17.8 C
Wednesday, August 16, 2017

Apple Patches Safari to Fix Memory-Corruption Flaws

Apple issued a pair of new Safari browser releases this week to fix memory-corruption vulnerabilities. Safari versions 7.0.6 and 6.16 were released Aug. 13 and provide fixes for seven different common vulnerabilities and exposures (CVE), all affecting the WebKit rendering engine. WebKit is an open-source browser engine framework that is used within Safari. Until April 2013, WebKit was also the primary engine underneath Google's Chrome. Google has since forked WebKit with its own Blink rendering engine, though there are still many similarities such as common areas of code shared across the two technologies. Google has been a large contributor to Apple Safari security this year and was credited with the discovery of eight vulnerabilities in WebKit for the Safari 7.0.5 update, released June 30. Google researchers also contributed heavily to the Safari 7.0.3 update in April and Safari 7.04 update in May. With the new Safari 7.0.6 update, Google is only credited with a single vulnerability (CVE-2014-1387).  Apple's security team discovered five of the vulnerabilities (CVE-2014-1384, CVE-2014-1385, CVE-2014-1388, CVE-2014-1389 and CVE-2014-1390). CVE-2014-138 is credited to an anonymous researcher. While there are seven different vulnerabilities, Apple notes in its advisory that the effect across all of them is the same. "Visiting a maliciously crafted Website may lead to an unexpected application termination or arbitrary code execution," Apple stated in its advisory. The fix for all the issues also received a generic explanation from Apple. The company noted that all the issues "were addressed through improved memory handling." While there are other types of browser security issues, memory corruption is increasingly common across all modern Web browsers. As part of its August Patch Tuesday update, Microsoft delivered fixes for 25 CVEs, most of which were memory-corruption-related flaws. Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.

Payment Card Breach Hits 180 Supervalu Stores and Affiliates

[unable to retrieve full-text content]Attackers went shopping and picked up much more than just a carton of eggs. Supervalu was the latest retail chain to reveal a payment card breach.

After years of hype, patent troll Vringo demolished on appeal

Vringo stock drops 70%, as Google shuts down dreams of a billion-dollar payday.

Grocery shoppers nationwide probably had credit card data stolen

Coast-to-coast: Albertsons, Acme Markets, Jewel-Osco and more were hit.

10 Ways to Ensure Sync-and-Share Works Well for IT, Users

Enterprise users and consumers alike need the simplicity and ease of use of consumer-grade sharing and synchronization. The common denominator here is ease of use at all times, across the board, and for any application or function. Sync-and-sharing sol...

Premier League warns fans not to tweet goal videos, animated GIFs

EPL using crawlers to find violations, admits "it sounds as if we're killjoys."

Comcast, TWC pull $132,000 donation from event honoring FCC commissioner

Controversial donations will be redirected toward group promoting diversity.

Facebook, the security company

CSO Joe Sullivan talks about PrivateCore and Facebook's homegrown security clout.

The internet runs out of memory, and the unhackable is hacked:...

On the flipside, the NHS is grabbing some excellent IT budget-saving opportunities as NPfIT is laid to rest

US supermarket retail chain Supervalu reports cyber breach

Supervalu is the latest in a string of US retailers to report a breach of its card payment network, but says there is no evidence that cardholder data was stolen. However, in a consumer security advisory, the company said the intruders may have accessed account numbers, expiry dates, other numerical information and cardholders' names. In recent months, data breaches have been reported by Target, Neiman Marcus, Sears and Michaels, affecting millions of US cardholders. Supervalu said it had not determined that any such cardholder data was in fact stolen by the intruder, and it has no evidence of any misuse of such data. The company said it had issued the security advisory “out of an abundance of caution”. Supervalu believes the payment cards from which such cardholder data may have been stolen were used during the period of 22 June to 17 July 2014, at 180 retail outlets owned by the company. The intrusion may also have resulted in the theft of such cardholder data from some cards used during this period at 29 franchised Cub Foods retail outlets. Supervalu said it believes the intrusion did not affect any of its owned or licensed Save-A-Lot stores or any of the independent grocery stores supplied by the company. Supervalu investigates data breach The company – one of the largest retailers in the US with annual sales of $17bn – said that, as soon as the intrusion was detected, it took immediate steps to secure the affected part of its network.  “An investigation supported by third-party data forensics experts is ongoing, to understand the nature and scope of the incident,” the company said. “Supervalu believes the intrusion has been contained and is confident customers can safely use their credit and debit cards in its stores.” The company said it had no reason to believe that additional information may have been stolen, but said an investigation was still in progress. Supervalu said it has notified federal law enforcement authorities and is co-operating in their efforts to investigate the intrusion and identify those responsible. Consumer identity protection The retailer has notified the major payment card brands and is co-operating in their investigation of the intrusion. Supervalu said that, although there is no evidence that cardholder data was stolen, the company is offering customers whose payment cards may have been affected 12 months of free consumer identity protection. The retailer has set up a callcentre to answer customer questions about the intrusion and the identity protection services offered.  Supervalu said it has insurance for cyber threats, which should mitigate the financial effect of these intrusions, including claims that might be made against the company as a result of the intrusion. Data security practice Mark Bower, vice president at Voltage Security said the simple fact being compliant with the payment card industry data security standard (PCI DSS) does not equate to mitigating advanced threats. “The only way to neutralise the risk of malware in the point of sale (POS) systems is to avoid any sensitive data passing in and through the vulnerable POS or retail IT,” he said. According to Bower, hundreds of thousands of merchants already do this today with proven approaches using the latest innovations in data-centric security. “These risks are totally avoidable – and at a fraction of the cost of  the fallout  from dealing with the consequences,” he said. Retailers struggle with basics of data security However, Verizon's 2014 Data Breach Investigations Report (DBIR) revealed that attackers continue to use only a few simple techniques to steal data from retail organisations. According to Verizon, very few data breaches in the retail sector can be attributed to advanced attacks. The most basic problem is that POS devices are often open to the internet and protected only by weak passwords, default passwords and even no passwords, the report said. The second most common scenario is that attackers use credentials stolen from technology suppliers, accounting for 38% of POS intrusions covered by the 2014 DIBR. The problem, said Verizon, is that retailers are not in control of access to their networks because many allow technology suppliers remote access to their networks and even their POS systems. The problem was exacerbated by the same password being used for all organisations managed by the supplier, making them all targets. Also, the flat hub-and-spoke architecture used by many retailers make it easier for attackers to move across a network once they are inside. Email Alerts Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox. By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy Read More Related content from ComputerWeekly.com RELATED CONTENT FROM THE TECHTARGET NETWORK

Google Chrome warns of deceptive software downloads

Google is to update the Safe Browsing feature of its Chrome browser to warn users about deceptive software downloads that make unexpected changes to computers. From next week, Chrome users will get a warning if they try to download software that appears to be helpful – such as a toolbar that actually does other things in the background such as change browser settings. “We’ll show a warning in Chrome whenever an attempt is made to trick you into downloading and installing such software,” said Google security engineer Moheeb Abu Rajab in a blog post. The new feature will provide protection against third-party download sites that bundle browser toolbars, adware and scripts with well-known software. Although the update will raise an alert, it will not block users from downloading software. “If you still wish to proceed despite the warning, you can access it from your Downloads list,” said Rajab, adding that everyone should always ensure they trust the source of any software they download. Safe Browsing is designed to identify unsafe websites and notify users and webmasters so they can protect themselves from harm. Safe Browsing displays warnings to users of Google Chrome, Mozilla Firefox and Apple Safari when they attempt to access phishing sites or download malware. “We’re currently showing more than three million download warnings per week—and because we make this technology available for other browsers to use, we can help keep 1.1 billion people safe,” said Rajab. According to several reports, Mozilla has responded positively to the news of the Safe Browsing update. Mozilla said in a statement: “We are happy to see that Google is continuing to improve its detection of potentially unwanted software, especially since Firefox relies on Google Safe Browsing to block malicious downloads. “We are investigating implementing this new extension, especially if it reduces unofficial rebundled software that targets Firefox,” Mozilla said. Email Alerts Register now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox. By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy Read More Related content from ComputerWeekly.com RELATED CONTENT FROM THE TECHTARGET NETWORK

How Verizon lets its copper network decay to force phone customers...

Fiber is fast, but copper is reliable—even during multi-week power outages.