Software Integrity Blog

Author Archive

Robert Vamosi


Posts by Robert Vamosi:

 

When your anti-malware program has a zero-day

Software intended to protect your computer from malware and remote attackers shouldn’t be vulnerable to exploitation, yet that is what one security researcher is finding.

Discovering password manager vulnerability

Earlier this month, Tavis Ormandy, a Google Project Zero security researcher, disclosed his latest such vulnerability, this time affecting Trend Micro’s Password Manager. He found that the anti-malware company installed a wide-open Node.js server by default on all its customers’ computers. The software flaw could, if exploited, allow a remote attacker using JavaScript to hijack a user’s web browser and steal all their passwords. Worse, the flaw exists as long as you have the Trend Micro malware suite installed, even if you never use the password manager.

Posted in General

 

Nissan Leaf app flaw allows remote access

A security researcher disclosed on Wednesday that certain Nissan Leaf models can allow their heating and air-conditioning systems to be hijacked because of a flaw in the companion app. Security researcher Troy Hunt found that the NissanConnect app needed only the vehicle identification number (VIN) of any Nissan Leaf car to take control. However, he found that since the commands could also be sent via a web browser, one didn’t need the app to take control of the cars.

Posted in Automotive Security, Internet of Things

 

Asus settlement prompts federal monitoring

On Tuesday, the Federal Trade Commission (FTC) announced a decision to require network hardware manufacturer Asus to provide and maintain a comprehensive security program for the next 20 years and also be subject to audits. The action stems from a remote attack on Asus routers in February 2014.

Posted in Uncategorized

 

Software flaw postpones Lockheed Martin’s F-35

Lockheed Martin’s new F-35 fighter jet won’t begin testing to see how it will perform in combat until at least August 2018, one full year later than planned, according to sources. That’s because of software vulnerabilities. The F-35 has been characterized as a flying computer, with more than 8 million lines of software code, so the software has to be flawless.

Flaws identified in the F-35

According to Michael Gilmore, the U.S. Defense Department’s top weapons tester, a number of flaws have been identified within the “3F” software, which is considered crucial to the fighter jet. For one thing, the 3F software gives the F-35 its full combat capability. The software delay hasn’t stopped production, however.

Posted in Software Architecture and Design

 

Mac apps vulnerable to third-party update flaw

A number of Mac apps, including popular ones such as Camtasia and uTorrent, are susceptible to man-in-the-middle attacks, according to new research. A vulnerability found in Sparkle, a third-party software framework used by Mac apps to receive updates, could allow a remote attacker to install malicious code.

Posted in Software Architecture and Design

 

Backdoor found in government AV equipment

A supplier for audio-visual equipment to the US federal government on Thursday issued an update to its products that removed a potential backdoor that could allow “higher privileges than even administrative access to the system via the backdoor,” according to the researchers who first reported it.

Posted in Uncategorized

 

FDA clarifies medical device security

Hoping to end manufacturer responsibility around the issuance of software updates for medical devices, and whether or not such updates change the device’s compliance status, the Food & Drug Administration (FDA) last Friday released a new draft document that also calls for greater collaboration among medical device manufacturers around cybersecurity in general. The document looks at both pre-market considerations as well as post-market considerations for the mitigation of patient risk when improving the security posture of their products.

Posted in Healthcare Security, Medical Device Security