Tag: vulnerabilities

Chrome 0Day A No-Show At Security Con

A planned talk that was to unveil a new and previously unknown (or “zero day”) vulnerability in Google’s Chrome web browser was cancelled on Saturday after the researcher, Ucha Gobejishvili, backed out, citing difficulties obtaining a visa to travel to New Dehli, India, where the Malcon hacking conference was held. The organizer of Malcon, Rajshekhar Murthy, confirmed in an email to Security Ledger that Gobejishvili cancelled his talk at the last minute. “(Ucha) did not come at (sp) the conference due to visa issues in the last minute,” Rajshekhar Murthy wrote in an e-mail to Security Ledger on Monday. “The issue stated was he was called in last minute (sp) by the military for compulsory service which conflicted with our event dates.” Gobejishvili did not respond to e-mail and instant message requests for comment. In a conversation with Security Ledger last week, he said he would use his talk at […]

Questions, Doubts greet Researcher’s Claim to have Chrome Zero Day

Google says that it will wait to see what transpires at a New Delhi hacking conference this week before responding to a researcher’s claim that he has discovered a remotely exploitable vulnerability in its Chrome web browser. Speaking with Security Ledger, Google spokeswoman Jessica Kositz said that the company was aware of claims by Georgian researcher Ucha Gobejishvili that he has discovered a previously unknown (zero day) security hole in Chrome and will demonstrate it at this week’s MalCon hacking conference. Gobejishvili described the security hole in Chrome as a “critical vulnerability.” “It has silent and automatically (sp) download function…and it works on all Windows systems” he told Security Ledger in an online chat session. While the Tbilisi-based researcher won’t say much about the hole, he told Security Ledger that he discovered it in July. The vulnerability is in a DLL (dynamic link library) that is part of the browser […]

Adobe Acknowledges Hack of User Forum For Connect Service

Software giant Adobe on Wednesday confirmed claims by a self-proclaimed “Egyptian” hacker to have compromised a user support forum frequented by customers of its Connect web conferencing technology, stealing user account information and posting some of it online. Adobe’s Director of Connect, Guillaume Privat, acknowledged in a blog post on Wednesday that the compromise of the Connectusers.com forum by an “unauthorized third-party” was for real and that the company has disabled the forum while it investigates the incident. The breach was first disclosed on Tuesday when a hacker calling himself “ViruS_HimA” posted what appeared to be account e-mail and password information online through web sites like pastebin.com and sendspace.com. The hacker claimed to have compromised a database server used to maintain the Connnectusers.com forum and downloaded information on 150,000 account holders, including the users names, login IDs, hashed password values, employer and e-mail address. The motive for the hack was […]

Support Forums Reveal Soft Underbelly of Critical Infrastructure

We hear a lot about vulnerabilities in industrial control system (ICS) software. In fact, that’s all we seem to hear about these days. The truth is: there’s a lot to write about. In just the last month, the Department of Homeland Security’s ICS-CERT warned its members about the ability of  sophisticated – and even unskilled – attackers to use tools like the Shodan and ERIPP search engines to locate and attack vulnerable industrial control systems (PDF) that are accessible from the public Internet. In the meantime, every couple of weeks brings revelations about serious and remotely exploitable software holes. Most recently, ICS-CERT warned about a critical vulnerability EOScada (PDF), a Windows-based Energy Management System that is used to configure and manage intelligent electronic devices (IEDs) used in electrical, water, sewage and gas applications. But what about real evidence of compromised SCADA and industrial control systems? That’s a taller order. After all: most […]

Medical Pumps Recall: Bug Causes Inaccurate Readings on Touchscreen

Mobile phones aren’t the only products to benefit from nifty touch screen displays. A whole range of medical devices now sport them, also – as any trip to your local emergency department (or dentist’s office) will reveal. Unfortunately, many of those devices are just as balky and bug ridden as your average mobile phone -despite the fact that patients’ lives can rely on them. And this week, there’s more evidence of the lurking epidemic of shoddy, IP enabled medical devices. The medical device maker Hospira issued a voluntary, nationwide recall of its Symbiq brand infusion systems after discovering a software error that caused the touch screen interfaces on the devices to respond incorrectly to user input. The problem could result in “a delayed response and or the screen registering a different value from the value selected by the user,” the company said in a statement. Symbiq is a drug infusion […]