Don't expect a patch for WebView in pre-KitKat Android devices
If you own an Android handset running a version of the open source operating system that predates Android 4.3 KitKat, you won't be the recipient of a patch for WebView, a component of Android that developers use to display web content in their apps. WebView is also the backbone of Android's built-in browser in all versions up to KitKat. Nevertheless, Google won't spend time plugging up any security holes for WebView in older Android devices because it's "no longer practical."
Fixes for vulnerabilities in 48 different products
Oracle today rolled out a Critical Patch Update for the month of January 2015, which contains fixes for 167 vulnerabilities found in hundreds of the company's products. The most severe of these received a score of 10.0 on the Common Vulnerability Scoring System (CVSS), the highest score available -- they pertain to Fujitsu M10-1 of Oracle Sun Systems Products Suite, Java SE of Oracle Java SE, M10-4 of Oracle Sun Systems Products Suite, and M10-4S Servers of Oracle Sun Systems Products Suite.
Use a super hard password to guess, not a superhero
Dark Helmet warned viewers way back in 1987 that 1-2-3-4-5 is the kind of combination only an idiot would have on his luggage, yet nearly three decades later, it ranks number three on SplashData's list of the 25 worst passwords of 2014, which takes into account the most commonly used combinations from 3.3 million leaked passwords last year. In 2013, it ranked number 20.
Weeks after Google's Gmail service was blocked in China, Microsoft's Outlook email service was the target of a cyberattack over the weekend, with fingers once again pointing to Chinese authorities. Online censorship watchdog Greatfire.org said that China initiated what's known as a man-in-the-middle (MITM) attack, affecting people using email clients like Outlook, Mozilla's Thunderbird, and smartphone apps using the SMTP and IMAP protocols.
Google and Microsoft have different opinions on public disclosure policies
For the third time in a month, Google has gone ahead and disclosed all the gory details of a zero day vulnerability affecting Windows before Microsoft could get around to releasing a patch. It affects both Windows 7 and Windows 8.1 and has to do with how applications handle memory encryption to allow for data flow back and forth between processes running in the same logon session.
During the holiday break, Google's Project Zero team disclosed a vulnerability in Windows 8.1 after Microsoft failed to issue a patch within the 90-day deadline that Google gives vendors. That sparked a debate on whether or not Google did the right thing, and while many (not all) of our readers sided with Google, Microsoft has some information that warrants asking the question again. Specifically, Microsoft says it was scheduled to patch the vulnerability on Patch Tuesday, two days after Google's deadline, and that Google ignored its request to withhold details until that time.
There's a bit of debate brewing over whether or not Google did the right thing by posting a Windows 8.1 security vulnerability to the public before Microsoft was able to release a patch. The disclosure came from Google's Project Zero program, which hunts down vulnerabilities in software and reports its findings to vendors "in as close to real-time as possible." Vendors are then given a 90-day deadline to issue a patch, and in this case, Microsoft didn't react in time.
Guardians of Peace hacking organization has unfinished business
The hacking organization that took credit for infiltrating Sony Pictures Entertainment and stealing 10TB worth of data has also threatened at least one news media organization, according to an FBI bulletin that's making the rounds in cyberspace. Known as the Guardians of Peace, or GOP, the group of hackers proved a major headache for Sony, and its antics appear to have been motivated by The Interview, a comedy involving an assassination attempt against North Korean leader Kim Jong-un.
As always, be suspicious of links in your Steam chat sessions
Hopefully you're getting to spend a bit of time in Steam over the holiday season, catching up on a treasure trove of games that you picked up on discount through various sales. While you're navigating Steam, however, be advised that there's a piece of malware spreading through Steam chat sessions. Messages on Steam chat saying "WTF?????" seem to link to a JPEG file, but it's really a malicious executable.
The Tor Project put out a warning to its users that there may be an attempt to incapacitate its network through the seizure of specialized servers called directory authorities, which help Tor clients learn the list of relays that make up the Tor network. Project leader Roger Dingledine, or "arma" as he commonly goes by, said steps are now being taken to ensure the safety of its users.