Requires physical access, but works on OS X, Windows, Linux
A new USB microcontroller -- roughly the size of a small thumb drive -- has been demonstrated as a proof-of-concept device that leverages a serious and unfixable vulnerability in USB easily take over and install malware on any unlocked computer. Though it requires physical access or tricking the user into inserting the controller into a USB port, the device has worrying implications for any computer left unattended for more than a minute -- the time it takes for the device to gain admin access, change network settings, install a backdoor and remove any obvious sign of intrusion.
Versions of WordPress from 3.0 up to 3.9.2 were discovered to contain a security vulnerability through the comment features on the site, making a large number of installs and servers vulnerable to attack. The bug was discovered by Jouko Pynnonen of the Finnish IT company Klikki Oy, indicating that the bug went unchecked for more than four years since it was introduced with version 3.0 in June 2010.
Only those running advanced UNIX services should be concerned, fix is on the way
An Apple spokesperson has reassured Mac users that the "vast majority" of users are not at risk from a serious bug discovered in the UNIX shell Bash that some researchers have called "potentially bigger than the Heartbleed vulnerability." Apple says that only those who have configured "advanced UNIX services" using the Terminal in OS X could be a risk of the flaw -- which would mean that nearly all OS X users would be unaffected. Nevertheless, the company is said to be working on a fix.
Major security risk could be bigger issue than Heartbleed
A new bug may have a greater potential for harm than April's Heartbleed vulnerability, according to reports. The "Shellshock" vulnerability in Bash, a Unix shell typically used in Linux systems as well as in OS X, apparently allows for code held in environment variables to be executed within the shell as soon as it is invoked, potentially allowing for the control of affected systems to be taken over by another user.
Latest version for Snow Leopard and higher now required for Flash to work
Following an emergency patch issued by Adobe yesterday for a vulnerability in Flash Player and Adobe AIR that the company deemed "critical" for users to upgrade to, Apple is now blocking all un-upgraded versions of the plug-in in Safari, though the warning dialog will take users to the Flash Installer page where they can obtain the patched version. Users of OS X 10.6 and higher must be running version 18.104.22.168 in order for the Flash plug-in to work normally. Windows and Linux users are also affected by the flaw.
XSS attack leaves Tweetdeck's web users vulnerable to scripts in Tweets
Researcher finds decrease in vulnerable systems from previous month
Security researcher Robert Graham announced on the Errata Security blog that over 300,000 servers remain vulnerable to the Heartbleed bug, according to a recent scan done of Internet systems. The number marks a decrease from the previous month's scan, which numbered over 600,000 systems.
OS X said be vulnerable to same style of attack, patch to come
On February 21, Apple released a patch for iOS bringing iOS 7 and 6 to versions 7.06 and 6.16 (respectively), with little fanfare as to why the patch was issued. However, it now appears to have had more to it than a simple fix to SSL connections. The release notes mentioned a Secure Socket Layer (SSL) vulnerability for "an attacker with a privileged network," meaning that a flaw in the SSL implementation could conceivably allow for a "man-in-the-middle" attack as uncovered by ZDNet.
Vulnerability allowed websites to secretly record from a microphone
A security vulnerability in the Chrome browser that allowed malicious websites to secretly record audio through a microphone connected to the computer has been revealed. The exploit, which has been revealed following an apparent lack of progress by Google to implement a patch, could have allowed for the private conversations of nearby individuals to be eavesdropped upon, a developer claims
Exploits affect both platforms, one targets the Mac specifically
Adobe has issued a patch to update Flash on both the Mac and Windows platform in order to fix two new vulnerabilities already being exploited "in the wild" to spread malware. One of the targeted attacks using the exploit works equally well against Mac users as it does against Windows users. Visitors are tricked into downloading and opening MS Word files that contain malicious Flash content, while the other vulnerability users a similar technique but only affects Windows users.
Hacker details attack process in YouTube video
[Updated with Yahoo response] Yahoo Mail accounts have been hacked, with a DOM-based cross-site scripting vulnerability being the main vector of attack. Details of the hack, including how to perform the attack on specific e-mail accounts, has appeared online in a YouTube video demonstration, with the entire attacking process taking just a couple of minutes.
Proof-of-concept code knocks affected devices offline
Proof-of-concept example code shows a vulnerability in the firmware of two wireless chips sold by Broadcom -- the BCM4325 and the BCM4329. The chips are found in recent devices such as the iPhone 4, iPad, iPad 2, HTC Droid Incredible 2, Motorola Droid X2, and some Edge model cards manufactured by Ford. The flaw makes the devices vulnerable to attacks that render the Wi-Fi connection unusable for the duration of the attack.
Could allow messages to silently re-direct to phishing sites
Security researcher Pod2g has discovered a flaw in the way iOS handles SMS messages that could conceivably allow for malicious texters to disguise messages as being from a known or trusted source, potentially getting users to reveal information they normally would not, or rack up inadvertent charges on their bill. Pod2g refers to the flaw as "severe" and plans on releasing a tool to allow iPhone 4 users to send messages in "raw" PDU format until the vulnerability is fixed.
Google raises Vulnerability Reward Program prizes
Google has updated the bounties for its Vulnerability Reward Program. Users who report a bug from one of Google's products stand to earn up to $20,000 for each potential vulnerability declared to the search giant.
Google working quickly to fix bug
Researchers at security firm Zvelo have released details surrounding a Google Wallet vulnerability that is claimed to leave a user's PIN data exposed. Engineers were reportedly able to develop a crack that quickly determines a user's four-digit PIN, which serves as an essential security layer to prevent the NFC system from transmitting card data without authorization.
Flaw makes for easier brute-force attacks
The US Computer Emergency Readiness Team (US-CERT) has reportedly issued a warning regarding a vulnerability in Wi-Fi routers that use Wi-Fi Protected Setup (WPS) PINs. The security flaw, which was said to be discovered by security researcher Stefan Viehbock, enables hackers to easily gain access to routers by using brute-force attacks and software tools to guess the PIN codes.
Gives attacker ability to run arbitrary code
Microsoft is said to be looking into a new vulnerability in the 64-bit version of Windows 7 that can be exploited through Apple's Safari web browser for Windows, according to a report on Threat Post. The flaw, reported a few days ago by an independent researcher on Twitter and confirmed by Secunia, would allow an attacker to run arbitrary code on victimized machines.
HTC to plug major security hole ASAP
HTC has confirmed that it has commenced work on a patch for the gaping security hole that was discovered in its Android phones over the weekend. HTC has has also acknowledged that the vulnerability could allow a maliciously crafted third-party application to access a customer’s data without permission. The company claims that it is working quickly to issue a security update for its Android devices.
Users' address books could be copied
Issue affects desktop platforms, Android
Adobe has again issued a security update for a critical issue affecting Adobe Flash Player 10.3 and earlier versions for Macintosh, Windows, Linux, Solaris and Android, just over a week since the previous update. A new memory corruption vulnerability (marked by the company as CVE-2011-2110) can cause a crash and potentially allow an attacker to take control of the affected system, with reports that the problem has been spotted in the wild.
Team exploits WebKit vulnerability
Security researches from the French company Vupen hacked a MacBook running Safari to win the recent Pwn2Own hacking contest this week at the CanSecWest security conference. The group discovered and exploited an unpatched vulnerability in Safari's WebKit engine. The browser was directed to a website designed to take advantage of the flaw, enabling the hackers to remotely launch the calculator application and write a file to the disk.
Firefox security issue
iCal vulnerable to bad ics
A new vulnerability in iCal has been discovered that allows un-authenticated attackers to execute arbitrary code on vulnerable systems with (and potentially without) the assistance from the end user of the application or to repeateadly execute a denial of service attack to crash the iCal application. Core Security writes that "the most serious of the three vulnerabilities is due to potential memory corruption resulting from an resource liberation bug that can be triggered with a malformed .ics calendar file specially crafted by a would-be attacker".
URL spoofing flaw
A little over a week after Apple offered a security update to Safari 3.1.1, security research site Secunia warned users about another, but "less critical," vulnerability that could allows malicious sites to "spoof" other websites. Reported by Juan Pablo Lopez Yacubian, the security advisory notes that Safari 3.11 has a flaw that can be exploited by malicious people to display a fake URL in the address bar. "The problem is that it is possible to hide the actual location of a page in the address bar via a specially crafted URL containing a number of certain special characters in the 'user' field before the '@' character," the report noted. It affects both Mac OS X and Windows Vista of the browser and may also affect older versions. Secunia, however, rates the flaw as "less critical," but warns that users should avoid untrusted websites and untrusted links.
Code crashes iPhone 1.1.4
A new exploit has surfaced for the iPhone's Safari browser that, while drawing parallels to an earlier issue, requires no user input to function. According to iPhone World, the vulnerability is triggered by previously conceived code that has been refined in the above manner. The issue affects firmware version 1.1.4 iPhones, and presumably previous versions. Safari on the Mac and PC were also affected by this vulnerability, but it was recently fixed in Safari 3.1, released today.
New iPhone vulnerability
iPhone owners should be on guard against a new threat, which fortunately doesn't harm the device, but still induces a freeze by taking all available system memory. According to security firm SecurityFocus, the vulnerability is exposed by a Denial of Service attack, when a maliciously crafted webpage is viewed. The page will insert code into the iPhone, which continually eats up available system memory before causing a kernel panic.
First iPhone Trojan attack
The iPhone recently fell victim to its first Trojan attack, which came in the form of a malicious file named “113 prep”. While installation of the phony application is relatively benign – the app merely says “shoes” when activated – uninstalling the file causes damage to or deletes system-critical files in the /bin directory on the iPhone. In addition to harming the devices own software, third party utilities are also being rendered useless through the same means. This attack was orchestrated by an 11-year-old, and has some modmyifone.com forum members laughing to ease the pressure using references to the 1995 film Hackers, due to the similarity of circumstances.
Firebox X updated
WatchGuard Technologies recently updated its Firebox X network protection hardware to neutralize the latest Java threats against Mac OS X 10.4 Tiger users. Malicious web pages are reportedly the most common methods of implementation for viruses or attacks, but WatchGuard says that its equipment prevents against these kind of incursions by running network traffic through its Application Proxy technology – a proxy that separates user traffic from web-source to neutralize these exploits. Application Proxy is currently available in all of WatchGuard's products, including the Firebox X line of protective hardware.
iPhone target of choice
The iPhone will be a major target for hackers in 2008, with attacks centered around the included Safari web browser, according to a prediction by Arbor Networks Security. The attacks will most likely be bits of malicious code that, when intertwined with benign digital material such as image files, could be capable of executing various harmful commands on the device. Arbor believes that the prospect of attacking Apple users and being among the first to hack a new platform are both big draws for malevolent hackers.
First look at NAV 11
Viruses have been of little concern to most Mac users since OS X made its first appearance in 2001. Apple's switch to Intel processors, and the various virtualization processes that exist for running Windows, have eroded that confidence for some users. Although Apple is usually on the ball with fixing system vulnerabilities, some larger problems can go for several days or weeks before a proper fix is available. Symantec's Norton AntiVirus 11 aims to compliment the Mac OS' natural sturdiness by providing anti-viral services and fixes for security holes while Apple works on a true solution for the problem.
Security flaws in Leopard
A new denial of service (DoS) vulnerability has surfaced in Apple's Mac OS X Leopard operating system that can result in crashes, according to Heise Security. The flaw, which is an integer overflow in the load_threadstack function in mach_loader.c, occurs when processing Mach-O binaries and can lead to a kernel panic. Single user systems should not be at risk, according to the company, but multi-user setups are vulnerable because attackers do not require any special privileges to provoke the error.
QuickTime 7.2 exploit
Symantec has notified DeepSight customers that a bug in QuickTime's Real Time Streaming protocol can lead towards the execution of malicious code on any computer running QuickTime 7.2 or later, and that a working proof-of-concept set of code being circulated on the internet. Computerworld reports that the bug was originally posted on milw0rm.com, and that the exploit code had worked when tested against Windows XP and later in Vista. Mac OS X 10.4 Tiger and 10.5 Leopard are said to be vulnerable as well, but took considerably more time for researches to craft a reliable, working exploit.
SonicWALL Quicktime issue
Networking security hardware manufacturer SonicWALL recently announced that it has distributed defensive measures to users of it's Unified Threat Management technology, against zero-day vulnerability exploits found in QuickTime. Malicious websites are able to create a stack-based buffer overflow in Apple's media player, by providing a phony movie file that, when activated, executes a series of code that allows a users machine to be taken over. SonicWALL says that the problem lies within the "Content-Type" header field that is sent from the server, which is not properly verified by the client's QuickTime. Once the "Content-Type" field reaches a certain length, a Buffer Overflow condition occurs, and through this, malevolent users can rewrite a user's privileges so that they have read-write access to the machine.