A day after users of AOL’s instant messaging service were advised to upgrade to address a vulnerability uncovered by Core Security Technologies, well-known security researcher Aviv Raff reports that he has found a way to defeat the patch.

His finding, subsequently confirmed by AOL in an e-mail he received, is the latest twist in the case of a vulnerability reported to AOL by Core Security in August but publicized among security aficionados two weeks ago, before either company was ready to disclose the issue.

The flaw in question affects AIM 6.1, 6.2 beta, AIM Pro and AIM Lite. All of the vulnerable AIM clients include support for enhanced message types that allow people to use HTML to customize text messages with specific font formats or colors. To render this HTML content, the vulnerable AIM clients use an embedded Internet Explorer server control, Core Security officials said.

Since these clients do not properly sanitize potentially malicious content before it is rendered, an attacker could deliver malicious HTML code in a IM message to directly exploit IE bugs without user interaction or to target security configuration weaknesses in IE.

A scripting error in Adobe’s website gave outsiders broad access to internal files on the company’s webserver that could prove valuable to malicious hackers trying to penetrate its security.

The error, which appeared to reside in a faulty CGI script, allowed people outside Adobe to read and download files entering specially crafted URLs into their favorite browser. An Adobe spokesman said company engineers have plugged the leak, but couldn’t say when or how long the error had exposed site internals.
Click here to find out more!

The flaw, known as a directory traversal, has serious implications for the security of Adobe’s site because it effectively gave web surfers the same permissions to read files afforded Adobe’s web application. Online discussions, including this one from Reddit contained numerous posts claiming the private key Adobe uses to authenticate itself during Secure Socket Layer sessions was exposed. The interception of the key could make it easier for malicious hackers to spoof trusted portions of Adobe’s site.

iPhone hackers have some new tools now, thanks to HD Moore, one of the developers of the Metasploit hacking software.

On Tuesday, Moore announced that he was supporting the iPhone within his Metasploit framework and released software that would allow hackers to run “shellcode” command prompts on Apple’s mobile device.

By integrating the iPhone into Metasploit, it will now be a little easier for hackers to gain access to someone else’s iPhone, but they will also need a few other tools to succeed. First, they will need to create working exploit code, which takes advantage of bugs in Apple’s software, to trick the device into running the shellcode. They will also need to create more sophisticated “payload” applications that can do things like remotely connect with the hacker. “It’s a first step,” Moore said of his hack.

With iPhone prices dropping and noticeable improvements in the quality of iPhone hacking tools, Apple’s phone has become a more interesting target of late, Moore said.

A U.S. appeals court on Wednesday upheld a verdict that Vonage Holdings Corp. infringed two patents held by Verizon Communications Inc and also reaffirmed an order barring Vonage from using the Internet phone call technologies involved.

The U.S. Court of Appeals for the Federal Circuit affirmed an injunction issued by a lower court judge earlier this year with regard to two of three Verizon patents, while reversing the judge’s interpretation of a third patent in the case.

The appeals court sent the case back to the district court for further proceedings on the third patent and a new calculation of damages and royalties awarded to Verizon.

The decision was a further blow to Vonage, coming a day after a U.S. jury found it had infringed patents owned by Sprint Nextel Corp.

Vonage shares were halted soon after trading began Wednesday on the New York Stock Exchange after falling 26 cents, or 20 percent, to $1.04. At that price they have fallen 94 percent from the company’s initial public offering at $17 per share in May 2006.

A Vonage spokeswoman confirmed the court upheld two of the three verdicts in the Verizon case but declined to comment further, saying the company was still preparing a statement.

Nearly two decades after the fall of communism, Europe’s former Moscow-dominated states are using the Internet to make public the files of the security services that helped keep their regimes in power.

In the latest step, the body in charge of Poland’s communist-era secret police files began Tuesday posting documents related to top officials, including the President Lech Kaczynski and his identical twin Prime Minister Jaroslaw Kaczynski.

The material on the special site of National Remembrance Institute (IPN) was hardly shocking, and simply confirmed that both Kaczynskis were spied on and harassed by the Sluzba Bezpieczenstwa police because of their anti-communist activities in the 1970s and 1980s.

But the possibility of peeking into the SB archives — which cover people who were spies, victims, or both — was such a draw for Poles that users swamped the IPN’s site.

Microsoft Corp. and its hardware partners are trying to bridge the divide between home computers and TV sets this holiday season with the release of several “media extenders.”

These TV set-top boxes will connect wirelessly to computers running the Home Premium or Ultimate flavors of Windows Vista and enable users to use their TV sets to watch movies, TV shows and Internet video that is stored on their computers.

Microsoft planned to announce the prices and more details about the extenders Thursday at the DigitalLife trade show in New York.

The cheapest extender, from Cisco Systems Inc.’s Linksys division, will cost $300. Linksys will have another model with a built-in DVD player for $350, a price matched by D-Link’s model, which lacks a DVD player but includes a USB port for viewing photos and other content stored on flash drives or hard drives.

Another extender is from Niveus and is aimed at home theater enthusiasts. No price was announced yet, but Microsoft product planner Hakan Olsson said it would be substantially higher than the other models.