Monthly Archives: April 2014

Apple iOS 7.1.1 patches flaws and fingerprints

Apple has released an update for its iOS software for iPad and iPhone devices, which includes improvements to its Touch ID fingerprint scanner and keyboard input, as well as several security updates. The 7.1.1 update is only 18.8MB in size and Apple states in the text accompanying the update that it contains “improvements, bug fixes and security updates.” The most noteworthy fixes are for Apple’s Touch ID fingerprint scanner to improve its recognition capabilities – which will only affect iPhone 5S devices – as well as a bug fix for keyboard responsiveness.

Twitter experiences Tsunami of malicious messages

Twitter, the popular online service that lets you share a message of 140 characters or less with the rest of the world, has been hit by a massive wave of malicious messages. These messages were sent by hundreds of accounts and mention dramatic weight loss while offering a link to a site that suspiciously peddles diet pills. Anyone who gives in to the temptation to click on one of those messages is instead met with a warning, as seen above. It seems that this is the result of hundreds of Twitter accounts being hijacked earlier today in order to create this particular tsunami of malicious messages.

Oracle fixes 104 security holes with April 2014 CPU

Oracle’s April 2014 Critical Patch Update has been released, and solves a total of 104 vulnerabilities found across many of its products, including Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Supply Chain Product Suite, Oracle iLearning, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Java SE, Oracle and Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL. The most important ones for regular users are the patches addressing 37 vulnerabilities in Java SE, as four received a CVSS Base Score of 10.0 (Highly Critical – remote code execution, easily exploitable). “Due to the relative severity of a number of the vulnerabilities fixed in this Critical Patch Update, Oracle strongly recommends that customers apply it as soon as possible,” the company advised.

Samsung Galaxy S5 fingerprint scanner hacked

Samsung’s newly released Galaxy S5 phone sports a fingerprint scanner embedded in the home button that works well but unfortunately, like the iPhone 5S’ Touch ID before it, can be tricked with a mould of the user’s fingerprint. “Samsung’s implementation of fingerprint authentication leaves much to be desired,” researchers from Berlin-based security firm Security Research Labs (SRLabs) noted, and demonstrated how these flaws can be used to expose users’ devices, data, and even bank accounts to thieves or other attackers. The researchers used the same fingerprint mould they employed to fool the iPhone 5S’ Touch ID last year. The spoof was made under lab conditions, they noted, but is based on a camera-phone photo of an unprocessed latent print lifted off a smartphone screen.

Windows XP’s final Patch Tuesday

Microsoft has released its final security fixes for Windows XP as part of its latest Patch Tuesday update. The latest set of releases is quite light, with just four patches issued, two labelled as ‘critical’ and two as ‘important’. These cover key Microsoft products: Windows, Office and Internet Explorer. The six fixes within the patch for Internet Explorer cover several versions of Windows, including Windows XP, and that patch is one of the critical releases. The issues were spotted by researchers at firms including Trend Micro, HP and Palo Alto Networks. “These vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer,” Microsoft said. “An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user.” The other critical fix covers Microsoft Office and Word, and also relates to a remote code execution vulnerability.

Heartbleed bug exposes passwords

Internet security experts are scrambling to assess the extent of the breach caused by a massive bug called Heartbleed in the OpenSSL technology that runs encryption for two-thirds of the web and went unnoticed for two years until last week. A newly discovered bug in software supposed to provide extra protection for thousands of the world’s most popular websites has exposed highly sensitive information such as credit card numbers, usernames, and passwords, security researchers said. The discovery of the bug, known as Heartbleed, has caused several websites to advise their users to change their passwords. “This might be a good day to call in sick and take some time to change your passwords everywhere – especially your high-security services like email, file storage, and banking, which may have been compromised by this bug,” Tumblr wrote in a note to its many users. “The little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit.” Yahoo, the owner of Tumblr, confirmed that its users’ passwords have been compromised. The bug was discovered late last week in the OpenSSL technology that runs encryption for two-thirds of the Internet.

Apple releases Safari 7.0.3 update for Mavericks

Apple on Tuesday patched the security vulnerability in Safari that was successfully exploited at last month’s Pwn2Own hacking contest, where a team cracked the browser to win $65,000. The Cupertino, Calif. company seeded updates for both Safari 6 and Safari 7 yesterday, promoting the former to version 6.1.3 and the latter to 7.0.3. Safari 6.x runs on OS X 10.7, aka Lion, and OS X 10.8, better known as Mountain Lion. Safari 7.x runs on OS X 10.9, or Mavericks. Apple patched 27 vulnerabilities in Safari 6 and Safari 7, all in WebKit, the open-source browser engine that powers Safari, and all but one considered critical in that they could allow, the company said, “arbitrary code execution,” Apple’s terminology for the most serious bugs.

Oracle Java Cloud Service bugs publicly disclosed

Researchers have released technical details and attack code for 30 security issues affecting Oracle’s Java Cloud Service. Some of the issues make it possible for attackers to read or modify users’ sensitive data or to execute malicious code, the researchers warned. Poland-based Security Explorations typically withholds such public airings until after any vulnerabilities have been fixed, to prevent them from being exploited maliciously. The researchers broke from that tradition this week after Oracle representatives failed to resolve issues including bypasses of the Java security sandbox, bypasses of Java whitelisting rules, the use of shared WebLogic server administrator passwords, and the availability of plain-text user passwords stored in some systems.

Microsoft reveals zero-day attacks against Word

The exploit that attackers are using to target a zero-day vulnerability in Microsoft Word relies on a complex series of pieces, including an ASLR bypass, ROP techniques and shellcode with several layers of tools designed to detect and defeat analysis. Microsoft officials said the exploit is being used in targeted attacks right now and that attackers are employing it to drop a backdoor on vulnerable machines. The vulnerability, which Microsoft acknowledged yesterday in a security advisory, affects several versions of Word and Office, on both Windows and OS X, and is related to a problem in the handling of RTF files. Microsoft also acknowledged that there is a theoretical method through which an attacker could trigger the vulnerability in Outlook, but that method hasn’t been seen in the wild yet.

Facebook shows off epic ThreatData security platform

Facebook unveiled a new automated ThreatData security service in a blog post, claiming the advanced malware-detection and mitigation service has already helped take down a criminal campaign. ThreatData is a central intelligence tool designed to automatically detect and catalogue incoming cyber threats, give IT administrators information on them, and combat them. The company said it has already successfully used ThreatData to spot and mitigate a campaign targeting feature phones. “In the summer of 2013, we noticed a spike in malware samples containing the string ‘J2ME’ in the antivirus signature. Further investigation revealed a spam campaign using fake Facebook accounts to send links to malware designed for feature phones,” read the post.