IE Security Hole Being Exploited in the Wild

A recently-patched IE exploit is being used in the wild. Make sure your patches are up to date! “When it released the emergency patch for the memory corruption flaw (CVE-2015-2502) on August 18, Microsoft warned that the weakness had been exploited in the wild. One day after the remote code execution vulnerability was addressed, security firms Heimdal Security and Symantec reported seeing watering hole attacks in which malicious actors leveraged the bug to deliver the PlugX remote access Trojan (RAT), also known as Korplug.”

Android Lock Patterns Suffer from Similarity Problem

We’ve been warned ten thousand times about common passwords. But what about common Android Lock Patterns (ALPs)? “The Tic-Tac-Toe-style patterns, it turns out, frequently adhere to their own sets of predictable rules and often possess only a fraction of the complexity they’re capable of. The research is in its infancy since Android lock Patterns (ALPs) are so new and the number of collected real-world-patterns is comparatively miniscule. Still, the predictability suggests the patterns could one day be subject to the same sorts of intensive attacks that regularly visit passwords.”

Microsoft Revealing Less in Non-Security Patches

First Microsoft stopped giving the heads-up on Windows patch releases. Now it’s not talking as much about what’s in the patches. “Microsoft has now released three cumulative updates for Windows 10. These updates combine security fixes with non-security bug fixes, and so far, Microsoft hasn’t done a very good job of describing the contents of these cumulative updates. While the security content is quite fully described, explanations of the non-security fixes have been lacking.”

Microsoft Issues Emergency IE Patch

Are you using Internet Explorer? You need to patch ASAP. “Microsoft today released an emergency software update to plug a critical security flaw in all supported versions of its Internet Explorer browser, from IE7 to IE 11 (this flaw does not appear to be present in Microsoft Edge, the new browser from Redmond and intended to replace IE). According to the advisory that accompanies the patch, this a browse-and-get-owned vulnerability, meaning IE users can infect their systems merely by browsing to a hacked or malicious Web site. “

Ashley Madison Hack Data Apparently Released

Hackers have apparently released the data from the Ashley Madison hack. “The data dump reportedly includes the login details of about 32 million users — all seeking extramarital or illicit affairs — and also provides a staggering amount of information such as their names, email and street addresses, how much they have spent on the site and even what they are looking for in a potential cheating partner.”

IRS Hack More Extensive Than First Thought?

The IRS hack appears to have been more extensive than originally thought. “The IRS said in May that cyber thieves used stolen Social Security numbers and other data to try to gain access to prior-year tax return data for about 225,000 U.S. households, which included 114,000 successful attempts. But on Monday, the agency said that an additional 390,000 households were targeted, including about 220,000 “where there were instances of possible or potential access” to prior-year return data, the Wall Street Journal reports. “

Another Malvertising Attack

There’s been yet another malvertising attack. “Millions of people visiting weather.com, drudgereport.com, wunderground.com, and other popular websites were exposed to attacks that can surreptitiously hijack their computers, thanks to maliciously manipulated ads that exploit vulnerabilities in Adobe Flash and other browsing software, researchers said. The malvertising campaign worked by inserting malicious code into ads distributed by AdSpirit.de, a network that delivers ads to Drudge, Wunderground, and other third-party websites, according to a post published Thursday by researchers from security firm Malwarebytes.” Y’all, please turn Flash off or use NoScript.

Firefox Getting More Private Browsing Options

Firefox is getting more private browsing options. “Mozilla is testing a new private browsing mode in Firefox that doesn’t just keep no trace of your… browsing habits on your machine but that also blocks online services that could track you while you’re surfing the web. That’s not unlike what plug-ins like Ghostery and the EFF’s Privacy Badger can do for you, but Firefox now combines that with its own incognito mode.”

Windows 10: Free Upgrade, Free Privacy Concerns

Even with all its settings tweaked, Windows 10 seems to have some privacy issues. “Windows 10 will periodically send data to a Microsoft server named ssw.live.com. This server seems to be used for OneDrive and some other Microsoft services. Windows 10 seems to transmit information to the server even when OneDrive is disabled and logins are using a local account that isn’t connected to a Microsoft Account. The exact nature of the information being sent isn’t clear—it appears to be referencing telemetry settings—and again, it’s not clear why any data is being sent at all. We disabled telemetry on our test machine using group policies.”

Google’s “Stagefright” Security Flaw Has Its Own Issues

Remember Android’s Stagefright security flaw? Apparently Google’s patch has its own issues. “On August 5, Google started releasing over-the-air (OTA) security updates for Nexus 4,5,6,7,9,10 and Nexus Player devices to address most of these flaws. However, shortly after the search giant started distributing the patches, researchers at Exodus Intel confirmed their suspicion that the fix for an integer overflow triggered in libstagefright during MPEG4 tx3g data processing (CVE-2015-3824) was flawed.”

Liking a Facebook Post = Violating a Restraining Order?

“Liking” a Facebook post means violating a restraining order? “[Justin] Bellanco’s ex-girlfriend April Holland had filed a restraining order against him after he had threatened to ‘shoot her knee cap to watch her suffer.’ The restraining order forbade Bellanco for having any contact with Holland for at least a year, but he was arrested earlier this week after Holland had told authorities that he had liked 22 of her photos and videos on Facebook.”

Lenovo Gets Caught With the Crapware Again

Ewww. Looks like Lenovo’s in the middle of another crapware scandal. I am actually typing this on a Lenovo, but happy, it’s a Lenovo which was formatted and set up with Linux. Ask me if I’m buying another one. (No.) “Windows 8 and Windows 10 contain a surprising feature that many users will find unwelcome: PC OEMs can embed a Windows executable in their system firmware. Windows 8 and 10 will then extract this executable during boot time and run it automatically. In this way, the OEM can inject software onto a Windows machine even if the operating system was cleanly installed. The good news is that most OEMs fortunately do not seem to take advantage of this feature. The bad news is that ‘most’ is not ‘all.’ Between October 2014 and April of this year, Lenovo used this feature to preinstall software onto certain Lenovo desktop and laptop systems, […]

Yet Another Flash Update

Oh how shocking: More Flash updates. “Adobe’s latest patch for Flash (it has issued more than a dozen this year alone) fixes at least 34 separate security vulnerabilities in Flash and Adobe AIR. Mercifully, Adobe said this time around it is not aware of malicious hackers actively exploiting any of the flaws addressed in this release.”

Twitter is Expanding Its Transparency Report

Twitter is expanding its transparency report. “Since 2012, we’ve published a biannual transparency report covering government requests and copyright notices. Now, for the first time, we’re expanding the scope of the report to include two new sections: trademark notices and email privacy practices. In addition to the two new sections and updated data, we’ve rolled out a site-wide redesign, including an updated homepage, more mobile-friendly layouts, and easier access to individual country reports.”