cert
Latest
Microsoft will fix an Internet Explorer security flaw under active attack
Mozilla isn't the only one grappling with a serious web browser security flaw. Microsoft has confirmed to TechCrunch that it will fix an Internet Explorer security exploit already being used for "limited targeted attacks." The vulnerability lets attackers corrupt memory used for the scripting engine in IE9, IE10 and IE11 in a way that would let the intruder run arbitrary code with the same permissions as the user, letting them hijack a PC. It's believed to be similar to the Firefox issue disclosed a week earlier.
Firefox disabled all add-ons because a certificate expired (updated)
Many Firefox users around the world are browsing without their usual set of extensions after they suddenly stopped working earlier this evening. The event occurred as the clock rolled over on UTC (Coordinated Universal Time, aka GMT or Greenwich Mean Time), and impacted users quickly narrowed it down to "expiration of intermediate signing cert" -- as it's described on Mozilla's bug tracker. This same problem almost happened three years ago, but "armagadd-on" 2.0 has torn things up once again. In a statement provided to Engadget, Product Lead Kev Needham said: We're sorry that there is currently an issue where existing and new add-ons are failing to run or be installed on Firefox. We know what the issue is and are working hard to restore add-on functionality to Firefox as soon as possible. We'll continue to provide updates via our Twitter channels. Please bear with us while we get the problem fixed.
US warns about spyware that many believe it wrote
Want to see a classic example of irony? Head to the US Computer Emergency Readiness Team (CERT) website. The government security group has issued a public warning about Regin... you know, the extra-sophisticated malware that many suspect the US wrote to spy on telecom networks. It's more than a little amusing to see one agency warn about a problem the other may have created, although it raises a few questions when there haven't been similarly direct warnings for (allegedly) state-created attacks like Stuxnet and Duqu. Is it evidence that the US wasn't involved, or that Regin is out of control? An attempt to throw people off the scent? Or something else?
Smile, and JavaTutor's AI knows when you're learning online
College-age kids these days are pretty good at a few things: selfies, social oversharing and staring into screens. But can you leverage that self-obsession into a mechanism for learning? The mad scientists at North Carolina State University think so and they've got a program to prove it. Dubbed JavaTutor, the software's aimed at teaching our future workforce the basics of computer science. And it does this by tracking facial expressions -- using the Computer Expressions Recognition Toolbox, or CERT, as its base -- during online tutorial sessions. Frown and the AI knows you're frustrated; concentrate intently and the same automated emotion detection applies. So, what's the end sum of all this? Well, it seems the research team wants to gauge the effectiveness of online courses and use the cultivated feedback to better tailor the next iteration of the JavaTutor system. But the greater takeaway here, folks, is that at NCSU, online tutoring learns you!
British government announces Cyber Reserve to protect the Queen's laptop
The British government has updated its online cyber-security strategy with a variety of new cyber-programs to protect the motherland's cyber-future. It's setting up a nationwide Computer Emergency Response Team in order to help companies deal with... you know, cyber-threats. Alongside it, will be a new Cyber Reserve, which will call upon the talents of the motherland's finest cyber-minds in times of dire cyber-need. The plan will be pressed into action later next year, just as soon as our politicians learn another buzzword.
WebGL flaw leaves GPU exposed to hackers
Google spent a lot of time yesterday talking up WebGL, but UK security firm Context seems to think users should disable the feature because it poses a serious security threat, and the US Computer Emergency Readiness Team (CERT) is encouraging people to heed that advice. According to Context, a malicious site could pass code directly to a computer's GPU and trigger a denial of service attack or simply crash the machine. Ne'er-do-wells could also use WebGL and the Canvas element to pull image data from another domain, which could then be used as part of a more elaborate attack. Khronos, the group that organizes the standard, responded by pointing out that there is an extension available to graphics card manufacturers that can detect and protect against DoS attacks, but it did little to satisfy Context -- the firm argues that inherent flaws in the design of WebGL make it very difficult to secure. Now, we're far from experts on the intricacies of low-level hardware security but, for the moment at least, there seems to be little reason for the average user to panic. There's even a good chance that you're not vulnerable at all since WebGL won't run on many Intel and ATI graphics chips (you can check by clicking here). If you're inclined to err on the side of caution you can find instructions for disabling WebGL at the more coverage link -- but come on, living on the cutting edge wouldn't be anywhere near as fun if it didn't involve a bit of danger. [Thanks, Tony]
CERT lists vulnerabilities addressed in 10.4.9/SecUpd003
Your tax dollars at work: the crack team at US-CERT (United States Computer Emergency Readiness Team) has posted a tech alert & vulnerability list for Apple's most recent security update and the 10.4.9 release, which both provide patches for a slew of flaws. Interestingly, some of the patches address problems in Apple-provided third party tools such as Adobe Flash Player and MySQL. Apple's security review page for the 2007-003 update and 10.4.9 was updated on Monday with additional details as well.
