Showing results for tags 'vulnerability'.
A newly disclosed vulnerability could allow attackers to seize control of mobile phones and key parts of the world's telecommunications infrastructure, making it possible to eavesdrop on or disrupt entire networks, security experts warned Tuesday. The bug resides in a code library used in a wide range of telecommunication products, including radios in cell towers, routers, and switches, as well as the baseband chips in individual phones. Although exploiting the heap overflow vulnerability would require great skill and resources, attackers who succeeded would be able to execute malicious code on virtually all of those devices. The code library was developed by Pennsylvania-based Objective Systems and implements ASN.1 (Abstract Syntax Notation One), a data-encoding standard used throughout telephony and network protocols. "The vulnerability could be triggered remotely without any authentication in scenarios where the vulnerable code receives and processes ASN.1 encoded data from untrusted sources," researchers who discovered the flaw wrote in an advisory published Monday evening. "These may include communications between mobile devices and telecommunication network infrastructure nodes, communications between nodes in a carrier's network or across carrier boundaries, or communication between mutually untrusted endpoints in a data network."
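The attack surface the advisory describes is a decoder that acts on length fields supplied by whoever sent the message. The following is an added example, not code from the Objective Systems library and not the routine in the advisory: a minimal BER TLV header parser in C that validates the declared length against the bytes actually present before the length is used for anything. The status codes, function names and the sample encodings are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: a bounds-checked BER TLV header parser. This is not the
 * Objective Systems runtime; it shows the class of check an ASN.1 decoder
 * must make on untrusted input before trusting an encoded length. */

enum ber_status {
    BER_OK = 0,
    BER_ERR_TRUNCATED,       /* header or value extends past the buffer */
    BER_ERR_INDEFINITE,      /* indefinite length (0x80) rejected */
    BER_ERR_LENGTH_TOO_LONG, /* long-form length wider than size_t */
    BER_ERR_NO_SPACE         /* value larger than the caller's destination */
};

struct ber_tlv {
    uint8_t tag;
    size_t length;          /* validated length of the value */
    const uint8_t *value;   /* points into the input buffer */
};

/* Parse one TLV with a single-octet tag from buf[0..len).
 * The declared length is checked against the bytes actually present BEFORE
 * it is used. Sizing a heap allocation or a memcpy directly from the declared
 * length is how an encoded length field turns into a heap overflow. */
enum ber_status ber_parse_tlv(const uint8_t *buf, size_t len, struct ber_tlv *out)
{
    size_t pos = 0, declared;

    if (len < 2)
        return BER_ERR_TRUNCATED;            /* need tag + first length octet */
    out->tag = buf[pos++];

    uint8_t first = buf[pos++];
    if (first < 0x80) {
        declared = first;                    /* short form: 0..127 */
    } else if (first == 0x80) {
        return BER_ERR_INDEFINITE;           /* indefinite form, not supported */
    } else {
        size_t n = first & 0x7F;             /* long form: n length octets follow */
        if (n > sizeof(size_t))
            return BER_ERR_LENGTH_TOO_LONG;  /* would wrap when accumulated */
        if (n > len - pos)
            return BER_ERR_TRUNCATED;        /* the length octets are missing */
        declared = 0;
        for (size_t i = 0; i < n; i++)
            declared = (declared << 8) | buf[pos++];
    }

    /* The check that matters: the value must fit in what remains. */
    if (declared > len - pos)
        return BER_ERR_TRUNCATED;

    out->length = declared;
    out->value = buf + pos;
    return BER_OK;
}

/* Copy a parsed value into a fixed-size destination, bounded by the
 * destination's capacity rather than by the sender-controlled length. */
enum ber_status ber_copy_value(const struct ber_tlv *tlv, uint8_t *dst,
                               size_t cap, size_t *copied)
{
    if (tlv->length > cap)
        return BER_ERR_NO_SPACE;
    memcpy(dst, tlv->value, tlv->length);
    *copied = tlv->length;
    return BER_OK;
}

int main(void)
{
    /* Constructed samples: OCTET STRING "abc", and one whose length field
     * claims more bytes than the buffer holds. */
    const uint8_t good[] = { 0x04, 0x03, 'a', 'b', 'c' };
    const uint8_t bad[]  = { 0x04, 0x05, 'a', 'b' };
    struct ber_tlv tlv;
    uint8_t out[16];
    size_t n;

    if (ber_parse_tlv(good, sizeof good, &tlv) == BER_OK &&
        ber_copy_value(&tlv, out, sizeof out, &n) == BER_OK)
        printf("good: tag 0x%02x, %zu value bytes\n", tlv.tag, n);

    printf("bad: status %d (expected %d)\n",
           ber_parse_tlv(bad, sizeof bad, &tlv), BER_ERR_TRUNCATED);
    return 0;
}
```

The two checks that matter are the `declared > len - pos` comparison and the cap-bounded copy; a decoder that skips either will read or write past the end of whatever buffer it allocated from the length field. A real ASN.1 runtime also has to handle multi-octet tags and constructed types, which this parser deliberately omits.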
Security holes and vulnerabilities are to be expected, but not enough is being done to patch them quickly. That is the conclusion of Heimdal Security, which analyzed software vulnerability data. The firm found that while security problems are increasing, companies are failing to keep pace and issues remain unaddressed for too long. Attackers are taking advantage of this, and user data is being left at great risk: Heimdal Security found that between 60 and 90 percent of attacks exploit known vulnerabilities that have gone unpatched. A number of key culprits are singled out for particular attention, names that will be familiar to most: Oracle Java Runtime Environment, Adobe Acrobat Reader, Adobe Flash Player, and Apple QuickTime. The biggest offender, by quite some margin, is the Java Runtime Environment, blighted by 48 vulnerabilities in 2012, a staggering 180 in 2013, and 90 so far in 2014. CVE Details also gives the average severity rating of the vulnerabilities found in each of the four products. Using CVSS (the Common Vulnerability Scoring System), which rates severity on a 0 to 10 scale, the average rating for Java is 7.8, and that is the best of the bunch; Adobe's two products average 9.2. So what is being done to address the issues as they are detected? Not enough. Morten Kjaersgaard, CEO of Heimdal Security, says: "Considering the severity and mass of security flaws we see in software released by key vendors, you may think that security gaps should be closed faster. However, our data actually indicates that it can take as many as 12 months between patches for Apple Quicktime to be released." Despite the huge number of security holes detected in its software, Oracle pushes out an update only once every couple of months on average. Adobe and Apple fare just about as badly. All of these products are still widely used; in fact, QuickTime is almost three times as popular now as it was in 2012.
But while Apple's media player may only be installed on 33 percent of computers, the two Adobe products and the Java Runtime are found on more than 80 percent of systems. Heimdal Security points out that this is particularly worrying, as some 27 percent of emails contain malicious URLs that exploit known software vulnerabilities. What is perhaps more troubling is that the studies were conducted on business systems. The figures may differ slightly for home computers, but it is business systems that house the most sensitive data in the greatest quantities.
We reported earlier this week on how financial organizations are at risk from third parties with compromised security. It seems that the same applies to software. The latest review by IT security specialist Secunia shows that third-party programs were responsible for 76 percent of the vulnerabilities discovered in the 50 most popular programs in 2013. Secunia's review covers the top 50 programs found on private PCs, including those approved and maintained by IT departments and those on BYOD devices used with or without permission. Unsurprisingly, 66 percent of the top 50 are Microsoft programs; however, they accounted for only 24 percent of the vulnerabilities in 2013.
The Internet Storm Center on Saturday raised its threat level to "Yellow," indicating a "significant new threat" to Internet users from attacks exploiting an unpatched vulnerability in all versions of Microsoft's Internet Explorer (IE) browser. "The Internet Storm Center is beginning to see increased evidence of exploits in the wild regarding Microsoft Security Advisory 2887505," the security organization said on its website. "Accordingly, we're moving the InfoCon up to Yellow." Microsoft's advisory, published Sept. 17, acknowledged that attackers were exploiting Internet Explorer 8 (IE8) and IE9, but added that the vulnerability, which remains unpatched, affects all versions of the browser, from the 12-year-old IE6 to the not-yet-released IE11. Microsoft has not said when it will patch the bug, but it has offered protective steps customers can take in the meantime.