vulnerabilities – Page 8 – SSL and internet security news

Hiding Vulnerabilities in Source Code

November 1, 2021 infossl

academic papers, operating systems, security engineering, Security technology, steganography, Uncategorized, usability, vulnerabilities

Really interesting research demonstrating how to hide vulnerabilities in source code by manipulating how Unicode text is displayed. It’s really clever, and not the sort of attack one would normally think about. From Ross Anderson’s blog: We have discovered ways of manipulating the encoding of source code files so that human viewers and compilers see … Read More “Hiding Vulnerabilities in Source Code” »

The Missouri Governor Doesn’t Understand Responsible Disclosure

October 18, 2021 infossl

courts, disclosure, overreactions, Security technology, Uncategorized, vulnerabilities

The Missouri governor wants to prosecute the reporter who discovered a security vulnerability in a state’s website, and then reported it to the state. The newspaper agreed to hold off publishing any story while the department fixed the problem and protected the private information of teachers around the state. […] According to the Post-Dispatch, one … Read More “The Missouri Governor Doesn’t Understand Responsible Disclosure” »

Zero-Click iMessage Exploit

September 17, 2021 infossl

apple, exploits, patching, Security technology, spyware, Uncategorized, vulnerabilities

Citizen Lab released a report on a zero-click iMessage exploit that is used in NSO Group’s Pegasus spyware. Apple patched the vulnerability; everyone needs to update their OS immediately. News articles on the exploit. Powered by WPeMatico

Tracking People by their MAC Addresses

September 6, 2021 infossl

bluetooth, Security technology, tracking, Uncategorized, vulnerabilities

Yet another article on the privacy risks of static MAC addresses and always-on Bluetooth connections. This one is about wireless headphones. The good news is that product vendors are fixing this: Several of the headphones which could be tracked over time are for sale in electronics stores, but according to two of the manufacturers NRK … Read More “Tracking People by their MAC Addresses” »

Interesting Privilege Escalation Vulnerability

August 26, 2021 infossl

privilege escalation, Security technology, Uncategorized, vulnerabilities, windows, zero-day

If you plug a Razer peripheral (mouse or keyboard, I think) into a Windows 10 or 11 machine, you can use a vulnerability in the Razer Synapse software — which automatically downloads — to gain SYSTEM privileges. It should be noted that this is a local privilege escalation (LPE) vulnerability, which means that you need … Read More “Interesting Privilege Escalation Vulnerability” »

Cobolt Strike Vulnerability Affects Botnet Servers

August 11, 2021 infossl

patching, penetration testing, Security technology, Uncategorized, vulnerabilities

Cobolt Strike is a security tool, used by penetration testers to simulate network attackers. But it’s also used by attackers — from criminals to governments — to automate their own attacks. Researchers have found a vulnerability in the product. The main components of the security tool are the Cobalt Strike client — also known as … Read More “Cobolt Strike Vulnerability Affects Botnet Servers” »

Nasty Printer Driver Vulnerability

July 22, 2021 infossl

cyberattack, hp, printers, privilege escalation, Security technology, Uncategorized, vulnerabilities

From SentinelLabs, a critical vulnerability in HP printer drivers: Researchers have released technical details on a high-severity privilege-escalation flaw in HP printer drivers (also used by Samsung and Xerox), which impacts hundreds of millions of Windows machines. If exploited, cyberattackers could bypass security products; install programs; view, change, encrypt or delete data; or create new … Read More “Nasty Printer Driver Vulnerability” »

Details of the REvil Ransomware Attack

July 8, 2021 infossl

cyberattack, malware, ransomware, russia, Security technology, supply chain, Uncategorized, vulnerabilities, zero-day

ArsTechnica has a good story on the REvil ransomware attack of last weekend, with technical details: This weekend’s attack was carried out with almost surgical precision. According to Cybereason, the REvil affiliates first gained access to targeted environments and then used the zero-day in the Kaseya Agent Monitor to gain administrative control over the target’s … Read More “Details of the REvil Ransomware Attack” »

Vulnerability in the Kaspersky Password Manager

July 6, 2021 infossl

Password Safe, passwords, random numbers, Security technology, Uncategorized, vulnerabilities

A vulnerability (just patched) in the random number generator used in the Kaspersky Password Manager resulted in easily guessable passwords: The password generator included in Kaspersky Password Manager had several problems. The most critical one is that it used a PRNG not suited for cryptographic purposes. Its single source of entropy was the current time. … Read More “Vulnerability in the Kaspersky Password Manager” »

Risks of Evidentiary Software

June 29, 2021 infossl

courts, cybersecurity, false positives, forensics, Security technology, Uncategorized, vulnerabilities

Over at Lawfare, Susan Landau has an excellent essay on the risks posed by software used to collect evidence (a Breathalyzer is probably the most obvious example). Bugs and vulnerabilities can lead to inaccurate evidence, but the proprietary nature of software makes it hard for defendants to examine it. The software engineers proposed a three-part … Read More “Risks of Evidentiary Software” »