zero-day

Latest

  • Apple patches two security vulnerabilities on iPhone, iPad and Mac

    by Will Shanklin
    11.30.2023

    Apple pushed updates to iOS, iPadOS and macOS software today to patch two zero-day security flaws. The company suggested the bugs had been actively deployed in the wild.

  • Apple's latest iOS and macOS updates fix a major web security flaw

    by Jon Fingas
    02.10.2022

    Apple has released a swath of updates that fix a significant web security flaw on iOS, macOS and beyond.

  • Microsoft patches Exchange software flaws targeted by Chinese hackers

    by Mariella Moon
    03.03.2021

    Microsoft has rolled out a security update to fix four zero-day flaws in Exchange Server that bad actors have been using to infiltrate companies and organizations across industries.

  • Chrome 88 update patches a zero-day that is being actively exploited

    by Richard Lawler
    02.04.2021

    Google's latest version of Chrome (88.0.4324.150) fixes a 'zero-day' exploit attackers are already exploiting, so update your browser immediately.

  • Facebook paid for a tool to hack its own user, then handed it to the FBI

    by Christine Fisher
    06.10.2020

    According to Motherboard, Facebook paid a security firm to develop a hack that the FBI eventually used to bring down a serial child abuser.

  • Apple releases iOS 13.5.1 to fix the flaw behind a well-known jailbreak

    by Christine Fisher
    06.01.2020

    Less than two weeks after Apple released iOS 13.5, the company is rolling out iOS 13.5.1 to patch the vulnerability that enabled a high-profile jailbreak.

  • The latest iOS jailbreak cracks virtually any iPhone

    by Jon Fingas
    05.24.2020

    A new jailbreak can open up virtually any iOS device, including ones using Apple's latest software.

  • Microsoft warns Windows users of two security holes already under attack

    by Christine Fisher
    03.23.2020

    Today, Microsoft warned billions of Windows users that hackers are actively exploiting two critical zero-day vulnerabilities that could allow bad actors to take complete control of targeted computers. According to a security advisory, the vulnerabilities are being used in "limited targeted attacks," and all supported Windows operating systems could be at risk.

  • Homeland Security wants you to update your Firefox browser right now

    by Christine Fisher
    01.10.2020

    The Department of Homeland Security is urging Firefox users to update their browsers. The rare warning was issued earlier this week, after Mozilla released two critical security updates. According to the Cybersecurity and Infrastructure Security Agency (CISA), the exploit could allow hackers to "take control of an affected system."

  • Google's new policy gives developers more time to address security flaws

    by Jon Fingas
    01.07.2020

    Google's Project Zero disclosure program is supposed to encourage releases of security fixes in a timely fashion, but things haven't gone according to plan. Premature disclosures, half-hearted fixes and other issues have been a little too common. The company might address some of those problems in 2020, though. It recently revised its policies in a bid to encourage both more "thorough" security patches and wider adoption of those patches. Most notably, Google will wait 90 days to disclose a flaw even if it's fixed well ahead of that deadline. If developers act quickly, they'll have more time to both distribute patches and make sure that fixes address the root cause of a flaw.

  • You should update Firefox right now to fix a critical bug

    by Kris Holt
    06.18.2019

    If you have Firefox on your computer, you should update it right now. Mozilla has released security updates Firefox 67.0.3 and Firefox ESR 60.7.1 to fix a critical bug, which it says hackers are actively exploiting to take control of vulnerable systems. The US Cybersecurity and Infrastructure Security Agency also issued an alert urging users and system administrators to review Mozilla's security advisory and act accordingly -- in other words, update your browser.

  • Internet Explorer security flaw allows hackers to steal files

    by Jon Fingas
    04.14.2019

    Microsoft's Internet Explorer has a longstanding reputation for poor security, but it's now bad enough that you could be attacked just by having it on your PC. Security researcher John Page has revealed an unpatched exploit in the web browser's handling of MHT files (IE's web archive format) that hackers can use to both spy on Windows users and steal their local data. As Windows opens MHT files using IE by default, you don't even have to run the browser for this to be a problem -- all you have to do is open an attachment sent through chat or email.

  • Google: Update Chrome now as attackers are 'actively exploiting' a bug

    by Richard Lawler
    03.07.2019

    Google Chrome tends to auto update quickly and silently, but you may want to make sure you're on the latest version right now, as the company announced a zero-day vulnerability that it said attackers are "actively exploiting." As Chrome security engineer Justin Schuh explained in a series of tweets, the thing that makes this different from previous exploits that usually targeted Flash, is that the browser needs to be restarted for the fix to take effect. If you're on Chrome's stable channel, then the latest update should install version 72.0.3626.121 with the fix. Google also alerted users that the bug was being used in concert with a second exploit attacking the Windows operating system. According to its blog post, it may only impact people running Windows 7 32-bit systems, and those people are encouraged to upgrade to a newer version of the OS, or install patches when/if Microsoft makes them available (seriously, it's time to move on).

  • Microsoft patches Internet Explorer flaw being used to hijack PCs

    by Mariella Moon
    12.20.2018

    Microsoft has rolled out a fix for a zero-day Internet Explorer vulnerability that hackers are already using for targeted attacks. The tech giant didn't elaborate on the scope of those attacks, but it did explain how criminals can use the memory-corruption flaw. Apparently, attackers simply have to get users to visit websites engineered to exploit it -- by sending them links via email, for instance -- in order to hijack their computers. Once attackers gain control of their system, they can install programs, view or even change data, as well as create new accounts with full user rights.

  • The bogus expert and social media chicanery of DC’s top cyber think tank

    by Violet Blue
    05.25.2018

    Like viruses, cybersecurity charlatans are incidental guests in the body of infosec. These men sell false expertise, conspiracy theories, and invisible security potions and they are as unintentionally hilarious as they are alarming. Case in point: BuzzFeed's exposé of James Scott, cofounder of Washington DC's big cybersecurity think tank, ICIT (Institute for Critical Infrastructure Technology).

  • iOS HomeKit bug exposed smart locks to unauthorized access

    by Mallory Locklear
    12.07.2017

    Apple has another security issue to deal with. As 9to5Mac reports today, Apple's HomeKit framework has a vulnerability that allows unauthorized access to connected smart devices like locks and garage door openers. Apple has already put in a server-side fix that rectifies the issue, but the fix also disables remote access to shared users. Apple says that the reduced functionality will be restored with an iOS 11.2 update next week.

  • Samsung's in-house OS is a security nightmare

    by Jon Fingas
    04.04.2017

    Samsung's Tizen platform might give the company the technological independence it wouldn't have if it stuck to outside software like Android, but it's apparently a security disaster. Researcher Amihai Neiderman tells Motherboard he has discovered 40 unpatched vulnerabilities in Samsung's operating system, exposing many of its smartphones, smartwatches and TVs to remote attacks. Reportedly, it's the "worst code" the expert has "ever seen" -- it was designed by a team that had no real understanding of security concepts, and makes mistakes that virtually anyone else would avoid.

  • Microsoft patch for Google-outed exploit is still a week away

    by Jon Fingas
    11.01.2016

    Microsoft is still more than a little upset at Google revealing unpatched Windows security flaws, but it'll at least have a solution in hand in the days ahead. The software giant now plans to issue a patch for affected versions of Windows on November 8th. You're in good shape if you use both Windows 10 Anniversary Update and a sufficiently up to date browser (both Chrome and Edge should be safe), but you'll definitely have to be cautious if you can't use one of the known safe browsers or the latest version of Windows.

  • Homeland Security urges you to uninstall QuickTime on Windows

    by Mariella Moon
    04.14.2016

    The Department of Homeland Security is echoing Trend Micro's advice to uninstall QuickTime if you have it on your Windows computer. While the multimedia program's working just fine, the security firm has discovered two new critical vulnerabilities lurking within it that could allow remote attackers to take over your system. Unfortunately, they might never be patched up: Trend Micro says Apple will no longer release security updates for the Windows version of the software, hence the call to jettison it completely.

  • FBI: Yes, we exploit unpatched security holes

    by Jon Fingas
    12.08.2015

    It's no secret that the FBI uses tech tools like Stingray phone trackers to investigate suspects, but it's now clear that the bureau is willing to go even further than that. Operational Technology Division lead Amy Hess (above) tells the Washington Post that the FBI uses zero-day (that is, unknown by vendors) security software exploits for investigations -- the first time any official has admitted this on the record. The outfit doesn't prefer to use these hacks given how short-lived they are, Hess says, but they're still on the table.