• CNET
  • All exploits posts

exploits

Deadly exploit briefly massacres World of Warcraft

Imagine your virtual character relaxing in the confines of the massive World of Warcraft city Orgrimmar, when suddenly, zero health points. Upon spinning the mouse cursor around, everything around you also simultaneously perishes. Not long after the death, countless skeletons of fallen players stack up upon the city streets.

While this sounds like a bad dream that might strike someone who plays World of Warcraft too much, the deadly scenario played out yesterday across many WoW servers around the world. Entire Horde and Alliance megacities -- including Stormwind -- suddenly became graveyards for thousands afflicted by an in-game exploit carried out by malicious players. … Read more

ExploitShield appears to live up to its name

A new company called ZeroVulnerabilityLabs says that it has solved the Gordian knot of exploits, slicing through the complicated, Hydra-headed problem with a single stroke from a software weapon it calls ExploitShield.

Available exclusively today from Download.com, the first ExploitShield Browser Edition beta (download) appears to stop all manner of exploits, from those affecting browsers directly to browser plug-ins like PDF readers, Flash, and Java, to Microsoft Office components, to a handful of media players. The potential for raising the level of computer security here is huge, as a vast number of threats are actually mutations of malware, sold in kits like BlackHole, … Read more

New Internet Explorer weakness already exploited in attacks

A previously unknown security hole in Internet Explorer 7, 8 and 9 is being actively exploited to deliver a back door trojan known as "Poison Ivy," researchers warned.

Security blogger Eric Romang, who uncovered the vulnerability this weekend, wrote on his blog yesterday:

I can confirm, the zero-day season is really not over yet. Less than three weeks after the discovery of the Java SE 7 0day, aka CVE-2012-4681, potentially used by the Nitro gang in targeted attacks, a potential Microsoft Internet Explorer 7 and 8 zero-day is actually exploited in the wild. Romang found an attack that … Read more

A conversation with the first PlayStation Vita hacker

Those hoping to see a PlayStation Vita hack could have their wishes answered in a few months. Some anonymous programmers announced they discovered an exploit allowing them application-level (userland) access into the Sony gaming device.

Before you get all excited about the idea of illegally downloading full PS Vita games, you should know that this purported hack can't grant such abilities. However, if the group of developers creates a loader, the hack could open the door for homebrew, and more importantly, emulation. Which means that one day the Vita could play Super Nintendo, Nintendo 64, Nintendo DS, Sega, and many other games, similar to a hacked PSP. … Read more

New vulnerabilities found in latest Java update

Only hours after Oracle released its latest Java 7 update to address active exploits, security researchers found yet another vulnerability that can be exploited to run arbitrary code on systems that have the runtime installed.

Oracle's latest release of its Java 7 runtime has come under scrutiny in the past few weeks after it was found being actively exploited in malware attacks that target Windows systems. While so far the vulnerability has only been found being used against Windows, other platforms such as the Mac OS could potentially be targeted through the same exploit.

In response to these findings, … Read more

Microsoft implements BlueHat prize tech

LAS VEGAS -- A year ago this week, Microsoft announced a startup-style contest with serious reward money called BlueHat to get security researchers to apply their expertise to innovative defenses. Today, the company revealed that the efforts of one of the three BlueHat finalists would be incorporated into its Enhanced Mitigation Experience Toolkit tool.

Mike Reavey, the senior director of Microsoft's Security Response Center, explained that the BlueHat contest process was a big win for Microsoft. "In less than a year, we were able to solicit for ideas, receive them, implement them, and get them to customers," … Read more

App Store hacker says the 'game is over'

The creator of an exploit that let users purchase digital goods inside of iOS apps without actually paying for them said today that Apple's fix puts the hack out of business.

"Currently we have no way to bypass [the] updated APIs," creator Alexei Borodin wrote in a post on his development blog. "It's a good news for everyone, we have updated security in iOS, developers have their air-money."

Borodin says that the exploit, which requires the use of third-party servers and specially-installed security certificates, will continue to be up and running until Apple releases … Read more

In-app purchase hacker sets sights on Mac App Store

The exploit that allowed users to purchase digital goods inside iOS apps without actually paying has jumped platforms and now works on Apple's Mac platform.

The Next Web notes that programmer Alexei Borodin, who created the iOS in-app purchase exploit, now has a similar solution for apps purchased in Apple's Mac App Store. Like the exploit for iOS, this too requires that users install special security certificates on their machines, though it also requires the installation of an extra helper program.

Earlier today Apple said it had a fix coming in the next version of iOS, due out … Read more

Apple fights back at in-app freebie exploit

Apple is not too pleased with Russian hacker Alexey V. Borodin, and a hack he developed that allows iDevice owners to install in-app goods without paying for them.

According to The Next Web, Apple over the weekend blocked the IP addresses of the server Borodin used to facilitate the hack. In addition, the company issued a takedown request to his server's hosting provider. Apple even requested that the video Borodin posted showing his technique in action be removed from YouTube due to a copyright violation.

Borodin last week surfaced with an exploit that re-routes in-app purchase requests away from Apple or a developer's secured serverRead more

New iOS hack yields in-app freebies

A new exploit aimed at iOS devices enables users to gain free access to paid content within applications, thereby circumventing built-in security measures.

The hack, which was detailed by a Russian programmer and picked up by 9to5mac this morning (via i-ekb.ru), uses a proxy system to send purchase requests to third-party servers where they are validated and sent back to the application as if the transaction had gone through. However before that happens, users need to install special security certificates on their device, as well as be on a Wi-Fi network.

The individual behind the effort has already created … Read more