Even files on external storage devices are not safe
Barely a fortnight into the year and we have already got ourselves a strong contender (if not a shoo-in) for the year’s scariest Steam bug. The good news is that the vast majority of Steam users don’t have anything to worry about as the bug in question, which was reported by a user named “keyvin” on Valve’s GitHub repository, only affects the Steam for Linux client.
Opt for full disclosure in bid to goad manufacturers into taking flaw seriously
At this year’s Black Hat Conference, Security Research Labs researchers Karsten Nohl and Jakob Lell warned of a serious flaw in USB devices that they dubbed “BadUSB.” The flaw, which can be used to reprogram otherwise harmless USB devices to wreak havoc by impersonating other USB devices (say a keyboard or a network card), remains unfixed to this day, fully living up to both its name and reputation in the two months since it first came to light. Meanwhile, two other researchers, Adam Caudill and Brandon Wilson, who recently managed to reverse engineer the same firmware as the SR Labs folks, have published the attack code online.
Over 86 percent of all Android devices remain vulnerable
The flagrant fragmentation that has come to be associated with Android is once again in focus, with IBM Security researchers shedding light on a major vulnerability (CVE-2014-3100) affecting the all-important Android KeyStore service, which is used for storing cryptographic keys and other sensitive credentials. Although this vulnerability has been fixed in the latest version of the operating system (Android KitKat 4.4), the problem is that the vast majority of Android users don’t have the latest version.
Russian security firm Group-IB claims to have uncovered a critical Adobe Reader vulnerability that is currently being exploited in the wild by attackers in order to circumvent the ubiquitous PDF viewer’s sandbox, a security feature Adobe first introduced as part of Reader X nearly two years ago. Even though this zero-day vulnerability is said to have a few “limitations”, they don’t seem to be crippling enough to stop it from being sold on the black market for anywhere between $30,000 and $50,000.
Microsoft will deliver six security bulletins on April 10, 2012 as part of its monthly security update, the Redmond-based company said in an advance notification Thursday. The six security bulletins will, between them, address 11 vulnerabilities in Windows, Office, Internet Explorer, SQL Server, .NET Framework and Forefront Unified Access Gateway. Hit the jump for more.
While it's not unusual for companies to promise a variety of things “in time for the holidays,” a patch for a zero-day bug being exploited in the wild is usually not one of them. But that’s something you can look forward to if you have Adobe Reader and/or Acrobat 9.x for Windows. In a security advisory issued on Tuesday, Adobe warned of a “critical” vulnerability in Adobe Reader and Acrobat that is being exploited in the wild. Hit the jump for more.
Yesterday was no ordinary Tuesday. It was Microsoft’s eleventh Patch Tuesday of 2011. In keeping with Microsoft’s practice of releasing a lower volume of patches during odd-numbered months as compared to even ones, this month’s Patch Tuesday only contains four security bulletins, which is half of what the company shipped in October.
A computer science student at Stanford University has discovered a hole in Adobe Flash that could be used by an attacker to furtively enable the victim’s camera and microphone. The vulnerability is not in Flash itself, but the Adobe Flash Settings Manager page. More details about the vulnerability can be found after the jump.
Outdated browser plugins pose a considerable security threat. According to a report published earlier this year by security and compliance management company Qualys, 80 percent of all browser vulnerabilities stem from outdated plugins. The company behind the browser security analysis tool BrowserCheck, Qualys has just ranked different browser plugins based on their affinity for remaining outdated.
Adobe kicked off the week with a security advisory warning users of its Flash Player about a zero-day bug that is reportedly “being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment.” The vulnerability has also been confirmed to affect the auth.dll component that accompanies certain versions of Reader and Acrobat X, but the company has yet to come across any exploits targeting them.
Hit the jump to find out more about the vulnerability, including when exactly Adobe hopes to have it patched.