Microsoft is investigating reports of a zero-day vulnerability in its IIS 6 software. Attackers can upload malicious executable files which will be run by the server, said Soroush Dalili. Microsoft said that the software would have to be in a non-default, unsafe configuration to be vulnerable.
Christmas was far from merry for several companies hosting sensitive customer data. A former board member from a matchmaking service in Japan called Web has been accused of stealing the personal data of 16 000 members and trying to sell it to rivals. And social networking applications company RockYou has been targeted by a class action lawsuit claiming that it failed to adequately protect customers' information. RockYou kept email and password information along with social network login credentials, enabling hackers to steal 32 million users' information using an obvious exploit, the lawsuit alleges. And Internet trading site collective2.com said that hackers had accessed customer information from its database including names, email addresses, passwords, and credit card information.
A German hacker claims to have broken A5, the encryption system used by the GSM mobile communications network. Karsten Nohl unveiled the hack at the Chaos Communication Congress over the holiday season. The conference carried some other interesting presentations, too, including a purported eavesdropping technology that could break quantum encryption.
Twitter banned 370 passwords that were deemed too obvious - but included them in the source code of its internet pages. And on the subject of Twitter, Errata Security is running a test using its TwiGUARD Twitter malware monitoring project. It will check to see how up to date Google's SafeBrowse service is at spotting new malicious URLs.