Rich Trouton, a Mac systems administrator who runs the Der Flounder blog, discovered yesterday that a Java installer is installing adware, in the form of the Ask Toolbar. (He first wrote about it on JAMF Nation, but has published additional information in his Der Flounder post today.) Fortunately, in the course of trying to duplicate his findings, it appears that this installer is a bit finicky, and may not always install the toolbar properly.
Read the rest of this entry »

60 Comments

It has been a little more than a year since the last new variant of the Tibet malware was discovered, but today, Intego reported that a fourth variant has been found. They are calling this new variant OSX/Tibet.D. There are a few important lessons we can learn from this malware.
Read the rest of this entry »

2 Comments

This still doesn’t change my opinion that Java needs to be avoided. These fixes came after almost two months of vulnerability, and Java has had a recent history of becoming vulnerable again within days of each fix. We’ll see how things fall out at this point, but I don’t have high hopes. If you have to use Java in your web browser, though, you should not delay installing this update. Be cautious, though, as some Java applets may not function well (or at all) with the update, so check compatibility beforehand. Of course, that may leave you in the unenviable position of having to choose between staying vulnerable and losing access to the applet that you need Java for in the first place.

2 Comments

Apple posted a couple updates yesterday with some very important security content, and I advise updating as soon as you can. Both Mac OS X 10.8.3 and Security Update 2013-001, available for both Snow Leopard and Lion, contain a number of important security updates. However, one in particular is likely to cause the hair to stand up on the back of the neck of anyone who has been following the saga of Java’s recent descent into vulnerability perdition.
Read the rest of this entry »

25 Comments

Every year, at the CanSecWest security conference, an infamous competition is held, called Pwn2Own. The basic idea of the contest is to “pwn,” or hack, different web browsers or technologies. Hacks must involve previously unknown vulnerabilities, and winners not only get a sizable cash prize, but they also win the computer that they hacked (thus the “Pwn2Own” name).
Read the rest of this entry »

9 Comments

According to ThreatPost, yet another new Java vulnerability has been discovered. Do I really have to say what I’ve said a thousand times before? Nah, there are only so many times one can beat a dead horse. Disable Java in your web browser, or it’s probably only a matter of time before you get infected with something.

7 Comments

Minecraft has been targeted by malware before (see Cross-platform malware Jacksbot found in the wild), and with Minecraft and Minecraft modifications continuing to be popular, it’s no surprise that it has happened again. Intego announced today the discovery of a new trojan that it has named Minesteal.
Read the rest of this entry »

5 Comments

Once again, Java is in the news after new vulnerabilities have been found. Adam Gowdiak, of Security Explorations, has reported to Softpedia the discovery of two new issues in Java. These issues can, when used together, allow an attacker to once again bypass the Java sandbox altogether and gain access to the user’s machine through a malicious Java applet embedded in a web site.
Read the rest of this entry »

6 Comments

This has been quite an interesting month in security news. Multiple major companies have been hacked, including Apple themselves, and there are rumors of yet another new bit of malware for the Mac. Yet all is still rather unclear. Is this all related? It’s probably too soon to say for sure, but I am guessing that it may be.
Read the rest of this entry »

9 Comments

Security researcher Adam Gowdiak has announced the discovery of two more vulnerabilities affecting the latest version of Java (Java 7 update 11). These are completely separate vulnerabilities from the still not yet fully repaired bug that caused the vulnerability prompting the latest Java update. Of course, it’s not exactly news, at this point, that Java is full of holes that hackers love to exploit. So why am I continuing to beat a dead horse? Primarily, because I continue to hear people dismiss concerns about Java’s security. Java is a sinking ship, folks… you can either hop in a lifeboat and get away or go down with the ship. The choice is yours.

19 Comments