Oracle’s stewardship of Java has been scrutinized by the security community, which in 2013 languished through nearly a full year of targeted attacks exploiting zero days and other vulnerabilities in the platform. Since then, Oracle has improved the Java user experience by denying unsigned applets the ability to execute by default, and putting security restrictions...

Researchers from two security firms have uncovered the password guarding one of the backdoors discovered in Juniper Networks’ ScreenOS, the operating system behind its NetScreen enterprise-grade firewalls. Fox-IT and Rapid7 found the secret code, which was disguised to look like debug code, said Rapid7 chief research officer HD Moore. “This password allows an attacker to...

Nothing in Google’s arsenal carries more weight than its search engine rankings. Pair that weapon with a desire to inspire encrypted connections on the web, and you have a pretty powerful combination. More than a year ago, Google said it was testing a method where a site’s search ranking would be influenced by whether it...

Juniper Networks today has released an emergency patch that removes what it’s calling “unauthorized code” from ScreenOS that could allow attackers to decrypt VPN traffic from NetScreen devices. Juniper has not commented on the origin of the code it found. However, Juniper’s products were singled out, among others, in the National Security Agency’s product catalog...

A security researcher is in a bit of a scrum with Facebook over vulnerability disclosures that not only tested the boundaries of the social network’s bug bounty program, but also prompted threats of legal and criminal action. Wesley Wineberg, a contract employee of security company Synack, said today in a personal blogpost and in emails...

Four leading network management system providers are busying patching and preparing fixes for a half-dozen critical cross-site scripting and SQL injection vulnerabilities disclosed Wednesday by Rapid7. Two of the affected vendors, Spiceworks and Opsview, have already patched their respective products, while Ipswitch had promised to patch two bugs in its NMS product yesterday, and Castle...

Attacks are accelerating against a now-patched Joomla zero-day vulnerability, putting pressure on site administrators to update quickly. The patch was published on Monday, but not before attacks were spotted in the wild and carried out for at least two days, said researchers at security company Sucuri. The zero-day vulnerability affects all Joomla versions from 1.5 to...

A relatively small number of Twitter users, including a few connected to security and privacy advocacy, have been informed that their accounts have been targeted by state-sponsored hackers. Notifications began appearing in the inboxes of affected users two days ago, with very little concrete information accompanying the warning. Twitter said in the notification that the...

A new run of Spy Banker banking malware infections has been targeting Portuguese-speaking victims in Brazil. While Spy Banker is an old threat, dating back to 2009 according to some security companies, the latest wrinkle attackers are taking is a new one. The campaign, spotted by researchers at Zscaler, spreads primarily over social media—Facebook for...

An unusual DDoS amplification attack was carried out 10 days ago against many of the Internet’s 13 root name servers, the authoritative servers used to resolve IP addresses. The attacks happened on Nov. 30 and again on Dec. 1, and each time, massive volumes of traffic, peaking at five million queries per second, were fired...