Items tagged with vulnerability

We reported earlier this week that a Jeep Cherokee could be remotely accessed and controlled, and I wouldn't blame anyone for being a skeptic. After all, what are the chances of someone remote being able to disable the transmission? Well, with Fiat Chrysler's response, I think that question has been answered. In a press statement issued today, the company has announced that it's recalling 1.4 million cars that are equipped with certain UConnect radios. Dodges, Jeeps, Rams, and Chrysler's are affected. Ultimately, it seems like this recall isn't going to be that painful for owners of the affected... Read more...
Microsoft is plugging a security hole with a new Critical-rated security update. The patch will fix an issue in Windows and OpenType fonts that could expose users to malicious website content. So long as you have automatic updates enabled, your PC will download and install the patch, if it hasn’t already. “This security update resolves a vulnerability in Windows that could allow remote code execution if a user opens a specially crafted document or goes to an untrusted webpage that contains embedded OpenType fonts,” Microsoft said in a statement. It deems the hole dangerous enough to have released... Read more...
We reported last week on a new zero-day vulnerability in Adobe Flash that was revealed following the leak of data from the Italian hacking group "Hacking Team". It's hardly a surprise when such a vulnerability is found in either Flash or Java, and as sad as it is, it's not even surprising to learn that two more have been found. Oy! The latest vulnerabilities, named CVE-2015-5122 and CVE-2015-5123, are considered critical, and affect the Flash player on Windows, OS X, and Linux. A verbatim threat to last week's vulnerability, "successful... Read more...
This week, something nearly as common as breathing happened: a severe Adobe Flash vulnerability was revealed. How this one came to be, however, is far more interesting than most. Earlier this week, a well-known Italian hacking group called 'Hacking Team' was itself hacked. On Monday, the group's Twitter account was hijacked to post a link to a torrent file that includes about 400GB worth of its data. We're now finding out that this data could have huge repercussions for software vendors and regular consumers alike. Because Hacking Team's efforts largely revolve around exploiting bugs in popular... Read more...
Jan Souček, a security researcher from Prague, has uncovered a vulnerability in the security of the iOS Mail application that nefarious types can deploy against users of the app to gain access to their iCloud passwords.    The method published by Souček illustrates how an email can be sent to the hapless victim that uses HTML code that mimics the iCloud login pop-up window upon receipt. Then, after said victim has inadvertently tapped their iCloud password into the window's Password field and clicked OK, an email is sent back to the sender with that critical information. Specifically,... Read more...
After mainboard vendors began adopting EFI en masse in recent years, security researchers all over have dissected the many different implementations out there to find that elusive crippling bug. Sometimes, though, such bugs are not actually elusive at all, like one just discovered by reverse engineering enthusiast fG. fG starts off his report by pointing out two excellent presentations revolving around EFI exploitation, and how this new one relates to one of those. At any point while using your PC, your EFI should never become exposed to write commands, but fG notes that this isn't the case on... Read more...
It's beginning to look like the latest hotness in the vulnerability world is crashing applications with simple strings of text. We just talked about such a bug that's stricken iOS a mere week ago, and already another one has come to the surface. This time, Skype is in the crosshairs, and this is a bug even easier to replicate than the iOS one. All you have to do is type in the characters "http://:" and send it, and that somehow causes Skype to become inoperable for a time. The bug does not seem to affect the "modern" version of Skype in Windows 8, nor the Mac version, and I'd also assume the... Read more...
Given their importance, it'd be easy to believe that an institution such as the IRS would have sufficient security measures in place to protect our data - the tax information of everyone in the United States. As we discovered last week though, that's not at all the case. We learned on Wednesday that at least 100,000 personal tax records were snatched illegally from the IRS, not with the intent of making a statement, but instead to steal identities. It didn't take long before someone got the blame, and that someone, or country, was Russia. In case it hasn't been evident enough lately, Russia really... Read more...
We posted earlier this week about a bizarre bug that strikes when a specific text message is received by an iOS user, either via Messages or SMS. Composed of various unicode characters, receiving this specific message can lock up the device, and render the Messages app useless until the bug is dealt with. When the bug leaked to the Web earlier this week, there were some suggestions of how to fix it, but now Apple itself has jumped in with suggestions of its own. With an iPhone or other bugged iOS device at-the-ready, you'll need to ask Siri to "read unread messages". Then, with the malicious message... Read more...
Is it possible to take control of an airplane using an infotainment system as a gateway? Chris Roberts, a well-known hacker and security researcher with One World Labs, claims that it is. The FBI, who is investigating Roberts' claims, is taking no chances that he's incorrect. On April 15, Roberts posted this tweet: Find myself on a 737/800, lets see Box-IFE-ICE-SATCOM, ? Shall we start playing with EICAS messages? "PASS OXYGEN ON" Anyone ? :)— Chris Roberts (@Sidragon1) April 15, 2015 It's as if Roberts was looking for trouble. And if that's the case, he certainly got it. Upon landing, he was greeted... Read more...
Data security research player CrowdStrike is reporting a security flaw that could allow hackers to exploit and take over data centers from within. Given the nasty moniker "VENOM" (for "Virtualized Environment Neglected Operations Manipulation"), the vulnerability CrowdStrike uncovered is present in a common component — a legacy floppy drive controller — that is widely used in virtualization platforms and appliances. The seriousness of the VENOM vulnerability rests on how it circumvents an essential barrier used by cloud service providers to segregate customer data. Thus, infiltrators who are able... Read more...
A serious flaw has been discovered in the software component of some routers that feature a Realtek chipset. In particular, routers that utilize a Realtek RTL81XXX chipset and also use the 1.3 SDK (or older, potentially), are vulnerable to an exploit that could see executable code run as root. Because it's not obvious what chipset most routers will use, ITworld shares an extremely helpful link that will let you search for whichever one you use. It should be stressed, though, that not every affected router may be listed here, and it still hasn't been ruled-out if versions older than the 1.3 SDK... Read more...
Another day, another story about a poor SSL implementation. According to analytics service SourceDNA, a staggering 1,500 iOS apps are bugged with a gaping HTTPS hole, allowing attackers to intercept traffic that should otherwise be secure. The bug exists in a popular networking library called AFNetworking. If an app was built with version 2.5.1, it's vulnerable, whereas with 2.5.2, released a few weeks ago, is not. It'd be easy to write this issue off as one that affects a small number of developers, but SourceDNA says that even apps from Microsoft, Uber, and Yahoo were all affected. Those apps... Read more...
Swedish hacker Emil Kvarnhammar is reporting that an unpublished OS X API — he dubs it a "backdoor" — can be used by nefarious types to gain root access through local users without Administrator status on Mac computers that have not yet been migrated to the 10.10.3 iteration of OS X, which was released just two days ago. "The admin framework in Apple OS X contains a hidden backdoor API to root privileges [that] can be exploited to escalate privileges to root from any user account in the system," Kvarnhammar says in an advisory. "The intention was probably to serve the System Preferences app and... Read more...
1 2 3 Next