Articles about Exploits

Exploits no more! Firefox 26 blocks all Java plugins by default

The latest release of the Firefox web browser, version 26, now blocks Java software on all websites by default unless the user specifically authorizes the Java plugin to run. The change has been a long time coming. The Mozilla Foundation had originally planned to make click-to-run the default for all versions of the Java plugin …
Neil McAllister, 10 Dec 2013

NSA spooks tooled up with zero-day PC security exploits from the FRENCH

The NSA bought specialist computer hacking tools and research from French security outfit Vupen, according to documents unearthed using the Freedom of Information Act. A contract shows the American spooks paid for a year's supply of zero-day vulnerability information and the software needed to exploit those flaws to attack …
John Leyden, 17 Sep 2013

Vulns, exploits, hacks: Trusteer touts tech to terminate troubles

Trusteer is expanding from its speciality of providing transaction protection security to financial institutions with an enterprise-level product designed to guard against zero-day exploits and social engineering. Unpatched application vulnerabilities in widely deployed endpoint applications (such as web browsers) can be given …
John Leyden, 24 Apr 2013

It's about time: Java update includes tool for blocking drive-by exploits

Oracle's latest update to the Java SE Development Kit (JDK) version 7 adds new security features designed to help businesses avoid being stung by critical vulnerabilities in out-of-date versions of Java. After a string of embarrassing Java security flaws was disclosed by independent researchers, Oracle has made addressing …
Neil McAllister, 13 Sep 2013
The Register breaking news

Samsung's smart TVs 'wide open' to exploits

Samsung's Smart TV has a vulnerability which allows remote attackers to swipe data, according to security researchers. Malta-based security start-up ReVuln claims to have discovered a zero-day vulnerability affecting Smart TV, in particular a Samsung TV LED 3D. Smart TV can be used to browse the internet, use social networks …
John Leyden, 12 Dec 2012

Oracle releases July patch batch... with 27 fixes for remote exploits

Oracle has pushed out a quarterly patch batch of 89 updates that mean almost all of its enterprise software products need updating for one reason or another. Craig Young, a security researcher at Tripwire, noted that most of the vulnerabilities were picked up by third-party researchers. “The constant drumbeat of critical Oracle …
John Leyden, 17 Jul 2013

Noooo... WAIT. Google slaps on Chrome patches ahead of Pwn2Own hackfest

Google trowelled plaster over seven security cracks in Chrome on Tuesday, a day before the browser became one of the targets at the annual Pwn2Own hacking competition. The latest cross platform security update for Chrome fixed four "high" severity flaws and three lesser bugs. Three of the four high profile bugs were discovered …
John Leyden, 13 Mar 2014

Crims prefer old exploits: Microsoft

While media around the world are excited by the announcement of every new zero-day vulnerability, attackers yawn, according to Microsoft. Presenting Volume 11 of its Security Intelligence Report at the RSA Conference in Europe on October 11, Microsoft pointed out that less than one percent of the attacks its report identified …

Cisco: Hey, IT depts. You're all malware hosts

Everybody – at least every multinational that Cisco checked out for its 2014 Annual Security Report – is hosting malware of some kind, and there aren't enough security professionals to go around. Along with its Managed Threat Defense service launched this week, Cisco also launched the latest publication (here with registration) …

iPad racketeers' high wire exploits falter

Chinese smugglers have been caught transporting a host of Apple goods over a zip-line into Hong Kong in a bid to profit from tax differences. Using a crossbow, the perpetrators fired a fishing line from a skyscraper in Shenzhen over the Sha Tau Kok river and into a small house in Hong Kong. The team then filled nylon bags full …
Caleb Cox, 08 Aug 2011

JUST LIKE US: Hackers who work for gov seem almost... ORGANISED

State-sponsored hackers are looking less like traditional hacking crews and more like military units as they share infrastructure and adopt strict hierarchies, according to new research. Infosec firm FireEye has identified links between 11 APT campaigns, including use of the same malware tools, shared code, binaries with the …
John Leyden, 14 Nov 2013

Java, Android were THE wide-open barn doors of security in 2013 - report

While it was another tough year for network security all around, 2013 was particularly hard on users of Java and Android, new research from Cisco has found. According to the networking giant's latest Annual Security Report, Java flaws were responsible for 91 per cent of all web-based exploits in 2013. Meanwhile, fully 99 per …
Neil McAllister, 17 Jan 2014

Patch Tuesday brings Microsoft fixes and Adobe Shockwave update

Microsoft and Adobe have delivered the February edition of their monthly security updates. The two firms kicked off the second Patch Tuesday of the year by each releasing fixes for critical vulnerabilities that could allow for remote code execution. For Microsoft, the monthly release consists of six bulletins which address a …
Shaun Nichols, 12 Feb 2014

Super-critical Java zero-day exploits TWO bugs

A potent Java security vulnerability that first appeared earlier this week actually leverages two zero-day flaws. The revelation comes as it emerged Oracle knew about the holes as early as April. Windows, Mac OS X and Linux desktops running multiple browser platforms are all vulnerable to attacks. Exploit code already in …
John Leyden, 30 Aug 2012

Biz bods STILL don't patch hacker's delight Java and Flash

A whopping 81 per cent of businesses run outdated Java while two in five (40 per cent) have not updated Flash, according to the latest figures from net security firm Websense. Websense warns that failing to apply patches that address vulnerabilities in hacker favourites such as Flash and Java leaves these businesses at risk of …
John Leyden, 10 Sep 2013

Adobe preps sandboxing tech to fight exploits

Adobe has fleshed out its plans to offer sandboxing as a mechanism to limit the impact of attacks against its ubiquitous Adobe Reader PDF reader application. Available from November, Adobe Reader X will incorporate virtual sandboxing technology that will place controls on the application's ability to modify the registry or …
John Leyden, 19 Oct 2010

Sync'n'steal: Hackers brew Android-targeting Windows malware

Internet Igors have stitched together the first strain of Windows malware that can hop over and infect Android smartphones and tablets. The Droidpak mobile banking trojan exploits syncing between smartphones and Windows PCs to jump from a compromised PC onto an Android device. The Windows Trojan downloads a malicious .APK file …
John Leyden, 27 Jan 2014

Rare AutoCAD malware rigs drafting machines for follow-up attacks

Security researchers have discovered a rare strain of AutoCAD malware that opens up compromised machines to secondary exploits. ACM/SHENZ-A poses as a legitimate component of AutoCAD software for computer-aided design (CAD). But analysis by security researchers at Trend Micro has revealed that the malicious file opens up systems …
John Leyden, 25 Nov 2013

Politically motivated exploits target activists on Google

Politically motivated attackers are exploiting an unpatched flaw in all supported versions of Microsoft Windows to carry out highly targeted attacks against activists using Google, the company's security team warned. The unidentified attackers are wielding a serious vulnerability in the way Windows parses webpages containing …
Dan Goodin, 12 Mar 2011

Malware! tainted! ads! infect! thousands! of! Yahoo! users!

Thousands of Yahoo! users have been exposed to malware through malicious advertisements over the past few days, according to research by Dutch security firm Fox-IT. Malware-tainted ads served from ads.yahoo.com were shown to victims in Romania, Great Britain and France, infecting tens of thousands every hour. The first infection …
John Leyden, 06 Jan 2014

Dozens of exploits released for popular SCADA programs

The security of software used to control hardware at nuclear plants, gas refineries and other industrial settings is coming under renewed scrutiny as researchers released attack code exploiting dozens of serious vulnerabilities in widely used programs. The flaws, which reside in programs sold by Siemens, Iconics, 7-Technologies …
Dan Goodin, 22 Mar 2011

Didn't you know? Today's Patch Thursday! Adobe splats hijack bug in Shockwave Player

Adobe has updated its Shockwave Player to close a security hole that could allow hackers to hijack vulnerable Windows and OS X computers. The Photoshop giant said version 12.1.150 will address a flaw that enables an attacker to potentially remotely control a targeted system: a malicious file opened by Shockwave could exploit a …
Shaun Nichols, 13 Mar 2014

Kaspersky rips The Mask from sneaky Spanish spy campaign

Security researchers have discovered a sophisticated string of cyberattacks from a group of Spanish-speaking miscreants who have been operating since at least 2007. “The Mask” (aka Careto) is one of the most advanced campaigns to date due to the complexity of the toolset used by the attackers, according to Kaspersky Lab. This …
John Leyden, 11 Feb 2014

Microsoft hardens EMET security tool: OK, it's not invulnerable, but it's free

Microsoft has beefed up its Enhanced Mitigation Experience Toolkit (EMET), adding features designed to block more exploits. The release of the technical review (beta) version of the tool, EMET 5.0, follows the discovery of new attacks against earlier versions of the technology. EMET 5.0 beta comes with a feature called Attack …
John Leyden, 26 Feb 2014

Team Cymru spots 300,000 compromised SOHO gateways

It's time to check the DNS settings on your broadband gateway, with security research group Team Cymru discovering an attack that could have redirected as many as 300,000 devices to a malicious resolver. Once a gateway is compromised, the devices behind it would be sent to the attacker's DNS, exposing them to drive-by attacks, …

A-D'OH!-BE: Adobe hit by 'sophisticated' MEGA HACK RANSACK

Adobe's systems have been hit by numerous "sophisticated attacks" that have compromised the information of 2.9 million customers, and accessed the source code of Adobe products. The company said on Thursday that it has been the victim of a major cyberattack and said hackers had accessed those millions of customer IDs and …
Jack Clark, 03 Oct 2013

Have a Linksys router? Now's a good time to update that firmware

Owners and administrators of Linksys home routers are being advised to update and secure their devices following reports of active attacks on a flaw present in at least two models. Researchers with the SANS Institute's Internet Storm Center have received reports of mass attacks on a remote access vulnerability in the Linksys …
Shaun Nichols, 13 Feb 2014

OpenSSL Heartbleed bug sniff tools are 'BUGGY' – what becomes of the broken hearted?

Software that claims to detect the presence of OpenSSL's Heartbleed bug in servers, PCs and other gear may falsely report a system to be safe when users are actually in danger, according to a security consultancy. This finding is disputed by developers publishing tools that test for the vulnerability. The teams behind Nessus, …
John Leyden, 17 Apr 2014

RIP Full Disclosure: Security world reacts to key mailing list's death

The legendary Full Disclosure mailing list, where security researchers posted details of exploits and software vulnerabilities, is shutting down. The service, which had been running for nearly 12 years since July 2002, has been suspended indefinitely after list admin John Cartwright was no longer prepared to put up with the …
John Leyden, 19 Mar 2014

Are you experienced? The Doctor Who assistants that SUFFERED the most

There is a range of events the Doctor’s companions can expect to encounter, from meeting his most arch of enemies to being flung bodily through time and space, and undergoing various forms of attack. One might presume the more adventures they have, the more of these experiences they’ll gain, so the radius of the slices indicates …
Paul Smith, 14 Nov 2013

Adobe hackers strike again: PR Newswire grovels to clients after latest hack'n'grab

PR Newswire has been forced to reset its clients' passwords following a security breach linked to the same hackers who smashed into Adobe earlier this month. The hackers made off with the usernames and encrypted passwords of the marketing and press release distribution service's customers, reports investigative journalist Brian …
John Leyden, 21 Oct 2013

Android update process gives malware a leg-up to evil: Indiana U

Researchers from Indiana University Bloomington have tagged a vulnerability in the way Android handles updates, which they say puts practically every Android device at risk of malicious software. As ThreatPost explains, the vulnerability uses the update process to “ramp up the permissions given to malicious apps once Android is …

Vulnerability leaves Cisco small biz routers wide open to attack

A number of Cisco networking products for small businesses contain critical vulnerabilities that could allow attackers to gain root access to the equipment, the networking giant has warned. The affected products include the WAP4410N Wireless-N Access Point, the WRVS4400N Wireless-N Gigabit Security Router, and the RVS4000 4-port …
Neil McAllister, 14 Jan 2014

iOS 7: Even if you don't jailbreak your iPhone, bugs STILL CREEP IN

The comforting notion that unmodified iOS phones are more or less immune to security threats has been shaken to the core with the release of new research that shows mobile monitoring applications can bypass Apple’s app review process and successfully exploit non-jailbroken iOS 7 kit. Background monitoring mobile (AKA snooping) …
John Leyden, 25 Feb 2014

Sneaky Trojan exploits e-commerce flaws

More details have emerged of an e-commerce software flaw linked to the theft of credit card information from numerous websites. A security flaw in osCommerce, an open source e-commerce package, created a means for criminals to compromise 90,000 web pages with redirection scripts that ultimately directed surfers towards a site …
John Leyden, 01 Aug 2011

Open wide, Google: Here comes an advertising antitrust probe

Ad giant Google is facing an antitrust probe intended to establish whether it exploits its dominance in the advertising trade to steer customers away from rivals' products. According to a Bloomberg report, the US Federal Trade Commission is in the preliminary stages of an investigation, which may not develop into a full-blown …
Jasper Hamill, 24 May 2013

Oracle trowels more plaster over flawed Java browser plugin

Oracle has issued a rare emergency patch to address two vulnerabilities in the Java plugin for web browsers that the company says are being actively exploited. "Due to the severity of these vulnerabilities, and the reported exploitation of CVE-2013-1493 'in the wild,' Oracle strongly recommends that customers apply the updates …
Neil McAllister, 05 Mar 2013

Fine! We'll keep updating WinXP's malware sniffer after April, says Microsoft

Microsoft has capitulated to the legions of users who are still running Windows XP once again, by extending support for its antimalware software for the aging OS into 2015. In the past, Redmond has warned that it would discontinue support for Microsoft Security Essentials, Forefront Client Security, Forefront Endpoint Protection …
Neil McAllister, 16 Jan 2014

Hey, Glasshole: That cool app? It has turned you into a SPY DRONE

Security researchers have created prototype Google Glass spyware that is capable of snooping on everything the user is looking at without tipping off victims that anything is amiss. Mike Lady and Kim Paterson – graduate researchers at California Polytechnic San Luis Obispo – created an app that takes a picture every 10 seconds a …
John Leyden, 24 Mar 2014

Phisherman's friend: Confused hacktivists deface FAKE BANK SITE

Anon hackers have been caught boasting about defacing a counterfeit Yorkshire Bank website. Hacktivist crew Anon Ghost earned coverage on underground security blogs for defacing “Yorkshire Bank, one of the largest United Kingdom bank (sic)”. However, the hackers actually hit "ybs-bank.com", a Malaysian imitation of the real …
John Leyden, 06 Mar 2014

Crimelords: Stolen credit cards... keep 'em. It's all about banking logins now

Stolen bank login information attracts an even higher price than credit card numbers on underground cybercrime bazaars, and EU logins are worth more than American ones, according to research by McAfee. The Intel-owned security division's Cybercrime Exposed paper highlights trends in the thriving digital underground, including …
John Leyden, 02 Jul 2013

It's 2014 and Microsoft Windows PCs can still be owned by a JPEG

Microsoft has fixed security bugs in Internet Explorer and Windows that allow hackers to remotely execute code on victims' vulnerable machines – one bug a result of poor JPEG handling. Redmond said the March edition of Patch Tuesday – out today, natch – tackles programming errors in the software giant's web browser, operating …
Shaun Nichols, 11 Mar 2014

Java devs warned of pushbutton exploit for buggy Struts framework

Java developers were warned, but they didn't listen. Security researchers at Trend Micro report that old and vulnerable versions of the Apache Struts framework for Java are still in widespread use, and now Chinese hackers are using automated tools to exploit their flaws. The vulnerabilities in question were patched in the July …
Neil McAllister, 15 Aug 2013

Hidden 'Windigo' UNIX ZOMBIES are EVERYWHERE

Hackers using a Trojan seized control of over 25,000 Unix servers worldwide to create a potent spam and malware distribution platform. The attack, dubbed Operation Windigo, was uncovered by security experts at anti-virus firm ESET, in collaboration with CERT-Bund, the Swedish National Infrastructure for Computing, as well as …
John Leyden, 18 Mar 2014

Attack exploits just-patched Mac security bug

If you haven't installed the latest security update for Mac OS X, now would be a good time. A security researcher has released a proof-of-concept attack that exploits critical vulnerabilities that Apple patched on Thursday. The vulns stem from bugs in the Java runtime environment that allow attackers to remotely execute …
Dan Goodin, 04 Dec 2009

Micron takes on Intel with 'breakthrough' processor for streaming data

Memory specialist Micron has announced a new accelerator processor that it claims outperforms Intel's chips when it comes to dealing with streaming data. The "Automata Processor" was announced by the company on Monday and billed as a device that uses the inherent parallelism of memory architectures to speed the ingestion and …
Jack Clark, 19 Nov 2013

Charlie Miller to tell Vegas punters how to hack your car

An eagerly anticipated talk by Charlie Miller on car hacking, rejected by organisers of the Black Hat security conference, will get an airing in Las Vegas this summer after all. Charlie Miller, a security engineer at Twitter, and Chris Valasek, director of security intelligence at IOActive, are due to present a talk on …
John Leyden, 25 Jun 2013

Windows 8 'penetrated' says firm which sells to world's spy agencies

French security research firm Vupen claim to have already developed a reliable Windows 8 exploit, just days after the launch of the latest edition of Microsoft's flagship operating system. The sometimes controversial firm, which sells the exploits it develops to Western government agencies and deliberately avoids sharing …
John Leyden, 01 Nov 2012

Snapchat vows to shut its hole in wake of 4.6 million user data breach

Mobile image-sharer Snapchat has promised an update to its service to seal off a security hole that allowed hackers to harvest the account details of some 4.6 million users. The company said that its update will allow users to opt out of the Find Friends system and prevent others from looking up their account information through …
Shaun Nichols, 04 Jan 2014

Adobe plugs up buffer overflow holes in Shockwave update

Adobe released a patch for its Shockwave Player software on Tuesday, addressing six security vulnerabilities that might easily lend themselves to malware-pushing exploits. Shockwave Player 11.6.7.637 and earlier versions on both Windows and Mac need updating to the latest version: Shockwave Player 11.6.8.638. Adobe said it was …
John Leyden, 24 Oct 2012