Posted by Elinor Mills

Hackers have broken into BusinessWeek's online site and set up an attack scenario in which visitors to a section of the site could have their own computers compromised and their data stolen, a security researcher said on Monday.

It's unclear how long the site has been compromised and there is no evidence that BusinessWeek.com readers have been affected, but also no evidence that they haven't, said Graham Cluley, senior technology consultant at Sophos.

The hackers used an increasingly common form of attack called SQL injection, in which a small malicious script is inserted into a database that feeds information to the BusinessWeek Web site, he said. The executable code in the database links to a Web site with a Russian domain, which could download malware onto the computers of BusinessWeek.com readers.

The Russian Web site is offline right now, but could be put back online at any time, according to Cluley.

The malware was found to be on a section of the BusinessWeek site that offers information about the top companies that recruit from particular MBA programs, he said. The attack would not only put visitors to that section at risk, but also their employer if the computer they are using has corporate data on it, he said.

Sophos contacted BusinessWeek about the security problem last week, but the malicious code is still in the site's database, Cluley said.

A BusinessWeek spokeswoman provided this comment: "Online security is a top priority and, while we continue to investigate the matter, we are confident that our readers' personal information has not been compromised. The attack affected only one application within a specific section of our Web site and that application has been removed. We continue to work to ensure the integrity of our site and to protect it from future illegal and malicious hacking activity."

SQL injection attacks are on the rise primarily because they work; they target Web sites that computer users trust and the attack is stealth so victims usually don't know their computer has been compromised.

[click here for full article]

Microsoft sends e-mail messages to subscribers of our security communications when we release information about a security software update or security incident. Unfortunately, malicious individuals can and have sent fake security communications that appear to be from Microsoft.

This tactic is known as spoofing.

Some of these messages lure recipients to Web sites to download spyware or other unwanted software. Others include a file attachment that contains a virus.

Click here for full article.

Source: Microsoft.com

Microsoft Corp. has announced that it will upgrade Windows' update mechanism later this month, a warning that comes nearly a year after the company issued a similar upgrade without informing users.

Click here for full article.

Source: PC World

A group of researches on Tuesday said 637 million Web users are surfing with outdated Internet browsers and therefore at greater risk of Web-based attacks.

Click here for full article.

Source: CNET.com