Over 86 percent of all Android devices remain vulnerable
The flagrant fragmentation that has come to be associated with Android is once again in focus, with IBM Security researchers shedding light on a major vulnerability (CVE-2014-3100) affecting the all-important Android KeyStore service, which is used for storing cryptographic keys and other sensitive credentials. Although the vulnerability has been fixed in the latest version of the operating system (Android KitKat 4.4), the problem is that the vast majority of Android users don’t have the latest version.
Russian security firm Group-IB claims to have uncovered a critical Adobe Reader vulnerability that is currently being exploited in the wild by attackers in order to circumvent the ubiquitous PDF viewer’s sandbox, a security feature Adobe first introduced as part of Reader X nearly two years ago. Even though this zero-day vulnerability is said to have a few “limitations”, they don’t seem to be crippling enough to stop it from being sold on the black market for anywhere between $30,000 and $50,000.
Microsoft will deliver six security bulletins on April 10, 2012 as part of its monthly security update, the Redmond-based company said in an advance notification Thursday. The six security bulletins will, between them, address 11 vulnerabilities in Windows, Office, Internet Explorer, SQL Server, .NET Framework and Forefront Unified Access Gateway. Hit the jump for more.
While it's not unusual for companies to promise a variety of things “in time for the holidays,” a patch for a zero-day bug being exploited in the wild is usually not one of them. But that’s something you can look forward to if you have Adobe Reader and/or Acrobat 9.x for Windows. In a security advisory issued on Tuesday, Adobe warned of a “critical” vulnerability in Adobe Reader and Acrobat that is being exploited in the wild. Hit the jump for more.
Yesterday was no ordinary Tuesday. It was Microsoft’s eleventh Patch Tuesday of 2011. In keeping with Microsoft’s practice of releasing a lower volume of patches during odd-numbered months as compared to even ones, this month’s Patch Tuesday only contains four security bulletins, which is half of what the company shipped in October.
A computer science student at Stanford University has discovered a hole in Adobe Flash that could be used by an attacker to furtively enable the victim’s camera and microphone. The vulnerability is not in Flash itself, but the Adobe Flash Settings Manager page. More details about the vulnerability can be found after the jump.
Outdated browser plugins pose a considerable security threat. According to a report published earlier this year by security and compliance management company Qualys, 80 percent of all browser vulnerabilities stem from outdated plugins. The company behind the browser security analysis tool BrowserCheck, Qualys has just ranked different browser plugins based on their affinity for remaining outdated.
Adobe kicked off the week with a security advisory warning users of its Flash Player about a zero-day bug that is reportedly “being exploited in the wild in targeted attacks via a Flash (.swf) file embedded in a Microsoft Excel (.xls) file delivered as an email attachment.” The vulnerability has also been confirmed to affect the auth.dll component that accompanies certain versions of Reader and Acrobat X, but the company has yet to come across any exploits targeting them.
Hit the jump to find out more about the vulnerability, including when exactly Adobe hopes to have it patched.
A security researcher, known only by his nom de guerre “Cupidon-3005,” disclosed a new zero-day bug in Windows Server Message Block (SMB) on Monday. Opting for full disclosure, the security researcher posted exploit code for the vulnerability that, according to Secunia, can be exploited “to cause a DoS (Denial of Service) or potentially compromise a vulnerable system.” Hit the jump for Microsoft’s statement acknowledging the flaw.
Santa Clara, we have a problem. That's the message Intel engineers had to deliver to company execs after discovering a "design issue" in the company's 6-Series chipsets. The issue is severe enough that Intel decided to halt shipments while it implements a fix.
"In some cases, the Serial-ATA (SATA) ports within the chipsets may degrade over time, potentially impacting the performance or functionality of SATA-linked devices such as hard disk drives and DVD drives," Intel said in a statement. "The chipset is utilized in PCs with Intel's latest Second Generation Intel Core processors, code-named Sandy Bridge. Intel has stopped shipment of the affected support chip from its factories."
Intel said it has already corrected the issue and has started making a new version of the support chip that doesn't have the design flaw. In addition, the Santa Clara chip maker says Sandy Bridge processors and other related products are unaffected.