Michael Mimoso

Mozilla Patches Cross-Site Scripting Flaws in Firefox

Mozilla is delivering security updates at a rapid clip this month, the latest coming late last week when a new version of Firefox repaired three vulnerabilities related to the Location object that could be abused for cross-site scripting. The Location object is supported by all major browsers and exposes information about the URL of the document being requested. The vulnerabilities were closed in Firefox 16.0.2, Firefox ESR 10.0.10, Thunderbird 16.0.2, Thunderbird ESR 10.0.10 and SeaMonkey 2.13.2.

DHS Warns ICS, SCADA Owners About Increase in Malicious Activity

An alert from the Department of Homeland Security late last week urges private- and public-sector industrial control system (ICS) owners to proactively audit the security of their systems, particularly their authentication controls. The alert responds to growing concern over the number of exploit tools available online that target the ICS and SCADA systems responsible for running critical infrastructure, as well as an evolving interest from hacktivists, who are using specialized search engines to find control systems reachable from the Internet.

Patch Available for Broadcom Mobile Device Firmware DoS Vulnerability

Older versions of Broadcom firmware found in a number of mobile devices from major vendors, including the Apple iPhone and iPad, Samsung Galaxy S and HTC Droid Incredible, are vulnerable to a denial of service attack. Researchers Andres Blanco and Matias Eissler of Core Security Technologies reported the vulnerability in August and this week published details along with proof-of-concept exploit code.


Today’s release of the Microsoft Windows 8 operating system brings embedded hardware-level security to the forefront. Microsoft, going forward, will require the Trusted Platform Module (TPM) chip on Windows PCs, phones and tablets, moving security checks to the platform’s lowest level. TPM isn’t new, but security experts hope this move by Microsoft lays the foundation for future security mechanisms built on top of TPM that deter today’s most sophisticated boot-level incursions.
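Before relying on any TPM-based protection, an administrator needs to know whether a given machine actually has a TPM and whether it is enabled, activated and owned. The following PowerShell script is an added example, not code from the article or from Microsoft; it queries the Win32_Tpm WMI class that Windows exposes on Vista and later (the function name Get-TpmAuditReport is this example's own).

```powershell
# Added example: summarize the state of the TPM on the local Windows machine.
# Uses the Win32_Tpm WMI class (namespace root\cimv2\Security\MicrosoftTpm).
# Must be run from an elevated prompt; Win32_Tpm requires administrator rights.
function Get-TpmAuditReport {
    [CmdletBinding()]
    param()

    $tpm = Get-WmiObject -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                         -Class Win32_Tpm -ErrorAction SilentlyContinue

    if (-not $tpm) {
        # No instance means there is no TPM, it is disabled in firmware,
        # or the TPM driver has not loaded. Report it as absent.
        return [pscustomobject]@{
            TpmPresent  = $false
            Enabled     = $false
            Activated   = $false
            Owned       = $false
            SpecVersion = $null
            Note        = 'No TPM reported by Win32_Tpm (absent, disabled in firmware, or driver not loaded)'
        }
    }

    # IsEnabled(), IsActivated() and IsOwned() are Win32_Tpm methods; each
    # returns an object carrying a boolean of the same name.
    [pscustomobject]@{
        TpmPresent  = $true
        Enabled     = [bool]$tpm.IsEnabled().IsEnabled
        Activated   = [bool]$tpm.IsActivated().IsActivated
        Owned       = [bool]$tpm.IsOwned().IsOwned
        SpecVersion = $tpm.SpecVersion   # e.g. "1.2, 2, 3" for a TPM 1.2 part
        Note        = 'OK'
    }
}

# Usage: print the report for this machine.
Get-TpmAuditReport | Format-List
```

A machine where Enabled or Activated is false has a TPM that the firmware is not exposing to the operating system, so any protection that depends on it (such as measured boot or disk-encryption key sealing) is silently unavailable until the setting is changed in the firmware setup. On Windows 8 and later the built-in Get-Tpm cmdlet reports the same information in a single call.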

Patches released this week by database and mobile management vendor Sybase did not completely repair serious privilege escalation and remote code execution vulnerabilities in versions 15.0.3 and later of its Adaptive Server Enterprise (ASE) product. Researchers at Application Security Inc., which specializes in database security, reported a dozen vulnerabilities to Sybase, an SAP subsidiary, in July. AppSec also sent along proof-of-concept exploit code with details of the vulnerabilities.

A fraud ring that attacked financial transfer systems in an attempt to get at wealthy high-end banking customers used a complicated web of malware and compromised servers in several countries to walk off with an estimated $78 million earlier this year. While the attacks targeted financial systems, the victims seem to be limited to companies involved in manufacturing, import-export businesses, and state or local governments.

Regardless of the market or industry, the majority of attacks are financially motivated. Even in data-rich environments such as health care, attackers are still after profits and exploit the same weaknesses in transaction processing systems that are vulnerable in other industries such as hotels and accommodations, food services and financial services. Verizon’s latest Data Breach Investigations Report (DBIR) broke out data breach characteristics by those industries and came to a strikingly simple conclusion: attackers seek out the easiest way in, take what they need and get out quickly.