vulnerability

There is a rather serious vulnerability in Java version 1.6.0_26 that is apparently being actively pursued by hackers, one that is easy to implement and allows hackers to compromise systems without being detected.

The exploit was found a couple of months ago and was addressed in the latest round of Java updates both from Oracle and from Apple for OS X users; however, many people have not yet updated their systems and hackers are working to take advantage of this flaw on these systems.

The vulnerability allows a maliciously crafted Java applet to run undetected on many browsers … Read more

Recently the researchers at CoreLabs have uncovered a vulnerability in the OS X networking sandbox routines that allows a sandboxed program to bypass some of the restrictions imposed on it by the OS.

Sandboxing is supposed to limit a program's access to hardware (cameras, networking, and microphones) as well as software services in the system (address book, calendars, and directory services), but in this case the CoreLabs researchers have found that a program with limited networking access can use the technology behind AppleScript called "Apple Events" to gain access to network resources.

What this means is in … Read more

Microsoft issued a temporary fix this evening for a previously unknown critical Windows vulnerability being exploited by the Duqu Trojan to infect systems.

The software giant said in an advisory issued late tonight that a flaw in the Win32k TrueType font-parsing engine affected every version of Windows from XP through Windows 7. The vulnerability is related to the spread of the Duqu malware, a Stuxnet-like Trojan infecting computers via a Word document.

"An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode," the advisory warned. "The attacker could then install programs; view, change, … Read more

The next iPhone will be unveiled tomorrow, Facebook partners with Websense to check for malicious links, and a major security vulnerability in HTC Android phones reveals a huge amount of personal data.

Links from Monday's episode of Loaded:

A new security hole found in Skype for iOS could allow a hacker to access your entire address book, according to a blog post from security firm SuperEVR.

According to the post, "[a] Cross-Site Scripting vulnerability exists in the 'Chat Message' window in Skype 3.0.1 and earlier versions for iPhone and iPod Touch devices." So, what does this mean? Basically it means that when Skype users view a message, a hacker could have a JavaScript code that runs a check on a locally stored HTML file that is currently not encoded properly, revealing the user's … Read more

Apparently a major security hole has been found in OS X Lion systems that are set up to accept authentication through LDAP servers, where users may be allowed to log in to the system without providing a password. For networked systems that uses LDAP-based authentication for managing users and restricting network resources, this may be a fairly severe security risk.

Lightweight Directory Access Protocol (LDAP) is a technology that handles access to directory services on a network, with one of its uses being to deploy network user accounts to PCs on a network. The technology is extensively deployed by IT … Read more

Microsoft has rolled out a new update for Internet Explorer 9 that fixes a host of different security holes.

Launched yesterday on Microsoft's familiar "Patch Tuesday," the August 2011 Cumulative Security Update for Internet Explorer is a critical one that resolves issues not just in IE9 but in versions 6, 7, and 8 as well, according to a Microsoft blog. The update is available through Windows Update, so IE users who have Windows automatic updates turned on should have already received it.

The patch takes care of five holes in IE that were disclosed in coordination with … Read more

LAS VEGAS--Researchers at the Black Hat security conference here showed today how they could disrupt and snoop on home automation networks in residences and offices using devices connected to Ethernet networks that communicate via public power lines.

Dave Kennedy and Rob Simon have created a device that can be plugged in to a power outlet outside a target building or a nearby building and programmed to interfere with the home Ethernet network inside. The X10 Black Out device can be programmed to jam the signals that turn lights on and off and open doors, as well as disable security systems, … Read more

A security researcher in Italy has discovered a flaw in Internet Explorer that he says could enable hackers to steal cookies from a PC and then log onto password-protected Web sites.

Referring to the exploit as "cookiejacking," Rosario Valotta claims that a zero-day vulnerability found in every version of Microsoft's IE under any version of Windows allows an attacker to hijack any cookie for any Web site.

Demonstrating his findings at security conferences this month in Switzerland and Amsterdam, Valotta acknowledges that to exploit the hole, the hacker must employ a bit of social engineering because the … Read more