by Sebastian Anthony on April 1, 2011 at 05:30 AM

Over the last few days, a mass SQL injection attack has been quickly gathering speed. Just three days ago only 28,000 URLs were affected, but at the time of writing, there could be up to 3.8 million infected URLs.
Websense has a complete write-up of the attack, dubbed 'LizaMoon,' but here's the basic gist: it looks like someone is exploiting a vulnerability (or vulnerabilities) in hundreds of ...
by Vlad Bobleanta on March 11, 2011 at 04:30 PM

One day after IE8 and Safari fell prey to eager hackers during Pwn2Own's first day this year, the iPhone 4 and the BlackBerry browser have been exploited as well. The former was pwned by veteran Pwn2Own winner Charlie Miller, who developed an exploit that enabled him to run arbitrary code on the iPhone after visiting a specially-formatted Web page. Once he was 'in' the iPhone, he was able to ...
by Sebastian Anthony on March 10, 2011 at 10:15 AM

Pwn2Own, the annual three-day browser hackathon, has already claimed its first two victims: IE8 on Windows 7 64-bit, and Safari 5 on Mac OS X. Google Chrome looks set to survive for its third year in a row.
Internet Explorer 8 was thoroughly destroyed by independent researcher Stephen Fewer. "He used three vulnerabilities to bypass ASLR and DEP, but also escape Protected Mode. That's ...
by Sebastian Anthony on February 27, 2011 at 10:30 AM

Mike Cardwell, the Stallmanite who recently discovered a fantastically covert way of working out which Web services you're currently logged in to, has found a nasty XSS vulnerability in the LastPass password manager. The cross-site scripting (XSS) vulnerability not only allows nefarious types to see which sites you've recently logged in to, but it also provides access to your email address and ...
by Sebastian Anthony on January 6, 2011 at 06:45 PM

On the upcoming Patch Tuesday, Microsoft will not be issuing a fix for a critical IE8 vulnerability discovered in December. If that wasn't bad enough, a vulnerability in Internet Explorer 8 discovered by a Google security researcher will also go unaddressed.
The second bug was only discovered yesterday, so perhaps Microsoft simply hasn't had a chance to work out a fix yet -- but the first flaw ...
by Lee Mathews on December 23, 2010 at 07:30 AM

Microsoft has posted a new security bulletin which describes a critical flaw in Internet Explorer which -- wait for it -- could allow a remote attacker to execute arbitrary commands on a compromised computer. The flaw affects all supported versions of IE and occurs because of "the creation of uninitialized memory during a CSS function within Internet Explorer."
Vista and Windows 7 users are at ...
by Sebastian Anthony on November 4, 2010 at 09:30 AM

A new vulnerability has been found in all major releases of Internet Explorer -- 6, 7 and 8 -- and a zero-day exploit is already in the wild.
The exploit, HTML_BADEY.A, uses the vulnerability to remotely execute code. When you visit a compromised website, encrypted files are downloaded to your computer and then decrypted to become a Trojan backdoor. Little is known about what happens after that -- ...
by Vlad Bobleanta on October 28, 2010 at 02:45 PM

Adobe has found a new critical zero-day vulnerability in Flash, Reader and Acrobat. This can be exploited to run malicious code on the victims' computers.
Affected are Flash Player 10.1.85.3 and earlier on Windows, Mac, Linux and Solaris; Flash Player 10.1.95.2 and earlier for Android; Adobe Reader 9.4 and earlier 9.x versions for Windows, Mac and Unix-based operating systems; Adobe Acrobat 9.4 ...
by Sebastian Anthony on October 6, 2010 at 07:30 AM

After moving quickly to plug a critical vulnerability last month, Adobe has followed up by patching another 23 holes in both Reader and Acrobat.
These vulnerabilities affect all versions of Adobe Reader and Acrobat for Windows and Mac, so you need to update your software immediately. Users of Acrobat and Reader 9 will have to update to version 9.4, while users of Acrobat 8 should update to ...
by Jay Hathaway on September 15, 2010 at 08:00 PM

A few weeks ago, we told you about an exploit in the Windows version of Apple's QuickTime, based on a line of code from 2001. QuickTime 7.6.8, released Wednesday, finally fixes that vulnerability. The bug allowed the takeover of Windows XP, Vista and Windows 7 machines with Internet Explorer installed.
The news isn't so much that Apple fixed the problem, but that they took longer to do so than ...
by Lee Mathews on September 8, 2010 at 06:50 PM

Anyone else having déjà vu?
Adobe's improved security efforts have been a welcome change, but it sure seems like they're still not doing enough. Of course, it's also possible that things have been footloose and fancy-free for so long that it's going to take a while to sort out. They've promised sandboxing is coming, and that should help.
In the meantime, however, we're going to see more ...
by Lee Mathews on May 9, 2010 at 11:30 AM

Savvy Download Squad readers are already well aware of the fact that antivirus programs don't guarantee security. There's still one exploitable vector no program can do anything about: the end user. Regardless of how good a program is at protecting a system, a careless user can still wind up getting his or her machine infected.
Regardless, it's generally regarded as a bad idea to use a ...
by Lee Mathews on January 22, 2010 at 11:54 AM

Microsoft has already fessed up -- admitting that a vulnerability in Internet Explorer was a key component in the Chinese attacks on companies including Google and Yahoo. Today, a post at Wired revealed some very disappointing news: Microsoft knew about the exploit as far back as September of 2009.
Microsoft's senior security officer Jerry Bryant had this to say: "Our investigation into this ...
by Lee Mathews on January 20, 2010 at 02:24 PM

Recently, Internet Explorer has taken a lot of heat. This time, however, it hasn't been coming from disgruntled web devs or tech-savvy folks like our readers. No, this round of 'ditch IE' requests came from the governments of Germany, France, and Australia.
The result: their citizens ditching IE en masse.
As you can see in the chart, nearly 300,000 Germans have downloaded Firefox in the ...
by John Burke on January 15, 2010 at 05:40 PM

It was bound to happen. In fact, security labs called it. Due to Google's open source platform, malware is starting to sneak its way into applications with the potential to gain access to your personal information - without you knowing it.
According to a report filed by Google to the FCC [PDF], they removed about 1% of applications posted in the marketplace because they were suspected to be ...