Vulnerabilities and attacks

Microsoft isn't too happy with the results of a recent test that found fault with its antivirus software.

For the second time in a row, the company's Security Essentials failed to win certification from AV-Test, a German-based testing lab that evaluates the efficacy of antivirus products. Out of 25 programs tested, only three failed to gain AV-Test's thumb's up for certification.

Microsoft's Forefront Endpoint Protection, which is geared toward corporate customers, also failed to gain certification.

Microsoft responded to the test via a blog posted yesterday, challenging its findings.

"Our review showed that 0.… Read more

Lately Java has been getting a bit of bad press, thanks to several consecutive security holes that have been exploited by malware developers. One notable occurrence was the Flashback malware threat that affected a number of OS X users, which (though due in part to Apple's negligence about Java upkeep) was rooted in the Java runtime. More recently, Java 7 has seen a new zero-day vulnerability that has been circulating in exploit kits.

In response to these threats, many in the tech community have recommended that people uninstall Java altogether. However, this can be impractical for some, as many … Read more

Despite an emergency software update issued yesterday by Oracle, the U.S. Department of Homeland Security is still advising computer users to disable Java on their Web browsers, fearing that an unpatched vulnerability remains.

Oracle released a software update on Sunday to address a critical vulnerability in Oracle's Java 7 after the DHS' Computer Emergency Readiness Team issued an advisory last week recommending users disable the cross-platform plugin on systems where it was installed. The flaw could allow a remote, unauthenticated attacker to execute arbitrary code when a vulnerable computer visits a Web site that hosts malicious code designed … Read more

Microsoft will fix a zero-day hole in IE today almost a week after this month's regular Patch Tuesday updates.

Discovered late last month, the vulnerability could allow attackers to gain control of a Windows computer running one of the older versions of IE by directing users to malicious Web sites. In response, Microsoft had suggested several workarounds and even offered a "one-click fix" designed to mitigate the problem, but those were considered temporary solutions.

Today's update will fully resolve the issue, according to Microsoft. Scheduled for rollout at 10 a.m. PT, the fix will be … Read more

Oracle released an emergency software update today to fix a security vulnerability in its Java software that could allow attackers to break into computers.

The update, which is available on Oracle's Web site, fixes a critical vulnerability in Oracle's Java 7 that could allow a remote, unauthenticated attacker to execute arbitrary code. The attack can be induced if someone visits a Web site that's been set up with malicious code to take advantage of the hole.

Oracle said the update modifies the way Java interacts with Web applications.

"The default security level for Java applets and … Read more

A new Trojan horse called Mal/JavaJar-B has been found that exploits a vulnerability in Oracle's Java 7 and affects even the latest version of the runtime (7u10).

The exploit has been described by Sophos as a zero-day attack since it has been found being actively used in malware before developers have had a chance to investigate and patch it. The exploit is currently under review at the National Vulnerability Database and has been given an ID number CVE-2013-0422, where it is still described as relatively unknown:

Security researchers have spotted a new vulnerability in the widely used Java software that could give attackers access to your computer.

The US-CERT group today issued an alert saying that Java 7 Update 10 and earlier versions of the software contain an unspecified vulnerability that can allow a remote, unauthenticated attacker to execute arbitrary code. The attack can be induced if someone visits a Web site that's been set up with malicious code to take advantage of the hole.

This weak spot is already being attacked "in the wild" -- that is, it's a real-world threat … Read more

It's hard to imagine a group that adheres to anarchic ideology would want its actions legalized under U.S. law. But that is exactly what Anonymous is doing.

The loose-knit group of hackers submitted a petition to President Obama this week asking that distributed denial-of-service attacks be recognized as a legal form of protest.

The petition, which is posted on the White House's "We the People" Web site, claims that DDoS attacks are not illegal hacking but rather a way for people to carry out protests online. Similar to the Occupy movement when protesters pitched tents … Read more

Several U.S. banks were hit with online attacks over the past few months, but it's been unclear who was responsible. Now, government officials and security researchers are saying Iran was waging these cyberattacks, according to a report by the New York Times.

"There is no doubt within the U.S. government that Iran is behind these attacks," James A. Lewis, a former official in the State and Commerce departments and a computer security expert at the Center for Strategic and International Studies in Washington, told the Times.

The attacks were aimed at several major banks, including … Read more