
Tag: Security Vulnerability

Microsoft rushes emergency fix for critical antivirus bug

The point of antivirus is to keep malware off the system.

A particularly nasty software flaw in Microsoft’s antivirus engine could do the exact opposite and let attackers install malware on vulnerable systems. The critical security vulnerability in the Microsoft Malware Protection Engine affects a number of Microsoft products, including Windows Defender, Windows Intune Endpoint Protection, Microsoft Security Essentials, Microsoft System Center Endpoint Protection, Microsoft Forefront Security for SharePoint, Microsoft Endpoint Protection, and Microsoft Forefront Endpoint Protection.

These tools are enabled by default in Windows 8, 8.1, 10, and Windows Server 2012.

Fuze flaw exposed private business meetings to eavesdroppers

The security vulnerability in the business software allowed attackers to access recorded conversations.

Xen Patches Hypervisor Breakout Risk Without Breaking the Cloud

The open-source Xen virtualization project has patched a security vulnerability that could have enabled an attacker to break out of hypervisor isolation.

But unlike a Xen flaw in 2014, this time public cloud providers do not have to reboot all their servers.

Kubernetes Security Policies Benefit from Best Practices

The open-source Kubernetes container management and orchestration system has implemented a security vulnerability disclosure policy that aims to help minimize risk.

Windows zero-day affects 600,000 older servers, but likely won’t be patched

The security vulnerability is publicly exploitable, but Microsoft only fixes "currently supported versions."

Mac OS IM tool Adium lagging on library security vulnerability

libpurple is a 'binary blob of unknown provenance' says researcher

A developer is warning Adium users to pick a different messaging app because of an exploitable vulnerability in its underlying libpurple version.…

Increase in Available Security Patches + Decrease in Patch Rates =...

Annual Flexera Vulnerability Review Shows 81 Percent of All Vulnerabilities Had Available Patches, Yet Common Software Programmes Remain Unpatched

Maidenhead, U.K. – March 13, 2017 – Flexera Software, the leading provider of Software Vulnerability Management solutions for application producers and enterprises, today released Vulnerability Review 2017, the annual report from Secunia Research at Flexera Software, which presents global data on the prevalence of vulnerabilities and the availability of patches, maps the security vulnerability threat to IT... Source: RealWire

Why you need a bug bounty program

Every business needs to have a process in place for handling security vulnerability reports, but some organizations take a much more proactive approach to dealing with security researchers.

Xen Project asks to limit security vulnerability advisories

The organization is requesting permission to limit disclosures to only the most severe bugs.

XSS marks the spot: Steam vuln dangles potential phishing line

Flaw let users add malicious code to their profile pages

Security researchers have discovered a significant security vulnerability in Steam, Valve's digital distribution platform for PC gaming.…

WhatsApp: Encrypted Message Backdoor Reports Are 'Baseless'

The security researcher cited in the report acknowledged that the word 'backdoor' was probably not the best choice.

WhatsApp this week denied that its app provides a "backdoor" to encrypted texts.

A report published Friday by The Guardian, citing cryptography and security researcher Tobias Boelter, suggests a security vulnerability within WhatsApp could be used by government agencies as a backdoor to snoop on users.

"This claim is false," a WhatsApp spokesman told PCMag in an email.

The Facebook-owned company will "fight any government request to create a backdoor," he added.

WhatsApp in April turned on full end-to-end encryption—using the Signal protocol developed by Open Whisper Systems—to protect messages from the prying eyes of cybercriminals, hackers, "oppressive regimes," and even Facebook itself.

The system, as described by The Guardian, relies on unique security keys traded and verified between users in an effort to guarantee communications are secure and cannot be intercepted. When any of WhatsApp's billion users get a new phone or reinstall the program, their encryption keys change—"something any public key cryptography system has to deal with," Open Whisper Systems founder Moxie Marlinspike wrote in a Friday blog post.

During that process, messages may back up on the phone, waiting their turn to be re-encrypted.

According to The Guardian, that's when someone could sneak in, fake having a new phone, and hijack the texts.

But according to Marlinspike, "the fact that WhatsApp handles key changes is not a 'backdoor,' it is how cryptography works.

"Any attempt to intercept messages in transit by the server is detectable by the sender, just like with Signal, PGP, or any other end-to-end encrypted communication system," he wrote.

"We appreciate the interest people have in the security of their messages and calls on WhatsApp," co-founder Brian Acton wrote in a Friday Reddit post. "We will continue to set the record straight in the face of baseless accusations about 'backdoors' and help people understand how we've built WhatsApp with critical security features at such a large scale.

"Most importantly," he added, "we'll continue investing in technology and building simple features that help protect the privacy and security of messages and calls on WhatsApp."

In a blog post, Boelter said The Guardian's decision to use the word "backdoor" was probably not "the best choice there, but I can also see that there are arguments for calling it a 'backdoor.'" But Facebook was "furious and issued a blank denial, [which] polarized sides.

"I wish I could have had this debate with the Facebook Security Team in...private, without the public listening and judging our opinions, agreeing on a solution and giving a joint statement at the end," Boelter continued.

In an earlier post, Boelter said he reported the vulnerability in April 2016, but Facebook failed to fix it.

Boelter—a German computer scientist, entrepreneur, and PhD student at UC Berkeley focusing on Security and Cryptography—acknowledged that resolving the issue in public is a double-edged sword.

"The ordinary people following the news and reading headlines do not understand or do not bother to understand the details and nuances we are discussing now. Leaving them with wrong impressions leading to wrong and dangerous decisions: If they think WhatsApp is 'backdoored' and insecure, they will start using other means of communication. Likely much more insecure ones," he wrote. "The truth is that most other messengers who claim to have 'end-to-end encryption' have the same vulnerability or have other flaws. On the other hand, if they now think all claims about a backdoor were wrong, high-risk users might continue trusting WhatsApp with their most sensitive information."

Boelter said he'd be content to leave the app as is if WhatsApp can prove that "1) too many messages get [sent] to old keys, don't get delivered, and need to be [re-sent] later and 2) it would be too dangerous to make blocking an option (moxie and I had a discussion on this)."

Then, "I could actually live with the current implementation, except for voice calls of course," provided WhatsApp is transparent about the issue, like adding a notice about key change notifications being delayed.
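The key-change handling that Marlinspike and Boelter are arguing over, as an added example that is not WhatsApp, Signal or Open Whisper Systems code: a stand-alone Python simulation of a messenger client whose key directory is held by the server. The encryption is a stand-in (a SHA-256 keystream keyed by the recipient's key bytes, which double as the "public key" the server hands out), the names Server, Client, Device and the blocking flag are this example's own, and no real protocol messages are modelled. It shows both points made in the text: the sender is always shown a key-change notice, but in the non-blocking mode a queued message is encrypted to whatever key the directory currently reports before the user can act on that notice, whereas the blocking mode Boelter asks for holds the message until the new fingerprint has been verified out of band.

```python
"""Added example: key-change handling in an end-to-end encrypted messenger.
Stand-in crypto only (SHA-256 keystream); not WhatsApp or Signal code."""
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional


def fingerprint(pubkey: bytes) -> str:
    """Short 'safety number' for a key, the value users compare out of band."""
    return hashlib.sha256(pubkey).hexdigest()[:16]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy SHA-256 counter-mode stream, a stand-in for a real session cipher.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


@dataclass
class Envelope:
    recipient_fp: str      # fingerprint of the key this was sealed to
    nonce: bytes
    ciphertext: bytes


def seal(pubkey: bytes, plaintext: bytes) -> Envelope:
    nonce = secrets.token_bytes(16)
    ks = _keystream(pubkey, nonce, len(plaintext))
    return Envelope(fingerprint(pubkey), nonce, bytes(a ^ b for a, b in zip(plaintext, ks)))


def open_envelope(privkey: bytes, env: Envelope) -> Optional[bytes]:
    """Plaintext, or None if the envelope was sealed to some other key."""
    if env.recipient_fp != fingerprint(privkey):
        return None
    ks = _keystream(privkey, env.nonce, len(env.ciphertext))
    return bytes(a ^ b for a, b in zip(env.ciphertext, ks))


@dataclass
class Device:
    """One installation. In this stand-in the same bytes serve as the public
    key the server publishes and the private key that decrypts."""
    key: bytes = field(default_factory=lambda: secrets.token_bytes(32))

    def reinstall(self) -> None:
        self.key = secrets.token_bytes(32)   # new phone / reinstall => new key


class Server:
    """Key directory. Whoever controls it can publish any key for any user."""
    def __init__(self) -> None:
        self.directory: dict[str, bytes] = {}

    def current_key(self, user: str) -> bytes:
        return self.directory[user]


class Client:
    def __init__(self, server: Server, blocking: bool) -> None:
        self.server, self.blocking = server, blocking
        self.trusted: dict[str, str] = {}          # peer -> last accepted fingerprint
        self.notices: list[str] = []               # key-change warnings shown to the user
        self.held: list[tuple[str, bytes]] = []    # messages awaiting verification

    def send(self, peer: str, plaintext: bytes) -> dict:
        key = self.server.current_key(peer)
        fp, known = fingerprint(key), self.trusted.get(peer)
        if known is None:
            self.trusted[peer] = fp                # trust on first use
        elif known != fp:
            self.notices.append(f"{peer}: key changed {known} -> {fp}")
            if self.blocking:                      # do not encrypt to an unverified key
                self.held.append((peer, plaintext))
                return {"status": "held", "envelope": None}
            self.trusted[peer] = fp                # non-blocking: accept, warn, carry on
        return {"status": "sent", "envelope": seal(key, plaintext)}

    def verify(self, peer: str, fp_seen_out_of_band: str) -> list[dict]:
        """User compared safety numbers in person: accept the key, flush held mail."""
        current = fingerprint(self.server.current_key(peer))
        if fp_seen_out_of_band != current:
            return []                              # still mismatched, keep holding
        self.trusted[peer] = current
        pending = [m for m in self.held if m[0] == peer]
        self.held = [m for m in self.held if m[0] != peer]
        return [self.send(peer, pt) for _, pt in pending]


def key_substitution_scenario(blocking: bool) -> dict:
    """Bob's directory entry is replaced by Mallory's key (the 'fake having a new
    phone' case). Reports what Mallory could read and what Alice was shown."""
    server, bob, mallory = Server(), Device(), Device()
    server.directory["bob"] = bob.key
    alice = Client(server, blocking=blocking)
    first = alice.send("bob", b"meet at 9")
    assert open_envelope(bob.key, first["envelope"]) == b"meet at 9"
    server.directory["bob"] = mallory.key          # substitution, Alice not consulted
    second = alice.send("bob", b"bring the documents")
    leaked = open_envelope(mallory.key, second["envelope"]) if second["envelope"] else None
    return {"status": second["status"], "leaked_to_mallory": leaked,
            "notices": list(alice.notices), "held": len(alice.held)}
```

Both modes produce the same notice, which is Marlinspike's point that the change is detectable; the difference is whether the queued message was already encrypted to the substituted key by the time the user reads it, which is the behaviour Boelter wants made optional.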

Oh Britain. Worried your routers will be hacked, but won’t touch...

Survey shows people don't act on insecure wireless routers

Recent Mirai-style attacks against home broadband routers have had some effect, but the majority of users have failed to act. A survey of 2,000 broadband users found the majority (53 per cent) have not changed the Wi-Fi password and other default settings, potentially opening themselves up to attack.

The poll by independent switching site Broadband Genie found that more than half (54 per cent) were concerned about the possibility of their router being hacked. Shockingly, despite these concerns, the poll found that just 19 per cent had accessed the router administration controls on their router, 22 per cent had checked what devices are connected to their network, a meagre 17 per cent had changed their administrator password, and just 14 per cent had updated their router’s firmware. Women were less likely to update and change the settings on their router than men, according to the poll. A big majority (86 per cent) of users opted to stick with the router provided by their ISP rather than purchase an alternative.

Ondrej Vlcek, CTO at security software firm Avast, commented: “Home routers are weak and, therefore, also vulnerable, because for the most part, internet service providers, router manufacturers and the security community have neglected to acknowledge, scrutinise, and address their weaknesses.

“Over the last few months, Avast scanned over 4.3 million routers around the world and found that 48 per cent have some sort of security vulnerability. Today’s router security situation reminds me of the security of PCs in the 1990s, with simple vulnerabilities being discovered every day,” he added.

Rob Hilborn, head of strategy at Broadband Genie, added: “Despite broadband being in the majority of UK homes, it feels as if routers haven’t been designed with your average consumer in mind. Usability is generally poor, and changing something as simple as a Wi-Fi password can require you to go through multiple pages and acronyms. Improving and simplifying these systems is a good place for us to start if we’re serious about the public doing more to protect their router.”

More information on the survey can be found in a blog post by Broadband Genie.