Monthly Archives: September 2013

Serious Javascript flaw in Mailbox iPhone app

Italian researcher Michele Spagnuolo recently revealed a serious vulnerability in the popular Mailbox iPhone app. Mailbox, a tidy iOS email app recently purchased by Dropbox, has a wide-open hole that could allow bad actors to hijack your device. The flaw is present in the latest version of Mailbox (1.6.2) currently available from the App Store, which executes any JavaScript present in the body of an HTML email. By exploiting this vulnerability, an attacker could subject users to account hijacking, spam and phishing simply by getting them to open an HTML email containing embedded JavaScript.
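The Mailbox bug above is a mail client handing an HTML body to a web view with script execution left on. The following is an added example, not code from Mailbox, Dropbox or the researcher: a small Python sanitizer that strips the script vectors an email renderer should never execute (script and other active elements, inline `on*` handlers, and `javascript:`/`vbscript:`/`data:` URLs) before the body is rendered. The sample message and the names `EmailSanitizer` and `sanitize_email_html` are constructed for this example.

```python
import html
from html.parser import HTMLParser

# Elements whose entire content is removed: executable code or externally
# loaded active content has no business in a rendered email body.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "applet"}
# Attributes that carry URLs; their scheme is checked below.
URL_ATTRS = {"href", "src", "action", "formaction", "background"}
# URL schemes that execute code or smuggle markup when dereferenced.
BLOCKED_SCHEMES = ("javascript:", "vbscript:", "data:")


class EmailSanitizer(HTMLParser):
    """Rewrites an HTML email body so that nothing in it can run script."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitised output fragments
        self.removed = []      # audit trail of what was stripped
        self._skip_depth = 0   # > 0 while inside a dropped element

    def _safe_attrs(self, tag, attrs):
        kept = []
        for name, value in attrs:
            lname = name.lower()
            # on* attributes (onload, onerror, onmouseover, ...) are inline handlers.
            if lname.startswith("on"):
                self.removed.append(f"{tag}@{lname}")
                continue
            if lname in URL_ATTRS and value is not None:
                # Collapse whitespace so "java\nscript:" is caught as well.
                scheme_probe = "".join(value.split()).lower()
                if scheme_probe.startswith(BLOCKED_SCHEMES):
                    self.removed.append(f"{tag}@{lname}")
                    continue
            kept.append((lname, value))
        return kept

    def _render(self, tag, attrs, self_closing=False):
        parts = [f"<{tag}"]
        for name, value in self._safe_attrs(tag, attrs):
            if value is None:
                parts.append(f" {name}")
            else:
                parts.append(f' {name}="{html.escape(value, quote=True)}"')
        parts.append(" />" if self_closing else ">")
        return "".join(parts)

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth += 1
            self.removed.append(tag)
            return
        if self._skip_depth == 0:
            self.out.append(self._render(tag, attrs))

    def handle_startendtag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.removed.append(tag)
            return
        if self._skip_depth == 0:
            self.out.append(self._render(tag, attrs, self_closing=True))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth == 0:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        # Text is re-escaped because convert_charrefs decoded entities on input.
        if self._skip_depth == 0:
            self.out.append(html.escape(data, quote=False))

    def handle_comment(self, data):
        # Comments (including IE conditional comments) are dropped outright.
        pass


def sanitize_email_html(raw_html):
    """Return (sanitised_html, list_of_removed_items)."""
    parser = EmailSanitizer()
    parser.feed(raw_html)
    parser.close()
    return "".join(parser.out), parser.removed


# Constructed sample, not a real message: an HTML body carrying the kinds of
# script vectors a mail client must never execute.
SAMPLE_EMAIL = (
    "<html><body>\n"
    "<p>Hi &amp; welcome, <b onmouseover=\"steal()\">friend</b></p>\n"
    "<script>alert(1)</script>\n"
    "<a href=\"javascript:alert(1)\">click</a>\n"
    "<a href=\"https://example.com/invoice\">invoice</a>\n"
    "<img src=\"https://example.com/logo.png\" onerror=\"evil()\">\n"
    "</body></html>"
)

if __name__ == "__main__":
    clean, removed = sanitize_email_html(SAMPLE_EMAIL)
    print(clean)
    print("removed:", removed)
```

An allow-list of known-safe elements is stricter than the deny-list used here and is what a production renderer should use; the example keeps the deny-list so the stripped items are easy to read in the audit trail. Whatever sanitizer is used, the web view should additionally have script execution disabled, so a sanitizer miss is not by itself a compromise.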

Microsoft releases fix for 0-day IE browser bug

A vulnerability in the Microsoft Internet Explorer (IE) browser is leaving thousands of businesses open to targeted attacks. Microsoft group manager of response communications Dustin Childs revealed the threat in a security advisory, confirming that hackers are actively exploiting a weakness in the browser. “Today we released Security Advisory 2887505 regarding an issue that affects IE. There are only reports of a limited number of targeted attacks specifically directed at IE8 and 9, although the issue could potentially affect all supported versions,” Childs said. “This issue could allow remote code execution if an affected system browses to a website containing malicious content directed towards the specific browser type. This would typically occur when an attacker compromises the security of trusted websites regularly frequented, or convinces someone to click on a link in an email or instant message.” Since the disclosure, numerous security vendors have released their own advisories warning of the potential damage an attack targeting the vulnerability could do, noting that the vulnerability could be used by hackers for a variety of purposes.

Self-healing BIOS for HP Systems

HP has released self-healing startup software that can repair a PC after a malware attack. HP BIOSphere with SureStart technology is a new kind of startup software that runs when a PC is turned on. The BIOS (basic input/output system) runs on every PC and loads before even the operating system. HP has created its own BIOS software because hackers have been able to subvert other BIOS software, getting underneath the OS or gaining root access, to compromise OS security protections. The new HP BIOS lets the PC heal itself by comparing the BIOS attempting to load against an image of the BIOS that is supposed to run on the PC.
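HP's description amounts to a pre-boot integrity check against a protected reference image. The following is an added illustration, not HP's SureStart code and not a description of its internals: a Python model in which the boot region is measured with SHA-256, compared with the digest of a golden copy, and rewritten from that copy when the two differ. `FirmwareStore`, `verify_and_heal`, `tamper` and the sample image are constructed for this example, and the assumption that the golden copy cannot be written by the running OS is stated in the code.

```python
import hashlib
import hmac


def measure(image: bytes) -> str:
    """SHA-256 digest of a firmware image, hex-encoded."""
    return hashlib.sha256(image).hexdigest()


class FirmwareStore:
    """Constructed model of a platform with a bootable BIOS region and a
    protected golden copy.

    Assumption: the golden copy and its digest live in storage the running
    OS cannot write (in a real design a separate controller or write-locked
    flash). A digest kept in the same writable flash as the image could be
    rewritten together with it and would detect nothing."""

    def __init__(self, golden_image: bytes):
        self.golden = bytes(golden_image)        # protected reference copy
        self.golden_digest = measure(self.golden)
        self.boot = bytearray(golden_image)      # region the CPU boots from
        self.log = []                            # what the checker decided


def verify_and_heal(store: FirmwareStore) -> dict:
    """Pre-boot check: measure the boot region and restore it on mismatch."""
    measured = measure(store.boot)
    if hmac.compare_digest(measured, store.golden_digest):
        store.log.append("boot image verified")
        return {"status": "ok", "restored": False, "measured": measured}

    store.log.append(f"boot image mismatch: {measured[:16]}... != golden")
    store.boot[:] = store.golden             # self-heal: rewrite from golden copy
    healed = hmac.compare_digest(measure(store.boot), store.golden_digest)
    store.log.append("boot image restored" if healed else "restore FAILED, halt boot")
    return {
        "status": "restored" if healed else "halt",
        "restored": healed,
        "measured": measured,
    }


def tamper(store: FirmwareStore, offset: int, payload: bytes) -> None:
    """Simulate corruption of the boot flash (malware or a failed update)."""
    store.boot[offset:offset + len(payload)] = payload


# Constructed 4 KiB stand-in for a BIOS image; any bytes will do for the model.
GOLDEN_BIOS = bytes(range(256)) * 16

if __name__ == "__main__":
    store = FirmwareStore(GOLDEN_BIOS)
    print(verify_and_heal(store)["status"])       # ok
    tamper(store, 0x100, b"\xff" * 8)
    print(verify_and_heal(store)["status"])       # restored
    print(bytes(store.boot) == GOLDEN_BIOS)       # True
    for line in store.log:
        print(line)
```

The comparison only detects that the boot image differs from the reference; it cannot tell a legitimate firmware update from an attack, so the golden copy must itself be refreshed only through an authenticated update path (for example a vendor-signed image verified before the copy is replaced).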

Adobe patches Flash Player, Shockwave Player & Reader

Adobe released security updates for Flash Player, Adobe Reader and Shockwave Player on Tuesday to address critical vulnerabilities that could allow attackers to take control of systems running vulnerable versions of those programs. The Flash Player updates address four memory corruption vulnerabilities that can lead to arbitrary code execution. The updated versions are 11.8.800.168 for Windows and Mac OS X; 11.2.202.310 for Linux; 11.1.115.81 for Android 4.x; and 11.1.111.73 for Android 3.x and 2.x. The same Flash Player vulnerabilities were patched in Adobe AIR, a runtime for rich Internet applications that also bundles Flash Player. Adobe released version 3.8.0.1430 of AIR and the AIR SDK (software development kit) for Windows, Mac OS X and Android.

Microsoft issues 13 bulletins in September’s Patch Tuesday

Microsoft has dispatched 13 patches for 47 bugs in its Windows, Office, Internet Explorer and SharePoint Server products. The Patch Tuesday release includes four critical patches, or Microsoft “bulletins,” with the bug of utmost concern being a privately reported vulnerability in Microsoft Outlook. The bug could allow a remote attacker to execute code if a user merely previews a malicious email message in Outlook or opens it, a Tuesday bulletin summary said. On Tuesday, Dustin Childs, group manager of response communications for the Microsoft Trustworthy Computing team, wrote in a blog post that the patch for Outlook was the “first bulletin that caught [his] attention.”

Windows 8 Picture Passwords Crackable

The “picture passwords” used on Windows 8 machines are more vulnerable than Microsoft hoped, a research team claims. An analysis of more than 10,000 picture passwords found that a significant percentage could be cracked, due to the predictable “points of interest” that users chose. The “gesture” passwords allow users to pick points in an image instead of using a text-based password. People tend to choose faces, colourful points and eyeglasses, so it is often possible to “guess” such passwords, the team from Arizona State University and Delaware State University said. The team developed algorithms which could crack picture passwords with a high success rate. In a paper presented at the Usenix Conference, “On the Security of Picture Gesture Authentication,” the researchers, computer science doctoral student Ziming Zhao and computer science master’s degree student Jeong-Jin Seo, along with Hongxin Hu, now an assistant professor at Delaware State University, found that people’s choice of “gesture” password tended to follow patterns.

Heartbeat Is Now Your Password

Our heartbeats could be used instead of traditional passwords to unlock smartphones, tablets and cars, using a new device being developed by Canadian company Bionym. Passwords scrawled on a scrap of paper are easily lost, jumbled letters and numbers are quickly forgotten and, with “password” still the most popular password, it is no wonder that identity theft has become a million-dollar enterprise. But now security experts may have hit upon a type of identification that cannot be lost, forgotten or stolen: your heart. With usernames and passwords fast becoming unreliable, companies are now turning towards our internal features as an authentication alternative. One of the new developments in this line of research is the Nymi wristband being developed by Canadian firm Bionym. The hi-tech gadget monitors the unique pattern of the wearer’s heartbeat, which can be used to wirelessly unlock smartphones, tablets, gaming consoles and cars. It may even be used to pay for shopping, or act as a replacement for your credit card PIN.