An easy way to get 2GB of free Google Drive storage

Today is Safer Internet Day 2016, and to celebrate Google is giving users 2GB of free Google Drive storage. The only “catch” is that you have to go through a 2-minute security update, which you should do anyway.

Vast majority of malware attacks spawned from legit sites

The vast majority of sites that push malware on their visitors are legitimate online services that have been hacked as opposed to those hosted by attackers for the purposes of distributing malicious software, Google security researchers said Tuesday.

The data, included for the first time as part of the safe browsing section of Google’s regular transparency report, further challenges the myth that malware attacks happen only on disreputable sites, such as those that peddle porn, illicit software (“warez”), and similar content. For instance, on June 9 only 3,891 of the sites Google blocked as part of its Safe Browsing program were dedicated malware sites, while the remaining 39,247 sites that were filtered offered legitimate services that had been compromised.

In all, Google blocks about 10,000 sites per day as part of the program, which is designed to help people using Firefox, Chrome, and other participating browsers to steer clear of phishing scams and drive-by malware attacks. The program is also designed to inform webmasters of infections hitting their site and to take steps to fix the problems. In all, the Safe Browsing program helps protect about 1 billion people per day.

Java users beware: Exploit circulating for just-patched critical flaw

If you haven’t installed last week’s patch from Oracle that plugs dozens of critical holes in its Java software framework, now would be a good time. As in immediately. As in, really, right now.

In the past few days, attack code targeting one of the many remote-code-execution vulnerabilities fixed in Java 7 Update 21 was folded into either the RedKit or CrimeBoss exploit kit. By Sunday, that attack code was being actively unleashed on unsuspecting end users, according to a short blog post published by a researcher from antivirus provider F-Secure.

The post doesn’t say where the attacks were being hosted or precisely how attackers are using them. Still, Oracle describes the vulnerability as allowing remote code execution without authentication. And that means you should install the patch before you do anything else today. Malware purveyors’ track record of abusing advertising networks, compromised Apache servers, and other legitimate enterprises means readers could encounter attacks even when they’re browsing a site they know and trust.

Thanks, Adobe. Protection for critical zero-day exploit not on by default

The recently discovered zero-day attacks targeting critical vulnerabilities in Adobe’s ubiquitous Reader application are able to bypass recently added security defenses unless end users manually make changes to default settings, company officials said.

According to an advisory Adobe published Wednesday night, the “protected view” feature prevents the current attacks from working, but only if it’s manually enabled. To turn it on, access Preferences > Security (Enhanced) and then check the “Files from potentially unsafe locations,” or even the “All files” option. Then click OK. There’s also a way for administrators to enable protected view on Windows machines across their organization.

The revelation is significant because it means users aren’t protected when using the default version of the widely used document reader. The limitation came to light following the discovery of in-the-wild attacks against current versions of Reader, which are being exploited to surreptitiously install malware on end-user computers. The exploit is also noteworthy because its intricate code base bypasses several additional protections added just four months ago with the goal of thwarting malware attacks.

Microsoft releases emergency update to patch Internet Explorer bug

Microsoft has released an emergency update to patch a security vulnerability in Internet Explorer that is being exploited in attacks aimed at government contractors and other targeted organizations.

The patch fixes a “use after free” bug in versions 6, 7, and 8 of the Microsoft browser and will be automatically installed on affected machines that have automatic updating enabled, Dustin Childs, the Group Manager of the company’s Trustworthy Computing program, wrote in a blog post published Monday. The unscheduled release comes just six days after Microsoft’s most recent monthly Patch Tuesday batch of security updates, but it was pushed out to counter an experienced gang of hackers who have infected websites frequented by government contractors to exploit the vulnerability.

Monday’s update came hours after Oracle released an unscheduled patch to fix a critical vulnerability in its Java software framework. As Ars reported last week, the zero-day Java exploits were added to a variety of exploit kits that criminals use to turn compromised websites into platforms for silently installing keyloggers and other malware on the machines of unsuspecting visitors.
