15946 matches found
Google Patches 34 Browser Bugs in Chrome 67, Adds Spectre Fixes
Google updated its Chrome browser to version 67.0.3396.62 on Tuesday patching 34 bugs and adding support for the credential management API called WebAuthn. The update will be available in the coming days for Windows, Mac and Linux platforms, Google said. Most notably to the browser update are...
Quant Loader Trojan Spreads Via Microsoft URL Shortcut Files
Researchers are warning of a new email phishing campaign that downloads and launches the Quant Loader trojan, capable of distributing ransomware and stealing passwords. Barracuda on Tuesday said it has been tracking emails containing zipped Microsoft internet shortcut files with a “.url” file...
Intel Patches CPU Bugs Impacting Millions of Devices
Intel released patches on Monday to protect millions of PCs and servers from vulnerabilities found in its Management Engine, Trusted Execution Engine and Server Platform Services that could allow local attackers elevate privileges, run arbitrary code, crash systems and eavesdrop on communications...
Oracle Issues Emergency Patches for ‘JoltandBleed’ Vulnerabilities
Oracle pushed out an emergency update for vulnerabilities affecting several of its products that rely on its proprietary Jolt protocol. The bugs were discovered by researchers at ERPScan who named the series of five vulnerabilities JoltandBleed. The vulnerabilities are severe, with two of the bug...
Factorization Flaw in TPM Chips Makes Attacks on RSA Private Keys Feasible
A flawed Infineon Technology chipset used on PC motherboards to securely store passwords, certificates and encryption keys risks undermining the security of government and corporate computers protected by RSA encryption keys. In a nutshell, the bug makes it possible for an attacker to calculate a...
Juniper Issues Security Alert Tied to Routers and Switches
Juniper Networks warned customers Thursday of a high-risk vulnerability in the GD graphics library that could allow a remote attacker to take control of systems running certain versions of the Junos OS. The alert was in conjunction with a warning from the U.S. Computer Emergency Readiness Team...
Adobe Fixes Six Vulnerabilities in Flash, Connect
Adobe fixed six vulnerabilities in two products, one of the company’s smallest security bulletins in recent memory, as part of its regularly scheduled round of updates on Tuesday. Included are fixes for the company’s Flash Player software platform, including a critical vulnerability CVE-2017-3099...
OpenVPN Audits Yield Mixed Bag
Two security audits of OpenVPN were recently carried out to look for bugs, backdoors, and other defects in the open source software; one found the software was cryptographically sound, while another found two legitimate vulnerabilities. The news comes after it was announced in December the SSL VP...
Cisco Patches Critical IOx Vulnerability
Cisco Systems patched a critical vulnerability Wednesday that could allow an unauthenticated, remote attacker to execute remote code on affected hardware and gain root privileges. The bug is in Cisco’s Data-in-Motion DMo process, part of the company’s IOx application environment that marries its...
Docker Patches Privilege Escalation Vulnerability
Docker has patched a privilege escalation vulnerability CVE-2016-9962 that could lead to container escapes, allowing a hacker to affect operations of a host from inside a container. The vulnerability is rated high severity by some Linux distributions such as Arch Linux, which traces the problem t...
Microsoft Patches Five Zero Days Under Attack
Update: Microsoft today said it mislabeled CVE-2016-7189 in bulletin MS16-119 as exploited. “There is no evidence of any active attacks using this vulnerability and the bulletin text has been corrected.” – a Microsoft spokesperson said. Microsoft today patched a handful of zero-day vulnerabilitie...
Mozilla Patches Certificate Pinning Vulnerability in Firefox
As expected, Mozilla patched a highly scrutinized flaw in its automated update process for add-ons in Firefox, specifically around the expiration of certificate pins. The vulnerability allowed attackers to intercept encrypted browser traffic, inject a malicious NoScript extension update and gain...
Patched ColdFusion Flaw Exposes Applications to Attack
An Adobe ColdFusion vulnerability addressed Tuesday in a hotfix pushed to users put applications developed on the platform at risk to a number of serious issues. Researcher Dawid Golunski of Legal Hackers today revealed details on the flaw, which he privately disclosed to Adobe, as well as a...
Simple Car Hack Open Millions Wireless Key Systems
Academic researchers added another hack to a growing list of compromises involving vehicles, and this one should give drivers pause the next time they leave valuables locked in their trunk. This hack involves millions of Volkswagen, Ford and Chevrolet vehicles that rely on an outdated key fob...
Conficker Used in New Wave of Hospital IoT Device Attacks
Internet-connected medical devices such as MRI machines, CT scanners and dialysis pumps are increasingly being targeted by hackers seeking to steal patient medical records from hospitals. Attackers consider the devices soft digital targets, seldom guarded with same security as client PCs and...
Exploit Kits Attacking Adobe Flash Player Zero Day
Update Exploits for the most recent Adobe Flash Player zero-day vulnerability have been integrated into the Angler, Neutrino and Magnitude exploit kits, and are leading compromised computers to different ransomware strains, banking malware, and a credential-stealing Trojan. A French researcher wh...
ISC Warning Some Versions of DHCP Vulnerable to DoS
The Internet Systems Consortium ISC this week announced that it plans to patch versions of its Dynamic Host Configuration Protocol DHCP to mitigate a vulnerability that could’ve let a remote attacker cause a denial of service condition. The group acknowledged on Monday that it plans to release DH...
VMware Patches Pesky XXE Bug in Flex BlazeDS
VMware has patched an information disclosure vulnerability affecting a number of its products that use Flex BlazeDS. The original vulnerability was discovered and disclosed in August by Matthias Kaiser of Code White GmbH. Researchers there found a XML External Entity flaw in Apache Flex BlazeDS...
Password Cracking Group Decodes 11 Million Ashley Madison Passwords
A San Diego-based password cracking group has taken a big step towards deciphering some of the 36 million odd passwords leaked in last month’s Ashley Madison breach, a move that could quickly lead to the widespread hacking of any users who used the same password on other services. Hackers had...
Adobe ColdFusion Hotfix
Adobe today pushed out a hotfix to ColdFusion implementations, patching a vulnerability it had already patched nine days ago on the LiveCycle Data Services application framework. Today’s hotfix affects ColdFusion 11, update 5 and earlier, and ColdFusion 10, update 16 and earlier. Hotfixes, unlike...
Adobe LiveCycle Data Services Hotfix
Adobe is today expected to push a hotfix through to implementations of its LiveCycle Data Services application framework. The company said the vulnerability, CVE-2015-3269, affects versions 4.7, 4.6.2, 4.5 and 3.0.x on Windows, Macintosh and UNIX systems. Adobe is not aware of public exploits of...
August 2015 Microsoft Patch Tuesday Security Bulletins
Microsoft Edge wasted no time making its presence felt on Patch Tuesday today when Microsoft released the first security bulletin for the company’s new browser. Released two weeks ago along with the public debut of Windows 10, Edge, like its big brother Internet Explorer, got its own critical...
Oracle Patches VENOM Vulnerability
Oracle, whose virtualization software VirtualBox is among those affected by the VENOM vulnerability, on Saturday joined the litany of VM providers that have patched the bug. Oracle was one of the first vendors notified by Crowdstrike, whose researcher Jason Geffner found the bug and disclosed it...
WordPress CartPress Plugin Zero Day Disclosure
Another round of WordPress vulnerability disclosures has taken place with details made public on a handful of unpatched bugs in the CartPress ecommerce plugin. These disclosures come on the heels of a separate disclosure of a zero-day in the WordPress core engine. Those vulnerabilities have since...
Hilton Hotels Fix CSRF Vulnerability That Exposed All Accounts
A cross-site request forgery CSRF vulnerability in the website of hotel chain Hilton Worldwide could have inadvertently compromised much of its users’ personal information. Ironically the since-fixed issue stemmed from a promotion the chain was offering to users if they changed their passwords on...
Inside nls_933w.dll, the Equation APT Persistence Module
CANCUN – The names called out like beacons from the screen: Samsung; Seagate; Western Digital; Hitachi; Maxtor. Hardware makers were in the crosshairs of the Equation APT group and it was perhaps the worst possible scenario imagined by researchers looking at the frightening and extensive storehou...
Four Oracle Demantra Security Vulnerabilities Found
Oracle’s Demantra, part of the company’s Value Chain Planning suite of software, is fraught with vulnerabilities according to several bug disclosures issued over the weekend. Researchers at the London-based computer security firm Portcullis claim the application is plagued by a four vulnerabiliti...
Kaspersky Provides Details on Latest Adobe Flash Zero Day
Exploits for a newly reported zero-day vulnerability in Adobe’s Flash Player drop a password-grabbing Trojan that targets the email and social media accounts of users and organizations in China, researchers at Kaspersky Lab said today. The attacks appear to be an isolated campaign and there is no...
EE BrightBox Router Vulnerabilities Exposed
Leave it to a software test engineer to be thorough about his home networking gear. Scott Helme, an engineer in the U.K., likes to take a close look at traffic coming and going from new devices installed at his home. Recently, he signed up for fiber service from Everything Everywhere, an ISP in t...
Blackhole and Cool Exploit Kits Nearly Extinct
When authorities in Russia arrested Paunch, the alleged creator of the Blackhole exploit kit, last month, security researchers and watchers of the malware underground predicted that taking him off the board would put a dent in the use of Blackhole and force its customers onto other platforms. Six...
Google Fixes 17 Flaws in Chrome 28
Google has fixed more than 15 vulnerabilities in Chrome and paid out nearly $35,000 in rewards to security researchers for reporting the bugs. One researcher earned an unusually large reward of $21,500 for a series of vulnerabilities he reported in Chrome. Google Chrome 28 includes fixes for thre...
At Microsoft, a Sharp Focus on Cybercrime
REDMOND, Wash.–Cybercrime has developed in the last few years into a major concern, not just for the consumers and businesses that are victims, but also for governments around the world. Obama administration officials have called it one of the larger threats to the United States economy. While la...
Google Fixes 11 Flaws in Chrome
Google Chrome 26, the latest version of the company’s browser, is out and it contains a number of security patches, most notably a fix for a high-priority use-after-free vulnerability in the Web Audio component of the browser. That vulnerability, discovered and reported by Atte Kettunen, is the...
Adobe Patches Sandbox Escape Vulnerability in Reader and Acrobat
Adobe today released a patch for two vulnerabilities being exploited in the wild that enabled attackers to pull off the first confirmed sandbox escape against Adobe Reader. The vulnerabilities CVE-2013-0640 and CVE-2013-0641 could cause a crash and allow an attacker to remotely run malware on a...
Oracle Patches Critical Java Flaws in 7u15
On a day when Java zero day exploits were fingered in attacks against Apple, Facebook and Twitter, Oracle released the remainder of its quarterly security patch updates for the Java platform. Five vulnerabilities were patched in Java 7 Update 15 today, all of them remotely exploitable, and three ...
Vulnerability Patched in Schneider Electric ICS Gear
The Industrial Control System CERT released an advisory this week warning of a vulnerability in a popular sensor monitoring system used in a number of critical industries, including energy, water and manufacturing. Aaron Portnoy of Exodus Intelligence discovered the flaw in the Windows-based...
Out-of-Band IE Patch Released as More Sites Attacked
Internet Explorer users, exposed to a zero-day vulnerability in the browser and a faulty temporary Fix It from Microsoft, finally got some relief today when the company, as promised, released an out-of-band patch. Meanwhile, a handful of new telco, manufacturing and human rights sites have been...
Google Repairs High-Risk Flaw in Chrome
Google has fixed a couple of security vulnerabilities in its Chrome browser, including a high-risk use-after-free bug and a problem in the way that the Apple OS X driver for some Intel GPUs handles rendering. The biggest fix in Chrome 23 is a patch for the use-after-free vulnerability in the Chro...
Embedded Systems, Critical Infrastructure 'Renovation' Outpacing Security
Scott Tousley, deputy director cybersecurity division at Department of Homeland Security Science & Technology, is an advocate of integrating cybersecurity education into all disciplines of IT and business and risk management. “We don’t want to teach cybersecurity as a stovepipe, but to do it so...
Apple Fixes Flaws, Updates Java 6 for OS X
Apple pushed out a Java update for its Snow Leopard, Lion and Mountain Lion systems Wednesday, fixing vulnerabilities Oracle tackled in last week’s emergency CVE-2012-4681 patch. Both Java for Mac OS X 10.6 Update 10 and Java for OS X 2012-005 update the Java SE 6 plugin and, in what might be a...
Microsoft Patches Critical MS12-060 Office Flaw Being Used in Targeted Attacks
Microsoft on Tuesday fixed a critical vulnerability in a component of Office, SQL Server and other widely deployed applications that attackers already are using in targeted attacks. The flaw in the Microsoft Common Controls component, which was one of the 26 vulnerabilities fixed in nine bulletin...
OpFake, FakeInst Android Malware Variants Continue to Resist Detection
Android devices have remained a constant target of attacks over the last quarter thanks in part to new variants from the FakeInst and OpFake families of malware. According to the latest version of the F-Secure Mobile Threat Report, the firm found 5033 malicious Android application packages APKs, ...
Yahoo Sued By User Following Breach of 450,000 Passwords
Internet search conglomerate Yahoo is being sued by one of its users for negligence after the usernames and passwords of approximately 450,000 of its users were leaked by a hacker online last month. According to a complaint .PDF filed earlier this week in a federal court in San Jose, Calif., the...
New Version of Sykipot Trojan Linked To Targeted Attacks On Aerospace Industry
A new version of the Sykipot Trojan is being pushed to unsuspecting users in a wave of online attacks, including targeted attacks on attendees of an international aerospace conference, according to researchers at the security firm AlienVault. The latest edition of the common Trojan Horse program...
Intel Processor SYSRET Vulnerability Affecting Some 64-Bit Systems
A flaw exists in the way that a specific instruction is handled on some types of Intel 64-bit chips that could open up some operating systems and types of virtualization software to attacks, according to an alert issued last week but revised today by the United States Computer Emergency Readiness...
New Version of Stoned Bootkit Said to Bypass Windows 8 Secure Boot
A security researcher who has in the past has created low-level rootkits capable of staying resident on an infected machine after reboots, said he has now accomplished the same feat on Windows 8, which hasn’t even hit the shelves yet. Peter Kleissner said he has created a new version of his Stone...
Weaknesses in Webkit Becoming Problematic
Attackers interested in getting the most bang for their buck focus on ubiquitous software. Microsoft’s Office, Adobe’s Acrobat and Oracle’s Java have all become popular platforms exploited by cybercriminals intent on compromising end users’ systems. Another platform has quietly made its way onto...
Anonymous Shifts Attention to Big Oil, Monsanto
Just days after infiltrating military contractor Booz Allen Hamilton, hacktivist group Anonymous has confirmed they’ve set their next target: Big oil. In a post on the AnonNews website, the group has announced their intent to shift their ongoing Operation Green Rights initiative to “protest...
Google Fixes 15 Bugs in Chrome, Gives Users Ability to Delete Flash Cookies
Google has fixed more than a dozen security bugs in its Chrome browser, including five high-severity vulnerabilities and one that qualified for the company’s highest bug bounty, a $3133.7 reward. The new version of Chrome has fixes for 15 separate security vulnerabilities, the most critical of...
Adobe Releases Patch for Flash Zero Day Hole in Reader, Acrobat
Adobe has released patches for its Reader and Acrobat products to plug a hole in the Flash Player that was first reported in March and is being used in attacks on the Internet. The company issued a security update on Thursday, APSB11-08, that repairs critical vulnerabilities in current versions o...