At the virtual Enigma Conference, Google’s Project Zero’s Maggie Stone gave a talk about zero-day exploits in the wild. In it, she talked about how often vendors fix vulnerabilities only to have the attackers tweak their exploits to work again. From a MIT Technology Review article: Soon after they were spotted, the researchers saw one … Read More “On Vulnerability-Adjacent Vulnerabilities” »
Category: patching
Auto Added by WPeMatico
Last year, ZecOps discovered two iPhone zero-day exploits. They will be patched in the next iOS release: Avraham declined to disclose many details about who the targets were, and did not say whether they lost any data as a result of the attacks, but said “we were a bit surprised about who was targeted.” He … Read More “New iPhone Zero-Day Discovered” »
There’s a vulnerability in Wi-Fi hardware that breaks the encryption: The vulnerability exists in Wi-Fi chips made by Cypress Semiconductor and Broadcom, the latter a chipmaker Cypress acquired in 2016. The affected devices include iPhones, iPads, Macs, Amazon Echos and Kindles, Android devices, and Wi-Fi routers from Asus and Huawei, as well as the Raspberry … Read More “Wi-Fi Chip Vulnerability” »
The Zoom conferencing app has a vulnerability that allows someone to remotely take over the computer’s camera. It’s a bad vulnerability, made worse by the fact that it remains even if you uninstall the Zoom app: This vulnerability allows any website to forcibly join a user to a Zoom call, with their video camera activated, … Read More “Zoom Vulnerability” »
WhatsApp fixed a devastating vulnerability that allowed someone to remotely hack a phone by initiating a WhatsApp voice call. The recipient didn’t even have to answer the call. The Israeli cyber-arms manufacturer NSO Group is believed to be behind the exploit, but of course there is no definitive proof. If you use WhatsApp, update your … Read More “WhatsApp Vulnerability Fixed” »
Zcash just fixed a vulnerability that would have allowed “infinite counterfeit” Zcash. Like all the other blockchain vulnerabilities and updates, this demonstrates the ridiculousness of the notion that code can replace people, that trust can be encompassed in the protocols, or that human governance is not ncessary. Powered by WPeMatico
The module “event-stream” was infected with malware by an anonymous someone who became an admin on the project. Cory Doctorow points out that this is a clever new attack vector: Many open source projects attain a level of “maturity” where no one really needs any new features and there aren’t a lot of new bugs … Read More “Distributing Malware By Becoming an Admin on an Open-Source Project” »
A security vulnerability in Belkin’s Wemo Insight “smartplugs” allows hackers to not only take over the plug, but use it as a jumping-off point to attack everything else on the network. From the Register: The bug underscores the primary risk posed by IoT devices and connected appliances. Because they are commonly built by bolting on … Read More “Security Vulnerability in Smart Electric Outlets” »
Last week, researchers disclosed vulnerabilities in a large number of encrypted e-mail clients: specifically, those that use OpenPGP and S/MIME, including Thunderbird and AppleMail. These are serious vulnerabilities: An attacker who can alter mail sent to a vulnerable client can trick that client into sending a copy of the plaintext to a web server controlled … Read More “E-Mail Vulnerabilities and Disclosure” »
Researchers have disclosed a massive vulnerability in the VingCard eletronic lock system, used in hotel rooms around the world: With a $300 Proxmark RFID card reading and writing tool, any expired keycard pulled from the trash of a target hotel, and a set of cryptographic tricks developed over close to 15 years of on-and-off analysis … Read More “Security Vulnerabilities in VingCard Electronic Locks” »