vulnerable

Google push for faster zero day fixes hits a wall: Other companies

Google has undertaken what some might call a Sisyphean effort: to get technology companies to patch publicly unknown security vulnerabilities, referred to as "zero day" exploits, more quickly.

In a blog post published Wednesday, two Google security engineers advised their counterparts at other companies to respond to actively exploited zero days within seven days.

The post's authors, Chris Evans and Drew Hintz, wrote, "Often, we find that zero day vulnerabilities are used to target a limited subset of people. In many cases, this targeting actually makes the attack more serious than a broader attack, and more … Read more

Top Wi-Fi routers easy to hack, says study

The Wi-Fi router you use to broadcast a private wireless Internet signal in your home or office is not only easy to hack, says a report released today, but the best way to protect yourself is out of your hands.

The report, written by research firm Independent Security Evaluators of Baltimore, found that 13 of the most popular off-the-shelf wireless routers could be exploited by a "moderately skilled adversary with LAN or WLAN access." It also concludes that your best bet for safer Wi-Fi depends on router vendors upping their game. All 13 routers evaluated can be taken … Read more

ACLU to FTC: Mobile carriers fail to provide good Android security

The America Civil Liberties Union filed a complaint with the Federal Trade Commission today asking the agency to investigate the four major mobile carriers' security practices in regards to smartphones.

The civil liberties group claims that AT&T, Verizon, T-Mobile, and Sprint are not doing enough to protect users' private and personal data -- specifically on Android devices. The gist of the complaint (PDF) is that these carriers aren't providing users with timely security updates, which the ACLU says is akin to "deceptive and unfair business practice."

"The major wireless carriers have sold millions of … Read more

Apple ID security issue fixed, password page back online

Apple has fixed the security issue involving its Apple ID password-reset page, a vulnerability that had made it possible for hackers with a user's e-mail address and birth date to reset the user's password.

Apple said yesterday that it was aware of the issue and was preparing a fix. Meanwhile, the company had taken the "iForgot" reset page offline for maintenance. Now the page is back up, and Apple has confirmed the fix with CNET.

The security exploit made use of a special URL that got around the need to answer a security question. Apple had … Read more

Microsoft's latest patches address new USB hack

A new kind of vulnerability popped up recently, one that lets hackers stick a USB thumb drive into a computer -- even if it's logged-off or locked -- type out a bit of attack code and steal whatever data they want.

In an effort to avoid this type of cyberattack, Microsoft issued its monthly software patches today and included a fix for this Windows vulnerability called MS13-027. This vulnerability lets a hacker get into the computer with a thumb drive and take over administrative privileges.

"When the Windows USB device drivers enumerate the device, parsing a specially crafted … Read more

Oracle issues emergency Java update to patch vulnerabilities

In response to discovering that hackers were actively exploiting two vulnerabilities in Java running in Web browsers, Oracle has released an emergency patch that it says should deal with the problem.

"These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password," Oracle wrote in a security alert today. "For an exploit to be successful, an unsuspecting user running an affected release in a browser must visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and … Read more

Adobe issues emergency patch for zero-day Flash vulnerabilities

Adobe Systems released an emergency security update today that addresses a trio of vulnerabilities in Flash, two of which the company said were already being exploited by hackers.

Today's surprise update -- the company's third for the browser plug-in this month -- patches holes "that could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said in a security bulletin.

"Adobe is aware of reports that CVE-2013-0643 and CVE-2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which … Read more

Adobe patches critical security flaws in Reader, Acrobat

Adobe has issued a patch to plug up critical security holes in its Reader and Acrobat software.

Released yesterday, the security updates address flaws that could cause the applications to crash and potentially let an attacker gain control of an infected computer. Adobe confirmed last week that the exploits have already led to some targeted attacks against vulnerable systems.

The patches are directed toward the following products and versions:

Adobe Reader XI (11.0.01 and earlier) for Windows and Macintosh Adobe Reader X (10.1.5 and earlier) for Windows and Macintosh Adobe Reader 9.5.3 and earlier … Read more

Adobe confirms targeted attacks due to security hole in Reader

A zero-day security flaw in Adobe Reader and Acrobat is being exploited through a series of targeted attacks against vulnerable computers, Adobe Systems said yesterday.

In a security bulletin, Adobe confirmed that the vulnerabilities could cause Reader and Acrobat to crash, potentially opening the door for an attacker to gain control of the system.

"Adobe is aware of reports that these vulnerabilities are being exploited in the wild in targeted attacks designed to trick Windows users into clicking on a malicious PDF file delivered in an email message," the company revealed in the bulletin.

Adobe said it's … Read more