Security Alerts & News
by Tymoteusz A. Góral

#1995 New ASLR-busting JavaScript is about to make drive-by exploits much nastier
For a decade, every major operating system has relied on a technique known as address space layout randomization to provide a first line of defense against malware attacks. By randomizing the computer memory locations where application code and data are loaded, ASLR makes it hard for attackers to execute malicious payloads when exploiting buffer overflows and similar vulnerabilities. As a result, exploits cause a simple crash rather than a potentially catastrophic system compromise.

Now, researchers have devised an attack that could spell the end of ASLR as the world knows it now. The attack uses simple JavaScript code to identify the memory addresses where system and application components are loaded. When combined with attack code that exploits vulnerabilities in browsers or operating systems, the JavaScript can reliably eliminate virtually all of the protection ASLR provides. The technique, which exploits what's known as a side channel in the memory cache of all widely used modern CPUs, is described in a research paper published on Wednesday. The researchers have dubbed the technique ASLR Cache or AnC for short.
#1994 Security updates available for Adobe Flash Player
Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.
#1993 Windows 10 mobile bug exposes personal photos on locked devices
A Brazilian man named Wallace Da Paula has discovered a bug in Windows 10 Mobile OS that lets anyone with access to your phone bypass your lockscreen passcode and access the device's image gallery.

The bug requires no technical skills, and anyone can reproduce it in a few easy steps. All is needed is physical access to a device, and around 30 seconds to go through the steps.
#1992 Microsoft shelves all February security updates
Microsoft today took the unprecedented step of postponing an entire month's slate of security updates for Windows and its other products just hours before the patches were to begin rolling out to customers.

"We discovered a last-minute issue that could impact some customers and was not resolved in time for our planned updates today," Microsoft said in a post to the MSRC (Microsoft Security Research Center) blog. "After considering all options, we made the decision to delay this month's updates."

Today was set as Patch Tuesday, the monthly release of security fixes from Microsoft. Normally, Microsoft issues the updates around 10 a.m. PT (1 p.m. ET). Although Microsoft did not time stamp its blog post, the SAN Institute's Internet Storm Center (ISC) pointed out the delay at 8:22 a.m. PT (11:22 ET).
#1991 Researchers create new ransomware to target industrial systems
Ransomware is already a concern for the enterprise, educational facilities, and healthcare providers, and now cybersecurity researchers have demonstrated that it is no challenge for the malware family to take down the core infrastructure our cities need to operate.

On Monday, cybersecurity researchers from the Georgia Institute of Technology revealed the development of a new, custom form of ransomware which was created specifically with industrial systems in mind.

The malware and subsequent attack on a simulated water treatment plant were designed to highlight how cyberattackers could disrupt key services which cater to our critical needs, such as energy providers, water management utilities, heating, ventilation and air conditioning (HVAC) systems, or escalator controllers.
2017: 01 02 03 04 05
2016: 01 02 03 04 05 06 07 08 09 10 11 12