Microsoft plans to patch critical Windows, IE bugs next week

Microsoft has marked two of the five security updates it plans to release next week as "critical," including one that addresses a vulnerability in Internet Explorer that is currently being exploited in the wild.

One of the updates announced in a security bulletin Thursday will patch a flaw in IE 10 -- discovered last month by security company FireEye -- being exploited by attack code found on the Veterans of Foreign Wars' Web site. Security firm Websense reported finding similar code exploiting the same flaw on the compromised Web site of a French aerospace association, indicating there was … Read more

Microsoft finally fixes critical Internet Explorer vulnerability

In its security update for this month, Microsoft has patched a critical Internet Explorer vulnerability that possibly exposed users to malware and hacks for the last three months.

The permanent patch is for an exploit known as CVE-2013-3893, which had the capability to work its way into all supported versions of Internet Explorer. Microsoft announced the existence of the vulnerability in September and released a downloadable "Fix It" tool until the permanent patch was ready.

"The most severe vulnerabilities could allow remote code execution if a customer views a specially crafted webpage using Internet Explorer," Microsoft'… Read more

Facebook flaw allowed hackers to delete posted photos

A security flaw that allowed hackers to delete any image stored on Facebook has been discovered by Indian researcher Arul Kumar -- and he has been rewarded for his efforts.

The Facebook flaw, explained in length on Kumar's blog, exploits the Facebook Support Dashboard. Considered "critical," the bug works with any browser and any version, but was most successfully exploited through mobile devices.

The Facebook Support Dashboard is used to send Photo Removal requests to the firm. Reports are reviewed by Facebook employees, or alternatively reports can be sent directly to the image's owner. A link … Read more

Google confirms Android flaw that led to Bitcoin theft

Google has confirmed a flaw in Android's operating system, which could make Bitcoin digital wallets vulnerable to theft.

Android security engineer Alex Klyubin penned a blog post on Wednesday outlining the root cause of the vulnerability.

"We have now determined that applications which use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation may not receive cryptographically strong values on Android devices due to improper initialization of the underlying PRNG," Klyubin wrote. "Applications that directly invoke the system-provided OpenSSL PRNG without explicit initialization on Android are also affected."

The flaw was … Read more

Android-based Bitcoin digital wallets vulnerable to theft

A critical weakness in Android leaves digital wallets on the mobile platform vulnerable to theft, Bitcoin developers warned Sunday.

The vulnerability occurs in an Android component that generates secure random numbers, developers wrote in a Bitcoin.org blog post. Because the problem is rooted in the operating system, every Bitcoin digital wallet generated by an Android app is affected by the weakness, they said.

They suggest securing existing wallets by creating a new address with a repaired digital random numbers generator and then sending the wallet's balance back to itself.

"If you use an Android wallet then we … Read more

SIM card flaw said to allow hijacking of millions of phones

A vulnerability on SIM cards used in some mobile phones could allow malware infection and surveillance, a security researcher warns.

Karsten Nohl, founder of Security Research Labs in Berlin, told The New York Times that he has identified a flaw in SIM encryption technology that could allow an attacker to obtain a SIM card's digital key, the 56-digit sequence that allows modification of the card. The flaw, which may affect as many as 750 million mobile phones, could allow eavesdropping on phone conversations, fraudulent purchases, or impersonation of the handset's owner, Nohl warned.

"We can remotely install … Read more

Google beefs up the cash bounty for reporting vulnerabilities

Noting the contribution made by those who try to hack its security, Google has once again increased the cash rewards it pays out for identifying vulnerabilities in its services.

The Internet giant, which began swapping security research for cash a couple of years ago, announced the higher payouts and new rules for the program Thursday on the company's Online Security Blog.

The bounty for cross-site scripting bugs on Google Accounts more than doubled from $3,133.70 to $7,500. The reward for reporting cross-site scripting bugs in other sensitive areas such as Gmail and Google Wallet more than … Read more

Samsung lock screen flaw found; company working on fix

A security researcher has revealed a method for accessing applications running on a locked Samsung handset.

The flaw is somewhat similar to one that was revealed by another researcher earlier this year on iPhones. On a Samsung handset, users can, from the lock screen, pretend to dial an emergency services number, quickly dismiss it, and with some sleight of hand, quickly gain access to any app or widget, or the settings menu in the device. The dialer can also be launched, allowing the "hacker" to place a call.

According to Terence Eden, who discovered the flaw and posted … Read more

Microsoft to patch IE zero-day flaw today

Microsoft will fix a zero-day hole in IE today almost a week after this month's regular Patch Tuesday updates.

Discovered late last month, the vulnerability could allow attackers to gain control of a Windows computer running one of the older versions of IE by directing users to malicious Web sites. In response, Microsoft had suggested several workarounds and even offered a "one-click fix" designed to mitigate the problem, but those were considered temporary solutions.

Today's update will fully resolve the issue, according to Microsoft. Scheduled for rollout at 10 a.m. PT, the fix will be … Read more

Adobe mends security holes in Flash, Reader, Acrobat

Security flaws in Adobe Flash, Reader, and Acrobat could have been the cause of computer crashes recently. The software company announced today that it sent out updates for these three programs, which are meant to patch security vulnerabilities that cause such system crashes.

"These updates address a vulnerability that could cause a crash and potentially allow an attacker to take control of the affected system," the company wrote in a security bulletin today. "Adobe recommends users update their product installations to the latest versions."

Adobe does not give any further detail on the security vulnerabilities but … Read more