Security news round up: Retailer acknowledges security breach

In other news, researchers warn of a new security hole in Mozilla Firefox that could allow attackers to tamper with cookies.

Quincy, Massachusetts-based supermarket chain Stop & Shop has acknowledged that thieves stole account and personal identification numbers from customers' credit and debit cards at two Rhode Island locations by tampering with checkout-lane computers.

Customer information was stolen from Stop & Shop stores in Coventry and in Cranston, and there's suspicion that stores in Bristol, Providence, Warwick, and Seekonk were affected, according to an announcement on its Web site. There's no evidence yet of fraudulent debit or credit card activity in connection with the security breach.

The supermarket chain said the data, consisting of credit card numbers and associated PINs, were stolen in early February.

"Although we do not yet have enough information to determine the extent of this criminal activity, compromised debit and credit cards that we are aware of are limited to specific transactions at two stores," the supermarket chain said in a letter to customers on its Web site.

It wasn't immediately clear how many customers were affected by the thefts.

No arrests have been made. Local police departments and the U.S. Secret Service are investigating.

Apple fixes multiple flaws
Apple has released a security update for Mac OS X that fixes several vulnerabilities, including some disclosed as part of the Month of Apple Bugs project. They include:

  • A boundary error in Finder that attackers could exploit to cause a buffer overflow or run malicious code by tricking the user into mounting a malicious disk image.
  • A null-pointer dereference error in iChat Bonjour that attackers could exploit to crash an application.
  • A format string error in how AIM URLs are handled in iChat, which attackers could exploit to launch malicious code.
  • An error in the UserNotificationCenter that local attackers could exploit to elevate their user privileges.

Cookie flaw found in Firefox
Researcher Michal Zalewski has reported a new Mozilla Firefox flaw that attackers could exploit via a malicious Web site to manipulate authentication cookies for a third-party Web site. According to Zalewski's Bugzilla forum posting, the problem is an origin validation error in how the browser handles the "location.hostname" property. Remote attackers could exploit this to steal authentication cookies from arbitrary sites by tricking a user into visiting a specially crafted Web page. The flaw affects Firefox versions and prior.
