
Security Content on InfoQ

  • Remotely Exploitable Java Zero Day Exploits through Deserialization

    A recent security analysis by Foxglove Security suggests that applications using deserialization may be vulnerable to a zero-day exploit. This includes libraries such as OpenJDK, Apache Commons, Spring and Groovy. InfoQ investigates.

  • Oracle Patches 154 New Security Vulnerabilities

    Oracle has announced 154 new security vulnerabilities in its latest Critical Patch Update, but says there is no indication that any of the most severe vulnerabilities have been successfully exploited “in the wild.”

  • Internet Security, TLS, and HTTP/2: A Q&A with ThoughtWorks’ Vuksanovic and Gibson

    InfoQ recently sat down with Marko Vuksanovic and Sam Gibson from ThoughtWorks, and asked about their recent study of TLS/HTTPS and HTTP/2 that was published in the ThoughtWorks P2 magazine. Both Vuksanovic and Gibson shared their expertise on a range of security-focused topics, including ubiquitous computing, the workings of TLS/HTTPS, certificate trust, and the security implications of HTTP/2.

  • Cambridge Study Analyzes State of Android Security

    Researchers at the University of Cambridge have carried out an extensive study to assess security across Android devices, Android versions, and years. Their findings show that, on average over the last four years, 87% of Android devices have been vulnerable. InfoQ has spoken with Daniel Thomas, lead author of the study.

  • Firefox Will No Longer Support Plug-ins Except for Flash

    Mozilla has announced the end of NPAPI in Firefox by the end of 2016, with Flash the only plug-in that will continue to be supported.

  • LinkedIn Releases QARK to Discover Security Holes in Android Apps

    LinkedIn has recently open sourced QARK, a static analysis tool meant to discover potential security vulnerabilities existing in Android applications written in Java.

  • Docker 1.8 Release with Multiple New Tools

    Docker Inc. has announced the release of Docker 1.8, which brings with it some new and updated tools in addition to new engine features. Docker Toolbox provides a packaged system aiming to be ‘the fastest way to get up and running with a Docker development environment’. The most significant change to Docker Engine is Docker Content Trust, which provides image signing and verification.

  • First Zero-Day Java Vulnerability in Two Years

    A zero-day vulnerability affecting sandboxed Java Web Start applications and sandboxed Java applets was recently announced, the first one for Java in nearly two years. Concerns that the vulnerability is already being exploited, together with the ease of exploitation, gave this vulnerability the highest CVSS risk score. Oracle has issued a patch and urges customers to upgrade as soon as possible.

  • Android 'Stagefright' Vulnerability Puts Millions at Risk

    Google has moved quickly to reassure Android users following the announcement of a number of serious vulnerabilities. The Stagefright Media Playback Engine Multiple Remote Code Execution Vulnerabilities allow an attacker to send a media file in an MMS message targeting the device's media playback engine, which is responsible for processing several popular media formats.

  • Mozilla Blocks Flash, Encourages HTML5 Adoption

    Mozilla is encouraging developers towards HTML5 and JavaScript and away from Flash, after it blocked the plugin in its browser amid security concerns. Following Adobe's advice that two critical vulnerabilities could allow attackers to take control of affected systems, Mark Schmidt, Firefox's head of support, announced the move on Twitter.

  • Symantec Claims Zero Day Flash Vulnerability Likely to be Exploited

    Symantec is reporting that the zero-day vulnerability discovered (and weaponised) in the HackDay leak allows for remote code execution. Adobe will be updating Flash in the near future but disabling Flash may be the only solution at the moment.

  • Crossing the Chasm of Container Adoption in Production

    Only 38% of IT professionals use containers in production environments, according to a recent survey. ClusterHQ, which ran the survey of the current state of container usage and adoption, also concludes that 73% of respondents are running containers in a VM environment.

  • Developments in IT Project Management

    The demand for IT project managers is increasing. Agile methodologies support collaboration with distributed teams for creative problem solving. The Internet of Things, cloud, big data, and cyber security will continue to dominate the IT landscape. Project managers have to pioneer IoT initiatives, be prepared for the influx of data, and ensure that the deliverables from their projects are secure.

  • Password Manager LastPass Suffers Hacking Attack

    The web-based LastPass password management service has been hacked, according to the company; some user data, including email addresses and authentication hashes, was obtained by unknown assailants. The breach highlights the risks users take by storing all of their passwords in a centralized location.

  • SQL Server 2016: Row-Level Security

    A common criticism of SQL Server’s security model is that it only understands tables and columns. If you want to apply security rules on a row-by-row basis, you have to simulate them using stored procedures or table-valued functions, and then find a way to make sure there is no way to bypass them. With SQL Server 2016, that is no longer a problem.
