New Attack Uses SSL/TLS Information Leak to Hijack HTTPS Sessions

There is a feature supported by the SSL/TLS encryption standard and used by most of the major browsers that leaks enough information about encrypted sessions to enable attackers decrypt users’ supposedly protected cookies and hijack their sessions. The researchers who developed the attack that exploits this weakness say that all versions of TLS are affected, including TLS 1.2, and that the cipher suite used in the encrypted session makes no difference in the success of the attack.

Facebook Timeline Eraser Chrome Plugins Dupe Tens of Thousands of Users

Nearly 100,000 Facebook users have been duped into installing third-party Chrome plugins over the past few weeks that have access to all of their data on every Web site they visit. According to research recently conducted by security firm Barracuda Networks, the unsuspecting users were tricked into thinking the plugins could block Timeline, a new profile feature Facebook first introduced at the end of 2011.

Qubes OS Release Enhances Security Via Domain Isolation

With the deluge of malware and advanced attacks continuing unabated, security approaches that sandbox applications or isolate processes are garnering increased attention. Researcher Joanna Rutkowska and Invisible Things Lab were the latest to go in that direction with the official release on Tuesday of the Qubes operating system.

UPDATE–The Antisec arm of hacktivist group Anonymous published one million unique device identifier numbers, or UDIDs, for Apple devices, including iPhones and iPads, on Monday night. The group alleges the slew of information was swiped from a laptop belonging to the FBI earlier this year.

UPDATE–Oracle last week patched the two zero-day vulnerabilities in Java that attackers had been exploiting in targeted attacks, but it didn’t take long for researchers to poke more holes in the software. A new bug that allows a complete Java sandbox escape has been identified already, the latest in what has become a long line of flaws haunting the Java software running on hundreds of millions of machines.

Oracle on Thursday released a new version of Java that included a fix for the CVE-2012-4681 vulnerability that has been used in limited targeted attacks in the last couple of weeks. The release of Java 7 update 7 comes about four days after the Java flaw was publicly disclosed, but several months after researchers say they notified Oracle of the problem.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.