exploits

Buzz Out Loud 1307: A zero-day porn moment (podcast)

On today's Buzz Out Loud, Jason confesses his noob security mistake, Consumer Reports wants the world to know they STILL don't recommend the iPhone 4. Plus, Mark Zuckerberg's Hollywood moment isn't going to be as fun as he hoped, and we predict the MPAA will go nuclear if rumors of a permanent HDCP crack are true.

Zeus Trojan steals $1 million from U.K. bank accounts

Consumers and businesses in Great Britain have lost more than $1 million so far this summer from a Trojan that is infecting their computers, prompting them to log into their bank accounts, and then is surreptitiously transferring money to scammers in other countries, security researchers said on Tuesday.

About 3,000 bank accounts were found to be compromised at one financial institution, which was not identified, according to a white paper released by M86 Security.

The multilevel scheme uses a combination of a new version of the Zeus keylogger and password stealer Trojan, which targets Windows-based computers and runs on …

Theoretical attacks exploit iOS browser flaw

The new browser security flaw in iPhones, iPods, and iPads could be more dangerous than initially suspected.

The vulnerability comes from the way the jailbreak software, released on Sunday, uses the mobile Safari browser instead of requiring that the device be connected to a computer. Jailbreaking the phone allows it to run apps not approved by Apple. But this flaw could be used to launch an exploit if the user were to surf to a Web site hosting a malicious PDF, giving unrestricted access to the device.

"The same PDF exploit used to jailbreak the device could also be …

Buzz Out Loud 1284: Superman is faster than a foreclosing bank (podcast)

On today's show, Intel's FTC antitrust settlement, Darren Kitchen explains the iOS vulnerability that makes all your devices belong to PDF, and the feds admit they're storing some of your checkpoint body scan images ... for ... some reason. Yuck. Also, Facebook for Android finally comes into the modern age. Phew.

Safari autofill exploit can reveal user data

The autofill option in Apple's Safari browser can expose personal data without the user's consent, a security researcher reported on Wednesday. It remains unclear as to whether the problem affects Safari specifically or all WebKit-based browsers, which include Google Chrome. It's recommended that Safari and Chrome users disable the autofill feature immediately, until further notice.

Jeremiah Grossman, the chief technical officer of WhiteHat Security, documented the exploit in a blog post on Wednesday, saying that it affects both the current version of Safari, version 5, and the legacy version, Safari 4. He said that the exploit is …

Adobe Reader to block attacks with sandbox tech

Adobe Reader will soon have an additional layer of protection against the many attacks that target the popular PDF viewer.

Adobe Systems is borrowing a page from Microsoft's and Google's playbook by turning to sandboxing technology designed to isolate code from other parts of the computer.

Adobe is adding a "Protected Mode" to the next release of Adobe Reader for Windows due out some time this year, said Brad Arkin, director of product security and privacy at Adobe. The feature will be enabled by default and included in Adobe Reader browser plug-ins for all the major …

Unpatched Windows XP-related hole exploited in attacks

Malicious hackers were found to be exploiting a hole on Tuesday affecting Windows XP that a Google researcher disclosed last week before Microsoft had a chance to fix it, the software giant confirmed.

There was "limited exploitation" of the unpatched vulnerability, Jerry Bryant, group manager for response communications at Microsoft, said in an e-mail statement. The exploits have been taken down from the Web, but Bryant said he expects there to be further attacks "given the public disclosure of full details of the issue."

"We want to reiterate that customers using Windows 2000, Windows Vista, …

Adobe to plug Flash hole this week

Adobe Systems said it will issue a patch for a critical hole being exploited in the wild by delivering an update for Flash Player by Thursday, and for Adobe Reader and Acrobat by June 29.

The update of Flash Player 10.x will support Windows, Macintosh, and Linux, while the date for the release of a Solaris version is still to be determined, Adobe said late Monday. Meanwhile, the Adobe Reader and Acrobat update to come in three weeks will support Windows, Mac, and Unix.

Adobe released the advisory late last week and said there had been reports of the …

Unpatched Java hole exploited at lyrics site

An unpatched hole in Java was being exploited to target visitors to a song lyrics Web site and more attacks are likely, researchers warned on Wednesday.

The flaw in Java Web Start, disclosed last week by several security researchers, affects Windows systems running Firefox and Internet Explorer, said Roger Thompson, AVG chief research officer. He said he couldn't get it to work on Chrome though, despite reports that it does.

Thompson found exploit code for both the Java hole and one in Adobe Reader on servers in Russia that was triggered by computers visiting English-language site Songlyrics.com. The …

Microsoft issues emergency patch for 10 IE holes

Microsoft issued an emergency security update on Tuesday to plug 10 holes in Internet Explorer, including a critical vulnerability that has been exploited in attacks in the wild.

The cumulative update, which Microsoft announced on Monday, resolves nine privately reported flaws and one that was publicly disclosed. The most severe vulnerabilities could lead to remote code execution and a complete takeover of the computer if a user were to view a malicious Web site using IE, Microsoft said in the bulletin summary.

Users of IE8 and Windows 7 are not vulnerable to the flaw being used in specific attacks, according …