VB Migration

Tag: vulnerability

  • POODLE is the brown M&Ms of security

    Just because it won’t be exploited, doesn’t mean you shouldn’t patch it. There is a famous story about the rock band Van Halen whose lists of requirements when performing a show included some M&Ms — but “absolutely no brown ones”. The story is true and has little to do with childish rock star behaviour. The…

  • The ghost of Stuxnet past

    Microsoft patches .LNK vulnerability after 2010 patch was found to be incomplete. Mention Stuxnet and you’ll have many a security researcher’s attention. The worm, which was discovered in 2010, used a number of zero-day vulnerabilities to reach its target: air-gapped Windows PCs at the Natanz nuclear plant in Iran. Most prominent among these was CVE-2010-2568…

  • FREAK attack takes HTTPS connections back to 1990s security

    Golden keys from the (first) crypto wars have come back to haunt us. When a web client makes a secure connection to a web server (using HTTPS), it starts by sending a ‘Hello’ message in which it announces which cipher suites it supports. The web server then chooses one, presumably the one that offers the…

  • Paper: Script in a lossy stream

    Dénes Óvári explains how to store code in lossily compressed JPEG data. Malformed PDFs have become a common way to deliver malware. Naturally, when this started to happen, anti-virus products began scanning inside PDF files for traces of malicious code and, equally naturally, malware authors started to obfuscate that code to circumvent scanners. Not everything…

  • Almost 50% increase in reported vulnerabilities as non-Windows operating systems lead the table

    Each discovered vulnerability is actually a good news story. Last week, security firm GFI published some research in which it looked at the number of vulnerabilities reported last year, their severity, and which operating systems they affect. The surprising result is that Apple ‘s OS X and iOS lead the table, followed by the Linux…

  • Google relaxes disclosure policy following criticism

    Grace period added for vulnerabilities that are about to be patched. Last year, Google announced a new disclosure policy, where details of a vulnerability discovered by the company’s researchers would be published within 90 days of the affected vendor being notified, regardless of whether or not a patch had been released. If the vulnerability were…

  • Adobe issues patch for yet another Flash Player zero-day

    CVE-2015-0313 used in the wild as long ago as December. Adobe has just issued an out-of-band patch for its Flash Player to fix a zero-day vulnerability that is actively being exploited in the wild. You may be forgiven for thinking you had already patched this two weeks ago when Flash Player version 16.0.0.287 fixed CVE-2015-0310…

  • Linux systems affected by ‘GHOST’ vulnerability

    Proof-of-concept email gives remote access to Exim mail server. If you administer Linux -based systems, you’d better schedule some time for patching, as a serious buffer overflow vulnerability has been discovered in the glibc library. The vulnerability exists in the gethostbyname() and gethostbyname2() functions, which are used to resolve hostnames – hence any piece of…

  • Microsoft no longer publishes advance notifications for its Patch Tuesdays

    Company unhappy with Google going full disclosure on privilege escalation vulnerability. Tomorrow is the second Tuesday of the month and, as most people reading this blog will know, this means Microsoft will release security updates for its software products. But this “Patch Tuesday” will be slightly different from previous ones, as the company has stopped…

  • CVE-2012-0158 continues to be used in targeted attacks

    30-month old vulnerability still a popular way to infect systems. If all you have to worry about are zero-day vulnerabilities, you have got things pretty well sorted. Although it is true that sometimes zero-days are being used to deliver malware (such as the recent use of CVE-2014-4114 by the SandWorm group), in many cases even…