Firefox 101 is out, this time with no 0-day scares (but update anyway!)

By Paul Ducklin — June 1^st 2022 at 14:31

After an intriguing month of Firefox releases, here's one with a bit less drama, probably to the collective relief of Mozilla's coders.

Naked Security

Mysterious “Follina” zero-day hole in Office – here’s what to do!

By Paul Ducklin — May 30^th 2022 at 23:01

News has emerged of a "feature" in Office that has been abused as a zero-day bug to run evil code. Turning off macros doesn't help!

Naked Security

S3 Ep84: Government demand, Mozilla velocity, and Clearview fine [Podcast]

By Paul Ducklin — May 27^th 2022 at 11:17

Latest episode - listen now!

Naked Security

Poisoned Python and PHP packages purloin passwords for AWS access

By Paul Ducklin — May 24^th 2022 at 23:04

More supply chain trouble - this time with clear examples so you can learn how to spot this stuff yourself.

Naked Security

Mozilla patches Wednesday’s Pwn2Own double-exploit… on Friday!

By Paul Ducklin — May 20^th 2022 at 23:47

That was quick! 48 hours from exploit report to published patch.

Naked Security

Microsoft patches the Patch Tuesday patch that broke authentication

By Paul Ducklin — May 20^th 2022 at 22:35

Remember the good old days when security patches rarely needed patches? Because security patches themlelves were rare enough anyway?

Naked Security

US Government says: Patch VMware right now, or get off our network

By Paul Ducklin — May 20^th 2022 at 14:03

Find and patch. Right now. If you can't patch, get it off the network. Right now! Oh, and show us what you did to comply.

Naked Security

S3 Ep83: Cracking passwords, patching Firefox, and Apple vulns [Podcast]

By Paul Ducklin — May 19^th 2022 at 13:56

Latest episode - listen now!

Naked Security

Pwn2Own hacking schedule released – Windows and Linux are top targets

By Paul Ducklin — May 18^th 2022 at 13:04

What's better? Disclose early, patch fast? Or dig deep, disclose in full, patch more slowly?

Naked Security

Apple patches zero-day kernel hole and much more – update now!

By Paul Ducklin — May 17^th 2022 at 09:30

You'll find fixes for numerous kernel-level code execution holes, including an 0-day vulnerability in many (though not all) versions.

Naked Security

S3 Ep82: Bugs, bugs, bugs (and Colonial Pipeline again) [Podcast]

By Paul Ducklin — May 12^th 2022 at 15:46

Latest episode - lots to learn - plain English - fun with a serious side - listen now!

Naked Security

Serious Security: Learning from curl’s latest bug update

By Paul Ducklin — May 12^th 2022 at 15:08

Learn how to write plain-speaking and purposeful security advisories from one of the most widely-used open source tools in the world.

Naked Security

RubyGems supply chain rip-and-replace bug fixed – check your logs!

By Paul Ducklin — May 9^th 2022 at 15:41

Imagine if you could assume the identity of, say, Franklin Delano Roosevelt simply by showing up and calling yourself "Frank".

ruby-1200

Naked Security

You didn’t leave enough space between ROSE and AND, and AND and CROWN

By Paul Ducklin — May 6^th 2022 at 16:59

What weird Google Docs bug connects the words THEREFORE, AND, SECONDLY, WHY, BUT and BESIDES?

Naked Security

S3 Ep81: Passwords (still with us!), Github, Firefox at 100, and network worms [Podcast]

By Paul Ducklin — May 5^th 2022 at 14:16

Latest episode - listen now!

Naked Security

World Password Day – the 1960s just called and gave you your passwords back

By Paul Ducklin — May 5^th 2022 at 01:06

Yes, passwords are going away. No, it won't happen tomorrow. So it's still worth knowing the basics of picking proper passwords.

Naked Security

Android monthly updates are out – critical bugs found in critical places!

By Paul Ducklin — May 4^th 2022 at 15:54

Android May 2022 updates are out - with some critical fixes in some critical places. Learn more...

Naked Security

Firefox hits 100*, fixes bugs… but no new zero-days this month

By Paul Ducklin — May 3^rd 2022 at 16:42

Despite concerns that some websites might break when Chromium and then Firefox reached version 100, the web still seems to be intact.

Naked Security

GitHub issues final report on supply-chain source code intrusions

By Paul Ducklin — April 29^th 2022 at 16:15

Learn how to find out which apps you've given access rights to, and how to revoke those rights immediately in an emergency.

Naked Security

S3 Ep80: Ransomware news, phishing woes, NAS bugs, and a giant hole in Java [Podcast]

By Paul Ducklin — April 28^th 2022 at 13:18

Latest episode - listen now!

Naked Security

Ransomware Survey 2022 – like the Curate’s Egg, “good in parts”

By Paul Ducklin — April 27^th 2022 at 15:22

You might not like the headline statistics in this year's ransomware report... but that makes it even more important to take a look!

Naked Security

QNAP warns of new bugs in its Network Attached Storage devices

By Paul Ducklin — April 22^nd 2022 at 15:15

Here's what you need to know - plus some sensible advice for all the devices on your home or small biz network!

nas-1200

Naked Security

S3 Ep79: Chrome hole, a bad place for a cybersecurity holiday, and crypto-dodginess [Podcast]

By Paul Ducklin — April 21^st 2022 at 13:41

Do you know your Adam Osborne from your John Osbourne? Your Z80 from your 6502? Latest episode - listen now!

Naked Security

Critical cryptographic Java security blunder patched – update now!

By Paul Ducklin — April 20^th 2022 at 16:43

Either know the private key and use it scrupulously in your digital signature calculation.... or just send a bunch of zeros instead.

Naked Security

Beanstalk cryptocurrency heist: scammer votes himself all the money

By Paul Ducklin — April 19^th 2022 at 16:00

Voting safeguards based on commuity collateral don't work if one person can use a momentary loan to "become" 75% of the community.

Naked Security

Yet another Chrome zero-day emergency update – patch now!

By Paul Ducklin — April 16^th 2022 at 00:33

The third emergency Chrome 0-day in three months - the first one was exploited by North Korea, so you might as well get this one ASAP.

Naked Security

S3 Ep78: Darkweb hydra, Ruby, quantum computing, and a robot revolution [Podcast]

By Paul Ducklin — April 14^th 2022 at 13:39

Latest episode - listen now!

Naked Security

Hospital robot system gets five critical security holes patched

By Paul Ducklin — April 12^th 2022 at 18:58

Fortunately, we're not talking about a robot revolution, or about hospital AI run amuck. But these bugs could lead to ransomware, or worse...

Naked Security

Popular Ruby Asciidoc toolkit patched against critical vuln – get the update now!

By Paul Ducklin — April 8^th 2022 at 15:38

A rogue line-continuation character can trick the code into validating just the second half of the line, but executing all of it.

ruby-1200

Naked Security

S3 Ep77: Bugs, busts and old-school PDP-11 hacking [Podcast]

By Paul Ducklin — April 7^th 2022 at 12:24

Latest episode - listen now! Cybersecurity news and advice in plain English.

Naked Security

Firefox 99 is out – no major bugs, but update anyway!

By Paul Ducklin — April 5^th 2022 at 16:21

Firefox's four-weekly updates just dropped - here's what you need to know.

Naked Security

Google’s monthly Android updates patch numerous “get root” holes

By Paul Ducklin — April 5^th 2022 at 14:44

Get the update now... if it's available for your phone. Here's how to check.

android-1200

Naked Security

Apple pushes out two emergency 0-day updates – get ’em now!

By Paul Ducklin — March 31^st 2022 at 23:38

More Apple zero-days - mobile devices, laptops and desktops affected. Update now!

apple-1200

Naked Security

S3 Ep76: Deadbolt, LAPSUS$, Zlib, and a Chrome 0-day [Podcast]

By Paul Ducklin — March 31^st 2022 at 13:38

Latest episode - listen now!

Naked Security

Zlib data compressor fixes 17-year-old security bug – patch, errrm, now

By Paul Ducklin — March 29^th 2022 at 16:37

This code is venerable! Surely all the bugs must be out by now?

Naked Security

Google Chrome patches mysterious new zero-day bug – update now

By Paul Ducklin — March 28^th 2022 at 14:18

CVE-2022-1096 - another mystery in-the-wild 0-day in Chrome... check your version now!

Naked Security

S3 Ep75: Okta hack, CryptoRom, OpenSSL, and CafePress [Podcast]

By Paul Ducklin — March 24^th 2022 at 13:49

Latest episode - listen now!

Naked Security

Serious Security: DEADBOLT – the ransomware that goes straight for your backups

By Paul Ducklin — March 23^rd 2022 at 19:58

Some tips on how to keep your network safe - even (or perhaps especially!) if you think you're safe already.

Naked Security

OpenSSL patches infinite-loop DoS bug in certificate verification

By Paul Ducklin — March 18^th 2022 at 17:59

When it comes to writing loops in your code... never sit on the fence!

Naked Security

S3 Ep74: Cybercrime busts, Apple patches, Pi Day, and disconnect effects [Podcast]

By Paul Ducklin — March 17^th 2022 at 13:32

Latest episode - listen now!

Naked Security

CISA warning: “Russian actors bypassed 2FA” – what happened and how to avoid it

By Paul Ducklin — March 16^th 2022 at 01:22

Don't leave old accounts lying around where someone sketchy could reactivate them.

Naked Security

Apple patches 87 security holes – from iPhones and Macs to Windows

By Paul Ducklin — March 15^th 2022 at 16:36

Lots of fixes, with data leakage flaws and code execution bugs patched on iPhones, Macs and even Windows.

apple-1200

Naked Security

S3 Ep73: Ransomware with a difference, dirty Linux pipes, and much more [Podcast + Transcript]

By Paul Ducklin — March 10^th 2022 at 19:37

Latest episode - listen now!

Naked Security

“Dirty Pipe” Linux kernel bug lets anyone write to any file

By Paul Ducklin — March 8^th 2022 at 19:37

Even read-only files can be written to, leading to a dangerously general purpose elevation-of-privilege attack.

pipe-1200

Naked Security

Adafruit suffers GitHub data breach – don’t let this happen to you

By Paul Ducklin — March 7^th 2022 at 12:47

Training data stashed in GitHub by mistake... unfortunately, it was *real* data

Naked Security

Firefox patches two actively exploited 0-day holes: update now!

By Paul Ducklin — March 5^th 2022 at 19:06

Firefox just published a double-zero-day patch - "remote code execution" combined with "sandbox escape". Update now!

Naked Security

S3 Ep72: AirTag stalking, web server coding woes and Instascams [Podcast + Transcript]

By Paul Ducklin — March 3^rd 2022 at 14:04

Latest episode - listen now (or read it, if that's your preference)...

Naked Security

Ransomware with a difference: “Derestrict your software, or else!”

By Paul Ducklin — March 2^nd 2022 at 16:33

"Change your code to improve cryptomining"... or we'll dump 1TB of stolen secrets.

Naked Security

S3 Ep71: VMware escapes, PHP holes, WP plugin woes, and scary scams [Podcast + Transcript]

By Paul Ducklin — February 24^th 2022 at 16:51

Latest episode - listen now!

Naked Security

WordPress backup plugin maker Updraft says “You should update”…

By Paul Ducklin — February 22^nd 2022 at 17:26

A straight-talking bug report written in plain English by an actual expert - there's a teachable moment in this cybersecurity story!

Naked Security

French speakers blasted by sextortion scams with no text or links

By Paul Ducklin — February 21^st 2022 at 17:59

You'd spot this one a mile away... but what about your friends or family?

Naked Security

Irony alert! PHP fixes security flaw in input validation code

By Paul Ducklin — February 18^th 2022 at 17:59

What's wrong with this sequence? 1. Step into the road 2. Check if it's safe 3. Keep on walki...

Naked Security

S3 Ep70: Bitcoin, billing blunders, and 0-day after 0-day after 0-day [Podcast + Transcript]

By Paul Ducklin — February 17^th 2022 at 17:12

Latest episode - listen and learn!

Naked Security

VMware fixes holes that could allow virtual machine escapes

By Paul Ducklin — February 16^th 2022 at 19:32

Hats off to VMware for not using weasel words: "When should you act?" Immediately...

Naked Security

Google announces zero-day in Chrome browser – update now!

By Paul Ducklin — February 15^th 2022 at 19:17

Zero-day buses: none for a while, then three at once. Here's Google joining Apple and Adobe in "zero-day week"

Naked Security

Adobe fixes zero-day exploit in e-commerce code: update now!

By Paul Ducklin — February 14^th 2022 at 22:38

There's a remote code execution hole in Adobe e-commerce products - and cybercrooks are already exploiting it.

Naked Security

Power company pays out $3 trillion compensation to astonished customer

By Paul Ducklin — February 14^th 2022 at 14:58

More money than the UK's economy produces in a year!

Naked Security

Apple zero-day drama for Macs, iPhones and iPads – patch now!

By Paul Ducklin — February 11^th 2022 at 14:25

Sudden update! Zero-day browser hole! Drive-by malware danger! Patch Apple laptops and phones now...

apple-1200

Naked Security

S3 Ep69: WordPress woes, Wormhole holes, and a Microsoft change of heart [Podcast + Transcript]

By Paul Ducklin — February 10^th 2022 at 01:15

Latest episode - listen now!

Naked Security

Self-styled “Crocodile of Wall Street” arrested with husband over Bitcoin megaheist

By Naked Security writer — February 9^th 2022 at 14:44

The cops say they've recovered 80% of a $72 million cryptocoin heist... but the recovered funds alone are now worth over $4 billion!