Naked Security

Performance and security clash yet again in “Collide+Power” attack

It's a real vulnerability, but the data leakage rate can be as low as... let's just say that an IMAX-quality copy of the new "Oppenheimer" movie could take you 4 billion years to exfiltrate.

Naked Security

Zenbleed: How the quest for CPU performance could put your passwords at risk

You need to turn on a special setting to stop (the code you wrote to stop [the code you wrote to improve performance] from reducing performance) from reducing security.

Naked Security

Urgent! Apple fixes critical zero-day hole in iPhones, iPads and Macs

Don't delay, do it today. This is a code-implantation bug in WebKit that attackers already know how to exploit.

Naked Security

Ghostscript bug could allow rogue documents to run system commands

Even if you've never heard of the venerable Ghostscript project, you may have it installed without knowing.

Naked Security

WordPress plugin lets users become admins – Patch early, patch often!

Ultimate Member plugin lets rogue users choose their own site capabilities, including becoming admins.

Naked Security

More MOVEit mitigations: new patches published for further protection

Good news... more patches, this time available proactively

Naked Security

Firefox 114 is out: No 0-days, but one fascinating “teachable moment” bug

With the right (or wrong, if you're on the right side of the fence) timing...

Naked Security

Chrome and Edge zero-day: “This exploit is in the wild”, so check your versions now

Chrome and Edge 0-days patched.

Naked Security

MOVEit zero-day exploit used by data breach gangs: The how, the why, and what to do…

Little Bobby Tables is back!

Naked Security

S3 Ep137: 16th century crypto skullduggery

Lots to learn, clearly explained in plain English... listen now! (Full transcript inside.)

Naked Security

Serious Security: That KeePass “master password crack”, and what we can learn from it

Here, in an admittedly discursive nutshell, is the fascinating story of CVE-2023-32784. (Short version: Don't panic.)

Naked Security

Serious Security: Verification is vital – examining an OAUTH login bug

What good is a popup asking for your approval if an attacker can bypass it simply by suppressing it?

Naked Security

Google leaking 2FA secrets – researchers advise against new “account sync” feature for now

You waited 13 years for this feature in Google Authenticator. Now researchers are advising you to wait a while longer, just in case...

Naked Security

PaperCut security vulnerabilities under active attack – vendor urges customers to patch

If you have the product, but you haven't patched - well, the crooks have now landed, so please don't delay. Do it today...

Naked Security

VMware patches break-and-enter hole in logging tools: update now!

You know jolly well/What we're going to say/And that's "Do not delay/Simply do it today."

Naked Security

S3 Ep131: Can you really have fun with FORTRAN?

Loop-the-loop in this week's episode. Entertaining, educational and all in plain English. Transcript inside.

Naked Security

Popular server-side JavaScript security sandbox “vm2” patches remote execution hole

The security error was in the error handling system that was supposed to catch potential security errors...

Naked Security

Microsoft assigns CVE to Snipping Tool bug, pushes patch to Store

Microsoft says "successful exploitation requires uncommon user interaction", but it's the innocent and accidental leakage of private data you should be concerned about.

Naked Security

Windows 11 also vulnerable to “aCropalypse” image data leakage

Turns out that the Windows 11 Snipping Tool has the same "aCropalypse" data leakage bug as Pixel phones. Here's how to work around the problem...

Naked Security

Google Pixel phones had a serious data leakage bug – here’s what to do!

What if the "safe" images you shared after carefully cropping them... had some or all of the "unsafe" pixels left behind anyway?

Naked Security

Microsoft fixes two 0-days on Patch Tuesday – update now!

An email you haven't even looked at yet could be used to trick Outlook into helping crooks to logon as you.

Naked Security

Serious Security: TPM 2.0 vulns – is your super-secure data at risk?

Security bugs in the very code you've been told you must have to improve the security of your computer...

Naked Security

S3 Ep124: When so-called security apps go rogue [Audio + Text]

Rogue software packages. Rogue "sysadmins". Rogue keyloggers. Rogue authenticators. Rogue ROGUES!

Naked Security

Beware rogue 2FA apps in App Store and Google Play – don’t get hacked!

Even in Apple's and Google's "walled gardens", there are plenty of 2FA apps that are either dangerously incompetent, or unrepentantly malicious. (Or perhaps both.)

Naked Security

S3 Ep123: Crypto company compromise kerfuffle [Audio + Text]

Latest episode - listen now! Top-notch advice for cybersecurity, both at work and at home.

Naked Security

Twitter tells users: Pay up if you want to keep using insecure 2FA

Ironically, Twitter Blue users will be allowed to keep using the very 2FA process that's not considered secure enough for everyone else.

Naked Security

Apple fixes zero-day spyware implant bug – patch now!

Everyone update now! Except for those who don't need to! Or who need to but will only get updates later on, though Apple isn't saying yet!

Naked Security

Password-stealing “vulnerability” reported in KeePass – bug or feature?

Is it a vulnerability if someone with control over your account can mess with files that your account is allowed to access anyway?

Naked Security

Serious Security: The Samba logon bug caused by outdated crypto

Enjoy our Serious Security deep dive into this real-world example of why cryptographic agility is important!

Naked Security

Apple patches are out – old iPhones get an old zero-day fix at last!

Don't delay, especially if you're still running an iOS 12 device... please do it today!

Naked Security

Microsoft dishes the dirt on Apple’s “Achilles heel” shortly after fixing similar Windows bug

It happens to the best of us: Microsoft highlights a security bypass bug on Macs that is curiously similar to a recent Windows 0-day.

Naked Security

Apple patches everything, finally reveals mystery of iOS 16.1.2

There's an update for everything this time, not just for iOS.

Naked Security

Pwn2Own Toronto: 54 hacks, 63 new bugs, $1 million in bounties

That's a mean average of $15,710 per bug... and 63 fewer bugs out there for crooks and rogues to find.

Naked Security

SIM swapper sent to prison for 2FA cryptocurrency heist of over $20m

Guilty party got 18 months, also has to pay back $20m he probably hasn't got, which could land him in more hot water.

Naked Security

Number Nine! Chrome fixes another 2022 zero-day, Edge patched too

Ninth more unto the breach, dear friends, ninth more.

Naked Security

The CHRISTMA EXEC network worm – 35 years and counting!

"Uh-oh, this viruses-and-worms scene could turn out quite troublesome." If only we'd been wrong...

Naked Security

Serious Security: MD5 considered harmful – to the tune of $600,000

It's not just the hashing, by the way. It's the salting and the stretching, too!

Naked Security

How to hack an unpatched Exchange server with rogue PowerShell code

Review your servers, your patches and your authentication policies - there's a proof-of-concept out

Naked Security

Log4Shell-like code execution hole in popular Backstage dev tool

Good old "string templating", also known as "string interpolation", in the spotlight again...

Naked Security

Dangerous SIM-swap lockscreen bypass – update Android now!

A bit like leaving the front door keys under the doormat...

Naked Security

Emergency code execution patch from Apple – but not an 0-day

Not a zero-day, but important enough for a quick-fire patch to one system library...

Naked Security

Twitter Blue Badge email scams – Don’t fall for them!

That was the week that was...

Naked Security

The OpenSSL security update story – how can you tell what needs fixing?

How to Hack! Finding OpenSSL library files and accurately identifying their version numbers...

Naked Security

OpenSSL patches are out – CRITICAL bug downgraded to HIGH, but patch anyway!

That bated-breath OpenSSL update is out! It's no longer rated CRITICAL, but we advise you to patch ASAP anyway. Here's why...

Naked Security

SHA-3 code execution bug patched in PHP – check your version!

As everyone waits for news of a bug in OpenSSL, here's a reminder that other cryptographic code in your life may also need patching!

Naked Security

Chrome issues urgent zero-day fix – update now!

We've said it before/And we'll say it again/It's not *if* you should patch/It's a matter of *when*. (Hint: now!)

Naked Security

Updates to Apple’s zero-day update story – iPhone and iPad users read this!

Turns out that Tuesday's zero-day for iOS 16 is Friday's zero-day for iOS 15...

Naked Security

Apple megaupdate: Ventura out, iOS and iPad kernel zero-day – act now!

Ventura hits the market with 112 patches, Catalina's gone missing, and iPhones and iPads get a critical kernel-level zero-day patch...

Naked Security

Zoom for Mac patches sneaky “spy-on-me” bug – update now!

Hey! That back door isn't supposed to be there at all, let alone propped open...

Naked Security

Dangerous hole in Apache Commons Text – like Log4Shell all over again

Third time unlucky. Time to put your patching boots on again...

Naked Security

Mystery iPhone update patches against iOS 16 mail crash-attack

The problem with crashy messaging apps is that *other people* get to choose if and when to send you messages...

Naked Security

S3 Ep102.5: “ProxyNotShell” Exchange bugs – an expert speaks [Audio + Text]

Who's affected, what you can do while waiting for Microsoft's patches, and how to plan your threat hunting...

Naked Security

URGENT! Microsoft Exchange double zero-day – “like ProxyShell, only different”

Double-play 0-day in Exchange - what you need to know, and what you can do

Naked Security

Uber and Rockstar – has a LAPSUS$ linchpin just been busted (again)?

Is this the same suspect as before? Is he part of LAPSUS$? Is this the man who hacked Uber and Rockstar? And, if so, who else?

Naked Security

S3 Ep101: Uber and LastPass breaches – is 2FA all it’s cracked up to be? [Audio + Text]

Latest episode - listen now! Learn why adopting 2FA isn't a reason to relax your other security precautions...

Naked Security

Chrome and Edge fix zero-day security hole – update now!

This time, the crooks got there first - only 1 security hole patched, but it's a zero-day.

Naked Security

URGENT! Apple slips out zero-day update for older iPhones and iPads

Patch as soon as you can - that recent WebKit zero-day affecting new iPhones and iPads is apparently being used against older models, too.

Naked Security

Laptop denial-of-service via music: the 1980s R&B song with a CVE!

We haven't validated this vuln ourselves... but the source of the story is impeccable. (Impeccably dressed, at least.)

Naked Security

Apple patches double zero-day in browser and kernel – update now!

Double 0-day exploits - one in WebKit (to break in) and the other in the kernel (to take over). Patch now!

Naked Security

Zoom for Mac patches critical bug – update now!

There's many a slip 'twixt the cup and the lip. Or at least between the TOC and the TOU...