HackDig : Dig high-quality web security articles

Java “RAT-as-a-Service” backdoor openly sold through website to scammers

A family of Java-based malware that has given attackers a backdoor into Windows, Linux, Mac OS X, and Android devices since 2013 has risen from the dead once again as a "commercial" backdoor-as-a-service. It was recently detected in an attack on a Singapore bank employee. Previously known as AlienSpy or Adawind, the malware was all but shut down in 2015 afte
Publish At:2016-02-08 21:50 | Read:5305 | Comments:0 | Tags:Risk Assessment Technology Lab Java malware RAT remote acces

Java installer flaw shows why you should clear your Downloads folder

On most computers, the default download folder quickly becomes a repository of old and unorganized files that were opened once and then forgotten about. A recently fixed flaw in the Java installer highlights why keeping this folder clean is important. On Friday, Oracle published a security advisory recommending that users delete all the Java installers th
Publish At:2016-02-08 19:00 | Read:5630 | Comments:0 | Tags:Security Java

Oracle is planning to kill an attacker's favorite: The Java browser plug-in

Oracle will retire the Java browser plug-in, frequently the target of Web-based exploits, about a year from now. Remnants, however, will likely linger long after that. "Oracle plans to deprecate the Java browser plugin in JDK 9," the Java Platform Group said in a blog post Wednesday. "This technology will be removed from the Oracle JDK and JRE in a future
Publish At:2016-01-28 11:45 | Read:5285 | Comments:0 | Tags:Security Application Development Java

Oracle fixes critical flaws in Java, Database Server

Oracle issued a gargantuan quarterly patch update this week, fixing a whopping 248 vulnerabilities across its product portfolio. Despite its size, Oracle Database, MySQL, and Java accounted for just a third of the fixes in the January Critical Patch Update. The January CPU addressed seven vulnerabilities in the Oracle Database Server, three for the Oracle
Publish At:2016-01-21 17:00 | Read:4959 | Comments:0 | Tags:Security Java Patches

Oracle Settles with FTC Over ‘Deceptive’ Java Security Updates

Oracle’s stewardship of Java has been scrutinized by the security community, which in 2013 languished through nearly a full year of targeted attacks exploiting zero days and other vulnerabilities in the platform. Since then, Oracle has improved the Java user experience by denying unsigned applets the ability to execute by default, and putting security r
Publish At:2015-12-22 19:45 | Read:6884 | Comments:0 | Tags:Web Security Vulnerabilities Government vulnerabilities gove

Oracle settles FTC dispute over Java updates

Oracle promises to give customers tools that easily uninstall insecure older versions of Java SE that may still lurk as vulnerabilities within Web browsers. That promise comes in a consent decree with the Federal Trade Commission that is currently up for public review before taking effect in January. +More on Network World: After Juniper security mess, Cis
Publish At:2015-12-22 13:40 | Read:4146 | Comments:0 | Tags:Security Java Legal

Oracle settles with FTC over Java’s “deceptive” security patching

Oracle received a public slap on the wrist from the US Federal Trade Commission over Java SE, the desktop runtime for Java. The FTC announced today that it had reached a settlement with Oracle Corporation over a complaint not about the security of Java itself, but about Oracle's patching process—and how it unintentionally left consumers to believe that the p
Publish At:2015-12-21 22:25 | Read:4715 | Comments:0 | Tags:Risk Assessment Technology Lab Java oracle security fails

Critical Java Bug Extends to Oracle, IBM Middleware

For close to 10 months, a critical vulnerability in a library found in most Java rollouts has been twisting in the wind, unpatched, and until this week without proof-of-concept exploits that people paid attention to. Two researchers with NTT Com Security changed that dynamic last week when they released PoCs that leverage the bug in the Apache Commons Collect
Publish At:2015-11-10 15:50 | Read:4206 | Comments:0 | Tags:Vulnerabilities Web Security Apache Commons Chris Frohoff Co

Custom Google App Engine Tweak Still Leads to Java Sandbox Escapes

A tweak carried out by Google in the Google App Engine for Java continues to stir up security concerns. Oracle this week patched the latest vulnerability in Java SE (the flaw also lives in Google’s platform-as-a-service entry) after it was privately disclosed by Java bug-hunters from Security Explorations, a security consultancy in Poland. The vulnerabi
Publish At:2015-10-22 21:40 | Read:12614 | Comments:0 | Tags:Google Vulnerabilities Web Security Adam Gowdiak GAE google

This isn’t the Java I ordered!

On several sites, we have seen reports of popups that look very similar to the one Java used to notify users when the content of a site requires the Java plugin to show the full content. But if we follow this particular prompt we get something completely different called “Media Downloader”. The downloaded file is called setup.exe and is recognized by a few
Publish At:2015-10-22 14:50 | Read:6136 | Comments:0 | Tags:Online Security fake java Pieter Arntz popups PUPs

"Breaking CSRF: Spring Security and Thymeleaf"

As someone who spends half of their year teaching web application security, I tend to give a lot of presentations that include live demonstrations, mitigation techniques, and exploits. When preparing for a quality assurance presentation earlier this year, I decided to show the group a demon
Publish At:2015-09-03 11:55 | Read:6618 | Comments:0 | Tags:CSRF java Csrf

Latest APT 28 Campaign Incorporates Fake EFF Spearphishing Scam

Attackers, possibly associated with the Russian government, registered a phony Electronic Frontier Foundation domain earlier this month in an attempt to dupe users into thinking correspondence from the site was coming from the well-known privacy watchdog. The scheme, largely carried out via spear phishing, appears to be part of a larger campaign previously du
Publish At:2015-08-28 19:55 | Read:4723 | Comments:0 | Tags:Malware Web Security APT 28 EFF Java Pawn Storm Phishing spe

Money may grow on trees

By Fernando Arnaboldi. Sometimes when buying something that costs $0.99 USD (99 cents) or $1.01 USD (one dollar and one cent), you may pay an even dollar. Either you or the cashier may not care about the remaining penny, and so one of you takes a small loss or profit. Rounding at the cash register is a common practice, just as it is in programming languages when d
Publish At:2015-08-25 18:25 | Read:6932 | Comments:0 | Tags:bugs fernando arnaboldi hacking java javascript numbers prob

Adobe, MS Push Patches, Oracle Drops Drama

Adobe today pushed another update to seal nearly three dozen security holes in its Flash Player software. Microsoft also released 14 patch bundles, including a large number of fixes for computers running its new Windows 10 operating system. Not to be left out of Patch Tuesday, Oracle‘s chief security officer lobbed something of a conversational hand gr
Publish At:2015-08-12 07:10 | Read:6219 | Comments:0 | Tags:Time to Patch adobe adobe flash player CVE-2015-1

Oracle Patches Java Zero Day

Oracle has released its quarterly patch update, which includes fixes for nearly 200 vulnerabilities. The most notable bug fixed in this release is the Java zero day that’s been used in an ongoing attack campaign. The massive release from Oracle has patches for a long list of products, but the Java vulnerabilities are the heart of the July update. There
Publish At:2015-07-16 00:10 | Read:4561 | Comments:0 | Tags:Vulnerabilities Web Security Java Oracle vulnerabilities Web
