Tag: Vulnerabilities
Last year was a landmark time for Android security. Google dealt with a major vulnerability in Stagefright, launched a monthly patch release and vulnerability rewards program, and continued to chip away at the number of malicious applications that find their way onto devices. Given all of that progress, however, Google still struggles with the economics...
The Mousejack vulnerability raised awareness of the potential risks introduced by a wireless mouse or keyboard to the enterprise. From a relatively short distance, a hacker could send packets to the device that generate keystrokes on the host computer rather than mouse clicks. In short order, attackers could install malware, including dangerous rootkits in a...
Google has trumpeted its Safe Browsing alerts as a key component in redirecting victims away from potentially malicious websites. An offshoot of that work is that apparently webmasters heed those warnings too and remediate vulnerabilities and bugs quicker. A co-branded study between Google and the University of California-Berkeley looked at more than 760,000 website hijackings...
A new web application security scanner, developed by a former MIT student who is now a Berkeley postdoctoral researcher, could be a real find for developers wishing to lock down bugs that live outside the OWASP top 10. The static-analysis tool is called Space and will be unveiled at the upcoming International Conference on Software Engineering (ICSE). Space, used...
Cisco Talos said on Friday that 3.2 million servers are vulnerable to the JBoss flaw used as the initial point of compromise in the recent SamSam ransomware attacks. Worse, researchers said that thousands of servers have already been backdoored. Hardest hit have been K-12 schools running library management software published by Follett called Destiny, Cisco...
VMware fixed a critical vulnerability in one of its products this week that, if exploited by an attacker, could’ve led to a man-in-the-middle attack. According to an advisory, the problem existed in VMware’s Client Integration plugin, a collection of tools present in a handful of other products the company ships, including some versions of its vCenter Server,...
Mike Mimoso and Chris Brook recap the news of the week, including the Badlock bust, encryption legislation (Burr-Feinstein, the California decryption bill) and the dawn of ‘cryptoworms’. Mike also discusses last week’s Infiltrate Conference in Miami. Download: Threatpost_News_Wrap_April_15_2016.mp3. Music by Chris Gonsalves.
The Zero Day Initiative has publicly disclosed a pair of serious vulnerabilities in Apple QuickTime for Windows that will not be patched because Apple is deprecating the product for the Microsoft platform. US-CERT today pushed out an alert advising QuickTime for Windows users that the only mitigation is to uninstall the software. “Computers running QuickTime...
Threatpost Op-Ed is a regular feature where experts contribute essays and commentary on what’s happening in security and privacy. Today’s contributor is Katie Moussouris @k8em0. Today marks an exciting development in the often monotonous rehashing of vulnerability disclosure. The ISO standard that began about 11 years ago with the emotionally loaded title “Responsible Vulnerability Disclosure,”...
Mike Mimoso talks to Katie Moussouris about her newly launched consultancy Luta Security, the Hack the Pentagon bug bounty program, and some ISO news around vulnerability disclosure. Download: Katie_Moussouris_on_Her_New_Consultancy_Hack_the_Pentagon_and_More.mp3. Music by Chris Gonsalves.