02/07, 10:00pm
Exploits affect both platforms, one targets the Mac specifically
Adobe has issued a patch to update Flash on both the Mac and Windows platforms in order to fix two new vulnerabilities already being exploited "in the wild" to spread malware. One of the targeted attacks using the exploit works equally well against Mac users as it does against Windows users. Visitors are tricked into downloading and opening MS Word files that contain malicious Flash content, while the other vulnerability uses a similar technique but only affects Windows users.
01/07, 1:34pm
Hacker details attack process in YouTube video
[Updated with Yahoo response] Yahoo Mail accounts have been hacked, with a DOM-based cross-site scripting vulnerability being the main vector of attack. Details of the hack, including how to perform the attack on specific e-mail accounts, have appeared online in a YouTube video demonstration, with the entire attacking process taking just a couple of minutes.
10/26, 9:40pm
Proof-of-concept code knocks affected devices offline
Proof-of-concept example code shows a vulnerability in the firmware of two wireless chips sold by Broadcom -- the BCM4325 and the BCM4329. The chips are found in recent devices such as the iPhone 4, iPad, iPad 2, HTC Droid Incredible 2, Motorola Droid X2, and some Edge model cars manufactured by Ford. The flaw makes the devices vulnerable to attacks that render the Wi-Fi connection unusable for the duration of the attack.
08/17, 10:59am
Could allow messages to silently re-direct to phishing sites
Security researcher Pod2g has discovered a flaw in the way iOS handles SMS messages that could conceivably allow for malicious texters to disguise messages as being from a known or trusted source, potentially getting users to reveal information they normally would not, or rack up inadvertent charges on their bill. Pod2g refers to the flaw as "severe" and plans on releasing a tool to allow iPhone 4 users to send messages in "raw" PDU format until the vulnerability is fixed.
04/23, 6:25pm
Google raises Vulnerability Reward Program prizes
Google has updated the bounties for its Vulnerability Reward Program. Users who report a bug from one of Google's products stand to earn up to $20,000 for each potential vulnerability declared to the search giant.
02/08, 10:25pm
Google working quickly to fix bug
Researchers at security firm Zvelo have released details surrounding a Google Wallet vulnerability that is claimed to leave a user's PIN data exposed. Engineers were reportedly able to develop a crack that quickly determines a user's four-digit PIN, which serves as an essential security layer to prevent the NFC system from transmitting card data without authorization.
12/28, 12:00am
Flaw makes for easier brute-force attacks
The US Computer Emergency Readiness Team (US-CERT) has reportedly issued a warning regarding a vulnerability in Wi-Fi routers that use Wi-Fi Protected Setup (WPS) PINs. The security flaw, which was said to be discovered by security researcher Stefan Viehbock, enables hackers to easily gain access to routers by using brute-force attacks and software tools to guess the PIN codes.
12/20, 8:30pm
Gives attacker ability to run arbitrary code
Microsoft is said to be looking into a new vulnerability in the 64-bit version of Windows 7 that can be exploited through Apple's Safari web browser for Windows, according to a report on Threat Post. The flaw, reported a few days ago by an independent researcher on Twitter and confirmed by Secunia, would allow an attacker to run arbitrary code on victimized machines.
10/04, 7:25am
HTC to plug major security hole ASAP
HTC has confirmed that it has commenced work on a patch for the gaping security hole that was discovered in its Android phones over the weekend. HTC has also acknowledged that the vulnerability could allow a maliciously crafted third-party application to access a customer’s data without permission. The company claims that it is working quickly to issue a security update for its Android devices.
09/20, 7:25pm
Users' address books could be copied
A security researcher going by "Phil P" and running the Superevr security blog has found a serious scripting vulnerability in the chat messaging feature of Skype versions 3.01 and earlier for the iPhone and iPod Touch that could execute malicious JavaScript code without the user being fully aware, giving the attacker access to the contents of any file that the Skype app would have access to -- such as a user's address book.
06/15, 9:45pm
Issue affects desktop platforms, Android
Adobe has again issued a security update for a critical issue affecting Adobe Flash Player 10.3 and earlier versions for Macintosh, Windows, Linux, Solaris and Android, just over a week since the previous update. A new memory corruption vulnerability (marked by the company as CVE-2011-2110) can cause a crash and potentially allow an attacker to take control of the affected system, with reports that the problem has been spotted in the wild.
03/09, 10:05pm
Team exploits WebKit vulnerability
Security researchers from the French company Vupen hacked a MacBook running Safari to win the recent Pwn2Own hacking contest this week at the CanSecWest security conference. The group discovered and exploited an unpatched vulnerability in Safari's WebKit engine. The browser was directed to a website designed to take advantage of the flaw, enabling the hackers to remotely launch the calculator application and write a file to the disk.
07/15, 12:40am
Firefox security issue
A new security vulnerability affecting Firefox 3.5 has been discovered, according to Secunia. The issue, spotted by Simon Berry-Byrne, relates to an error when processing JavaScript code, such as "font" HTML tags, and can be exploited to cause memory corruption. The flaw potentially could be used to allow malicious code to enable unauthorized control of a system.
05/21, 4:05pm
iCal vulnerable to bad ics
A new vulnerability in iCal has been discovered that allows unauthenticated attackers to execute arbitrary code on vulnerable systems with (and potentially without) assistance from the end user of the application, or to repeatedly execute a denial of service attack to crash the iCal application. Core Security writes that "the most serious of the three vulnerabilities is due to potential memory corruption resulting from an resource liberation bug that can be triggered with a malformed .ics calendar file specially crafted by a would-be attacker".
04/24, 9:00pm
URL spoofing flaw
A little over a week after Apple offered a security update to Safari 3.1.1, security research site Secunia warned users about another, but "less critical," vulnerability that could allow malicious sites to "spoof" other websites. Reported by Juan Pablo Lopez Yacubian, the security advisory notes that Safari 3.11 has a flaw that can be exploited by malicious people to display a fake URL in the address bar. "The problem is that it is possible to hide the actual location of a page in the address bar via a specially crafted URL containing a number of certain special characters in the 'user' field before the '@' character," the report noted. It affects both the Mac OS X and Windows Vista versions of the browser and may also affect older versions. Secunia, however, rates the flaw as "less critical," but warns that users should avoid untrusted websites and untrusted links.
03/19, 12:30am
Code crashes iPhone 1.1.4
A new exploit has surfaced for the iPhone's Safari browser that, while drawing parallels to an earlier issue, requires no user input to function. According to iPhone World, the vulnerability is triggered by previously conceived code that has been refined in the above manner. The issue affects firmware version 1.1.4 iPhones, and presumably previous versions. Safari on the Mac and PC were also affected by this vulnerability, but it was recently fixed in Safari 3.1, released today.
01/26, 1:25pm
New iPhone vulnerability
iPhone owners should be on guard against a new threat, which fortunately doesn't harm the device, but still induces a freeze by taking all available system memory. According to security firm SecurityFocus, the vulnerability is exposed by a Denial of Service attack, when a maliciously crafted webpage is viewed. The page will insert code into the iPhone, which continually eats up available system memory before causing a kernel panic.
01/09, 12:10am
First iPhone Trojan attack
The iPhone recently fell victim to its first Trojan attack, which came in the form of a malicious file named “113 prep”. While installation of the phony application is relatively benign – the app merely says “shoes” when activated – uninstalling the file causes damage to or deletes system-critical files in the /bin directory on the iPhone. In addition to harming the device's own software, third-party utilities are also being rendered useless through the same means. This attack was orchestrated by an 11-year-old, and has some modmyifone.com forum members laughing to ease the pressure using references to the 1995 film Hackers, due to the similarity of circumstances.
12/17, 11:20pm
Firebox X updated
WatchGuard Technologies recently updated its Firebox X network protection hardware to neutralize the latest Java threats against Mac OS X 10.4 Tiger users. Malicious web pages are reportedly the most common methods of implementation for viruses or attacks, but WatchGuard says that its equipment protects against these kinds of incursions by running network traffic through its Application Proxy technology – a proxy that separates user traffic from web-source to neutralize these exploits. Application Proxy is currently available in all of WatchGuard's products, including the Firebox X line of protective hardware.
12/11, 5:25pm
iPhone target of choice
The iPhone will be a major target for hackers in 2008, with attacks centered around the included Safari web browser, according to a prediction by Arbor Networks Security. The attacks will most likely be bits of malicious code that, when intertwined with benign digital material such as image files, could be capable of executing various harmful commands on the device. Arbor believes that the prospect of attacking Apple users and being among the first to hack a new platform are both big draws for malevolent hackers.
12/11, 3:25pm
First look at NAV 11
Viruses have been of little concern to most Mac users since OS X made its first appearance in 2001. Apple's switch to Intel processors, and the various virtualization processes that exist for running Windows, have eroded that confidence for some users. Although Apple is usually on the ball with fixing system vulnerabilities, some larger problems can go for several days or weeks before a proper fix is available. Symantec's Norton AntiVirus 11 aims to complement the Mac OS' natural sturdiness by providing anti-viral services and fixes for security holes while Apple works on a true solution for the problem.
12/10, 5:25pm
Security flaws in Leopard
A new denial of service (DoS) vulnerability has surfaced in Apple's Mac OS X Leopard operating system that can result in crashes, according to Heise Security. The flaw, which is an integer overflow in the load_threadstack function in mach_loader.c, occurs when processing Mach-O binaries and can lead to a kernel panic. Single user systems should not be at risk, according to the company, but multi-user setups are vulnerable because attackers do not require any special privileges to provoke the error.
11/30, 1:20am
QuickTime 7.2 exploit
Symantec has notified DeepSight customers that a bug in QuickTime's Real Time Streaming protocol can lead to the execution of malicious code on any computer running QuickTime 7.2 or later, and that a working proof-of-concept set of code is being circulated on the internet. Computerworld reports that the bug was originally posted on milw0rm.com, and that the exploit code had worked when tested against Windows XP and later in Vista. Mac OS X 10.4 Tiger and 10.5 Leopard are said to be vulnerable as well, but it took considerably more time for researchers to craft a reliable, working exploit.
11/29, 4:45pm
SonicWALL Quicktime issue
Networking security hardware manufacturer SonicWALL recently announced that it has distributed defensive measures to users of its Unified Threat Management technology, against zero-day vulnerability exploits found in QuickTime. Malicious websites are able to create a stack-based buffer overflow in Apple's media player by providing a phony movie file that, when activated, executes a series of code that allows a user's machine to be taken over. SonicWALL says that the problem lies within the "Content-Type" header field that is sent from the server, which is not properly verified by the client's QuickTime. Once the "Content-Type" field reaches a certain length, a buffer overflow condition occurs, and through this, malevolent users can rewrite a user's privileges so that they have read-write access to the machine.