Archive for the ‘security’ Category

Full LastPass 4.1.42 Exploit Discovered

Tuesday, March 21st, 2017

Password managers must make an incredibly tempting target for hackers. Heads up, LastPass users!

Tavis Ormandy, a prolific member of Google’s Project Zero initiative, revealed that he discovered a new security issue in LastPass 4.1.42 (and maybe earlier). Ormandy revealed that he discovered an exploit, but did not reveal it. Project Zero discoveries are reported to the companies who produce the affected products. The companies have 90 days to react, usually by creating a new product version that they make available publicly to all customers.


Pwn2Own 2017: Windows, Ubuntu, Edge, Safari and Firefox Exploited

Friday, March 17th, 2017

The good news is that Chrome managed to resist hacking (this time).

The tenth anniversary of the Pwn2Own gathering of hackers, Pwn2Own 2017, saw eleven teams attempt to exploit products across four categories. The products that teams were allowed to target this year included operating systems and web browsers, but also the new product categories Enterprise applications and server-side. Programs like Adobe Reader and Apache Web Server were added as targets by the Pwn2Own committee.


NoScript 5.0 Add-On for Firefox Released

Wednesday, March 15th, 2017

Although it’s a bit of a hassle to continuously whitelist sites that you want to allow, the ability to block scripts is probably one of the most effective PC security measures available.

NoScript 5.0, a popular script blocker (and more) for Firefox, has just been released to the public after two release candidate builds. The browser add-on is a script blocker first and foremost. It blocks any script from running on sites you visit, unless you whitelist them. The approach makes it one of the best add-ons from a security point of view, but it means that you will have to adjust website permissions regularly, as sites may fail to load completely or partially because their scripts are not loaded when the site is opened in the Firefox web browser.


Windows Defender Application Guard – A Quick Summary

Tuesday, March 14th, 2017

Protection for Windows Edge is a nice start, but Microsoft needs to go a step further and include protection for IE as well as the user’s system.

Windows Defender Application Guard is a new security feature of the Windows 10 operating system that Microsoft revealed back in 2016. The company revealed back then that it would integrate the feature in a future Windows Insider build before shipping it with the new feature update of Windows, the Windows 10 Creators Update.


Security Issues Found in Nine Password Managers for Android (LastPass, Dashlane, …)

Monday, March 6th, 2017

Considering how often major security problems with password managers seem to turn up, you’d probably be better off just writing your passwords down on the back of a business card.

Security researchers of the Fraunhofer Institute found severe security issues in nine password managers for Android that they analyzed as part of their research. Password managers are a popular option when it comes to storing authentication information. All promise secure storage either locally or remotely, and some may add other features to the mix such as password generation, automatic sign-ins, or the saving of important data such as credit card numbers or PINs.


Report – Non-Admin Accounts Mitigate 94% of Critical Windows Vulnerabilities

Wednesday, March 1st, 2017

This probably goes without saying, but here it is anyway, just in case anyone needs a reminder.

A new report suggests that Windows admins and users could mitigate 94% of all critical vulnerabilities automatically by running non-admin accounts. It is common sense that using standard user accounts on Windows, as opposed to accounts with elevated privileges, is a good security practice. The main reason behind this practice is simple: if a user cannot perform certain operations due to limited rights, then malware can’t perform those operations either.


Google Discloses Edge and IE Vulnerability

Monday, February 27th, 2017

This is a fairly serious vulnerability. It’s surprising that we’re hearing about this from Google, rather than Microsoft.

Google disclosed a security vulnerability in Microsoft Edge and Internet Explorer yesterday that Microsoft failed to patch up until now. This is the second vulnerability that Google disclosed this month. Last week, the company disclosed a Windows vulnerability that affected the gdi32.dll dynamic link library in Windows. The new vulnerability that Google disclosed yesterday affects the web browsers Microsoft Internet Explorer and Microsoft Edge.


Chrome – The “HoeflerText Font wasn’t Found” Scam

Friday, February 24th, 2017

Here’s a clever new scam that disguises itself as a font error.

It is interesting from a purely scientific angle how attackers come up with new methods and schemes to distribute malicious payloads onto user systems. The “HoeflerText font wasn’t found” scam is a recent attack that changes website text so that it looks as if a font is missing, to get users to download and install an alleged update for Chrome that adds the font to the system.


How to Force Flash Updates in Chrome

Thursday, February 23rd, 2017

Even though Flash is quickly falling out of favor with many users, there are still plenty of folks who rely on Flash. Since Chrome is sometimes a bit slow about pushing Flash updates, security conscious Flash users might want to be a bit more proactive about updates.

The following guide walks you through the steps of checking the installed Flash version in Google Chrome, and forcing it to update if an outdated version is used by the browser. All versions of the Google Chrome web browser ship with Adobe Flash installed natively in the browser. While Chrome does not support classic NPAPI plugins anymore, Chrome is still supporting PPAPI plugins of which Flash is one.


Microsoft Publishes Long-Awaited February 2017 Flash Update KB4010250

Wednesday, February 22nd, 2017

Better late than never, I guess …

Microsoft announced last week that it would not release security patches on February’s Patch Day. In fact, the February Patch Day was canceled completely by the company, a first in the Patch Day’s history. Microsoft revealed that it would delay the February Patch Day to the March Patch Day. This means that the February 2017 security patches will be released alongside the March 2017 patches by the company. This would not be a problem were it not for known unpatched security issues. An SMB security issue was revealed on February 3rd, 2017 that affects Windows 8, Windows 10 and Windows Server.
