Vulnerability

Oracle's "Patch Tuesday" brings 113 patches across 13 product families

Oracle's July 2014 security patches are out, and there's a ton of them.

Literally and figuratively...

LibreSSL ships first portable version, now up to 48% less huge!

LibreSSL, OpenBSD's drop-in replacement for OpenSSL that was started after the pain of Heartbleed, has just published its first "portable" version.

If you're a coder and you're interested in security, why not try it and see what you think?

SSCC 155 - cybercrime bust, cloud laws, phishing and malware back from extinction [PODCAST]

In this episode, Sophos experts John Shier and Paul Ducklin tackle the week's interesting security stories.

John and Duck get stuck into: a high-profile cybercrime arrest; how mainstream brands help phishers; and why macro malware is making a comeback.

Google Drive security hole leaks users' files

The flaw, which Google recently patched, was giving out original documents to unauthorized users via embedded links. It's yet another example of how storing documents "in the cloud" means "heaven knows with whom".

Patch Tuesday wrap-up, July 2014 - Adobe fixes "Rosetta", plus a new risky file type on Windows...

Patch Tuesday for July 2014 is just behind us in the case of Microsoft and Adobe, and just ahead of us in the case of Oracle.

Paul Ducklin tells you what you need to know...

Monday review - the hot 22 stories of the week

It's weekly roundup time!

Here's all the great stuff we've written in the past seven days.

Patch Tuesday for July 2014 - 6 bulletins, 2 RCEs, 3 EoPs and get ready to reboot

Here's what to expect from Microsoft in the July 2014 edition of Patch Tuesday, scheduled to ship on Tuesday 08 July 2014...

Is Apple slack at security on iOS? 60 Sec Security [VIDEO]

What went wrong with PayPal's 2FA? Why did Microsoft do an email U-turn? Is Apple slack at security on iOS?

It'll only take a minute to find out...

SSCC 154: Fraud, viruses, patches and encryption (in that order!) [PODCAST]

Where does your country sit on the fraud list? Just how much can you trust SMSes on Android? Is Apple serious enough about iOS security? And will Google's End-To-End email encryption plugin save the world?

Find out with Chet and Duck in this week's Chet Chat podcast...

EFF sues NSA over hoarding of zero days

Wouldn't it be nice to know just how, exactly, the spy agency decides whether to silently exploit zero days for snooping purposes while leaving businesses and individuals in the dark with their bellies exposed? The EFF has filed a FOIA lawsuit to help find answers.

Anatomy of a buffer overflow - Google's "KeyStore" security module for Android

Here's a cautionary tale about a bug, courtesy of IBM.

Not that IBM had the bug, just to be clear: Google had the bug, and IBM researchers spotted it.

Apple ships updates, including Snow Leopard (ONLY KIDDING!)

Apple just published its latest round of updates for iOS, Apple TV, Safari and OS X, including dozens of security fixes.

OS X Snow Leopard users...we're afraid you missed out once again.

From the Labs: PlugX - the next generation

In this new paper from SophosLabs, Principal Researcher Gabor Szappanos takes a look into a new variation of the PlugX malware.

Flaw in PayPal’s two-factor authentication, but keep calm and carry on!

Security researchers in the USA have just disclosed a flaw in PayPal's 2FA system.

Paul Ducklin looks at the mistakes that PayPal made, and what's been done to sort them out...

TimThumb plugin for WordPress - zero-day remote code execution hole disclosed, quickly fixed

WordPress sites with the TimThumb image thumbnailing plugin could be taken over by attackers.

Paul Ducklin looks at what went wrong and explains how to fix the hole...

"Towelroot" app makes it easy to root Galaxy S5 and other locked Androids...

Galaxy S5 users will be cheering. System administrators are probably groaning.

Paul Ducklin looks at an Android-era variant of Hamlet's dilemma: "To root or not to root, that is the question."

SSCC 153: TrueCrypt, Towelroot, Cryptowall, and spam in Canada [PODCAST]

Chester Wisniewski and Paul Ducklin present this week's edition of the regular Sophos security podcast, the "Chet Chat."

In this episode: the TrueCrypt saga continues; the Towelroot software for unlocking Androids; ransomware after CryptoLocker; and Canada's long, long, long-awaited anti-spam law.

59 vulns in IE, teenager versus Turing, and Twitter gets wormed - 60 Sec Security [VIDEO]

Is 59 vulns in IE some kind of record? Did a computer really pass the Turing Test? Can a network worm ever be a joke?

Find out in one minute!

SSCC 151 - Measuring vulns, Apple and Wi-Fi privacy, Android ransomware and more [PODCAST]

It's our weekly security podcast!

Chester Wisniewski and Paul Ducklin dig into the latest security news for lessons we can all learn...

Twitter jumps to block XSS worm in Tweetdeck

A cross-site scripting flaw was disclosed this morning affecting the popular Twitter application Tweetdeck. It has now been fixed, but not before it wormed its way through thousands of browsers.