Mozilla yanks Firefox 16 one day after release
Mozilla yesterday took the unusual step of yanking Firefox 16 from distribution just a day after its release.
The company said a critical vulnerability triggered the move.
The bug was apparently overlooked by Mozilla while it was developing Firefox 16, or introduced by the fixes baked into the upgrade that started reaching users early Tuesday.
"Mozilla is aware of a security vulnerability in the current release version of Firefox (version 16). Firefox version 15 is unaffected," said Michael Coates, Mozilla's director of security assurance, in a Wednesday post to the company's security blog.
On Tuesday, Mozilla rolled out Firefox 16, which featured patches for 24 vulnerabilities, 21 of which were judged "critical," the open-source developer's highest threat ranking.
Microsoft promises two-step IE fix
Microsoft has promised it will release a fix “in the next few days” to address the recently-identified flaw in Internet Explorer. At the time of writing, it is only possible to work around the bug, or stop using Internet Explorer, if one wishes to avoid the potential effects of attacks exploiting the vulnerability.
In a new TechNet post, Microsoft's Director of Trustworthy Computing Yunsun Wee writes that Redmond will issue a fix he describes as “an easy-to-use, one-click, full-strength solution any Internet Explorer user can install.”
Unpatched Java vulnerability exploited in targeted attacks, researchers say
Attackers are exploiting a new and unpatched vulnerability that affects the latest version of Java -- Java 7 Update 6 -- in order to infect computers with malware, according to researchers from security vendor FireEye.
So far, the vulnerability has been exploited in limited targeted attacks, FireEye's senior staff scientist Atif Mushtaq said Sunday in a blog post. "Most of the recent Java run-time environments i.e., JRE 1.7x are vulnerable."
The exploit is hosted on a website that resolves to an Internet Protocol address in China and its payload is a piece of malware that connects to a command and control server located in Singapore.
The malware installed in the attacks seen so far appears to be a variant of Poison Ivy, Jaime Blasco, a researcher with security firm AlienVault, said Monday in a blog post.
Nvidia releases Unix driver to fix high-risk vulnerability
Graphics chip maker Nvidia released a new version of its Unix driver on Friday in order to address a high-risk vulnerability that can be exploited by local users to gain root privileges on Linux systems.
The privilege escalation vulnerability fixed in the new 304.32 version of the Nvidia Unix driver was publicly disclosed last Wednesday by Dave Airlie, a principal engineer in the graphics team at Linux vendor Red Hat.
The public disclosure was made at the request of the anonymous researcher who originally discovered the flaw, after Nvidia failed to respond to a private report about the vulnerability, Airlie said in an email sent to the Full Disclosure mailing list.
Airlie's message also included proof-of-concept exploit code created by the anonymous researcher to demonstrate the vulnerability.
Adobe confirms new zero-day Flash bug
Adobe on Wednesday patched seven critical vulnerabilities in Flash Player, including one reported by Google researchers that hackers are using in "active targeted attacks." The bug attackers have been exploiting is a cross-site scripting (XSS) flaw in the Flash Player plug-in used by Microsoft's Internet Explorer (IE).
"This update resolves a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any website or Web mail provider, if the user visits a malicious website," read the Adobe security advisory that accompanied yesterday's Flash update. "There are reports that this vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message."
Adobe launches sandboxed Flash Player for Firefox, hopes for fewer exploits
Adobe has released a beta version of Flash Player for Firefox, which has better protection against vulnerability exploits because of a new sandboxed architecture.
"The design of this sandbox is similar to what Adobe delivered with Adobe Reader X Protected Mode and follows the same Practical Windows Sandboxing approach," said Peleus Uhley, platform security strategist at Adobe, in a blog post on Monday. "Like the Adobe Reader X sandbox, Flash Player will establish a low integrity, highly restricted process that must communicate through a broker to limit its privileged activities."
In secure software development, sandboxing refers to the practice of isolating a process from the operating system in order to minimize the fallout of a potential exploit. This type of technology has gained popularity in recent years, primarily because of its use in Google Chrome, a browser that has so far not experienced a successful remote code execution attack.
Drive-by-download attack exploits critical vulnerability in Windows Media Player
Security researchers from antivirus vendor Trend Micro have come across a Web-based attack that exploits a known vulnerability in Windows Media Player.
"Earlier today, we encountered a malware that exploits a recently (and publicly) disclosed vulnerability, the MIDI Remote Code Execution Vulnerability (CVE-2012-0003)," Trend Micro threat response engineer Roland Dela Paz said in a blog post on Thursday.
The security flaw can be exploited by tricking the victim into opening a specially crafted MIDI (Musical Instrument Digital Interface) file in Windows Media Player.
Microsoft released a security fix for it on Jan. 10, as part of its monthly patch cycle. "An attacker who successfully exploited this vulnerability could take complete control of an affected system," the company said at the time.
Espionage network exploiting Adobe Reader flaw
Adobe warned users of its Reader software earlier this week that hackers were using a critical vulnerability in the program to enable "limited, targeted attacks." Today security firm Symantec provided details of the compromise, which appear to have been well-funded efforts aimed at stealing secrets from specific industries and government agencies in the United States and United Kingdom.
The attacks used crafted emails designed to look like personal communications to specific managers or executives at the targeted organization, the company states in its brief analysis. Once the PDF attachment is opened, a Trojan -- dubbed "Sykipot" by Symantec -- infects the system using the vulnerability. Once a system is compromised, it communicates with a network of command-and-control servers hosted on at least a dozen and perhaps more than 50 domains.
Symantec confirms Flash exploits targeted defense companies
Security researchers at Symantec today confirmed that exploits of an unpatched Adobe Reader vulnerability targeted defense contractors, among other businesses.
"We've seen [this targeting] people at telecommunications, manufacturing, computer hardware and chemical companies, as well as those in the defense sector," said Joshua Talbot, senior security manager in Symantec's security response group, in an interview Wednesday.
Symantec mined its global network of honeypots and security detectors -- and located email messages with attached malicious PDF documents -- to come to that conclusion.
The inclusion of defense contractors was not unexpected.
Hackers exploit Adobe Reader zero-day, may be targeting defense contractors
Adobe today confirmed that an unpatched, or zero-day, vulnerability in Adobe Reader is being exploited by criminals.
Those attacks may have been aimed at defense contractors.
Adobe promised to patch the bug in the Windows edition of Reader and Acrobat 9 no later than the end of next week. Tuesday, Dec. 12 is also Microsoft's regularly-scheduled Patch Tuesday for the month.
The upcoming patch will be Adobe's sixth for Reader and Acrobat this year.
"A critical vulnerability has been [found] in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for Unix, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh," Adobe said in an early-warning email. "This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system."
HTC Android handsets spew private data to ANY app
A data logger pushed out by HTC to Android handsets has opened up a vulnerability allowing any app with internet permissions to access private customer information.
The vulnerability was spotted by Trevor Eckhart, who informed HTC about it and waited five days for a response. Following that he decided to go public and gave Android Police the details along with demonstration code and a video showing how an application that is supposed to see almost nothing can now see almost everything.
So an application that is supposed to be restricted to accessing the internet - a common ability requested by freebie apps to collect advertisements - can also access the user's location and details of all their synchronised accounts, not to mention the list of running tasks, the state of Wi-Fi connections, and system logs.
The data is being collected by a system package called HtcLoggers.apk, installed by HTC onto a range of Android handsets for reasons that aren't clear. That logging package accumulates data all the time, but it also has an accessible interface that other applications can use to request specific information - it even has a "help" command for those who don't know what it is they want to know.
Researchers find first Android malware targeting Gingerbread
Researchers have spotted the first malware that exploits a critical vulnerability in Android 2.3, aka Gingerbread, finding samples tucked into legitimate apps on Chinese download sites.
Earlier threats aimed at Google's Android, including the widely-distributed DroidDream and DroidDream Light, exploited bugs in older versions of the mobile operating system but were not able to hijack Gingerbread-powered smartphones.
Last Thursday, Xuxian Jiang, an assistant professor in computer science at North Carolina State University, said that his team and Beijing-based NetQin Mobile Security had identified new "high-risk" malware that can root, or completely compromise, Android 2.3.