Articles about vulnerability research

The Register breaking news

Hotspot sniffer eavesdrops on iPhone in real-time

People who use public WiFi to make iPhone calls or conduct video conferences take heed: It just got a lot easier to monitor your conversations in real time. At a talk scheduled for Saturday at the Toorcon hacker conference in San Diego, two security researchers plan to show the latest advances in the open-source UCSniff tool …
Dan Goodin, 23 Oct 2009
The Register breaking news

Free download turns BlackBerry into remote bugging device

A free software program released Thursday turns everyday BlackBerry smartphones into remote bugging devices. Dubbed PhoneSnoop by creator Sheran Gunasekera, the software sits quietly on a targeted BlackBerry and monitors the phone number of each incoming call. When it detects a number set up in the program's preferences …
Dan Goodin, 22 Oct 2009
The Register breaking news

Bloggers howl after conference snoops on 'secure' network

Organizers of last week's SecTor security conference collected names, passwords, and all other traffic passing over two Wi-Fi networks provided to attendees, including one that was encrypted, the event's director has confirmed. Borrowing a page from the Wall of Sheep at the Defcon hacker conference each year in Las Vegas, the …
Dan Goodin, 15 Oct 2009
The Register breaking news

Microsoft's Patch Tuesday fixes record number of flaws

Microsoft on Tuesday patched a record number of security holes in its Windows operating systems and other software, a haul that included at least one security flaw that was already under attack in the wild. One of the updates fixed a vulnerability in Windows Media Runtime that allows an attacker to remotely execute malware by …
Dan Goodin, 14 Oct 2009
The Register breaking news

Man banished from PayPal for showing how to hack PayPal

PayPal suspended the account of a white-hat hacker on Tuesday, a day after someone used his research into website authentication to publish a counterfeit certificate for the online payment processor. "Under the Acceptable Use Policy, PayPal may not be used to send or receive payments for items that show the personal …
Dan Goodin, 6 Oct 2009
The Register breaking news

IE, Chrome, Safari duped by bogus PayPal SSL cert

If you use the Internet Explorer, Google Chrome or Apple Safari browsers to conduct PayPal transactions, now would be a good time to switch over to the decidedly more secure Firefox alternative. That's because a hacker on Monday published a counterfeit secure sockets layer certificate that exploits a gaping hole in a Microsoft …
Dan Goodin, 5 Oct 2009
The Register breaking news

White hats release exploit for critical Windows vuln

White-hat hackers have released reliable code that remotely exploits a critical vulnerability in the Vista and Server 2008 versions of Microsoft's Windows operating system. The exploit code, released Wednesday by security firm Immunity, came as separate researchers with the Metasploit penetration testing project said they were …
Dan Goodin, 16 Sep 2009
fingers pointing at man

Microsoft security tools give devs the warm fuzzies

Microsoft has released a general-purpose software tool for assessing the security of applications, part of a growing suite of free offerings designed to help third-party developers design safer programs. Microsoft Minifuzz is a lightweight file fuzzer, a type of tool that detects software bugs by throwing random data at an …
Dan Goodin, 16 Sep 2009
The Register breaking news

FreeBSD bug grants local root access

A security researcher has uncovered a security bug in the FreeBSD operating system that allows users with limited privileges to take full control of underlying systems. The bug in FreeBSD's kqueue notification interface makes it trivial for those with local access to a vulnerable system to gain full root privileges, Przemyslaw …
Dan Goodin, 14 Sep 2009
The Register breaking news

Apple security lags (again) with critical Java patches

Comment Apple is once again playing security catch-up to the rest of the computing world, this time with an update for the Leopard version of its Mac operating system that patches critical holes in Java that were fixed on competing systems 29 days ago. The patch updates Leopard to Java versions 1.6.0_15, 1.5.0_20, and 1.4.2_22, which …
Dan Goodin, 4 Sep 2009
The Register breaking news

Microsoft rejects call to fix SQL password-exposure risk

Microsoft is butting heads with a company that provides software for database security over a weakness in SQL Server that can expose user passwords to anyone with administrative access to the program. Researchers at San Mateo, California-based Sentrigo warned Wednesday that the "significant vulnerability" is present in the …
Dan Goodin, 2 Sep 2009
The Register breaking news

IIS bug gives attackers complete server control

A hacker has uncovered a previously unknown bug in Microsoft's Internet Information Services webserver that in some cases gives attackers complete control of vulnerable machines. Proof-of-concept code published Monday has been confirmed to give remote root access to servers running version 5 of IIS on Windows 2000 with Service …
Dan Goodin, 31 Aug 2009
The Register breaking news

Seeking web security, exploit operators prefer Firefox

Criminals running websites that push drive-by exploits overwhelmingly prefer the Firefox browser, according to a researcher who spent the past three months surveilling their browsing habits. Mozilla's Firefox was used by 46 per cent of the exploit kit operators who were tracked in the study, according to Paul Royal, principal …
Dan Goodin, 21 Aug 2009
The Register breaking news

Bug exposes eight years of Linux kernel

Linux developers have issued a critical update for the open-source OS after researchers uncovered a vulnerability in its kernel that puts most versions built in the past eight years at risk of complete takeover. The bug involves the way kernel-level routines such as sock_sendpage react when they are left unimplemented. Instead …
Dan Goodin, 14 Aug 2009
The Register breaking news

Twitter transformed into botnet command channel

For the past couple weeks, Twitter has come under attacks that besieged it with more traffic than it could handle. Now comes evidence that the microblogging website is being used to feed the very types of infected machines that took it out of commission. That's the conclusion of Jose Nazario, the manager of security research …
Dan Goodin, 13 Aug 2009
The Register breaking news

Autocad attacks return after four years in wilderness

Viruses attacking users of the Autocad computer assisted design application have recently resurfaced after taking a four-year hiatus, prompting a call from one security watcher for more to be done to done to prevent such outbreaks. And indeed, that's exactly what Autodesk, the California-based maker of the high-end program, …
Dan Goodin, 13 Aug 2009
The Register breaking news

WordPress bug resets admin password

This story was updated to correct details of the bug. It allows attackers to reset passwords, but not take over accounts. Developers of the widely used WordPress blogging software have released an update that fixes a vulnerability that let attackers reset the administrator password. The bug in version 2.8.3 is trivial to …
Dan Goodin, 12 Aug 2009
The Register breaking news

Sequoia e-voting machine commandeered by clever attack

Computer scientists have figured out to how trick a widely used electronic voting machine into altering tallies with a technique that bypasses measures that are supposed to prevent unauthorized code from running on the device. The method, known as return-oriented programming, has already been used to defeat security measures …
Dan Goodin, 12 Aug 2009

Create a news alert about vulnerability research, or find more stories about vulnerability research.

Biting the hand that feeds IT © 1998–2017