Monthly Archives: July 2014

Mozilla patches security bugs in Firefox

Mozilla officially released the stable version of Firefox 31 for all supported platforms, integrating 11 security fixes, three of them marked as critical. One of the major vulnerabilities corrected would allow exploitation of a WebGL crash triggered with the Cesium JavaScript library. Details about this glitch are not available at the moment, but Mozilla notes that it cannot be leveraged through email in the Thunderbird client because scripting is disabled there. Another flaw is a use-after-free vulnerability when handling DirectWrite fonts. Exploiting it is possible on the Windows platform only; OS X and Linux remain unaffected.

Backdoor discovered in Apple iOS devices

A security researcher is claiming to have found a set of services in iOS that appear to be a firmware-level backdoor in iOS devices. What is more interesting is that Apple has, in a very non-Apple manner, responded to his claims by posting a support page about it. He claims that this is confirmation of the backdoors he found in iOS, and that Apple claims to use them for diagnostic and enterprise purposes. These backdoors can only be accessed by Apple (or anyone that has access to Apple’s services), so they are mostly secure backdoors, but they are backdoors nonetheless. Most consumers are wholly unaware that alternative pathways into their devices exist and can be used by anyone (in this case Apple) other than themselves.

Oracle issues 113 patches

Oracle has issued 113 fixes relating to products across nearly its entire portfolio in its latest quarterly Critical Patch Update. Oracle announced the details of its July Critical Patch Update, which was released on Tuesday, via a threat advisory on its website. The advisory details fixes for key Oracle products and services, including Fusion Middleware, Database, Server, Hyperion, Enterprise Manager Grid Control, E-Business Suite, Supply Chain, PeopleSoft, Siebel CRM, Communications, Retail, MySQL, Virtualization, Sun Systems and Java SE (JSE). Oracle urged customers to update their systems as soon as possible: “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.”

Google Project Zero

Google has set up an internal task force that will work to expose the activities and techniques of malicious Internet actors, aiming to cut down on the number of targeted cyberattacks. “You should be able to use the Web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications,” wrote Chris Evans, a Google security researcher, in a blog post on Tuesday announcing the initiative, called Project Zero.

Microsoft July Patch Tuesday updates

Microsoft has released a critical fix for vulnerabilities in its popular Internet Explorer web browser as part of its latest monthly Patch Tuesday update. The Internet Explorer (IE) update is one of two critical updates this month, and the flaws it addresses could theoretically be used by attackers to mount remote code-execution attacks. Qualys CTO Wolfgang Kandek said that, while serious, none of the vulnerabilities is a zero-day, meaning their potential use to attackers is limited. “There are no zero-days open for IE, which would dictate the shortest turnaround possible for the installation of the patch, but nevertheless IT admins should schedule the IE patch for a quick installation,” he said. The second critical bulletin relates to Microsoft’s now ancient Windows XP Tablet Edition and its Windows Journal note-taking application.

Stealing passwords via Google Glass

A new computer vision attack could allow Google Glass wearers to steal passwords typed on nearby tablets or smartphones, even if the attackers do not have a clear view of the screen, according to a report by CNN. The technique could allow attackers to recover 90% of passcodes from up to ten feet away, regardless of whether the screen is obscured by glare. The distance is even greater if an attacker uses a high-definition camcorder: up to 150 feet. “I think of this as a kind of alert about Google Glass, smartwatches, all these devices,” says Dr Xinwen Fu of the University of Massachusetts in Lowell. “If someone can take a video of you typing on the screen, you lose everything.” Instead of “watching” the screen, the software developed by Dr Fu tracks the user’s finger in video recordings, following the fingertip’s position relative to the screen.

Apple releases security fixes for iOS, OS X, Safari

Apple on Monday updated both OS X and iOS, patching 19 security vulnerabilities in the former and 44 in the latter. OS X 10.9.4, aka “Mavericks,” and iOS 7.1.2 each contained several non-security fixes as well. Mavericks received 19 patches, 11 of them rated critical with the description that an exploit may be able to execute “arbitrary code,” Apple-speak for the most serious tier of vulnerabilities. The separate Security Update 2014-003 addressed three bugs in Lion and eight in Mountain Lion, the precursors to Mavericks, which shipped in 2011 and 2012, respectively. Nine of the 19 Mavericks vulnerabilities, and eight of the 11 critical flaws, were reported to Apple by Ian Beer, a Google security engineer.

Microsoft boosts encryption in Outlook.com, OneDrive

Microsoft is making good on the promises it made last December, when it announced that it would, among other things, strengthen the encryption of customer data across its networks and services, including Outlook.com, Office 365, SkyDrive and Windows Azure. Matt Thomlinson, VP of Microsoft’s Trustworthy Computing Security, disclosed on Tuesday that Transport Layer Security (TLS) and Perfect Forward Secrecy (PFS) encryption support has been added to Outlook.com for both outbound and inbound email. He noted that TLS for email in transit works well only if the other email service providers support it, and shared that Microsoft has been working with several international providers, such as Deutsche Telekom, Yandex and Mail.Ru, to test the feature.