Tag: google
-
Google relaxes disclosure policy following criticism
Grace period added for vulnerabilities that are about to be patched. Last year, Google announced a new disclosure policy, where details of a vulnerability discovered by the company’s researchers would be published within 90 days of the affected vendor being notified, regardless of whether or not a patch had been released. If the vulnerability were…
-
Microsoft no longer publishes advance notifications for its Patch Tuesdays
Company unhappy with Google going full disclosure on privilege escalation vulnerability. Tomorrow is the second Tuesday of the month and, as most people reading this blog will know, this means Microsoft will release security updates for its software products. But this “Patch Tuesday” will be slightly different from previous ones, as the company has stopped…
-
POODLE attack forces the Internet to move away from SSL 3.0
Users and administrators urged to stop supporting the protocol, or at least to prevent downgrade attacks. After Heartbleed and Shellshock, or the SSL/TLS attacks CRIME and BEAST, ‘POODLE’ does sound rather cute. Yet the vulnerability in version 3.0 of the SSL protocol that was disclosed by Google researchers yesterday is fairly serious and shouldn’t be…
-
Google’s Project Zero to hunt for zero-days
Bugs to be reported to the vendor only, and to become public once patched. Google has created a new team, called Project Zero, whose task is to find vulnerabilities in any kind of widely used software and to report them to the respective vendor. Few subjects in security are as controversial as the disclosure of…
-
OpenSSL vulnerability lets attackers quietly steal servers’ private keys
Security firm advises regenerating keys and replacing certificates on vulnerable servers. A very serious vulnerability in OpenSSL has caused panic among network administrators: CVE-2014-0160 allows an attacker to read the memory of a vulnerable server and thus obtain private encryption keys, passwords and other kinds of sensitive information. OpenSSL is a widely used open-source implementation…
-
VirusTotal support integrated into new version of Process Explorer
Sysadmins can check hashes of processes against file-checking service database. Microsoft and Google are known for their fierce competition, but when it comes to security, the tech giants are eager to put that aside. Hence as of this week, Google’s VirusTotal has been integrated into Microsoft’s Process Explorer. The planned integration was…
-
Weak cryptography keys allow others to add valid DKIM signatures to fake emails
512-bit key cracked within 72 hours. A Florida-based mathematician has caused a stir in the email community by adding a valid DKIM signature for google.com to an email after cracking the company’s private signing-key. When the first SMTP standard was published just over three decades ago, email spam barely existed. The email landscape has changed…
-
Spammers using Google open redirect
Vulnerability ‘not worthy of bug bounty program’. Researchers at Solera Labs have discovered spammers using an open redirect at Google to hide the final destination of their link from both users and filters. Open redirects on a domain allow for the creation of redirects to arbitrary third-party sites. They are usually enabled by a site’s…
-
Google AdWords phishing campaign spreads
Users urged to log in because of ‘issues’. A new phishing campaign that targets users of Google AdWords looks worryingly real, GFI reports. The phish begins with an email claiming the recipient’s Google ads have stopped running because of ‘a number of issues’. A link in the email can be clicked for more information, which sends…