In the end, it was a nail-biter pitting Tencent Security Team Sniper (KeenLab and PC Manager) against JungHoon Lee (lokihardt) for the title of Master of Pwn for Pwn2Own 2016. After a tense last two minutes of the competition, it was Tencent Security Team Sniper and its successful code execution of a vulnerability in Microsoft’s...

Millions of Android users are at risk of a new Metaphor exploit that can take over Samsung, LG and HTC phones in under 20 seconds. The hack gives attackers access to the targeted phones including the ability to inject malware and take control over key smartphone functions. Discovered by Israeli-based security firm NorthBit, the vulnerability...

Mitre Corporation will introduce a new pilot program for classifying Common Vulnerabilities and Exposures (CVE) in the coming weeks. The move is in response to a backlash in the security community where some critics contend Mitre is failing to keep pace with a massive influx in the number of reported vulnerabilities to the organization. The...

Thousands of serial servers connected to the internet aren’t password protected and lack encryption, leaving data that transfers between them and devices they’re connected to open to snooping, experts warn. To make matters worse, the servers, manufactured by Taiwan-based networking device company Moxa, have had shoddy security for a while, according to researchers at Rapid7. Joakim...

Apple Safari and Adobe Flash have proved to be Pwn2Own 2016’s biggest punching bags so far—hackers took down both, earning $282,500 in prizes at the first day of the annual hacking challenge in Vancouver on Wednesday. There were four successful attempts, one partial, and one failed attempt at the competition, which is held in tandem with the...

Apple iOS devices are in the crosshairs of another malware attack that has already infected an estimated six million non-jailbroken iOS devices in China, according to researchers. Palo Alto Networks found the new malware called AceDeceiver that infects iOS devices via Windows PCs and which leverages design flaws in Apple’s DRM software. So far, AceDeceiver has only impacted iOS...

VMware patched two cross-site scripting vulnerabilities in its products this week that if exploited, could lead to the compromise of a user’s client workstation. The bugs, stored XSS vulnerabilities and rated important, exist in the company’s vRealize Automation and vRealize Business Advanced and Enterprise platforms. Linux users running 6.x of vRealize Automation, a cloud automation...

Big-name websites were hit with a cunning malvertising campaign over the weekend that attempted to sneak TeslaCrypt ransomware on computers vulnerable to the potent Angler Exploit Kit. Top sites running the malicious ads included The New York Times owned NYTimes.com, Answers.com and AOL.com, according three separate security firms that spotted a spike in malvertising over...

Users who choose to enable X11Forwarding in OpenSSH, or those who use software products that re-enable it, should pay close attention to last Wednesday’s OpenSSH security update. The latest version of the open source implementation of the SSH protocol patches a flaw that exposes it to command injection attacks. The open source project cautions that OpenSSH...

Threatpost editor Mike Mimoso talks to Chris Valasek, Security Lead, Uber ATC, about the talk he and Charlie Miller gave at RSA, hacking cars, the challenges around getting manufacturers to patch vulnerabilities in vehicles, IoT, and more. [embedded content]