Category Archives: exploits

My browser visited Weather.com and all I got was this lousy malware (Updated)

Millions of people visiting weather.com, drudgereport.com, wunderground.com, and other popular websites were exposed to attacks that can surreptitiously hijack their computers, thanks to maliciously manipulated ads that exploit vulnerabilities in Adobe Flash and other browsing software, researchers said.

The malvertising campaign worked by inserting malicious code into ads distributed by AdSpirit.de, a network that delivers ads to Drudge, Wunderground, and other third-party websites, according to a post published Thursday by researchers from security firm Malwarebytes. The ads, in turn, exploited security vulnerabilities in widely used browsers and browser plugins to install malware on end-user computers. The criminals behind the campaign previously carried out a similar attack on Yahoo’s ad network, exposing millions more people to the same drive-by attacks.

Update: A few hours after Ars published this article, Malwarebytes updated the blog post to say the campaign had moved to yet another ad network, which happens to be associated with AOL. Visitors to eBay were among those who were exposed to the malicious ads distributed through the newly discovered network.


Android security on the ropes with one-two punch from researchers

Android security woes got worse on Thursday, with two separate reports of code defects that put millions of end users at risk.

The first involves the update Google released last week fixing a flaw that allowed attackers to execute malicious code on an estimated 950 million phones with nothing more than a maliciously crafted text message. Seven days later, security researchers are reporting that the patch, which has been in Google’s possession since April, is so flawed that attackers can exploit the vulnerability anyway.

“The patch is 4 lines of code and was (presumably) reviewed by Google engineers prior to shipping,” Jordan Gruskovnjak and Aaron Portnoy, who are researchers with security firm Exodus Intelligence, wrote in a blog post published Thursday. “The public at large believes the current patch protects them when it in fact does not.”
