Apple has informed developers that, as of March 2012, any app submitted to the Mac App Store will have to include a sandbox. The move is an intriguing one from Apple, which has kept a low profile on security and typically handles Mac security on its own.
Browsing Tag: vulnerabilities
The Poison Ivy malware kit is old. It was first seen in 2005, which makes it about 762 years old in Internet years. But that doesn’t mean it’s no longer useful, as evinced by the data collected by Microsoft in a new report on the tool, which shows that it is still in active use and is turning up on thousands of infected PCs.
By any measure, Luigi Auriemma is a prolific vulnerability researcher. In the first ten months of 2011, the pay-for-bugs program Zero Day Initiative credited Auriemma with discovering 30 vulnerabilities, ranging from issues in Sybase enterprise software to Adobe Shockwave to Apple Quicktime. In its Upcoming Advisories section, ZDI listed Auriemma with finding another 35 vulnerabilities that still await fixes from their developers. The vulnerability researcher, who has made his name in part by finding SCADA bugs, is not yet ready to leave his day job. Despite ZDI’s bonus system, his independent research is not a career, he says.
The Black Hole exploit kit is really becoming a serious pain in the neck for people trying to use the Internet. At some point, it may become easier to start a list of the URLs that aren’t hosting the exploit kit, rather than the ones that are. For the time being, the latest entry in the latter category is a group of thousands of WordPress blogs that have been compromised and are now redirecting visitors to sites serving the Black Hole exploit kit.
A newly discovered installer for the Duqu malware includes an exploit for a previously unknown vulnerability in the Windows kernel that allows remote code execution. Microsoft is working on a fix for the kernel vulnerability right now. The exact location and nature of the flaw isn’t clear right now.
The Android platform has become one of the go-to choices for developers and device manufacturers in the last year or so, and that popularity has of course attracted the attention of attackers who have been busily coding up as much malware as they can for the platform. They’ve been quite successful, with hits such as DroidDream and its sequels popping up in dozens of compromised apps in the Android Market this year. Now, defenders are getting some tools of their own to help address the problem, with the release of the Android Reverse Engineering suite.
The Tor Project has released a new version of its client software to fix a serious vulnerability that allows an attacker to strip users of their anonymity on the network. The new version also includes a number of other security and privacy fixes.
WASHINGTON–The U.S. government has a lot of money. Not as much as it used to have, of course, but still, it has a lot. It also has a lot of computers and servers and routers and other things that move and store data. In fact, they have so many that they don’t really know what all of them are doing at any given time. That’s turning into a fairly thorny security problem for some of the country’s more vital networks, and even the most well-funded agencies are having a hard time addressing it.
WASHINGTON–One of the keys to addressing the widespread security threats facing both private and government networks is to develop more secure operating systems from the ground up and not rely on trying to secure existing ones, top CIA and Pentagon information assurance officials said.
Google has fixed more than two dozen vulnerabilities in its Chrome browser and also implemented a defense against the BEAST SSL attack. The bugs fixed in the new version of Chrome include 11 high-severity flaws.