Security Vulnerabilities Content on InfoQ

  • Lenovo Responds to Superfish Vulnerability

    Lenovo has responded to the criticism of the Superfish software pre-loaded onto its computers with advice on how to remove the offending tool. But what was the issue, and why was it pre-loaded in the first place? InfoQ investigates. Meanwhile, Microsoft has pushed out a definition of Microsoft Defender to remove Superfish and its root certificate.

  • Google to remove support for SSL 3.0

    Google have announced that they will remove support for the obsolete SSL 3.0 after discovering vulnerabilities that may be exploitable by forcing clients or servers to downgrade. Removing SSL 3.0 may also unlock stalled negotiations with HTTP2. Read on for more details.

  • Heartbleed’s Aftermath: OpenBSD Developers Start Purifying OpenSSL

    OpenSSL's Heartbleed vulnerability has brought the project under the intense scrutiny of the OpenBSD development team. The team began a massive cleanse and repair of the OpenSSL codebase last week with impressive results.

  • Heartbleed allows dumping client and server memory remotely

    The recently disclosed Heartbleed bug allows a remote client to query the contents of a remote SSL server's memory when using vulnerable versions of OpenSSL, disclosing passwords and other secure credentials to eavesdroppers. Application sites like Yahoo! Mail and Amazon Web Services have been affected. Read on to find out more about what the bug entails, and what you should do.

  • Patterns and Anti-Patterns for Scalable and Available Cloud Architectures

    More than anything else, architectural choices matter when designing a system with high scalability and availability. Using Azure customers as an example, Microsoft talks about the patterns and anti-patterns they see and how they affect the four facets of system architecture.

  • Continuous Security Testing With Gauntlt

    James Wickett, from the Gauntlt core team, gave a tutorial at Velocity Conf London about integrating security testing into the continuous integration cycle for early feedback on the application's security level. James stressed the importance of regularly checking for security as release delivery rates increase with continuous delivery.

  • Securing Docker and Containers

    Jérôme Petazzoni, senior engineer at dotCloud, examined the progress of security concerning Docker compared with other virtualization and container-like technology in his recent blog post "CONTAINERS & DOCKER: HOW SECURE ARE THEY?". Jérôme makes a case for the techniques that secure Docker, in spite of the acknowledgement that improvements are needed.

  • Tune Up Your Online Privacy with Clef

    Clef is like a retina scan for your smartphone, which gives a whole new meaning to Retina Display. You can use Clef as an OpenID to log in from your smartphone only once to access many different web sites when online, rather than typing in your user ID and password for each web site.

  • Derailed: Hackers Exploit Months Old Rails Flaw

    A months-old Ruby on Rails security flaw is now being exploited on systems where tardy patch deployment has left them vulnerable to malicious attackers.

  • Java Still Vulnerable, Despite Latest Patches

    Just days after the latest fix, security researcher Adam Gowdiak has found another Java vulnerability. In addition, in the past few days, attack code targeting one of the many remote-code-execution vulnerabilities fixed in Java 7 Update 21 has also begun circulating in the wild.

  • ASP.NET Anti-Forgery Tokens With JSON Payloads

    ASP.NET MVC has an AntiForgeryToken helper that allows you to detect and block CSRF attacks using user-specific tokens. However, when making primarily Ajax requests or using JavaScript frameworks such as Knockout and Backbone, which send JSON payloads, the approach needs to change a bit.

  • Another Week, Another Java Security Issue Found

    Polish security start-up Security Explorations has found another hole that allows hackers to bypass critical security measures, affecting Java SE 5, 6 and 7 - the last eight years' worth of Java releases.

  • Oracle and Apple Struggle to Deal with Java Security Issues

    Java has been in the news a lot recently thanks to a rather messy response to a high profile Java security issue, CVE-2012-4681, and a related set of vulnerabilities which target the Java browser plug-in.

  • GitHub Compromised by Mass Assignment Vulnerability

    GitHub was recently compromised by a vulnerability in Ruby on Rails known as mass assignment. This vulnerability is thought to affect not only a large number of Ruby-based websites, but also those using ASP.NET MVC and other ORM-backed web frameworks.

  • Major Denial of Service Vulnerability Affects Most Web Servers

    Security researchers Alexander Klink and Julian Wälde revealed a serious vulnerability that until recently affected the vast majority of web servers. The attack only requires a single HTTP request that is specially designed to create hash code collisions in POST form data. When first discovered, this attack affected Python, Ruby, PHP, Java, and ASP.NET, but vendors have been working on patches.