Feeds

Articles about Exploits

Exploits no more! Firefox 26 blocks all Java plugins by default

The latest release of the Firefox web browser, version 26, now blocks Java software on all websites by default unless the user specifically authorizes the Java plugin to run. The change has been a long time coming. The Mozilla Foundation had originally planned to make click-to-run the default for all versions of the Java plugin …
Neil McAllister, 10 Dec 2013

NSA spooks tooled up with zero-day PC security exploits from the FRENCH

The NSA bought specialist computer hacking tools and research from French security outfit Vupen, according to documents unearthed using the Freedom of Information Act. A contract shows the American spooks paid for a year's supply of zero-day vulnerability information and the software needed to exploit those flaws to attack …
John Leyden, 17 Sep 2013

Vulns, exploits, hacks: Trusteer touts tech to terminate troubles

Trusteer is expanding from its speciality of providing transaction protection security to financial institutions with an enterprise-level product designed to guard against zero-day exploits and social engineering. Unpatched application vulnerabilities in widely deployed endpoint applications (such as web browsers) can be given …
John Leyden, 24 Apr 2013
More flaws found in Java

It's about time: Java update includes tool for blocking drive-by exploits

Oracle's latest update to the Java SE Development Kit (JDK) version 7 adds new security features designed to help businesses avoid being stung by critical vulnerabilities in out-of-date versions of Java. After a string of embarrassing Java security flaws was disclosed by independent researchers, Oracle has made addressing …
Neil McAllister, 13 Sep 2013
The Register breaking news

Samsung's smart TVs 'wide open' to exploits

Samsung's Smart TV has a vulnerability which allows remote attackers to swipe data, according to security researchers. Malta-based security start-up ReVuln claims to have discovered a zero-day vulnerability affecting Smart TV, in particularly a Samsung TV LED 3D. Smart TV can be used to browse the internet, use social networks …
John Leyden, 12 Dec 2012

Oracle releases July patch batch... with 27 fixes for remote exploits

Oracle has pushed out a quarterly patch batch of 89 updates that mean almost all of its enterprise software products need updating for one reason or another. Craig Young, a security researcher at Tripwire, noted that most of the vulnerabilities were picked up by third-party researchers. “The constant drumbeat of critical Oracle …
John Leyden, 17 Jul 2013
Stuxnet

Oi! Rip Van Winkle: PATCH, already

Nearly 20 million computers remain infected with malware targeting a vulnerability first targeted four years ago by the Stuxnet worm. The flaw (CVE-2010-2568) was a Windows operating system bug in the way shortcuts worked allowing quiet download of the random dynamic library on Win Server 2003 and XP through to version 7. Since …
Darren Pauli, 20 Aug 2014
The Register breaking news

Crims prefer old exploits: Microsoft

While media around the world are excited by the announcement of every new zero-day vulnerabilities, attackers yawn, according to Microsoft. Presenting Volume 11 of its Security Intelligence Report at the RSA Conference in Europe on October 11, Microsoft pointed out that less than one percent of the attacks its report identified …
Facebook security

Facebook slings $50k Internet Defense Prize™ at bug hunter duo

Facebook and Usenix have together created the Internet Defense Prize™ – and awarded its first gong to security bods Johannes Dahse and Thorsten Holz. The pair, of Ruhr University Bochum in Germany, received $50,000 from Facebook's prize-giving committee for their paper, Static Detection of Second-Order Vulnerabilities in Web …
Darren Pauli, 21 Aug 2014
Good riddance to bad Java

Now even Internet Explorer will throw lousy old Java into the abyss

Internet Explorer will soon join its rival browsers by automatically blocking old, insecure add-ons – and it's got its eye set squarely on Java. Microsoft said on Wednesday that starting on August 12, Internet Explorer will begin alerting users when web pages try to launch ActiveX controls that are considered out-of-date and …
Neil McAllister, 07 Aug 2014

Noooo... WAIT. Google slaps on Chrome patches ahead of Pwn2Own hackfest

Google trowelled plaster over seven security cracks in Chrome on Tuesday, a day before the browser became one of the targets at the annual Pwn2Own hacking competition. The latest cross platform security update for Chrome fixed four "high" severity flaws and three lesser bugs. Three of the four high profile bugs were discovered …
John Leyden, 13 Mar 2014
Privacy image

Flaw in Google's Dropcam sees it turned into SPYCAM

Hackers could inject fake video into popular home surveillance kit Dropcam and use the system to attack networks, researchers Patrick Wardle and Colby Moore say. The wide-ranging attacks were tempered by the need for attackers to have physical access to the devices but the exploits offer the chance to inject video frames into …
Darren Pauli, 15 Jul 2014
Old computer

Researcher sat on critical IE bugs for THREE YEARS

Security outlet VUPEN has revealed it held onto a critical Internet Explorer vulnerability for three years before disclosing it at the March Pwn2Own hacker competition. The company wrote in a disclosure last week it discovered the vulnerability (CVE-2014-2777) on 12 February 2011 which was patched by Microsoft on 17 June (MS14- …
Darren Pauli, 24 Jul 2014
balaclava_thief_burglar

Cisco: Hey, IT depts. You're all malware hosts

Everybody – at least every multinational that Cisco checked out for its 2014 Annual Security Report – is hosting malware of some kind, and there aren't enough security professionals to go around. Along with its Managed Threat Defense service launched this week, Cisco also launched the latest publication (here with registration) …
Australia China

Latest IE flaw being actively exploited

April's Internet Explorer flaw is being exploited, with at least two listed Australian entities targeted by a sophisticated foreign hacking outfit. The organisations were targeted in a campaign that foisted the Internet Explorer exploits (MS14-021) at high end corporations three days after the dangerous flaws were exposed. …
Darren Pauli, 15 May 2014
windows 7 image

Redmond is patching Windows 8 but NOT Windows 7, say security bods

Microsoft has left Windows 7 exposed by only applying patches to its newest operating systems. Researchers found the gaps after they scanned 900 Windows libraries and uncovered a variety of security functions that were updated in Windows 8 but not in 7. They said the shortcoming could lead to the discovery of zero day …
Darren Pauli, 06 Jun 2014
angler exploit kit 1

Silverlight finally becomes popular ... with crims

Silverlight has become a choice target for VXers who are foisting nasty exploit kits (EKs) on users through hacked advertising networks. Attacks targeting Silverlight have spiked since 23 April as attackers look for web platforms to target now that Java and Flash have cleaned up their acts a bit. Cisco lead threat researcher …
Darren Pauli, 20 May 2014

Revealed ... GCHQ's incredible hacking tool to sweep net for vulnerabilities: Nmap

For the past five years, British spying nerve-center GCHQ has been port scanning internet-connected computers in 27 countries – in a exhaustive hunt for systems to potentially exploit. That bombshell comes amid fresh leaks detailing the dragnet surveillance programs operated by the Five Eyes nations: America, UK, Canada, …
John Leyden, 15 Aug 2014
Evil Android

App permissions? Pah! Rogue Android soft can 'place phone calls at will'

Researchers at German security firm Curesec have identified bugs present in most versions of Android that can allow malicious applications to place phone calls, even when they lack the necessary permissions. By exploiting these vulnerabilities, rogue apps can get up to such mischief as surreptitiously dialing out to expensive …
Neil McAllister, 07 Jul 2014

Time to ditch HTTP – govt malware injection kit thrust into spotlight

A new report form the Toronto-based internet watchdog Citizen Lab has shown cases of governments running network injection attacks that can deliver malware via any HTTP web connection. The dossier looks at two hacking tools created by the Italian firm Hacking Team and the German biz FinFisher that use the injection attack vector …
Iain Thomson, 16 Aug 2014
Tesla hack

Students hack Tesla Model S, make all its doors pop open IN MOTION

Zhejiang University students have hacked the Tesla Model S with an attack that enabled them to open its doors and sun roof, switch on the headlights and sound the horn - all while the car was driving along. The hack was part of a competition at the annual Syscan conference in Beijing, where a prize of $US10,000 was offered to …
Darren Pauli, 21 Jul 2014
WordPress

50,000 sites backdoored through shoddy WordPress plugin

Some 50,000 sites have been sprayed with backdoors from shonky malware targeting a popular and vulnerable WordPress plugin, according to researcher Daniel Cid. Sucuri founder Cid says the bodged malware can infect any site that resides on the server of a hacked WordPress website. The flawed plugin allowed attackers to "inject …
Darren Pauli, 24 Jul 2014
Apple_iPad_001_SM

iPad racketeers' high wire exploits falter

Chinese smugglers have been caught transporting a host of Apple goods over a zip-line into Hong Kong in a bid to profit from tax differences. Using a crossbow, the perpetrators fired a fishing line from a skyscraper in Shenzhen over the Sha Tau Kok river and into a small house in Hong Kong. The team then filled nylon bags full …
Caleb Cox, 08 Aug 2011
image via SXC

Super-critical Java zero-day exploits TWO bugs

A potent Java security vulnerability that first appeared earlier this week actually leverages two zero-day flaws. The revelation comes as it emerged Oracle knew about the holes as early as April. Windows, Mac OS X and Linux desktops running multiple browser platforms are all vulnerable to attacks. Exploit code already in …
John Leyden, 30 Aug 2012
Social media buttons

Attack flogged through shiny-clicky social media buttons

Web admins beware: social media buttons that load scripts from unknown external sites could see your sites foisting the FlashPack exploit kit to visitors. Several sources warn that popular JavaScript social media panels are being modified to load external resources that pulled down FlashPack, formerly known as SafePack, which …
Darren Pauli, 26 Aug 2014

Goog says patch⁵⁰ your Chrome

Google has dropped 50 patches for its flagship Chrome browser plugging holes and handed $30,000 to a lone bug hunter who reported a dangerous sandbox-busting attack. A clever chained combo of multiple flaws, reported to Google and patched, allowed attackers to crawl out of Chrome's security sandbox and execute code remotely. It …
Darren Pauli, 27 Aug 2014
Q and Bond, Skyfall

JUST LIKE US: Hackers who work for gov seem almost... ORGANISED

State-sponsored hackers are looking less like traditional hacking crews and more like military units as they share infrastructure and adopt strict hierarchies, according to new research. Infosec firm FireEye has identified links between 11 APT campaigns, including use of the same malware tools, shared code, binaries with the …
John Leyden, 14 Nov 2013

Poison PDF pusher released to public

Attacking enterprises just got easier with the development of an idiot-friendly tool that spits out booby-trapped PDFs with a few clicks. The tool weaves existing exploits into PDFs, allowing attacks against Adobe Reader and Acrobat versions 8.x prior to 8.2.1 and 9.x before 9.3.1. Users can insert their own URL pointers into …
Darren Pauli, 12 Jun 2014

Java, Android were THE wide-open barn doors of security in 2013 - report

While it was another tough year for network security all around, 2013 was particularly hard on users of Java and Android, new research from Cisco has found. According to the networking giant's latest Annual Security Report, Java flaws were responsible for 91 per cent of all web-based exploits in 2013. Meanwhile, fully 99 per …
Neil McAllister, 17 Jan 2014
The Register breaking news

Adobe preps sandboxing tech to fight exploits

Adobe has fleshed out its plans to offer sandboxing as a mechanism to limit the impact of attacks against its ubiquitous Adobe Reader PDF reader application. Available from November, Adobe Reader X will incorporate virtual sandboxing technology that will place controls on the application's ability to modify the registry or …
John Leyden, 19 Oct 2010
bug on keyboard

Patch Tuesday brings Microsoft fixes and Adobe Shockwave update

Microsoft and Adobe have delivered the February edition of their monthly security updates. The two firms kicked off the second Patch Tuesday of the year by each releasing fixes for critical vulnerabilities that could allow for remote code execution. For Microsoft, the monthly release consists of six bulletins which address a …
Shaun Nichols, 12 Feb 2014

FBI and pals grab banking Trojan zombielord's joystick

Law enforcement and the security business have teamed up to disrupt the operation of the Shylock banking Trojan. The UK's National Crime Agency joined forces with Europol and the FBI to take down and seize the command and control servers key to running the botnet. Law enforcement also took control of the domains Shylock uses for …
John Leyden, 11 Jul 2014

Racing Post escapes ICO fine after leaking info of 677K punters

UK sports-betting newspaper the Racing Post has received a stern warning – but not a fine – after it emerged that it had aired the private details of more than 677,000 customers as the result of a security breach last year. The October 2013 snafu resulted in the exposure of the names, addresses, passwords, dates of birth and …
John Leyden, 28 Aug 2014
Google Chrome logo

Chrome 35 made deaf to old speech API bug

Google has patched 23 vulnerabilities, including three marked high risk, in the latest update to the web browser. Mountain View has yet to release details on the full set of patched bugs pushed out overnight in the new release 35 of Chrome for Windows, Mac and Linux. Chrome engineer Karen Grünberg said it paid out US$9500 to …
Darren Pauli, 21 May 2014
Dunce

Banking apps: Handy, can grab all your money... and RIDDLED with coding flaws

The whopping 70 per cent of retail and 69 perc ent of financial services apps are vulnerable to data breaches. That's according to an analysis of 705 million lines of code as used by 1,316 enterprise applications carried out by software analysis and measurement firm CAST. The firm reckons a growing number of data breaches and …
John Leyden, 27 Aug 2014
Breach

2,285,295 Aussie logins nabbed in Russian password haul

More than two million unique login credentials for Australian internet users were stolen as part of the massive haul of 1.2 billion passwords by a Russian hacker outfit. Earlier this month Hold Security reported that Russian hackers under the group dubbed CyberVors amassed the largest ever cache of stolen website passwords …
Darren Pauli, 11 Aug 2014
Curiosity Mars rover's latest hole in Mars

Curiosity GOUGES AND SCORCHES Mars with drill and laser

Nuclear-powered space tank Curiosity as struck another blow for humanity by scorching Mars with seven smears of its mighty lasers. NASA published photos of the rover's latest exploits yesterday, explaining that the latest unfurling of Curiosity's laser weapons was done after the vehicle had first unleashed its drill and …
Simon Sharwood, 16 May 2014

Watch a bank-raiding ZeuS bot command post get owned in 60 seconds

Web thieves may get more than they bargained for if tech pros follow the lead of one researcher – who demonstrated how to hack the systems remote-controlling the infamous ZeuS crime bot in 60 seconds. The dangerous Trojan ZeuS infects Windows PCs to, among other things, silently siphon cash from victims' online bank accounts. …
Darren Pauli, 06 May 2014

Cyber spies whip out 'Machete', stride towards Latin America

Security watchers are tracking a new cyber-espionage campaign that appears to be targetting Latin American countries including Venezuela, Colombia and Ecuador. The so-called "Machete" campaign has been zoning in on governments, military and law enforcement agencies and embassies in South America for the last four years, stealing …
John Leyden, 21 Aug 2014
IE8 patch

Redmond promises IE8 patch is in the pipeline

Microsoft has announced it is working on a patch for a zero day Internet Explorer 8 vulnerability first identified seven months ago. Perhaps following a report by El Reg, Redmond said it will bake a patch for the flaw which allowed attackers to execute arbitrary code on computers running the older Internet Explorer version 8 …
Darren Pauli, 23 May 2014
The Register breaking news

Biz bods STILL don't patch hacker's delight Java and Flash

A whopping 81 per cent of businesses run outdated Java while two in five (40 per cent) have not updated Flash, according to the latest figures from net security firm Websense. Websense warns that failing to apply patches that address vulnerabilities in hacker favourites such as Flash and Java leaves these business at risk of …
John Leyden, 10 Sep 2013
An alternative Yahoo! logo, courtesy of a Flickr user

CryptoWall! crooks! 'turn! to! Yahoo! ads! to! spread! ransomware!'

Crooks are using Yahoo!'s advertising network to infect PCs with the CryptoWall ransomware, it's claimed. Windows software nasty CryptoWall encrypts a victim's files using an OpenSSL-generated key pair before demanding a ransom to decrypt the data. It communicates with its masters using RC4-encrypted messages to command servers …
John Leyden, 11 Aug 2014
Blackmail image

Cyber scum pump ransomware at victims from spambot-stuffed websites

Miscreants have brewed up a strain of ransomware which functions like the recently dead CryptoLocker - and this one communicates using the Tor browsing anonymization network. Critroni appears geared towards exploiting a gap in the market created by a takedown operation against the CryptoLocker and Gameover ZeuS botnets back in …
John Leyden, 22 Jul 2014

Cortana, remind me to patch Windows, IE, and Adobe gear next Tues

Microsoft will release eight security updates next Tuesday to squash remote-code execution bugs in Windows and Internet Explorer among other flaws. Meanwhile, Adobe will issue new versions of Acrobat and Reader for this month's Patch Tuesday. Two of the security updates from Microsoft are rated as critical because they allow …
Shaun Nichols, 09 May 2014
The Register breaking news

Politically motivated exploits target activists on Google

Politically motivated attackers are exploiting an unpatched flaw in all supported versions of Microsoft Windows to carry out highly targeted attacks against activists using Google, the company's security team warned. The unidentified attackers are wielding a serious vulnerability in the way Windows parses webpages containing …
Dan Goodin, 12 Mar 2011

Big Java security fixes on the way – but not so fast, Windows XP users

As if running Windows XP after Microsoft withdrew support wasn't risky enough, XP users who have Java installed may soon have even more to worry about. Oracle is due to issue its next Critical Patch Update – the massive, quarterly fix-it fests that deliver security updates across the company's entire product line, including Java …
Neil McAllister, 04 Jul 2014
Data breach image

'Up to two BEEELLION' mobes easily hacked by evil base stations

The mechanisms used to update smartphone operating systems over the air are vulnerable to hijacking and abuse, researchers have claimed. Speaking at the Black Hat conference in Las Vegas on Thursday, the infosec bods believe up to two billion handsets are at risk, and that in some cases patches for the flaw still haven't been …
Iain Thomson, 08 Aug 2014
The Register breaking news

Dozens of exploits released for popular SCADA programs

The security of software used to control hardware at nuclear plants, gas refineries and other industrial settings is coming under renewed scrutiny as researchers released attack code exploiting dozens of serious vulnerabilities in widely used programs. The flaws, which reside in programs sold by Siemens, Iconics, 7-Technologies …
Dan Goodin, 22 Mar 2011
bug on keyboard

Manic malware Mayhem spreads through Linux, FreeBSD web servers

Malware dubbed Mayhem is spreading through Linux and FreeBSD web servers, researchers say. The software nasty uses a grab bag of plugins to cause mischief, and infects systems that are not up to date with security patches. Andrej Kovalev, Konstantin Ostrashkevich and Evgeny Sidorov, who work at Russian internet portal Yandex, …
Iain Thomson, 18 Jul 2014
Hacker mug 06.12.02

It woz the Reg wot won it: UK mobe network EE fixes voicemail hack flaw

Since we alerted EE to the security flaw in its voicemail system that allowed us to access the messages of anti-terrorism bods, the mobile telco has been working to close the hole. As we explained in our original article, the vulnerability was only exploitable through certain routes, and we disclosed the problem to EE ahead of …
Simon Rockman, 25 Apr 2014