Oracle Corp. has rushed out an update for its Java Standard Edition software after malicious hackers jumped on a security hole in widespread, web-based attacks. Oracle released Java Standard Edition Update 11 on Sunday, less than a week after news first broke that cyber criminals had woven exploit code for the security hole into push button “exploit kits” that are for sale in the cyber underground. The update fixes CVE-20130-0422, and Oracle urged Java users to apply the update as soon as possible. Java technology powers billions of laptop and desktop computers, as well as smart phones and embedded devices. However, the platform has been the subject of repeated, critical security holes. Most recently, in August, Oracle was forced to rush out a similar update – Java Standard Edition Update 10 – in the face of similar attacks on another security hole. Attacks using the exploit were reported to be […]
Vulnerabilities
Lights Out For Java: Experts Say Turn It Off – And Leave It Off
Security experts from around the globe are warning Internet users to disable Java while browsing the web, after attacks using a previously unknown (“zero day”) vulnerability in Java began to surface, as part of multi-purpose “exploit kits” that are used to launch attacks from hostile or compromised web sites. The exploit works on all versions of Java 7, including update 10 – the latest release from Oracle, which now manages the Java technology, after acquiring it with the assets of Sun Microsystems, according to an analysis by the firm Alienvault, which said that the exact nature of the vulnerability wasn’t known because the exploit was heavily obfuscated to slow down security researchers. According to this report from Krebsonsecurity, the first word of the new exploit came by way of underground forums, where the administrators of popular exploit kits like Blackhole and the Nuclear exploit kits added the Java exploit as […]
Update: Plumbing Facebook, Researcher Finds Hole In Secure File Transfer Platform
Updated to include response from Accellion. 1/9/2013 A security researcher who was looking for vulnerabilities in Facebook’s platform instead stumbled on a much larger hole that could affect scores of firms who rely on a secure file transfer platform from Accellion. Writing on his blog on Monday, Israeli researcher Nir Goldshlager said he uncovered a security hole affecting Accellion’s Secure File Transfer service that could allow an attacker to take control of a user’s Secure File Transfer account with little more than the e-mail address associated with the account. Accellion Secure File Transfer is a service that allows enterprises to offer secure transfer and storage of large files (up to 100GB). In contrast to consumer-focused services like DropBox, Accellion offers comprehensive file tracking and reporting as well as data security features necessary to satisfy government regulations like HIPAA, GLBA, and SOX. Secure File Transfer is offered to companies as a private cloud, public […]
Microsoft Rushes Fix for IE Hole Used in Attacks on DC’s Elite
Microsoft issued an emergency fix for its Internet Explorer web browser on Monday, just days after security researchers reported finding a previously unknown (zero day) vulnerability in IE that was being used in targeted attacks against members of Washington D.C.’s media, government and policy elite. Microsoft’s Security Response Center (MSRC) released the fix for IE versions 6, 7 and 8 on Monday following reports of sophisticated and targeted attacks using the vulnerability were detected on the web site of the Council of Foreign Relations, a leading think tank whose members include senior government officials. In a Security Advisory (#2794220), Microsoft described the flaw as a “remote code execution vulnerability” in code that governs the way that “Internet Explorer accesses an object in memory that has been deleted or (improperly) allocated.” The vulnerability could allow a malicious attacker to create a malicious web page that would exploit the vulnerability to corrupt memory in […]
Security Hole in Samsung Smart TVs Could Allow Remote Spying
The company that made headlines in October for publicizing zero day holes in SCADA products now says it has uncovered a remotely exploitable security hole in Samsung Smart TVs. If left unpatched, the vulnerability could allow hackers to make off with owners’ social media credentials and even to spy on those watching the TV using compatible video cameras and microphones. In an e-mail exchange with Security Ledger, the Malta-based firm said that the previously unknown (“zero day”) hole affects Samsung Smart TVs running the latest version of the company’s Linux-based firmware. It could give an attacker the ability to access any file available on the remote device, as well as external devices (such as USB drives) connected to the TV. And, in a Orwellian twist, the hole could be used to access cameras and microphones attached to the Smart TVs, giving remote attacker the ability to spy on those viewing […]
