12 Jun 2010
The week has been dominated by a batch of security fixes from Microsoft, Google and Adobe covering several key products, as well as growing concerns over the security of the much-hyped iPad.
Vulnerability research firm Goatse Security claimed to have found a security flaw in AT&T's protocols that exposed the personal data of more than 114,000 iPad buyers, according to reports earlier this week.
The company ran an open script on AT&T's web site which passed on the email addresses of owners based on the ID number of their 3G iPad. The situation then appeared to escalate, and the FBI confirmed that it is investigating the breach.
Microsoft kicked off the week with a mammoth Patch Tuesday, issuing 10 bulletins patching 34 vulnerabilities in Windows, Office and Internet Explorer. Three of the bulletins are rated 'critical', Microsoft's top security risk level.
The critical fixes address remote code execution flaws in a media decompression component in all currently supported versions of Windows. All client versions of Windows will also receive a critical update for flaws in Internet Explorer.
However, one flaw that wasn't patched came to light only this week after Google security engineer Tavis Ormandy identified a zero-day flaw affecting Windows XP, 2003 and possibly other Windows systems.
Ormandy found the flaw in a component of the Windows Help and Support Center, which is accessed via the 'hcp://' protocol handler. Successful exploitation could give an attacker complete access to any PC running the vulnerable operating system.
Google itself issued security updates for Chrome, addressing 11 vulnerabilities for the Windows, Mac OS X and Linux versions of the browser. Eight of the flaws in the Chrome 5.0.375.70 update are labelled as 'high risk', while the remaining three are listed as 'medium' risk. The vulnerabilities range from memory corruption and cross-site scripting flaws to keystroke redirection risks.
Adobe, meanwhile, released patches for serious security flaws in Flash. The 10.1.53.64 update fixes 32 issues that could allow remote code execution, system crashes or the loss of virtualised images.
And finally, Symantec Hosted Services rounded the week off with another warning about targeted malware attacks using the World Cup as a lure. The newly discovered attack, targeting Brazilian firms, features a malicious PDF attachment and link in the same email, increasing the chances of success.