Items tagged with exploit

If you’re a Firefox user, you should update your browser immediately. Mozilla was informed earlier this week by an astute Firefox user that a Russian news site was using malicious advertisements to take advantage of an exploit in the browser when installed on Windows and Linux machines. The exploit takes advantage of a vulnerability in the PDF viewer that is built into the Firefox browser. That also means that the mobile version of Firefox, which doesn’t include the PDF viewer, is not affected. Mac users were also spared from this particular exploit, but Mozilla still suggests that they upgrade... Read more...
We reported earlier this week that a Jeep Cherokee could be remotely accessed and controlled, and I wouldn't blame anyone for being a skeptic. After all, what are the chances of someone being able to remotely disable the transmission? Well, with Fiat Chrysler's response, I think that question has been answered. In a press statement issued today, the company has announced that it's recalling 1.4 million cars that are equipped with certain UConnect radios. Dodges, Jeeps, Rams, and Chryslers are affected. Ultimately, it seems like this recall isn't going to be that painful for owners of the affected... Read more...
One of the biggest concerns revolving around ever-improving vehicle technologies is the risk of their security being breached and an exploiter causing something bad to happen. After all, our vehicles are now kitted out with computers - they are computers - and whether we're talking about the desktop, mobile, or enterprise, we see computers get breached a lot. Well, if you've tried to convince yourself that the computers in our vehicles are more bulletproof than those used elsewhere, you're about to have a rude awakening. Tapping into and controlling the remote vehicle Over at Wired, a proof-of-concept... Read more...
We reported last week on a new zero-day vulnerability in Adobe Flash that was revealed following the leak of data from the Italian hacking group "Hacking Team". It's hardly a surprise when such a vulnerability is found in either Flash or Java, and as sad as it is, it's not even surprising to learn that two more have been found. Oy! The latest vulnerabilities, named CVE-2015-5122 and CVE-2015-5123, are considered critical, and affect the Flash player on Windows, OS X, and Linux. A verbatim threat to last week's vulnerability, "successful... Read more...
After mainboard vendors began adopting EFI en masse in recent years, security researchers all over have dissected the many different implementations out there to find that elusive crippling bug. Sometimes, though, such bugs are not actually elusive at all, like one just discovered by reverse engineering enthusiast fG. fG starts off his report by pointing out two excellent presentations revolving around EFI exploitation, and how this new one relates to one of those. At any point while using your PC, your EFI should never become exposed to write commands, but fG notes that this isn't the case on... Read more...
It's always fun to see which security flaws get exploited at Pwn2Own, and this year's event has proven to be no exception. In fact, it could be considered to be one of the most exciting events to date, with JungHoon Lee exploiting three major browsers, and securing a record $110,000 payout for one of the flaws. Starting the day off, JungHoon (aka: lokihardt) exploited a time-of-check-to-time-of-use vulnerability in the 64-bit version of Internet Explorer, breaking out of the sandbox via a privileged JavaScript injection, allowing him to execute medium-integrity code. This flaw netted JungHoon $65,000.... Read more...
IBM's X-Force Application Security Research Team has discovered a severe bug that plagues the Dropbox SDK on Android, which apps can use to interact with the cloud storage service. Dubbed 'DroppedIn', the bug has allowed unauthorized apps to access a rogue Dropbox account, potentially allowing an attacker to grab data off of your device for their later perusal. The bug affects SDK versions 1.5.4 through 1.6.1, and has been fixed as of 1.6.2. As serious as this bug is, it's nice to know that Dropbox wasted no time in fixing it. Security Intelligence notes that Dropbox responded to IBM's email about the... Read more...
A weakness has been identified that could exist in Android, Windows, and iOS devices that can be used to obtain personal information. Discovered by a team of researchers, the vulnerability revolves around multiple applications running on a shared infrastructure that can be exploited. According to their research, they were able to test a method, on an Android phone, that was successful between 82 percent and 92 percent of the time for six of the seven apps that were tested. The apps with such high percentages were Gmail (92 percent), H&R Block (92 percent), Newegg (86 percent), WebMD (85 percent),... Read more...
A Microsoft post announcing a mostly uninteresting list of products and the dates on which Microsoft will terminate support for them contains one notable standout: Windows 7. Within the next six months, all versions of Windows 7 will enter the Extended Support phase, which lasts for 5 years and includes free security updates and paid hotfix support, but Mainstream Support for the popular OS will cease as of January 13, 2015. What that means in practice is that although you can rest easy knowing that Windows 7 will remain secure until 2020, it won’t be getting any new features. This... Read more...
While perhaps a bit unnerving, let's not act like this hasn't happened before. While Apple's engineering team is no doubt massive, there's only so much a fixed group can find. We're talking about bugs in particular; while iOS 7's final build squashed a ton of quirks, a couple of security issues have presented themselves now that the operating system has been unleashed to the masses. In fact, most major companies find themselves in similar spots shortly after a major OS release: users discover exploits, and then, the firm has to work overtime in order to issue a patch (or two) to ensure it doesn't... Read more...
Less than a week ago, we posted about a newfound Android vulnerability that's not only a bit worrying, but affects potentially 900 million devices - dating all the way back to Android 1.6. The discovery and minor reveal was made by Bluebox, an up-and-comer security firm that had plans to expose all at an upcoming security conference. It appears, however, that one GitHub user had no plans to wait around for that. Either user "Poliva" knew about the exploit already, or could figure it out based on what Bluebox had revealed up to this point, but he's released some proof-of-concept code - and it's... Read more...
Oh Facebook - couldn't this have come at a better time? Mere weeks after news of the NSA's PRISM project was leaked, which is said to involve tight integration with the likes of Facebook and other popular Web entities, we learn of a bug that caused six million users' worth of phone numbers and email addresses to be exposed over the past year. The New York Times reports that the cause was a "technical bug", and so far, Facebook has seen no evidence that it was exploited or used maliciously. What it does mean, however, is that if anyone synced their Facebook account to their phone or any other device,... Read more...
We talked earlier this week about all of the software that lost its battles against the hackers at the Pwn2Own competition in Vancouver, Canada, but lest we forget about the sister competition, Pwnium 3. This particular competition was heavily sponsored by Google, with the company paying well more than $100,000 per exploit discovered against its Chrome browser. Examples would be a system compromise delivered via a webpage while in guest mode or, even better, an exploit that results in device persistence (lasting through reboots). Well, while Chrome fell at Pwn2Own - despite Google patching... Read more...
Is there a world record for number of software vulnerabilities exposed within the span of a single month? If so, I'm willing to bet that Oracle's Java is the clear winner. We've reported on many Java happenings over the past couple of months, and it doesn't look like the fun is going to end anytime soon. Security firm FireEye is responsible for the latest finding, noting that this zero-day exploit has been successfully executed using Java 1.6 update 41 and the most recent 1.7 update 15. It takes advantage of a vulnerability that might allow someone to overwrite bits of data Java has stored in the... Read more...