Google says that security experts will have to break the software’s sandbox protection and other measures taken to isolate attacks and prevent malicious code from gaining access to the machines operating system. If successful, all hacks will be disclosed to the software vendor first so that loopholes can be closed before they are made public. TippingPoint, a security firm owned by Hewlett Packard (HP), runs the annual contest.

"As mentioned previously, we've upped the ante this time around and the total cash pool allotted for prizes has risen to a whopping $125,000 USD," says Aaron Portnoy, manager of HP TippingPoint's security research team, on the companies blog. "While HP TippingPoint is funding $105,000 of that, we've partnered with Google who has generously offered up $20,000 to the researcher who can best their Chrome browser. Kudos to the Google security team for taking the initiative to approach us on this; we're always in favor of rewarding security researchers for the work they too-often do for free."

Other systems available for hacking include laptop’s running Mozilla, Microsoft, and Apple browsers. Mobile phones including BlackBerry’s Torch, the Nexus S, the iPhone 4, and the Dell Venue will be available as well.

Google has a tradition of paying rewards to security researchers that find and disclose loopholes in its applications. The Menlo Park based Internet search and cloud computing company is now paying for vulnerability information on many of its applications and services, including Gmail, Blogger, and YouTube.

Google has announced a $20,000 bounty payable to the first hacker able to break a laptop that runs its Chrome browser and gain full control. Photo: www.imagine-your-world.com

After discovering the vulnerability in its research labs in Helsinki, integrated network security and business continuity solutions provider Stonesoft sent samples of AET’s to the national computer security incident response team CERT in Finland as well as ICSA Labs, an independent division of Verizon Business that offers third-party testing and certification of security products and network-connected devices. Charged with globally coordinating the remediation of the identified vulnerabilities with network security vendors, CERT issued a vulnerability statement about the exploits.

"We have reason to believe that we have seen just the tip of the iceberg," said Juha Kivikoski, chief operating officer at Stonesoft. "The dynamic and undetectable nature of these advanced evasion technique has the potential to directly affect the network security landscape. The industry is facing a non-stop race against this type of advanced threats and we believe only dynamic solutions can address this vulnerability."

Researchers discovered the new threats while testing a new network security solution using the latest and most advanced attacks. Field tests and experimental data show many of the existing network security solutions fail to detect AET’s and thus fail to block the attack inside, Stonesoft says. Hackers across the globe may already use the new exploits in advanced, targeted attacks.  With only a select few products available to provide protection, organizations may be challenged to protect their systems quickly.

"Stonesoft has discovered new ways AET’s can evade many network security systems," said Jack Walsh, intrusion detection and prevention program manager at ICSA Labs.  "We were able to validate Stonesoft’s research and believe that these advanced evasion techniques can result in lost corporate assets with potentially serious consequences for breached organizations."

The best defense against the dynamic and ever-evolving nature of AET’s is delivered through flexible, software-based security systems with remote update and centralized management capabilities, Stonesoft says. However, most organizations today use static hardware-based solutions, which can be difficult to update.

The picture shows a network interface card (NIC). Photo: www.imagine-your-world.com

"We're able to confirm that, in the past few days, we've seen an increase in attempts to exploit the vulnerability," said Christopher Budd, a senior security response manager at Microsoft. "We firmly believe that releasing the update out-of-band is the best thing to do to help protect our customers."

Windows incorrectly parses shortcuts in a way that allows malicious code to be executed when the icon of a shortcut is displayed, Microsoft says. The vulnerability can be exploited remotely via network shares and WebDAV and locally through a malicious USB drive. Some types of documents that support embedded shortcuts can also be used to gain access and ultimately control over the computer.

The vulnerability was first found in July, and Microsoft published a workaround solution on July 16 saying that users should disable icons for shortcuts and the WebClient service. According to the Microsoft Malware Protection Center's Threat Research & Response Blog, hackers did gain temporary access to more than 8,000 computers by the end of July.

The patch will be released today at around 1.00 p.m.

"In the last two years, the software used to create the Mariposa botnet was sold to hundreds of other criminals, making it one of the most notorious in the world," said FBI Director Robert S. Mueller in a press release. "These cyber intrusions, thefts, and frauds undermine the integrity of the Internet and the businesses that rely on it; they also threaten the privacy and pocketbooks of all who use the Internet."

The Spanish Guardia Civil arrested three suspected Mariposa Botnet operators in February (ip-192.com reported here and here). The suspected creator of the botnet was now arrested by the Slovenian police. "We are glad to cooperate with the United States; the FBI's assistance is invaluable and represents professional affirmation of our force," said the Slovenian Minister of the Interior Katarina Kresal and Slovenian Criminal Police director General Janko Gorsek in a joint statement. "This case shows that cyber crime issues call for international police cooperation that shouldn’t be hindered by geographical borders. The FBI has demonstrated a high level of collaboration in which our countries were equal partners, which was crucial for the success of the investigation and reducing the threat on a global level. This partnership serves as a solid basis for future cooperation."

Over the past two to three years, the creator of the Butterfly botnet did sell the virus to cybercriminals worldwide, allowing them to infect thousands of computers and create the Mariposa botnet.

The vulnerability only affected iPad users that did sign up for AT&T’s 3G wireless service in the U.S. "We take customer privacy very seriously and while we have fixed this problem, we apologize to our customers who were impacted," AT&T said in a statement. The breach exploited an Integrated Circuit Card Identifier (ICC-ID) present on every SIM card that is used as an authentication token. After the AT&T website received the ID's, it responded by providing an email addresses to allow a speedy log-on process to user accounts. The hacker group exploited the flaw by sending thousands of requests with made up codes to AT&T’s website, masqueraded as valid requests from iPads.

AT&T says that the issue has been resolved and that it will inform all customers who were impacted. It discovered the vulnerability after being alerted by a customer. Only email addresses were revealed in the breach. Goatse Security says that it has previously exposed vulnerabilities in Amazon's rating system and the Firefox and Safari web browsers.