Infosecurity - the week in brief

Researchers Matthew Flick and Jeff Yestrumskas also demonstrated a way to marry XSS with anonymous proxies, creating a proof of concept that would allow a cross-site scripting attacker to use the victim's browser to surf anonymously.

Researcher Vincenzo Iozzo also explained how to hack Apple's OS X without leaving any traces on the hard drive or affecting the kernel, using in-memory injection.

Microsoft says that it has found another version of Conficker with new functionality. Unlike previous versions, Conficker.C leaves a back door open for the further exposure of MS08-067 (the vulnerability that originally allowed the worm to spread). The firm posits that it might be a way for the malware authors to update the worm following the Conficker Cabal's attempt to block the domain names it was originally using. Lurene Grenier of Sourcefire's research team also geeks out while dismantling the existing Conficker binary here.

related news:

Microsoft Conficker

It hasn't been a good PR week for Facebook. After incensing users and backing down over its decision to retain information after accounts were closed, it had to clarify its position on the accounts of deceased members. Initially refusing to remove the account of a dead journalist, it later capitulated, says Consumerist .

related news:

Facebook moves to save face on T&Cs

Adobe flaw
Adobe reported a zero-day flaw in its PDF reader. Sophos has more details on the vuln, which could allow remote code execution, and Secunia has an advisory. Symantec is already seeing attacks in the wild. Adobe has promised a patch by March 11th, giving the attackers an unhealthy window of opportunity.

DShield, which collects firewall data, has started an alpha project to collect data on how web applications are being probed. The Web Honeypot will look for "background noise" that may or may not include malicious attacks, says the organisation.

Legislation introduced into the Senate and House would require ISPs to retain records on the identity of network users for two years. This includes the identity of those using temporarily assigned network addresses, opening it up to users of mobile WiFi access points in addition to the dynamic IP addresses normally used on residential internet accounts.

Pittsburgh couple Aaron and Christine Boring lost a court case against Google after claiming that the firm’s Street View service infringed on their privacy. Last April, the couple asked for $25 000 in damages after claiming that the firm took pictures beyond a ‘private’ sign.

What’s hot on Infosecurity Magazine?