Feeds

Articles about Exploits

Exploits no more! Firefox 26 blocks all Java plugins by default

The latest release of the Firefox web browser, version 26, now blocks Java software on all websites by default unless the user specifically authorizes the Java plugin to run. The change has been a long time coming. The Mozilla Foundation had originally planned to make click-to-run the default for all versions of the Java plugin …
Neil McAllister, 10 Dec 2013

NSA spooks tooled up with zero-day PC security exploits from the FRENCH

The NSA bought specialist computer hacking tools and research from French security outfit Vupen, according to documents unearthed using the Freedom of Information Act. A contract shows the American spooks paid for a year's supply of zero-day vulnerability information and the software needed to exploit those flaws to attack …
John Leyden, 17 Sep 2013

Vulns, exploits, hacks: Trusteer touts tech to terminate troubles

Trusteer is expanding from its speciality of providing transaction protection security to financial institutions with an enterprise-level product designed to guard against zero-day exploits and social engineering. Unpatched application vulnerabilities in widely deployed endpoint applications (such as web browsers) can be given …
John Leyden, 24 Apr 2013
More flaws found in Java

It's about time: Java update includes tool for blocking drive-by exploits

Oracle's latest update to the Java SE Development Kit (JDK) version 7 adds new security features designed to help businesses avoid being stung by critical vulnerabilities in out-of-date versions of Java. After a string of embarrassing Java security flaws was disclosed by independent researchers, Oracle has made addressing …
Neil McAllister, 13 Sep 2013
The Register breaking news

Samsung's smart TVs 'wide open' to exploits

Samsung's Smart TV has a vulnerability which allows remote attackers to swipe data, according to security researchers. Malta-based security start-up ReVuln claims to have discovered a zero-day vulnerability affecting Smart TV, in particularly a Samsung TV LED 3D. Smart TV can be used to browse the internet, use social networks …
John Leyden, 12 Dec 2012
The Register breaking news

Crims prefer old exploits: Microsoft

While media around the world are excited by the announcement of every new zero-day vulnerabilities, attackers yawn, according to Microsoft. Presenting Volume 11 of its Security Intelligence Report at the RSA Conference in Europe on October 11, Microsoft pointed out that less than one percent of the attacks its report identified …

Oracle releases July patch batch... with 27 fixes for remote exploits

Oracle has pushed out a quarterly patch batch of 89 updates that mean almost all of its enterprise software products need updating for one reason or another. Craig Young, a security researcher at Tripwire, noted that most of the vulnerabilities were picked up by third-party researchers. “The constant drumbeat of critical Oracle …
John Leyden, 17 Jul 2013
Stuxnet

Oi! Rip Van Winkle: PATCH, already

Nearly 20 million computers remain infected with malware targeting a vulnerability first targeted four years ago by the Stuxnet worm. The flaw (CVE-2010-2568) was a Windows operating system bug in the way shortcuts worked allowing quiet download of the random dynamic library on Win Server 2003 and XP through to version 7. Since …
Darren Pauli, 20 Aug 2014
Facebook security

Facebook slings $50k Internet Defense Prize™ at bug hunter duo

Facebook and Usenix have together created the Internet Defense Prize™ – and awarded its first gong to security bods Johannes Dahse and Thorsten Holz. The pair, of Ruhr University Bochum in Germany, received $50,000 from Facebook's prize-giving committee for their paper, Static Detection of Second-Order Vulnerabilities in Web …
Darren Pauli, 21 Aug 2014

Noooo... WAIT. Google slaps on Chrome patches ahead of Pwn2Own hackfest

Google trowelled plaster over seven security cracks in Chrome on Tuesday, a day before the browser became one of the targets at the annual Pwn2Own hacking competition. The latest cross platform security update for Chrome fixed four "high" severity flaws and three lesser bugs. Three of the four high profile bugs were discovered …
John Leyden, 13 Mar 2014
Good riddance to bad Java

Now even Internet Explorer will throw lousy old Java into the abyss

Internet Explorer will soon join its rival browsers by automatically blocking old, insecure add-ons – and it's got its eye set squarely on Java. Microsoft said on Wednesday that starting on August 12, Internet Explorer will begin alerting users when web pages try to launch ActiveX controls that are considered out-of-date and …
Neil McAllister, 07 Aug 2014

Hacker publishes tech support phone scammer slammer

Security pro Matthew Weeks has released a Metasploit module that can take over computers running the Ammyy Admin remote control software popular among "Hi this is Microsoft, there's a problem with your computer" tech support scammers. Weeks' day job is director at Root9b, but he's taken time to detail a zero-day flaw in Ammyy …
Darren Pauli, 12 Sep 2014
Privacy image

Flaw in Google's Dropcam sees it turned into SPYCAM

Hackers could inject fake video into popular home surveillance kit Dropcam and use the system to attack networks, researchers Patrick Wardle and Colby Moore say. The wide-ranging attacks were tempered by the need for attackers to have physical access to the devices but the exploits offer the chance to inject video frames into …
Darren Pauli, 15 Jul 2014
balaclava_thief_burglar

Cisco: Hey, IT depts. You're all malware hosts

Everybody – at least every multinational that Cisco checked out for its 2014 Annual Security Report – is hosting malware of some kind, and there aren't enough security professionals to go around. Along with its Managed Threat Defense service launched this week, Cisco also launched the latest publication (here with registration) …
Old computer

Researcher sat on critical IE bugs for THREE YEARS

Security outlet VUPEN has revealed it held onto a critical Internet Explorer vulnerability for three years before disclosing it at the March Pwn2Own hacker competition. The company wrote in a disclosure last week it discovered the vulnerability (CVE-2014-2777) on 12 February 2011 which was patched by Microsoft on 17 June (MS14- …
Darren Pauli, 24 Jul 2014
Australia China

Latest IE flaw being actively exploited

April's Internet Explorer flaw is being exploited, with at least two listed Australian entities targeted by a sophisticated foreign hacking outfit. The organisations were targeted in a campaign that foisted the Internet Explorer exploits (MS14-021) at high end corporations three days after the dangerous flaws were exposed. …
Darren Pauli, 15 May 2014
windows 7 image

Redmond is patching Windows 8 but NOT Windows 7, say security bods

Microsoft has left Windows 7 exposed by only applying patches to its newest operating systems. Researchers found the gaps after they scanned 900 Windows libraries and uncovered a variety of security functions that were updated in Windows 8 but not in 7. They said the shortcoming could lead to the discovery of zero day …
Darren Pauli, 06 Jun 2014
angler exploit kit 1

Silverlight finally becomes popular ... with crims

Silverlight has become a choice target for VXers who are foisting nasty exploit kits (EKs) on users through hacked advertising networks. Attacks targeting Silverlight have spiked since 23 April as attackers look for web platforms to target now that Java and Flash have cleaned up their acts a bit. Cisco lead threat researcher …
Darren Pauli, 20 May 2014
Rubbish bin

Webmin hole allows attackers to wipe servers clean

Holes in the Webmin Unix management tool - thankfully since patched - could allow attackers to delete data on servers, says security researcher John Gordon of the University of Texas. The remote root access server tool contained vulnerabilities in newly-created cron module environment variables that could erase data through …
Darren Pauli, 11 Sep 2014

SHELLSHOCKED: Fortune 1000 outfits Bash out batches of patches

The majority of Fortune 1000 and Global 2000 companies have already deployed, or are now deploying, Shellshock patches to fend off code attacks, according to cloud security firm CloudPassage. The Shellshock vulnerability allows remote attackers to execute arbitrary code on servers using a variety of techniques, with the CVE-2014 …
John Leyden, 29 Sep 2014

Revealed ... GCHQ's incredible hacking tool to sweep net for vulnerabilities: Nmap

For the past five years, British spying nerve-center GCHQ has been port scanning internet-connected computers in 27 countries – in a exhaustive hunt for systems to potentially exploit. That bombshell comes amid fresh leaks detailing the dragnet surveillance programs operated by the Five Eyes nations: America, UK, Canada, …
John Leyden, 15 Aug 2014

jQuery site popped to serve malware slop

The jQuery site served credential-stealing malware to scores of users who visited the website on September 18, researcher James Pleger says. The super-popular JavaScript library was used by 30 percent of websites including 70 percent of the 10,000 most popular sites which may have been compromised by the RIG exploit kit. jQuery …
Darren Pauli, 24 Sep 2014
Apple_iPad_001_SM

iPad racketeers' high wire exploits falter

Chinese smugglers have been caught transporting a host of Apple goods over a zip-line into Hong Kong in a bid to profit from tax differences. Using a crossbow, the perpetrators fired a fishing line from a skyscraper in Shenzhen over the Sha Tau Kok river and into a small house in Hong Kong. The team then filled nylon bags full …
Caleb Cox, 08 Aug 2011
Evil Android

App permissions? Pah! Rogue Android soft can 'place phone calls at will'

Researchers at German security firm Curesec have identified bugs present in most versions of Android that can allow malicious applications to place phone calls, even when they lack the necessary permissions. By exploiting these vulnerabilities, rogue apps can get up to such mischief as surreptitiously dialing out to expensive …
Neil McAllister, 07 Jul 2014

Time to ditch HTTP – govt malware injection kit thrust into spotlight

A new report form the Toronto-based internet watchdog Citizen Lab has shown cases of governments running network injection attacks that can deliver malware via any HTTP web connection. The dossier looks at two hacking tools created by the Italian firm Hacking Team and the German biz FinFisher that use the injection attack vector …
Iain Thomson, 16 Aug 2014
Tesla hack

Students hack Tesla Model S, make all its doors pop open IN MOTION

Zhejiang University students have hacked the Tesla Model S with an attack that enabled them to open its doors and sun roof, switch on the headlights and sound the horn - all while the car was driving along. The hack was part of a competition at the annual Syscan conference in Beijing, where a prize of $US10,000 was offered to …
Darren Pauli, 21 Jul 2014
WordPress

50,000 sites backdoored through shoddy WordPress plugin

Some 50,000 sites have been sprayed with backdoors from shonky malware targeting a popular and vulnerable WordPress plugin, according to researcher Daniel Cid. Sucuri founder Cid says the bodged malware can infect any site that resides on the server of a hacked WordPress website. The flawed plugin allowed attackers to "inject …
Darren Pauli, 24 Jul 2014
Remy from Ratatouille

FireEye, Microsoft, Cisco team up to take down RAT-flinging crew

Security vendors have teamed up to fight a prolific cyber-espionage group thought to be based in China. The hacking crew has been targeting finance, education, government, policy groups and think tanks for around four years since 2010. One of its main tools is Moudoor, a derivative of the infamous Gh0st RAT (remote access tool …
John Leyden, 15 Oct 2014

Bored hackers flick Shellshock button to OFF as payloads shrink

Malicious and benign attacks against systems vulnerable to Shellshock had halved by Sunday after peaking three days following the bug's disclosure, Akamai researchers say. The variety of payloads targeting vulnerable sites increased dramatically over the same period before tapering off, in a possible sign that hackers were bored …
Darren Pauli, 03 Oct 2014
image via SXC

Super-critical Java zero-day exploits TWO bugs

A potent Java security vulnerability that first appeared earlier this week actually leverages two zero-day flaws. The revelation comes as it emerged Oracle knew about the holes as early as April. Windows, Mac OS X and Linux desktops running multiple browser platforms are all vulnerable to attacks. Exploit code already in …
John Leyden, 30 Aug 2012
The Register breaking news

Adobe preps sandboxing tech to fight exploits

Adobe has fleshed out its plans to offer sandboxing as a mechanism to limit the impact of attacks against its ubiquitous Adobe Reader PDF reader application. Available from November, Adobe Reader X will incorporate virtual sandboxing technology that will place controls on the application's ability to modify the registry or …
John Leyden, 19 Oct 2010

THREE QUARTERS of Android mobes open to web page spy bug

A Metasploit module has been developed to easily exploit a dangerous flaw in 75 percent of Android devices that allows attackers to hijack a users' open websites. The exploit targets vulnerability (CVE-2014-6041) in Android versions 4.2.1 and below and was disclosed without fanfare on 1 September, but had since gathered dust, …
Darren Pauli, 16 Sep 2014
android tongue

Bad news, fandroids: He who controls the IPC tool, controls the DROID

A security flaw in a core message-passing mechanism leaves every Android device potentially vulnerable to attack, security researchers warned on Thursday. The newly discovered flaw enables hackers to override in-app security features, leaving critical apps such as mobile banking susceptible to tampering. The same vulnerability …
John Leyden, 16 Oct 2014
Q and Bond, Skyfall

JUST LIKE US: Hackers who work for gov seem almost... ORGANISED

State-sponsored hackers are looking less like traditional hacking crews and more like military units as they share infrastructure and adopt strict hierarchies, according to new research. Infosec firm FireEye has identified links between 11 APT campaigns, including use of the same malware tools, shared code, binaries with the …
John Leyden, 14 Nov 2013
Social media buttons

Attack flogged through shiny-clicky social media buttons

Web admins beware: social media buttons that load scripts from unknown external sites could see your sites foisting the FlashPack exploit kit to visitors. Several sources warn that popular JavaScript social media panels are being modified to load external resources that pulled down FlashPack, formerly known as SafePack, which …
Darren Pauli, 26 Aug 2014

FinFisher spyware used to snoop on Bahraini activists, police told

Allegations that three Bahraini activists resident in Britain were spied on by Bahraini authorities using British spyware have led to a criminal complaint. Privacy International is calling on the National Cyber Crime Unit of Britain's National Crime Agency to investigate the unlawful surveillance of three human rights …
John Leyden, 16 Oct 2014

Goog says patch⁵⁰ your Chrome

Google has dropped 50 patches for its flagship Chrome browser plugging holes and handed $30,000 to a lone bug hunter who reported a dangerous sandbox-busting attack. A clever chained combo of multiple flaws, reported to Google and patched, allowed attackers to crawl out of Chrome's security sandbox and execute code remotely. It …
Darren Pauli, 27 Aug 2014

Java, Android were THE wide-open barn doors of security in 2013 - report

While it was another tough year for network security all around, 2013 was particularly hard on users of Java and Android, new research from Cisco has found. According to the networking giant's latest Annual Security Report, Java flaws were responsible for 91 per cent of all web-based exploits in 2013. Meanwhile, fully 99 per …
Neil McAllister, 17 Jan 2014

Poison PDF pusher released to public

Attacking enterprises just got easier with the development of an idiot-friendly tool that spits out booby-trapped PDFs with a few clicks. The tool weaves existing exploits into PDFs, allowing attacks against Adobe Reader and Acrobat versions 8.x prior to 8.2.1 and 9.x before 9.3.1. Users can insert their own URL pointers into …
Darren Pauli, 12 Jun 2014
bug on keyboard

Patch Tuesday brings Microsoft fixes and Adobe Shockwave update

Microsoft and Adobe have delivered the February edition of their monthly security updates. The two firms kicked off the second Patch Tuesday of the year by each releasing fixes for critical vulnerabilities that could allow for remote code execution. For Microsoft, the monthly release consists of six bulletins which address a …
Shaun Nichols, 12 Feb 2014

NSA Sentry Eagle placed spies in private companies

The National Security Agency (NSA) has since 2004 sent spies into private companies in a bid to compromise networks from within, according to documents leaked by Edward Snowden. Agents sent in by the NSA targeted global communications firms under a highly classified 'core secrets' program dubbed Sentry Eagle previously known …
Darren Pauli, 14 Oct 2014

FBI and pals grab banking Trojan zombielord's joystick

Law enforcement and the security business have teamed up to disrupt the operation of the Shylock banking Trojan. The UK's National Crime Agency joined forces with Europol and the FBI to take down and seize the command and control servers key to running the botnet. Law enforcement also took control of the domains Shylock uses for …
John Leyden, 11 Jul 2014

Oracle SHELLSHOCKER - data titan lists unpatchables

Oracle has confirmed that at least 32 of its products are affected by the vulnerability recently discovered in the Bash command-line interpreter – aka the "Shellshock" bug – including some of the company's pricey integrated hardware systems. The database giant issued a security alert regarding the issue on Friday, warning that …
Neil McAllister, 27 Sep 2014

Racing Post escapes ICO fine after leaking info of 677K punters

UK sports-betting newspaper the Racing Post has received a stern warning – but not a fine – after it emerged that it had aired the private details of more than 677,000 customers as the result of a security breach last year. The October 2013 snafu resulted in the exposure of the names, addresses, passwords, dates of birth and …
John Leyden, 28 Aug 2014

OpenSSL promises devs advance notice of future bugs, slaps if they blab

In the wake of Heartbleed, the OpenSSL project has decided that *nix distributions that use the popular crypto pack will get advance notice of upcoming security-related bugfixes. The project has decided that distributions that ship with OpenSSL will get some advance notice of issues ahead of fixes – an announcement on the …
Google Chrome logo

Chrome 35 made deaf to old speech API bug

Google has patched 23 vulnerabilities, including three marked high risk, in the latest update to the web browser. Mountain View has yet to release details on the full set of patched bugs pushed out overnight in the new release 35 of Chrome for Windows, Mac and Linux. Chrome engineer Karen Grünberg said it paid out US$9500 to …
Darren Pauli, 21 May 2014
Dunce

Banking apps: Handy, can grab all your money... and RIDDLED with coding flaws

The whopping 70 per cent of retail and 69 perc ent of financial services apps are vulnerable to data breaches. That's according to an analysis of 705 million lines of code as used by 1,316 enterprise applications carried out by software analysis and measurement firm CAST. The firm reckons a growing number of data breaches and …
John Leyden, 27 Aug 2014
Bug bounties

SMASH the Bash bug! Apple and Red Hat scramble for patch batches

A fresh dump of Shellshock patches were released on Friday night in the latest move to stamp out the Bash shell security vuln that has the potential to blight millions of Linux, Unix and Mac OS X machines. Red Hat said in a blog post that the threat from Shellshock was receding now that patches had been issued for most operating …
Team Register, 28 Sep 2014
Breach

2,285,295 Aussie logins nabbed in Russian password haul

More than two million unique login credentials for Australian internet users were stolen as part of the massive haul of 1.2 billion passwords by a Russian hacker outfit. Earlier this month Hold Security reported that Russian hackers under the group dubbed CyberVors amassed the largest ever cache of stolen website passwords …
Darren Pauli, 11 Aug 2014
Curiosity Mars rover's latest hole in Mars

Curiosity GOUGES AND SCORCHES Mars with drill and laser

Nuclear-powered space tank Curiosity as struck another blow for humanity by scorching Mars with seven smears of its mighty lasers. NASA published photos of the rover's latest exploits yesterday, explaining that the latest unfurling of Curiosity's laser weapons was done after the vehicle had first unleashed its drill and …
Simon Sharwood, 16 May 2014