Credit to Author: Jovi Umawing| Date: Tue, 05 Feb 2019 16:00:44 +0000
Credit to Author: Darlene Storm| Date: Wed, 31 May 2017 06:31:00 -0700
If your web browser was recording audio and video of you without any indication it was doing so, would you consider that invasion of privacy a security issue? Chrome doesn’t.
After AOL web developer Ran Bar-Zik discovered that a website can record audio and video without the red recording light appearing on the Chrome tab, he reported the bug.
But since users are the crux of the problem, Google doesn’t classify it as a security flaw. That’s because, before any audio or video is recorded, a user has to give a site permission to access the user’s webcam or microphone.
Credit to Author: Gregg Keizer| Date: Thu, 30 Mar 2017 12:03:00 -0700
The update to version 57.0.2987.133 contained fixes for five vulnerabilities, one marked “Critical” — the most serious rating in Google’s system — and the others tagged “High.”
Of the four vulnerabilities ranked High, one was attributed to “Team Sniper,” one of five groups from Chinese company Tencent Security that participated in this year’s edition of Pwn2Own, one of the world’s best-known hacking contests. Pwn2Own ran March 15-17 alongside the CanSecWest conference in Vancouver, British Columbia.
Credit to Author: Lily Hay Newman| Date: Thu, 30 Mar 2017 11:18:16 +0000
A VPN’s not a perfect solution to your privacy problems, but it’s a start. The post If You Want a VPN to Protect Your Privacy, Start Here appeared first on WIRED.
Credit to Author: Lucian Constantin| Date: Wed, 22 Mar 2017 14:21:00 -0700
Developers of the popular LastPass password manager rushed to push out a fix to solve a serious vulnerability that could have allowed attackers to steal users’ passwords or execute malicious code on their computers.
The vulnerability was discovered by Google security researcher Tavis Ormandy and was reported to LastPass on Monday. It affected the browser extensions installed by the service’s users for Google Chrome, Mozilla Firefox and Microsoft Edge.
According to a description in the Google Project Zero bug tracker, the vulnerability could have given attackers access to internal commands inside the LastPass extension. Those are the commands used by the extension to copy passwords or fill in web forms using information stored in the user’s secure vault.
Credit to Author: Gregg Keizer| Date: Mon, 20 Mar 2017 17:26:00 -0700
Mozilla last week patched a Firefox vulnerability just a day after it was revealed during Pwn2Own, the first vendor to fix a flaw disclosed at the hacking contest.
“Congrats to #Mozilla for being the first vendor to patch vuln[erability] disclosed during #Pwn2Own,” tweeted the Zero Day Initiative (ZDI) Monday. ZDI, the bug brokerage run by Trend Micro, sponsored Pwn2Own.
Mozilla released Firefox 52.0.1 on Friday, March 17, with a patch for the integer overflow bug that Chaitin Security Research Lab leveraged in an exploit at Pwn2Own on Thursday, March 16. The Beijing-based group was awarded $30,000 by ZDI for the exploit, which combined the Firefox bug with one in the Windows kernel.
Credit to Author: Lucian Constantin| Date: Fri, 24 Feb 2017 10:44:00 -0800
Google’s Project Zero team has disclosed a potential arbitrary code execution vulnerability in Internet Explorer because Microsoft has not acted within Google’s 90-day disclosure deadline.
This is the second flaw in Microsoft products made public by Google Project Zero since the Redmond giant decided to skip this month’s Patch Tuesday and postpone its previously planned security fixes until March.
Microsoft blamed the unprecedented decision to push back scheduled security updates by a month on a “last minute issue” that could have had an impact on customers, but the company hasn’t clarified the nature of the problem.
Credit to Author: Evan Schuman| Date: Tue, 21 Feb 2017 03:00:00 -0800
Privacy-concerned consumers desperately want a magic bullet, some simple thing they can use that will protect their identities and their web activity. And although there are a plethora of offerings today that make such a claim — VPNs, privacy-focused browsers such as Tor, privacy search engines such as DuckDuckGo, quite a few services that claim to anonymize anyone’s activity — the practical realities of human behavior make such privacy claims bogus.
Let me stress that almost all of these services do indeed help a person remain anonymous from the casual, untrained observer (the typical roommate, spouse, co-worker, boss, etc.). But any consumer who thinks that these tools will thwart a law enforcement agent, motivated cyberthief or identity thief, or anyone who is willing to spend the time to track you down is in for unhappiness.
Credit to Author: Lucian Constantin| Date: Wed, 15 Feb 2017 10:13:00 -0800
Researchers have devised a new attack that can bypass one of the main exploit mitigations in browsers: Address space layout randomization (ASLR). The attack takes advantage of how modern processors cache memory and, because it doesn’t rely on a software bug, fixing the problem is not easy.
Researchers from the Systems and Network Security Group at Vrije Universiteit Amsterdam (VUSec) unveiled the attack, dubbed AnC, Wednesday after having coordinated its disclosure with processor, browser and OS vendors since October.
ASLR is a feature present in all major operating systems. Applications, including browsers, take advantage of it to make the exploitation of memory corruption vulnerabilities like buffer overflows more difficult.
Cisco Systems has started to patch a critical vulnerability in its WebEx collaboration and conferencing browser extension that could allow attackers to remotely execute malicious code on computers.
The company released a patched version of the extension — 1.0.7 — for Google Chrome on Thursday and is working on similar patches for the Internet Explorer and Mozilla Firefox versions.
The vulnerability was found by Google security researcher Tavis Ormandy and stemmed from the fact that the WebEx extension exposed functionality to any website that had “cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html” in its URL or inside an iframe. Some of that WebEx functionality allowed for the execution of arbitrary code on computers.