Offering regional and national programs, CIO (and CSO) events bring together some of the most respected names and thought leaders in information technology and security. Presented by CIOs and other senior level executives, these invitation-only programs offer timely topics and strong networking. Learn More »
Social Responsibility's Strategic Benefits
December 15, 11:30 AM - 12:30 PM US/Eastern (GMT-5)
Join Ed Granger-Happ, CIO of Save the Children, for a discussion of how creating an organization that is socially responsible improves staffing, retention, leadership development and overall corporate health.
Working With and Communicating to Your Board of Directors
January 13, 2009, 4:00 PM - 5:00 PM US/Eastern (GMT-5)
CIO panelists who will share tips and experiences working with their boards: Twila Day of SYSCO; Jeff O'Hare, West Corp.; Marc West, formerly with H&R Block.
IT's Role in Growing Mid-Market Companies
January 14, 4:00 PM - 5:00 PM ET (GMT-5)
Mid-market Council members will share their companies' stories and challenges in driving or coping with growth. Panelists represent Veterinary Pet Insurance, Medicis Pharmaceutical, and Intrax Cultural Exchange.
Learn more about the CIO Executive Council »
Apply today for a FREE subscription to CIO Magazine!
January 05, 2007 — CIO —
The QuickTime vulnerability that led to a widespread worm outbreak on MySpace.com last month could be exploited again, according to security researcher Aviv Raff, who has published software that illustrates his point.
Apple Computer issued a temporary patch for the problem last month, but on Wednesday Raff published proof-of-concept code showing how this bug could still be exploited in combination with other malicious software to run unauthorized software on a patched computer.
Apple created its patch after a worm spread through the MySpace community in early December, stealing MySpace log-in credentials and promoting adware websites. But rather than addressing the underlying problem, Apple’s fix appears to simply block the MySpace worm code, Raff said. "Apple’s patch has no effect on this vulnerability," he said via instant message.
Users were infected by the MySpace worm when they played maliciously encoded .mov multimedia files.
The attack demonstrated by Raff is called a cross-zone scripting attack. It circumvents the "zone" security model that is used by Internet Explorer to limit the types of things Web-based software can do on a PC. "It potentially allows an attacker to execute arbitrary code on the user’s machine," Raff said of the vulnerability.
Raff’s proof-of-concept code shows how this cross-zone scripting attack could be used to run code on a Windows 2000 system running the Internet Explorer 6 browser. It was published as part of a monthlong effort to draw attention to security issues in Apple’s products, called the Month of Apple Bugs.
Running malware on a victim’s PC is a two-step process, however, and attackers would also need to exploit a second vulnerability in order to trick the browser into running their code.
Raff’s code exploits a known bug in Microsoft’s Management Console software, which was patched last August. But the attack could also be paired with code that takes advantage of an unpatched Windows vulnerability, making it a far more serious exploit, said Alyssa Myers, a virus research engineer with McAfee. "It seems likely that this sort of thing could be used for a MySpace worm," she said. "Whether that actually ends up happening is anybody’s guess."
When Apple created its QuickTime fix last month, it did not deliver the software directly to QuickTime users, but instead took the unusual step of having MySpace link to the code.
Apple may have decided not to distribute this patch directly because it did not address the underlying problem, said Tim Erlin, risk assessment technology manager with nCircle Network Security. "They didn’t patch the whole thing," he said. "They reacted to the emergence of a worm on MySpace."
Improving Mobile Access to Data
Operational Excellence Is Key to Maximizing IT Investments
Learning from BPM Leaders
Optimizing Infrastructure Control
File Integrity Monitoring: Secure Your Virtual and Physical IT Environments
Configuration Assessment: Choosing the Right Solution
Constructing Partnerships That Work
Turning information into a Competitive Advantage.
Data Protection: Challenges for the Traveling User
Revolutionizing Endpoint Security with a Single Agent
Gartner on Data Deduplication Cost Savings
Optimizing Wide-Area Data Services Webcast
Resource Alerts
Get instant email notifications by topic when white papers, webcasts, and case studies are added to our library.
Forrester: How to Squeeze Your Vendors
Security, Civil Liberties Experts Question Data-Mining
Microsoft Tools Build Bridge Between OpenXML, Other Formats
Microsoft Market Share Slips: Pressure's On for Windows 7 and IE8
Shoppers Opened Their Wallets on Cyber Monday
Windows 7 Beta Slated for Mid-January Release
Entellium Files Bankruptcy, Intuit Eyeing Assets
Registrations Open for .Tel Domain
Nvidia Restates Its Interest in Mini-Laptops
Apple Antivirus Support Page Removed
Just the basics, please. Sometimes we all need a refresher or we need to make sure our team and our colleagues are all on the same page.
Over 25 tutorials on everything from business intelligence to virtualization.
- CIO|
- Computerworld|
- CSO|
- DEMO|
- Game Pro|
- Games.net|
- IDG|
- IDG UK|
- IDG Connect|
- IDG Tech Network |
- IDG World Expo|
- Industry Standard|
- InfoWorld|
- ITworld|
- JavaWorld|
- LinuxWorld|
- MacUser|
- Macworld|
- Network World|
- PC World|
- Playlist|
- CIO UK|
- CIO Germany|
- CIO China|
- CIO Sweden|
- CIO Australia|
- Other CIO Sites
