Week in Geek: Another New Java Security Hole Revealed – Affects All Recent Versions


By Akemi Iwaya on September 30th, 2012

Our last edition of WIG for September is filled with news link coverage on topics such as a beta of Mozilla’s new Persona login system has been released, a SourceForge mirror has been compromised, the Nintendo Wii U will be region-locked, and more.

Weekly News Links

Image courtesy of Identity at Mozilla Blog.

Security News

  • Yet another Java flaw allows “complete” bypass of security sandbox
    Flaw in the last three Java versions, 8 years' worth, puts a billion users at risk. Researchers have discovered a Java flaw that would let hackers bypass critical security measures in all recent versions of the software (Java SE 5, 6, and 7).
  • SourceForge mirror compromised, backdoor slipped into phpMyAdmin
    One of SourceForge’s mirrors was compromised this week, unwittingly serving users a version of phpMyAdmin containing a backdoor.
  • Adobe code signing infrastructure hacked by ‘sophisticated threat actors’
    The eyebrow-raising hack effectively gave the attackers the ability to create malware masquerading as legitimate Adobe software and signals a raising of the stakes in the world of Advanced Persistent Threats (APTs).
  • Chinese Hackers Blamed for Intrusion at Energy Industry Giant Telvent
    A company whose software and services are used to remotely administer and monitor large sections of the energy industry began warning customers last week that it is investigating a sophisticated hacker attack spanning its operations in the United States, Canada and Spain. Experts say digital fingerprints left behind by attackers point to a Chinese hacking group tied to repeated cyber-espionage campaigns against key Western interests.
  • Twitter users may be victims of direct message malware
    Security analysts say that suspicious direct messages from Twitter friends with links to Facebook, which have been popping up lately, could be malicious “backdoor trojans.”
  • Lost+Found: iPhone crashes, malware families and a Firefox hack
    Too short for news, too good to lose; Lost+Found is a roundup of useful security news. This time: crashing iPhones, dumping network traffic from iOS devices, ZeroAccess botnet distribution, visualising malware and its variants, silently installing malicious Firefox extensions, and Gamma International suggests someone is trying to torpedo its trojan business.
  • Ubuntu 12.10 Home Lens User Data Still Exposed, Despite Canonical Claims
    As the Ubuntu 12.10 privacy blunder continues, more and more people find that integrating online searches into Unity Dash has a lot more ramifications than initially thought.
  • Researcher says 100,000 passwords exposed on IEEE site
    Info on workers at Apple, Google, NASA, Stanford, and elsewhere was easily accessible owing to an oversight by the association for tech pros, a computer scientist in Denmark says.
  • Multiple Samsung handsets vulnerable to remote wipe hack
    The Galaxy S3 is among a growing list of Samsung models susceptible to remote wipe attack.
  • Why Flash updates might need to be delayed for IE, at least briefly
    IE’s Flash problem was communication not security, but there are reasons why Flash updates might sometimes take longer. The bigger question is how long Flash stays around.
  • Secret Microsoft policy limited Hotmail passwords to 16 characters
    For years, Microsoft engineers have quietly limited Hotmail passwords to 16 characters, a revelation that has surprised and concerned some users who have long entered passcodes twice that long to access accounts.
  • Why is Open Source WebKit the Weak Link in Apple Security?
    To be fair, updating WebKit isn’t as easy for Apple on iOS as it might be on the Mac. Sure, Apple could *simply* update Safari whenever new WebKit issues arise, but the reality is that WebKit’s usage extends beyond the browser and is an integral part of iOS itself in a different way than WebKit on Mac OS X. Simply put, it’s not just about the browser.
  • Android control code issue affects almost all manufacturers
    An Android control code vulnerability originally reported as a Samsung problem in fact appears to affect most smartphones and UMTS tablets running Ice Cream Sandwich (version 4.0.x) or earlier versions of Android. Google updated the dialling software code in version 4.1.1 so that control codes are no longer executed automatically.
  • Malware programmers start using Go
    Google’s Go programming language has a growing number of users and, according to a report from Symantec, that number now includes some malware writers. The company says it recently found a trojan, Encriyoko, which included Go-based components, specifically a file named GalaxyNxRoot.exe.
  • Espionage Hackers Target ‘Watering Hole’ Sites
    Security experts are accustomed to direct attacks, but some of today’s more insidious incursions succeed in a roundabout way — by planting malware at sites deemed most likely to be visited by the targets of interest. New research suggests these so-called “watering hole” tactics recently have been used as stepping stones to conduct espionage attacks against a host of targets across a variety of industries, including the defense, government, academia, financial services, healthcare and utilities sectors.
  • Rent-to-own firms settle computer spying charges
    Rented computers had software on them that was used to surreptitiously log key strokes, capture screen shots and take photos of people who were late on payments, FTC says.
  • Feds snoop on social-network accounts without warrants
    Justice Department report shows real-time surveillance targeting social networks and e-mail providers jumped 80 percent from 2010 to 2011. The ACLU says current law doesn’t protect Americans’ privacy.
  • Cyberespionage skills go beyond technical ability
    Attackers may write good malware but their skills are worthless if they are not able to deceive employees into unknowingly deploying these programs onto corporate networks.
  • Iran deploys domestic Internet system, blocks Google
    Country announces plans to move citizens to its local Internet system after connecting government agencies to the platform, and said it will block access to Google’s search and e-mail services.

TinyHacker Links

  • Microsoft Office 2013 Will Bring Changes
    Microsoft Office 2013 will bring a lot of changes from a licensing and price perspective. You will find more details in this analysis by Ed Bott.
  • Kaspersky Internet Security 2013 – Is it Any Good?
    Kaspersky has launched their 2013 suite of products. If you would like to know what is new and how well it performs, read this thorough review.
  • EasyBCD: Bootload Editing Made Easy
    Whether you’re a dual booter or just need to manage or tweak some settings, freeware app EasyBCD is the tool you need. *Always* make a backup before making changes and if you ever need assistance, the EasyBCD forums are populated with some of the friendliest folks on earth.
  • How You Can Benefit by Using a VPN
    This infographic discusses what a VPN is, the different types of VPNs, benefits, and more.

How-To Geek Weekly Article Recap

Geeky Goodness from the ETC Side

One Year Ago on How-To Geek

How-To Geek Comics Weekly Roundup

How-To Geek Weekly Trivia Roundup

Akemi Iwaya is a devoted Mozilla Firefox user who enjoys working with multiple browsers and occasionally dabbling with Linux. She also loves reading fantasy and sci-fi stories as well as playing "old school" role-playing games. You can visit her on Twitter.
