Copyright © 2016
Tag - Vulnerability
A new vulnerability -- albeit one that is extremely unlikely to happen "in the wild" -- has been discovered by security researcher Pedro Vilaca, where a flaw in pre-2014 Macs could conceivably allow an attacker access to a portion of OS X that has access to the Mac's Open Firmware and EFI (what PC users might call the BIOS of the machine) and possibly exploit other vulnerabilities to perhaps overwrite it with malicious firmware.
A flaw in a popular older version of an open-source networking library used by a number of iOS apps could create an exploitable vulnerability, particularly for users who do not keep their apps up-to-date. The issue could allow a hacker to bypass HTTPS security and conceivably steal passwords or other personal data. While the library in question was patched to address the problem three weeks ago, apps which include the older library are still vulnerable. According to SourceDNA, at least 1,500 iOS apps are currently exposed.
Apple on Thursday has updated OS X Yosemite 10.10.2 (only) with a new security update. While details are not available, the update could possibly be the first to address an https vulnerability known as FREAK, which can compromise secure web browsing on a variety of systems and applications. In addition, the company has issued an update for iPhoto to further help with the eventual transition to Photos, as well as clear up a few bugs.
Apple appears to have fixed a flaw in its password security just one day after a hacker announced a new tool that could conceivably breach the existing protection against "brute force" attacks on accounts by taking advantage of an exception. On January 1, a new tool called iDict emerged in a rough state that could bypass repeated password-attempt blocking due to an exception made for iPhones. On January 2, Apple closed that exception and began locking accounts iDict was being used against.
A new USB microcontroller -- roughly the size of a small thumb drive -- has been demonstrated as a proof-of-concept device that leverages a serious and unfixable vulnerability in USB easily take over and install malware on any unlocked computer. Though it requires physical access or tricking the user into inserting the controller into a USB port, the device has worrying implications for any computer left unattended for more than a minute -- the time it takes for the device to gain admin access, change network settings, install a backdoor and remove any obvious sign of intrusion.
Versions of WordPress from 3.0 up to 3.9.2 were discovered to contain a security vulnerability through the comment features on the site, making a large number of installs and servers vulnerable to attack. The bug was discovered by Jouko Pynnonen of the Finnish IT company Klikki Oy, indicating that the bug went unchecked for more than four years since it was introduced with version 3.0 in June 2010.
An Apple spokesperson has reassured Mac users that the "vast majority" of users are not at risk from a serious bug discovered in the UNIX shell Bash that some researchers have called "potentially bigger than the Heartbleed vulnerability." Apple says that only those who have configured "advanced UNIX services" using the Terminal in OS X could be a risk of the flaw -- which would mean that nearly all OS X users would be unaffected. Nevertheless, the company is said to be working on a fix.
A new bug may have a greater potential for harm than April's Heartbleed vulnerability, according to reports. The "Shellshock" vulnerability in Bash, a Unix shell typically used in Linux systems as well as in OS X, apparently allows for code held in environment variables to be executed within the shell as soon as it is invoked, potentially allowing for the control of affected systems to be taken over by another user.
Following an emergency patch issued by Adobe yesterday for a vulnerability in Flash Player and Adobe AIR that the company deemed "critical" for users to upgrade to, Apple is now blocking all un-upgraded versions of the plug-in in Safari, though the warning dialog will take users to the Flash Installer page where they can obtain the patched version. Users of OS X 10.6 and higher must be running version 18.104.22.168 in order for the Flash plug-in to work normally. Windows and Linux users are also affected by the flaw.