Tag - Vulnerabilities
Researchers at Duo Security have released a scathing analysis of the PC industry and its lax security measures. In particular, the researchers found that every major Windows-based OEM, including Dell, Lenovo, Asus, Acer, and HP, ships brand-new PCs that are vulnerable to hackers from the moment they are booted up out of the box, a phenomenon the report dubs "Out-of-Box Exploitation" (OOBE). The issues stem from the bloatware routinely pre-installed on new PCs, which includes third-party software update tools. Even supposedly "bloat-free" PCs carrying the Microsoft Signature Edition label are shipping with vulnerabilities.
A new exploit has been developed that could threaten Mac security by leveraging vulnerabilities in firmware rather than software, making the worm nearly impossible to remove. While sounding more ominous than any threat since the original firmware-based Thunderstrike (which was limited to a proof-of-concept with no reported attacks), leading security experts say this new threat is also very low-risk.
Adobe has updated Flash to version 18.104.22.168 for Windows and Mac in an effort to close yet another batch of security flaws. While no active use of the exploits had been discovered, the company had been notified earlier this week that some of the exploits had been discovered to be known by Hacking Team, a group of commercial security attackers that has sold such secrets and flaws to government agencies around the world.
Apple announced on Friday that it had implemented a server-side partial security update earlier this week to help protect Mac and iOS users against a "series of high-impact security weaknesses" discovered by researchers and now collectively known as the XARA vulnerabilities, which could potentially be used to obtain data being passed between sandboxed applications, such as passwords. No known cases of the exploits have been seen "in the wild," and Apple says it is working with researchers on a longer-term fix.
Microsoft is asking the online security community to better coordinate on the disclosure of vulnerabilities in code, after Google published a flaw in Windows 8.1. The search company released details about the vulnerability in the operating system yesterday as part of Project Zero, two days before Microsoft was to offer up a fix in its well-known Patch Tuesday schedule.
Google is increasing the rewards in its bug bounty program as it tries to make its software more secure. The search company is updating its reward pricing range to between $500 and $15,000 per bug, up from the previous maximum of $5,000 for a high-quality report, with an increased focus on discovering potential vulnerabilities within the Chrome browser.
Microsoft is teaming up with Facebook to offer more bounties for bugs and flaws in software used by a vast majority of websites. The Internet bug bounty, HackerOne, sees the two companies paying cash prizes of between $300 and $5,000 in exchange for details of vulnerabilities in server-based software and frameworks such as PHP, Ruby, Rails, OpenSSL, and Apache httpd.
For the fifth time this year, Apple has had to issue an update to Java for all three supported versions of OS X: Snow Leopard (10.6), Lion (10.7) and Mountain Lion (10.8). As has become the norm, the update was issued due to the discovery of "multiple vulnerabilities" in Java 1.6.0_51. The cross-platform development technology has been updated to version 1.6.0_65, and is referred to in Software Update as "Java for Mac OS X 10.6 Update 17" for Snow Leopard and "Java for OS X 2013-005" for newer systems.
On Tuesday, Microsoft issued a new security patch for all versions of its Microsoft Office for Mac 2011 edition, including academic, Standard and Home & Business editions and all the main applications contained therein. The update "fixes critical issues and also helps to improve security. It includes fixes for vulnerabilities that an attacker can use to overwrite the contents of your computer's memory with malicious code." The fix is intended for Intel Macs running OS X 10.5.8 or later.
IBM's security research and development group, X-Force, has released an annual report that suggests Mac is the most vulnerable operating system. The percentage of patched vulnerabilities compared to the total number of disclosed vulnerabilities was used for the rankings, with Mac OS X and OS X Server each leaving 14.3 percent of the problems unresolved. IBM gave the highest score to its own AIX platform, claiming to have fixed over 96 percent of the vulnerabilities, while Microsoft failed to patch between 5.5 percent and 4.1 percent of the reported issues for its Windows operating systems.