Login
FreshRSS
Login
Naked Security
S3 Ep102.5: βProxyNotShellβ Exchange bugs β an expert speaks [Audio + Text]
By
Paul Ducklin
β October 1
st
2022 at 14:05
Who's affected, what you can do while waiting for Microsoft's patches, and how to plan your threat hunting...
Naked Security
URGENT! Microsoft Exchange double zero-day β βlike ProxyShell, only differentβ
By
Paul Ducklin
β September 30
th
2022 at 18:25
Double-play 0-day in Exchange - what you need to know, and what you can do
Naked Security
Uber and Rockstar β has a LAPSUS$ linchpin just been busted (again)?
By
Paul Ducklin
β September 24
th
2022 at 22:57
Is this the same suspect as before? Is he part of LAPSUS$? Is this the man who hacked Uber and Rockstar? And, if so, who else?
Naked Security
S3 Ep101: Uber and LastPass breaches β is 2FA all itβs cracked up to be? [Audio + Text]
By
Paul Ducklin
β September 22
nd
2022 at 18:42
Latest episode - listen now! Learn why adopting 2FA isn't a reason to relax your other security precautions...
Naked Security
Chrome and Edge fix zero-day security hole β update now!
By
Paul Ducklin
β September 5
th
2022 at 15:12
This time, the crooks got there first - only 1 security hole patched, but it's a zero-day.
Naked Security
URGENT! Apple slips out zero-day update for older iPhones and iPads
By
Paul Ducklin
β August 31
st
2022 at 18:42
Patch as soon as you can - that recent WebKit zero-day affecting new iPhones and iPads is apparently being used against older models, too.
Naked Security
Laptop denial-of-service via music: the 1980s R&B song with a CVE!
By
Paul Ducklin
β August 22
nd
2022 at 16:03
We haven't validated this vuln ourselves... but the source of the story is impeccable. (Impeccably dressed, at least.)
Naked Security
Apple patches double zero-day in browser and kernel β update now!
By
Paul Ducklin
β August 17
th
2022 at 23:33
Double 0-day exploits - one in WebKit (to break in) and the other in the kernel (to take over). Patch now!
Naked Security
Zoom for Mac patches critical bug β update now!
By
Paul Ducklin
β August 15
th
2022 at 18:26
There's many a slip 'twixt the cup and the lip. Or at least between the TOC and the TOU...
Naked Security
APIC/EPIC! Intel chips leak secrets even the kernel shouldnβt seeβ¦
By
Paul Ducklin
β August 10
th
2022 at 16:59
If you've ever written code that left stuff lying around in memory when you didn't need it any more... we bet you've regretted it!
Naked Security
GnuTLS patches memory mismanagement bug β update now!
By
Paul Ducklin
β August 1
st
2022 at 16:55
GnuTLS may well be the most widespread cryptographic toolkit you've never heard of. Learn more...
Naked Security
Critical Samba bug could let anyone become Domain Admin β patch now!
By
Paul Ducklin
β July 27
th
2022 at 21:15
It's a serious bug... but there's a fix for it, so you know exactly what to do!
Naked Security
Facebook 2FA scammers return β this time in just 21 minutes
By
Paul Ducklin
β July 13
th
2022 at 16:46
Last time they arrived 28 minutes after lighting up their fake domain... this time it was just 21 minutes
Naked Security
Apache βCommons Configurationβ patches Log4Shell-style bug β what you need to know
By
Paul Ducklin
β July 8
th
2022 at 00:59
It's a bit like Log4J, but for configuration files, not for logging.
Naked Security
S3 Ep90: Chrome 0-day again, True Cybercrime, and a 2FA bypass [Podcast + Transcript]
By
Paul Ducklin
β July 7
th
2022 at 18:46
Listen now! Or read if you prefer...
Naked Security
Google patches βin-the-wildβ Chrome zero-day β update now!
By
Paul Ducklin
β July 5
th
2022 at 15:55
Running Chrome? Do the "Help-About-Update" dance move right now, just to be sure...
Naked Security
Facebook 2FA phish arrives just 28 minutes after scam domain created
By
Paul Ducklin
β July 1
st
2022 at 20:01
The crooks hit us up with this phishing email less than half an hour after they activated their new scam domain.
Naked Security
S3 Ep87: Follina, AirTags, ID theft and the Law of Big Numbers [Podcast]
By
Paul Ducklin
β June 16
th
2022 at 16:52
Lastest epsiode - listen now!
Naked Security
Follina gets fixed β but itβs not listed in the Patch Tuesday patches!
By
Paul Ducklin
β June 15
th
2022 at 01:20
We tried it out to make sure, so you don't have to.
Naked Security
Youβre invited! Join us for a live walkthrough of the βFollinaβ storyβ¦
By
Paul Ducklin
β June 13
th
2022 at 16:28
Live demo, plain English, no sales pitch, just a chance to watch an attack dissected in safety. Join us if you can!
Naked Security
Atlassian announces 0-day hole in Confluence Server β update now!
By
Paul Ducklin
β June 3
rd
2022 at 18:59
Zero-day announced - here's what you need to know
Naked Security
S3 Ep85: Now THATβS what I call a Microsoft Office exploit! [Podcast]
By
Paul Ducklin
β June 2
nd
2022 at 18:37
Latest episode - listen now!
Naked Security
Mysterious βFollinaβ zero-day hole in Office β hereβs what to do!
By
Paul Ducklin
β May 30
th
2022 at 23:01
News has emerged of a "feature" in Office that has been abused as a zero-day bug to run evil code. Turning off macros doesn't help!
Naked Security
Mozilla patches Wednesdayβs Pwn2Own double-exploitβ¦ on Friday!
By
Paul Ducklin
β May 20
th
2022 at 23:47
That was quick! 48 hours from exploit report to published patch.
Naked Security
US Government says: Patch VMware right now, or get off our network
By
Paul Ducklin
β May 20
th
2022 at 14:03
Find and patch. Right now. If you can't patch, get it off the network. Right now! Oh, and show us what you did to comply.
Naked Security
Pwn2Own hacking schedule released β Windows and Linux are top targets
By
Paul Ducklin
β May 18
th
2022 at 13:04
What's better? Disclose early, patch fast? Or dig deep, disclose in full, patch more slowly?
Naked Security
Firefox out-of-band update to 100.0.1 β just in time for Pwn2Own?
By
Paul Ducklin
β May 15
th
2022 at 21:53
A new point-release of Firefox. Not unusual, but the timing of this one is interesting, with Pwn2Own coming up in a few days.
Naked Security
RubyGems supply chain rip-and-replace bug fixed β check your logs!
By
Paul Ducklin
β May 9
th
2022 at 15:41
Imagine if you could assume the identity of, say, Franklin Delano Roosevelt simply by showing up and calling yourself "Frank".
ruby-1200
Naked Security
Critical cryptographic Java security blunder patched β update now!
By
Paul Ducklin
β April 20
th
2022 at 16:43
Either know the private key and use it scrupulously in your digital signature calculation.... or just send a bunch of zeros instead.
Naked Security
Yet another Chrome zero-day emergency update β patch now!
By
Paul Ducklin
β April 16
th
2022 at 00:33
The third emergency Chrome 0-day in three months - the first one was exploited by North Korea, so you might as well get this one ASAP.
Naked Security
Two different βVMware Springβ bugs at large β we cut through the confusion
By
Paul Ducklin
β March 31
st
2022 at 16:59
Whoever came up with the name "Spring4Shell" didn't help at all... we cut through the Spring Bug confusion
Naked Security
βVMware Spring Cloud Functionβ Java bug gives instant remote code execution β update now!
By
Paul Ducklin
β March 30
th
2022 at 20:38
Easy unauthenticated remote code execution - PoC code already out
Naked Security
Zlib data compressor fixes 17-year-old security bug β patch, errrm, now
By
Paul Ducklin
β March 29
th
2022 at 16:37
This code is venerable! Surely all the bugs must be out by now?
Naked Security
Google Chrome patches mysterious new zero-day bug β update now
By
Paul Ducklin
β March 28
th
2022 at 14:18
CVE-2022-1096 - another mystery in-the-wild 0-day in Chrome... check your version now!
Naked Security
OpenSSL patches infinite-loop DoS bug in certificate verification
By
Paul Ducklin
β March 18
th
2022 at 17:59
When it comes to writing loops in your code... never sit on the fence!
Naked Security
CISA warning: βRussian actors bypassed 2FAβ β what happened and how to avoid it
By
Paul Ducklin
β March 16
th
2022 at 01:22
Don't leave old accounts lying around where someone sketchy could reactivate them.
Naked Security
S3 Ep73: Ransomware with a difference, dirty Linux pipes, and much more [Podcast + Transcript]
By
Paul Ducklin
β March 10
th
2022 at 19:37
Latest episode - listen now!
Naked Security
βDirty Pipeβ Linux kernel bug lets anyone write to any file
By
Paul Ducklin
β March 8
th
2022 at 19:37
Even read-only files can be written to, leading to a dangerously general purpose elevation-of-privilege attack.
pipe-1200
Naked Security
WordPress backup plugin maker Updraft says βYou should updateββ¦
By
Paul Ducklin
β February 22
nd
2022 at 17:26
A straight-talking bug report written in plain English by an actual expert - there's a teachable moment in this cybersecurity story!
Naked Security
Irony alert! PHP fixes security flaw in input validation code
By
Paul Ducklin
β February 18
th
2022 at 17:59
What's wrong with this sequence? 1. Step into the road 2. Check if it's safe 3. Keep on walki...
Naked Security
Google announces zero-day in Chrome browser β update now!
By
Paul Ducklin
β February 15
th
2022 at 19:17
Zero-day buses: none for a while, then three at once. Here's Google joining Apple and Adobe in "zero-day week"
Naked Security
Adobe fixes zero-day exploit in e-commerce code: update now!
By
Paul Ducklin
β February 14
th
2022 at 22:38
There's a remote code execution hole in Adobe e-commerce products - and cybercrooks are already exploiting it.
Naked Security
Apple zero-day drama for Macs, iPhones and iPads β patch now!
By
Paul Ducklin
β February 11
th
2022 at 14:25
Sudden update! Zero-day browser hole! Drive-by malware danger! Patch Apple laptops and phones now...
apple-1200
Naked Security
Microsoft blocks web installation of its own App Installer files
By
Paul Ducklin
β February 7
th
2022 at 16:36
It's a big deal when a vendor decides to block one of its own "features" for security reasons. Here's why we think it's a good idea.
Naked Security
Linux kernel patches βperformance can be harmfulβ bug in video driver
By
Paul Ducklin
β February 1
st
2022 at 19:59
This bug is fiendishly hard to exploit - but if you patch, it won't be there to exploit at all.
Naked Security
S3 Ep67: Tax scams, carder busts and crypto capers [Podcast + Transcript]
By
Paul Ducklin
β January 27
th
2022 at 19:57
Latest episode - listen now!
Naked Security
βPwnKitβ security bug gets you root on most Linux distros β what to do
By
Paul Ducklin
β January 26
th
2022 at 19:58
An elevation of privilege bug that could let a "mostly harmless" user give themselves a instant root shell
Naked Security
Cryptocoin broker Crypto.com says 2FA bypass led to $35m theft
By
Paul Ducklin
β January 21
st
2022 at 16:25
The company has put out a brief security report that summarises the 'what', but not yet the 'how' or 'why'.
Naked Security
Wormable Windows HTTP hole β what you need to know
By
Paul Ducklin
β January 12
th
2022 at 16:24
One bug in the January 2022 Patch Tuesday list is getting lots of attention: "HTTP Protocol Stack Remote Code Execution Vulnerability".
Naked Security
Home routers with NetUSB support could have critical kernel hole
By
Paul Ducklin
β January 11
th
2022 at 17:42
Got a router that supports USB access across the network? You might need a kernel update...
Naked Security
Log4Shell-like security hole found in popular Java SQL database engine H2
By
Paul Ducklin
β January 7
th
2022 at 19:32
"It's Log4Shell, Jim, but not as we know it." How to find and fix a JNDI-based vuln in the H2 Database Engine.
Naked Security
Log4Shell vulnerability Number Four: βMuch ado about somethingβ
By
Paul Ducklin
β December 29
th
2021 at 19:12
It's a Log4j bug, and you ought to patch it. But we don't think it's a critical crisis like the last one.
Naked Security
SFW! The Top N CyberΒsecurity Stories of 2021 (for small positive integer values of N)
By
Paul Ducklin
β December 24
th
2021 at 17:44
Happy Holidays! Our Top N stories, all totally SFW!
Naked Security
Apacheβs other product: Critical bugs in βhttpdβ web server, patch now!
By
Paul Ducklin
β December 21
st
2021 at 19:57
The Apache web server just got an update - this one is nothing to do with Log4j!
Naked Security
Log4Shell: The Movie⦠a short, safe visual tour for work and home
By
Paul Ducklin
β December 20
th
2021 at 13:20
Be happy that your sysadmins are taking one (three, actually!) for the team right now... here's why!
Naked Security
Serious Security: OpenSSL fixes βerror conflationβ bugs β how mixing up mistakes can lead to trouble
By
Paul Ducklin
β December 17
th
2021 at 17:57
Have you ever seen the message "An error occurred"? Even worse, the message "This error cannot occur"? Facts matter!
Naked Security
S3 Ep63: Log4Shell (what else?) and Apple kernel bugs [Podcast+Transcript]
By
Paul Ducklin
β December 16
th
2021 at 17:41
Latest episode - listen now! (Yes, there are plenty of critical things to go along with Log4Shell.)
Naked Security
Log4Shell explained β how it works, why you need to know, and how to fix it
By
Paul Ducklin
β December 13
th
2021 at 19:41
Find out how to deal with the Log4Shell vulnerability right across your estate. Yes, you need to patch, but that helps everyone else along with you!
Naked Security
βLog4Shellβ Java vulnerability β how to safeguard your servers
By
Paul Ducklin
β December 10
th
2021 at 19:22
Just when you thought it was safe to relax for the weekend... a critical bug showed up in Apache's Log4j product
Naked Security
Check your patches β public exploit now out for critical Exchange bug
By
Paul Ducklin
β November 23
rd
2021 at 14:36
It was a zero-day bug until Patch Tuesday, now there's an anyone-can-use-it exploit. Don't be the one who hasn't patched.
Load more articles