Google today patched two critical holes in its problematic Android Mediaserver component which would allow an attacker to use email, web browsing, and MMS processing of media files to remotely execute code. With this latest vulnerability, Google has patched its Mediaserver more than two dozen times since the Stagefright vulnerability was discovered in August. The patch...

Apple has yet to patch a series of bypass vulnerabilities in iOS that could enable an attacker to sidestep the passcode authorization screen on iPhones and iPads running iOS 9.0, 9.1, and the most recent build of the mobile operating system, 9.2.1. Like all passcode bypass bugs, an attacker would have to have the device in...

It’s likely that the first functional ransomware for OS X is a dud. Discovered on Friday by researchers at Palo Alto Networks, the KeRanger ransomware sits dormant for three days before encrypting files from a comprehensive list of 300 file extensions; today would be Day 3. The malware was included in a Trojanized version of...

Diplomats and military personnel in India have been victimized in targeted espionage attacks that use a number of means of infection including phishing and watering hole sites. Researchers at Proofpoint this week published a report on Operation Transparent Tribe, which was ongoing as of Feb. 11 when Proofpoint uncovered live attacks against Indian diplomats operating...

Amazon’s decision to remove encryption from its tablets running the latest Fire OS 5 release of its software has many privacy-minded tablet owners are crying foul. They are blasting Amazon for making their tablets less secure and no longer safe to store personal data from email credentials, credit card numbers and sensitive business information. “Amazon...

Mike Mimoso and Chris Brook recap RSA 2016, including how pervasive the FBI vs. Apple debate has been around the conference, OpenSSL two years after Heartbleed, and why hacking back is always a bad idea. Download: Threatpost_News_Wrap_March_4_2016.mp3 Music by Chris Gonsalves

Cisco Systems issued a “critical” patch on Wednesday for its Nexus 3000 and 3500 series switches that allow remote attackers to access default account and static password information on affected hardware. The vulnerability could allow an unauthenticated user to log in to the affected system with the privileges of a root user. The account is...

SAN FRANCISCO—A laundry list of past and present iPhone experts and cryptography experts today filed an amicus brief asking the courts to vacate their order mandating Apple assist the FBI in unlocking a phone belonging to San Bernardino shooter Syed Farook. Filed by Jennifer Granick and Riana Pfefferkorn of the Stanford Law School Center for...

Should passwords that protect your financial data be less secure than the ones used to lock up selfies, cat videos and tweets swapped on social networks? In a study that looked at the password strength required to access website account for Wells Fargo, Capital One and 15 other banks, researchers found that 35 percent had...

SAN FRANCISCO—Experts have stressed this week that DROWN is no Heartbleed, but at some point in the not too distant future, there’s going to be another major Internet vulnerability and developers at OpenSSL claim they’re battle tested. Rich Salz and Tim Hudson, members of OpenSSL’s development team, described in a talk at RSA Conference this week...