flaw

Latest

  • Firefox has a new security hole, but you can already patch it

    by 
    Steve Dent
    08.07.2015

    Yesterday, someone noticed that an ad from a Russian news site was exploiting a serious vulnerability in the Firefox browser. According to a Mozilla security post, the attacker was able to bypass the browser's "origin policy" (its front line of security), inject a malicious JavaScript script and download sensitive local files to a server in the Ukraine. Mozilla said the attack was "surprisingly developer-focused for an exploit launched on a general audience news site," because it hunted browser and FTP configuration files. It added that the "exploit leaves no trace that it has run on the local machine."

  • Android app tells you if you have 'Stagefright' vulnerability

    by 
    Steve Dent
    08.07.2015

    Got Stagefright? Not the fear of an audience, but an Android vulnerability that could hijack your smartphone via a garden-variety MMS. The company that discovered the flaw, Zimperium, has now released a tool, the Stagefright Detector App, to at least let you know if you're patched against it. Google issued a fix a while ago, and you're protected if you have a Nexus device. But if you own nearly any other smartphone -- even a brand new one like Samsung's Galaxy S6 -- you're probably still at risk.

  • OS X flaw leaves Macs vulnerable to attacks, no password required

    by 
    Daniel Cooper
    08.04.2015

    The latest version of OS X contains a serious flaw that hackers can use to attack your computer without ever needing your password. The issue is around a hidden document -- Sudoers -- which is effectively a list of permissions as to which pieces of software are allowed to mess around with your computer. Unfortunately, a change to how Yosemite stores the list means that it's now possible to add malware to the register. As such, if you inadvertently run an offending script, hackers can take advantage of your computer's unwitting hospitality to install crapware like VSearch and MacKeeper.

  • Researchers find another terrifying iOS flaw

    by 
    Daniel Cooper
    04.22.2015

    It can't have escaped your attention that security experts have declared open season on Apple products over the last few weeks. At San Francisco's RSA conference, an even more terrifying exploit has been revealed that has the power to send your iPhone or iPad into a perpetual restart loop. Mobile security firm Skycure has discovered that iOS 8 has an innate vulnerability to SSL certificates that, when combined with another WiFi exploit, gives malicious types the ability to create "no iOS zones" that can render your smartphones and tablets unusable. Before you read on, grab a roll of tinfoil and start making a new case for your iPhone.

  • The phone designed to protect your information had a big hole

    by 
    Steve Dent
    01.28.2015

    Folks buy the highly secure Blackphone handset for the warm and fuzzy feeling that nobody can see their stuff, but that trust was misplaced until recently, according to security expert Mark Dowd. He found a vulnerability in the text message application of the phone that let attackers steal messages, contacts and location info, and even execute malicious code to gain full control. All a bad guy needed to know was the device's "SilentCircle" account info or phone number.

  • Why Google won't fix a security bug in almost a billion Android phones

    by 
    Nicole Lee
    01.14.2015

    A day after Google publicized a flaw in Windows 8.1 before Microsoft could do anything about it, news broke about a security vulnerability in Android that the Mountain View company, well, won't fix at all. Rafay Baloch, an independent researcher, and Joe Vennix, an engineer at Rapid7 (a security and data analytics firm) found a serious bug in the WebView component of Android 4.3 and below. It's an older bit of software that lets apps view webpages without launching a separate app, and the bug in question potentially opens up affected phones to malicious hackers. Android 4.4 and 5.0 are unaffected by the bug, but as 60 percent of Android users -- that's close to a billion people -- still use Android 4.3 or lower, it still affects a lot of people. Unfortunately, as Tod Beardsley, a Rapid7 analyst, found out, there's no easy way for Google to fix it.

  • Microsoft says 'no fair' after Google exposes Windows flaw early

    by 
    Daniel Cooper
    01.12.2015

    When the world's biggest technology companies start playing rough with each other, it's normally consumers who wind up suffering. This time out, it's Windows users who are feeling the pain after Google publicly posted the details of a Windows 8.1 flaw before Microsoft could fix it. In a public response to the disclosure, Microsoft's security chief Chris Betz says that Google's decision to publish and be damned before his company's scheduled patch was less about "principles" and more about getting one over on its rival.

  • Twitter login bug kicks users out (update: resolved)

    by 
    Jon Fingas
    12.28.2014

    Did your Twitter app suddenly give you the boot or otherwise behave strangely? It's not just you. The social network has confirmed a sign-in problem that's kicking out hordes of users (so far, mostly on Android) and preventing them from logging back in. Also, TweetDeck on the desktop is listing every new tweet as a year old. We've reached out to the company for more details, but it's possible that there's a date-related flaw at work -- a coder who intercepted the Android app's login traffic, Ninji, has noticed that the company's servers believe it's already 2015. Twitter has engineers tackling the issue, so sit tight if you want to tweet through your favorite apps. Update: And we're back. The issue that prevented some users from signing in to Twitter has been resolved. We apologize for the inconvenience: http://t.co/7BlGvFMC3e - Twitter Support (@Support) December 29, 2014

  • Critical flaw forces Apple to push first automatic OS X security update

    by 
    Steve Dent
    12.23.2014

    A critical security issue in the network time protocol (NTP) has prompted Apple to push an automatic OS X update to users for the first time. Google researchers discovered the flaw which could allow a remote attacker to "send a carefully crafted packet that can overflow a stack buffer and allow malicious code to be executed." NTP is a common protocol that's been successfully hacked before, so the security hole could result in remote DDoS attacks on many UNIX-based systems, including Linux servers and OS X. The US government deemed it serious enough to flag it, and at first Apple advised users of Yosemite, Mountain Lion and Mavericks to update "as soon as possible." However, several years ago it introduced an automatic OS X update system that requires no user action, and decided to deploy it for the first time ever. An Apple spokesman told Reuters "the update is seamless. It doesn't even require a restart." Update: Patrick Nielsen, Senior Security Researcher at Kaspersky told us the vulnerability is quite widespread. "The software is installed on everything from consumer gadgets to critical infrastructure; it's possible to execute malicious code on both servers and clients, a dream situation for worms which can spread very quickly by compromising servers and then all their clients," he said. What's more, many firewalls don't block attacks against NTP servers, especially in corporate networks.

  • Google, Microsoft and Instagram rush to fix Flash flaw that could steal your data

    by 
    Steve Dent
    07.09.2014

    Yet another critical security flaw has been found for Adobe's notoriously sieve-like Flash plug-in, this time by Google Engineer Michele Spagnuolo. His exploit tool, called "Rosetta Flash" is just a proof of concept, but could allow hackers to steal your cookies and other data using malicious Flash .SWF files. The exploit is well known in the security community, but had been left unfixed until now as nobody had found a way to harness it for evil. So how does this affect you? Many companies like Twitter, Microsoft, Google and Instagram have already patched their sites, but beware of others that may still be vulnerable. Adobe now has a fix, and if you use Chrome or Internet Explorer 10 or 11, your browser should automatically update soon with the latest versions of Flash, 14.0.0.145 (check your version here). However, if you have a browser like Firefox, you may want to grab the latest Flash version from Adobe directly (watch out for unwanted add-ons with pre-checked boxes). Finally, if you use apps like Tweetdeck or Pandora, you'll need to update Adobe AIR -- that should happen automatically, but the latest version is 14.0.0.137 for Windows, Mac and Android.

  • Dropbox cuts access to shared documents that were accidentally exposed to the web

    by 
    Sharif Sakr
    05.06.2014

    If you've shared a Dropbox document recently, but your intended recipients are complaining that the link is bust, then here's the likely reason: The cloud storage service has been forced to sever many shared links after realizing, perhaps a bit late in the day, that they contained an inherent security flaw that could potentially expose documents to the wrong people. Specifically, an authorized user who opens a shared document and clicks on any hyperlink within its text could unwittingly expose the entirety of that document to the webmaster of the hyperlinked site.

  • Popular login services have a security hole, but Facebook and Microsoft can't fix it

    by 
    Sharif Sakr
    05.02.2014

    The recent Heartbleed scare caused a huge stir, even though it was effectively fixed before it even happened. There are other sorts of security holes, however, which can't be plugged so readily, and which affected companies therefore have less incentive to publicize. A researcher in Singapore, Wang Jing, claims to have uncovered a potentially serious example of this involving the widely-used login services OAuth and OpenID. He says that he's tried to alert major web services that rely on these platforms, including Facebook, Microsoft and Google, but they're refusing to take responsibility for the issue.

  • Bloomberg: NSA used Heartbleed exploit for 'years' without alerting affected websites, the public (update: NSA response)

    by 
    Ben Gilbert
    04.11.2014

    The United States National Security Agency reportedly used the recently uncovered "Heartbleed" security exploit to access information, Bloomberg reports. According to two unnamed sources, the NSA exploited the flawed security standard for the past two years without alerting affected companies and the public at large. It's unclear what the exploit was used to access, but the flaw affects a huge portion of the web: something like two-thirds. Major services like Google are already acting, updating services and patching the issue. For those services, we suggest updating your passwords ASAP. For the still affected sites? Sadly, your best option is to wait it out. Update: The NSA insists that it only became aware of Heartbleed at the same time as everyone else. This answer isn't going to satisfy everyone given the many contradictory claims about the agency's activities, but hey -- at least it's on top of the situation.

  • The Heartbleed bug is affecting routers, too

    by 
    Sean Buckley
    04.10.2014

    Read our Heartbleed defense primer? Good, but the fight for your privacy isn't over just yet: you might have to replace your router, too. Cisco Systems and Juniper Networks have announced that the Heartbleed bug -- a flaw in OpenSSL that lets attackers bypass common security protocols -- has been found in their networking products. This news isn't too surprising, as any device using OpenSSL is potentially vulnerable, but checking these devices for the flaw is a laborious process. Naturally, devices that don't use the affected versions of OpenSSL (like Linksys routers) are unaffected. Both firms are investigating their product libraries to compile lists of affected devices. You can find those lists here, here (for Juniper Networks) and here (for Cisco Systems). If one of your devices is listed, sit tight and watch for updates; both companies say they're working on patches.

  • How to avoid heartburn, er, Heartbleed

    by 
    Sean Buckley
    04.09.2014

    Don't change your password. It's strange advice to hear when the so-called Heartbleed bug is leaving databases all over the web open and exposed, but it's applicable. Yes, security has been compromised for many of your favorite websites and services (including Google, Flickr and Steam, at least initially) but protecting yourself isn't quite as easy as changing your password. Unlike past exploits, Heartbleed isn't a database leak or a list of plaintext logins; it's a flaw in one of the web's most prevalent security protocols -- and until it's fixed, updating your login information won't do a darn thing to protect you. What, then, can you do to protect yourself? Wait, watch and verify.

  • Internet security key flaw exposes a whole load of private data

    by 
    Jon Fingas
    04.08.2014

    Most internet security holes, even the bigger ones, tend to be fairly limited in scope -- there are only so many people using the wrong software or visiting the wrong sites. Unfortunately, that's not true of the newly revealed Heartbleed Bug. The flaw, which affects some older versions of common internet encryption software, lets attackers grab both a site's secure content and the encryption keys that protect that content. As such, a successful intruder could both obtain your private information from a given site and impersonate that site until its operators catch on. Since the vulnerable code is both popular and has been in the wild for as long as two years, there's a real possibility that some of your online data is at risk.

  • Apple ID accounts reportedly vulnerable to password reset hack, forgot password page taken offline for maintenance (update 2: back)

    by 
    Terrence O'Brien
    03.22.2013

    Gaping security holes are a pretty terrifying thing, especially when they involve something as sensitive as your Apple ID. Sadly, it seems that immediately after making the paranoid happy by instituting two-step authentication, a pretty massive flaw in Cupertino's system was discovered and first reported by The Verge. Turns out you can reset any Apple ID password with nothing more than a person's email address and date of birth -- two pieces of information that are pretty easy to come across. There's a little more to the hack, but it's simple enough that even your non-tech savvy aunt or uncle could do it. After entering the target email address in the password reset form you can then select to answer security questions to validate your identity. The first task will be to enter a date of birth. If you enter that correctly then paste a particular URL into the address bar (which we will not be publishing for obvious reasons), press enter, then -- voilà -- instant password reset! Or, at least that's the story. While we were attempting to verify these claims Apple took down the password reset page for "maintenance." Though we've received no official confirmation from Apple, it seems the company is moving swiftly to shut down this particularly troublesome workaround before word of it spreads too far. Update: We've heard back from Apple on the matter, which stated, "Apple takes customer privacy very seriously. We are aware of this issue, and working on a fix." No real surprises that a fix is in the works, but there you have it from the horse's mouth. Update 2: The forgotten password page is back as of late Friday evening -- that was (relatively) quick. iMore reports (and we've verified ourselves) that the security hole is now closed.

  • Galaxy Note II info ticker, pop-up browser and ICE menu combo reveal another lock screen flaw (video)

    by 
    Jamie Rigg
    03.12.2013

    The emergency contacts (ICE) menu is proving to be a Pandora's Box of lock screen vulnerabilities on several Samsung Galaxy handsets. Users are finding ways to exploit this weak point and the latest flaw that's come to our attention employs the pop-up browser on the Note II as an accomplice. It requires the information ticker to be active (found in lock screen settings) so news bites and such are displayed on the screen you encounter when waking the device. Touch upon something to find out more and you're sent to the lock screen; from there, head to the ICE menu to find a pop-up browser window containing the item you chose in the ticker. Within that window, anyone can access the handset's clipboard or point the browser to sites holding personal data. Sure, it isn't as bad as the bug that completely disables the lock screen -- identified on the Galaxy S III, but also found to work on the Note II -- but is just another reason to hope the mythical box is almost empty and at the bottom lies a fix.

  • Galaxy S III bug disables lock screen, grants full access, tests patience (updated)

    by 
    Jamie Rigg
    03.06.2013

    Lock screens are around for a reason: to keep people from getting where they shouldn't. They aren't always infallible, though, and a few weeks ago, we saw a vulnerability in several builds of iOS 6 that granted access to the phone module without a passcode. Then, a couple of days ago, we reported on a Galaxy Note II bug that allows the quick-fingered to launch anything immediately behind the lock screen. Now, a similar flaw has been found on the Galaxy S III that breaks the lock screen altogether, permitting full use of the phone. To replicate the bug, you'll need to tap the "Emergency Call" button on the lock screen, then go into the ICE (emergency contacts) menu. From there, press the home button, followed quickly by the power button, and that's it. If successful, pressing the power button again will bring up the home screen straight away, and what's more, the lock screen won't return until the handset is restarted. Sounds worryingly simple, right? In our experience, not so much. We first tried this method on an S III running Android 4.0.4 ICS, and a Note II for good measure, but to no avail. Then, we had a crack at an S III running 4.1.2 Jelly Bean, and were close to giving up trying to replicate it when voilà, it worked. We hoped to provide you with a video of the bug, but it must be camera shy. Despite literally hundreds of attempts in front of the lens and several more behind it, we've only managed it once -- we found it impossible to nail down the correct timing between the home and power button pushes. Samsung's likely aware of the bug already and when quizzed about the Note II vulnerability, said a fix for lock screen issues on affected "Galaxy devices" was in the works (read: they didn't say the Note II specifically). We've reached out for comment just to be sure, but until a patch is provided, keep your phone concealed from nosey types who read tech sites and have saint-like patience. 
    Update: Samsung has responded, confirming a fix is indeed on its way: "Samsung considers user privacy and the security of user data its top priority. We are aware of this issue and will release a fix at the earliest possibility."

  • iOS lock screen can be bypassed with some button mashing... again (video)

    by 
    Daniel Cooper
    02.14.2013

    It seems that every time Apple introduces a new version of iOS, it creates some new method to get past the software's lock screen. A YouTube tutorial reveals the rather simple combination of button presses and fake emergency calls necessary to give you access to anyone's iDevice -- or more specifically to the iOS phone module, from where you can make calls, view and edit contacts, send email and perform any other linked function. You'll have to be quick-fingered, however, as you have to push the home button rapidly after getting into the iPhone's contact list. You can learn how to do it after the break, but until Cupertino issues an update, we'd suggest keeping your beloved fondlephone close by.