Vulnerabilities and attacks

New malware exploiting Java 7 in Windows and Unix systems

A new Trojan horse called Mal/JavaJar-B has been found that exploits a vulnerability in Oracle's Java 7 and affects even the latest version of the runtime (7u10).

The exploit has been described by Sophos as a zero-day attack since it has been found being actively used in malware before developers have had a chance to investigate and patch it. The exploit is currently under review at the National Vulnerability Database and has been given an ID number CVE-2013-0422, where it is still described as relatively unknown:

"Unspecified vulnerability in Oracle Java 7 Update 10 and earlier allows …

Java flaw draws Web attacks, reports say

Security researchers have spotted a new vulnerability in the widely used Java software that could give attackers access to your computer.

The US-CERT group today issued an alert saying that Java 7 Update 10 and earlier versions of the software contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code. The attack can be induced if someone visits a Web site that's been set up with malicious code to take advantage of the hole.

This weak spot is already being attacked "in the wild" -- that is, it's a real-world threat …

Anonymous petitions U.S. to see DDoS attacks as legal protest

It's hard to imagine a group that adheres to anarchic ideology would want its actions legalized under U.S. law. But that is exactly what Anonymous is doing.

The loose-knit group of hackers submitted a petition to President Obama this week asking that distributed denial-of-service attacks be recognized as a legal form of protest.

The petition, which is posted on the White House's "We the People" Web site, claims that DDoS attacks are not illegal hacking but rather a way for people to carry out protests online. Similar to the Occupy movement when protesters pitched tents …

Iran said to be responsible for cyberattacks on U.S. banks

Several U.S. banks were hit with online attacks over the past few months, but it's been unclear who was responsible. Now, government officials and security researchers are saying Iran was waging these cyberattacks, according to a report by the New York Times.

"There is no doubt within the U.S. government that Iran is behind these attacks," James A. Lewis, a former official in the State and Commerce departments and a computer security expert at the Center for Strategic and International Studies in Washington, told the Times.

The attacks were aimed at several major banks, including …

Microsoft's next Patch Tuesday won't resolve IE zero-day flaw

Microsoft's regular Patch Tuesday rolls around next week. But one flaw that won't be fixed in the mix is the latest zero-day exploit in Internet Explorer.

Last Saturday, Microsoft warned about the zero-day flaw in IE 6, 7, and 8 that could allow attackers to gain control of Windows computers to host malicious Web sites. In its advisory, the company noted that IE 9 and 10 are unaffected by the vulnerability and suggested a variety of workarounds to those running the older browser versions.

On Monday, the company issued a temporary fix that prevents the flaw from being …

Software update reportedly fixes Samsung's Exynos security hole

Samsung has issued a software update to address a nasty vulnerability found in a handful of smartphones that allowed attackers access to user data and left the handset vulnerable to malicious apps and bricking.

The vulnerability, which was discovered last month, lies in Exynos 4, the ARM-based system-on-a-chip typically found in Samsung smartphones and tablets. An exploit bypasses the system permissions, allowing any app to extract data from the device's RAM or inject malicious code into the kernel of a Galaxy S3. But other devices using the Exynos 4 were also found to be vulnerable, including select Galaxy S2 …

Fake Turkish site certs create threat of bogus Google sites

Google and Microsoft revealed today that a certificate authority based in Turkey "mistakenly" issued security certificates last month, and that a recipient of one of the e-documents in turn created a bogus certificate that could let it impersonate various Google sites.

According to a blog post by Google engineer Adam Langley, Chrome detected and blocked an unauthorized security certificate for the domain "*.google.com" on December 24. After blocking the certificate, Langley said, Google investigated and determined the certificate came from an intermediate certificate authority that linked back to the Turkish certificate authority TurkTrust.

Fraudulent certificates …

Anonymous: 'Expect us 2013'

The hacking collective Anonymous has clarified that it has no plans to fade away in the New Year. It issued a statement over the weekend that warned the world to "Expect us 2013."

Along with the statement, the group created a video that boasts of its campaigns and exploits carried out in 2012. The video details the group's temporary shutdown of the U.S. Department of Justice, the FBI, Universal Music, and the Motion Picture Association of America's Web sites in protest of the U.S. government's indictment of the operators of popular file-hosting site …

Microsoft issues fix for IE flaw that could allow PC hijack

Microsoft issued a fix today for a zero-day vulnerability in older versions of Internet Explorer that could allow attackers to gain control of Windows-based computers to host malicious Web sites.

The company confirmed Saturday that it was investigating a remote code execution vulnerability in IE 6, IE 7, and IE 8 that could allow an attacker to use the corrupted PC to host a Web site designed to exploit the vulnerability with other users. Versions of the browser after IE 8 are unaffected, Microsoft said.

Microsoft said in an update to that security advisory that it has developed a one-click fix …

IE flaw may allow Windows PCs to be hijacked, Microsoft warns

Microsoft has confirmed that a zero-day vulnerability affecting older versions of Internet Explorer could allow attackers to gain control of Windows-based computers to host malicious Web sites.

The company acknowledged the issue in a security advisory yesterday that included advice on how users can mitigate the threat posed by the flaw.

"Microsoft is aware of targeted attacks that attempt to exploit this vulnerability through Internet Explorer 8," Microsoft said, noting that more recent versions of the Web browser, including IE 9 and IE 10, were unaffected.

The remote code execution vulnerability affects the way the browser accesses memory, …