesn't end well or the vendor in question—in this case Oracle. Polish security firm Security Explorations, noteworthy for its Java security research, said today it reported five new vulnerabilities in Java SE 7 to Oracle. If combined, researcher Adam Gowdiak said, they can be used to gain a complete bypass of the Java sandbox.

The deeper look stemmed from a recent submission the company made to Oracle on Feb. 25 of two vulnerabilities that when used in conjunction could also bypass the sandbox. Gowdiak said Oracle dismissed one of the issues he reported, which he labels Issue 54, and called it "allowed behavior," rather than a vulnerability. It confirmed the other.

"We confirmed that company's initial judgment of Issue 54 as the 'allowed behavior' contradicts both Java SE documentation as well as existing security checks in code," he said. "It looks Oracle needs to either start treating Issue 54 as a vulnerability or change the docs and relax some of the existing security checks."

Continued : https://threatpost.com/en_us/blogs/prompted-oracle-rejection-researcher-finds-five-new-java-sandbox-vulnerabilities-030413

Last week saw the US debut of the "six strikes" pirate wrist-slapping system, officially known as the Copyright Alert System (CAS).

With the new "six strikes" piracy alert system, Comcast plans to hijack offenders' browsers, Cablevision will suspend subscribers for 24 hours after a fifth offense, and other ISPs are looking at throttling infringers' connections down to a crawl.

CAS was birthed by the Center for Copyright Information (CCI), made up of five of the US's biggest Internet Service Providers (ISPs): AT&T, Cablevision, Comcast, Time Warner Cable and Verizon, as well as the Recording Industry Association of America (RIAA) and Motion Picture Association of America (MPAA).

Two CCI ISPs, Verizon and Comcast, activated the service on Wednesday.

Here's how the alert system will work, according to a post from CCI Executive Director Jill Lesser that went up on Monday:

Continued : http://nakedsecurity.sophos.com/2013/03/04/us-isps-pirate-campaign/

Related to:
ISP's to Implement Pirate Notification System
Comcast Punishes BitTorrent Pirates With Browser Hijack

March 3, 2013 9:11 AM

In an ironic twist this morning, CloudFlare, a company that speeds up and protects websites, suffered an outage that also took down the 785,000 sites using its service, including Wikileaks and 4Chan.

A change pushed out to the company's routers ended up crashing them, TechCrunch reports. Chief executive Matthew Prince (above) told the site, "If you sent a packet to one of our IP addresses, you would get back a response that there was no router." The outage lasted for almost an hour.

CloudFlare serves as a line of defense between its customers and web visitors, which allows it to cache sites for better page loading performance, and also makes it difficult to take down sites with distributed denial of service (DDoS) attacks. But that also means if CloudFlare goes down, so does its customers.

The company runs 23 data centers globally, all of which were affected by the outage. "These data centers are connected to the rest of the Internet using routers," Prince explained in a blog post this morning. "These routers announce the path that, from any point on the Internet, packets should use to reach our network. When a router goes down, the routes to the network that sits behind the router are withdrawn from the rest of the Internet."

Continued : http://venturebeat.com/2013/03/03/cloudflare-goes-down-for-an-hour-taking-its-785k-customers-with-it/

Also : CloudFlare Goes Out for an Hour, Takes 785,000 Sites Offline