It’s 2018 and your Macs, iPhones can be pwned by playing evil music: lots of patches

Apple has released security patches for iOS and macOS that include, among other things, Meltdown and Spectre fixes. The new versions should be installed as soon as possible. […] Less-hyped, but still serious, are vulnerabilities in the macOS kernel that include an exploitable race condition (CVE-2018-4092), a validation issue (CVE-2018-4093), and a memory initialization bug (CVE-2018-4090) […]

Skype, Signal, Slack, other apps inherit Electron vuln

Electron is a node.js and Chromium framework that lets developers use Web technologies (JavaScript, HTML and CSS) to build desktop apps. It’s widely-used: Skype, Slack, Signal, a Basecamp implementation and a desktop WordPress app all count themselves as adopters. Slack users should update to version 3.0.3 or better, and the latest version of Skype for […]

Intel patches for Spectre cause reboots, Intel tells people to stop installing them and also please help test for them

As we start the week, I want to provide an update on the reboot issues we reported Jan. 11. We have now identified the root cause for Broadwell and Haswell platforms, and made good progress in developing a solution to address it. Over the weekend, we began rolling out an early version of the updated […]

Someone is touting a mobile, PC spyware platform called Dark Caracal to governments

Dark Caracal [PDF] appears to be controlled from the Lebanon General Directorate of General Security in Beirut – an intelligence agency – and has slurped hundreds of gigabytes of information from devices. It shares its backend infrastructure with another state-sponsored surveillance campaign, Operation Manul, which the EFF claims was operated by the Kazakhstan government last […]

Lenovo inherited a switch authentication bypass

Lenovo has patched an ancient vulnerability in switches that it acquired along with IBM’s hardware businesses and which Big Blue itself acquired when it slurped parts of Nortel. The bug, which Lenovo refers to as “HP backdoor”, for reasons it has not explained, has been present in ENOS (Enterprise network operating system) since at […]

OnePlus suspends credit card transactions after fraud

Over the weekend, members of the OnePlus community reported cases of unknown credit card transactions occurring on their credit cards post purchase from oneplus.net. We immediately began to investigate as a matter of urgency, and will keep you updated. […] As a precaution, we are temporarily disabling credit card payments at oneplus.net. PayPal is still […]

All Intel laptops open to unlocking with ctrl-P and “admin”. Another fatal flaw in Intel Management Engine.

F-Secure reports a security issue affecting most corporate laptops that allows an attacker with physical access to backdoor a device in less than 30 seconds. The issue allows the attacker to bypass the need to enter credentials, including BIOS and Bitlocker passwords and TPM pins, and to gain remote access for later exploitation. It exists […]

Let’s Encrypt plugs hole that let miscreants grab HTTPS web certs for strangers’ domains

Let’s Encrypt – a SSL/TLS certificate authority run by the non-profit Internet Security Research Group (ISRG) to programmatically provide websites with free certs for their HTTPS websites – on Thursday said it is discontinuing TLS-SNI validation because it’s insecure in the context of many shared hosting providers. TLS-SNI is one of three ways Let’s Encrypt’s […]

Adult Themed Virtual Reality App spills Names, Emails of Thousands

Researchers at the firm Digital Interruption on Tuesday warned that an adult-themed virtual reality application, SinVR, exposes the names, email and other personal information via an insecure desktop application – a potentially embarrassing security lapse. The company decided to go public with the information after being frustrated in multiple efforts to responsibly disclose the vulnerability […]

Wait, what? The Linux Kernel Mailing List archives lived on ONE PC? One BROKEN PC?

Spare a thought for Jasper Spaans, who hosts the Linux Kernel Mailing List archive from a single PC that lives in his home. And since things always happen this way the home machine died while he was on holiday. The archive was therefore unavailable for much of the weekend, although Linux developers could still use […]

EMC, VMware security bugs throw gasoline on cloud security fire

While everyone was screaming about Meltdown and Spectre, another urgent security fix was already in progress for many corporate data centers and cloud providers who use products from Dell’s EMC and VMware units. A trio of critical, newly reported vulnerabilities in EMC and VMware backup and recovery tools—EMC Avamar, EMC NetWorker, EMC Integrated Data Protection […]

Okay, Google: why does Chromecast clobber Wi-Fi connections?

Wi-Fi router vendors have started issuing patches to defend their products against Google Chromecast devices. TP-Link and Linksys were first out of the blocks with firmware fixes, and TP-Link has posted this explanation of the issue. The bug is not in the routers, but in Google’s “Cast” feature, used in Chromecast, Google Home, and other devices. […]

WhatsApp Security Design Could Let an Infiltrator Add Members to Group Chats

Only admins can add new members to private groups. But the researchers found that anyone in control of the server can spoof the authentication process, essentially granting themselves the privileges necessary to add new members who can snoop on private conversations. The obvious examples that come to mind are hackers who manage to gain access […]

Stop us if you’ve heard this one: Apple’s password protection in macOS can be thwarted

An Apple developer has uncovered another embarrassing vulnerability in macOS High Sierra, aka version 10.13, that lets someone bypass part of the operating system’s password protections. This time, a vulnerable dialog box was found in the System Preferences panel for the App Store settings. The bug, reported by developer Eric Holtam to the Open Radar bug […]

Yahooooo! says! its! email! is! scrahoooo-ed!

Yahoo! Mail – yes, amazingly it is still a thing – is today taking a break from business as usual norms with the service down for almost the past seven hours. Since circa 9am, the email service has received hundreds of complaints an hour on downdetector.co.uk, with users moaning about persistent “error 15” messages, and others […]

Western Digital ‘My Cloud’ devices have a hardcoded backdoor — stop using these NAS drives NOW!

Today, yet another security blunder becomes publicized, and it is really bad. You see, many Western Digital My Cloud NAS drives have a hardcoded backdoor, meaning anyone can access them — your files could be at risk. It isn’t even hard to take advantage of it — the username is “mydlinkBRionyg” and the password is […]

Edward Snowden’s New App Uses Your Smartphone to Physically Guard Your Laptop

My disk is encrypted, but all it takes to bypass this protection is for an attacker — a malicious hotel housekeeper, or “evil maid,” for example — to spend a few minutes physically tampering with it without my knowledge. If I come back and continue to use my compromised computer, the attacker could gain access […]

Windows 10 Facial Recognition Feature Can Be Bypassed with a low res Photo

You can bypass Windows Hello with a low-res printed photo. In a report published yesterday, German pen-testing company SySS GmbH says it discovered that Windows Hello is vulnerable to the simplest and most common attack against facial recognition biometrics software — the doomsday scenario of using a printed photo of the device’s owner. Researchers say that by […]

Chinese Adups Backdoor Still Active on Many Android Devices

Back in mid-November 2016, US cyber-security firm Kryptowire revealed it discovered that firmware code created by a Chinese company called Adups was collecting vast amounts of user information and sending it to servers located in China. According to Kryptowire, the backdoor code was collecting SMS messages, call history, address books, app lists, phone hardware identifiers, but […]

Tripwire detects hacks companies haven’t told us about by creating accounts with unique emails on thousands of servers. If the email account is accessed, the site has been breached. No-one knows or cares that there has been a breach in the vast majority of cases.

a prototype tool created by researchers from the University of California San Diego (UCSD) aims to bring greater transparency to such breaches. The system, called Tripwire, detects websites that were hacked, as is detailed in this study. Here’s how it works: To detect breaches, the researchers created a bot that automatically registered accounts on […]

Windows 10 Password Manager Keeper allows sites to steal any password.

A Google security researcher has found and helped patch a severe vulnerability in Keeper, a password manager application that Microsoft has been bundling with some Windows 10 distributions this year. “I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages,” said Tavis Ormandy, the Google […]

“Suspicious” event routes traffic for big-name sites through Russia

According to a blog post published Wednesday by Internet monitoring service BGPMon, the hijack lasted a total of six minutes and affected 80 separate address blocks. It started at 4:43 UTC and continued for three minutes. A second hijacking occurred at 7:07 UTC and also lasted three minutes. Meanwhile, a second monitoring service, Qrator Labs, […]

Apparent Google update glitch disconnects student Chromebooks in schools across the U.S. – GeekWire

Tens of thousands, perhaps millions, of Google Chromebooks, widely prized by schools due to their low cost and ease of configuration, were reported to be offline for several hours on Tuesday. The apparent cause? A seemingly botched WiFi policy update pushed out by Google that caused many Chromebooks to forget their approved network connection, leaving […]