Adobe Patches Critical Memory Vulnerabilities in Flash Player, AIR
Adobe has repaired a number of critical vulnerabilities in Flash Player that could lead to system crashes or remote attackers controlling computers running compromised software.
Michael Mimoso
Android Smishing Vulnerability Found in Android Open Source Project Firmware
A vulnerability discovered in the Android Open Source Project enables malicious applications to send SMS messages without user permission across all recent Android platforms.While no exploits are active in the wild, one could be built that could be at the center of various SMS phishing, or smishing, attacks, said Xuxian Jiang, associate professor in the North Carolina State University computer science department.
Side-Channel Attack Steals Crypto Key from Co-Located Virtual Machines
Side-channel attacks against cryptography keys have, until now, been limited to physical machines. Researchers have long made accurate determinations about crypto keys by studying anything from variations in power consumption to measuring how long it takes for a computation to complete.A team of researchers from the University of North Carolina, University of Wisconsin, and RSA Security has ramped up the stakes, having proved in controlled conditions that it’s possible to steal a crypto key from a virtual machine.
For the third time this year, VMware ESX source code has been posted online. A hacker known as Stun claiming to be affiliated with Anonymous tweeted a link to a torrent site hosting the stolen VMkernel source code. VMware director of platform security Iain Mulholland acknowledged the breach on Sunday and confirmed the source code, dating from 1998-2004, is related to code posted in April and May.
A little more than a month out from the release of iOS 6, which in addition to new functionality addressed almost 200 security vulnerabilities, Apple pushed out iOS 6.0.1 yesterday that repaired four new critical security issues.The most serious seems to be a kernel flaw discovered by researcher Mark Dowd of Azimuth Security and Eric Monti of Square that affects iPhone 3GS and later, as well iPod Touch and iPad2 and later. An attacker exploiting the vulnerability could essentially bypass address space randomization layout (ASLR) protections using a malicious application, and could determine addresses in the kernel, Apple’s advisory said.
Controversial bug hunters and exploit sellers VUPEN claimed to have cracked the low-level security enhancements featured in Windows 8, Microsoft’s latest operating system.
Cisco is warning its customers about a remote command execution vulnerability in its Cisco Prime Data Center Network Manager.The product manages Ethernet and storage networks and troubleshoots for performance issues on Cisco products running NX-OS software. Versions prior to 6.1.1 are vulnerable to remote exploits on the underlying system that hosts the application, Cisco said.
South Carolina governor Nikki Haley said a mouthful this week when she spilled a dirty industry secret that Social Security numbers are generally not encrypted by state agencies. Reeling from a Department of Revenue data breach that leaked 3.6 million Social Security and credit card numbers as well as other personally identifiable information for more than three-fourths of the state’s residents, Haley called encryption complicated and cumbersome technology.
A mid-year switch in communication protocol and distribution strategy is behind a spike in activity from the ZeroAccess botnet, a prolific and malicious ad click fraud network.
It looks like it’s time for a do-over for DNT. The oft-maligned specification has become—like many other standards efforts before it—a political football. Parties with interests on both sides of the issue have their own agendas, cannot agree on semantics and ignore, in this case, what should be the heart of the issue for users—a clear personal choice about browsing privacy.
