Items tagged with exploit

It seems impossible for the world to go a single week without a major security breach, so to fill the inevitable void this week is a hacker that goes by the name "thedarkoverlord," who claims to be in possession of a staggering 655,000 healthcare records. Of course, he is looking to sell them off. This latest records leak was first reported by Deep Dot Web, which has exclusive images to prove that the leak is real (one can be seen below). These images were not sourced by the website; rather, thedarkoverlord himself provided the images, probably as a way to build up some notoriety, and to flaunt... Read more...
We wrote earlier about the kind of success Google has been seeing with its Android bug bounty program -- success that has led the company to actually increase its rewards. Over the years, we've seen other major companies offer bug bounties as well, such as Facebook and Microsoft, so it's clear that they can provide some real value. Could that value be important enough for the US government to get in on the action? It appears that "yes", it certainly can. In a new report from the Pentagon, the groundwork is laid for future programs that target much more than some front-facing websites, which is... Read more...
It has been suggested that the microprocessors we use each and every day could pack in a bit more than we bargained for; namely, the tools needed for spying or undetectable access. And unfortunately, according to security researcher and developer Damien Zammit, there's a potential reason to be concerned over the "ME" or Management Engine module found in all Intel chipsets manufactured after the Core 2 era. If you've built your own Intel-based PC in recent years, or have at least reinstalled the OS and needed to install all of the drivers on your own, you've probably noticed a piece of software... Read more...
The greatest benefit wireless peripherals offer is what they help cut down on: wires. Fewer wires means that our desktops are easier to keep clean, and we're not kicking wires as often under our desk. It's a win-win overall. Or is it? As with most things convenient, wireless peripherals can suffer exploits just like anything else that's open to a wireless connection. While your keyboard is designed to handshake with an adapter that's plugged into your PC, there's usually nothing stopping the data stream from being intercepted. Though remote, no question, it could be a legitimate attack vector.... Read more...
Security researchers thought that we were all rid of a pesky vulnerability that was initially patched over three years ago. The exploit takes advantage of code lurking within the “libupnp” library, which is included in the Portable SDK for UPnP Devices used for DLNA media playback. However, some lax vendors have failed to include newer versions of the SDK with an updated version of libupnp, leaving millions of devices that we use everyday exposed -- 6.1 million devices to be exact, including smartphones, routers and smart TVs. In addition to hardware vendors, it’s also been discovered that 547... Read more...
We've talked lots in the past about vulnerabilities that hit home and enterprise routers, but not quite as much about cable modems, where the importance of good security is arguably even more paramount. The reason for that is that most often, customers do not have control over the firmware in such devices. If a vulnerability is found and patched, it's up to the ISP to issue it, automatically. As you might imagine, this could lead to some serious problems if your ISP isn't too on top of things. A great example of this is brought forth by security researcher Bernardo Rodrigues. He found that with... Read more...
UpdatedThe lock screen on your phone might not be foolproof as you thought. Researchers at The University of Texas at Austin released a demonstration this week of what they say is a vulnerability in mobile devices running Android 5.x. Also known as Lollipop, it is the latest version of Android and is run by many modern phones, but the attack may not affect all phones running Lollipop. Researchers used a Nexus 4 in the proof-of-concept attack. Also, phones running the latest version of Android (5.5.1 build LMY48M) are not vulnerable. The attack involves copying and pasting multiple characters, starting... Read more...
If you’re a Firefox user, you should update your browser immediately. Mozilla was informed earlier this week by an astute Firefox user that a Russian news site was was using malicious advertisements to take advantage of an exploit in the browser when installed on Windows and Linux machines. The exploit takes advantage of a vulnerability in the PDF viewer that is built into the Firefox browser. That also means that the mobile version of Firefox, which doesn’t include the PDF viewer, is not affected. Mac users were also spared from this particular exploit, but Mozilla still suggests that they upgrade... Read more...
We reported earlier this week that a Jeep Cherokee could be remotely accessed and controlled, and I wouldn't blame anyone for being a skeptic. After all, what are the chances of someone remote being able to disable the transmission? Well, with Fiat Chrysler's response, I think that question has been answered. In a press statement issued today, the company has announced that it's recalling 1.4 million cars that are equipped with certain UConnect radios. Dodges, Jeeps, Rams, and Chrysler's are affected. Ultimately, it seems like this recall isn't going to be that painful for owners of the affected... Read more...
One of the biggest concerns revolving around ever-improving vehicle technologies is the risk of their security being breached and an exploiter causing something bad to happen. After all, our vehicles are now kitted out with computers - they are computers - and whether we're talking about the desktop, mobile, or enterprise, we see computers get breached a lot. Well, if you've tried to convince yourself that the computers in our vehicles are more bulletproof than those used elsewhere, you're about to have a rude awakening. Tapping into and controlling the remote vehicle Over at Wired, a proof-of-concept... Read more...
We reported last week on a new zero-day vulnerability in Adobe Flash that was revealed following the leak of data from the Italian hacking group "Hacking Team". It's hardly a surprise when such a vulnerability is found in either Flash or Java, and as sad as it is, it's not even surprising to learn that two more have been found. Oy! The latest vulnerabilities, named CVE-2015-5122 and CVE-2015-5123, are considered critical, and affect the Flash player on Windows, OS X, and Linux. A verbatim threat to last week's vulnerability, "successful... Read more...
After mainboard vendors began adopting EFI en masse in recent years, security researchers all over have dissected the many different implementations out there to find that elusive crippling bug. Sometimes, though, such bugs are not actually elusive at all, like one just discovered by reverse engineering enthusiast fG. fG starts off his report by pointing out two excellent presentations revolving around EFI exploitation, and how this new one relates to one of those. At any point while using your PC, your EFI should never become exposed to write commands, but fG notes that this isn't the case on... Read more...
It's always fun to see which security flaws get exploited at Pwn2Own, and this year's event has proven to be no exception. In fact, it could be considered to be one of the most exciting events to date, with JungHoon Lee exploiting three major browsers, and securing a record $110,000 payout for one of the flaws. Starting the day off, JungHoon (aka: lokihardt) breached a time-of-check to time-of-use vulnerability in the 64-bit version of Internet Explorer, breaking out of the sandbox via a privileged JavaScript injection, allowing him to execute medium-integrity code. This flaw netted JungHoon $65,000.... Read more...
IBM's X-Force Application Security Research Team has discovered a severe bug that plagues the Dropbox SDK on Android, which apps can use to interact with the cloud storage service. Dubbed 'DroppedIn', unauthorized apps have been able to access a rogue Dropbox account, potentially allowing an attacker to grab data off of your device for their later perusal. The bug affects SDK version 1.5.4 through 1.6.1, and has been fixed as of 1.6.2. As serious as this bug is, it's nice to know that Dropbox wasted no time in fixing it. Security Intelligence notes that Dropbox responded to IBM's email about the... Read more...
1 2 3 Next