Articles about Tavis Ormandy

uTorrent file-swappers urged to upgrade after PC hijack flaws fixed

Users of uTorrent should grab the latest versions of the popular torrenting tools: serious security bugs, which malicious websites can exploit to commandeer PCs, were squashed this week in the software. If you're running a vulnerable Windows build of the pira, er, file-sharing applications while browsing the web, devious …
Iain Thomson, 22 Feb 2018

Windows 10 bundles a briefly vulnerable password manager

Google Project Zero's Tavis Ormandy has turned up a howling blunder in a password manager bundled with Windows 10. On Friday, Ormandy publicly disclosed the bug, which lies not in the Microsoft operating system but in an included third-party Keeper password manager. He wrote: “I've heard of Keeper, I remember filing a bug a …

Tavis Ormandy to Microsoft: Have another Windows Defender vuln

Google Project Zero bug-hunter Tavis Ormandy has alerted the world to yet another way Microsoft's anti-virus tool Windows Defender could be attacked. Ormandy went public with the bug on Friday after Microsoft shipped its fix. He reported the issue to Redmond on June 9th. The bug is in the non-sandboxed x86 emulator Windows …

What's got a vast attack surface and runs on Linux? Windows Defender, of course

Google Project Zero's Windows bug-hunter and fuzz-boffin Tavis Ormandy has given the world an insight into how he works so fast: he works on Linux, and with the release of a personal project on GitHub, others can too. Ormandy's project is to port Windows DLLs to Linux for his vuln tests (“So that's how he works so fast!” …

'Crazy bad' bug in Microsoft's Windows malware scanner can be used to install malware

Miscreants can turn the tables on Microsoft and use its own antivirus engine against Windows users – by abusing it to install malware on vulnerable machines. A particularly nasty security flaw exists in Redmond's anti-malware software, which is packaged and marketed in various forms: Windows Defender, Windows Intune Endpoint …
Iain Thomson, 9 May 2017

LastPass scrambles to fix another major flaw – once again spotted by Google's bugfinders

For most of us, Saturday morning is a time for a lie in, a leisurely brunch, or maybe taking the kids to the park. But for some it's bug-hunting time. Tavis Ormandy, a member of Google's crack Project Zero security team, was in the shower and thinking about LastPass – after finding a number of flaws in the password manager …
Iain Thomson, 27 Mar 2017

What should password managers not do? Leak your passwords? What a great idea, LastPass

Updated Password vault LastPass is scrambling to patch critical security flaws that malicious websites can exploit to steal millions of victims' passphrases. The programming cockups were spotted by Tavis Ormandy, a white-hat hacker on Google's crack Project Zero security team. He found that the LastPass Chrome extension has an …
Iain Thomson, 21 Mar 2017

Cloudbleed: Big web brands 'leaked crypto keys, personal secrets' thanks to Cloudflare bug

Updated Big-name websites potentially leaked people's private session tokens and personal information into strangers' browsers, due to a Cloudflare bug uncovered by Google researchers. As we'll see, a single character – '>' rather than '=' – in Cloudflare's software source code sparked the security blunder. Cloudflare helps companies …
Iain Thomson, 24 Feb 2017

Cisco's WebEx Chrome plugin will execute evil code, install malware via secret 'magic URL'

Updated Malicious websites can remotely execute commands on Windows systems that have Cisco WebEx's Chrome extension installed. About 20 million people actively use this broken software. All attackers need to know is a “magic URL” hidden within WebEx, Google Project Zero bug hunter Tavis Ormandy revealed on Monday. We think a secret " …

Adobe's naughty Chrome telemetry code had XSS problem

Adobe's pushed out a fix for its already-controversial Chrome telemetry extension after Project Zero's Tavis Ormandy found an egregious bug. The update that shipped last week pushed the extension to Chrome users. It was presented as a convenience update that let people print Web pages to PDF, and use Reader instead of Chrome's …

Kaspersky fixing serious certificate slip

Updated Kaspersky is moving to fix a bug that disabled certificate validation for 400 million users. Discovered by Google's dogged bug-sleuth Tavis Ormandy, the flaw stems from how the company's antivirus inspects encrypted traffic. Since it has to decrypt traffic before inspection, Kaspersky presents its certificates as a trusted …

Symantec antivirus bug allows utter exploitation of memory

British white hat hacker and Google Project Zero chap Tavis Ormandy is making life miserable for Symantec again: the bug-hunter has turned up an exploitable overflow in “the core Symantec Antivirus Engine used in most Symantec and Norton branded Antivirus products”. Described here, the problem is in how the antivirus products …

It's 2016 and now your internet-connected bathroom scales can be hacked

Owners of Fitbit's Aria internet-connected smart scales are being advised to install a firmware patch following the discovery of critical security flaws. Tavis Ormandy of Google's Project Zero was credited with finding the vulnerabilities in the Wi-Fi cyber-scales. While Fitbit isn't providing specific details on the nature of …
Shaun Nichols, 29 Apr 2016

Comodo's 'security' kit installed a lame VNC server on PCs on the sly

Google's Project Zero has found yet another blunder in Comodo's internet "security" software – a VNC server enabled by default with a predictable password. Earlier this month, Googler Tavis Ormandy pointed out that Comodo's custom web browser, dubbed Chromodo, was about as unsafe as a lace condom thanks to terrible security …
Iain Thomson, 18 Feb 2016

Trend Micro AV gave any website command-line access to Windows PCs

Updated PCs running Trend Micro's Windows antivirus can be hijacked, infected with malware, or wiped clean by any website, thanks to a vulnerability in the security software. The design blunders in the consumer build of Trend's AV were discovered by Google Project Zero bod Tavis Ormandy. A patch is now available to address the remote- …
Iain Thomson, 11 Jan 2016

Project Zero bod says antivirus black market is growing

Google troublemaker Tavis Ormandy, whose credits include turning up security vulns in popular antivirus products, reckons he's identified an active market in antivirus exploits. In June, the Google Project Zero security bod found trivial bugs in the ESET tool, and earlier this month, he served a similar dish to Kaspersky. In …
The Register breaking news

Google cyber-knight lances Microsoft for bug-hunter 'hostilities'

Top Google engineer Tavis Ormandy has slammed Microsoft for apparently treating security bug hunters with “great hostility”. He blasted Redmond's behaviour towards those who report vulnerabilities as he publicly revealed a new unpatched security hole in the Windows operating system - a bug that can be exploited to crash …
John Leyden, 28 May 2013

Google bod exposes Sophos Antivirus' gaping holes

A security researcher has discovered embarrassing and critical vulnerabilities in Sophos' enterprise protection software. Tavis Ormandy, an information security engineer at Google, published a paper along with example attack code to highlight flaws present in Windows, Linux and Mac OS X builds of Sophos' antivirus product. …
John Leyden, 6 Nov 2012


Biting the hand that feeds IT © 1998–2018