Valleywag reported yesterday that a hack targeting AT&T’s infrastructure led to the disclosure of 114,000 iPad owners' email addresses, including those of prominent celebrities, politicians, and high-profile industry figures.
As far as we can gather at this point, this is most likely a parameter tampering attack. The hackers attacked AT&T’s iPad support Web application, traversed through a range of ICCIDs (Integrated Circuit Card Identifiers), and were able to eventually obtain valid iPad owners’ email addresses without proper authentication.
If this is indeed true, AT&T has done a poor job designing their Web applications — being able to guard against automated parameter traversal attacks is one of the first things you do to secure your Web apps. One can launch an automatic parameter traversal attack fairly easily these days: It does not require sophisticated technology or advanced reconnaissance on the victim Web application.
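As an added illustration (not code from the original post or from AT&T), here is the kind of log check a defender could run to catch the automated parameter traversal described above: it flags any client that requests many distinct, closely spaced ICCID values in a short window. The log format, endpoint path and parameter name are assumptions, and the log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache-style access-log lines. The /ipad/login path and the
# ICCID query parameter are assumptions for this example, not real URLs.
SAMPLE_LOG = """\
10.0.0.7 - - [09/Jun/2010:10:00:01 +0000] "GET /ipad/login?ICCID=89014104243212345670 HTTP/1.1" 200 512
10.0.0.7 - - [09/Jun/2010:10:00:02 +0000] "GET /ipad/login?ICCID=89014104243212345671 HTTP/1.1" 200 512
10.0.0.7 - - [09/Jun/2010:10:00:02 +0000] "GET /ipad/login?ICCID=89014104243212345672 HTTP/1.1" 200 512
10.0.0.7 - - [09/Jun/2010:10:00:03 +0000] "GET /ipad/login?ICCID=89014104243212345673 HTTP/1.1" 200 512
10.0.0.7 - - [09/Jun/2010:10:00:03 +0000] "GET /ipad/login?ICCID=89014104243212345674 HTTP/1.1" 200 512
10.0.0.7 - - [09/Jun/2010:10:00:04 +0000] "GET /ipad/login?ICCID=89014104243212345675 HTTP/1.1" 200 512
192.0.2.9 - - [09/Jun/2010:10:05:00 +0000] "GET /ipad/login?ICCID=89014104243219876543 HTTP/1.1" 200 512
192.0.2.9 - - [09/Jun/2010:10:30:00 +0000] "GET /ipad/login?ICCID=89014104243219876543 HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?:GET|POST) (?P<path>\S+)')
ICCID_RE = re.compile(r'[?&]ICCID=(\d{18,20})')


def parse_line(line):
    """Return (client_ip, timestamp, iccid_as_int) or None if the line has no ICCID."""
    m = LOG_RE.match(line)
    if not m:
        return None
    iccid = ICCID_RE.search(m.group("path"))
    if not iccid:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(iccid.group(1))


def detect_enumeration(log_text, window_seconds=60, min_distinct=5, max_step=10):
    """Return {client_ip: distinct_iccid_count} for clients whose requests look like
    ICCID traversal: many distinct IDs in one time window, mostly a small step apart."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            per_ip[rec[0]].append(rec[1:])
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()  # by timestamp
        for start in range(len(events)):
            t0 = events[start][0]
            window = [e for e in events[start:] if (e[0] - t0).total_seconds() <= window_seconds]
            distinct = sorted({iccid for _, iccid in window})
            if len(distinct) < min_distinct:
                continue
            small_steps = sum(1 for a, b in zip(distinct, distinct[1:]) if b - a <= max_step)
            if small_steps >= 0.8 * (len(distinct) - 1):  # mostly sequential values
                flagged[ip] = len(distinct)
                break
    return flagged
```

Thresholds are deliberately conservative; a legitimate user reloading the page for one ICCID (the second client above) never trips the check.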
This attack apparently only affected iPad 3G users, not those with Wi-Fi-only iPads. AT&T's official response stated that this particular flaw on their Web application has been remediated.
Yesterday, June 8, 2010, Microsoft released 10 security bulletins, three rated as "critical" and seven rated as "important," to address a total of 34 software vulnerabilities. Of these bulletin items, users should prioritize these four:
MS10-033: Critical on all supported versions of Windows. This update addresses a Windows media file vulnerability that could potentially enable drive-by downloads.
MS10-034: Addresses an ActiveX vulnerability.
MS10-035: A cumulative update for Internet Explorer.
MS10-038: Addresses critical vulnerabilities in Excel.
It’s important to note that MS10-038 addresses 14 CVE vulnerabilities, all related to Excel. Many of these vulnerabilities have a “critical” rating. Of the 14 vulnerabilities, only 11 affect Office 2002. Office 2010 is not impacted by any of these.
If you are still running MS Office 2002, it is time to upgrade! In addition to these newly announced vulnerabilities, Microsoft is ceasing support for Office 2002 next month. All the more reason to upgrade!
An important item to note: In addition to Office 2002, Microsoft will cease support for Windows XP Service Pack 2 and Windows 2000. Users should upgrade to Windows XP Service Pack 3 or a later version of Windows.