Tag: Vulnerabilities
System Integrity Protection (SIP) was implemented in OS X El Capitan and imposes limitations on what actions Mac computers’ root accounts can take against protected paths of the operating system. Yesterday at the SyScan360 conference in Singapore, a researcher from SentinelOne disclosed details of a vulnerability that was patched by Apple this week only...
Oracle yesterday released an emergency patch for a Java vulnerability that was improperly patched in 2013. Researchers at Security Explorations in Poland two weeks ago disclosed that a Java patch for an issue the company reported in 2013, CVE-2013-5838, was still trivially exploitable, and it enabled attackers to remotely execute code and bypass the Java...
While the iMessage crypto bug got most of the attention among this week’s Apple patches, another vulnerability that was addressed represents a nasty trend of privilege escalation flaws that merit watching. Researchers at Cisco on Wednesday disclosed details on a flaw in an OS X graphics kernel driver that begs to be chained with any number of...
A rooting application has been found in the wild targeting Nexus mobile devices using a local privilege escalation vulnerability patched two years ago in the Linux kernel that remains unpatched in Android. Researchers at Zimperium, the same company that discovered last summer’s Stagefright flaws affecting Android, privately disclosed to Google last Tuesday they found an...
Uber’s bug bounty program emerged from private beta mode yesterday, which it used as a feedback forum for participants in order to develop the public program. “This was pretty unique in its approach,” said HackerOne CTO Alex Rice. Uber’s program is built on the HackerOne platform, and Uber announced that the program’s biggest payouts for...
In addition to fixing the serious crypto vulnerabilities in iMessage that surfaced yesterday, Apple also deployed patches for nearly all of its products, including Safari, OS X, iOS, Apple TV’s tvOS, and watchOS. The iOS update, 9.3, is arguably the most pressing given the cryptographic issue dug up by researchers at Johns Hopkins University, but it...
BinDiff is a constant presence inside a security researcher’s toolbox, ideal for patch and malware analysis or reverse engineering of code. The Google-owned software allows researchers to conduct side-by-side comparisons of binary files in disassembled code looking for differences in the samples. Until last week, BinDiff came with a price, but on Friday Google announced...
When Apple released its iOS Security Guide for public consumption, it was an unprecedented look inside the security architecture behind its products. For cryptographer and professor Matthew Green and a team of four Johns Hopkins University graduate students, it was a road map to understanding not only how secure Apple’s iMessage messaging application was, but...
Security researchers are applauding the FBI and the National Highway Traffic Safety Administration for warning the auto industry that cars and trucks are vulnerable to internet-based attacks. But, they argue, more needs to be done by the government and car makers to protect drivers. Last week, in a joint public service announcement, the FBI and NHTSA...
Home Depot agreed to pay $19.5 million to compensate the 40 million cardholders it said were impacted by a massive 2014 data breach. As part of a proposed settlement by Home Depot, it admits no wrongdoing or liability in the breach, according to court filings with the US District Court for the Northern District of...