Items tagged with vulnerability
Well, this isn't something we see everyday. With Project Zero, Google monitors the discovery of software vulnerabilities, and in the event that one is found, the vendor responsible for it will be contacted. As per Google's own ruling, if a bug is not patched in 90 days from the date it's disclosed, it'll become derestricted automatically, meaning that anyone can pore over it's details.That's just what's happened with the latest elevation-of-privilege vulnerability that affects at least Windows 8.1 (no other OSes were tested by the submitter). This is a local-only bug, so it's not classified as severe, but it still raises some concern. If exploited, anyone with a non-administrator account would...
Read more...
A weakness has been identified that could exist in Android, Windows, and iOS devices that can be used to obtain personal information. Discovered by a team of researchers, the vulnerability revolves around multiple applications running on a shared infrastructure that can be exploited. According to their research, they were able to test a method, on an Android phone, that was successful between 82 percent and 92 percent of the time for six of the seven apps that were tested. The apps with such high percentages were Gmail (92 percent), H&R Block (92 percent), Newegg (86 percent), WebMD (85 percent), CHASE Bank (83 percent), and Hotels.com (83 percent). The final app tested belonged to Amazon,...
Read more...
When the OpenSSL vulnerability Heartbleed broke cover in April, it felt like it was the only thing that mattered for an entire week. Like many news outlets, we reported on the bug from a number of different angles, and it was all for good reason: It's a severe bug, and one that the world needs to know about. Given all of the attention Heartbleed received, it'd be easy to assume that the vulnerability would now be hard to spot out in the wild - but no. Far from it, actually. When we first learned of Heartbleed, it was estimated that at least half a million Web servers were vulnerable because of it. More importantly, the bug affected a large number of popular services, requiring users to change...
Read more...
In the world of software, it's not uncommon to learn of a program that's implemented vulnerable code for over a decade (Java, anyone?), but where gaming's concerned, that's another story. According to a security researcher simply going by "Joe", one such vulnerability has made Bethesda its home. Clearly the sort of guest that overstays their welcome, this vulnerability has appeared in the company's titles dating back to 2002, with Morrowind. Exploiting the vulnerability is a matter of loading up the in-game console and writing out some simple hex code to alter some memory addresses. An example is with: "0x%x_0x%x_0x%x". When executed, the action skips a function due to how...
Read more...
This coming Tuesday, April 9, is going to be a busy one for Microsoft’s update servers. In advance of what have become known as “Patch Tuesday”, Microsoft posted nine early security bulletins to notify users and system administrators of the slew of impending Windows updates. Two of the patches have been deemed critical, while the remaining seven are flagged as important. And all of the updates are likely to require a restart. The exact details of the two critical updates are not posted just yet, but one of them affects Windows and Internet Explorer; the other is solely a Windows update. Though the details aren’t posted, critical updates are usually deemed as such because...
Read more...
A new research report on Valve's Steam has highlighted how the program can be used to launch malicious code attacks, thanks to flaws in how browser commands are passed between Steam and browsers like Chrome, IE, Opera, and Firefox. First, it's important to understand that Steam itself isn't the (S)ource of the vulnerability. As Figure 1 illustrates, the attack vector presupposes that a machine has already been compromised in some fashion. The relevant vulnerabilities all revolve around the Steam browser and how Steam:// commands are treated by the third-party browsers they interact with. Browsers based on Firefox will execute Steam:// protocol handlers without any warnings; IE9 will warn (but...
Read more...
Today, Microsoft released its detailed security report covering the latter half of 2010. Industry tends in general are positive—vulnerability disclosures in 2010 fell 16.5 percent from their 2009 levels and approximately 35 percent from 2006. Microsoft's own share of the vulnerability pie rose from 4.5 percent in 2009 to 7.2 percent in 2010; the company claims this is largely because industry disclosures fell so sharply in just one year. The general decline in disclosures hides sharp changes in the nature of the exploits roaming the Internet. From the report: Malware written in Java has existed for many years, but attackers had not focused significant attention on Java vulnerabilities until...
Read more...
Energizer has discontinued the sale of its Duo Charger/USB Charger due to a vulnerability in the Windows-based software that was supposed to be downloaded to support it.The devices allowed users to charge nickel metal hydride batteries from either a wall socket or a USB connection. The documentation with the charger suggested users download software from www.energizer.com/usbcharger (the page has since been taken down). The software allowed the user to view the charging status from a computer.A code was inserted in the software - Windows version only - that contained a backdoor allowing unauthorized remote system access. Simply removing the software won't completely remove the vulnerability,...
Read more...
Research In Motion, the maker of the popular BlackBerry line of handheld devices, has issued a security patch for the popular handhelds, warning they are vulnerable to attacks by hackers. According to security experts, if this latest patch is not applied, there is a risk hackers could exploit the vulnerability and take over a company’s server. To date, no hacker has exploited the vulnerability. As RIM put it, “Multiple security vulnerabilities exist in the PDF distiller of some released versions of the BlackBerry Attachment Service.” This vulnerability could cause memory corruption and could also possibly lead to arbitrary code execution on the computer that hosts the BlackBerry Attachment Service....
Read more...
