Skip to main content

FireEye

See All Stories

Security researchers highlight iOS flaw that enables hidden logging of touch events and other actions

fig1

Researchers at security firm FireEye are highlighting an exploit involving iOS’s multitasking architecture to enable a nefarious (or exploited) app to record user touch events, Home Button presses and other events even whilst the app is backgrounded. It has always been theoretically possible for apps to record touch events whilst foregrounded, as the app needs access to the touch input to respond to user events. However, FireEye are demonstrating that this is possible even when the iOS app is not frontmost.


Expand
Expanding
Close

Adobe releases Adobe Flash security update in second emergency fix this month

Site default logo image

Less than three weeks ago, Adobe released a critical security update for its Flash Player plug-in fixing an exploit that allowed machines to be accessed remotely by attackers.

Yet another security update is out today (and strongly recommended). The new build (Version 12.0.0.70) intends to address a vulnerability that allowed attackers to target at least three nonprofit websites according to security firm FireEye and reported by ArsTechnica


Expand
Expanding
Close

Site default logo image

Fool me twice: Apple releases Java update for the latest Zero Day

Screen Shot 2013-03-04 at 5.38.08 PM

Following a number of reports of new zero-day vulnerabilities in the Java browser plug-in, Oracle has today released an emergency update to Java 7 as Apple updates Java SE 6 to version 1.6.0_43.

Today Oracle released Security Alert CVE-2013-1493 to address two vulnerabilities affecting Java running in web browsers (CVE-2013-1493 and CVE-2013-0809).  One of these vulnerabilities (CVE-2013-1493) has recently been reported as being actively exploited by attackers to maliciously install the McRat executable onto unsuspecting users’ machines.  Both vulnerabilities affect the 2D component of Java SE.  These vulnerabilities are not applicable to Java running on servers, standalone Java desktop applications or embedded Java applications.  They also do not affect Oracle server-based software.  These vulnerabilities have each received a CVSS Base Score of 10.0.

Researchers from security firm FireEye warned users last week of yet another new Java zero-day vulnerability and recommended users disable Java until Oracle addresses the issue. Today, Oracle said it knew about the flaw since Feb. 1 but didn’t get around to patching it in the last release:

Though reports of active exploitation of vulnerability CVE-2013-1493 were recently received, this bug was originally reported to Oracle on February 1st 2013, unfortunately too late to be included in the February 19th release of the Critical Patch Update for Java SE

The company intended to include a fix for CVE-2013-1493 in the April 16, 2013 Critical Patch Update for Java SE (note that Oracle recently announced its intent to have an additional Java SE security release on this date in addition to those previously scheduled in June and October of 2013).  However, in light of the reports of active exploitation of CVE-2013-1493, and in order to help maintain the security posture of all Java SE users, Oracle decided to release a fix for this vulnerability and another closely related bug as soon as possible through this Security Alert.

Yet another Java vulnerability discovered, researchers recommend disabling browser plug-in

Site default logo image

url-3

Following an attack on a smaller number of corporate Macs that exploited a flaw in the Java browser plug-in, researchers from security firm FireEye warned users of yet another new Java zero-day vulnerability. According to a blog post published yesterday (via IDG), browsers running Java v1.6 Update 41 and Java v1.7 Update 15 are now vulnerable to a malware attack that installs a remote access tool known as McRAT. The exploit is reportedly different from the one used to attack Facebook, Twitter, Apple, and several other companies last month. Following the earlier attack, Apple released an update to Java for users to version 1.6.0_41. These recent vulnerabilities come after several updates over the last year to Java addressing exploits.

FireEye recommended users disable Java until Oracle addresses the issue:

We have notified Oracle and will continue to work with Oracle on this in-the-wild discovery. Since this exploit affects the latest Java 6u41 and Java 7u15 versions, we urge users to disable Java in your browser until a patch has been released; alternatively, set your Java security settings to “High” and do not execute any unknown Java applets outside of your organization.

Oracle provided the instructions below for uninstalling Java on Mac:
Expand
Expanding
Close