Last Friday, Tavis Ormandy from Google’s Project Zero contacted Cloudflare to report a security problem with our edge servers. He was seeing corrupted web pages being returned by some HTTP requests run through Cloudflare. It turned out that in some unusual circumstances, which I’ll detail below, our edge servers were running past the end of a buffer and returning memory that contained private information...
Members of the porn site xHamster should be changing their passwords today after a set of nearly 380,000 usernames, emails and poorly hashed passwords appeared online. The subscription-only breach notification site LeakBase has published the set of login credentials, which Motherboard reports were being traded online. It’s not clear exactly where the database originated, but it contains information for only a small subset of...
The Google Pixel fell to a team of Chinese hackers alongside Apple Safari and Adobe Flash at the PwnFest hacking competition in Seoul on Friday. Mountain View’s latest offering was smashed by white-hat friendlies from Qihoo 360, who used an undisclosed vulnerability to gain remote code execution for $120,000 cash prize. The exploit launched the Google Play store before opening Chrome and displaying a...
Microsoft released 14 new security bulletins on Tuesday, in which, it addressed many security issues including a vulnerability actively exploited by a Russia-linked group and several other bugs for which exploits are publicly available. One of the security updates is MS16-135, a bulletin rated Important on severity level. MS16-135 resolves two information disclosure and three privilege elevation vulnerabilities, including a Windows kernel bug exploited...
As promised, Microsoft has issued a fix for the Windows security flaw that Google disclosed before a patch was ready. The update tackles vulnerabilities in numerous versions of Windows (from Vista through Windows 10) that would let an attacker get control of your system through a malicious app. You’re already safe if you use Windows 10 Anniversary Update and an up-to-date browser, we’d add...
Add-on companies are selling the browsing history of millions of users to third-parties according to a report that aired on German national TV. Reporters of Panorama managed to gain access to a large data collection that contained the browsing history of roughly 3 million German Internet users. The data was collected by companies that produce browser extensions for various popular browsers such as Chrome...
A serious vulnerability that has been present for nine years in virtually all versions of the Linux operating system is under active exploit, according to researchers who are advising users to install a patch as soon as possible. While CVE-2016-5195, as the bug is cataloged, amounts to a mere privilege-escalation vulnerability rather than a more serious code-execution vulnerability, there are several reasons many researchers...
A ruling to protect German WhatsApp users’ data from Facebook suggests that the EU bloc will not back down on protecting consumers’ data privacy, despite an earlier win by Facebook in a Belgian appeal case. This summer, the Brussels Court of Appeals decided to reverse an earlier ruling restricting Facebook from tracking non-Facebook users in Belgium through the use of cookies. The new ruling...
The Linux kernel today faces an unprecedented safety crisis. Much like when Ralph Nader famously told the American public that their cars were “unsafe at any speed” back in 1965, numerous security developers told the 2016 Linux Security Summit in Toronto that the operating system needs a total rethink to keep it fit for purpose. No longer the niche concern of years past, Linux...
Mozilla officials say they’ll release a Firefox update on Tuesday that fixes the same cross-platform, malicious code-execution vulnerability patched Friday in the Tor browser. The vulnerability allows an attacker who has a man-in-the-middle position and is able to obtain a forged certificate to impersonate Mozilla servers, Tor officials warned in an advisory. From there, the attacker could deliver a malicious update for NoScript or...
Recent Forum Activity