Thank you for being a valued part of the CNET community. As of December 1, 2020, the forums are in read-only format. In early 2021, CNET Forums will no longer be available. We are grateful for the participation and advice you have provided to one another over the years.

Thanks,

CNET Support

Alert

NEWS - October 01, 2015

Oct 1, 2015 4:18PM PDT
Nerves rattled by highly suspicious Windows Update delivered worldwide [Updated]

"Strange payload raised concerns that Windows Update has been hacked."

Microsoft said a highly suspicious Windows update that was delivered to customers around the world was the result of a test that wasn't correctly implemented.

"We incorrectly published a test update and are in the process of removing it," a Microsoft spokesperson wrote in an e-mail to Ars. The message included no other information.

The explanation came more than 12 hours after people around the world began receiving the software bulletin through the official Windows Update, raising widespread speculation that Microsoft's automatic patching mechanism was broken or, worse, had been compromised to attack end users. Fortunately, now that Microsoft has finally weighed in, that worst-case scenario can be ruled out. What follows is the remainder of this post as it appeared before the company issued its explanation.

Continued : http://arstechnica.com/security/2015/09/nerves-rattled-by-highly-suspicious-windows-update-delivered-worldwide/

Related:
Suspicious Windows 7 Update Actually an Accidental Microsoft ‘Test’ Update
Weird garbled Windows 7 update baffles world – now Microsoft reveals the truth
Don't panic: Microsoft mistakenly posted a 'test' Windows update patch

Discussion is locked

- Collapse -
Stagefright is back, affecting millions of Android devices
Oct 1, 2015 4:22PM PDT

If you though the bluster of the first Stagefright vulnerability had blown over, think again.

A set of two new vulnerabilities, dubbed Stagefright 2.0, could allow an attacker to exploit a weakness in how Android processes audio (MP3) and video (MP4) files, which can be used to install malware.

The scope of the flaw isn't thought as wide as the first Stagefright vulnerability. The second flaw affects devices mostly running Android 5.0 "Lollipop" and later. The researchers said in a blog post that some Android phones running an older components may also "be impacted."

Continued : http://www.zdnet.com/article/new-stagefright-2-0-flaws-affect-millions-of-android-devices/

Related:
Stagefright 2.0 Vulnerabilities Affect 1 Billion Android Devices
Stagefright 2.0: A billion Android devices could be compromised
A billion Android phones are vulnerable to new Stagefright bugs

- Collapse -
Apple Patches 100+ Vulnerabilities in OS X, Safari, iOS
Oct 1, 2015 4:23PM PDT
UPDATE - Apple pushed out its latest operating system, El Capitan, yesterday, and while it boasts many security fixes, the update fails to address the outstanding vulnerability in Gatekeeper that came to light this week.

The issue with Gatekeeper, as described yesterday by Patrick Wardle, the director of research at Synack, fails to verify whether an app runs or loads other apps or dynamic libraries from the same or relative directory. Apple is reportedly working on a short term mitigation for the simple, but effective bypass that Wardle cooked up and presented at Virus Bulletin today in Prague.

Continued: https://threatpost.com/apple-patches-100-vulnerabilities-in-os-x-safari-ios/114876/

Related: Apple releases OS X El Capitan, patches passcode loophole in iOS
- Collapse -
Scammers use Google AdWords, fake Windows BSOD to steal ..
Oct 1, 2015 4:45PM PDT
... money from users

Faced with the infamous Windows Blue Screen of Death (BSOD), many unexperienced computer users' first reaction is panic. If that screen contains a toll free number ostensibly manned by Microsoft technicians who are there to help users overcome this problem, many are probably tempted to pick up the phone.

It is this reaction that cyber crooks are counting on. But how to make this fake screen appear on the user's computer?

According to Malwarebytes' researcher Jerome Segura, the latest scheme of this kind was detected only days ago. The crooks have been using Google's AdWords to make links to malicious pages appear at the top of the Google Search page when user searched for "youtube".

Continued: http://www.net-security.org/secworld.php?id=18913
- Collapse -
Highly personal data for 15 million T-Mobile applicants ..
Oct 1, 2015 5:07PM PDT
.. stolen by hackers

"Breach involves T-Mobile database maintained by credit-reporting service Experian."

Hackers broke into a server and made off with names, driver license numbers, and other personal information belonging to more than 15 million US consumers who applied for cellular service from T-Mobile.

The breach was the result of an attack on a database maintained by credit-reporting service Experian, which was contracted to process credit applications for T-Mobile customers, T-Mobile CEO John Legere said in a statement posted online. The investigation into the hack has yet to be completed, but so far the compromise is known to affect people who applied for T-Mobile service from September 1, 2013 through September 16 of this year. It's at least the third data breach to affect Experian disclosed since March 2013.

Continued: http://arstechnica.com/security/2015/10/highly-personal-data-for-15-million-t-mobile-applicants-stolen-by-hackers/

Related: Hackers Steal 15M T-Mobile Customers’ Data From Experian
- Collapse -
Car Hack Technique Uses Dealerships to Spread Malware
Oct 1, 2015 5:07PM PDT

Over the last summer, the security research community has proven like never before that cars are vulnerable to hackers—via cellular Internet connections, intercepted smartphone signals, and even insurance dongles plugged into dashboards. Now an automotive security researcher is calling attention to yet another potential inroad to a car’s sensitive digital guts: the auto dealerships that sell and maintain those systems.

At the Derbycon hacker conference in Louisville, Kentucky last week, security consultant Craig Smith presented a tool designed to find security vulnerabilities in equipment that’s used by mechanics and dealerships to update car software and run vehicle diagnostics, and sold by companies like Snap-On and Bosch. Smith’s invention, built with around $20 of hardware and free software that he’s released on GitHub, is designed to seek out—and hopefully help fix—bugs in those dealership tools that could transform them into a devious method of hacking thousands of vehicles.

Continued: http://www.wired.com/2015/10/car-hacking-tool-turns-repair-shops-malware-brothels/