Naked Security

Performance and security clash yet again in “Collide+Power” attack

It's a real vulnerability, but the data leakage rate can be as low as... let's just say that an IMAX-quality copy of the new "Oppenheimer" movie could take you 4 billion years to exfiltrate.

Naked Security

Zenbleed: How the quest for CPU performance could put your passwords at risk

You need to turn on a special setting to stop (the code you wrote to stop [the code you wrote to improve performance] from reducing performance) from reducing security.

Naked Security

Urgent! Apple fixes critical zero-day hole in iPhones, iPads and Macs

Don't delay, do it today. This is a code-implantation bug in WebKit that attackers already know how to exploit.

Naked Security

Ghostscript bug could allow rogue documents to run system commands

Even if you've never heard of the venerable Ghostscript project, you may have it installed without knowing.

Naked Security

WordPress plugin lets users become admins – Patch early, patch often!

Ultimate Member plugin lets rogue users choose their own site capabilities, including becoming admins.

Naked Security

More MOVEit mitigations: new patches published for further protection

Good news... more patches, this time available proactively

Naked Security

Firefox 114 is out: No 0-days, but one fascinating “teachable moment” bug

With the right (or wrong, if you're on the right side of the fence) timing...

Naked Security

Chrome and Edge zero-day: “This exploit is in the wild”, so check your versions now

Chrome and Edge 0-days patched.

Naked Security

MOVEit zero-day exploit used by data breach gangs: The how, the why, and what to do…

Little Bobby Tables is back!

Naked Security

S3 Ep137: 16th century crypto skullduggery

Lots to learn, clearly explained in plain English... listen now! (Full transcript inside.)

Naked Security

Serious Security: That KeePass “master password crack”, and what we can learn from it

Here, in an admittedly discursive nutshell, is the fascinating story of CVE-2023-32784. (Short version: Don't panic.)

Naked Security

Serious Security: Verification is vital – examining an OAUTH login bug

What good is a popup asking for your approval if an attacker can bypass it simply by suppressing it?

Naked Security

PaperCut security vulnerabilities under active attack – vendor urges customers to patch

If you have the product, but you haven't patched - well, the crooks have now landed, so please don't delay. Do it today...

Naked Security

VMware patches break-and-enter hole in logging tools: update now!

You know jolly well/What we're going to say/And that's "Do not delay/Simply do it today."

Naked Security

Microsoft assigns CVE to Snipping Tool bug, pushes patch to Store

Microsoft says "successful exploitation requires uncommon user interaction", but it's the innocent and accidental leakage of private data you should be concerned about.

Naked Security

Windows 11 also vulnerable to “aCropalypse” image data leakage

Turns out that the Windows 11 Snipping Tool has the same "aCropalypse" data leakage bug as Pixel phones. Here's how to work around the problem...

Naked Security

Google Pixel phones had a serious data leakage bug – here’s what to do!

What if the "safe" images you shared after carefully cropping them... had some or all of the "unsafe" pixels left behind anyway?

Naked Security

Password-stealing “vulnerability” reported in KeePass – bug or feature?

Is it a vulnerability if someone with control over your account can mess with files that your account is allowed to access anyway?

Naked Security

Serious Security: The Samba logon bug caused by outdated crypto

Enjoy our Serious Security deep dive into this real-world example of why cryptographic agility is important!

Naked Security

Apple patches are out – old iPhones get an old zero-day fix at last!

Don't delay, especially if you're still running an iOS 12 device... please do it today!

Naked Security

Microsoft dishes the dirt on Apple’s “Achilles heel” shortly after fixing similar Windows bug

It happens to the best of us: Microsoft highlights a security bypass bug on Macs that is curiously similar to a recent Windows 0-day.

Naked Security

Apple patches everything, finally reveals mystery of iOS 16.1.2

There's an update for everything this time, not just for iOS.

Naked Security

Number Nine! Chrome fixes another 2022 zero-day, Edge patched too

Ninth more unto the breach, dear friends, ninth more.

Naked Security

How to hack an unpatched Exchange server with rogue PowerShell code

Review your servers, your patches and your authentication policies - there's a proof-of-concept out

Naked Security

Log4Shell-like code execution hole in popular Backstage dev tool

Good old "string templating", also known as "string interpolation", in the spotlight again...

Naked Security

Dangerous SIM-swap lockscreen bypass – update Android now!

A bit like leaving the front door keys under the doormat...

Naked Security

Emergency code execution patch from Apple – but not an 0-day

Not a zero-day, but important enough for a quick-fire patch to one system library...

Naked Security

The OpenSSL security update story – how can you tell what needs fixing?

How to Hack! Finding OpenSSL library files and accurately identifying their version numbers...

Naked Security

OpenSSL patches are out – CRITICAL bug downgraded to HIGH, but patch anyway!

That bated-breath OpenSSL update is out! It's no longer rated CRITICAL, but we advise you to patch ASAP anyway. Here's why...

Naked Security

SHA-3 code execution bug patched in PHP – check your version!

As everyone waits for news of a bug in OpenSSL, here's a reminder that other cryptographic code in your life may also need patching!

Naked Security

Chrome issues urgent zero-day fix – update now!

We've said it before/And we'll say it again/It's not *if* you should patch/It's a matter of *when*. (Hint: now!)

Naked Security

Updates to Apple’s zero-day update story – iPhone and iPad users read this!

Turns out that Tuesday's zero-day for iOS 16 is Friday's zero-day for iOS 15...

Naked Security

Apple megaupdate: Ventura out, iOS and iPad kernel zero-day – act now!

Ventura hits the market with 112 patches, Catalina's gone missing, and iPhones and iPads get a critical kernel-level zero-day patch...

Naked Security

Zoom for Mac patches sneaky “spy-on-me” bug – update now!

Hey! That back door isn't supposed to be there at all, let alone propped open...

Naked Security

Dangerous hole in Apache Commons Text – like Log4Shell all over again

Third time unlucky. Time to put your patching boots on again...

Naked Security

Mystery iPhone update patches against iOS 16 mail crash-attack

The problem with crashy messaging apps is that *other people* get to choose if and when to send you messages...

Naked Security

S3 Ep102.5: “ProxyNotShell” Exchange bugs – an expert speaks [Audio + Text]

Who's affected, what you can do while waiting for Microsoft's patches, and how to plan your threat hunting...

Naked Security

URGENT! Microsoft Exchange double zero-day – “like ProxyShell, only different”

Double-play 0-day in Exchange - what you need to know, and what you can do

Naked Security

Chrome and Edge fix zero-day security hole – update now!

This time, the crooks got there first - only 1 security hole patched, but it's a zero-day.

Naked Security

URGENT! Apple slips out zero-day update for older iPhones and iPads

Patch as soon as you can - that recent WebKit zero-day affecting new iPhones and iPads is apparently being used against older models, too.

Naked Security

JavaScript bugs aplenty in Node.js ecosystem – found automatically

How to get the better of bugs in all the possible packages in your supply chain?

Naked Security

Laptop denial-of-service via music: the 1980s R&B song with a CVE!

We haven't validated this vuln ourselves... but the source of the story is impeccable. (Impeccably dressed, at least.)

Naked Security

Apple patches double zero-day in browser and kernel – update now!

Double 0-day exploits - one in WebKit (to break in) and the other in the kernel (to take over). Patch now!

Naked Security

Zoom for Mac patches critical bug – update now!

There's many a slip 'twixt the cup and the lip. Or at least between the TOC and the TOU...

Naked Security

APIC/EPIC! Intel chips leak secrets even the kernel shouldn’t see…

If you've ever written code that left stuff lying around in memory when you didn't need it any more... we bet you've regretted it!

Naked Security

GnuTLS patches memory mismanagement bug – update now!

GnuTLS may well be the most widespread cryptographic toolkit you've never heard of. Learn more...

Naked Security

Critical Samba bug could let anyone become Domain Admin – patch now!

It's a serious bug... but there's a fix for it, so you know exactly what to do!

Naked Security

Apache “Commons Configuration” patches Log4Shell-style bug – what you need to know

It's a bit like Log4J, but for configuration files, not for logging.

Naked Security

Google patches “in-the-wild” Chrome zero-day – update now!

Running Chrome? Do the "Help-About-Update" dance move right now, just to be sure...

Naked Security

S3 Ep87: Follina, AirTags, ID theft and the Law of Big Numbers [Podcast]

Lastest epsiode - listen now!

Naked Security

Follina gets fixed – but it’s not listed in the Patch Tuesday patches!

We tried it out to make sure, so you don't have to.

Naked Security

You’re invited! Join us for a live walkthrough of the “Follina” story…

Live demo, plain English, no sales pitch, just a chance to watch an attack dissected in safety. Join us if you can!

Naked Security

Atlassian announces 0-day hole in Confluence Server – update now!

Zero-day announced - here's what you need to know

Naked Security

S3 Ep85: Now THAT’S what I call a Microsoft Office exploit! [Podcast]

Latest episode - listen now!

Naked Security

Mysterious “Follina” zero-day hole in Office – here’s what to do!

News has emerged of a "feature" in Office that has been abused as a zero-day bug to run evil code. Turning off macros doesn't help!

Naked Security

Mozilla patches Wednesday’s Pwn2Own double-exploit… on Friday!

That was quick! 48 hours from exploit report to published patch.

Naked Security

US Government says: Patch VMware right now, or get off our network

Find and patch. Right now. If you can't patch, get it off the network. Right now! Oh, and show us what you did to comply.

Naked Security

RubyGems supply chain rip-and-replace bug fixed – check your logs!

Imagine if you could assume the identity of, say, Franklin Delano Roosevelt simply by showing up and calling yourself "Frank".

Naked Security

Critical cryptographic Java security blunder patched – update now!

Either know the private key and use it scrupulously in your digital signature calculation.... or just send a bunch of zeros instead.

Naked Security

Yet another Chrome zero-day emergency update – patch now!

The third emergency Chrome 0-day in three months - the first one was exploited by North Korea, so you might as well get this one ASAP.