Vulnerabilities and attacks

Apple has finally fixed a security flaw in its application store that for years has allowed attackers to steal passwords and install unwanted or extremely expensive applications.

The flaw arose because Apple neglected to use encryption when an iPhone or other mobile device tries to connect to the App Store, meaning an attacker can hijack the connection. In addition to a security flaw, the unencrypted connections also created a privacy vulnerability because the complete list of applications installed on the device are disclosed over Wi-Fi.

It also allows the installation of apps, including extremely expensive ones that top out at … Read more

Windows users will get the usual round of security patches from Microsoft next Tuesday.

Among the seven fixes due to roll out March 12, four are rated critical, which means they address flaws that could let an attacker execute malware on a remote PC by steering a user to a malicious Web site or e-mail link.

The patch for Internet Explorer is designed to shore up all versions from IE6 to IE10 across all iterations of Windows from XP to Windows 8 and RT. The patch for Microsoft's Silverlight, a browser plug-in that can display online videos and other … Read more

In response to discovering that hackers were actively exploiting two vulnerabilities in Java running in Web browsers, Oracle has released an emergency patch that it says should deal with the problem.

"These vulnerabilities may be remotely exploitable without authentication, i.e., they may be exploited over a network without the need for a username and password," Oracle wrote in a security alert today. "For an exploit to be successful, an unsuspecting user running an affected release in a browser must visit a malicious web page that leverages these vulnerabilities. Successful exploits can impact the availability, integrity, and … Read more

Web security service CloudFlare was offline for about an hour this morning due to a systemwide failure of its edge routers.

The outage, which began around 1:47 a.m. PT, removed the security layer for 785,000 Web sites, including 4chan and Wikileaks, according to TechCrunch. CloudFlare said the outage occurred while it was trying to defend one of its customers from a distributed denial-of-service attack.

The outage affected Juniper routers running the Flowspec protocol, which allows customers to broadcast router rules to a large number of routers efficiently. CloudFlare uses the protocol to update the rules on routers … Read more

Java cannot seem to get a break. Only a few days after patching the last zero-day vulnerability, two more exploits are being found that make use of the runtime. One, as noted by Kaspersky, is a recent exploit of the latest runtime's attempts to install a McRAT executable by overwriting memory in the JVM that will trigger the executable to run.

Once installed, the McRAT malware will attempt to contact command and control servers and copy itself into dll files in Windows systems.

This malware is specifically Windows-based; however, a second one outlined by Intego, is a Minecraft password-stealing … Read more

China has accused the U.S. for most of the cyberattacks launched against its military networks.

In a statement released today, China's Ministry of National Defense said that cyberattacks against its military sites have increased over the past few years. Based on checks of IP addresses, the Defense Ministry claimed an average of 144,000 cyberattacks per month last year, according to Reuters.

And it fingered the U.S. for almost 63 percent of them.

The allegations from Beijing come hot on the heels of a recent report from U.S. security firm Mandiant, linking the Chinese army to cyberattacks … Read more

The idea of governments waging futuristic cyberbattles and online espionage campaigns actually isn't too farfetched. A new study released today by Team Cymru basically says as much.

The study, shared exclusively with The Verge, says that overseas hackers are stealing as much as one terabyte of data per day from governments, businesses, militaries, and academic facilities. Apparently, the hackers are using a network of 500 computer servers.

According to a lengthy article by The Verge, Team Cymru concludes that the hackers are so sophisticated and are running such massive campaigns that they must be state-sponsored. "This is Internet … Read more

A new attack is targeting European governments through flaws exploited in Adobe's Reader software, according to security researchers.

Kaspersky Lab and CrySys Lab today detailed a new malicious program in the wild, called "MiniDuke," that has been attacking government entities and institutions across Europe. Government entities in the Ukraine, Portugal, Romania, and others have been targeted, according to the security researcher.

MiniDuke finds its way to infected computers through PDFs. The malicious hackers -- who Kaspersky believes might have been dormant for some time because of the technique's similarity to those from the late-1990s -- have … Read more

Adobe Systems released an emergency security update today that addresses a trio of vulnerabilities in Flash, two of which the company said were already being exploited by hackers.

Today's surprise update -- the company's third for the browser plug-in this month -- patches holes "that could cause a crash and potentially allow an attacker to take control of the affected system," Adobe said in a security bulletin.

"Adobe is aware of reports that CVE-2013-0643 and CVE-2013-0648 are being exploited in the wild in targeted attacks designed to trick the user into clicking a link which … Read more