Subscribe to this page now.

SSL vulnerability revealed as major issue; forced release of iOS patch

02/23, 4:15pm

OS X said be vulnerable to same style of attack, patch to come

On February 21, Apple released a patch for iOS bringing iOS 7 and 6 to versions 7.06 and 6.16 (respectively), with little fanfare as to why the patch was issued. However, it now appears to have had more to it than a simple fix to SSL connections. The release notes mentioned a Secure Socket Layer (SSL) vulnerability for "an attacker with a privileged network," meaning that a flaw in the SSL implementation could conceivably allow for a "man-in-the-middle" attack as uncovered by ZDNet.

more

Eavesdropping exploit for Chrome leaked after Google inaction

01/23, 5:12pm

Vulnerability allowed websites to secretly record from a microphone

A security vulnerability in the Chrome browser that allowed malicious websites to secretly record audio through a microphone connected to the computer has been revealed. The exploit, which has been revealed following an apparent lack of progress by Google to implement a patch, could have allowed for the private conversations of nearby individuals to be eavesdropped upon, a developer claims

more

Adobe issues 'emergency' Flash update to stop new malware

02/07, 10:00pm

Exploits affect both platforms, one targets the Mac specifically

Adobe has issued a patch to update Flash on both the Mac and Windows platform in order to fix two new vulnerabilities already being exploited "in the wild" to spread malware. One of the targeted attacks using the exploit works equally well against Mac users as it does against Windows users. Visitors are tricked into downloading and opening MS Word files that contain malicious Flash content, while the other vulnerability users a similar technique but only affects Windows users.

more

[U] Yahoo Mail accounts compromised in quick XSS exploit

01/07, 1:34pm

Hacker details attack process in YouTube video

[Updated with Yahoo response] Yahoo Mail accounts have been hacked, with a DOM-based cross-site scripting vulnerability being the main vector of attack. Details of the hack, including how to perform the attack on specific e-mail accounts, has appeared online in a YouTube video demonstration, with the entire attacking process taking just a couple of minutes.

more

Commonly used Broadcom Wi-Fi chipset vulnerable to attack

10/26, 9:40pm

Proof-of-concept code knocks affected devices offline

Proof-of-concept example code shows a vulnerability in the firmware of two wireless chips sold by Broadcom -- the BCM4325 and the BCM4329. The chips are found in recent devices such as the iPhone 4, iPad, iPad 2, HTC Droid Incredible 2, Motorola Droid X2, and some Edge model cards manufactured by Ford. The flaw makes the devices vulnerable to attacks that render the Wi-Fi connection unusable for the duration of the attack.

more

Security flaw found in iOS, allows spoofing of SMS messages

08/17, 10:59am

Could allow messages to silently re-direct to phishing sites

Security researcher Pod2g has discovered a flaw in the way iOS handles SMS messages that could conceivably allow for malicious texters to disguise messages as being from a known or trusted source, potentially getting users to reveal information they normally would not, or rack up inadvertent charges on their bill. Pod2g refers to the flaw as "severe" and plans on releasing a tool to allow iPhone 4 users to send messages in "raw" PDU format until the vulnerability is fixed.

more

Google increases vulnerability reporting reward to $20,000

04/23, 6:25pm

Google raises Vulnerability Reward Program prizes

Google has updated the bounties for its Vulnerability Reward Program. Users who report a bug from one of Google's products stand to earn up to $20,000 for each potential vulnerability declared to the search giant.

more

Google Wallet vulnerability exposes PIN on rooted handsets

02/08, 10:25pm

Google working quickly to fix bug

Researchers at security firm Zvelo have released details surrounding a Google Wallet vulnerability that is claimed to leave a user's PIN data exposed. Engineers were reportedly able to develop a crack that quickly determines a user's four-digit PIN, which serves as an essential security layer to prevent the NFC system from transmitting card data without authorization.

more

Researchers discover Wi-Fi router PIN vulnerability

12/28, 12:00am

Flaw makes for easier brute-force attacks

The US Computer Emergency Readiness Team (US-CERT) has reportedly issued a warning regarding a vulnerability in Wi-Fi routers that use Wi-Fi Protected Setup (WPS) PINs. The security flaw, which was said to be discovered by security researcher Stefan Viehbock, enables hackers to easily gain access to routers by using brute-force attacks and software tools to guess the PIN codes.

more

Vulnerability in Window 7 64-bit may be exploited by Safari

12/20, 8:30pm

Gives attacker ability to run arbitrary code

Microsoft is said to be looking into a new vulnerability in the 64-bit version of Windows 7 that can be exploited through Apple's Safari web browser for Windows, according to a report on Threat Post. The flaw, reported a few days ago by an independent researcher on Twitter and confirmed by Secunia, would allow an attacker to run arbitrary code on victimized machines.

more

HTC confirms fix underway for privacy hole in Android phones

10/04, 7:25am

HTC to plug major security hole ASAP

HTC has confirmed that it has commenced work on a patch for the gaping security hole that was discovered in its Android phones over the weekend. HTC has has also acknowledged that the vulnerability could allow a maliciously crafted third-party application to access a customer’s data without permission. The company claims that it is working quickly to issue a security update for its Android devices.

more

Serious XSS vulnerability found in Skype for iOS

09/20, 7:25pm

Users' address books could be copied

A security researcher going by "Phil P" and running the Superevr security blog has found a serious scripting vulnerability in the chat messaging feature of Skype versions 3.01 and earlier for the iPhone and iPod Touch that could execute malicious Javascript code without the user being fully aware, giving the attacker access to file contents of any file that the Skype app would have access to -- such as a user's address book.

more

Adobe issues another critical Flash security update

06/15, 9:45pm

Issue affects desktop platforms, Android

Adobe has again issued a security update for a critical issue affecting Adobe Flash Player 10.3 and earlier versions for Macintosh, Windows, Linux, Solaris and Android, just over a week since the previous update. A new memory corruption vulnerability (marked by the company as CVE-2011-2110) can cause a crash and potentially allow an attacker to take control of the affected system, with reports that the problem has been spotted in the wild.

more

Hackers attack Safari on MacBook to win Pwn2Own

03/09, 10:05pm

Team exploits WebKit vulnerability

Security researches from the French company Vupen hacked a MacBook running Safari to win the recent Pwn2Own hacking contest this week at the CanSecWest security conference. The group discovered and exploited an unpatched vulnerability in Safari's WebKit engine. The browser was directed to a website designed to take advantage of the flaw, enabling the hackers to remotely launch the calculator application and write a file to the disk.

more

Firefox 3.5 JS security vulnerability emerges

07/15, 12:40am

Firefox security issue

A new security vulnerability affecting Firefox 3.5 has been discovered, according to Secunia. The issue, spotted by Simon Berry-Byrne, relates to an error when processing JavaScript code, such as "font" HTML tags, and can be exploited to cause memory corruption. The flaw potentially could be used to allow malicious code to enable unauthorized control of a system.

more

iCal vulnerable to malicious .ics files

05/21, 4:05pm

iCal vulnerable to bad ics

A new vulnerability in iCal has been discovered that allows un-authenticated attackers to execute arbitrary code on vulnerable systems with (and potentially without) the assistance from the end user of the application or to repeateadly execute a denial of service attack to crash the iCal application. Core Security writes that "the most serious of the three vulnerabilities is due to potential memory corruption resulting from an resource liberation bug that can be triggered with a malformed .ics calendar file specially crafted by a would-be attacker".

more

URL spoofing flaw affects Safari 3.1.1

04/24, 9:00pm

URL spoofing flaw

A little over a week after Apple offered a security update to Safari 3.1.1, security research site Secunia warned users about another, but "less critical," vulnerability that could allows malicious sites to "spoof" other websites. Reported by Juan Pablo Lopez Yacubian, the security advisory notes that Safari 3.11 has a flaw that can be exploited by malicious people to display a fake URL in the address bar. "The problem is that it is possible to hide the actual location of a page in the address bar via a specially crafted URL containing a number of certain special characters in the 'user' field before the '@' character," the report noted. It affects both Mac OS X and Windows Vista of the browser and may also affect older versions. Secunia, however, rates the flaw as "less critical," but warns that users should avoid untrusted websites and untrusted links.

more

Code crashes Safari in iPhone 1.1.4, fixed for Mac/PC

03/19, 12:30am

Code crashes iPhone 1.1.4

A new exploit has surfaced for the iPhone's Safari browser that, while drawing parallels to an earlier issue, requires no user input to function. According to iPhone World, the vulnerability is triggered by previously conceived code that has been refined in the above manner. The issue affects firmware version 1.1.4 iPhones, and presumably previous versions. Safari on the Mac and PC were also affected by this vulnerability, but it was recently fixed in Safari 3.1, released today.

more

DoS attack on iPhone causes memory leak, freeze

01/26, 1:25pm

New iPhone vulnerability

iPhone owners should be on guard against a new threat, which fortunately doesn't harm the device, but still induces a freeze by taking all available system memory. According to security firm SecurityFocus, the vulnerability is exposed by a Denial of Service attack, when a maliciously crafted webpage is viewed. The page will insert code into the iPhone, which continually eats up available system memory before causing a kernel panic.

more

iPhone Trojan revealed, targets jailbroken phones

01/09, 12:10am

First iPhone Trojan attack

The iPhone recently fell victim to its first Trojan attack, which came in the form of a malicious file named “113 prep”. While installation of the phony application is relatively benign – the app merely says “shoes” when activated – uninstalling the file causes damage to or deletes system-critical files in the /bin directory on the iPhone. In addition to harming the devices own software, third party utilities are also being rendered useless through the same means. This attack was orchestrated by an 11-year-old, and has some modmyifone.com forum members laughing to ease the pressure using references to the 1995 film Hackers, due to the similarity of circumstances.

more

Firebox X protects against Java vulnerabilities

12/17, 11:20pm

Firebox X updated

WatchGuard Technologies recently updated its Firebox X network protection hardware to neutralize the latest Java threats against Mac OS X 10.4 Tiger users. Malicious web pages are reportedly the most common methods of implementation for viruses or attacks, but WatchGuard says that its equipment prevents against these kind of incursions by running network traffic through its Application Proxy technology – a proxy that separates user traffic from web-source to neutralize these exploits. Application Proxy is currently available in all of WatchGuard's products, including the Firebox X line of protective hardware.

more

iPhone will be hacker's choice in 2008 - report

12/11, 5:25pm

iPhone target of choice

The iPhone will be a major target for hackers in 2008, with attacks centered around the included Safari web browser, according to a prediction by Arbor Networks Security. The attacks will most likely be bits of malicious code that, when intertwined with benign digital material such as image files, could be capable of executing various harmful commands on the device. Arbor believes that the prospect of attacking Apple users and being among the first to hack a new platform are both big draws for malevolent hackers.

more

First Look: Symantec's Norton AntiVirus 11

12/11, 3:25pm

First look at NAV 11

Viruses have been of little concern to most Mac users since OS X made its first appearance in 2001. Apple's switch to Intel processors, and the various virtualization processes that exist for running Windows, have eroded that confidence for some users. Although Apple is usually on the ball with fixing system vulnerabilities, some larger problems can go for several days or weeks before a proper fix is available. Symantec's Norton AntiVirus 11 aims to compliment the Mac OS' natural sturdiness by providing anti-viral services and fixes for security holes while Apple works on a true solution for the problem.

more

Security flaws surface in Leopard, VPN

12/10, 5:25pm

Security flaws in Leopard

A new denial of service (DoS) vulnerability has surfaced in Apple's Mac OS X Leopard operating system that can result in crashes, according to Heise Security. The flaw, which is an integer overflow in the load_threadstack function in mach_loader.c, occurs when processing Mach-O binaries and can lead to a kernel panic. Single user systems should not be at risk, according to the company, but multi-user setups are vulnerable because attackers do not require any special privileges to provoke the error.

more

QuickTime exploit circulates on Web

11/30, 1:20am

QuickTime 7.2 exploit

Symantec has notified DeepSight customers that a bug in QuickTime's Real Time Streaming protocol can lead towards the execution of malicious code on any computer running QuickTime 7.2 or later, and that a working proof-of-concept set of code being circulated on the internet. Computerworld reports that the bug was originally posted on milw0rm.com, and that the exploit code had worked when tested against Windows XP and later in Vista. Mac OS X 10.4 Tiger and 10.5 Leopard are said to be vulnerable as well, but took considerably more time for researches to craft a reliable, working exploit.

more

SonicWALL blocks QuickTime zero-day exploit

11/29, 4:45pm

SonicWALL Quicktime issue

Networking security hardware manufacturer SonicWALL recently announced that it has distributed defensive measures to users of it's Unified Threat Management technology, against zero-day vulnerability exploits found in QuickTime. Malicious websites are able to create a stack-based buffer overflow in Apple's media player, by providing a phony movie file that, when activated, executes a series of code that allows a users machine to be taken over. SonicWALL says that the problem lies within the "Content-Type" header field that is sent from the server, which is not properly verified by the client's QuickTime. Once the "Content-Type" field reaches a certain length, a Buffer Overflow condition occurs, and through this, malevolent users can rewrite a user's privileges so that they have read-write access to the machine.

more

Electronista Sponsor

Electronista Newsletter

Free Technology and Gadgets Newsletter

  • We will not share your email address with anyone.

    toggle

    Most Popular

    Sponsor

    Recent Reviews

    PenClic Bluetooth mouse

    Windows 8 aside, computer users have been trained that a mouse is the proper way to navigate through the desktop for years. Trackballs ...

    Cat B100

    Cat is primarily known for its heavy-duty machinery used in the construction industry and farming, among other areas. What may not be ...

    Linksys EA6900 AC Router

    As 802.11ac networking begins to makes its way into more and more devices, you may find yourself considering an upgrade for your home ...

    Sponsor

    toggle

    Most Commented

     
    toggle

    Popular News