Security

Intel CPU flaw could enable hackers to attack PCs, cars, and medical devices

posted on November 17, 2021
by l33tdawg
Credit: Tech Central

Security researchers have discovered a bug in Intel CPUs that could enable a hacker with physical access to obtain enhanced privileges on the system.

According to a report by researchers at Positive Technologies, the problem exists in the Pentium, Celeron and Atom processors of the Apollo Lake, Gemini Lake and Gemini Lake Refresh platforms. These processors are used in both mobile devices and embedded systems, meaning everything from ultrabooks to Internet of Things (IoT) devices is affected.

Vaccine research among cyber attack targets

posted on November 17, 2021
by l33tdawg
Credit: BBC News

Organisations working on Covid vaccine research were one of the main targets of cyber attacks dealt with by UK computer security experts last year. The National Cyber Security Centre says it handled a record 777 incidents between August 2020 and September 2021.

Its annual review said protecting the health sector became an urgent priority over the period. The NCSC - part of GCHQ - said one in five incidents were aimed at organisations with links to health.

Firefox 94 adds plenty of new features, closes over a dozen security holes

posted on November 4, 2021
by l33tdawg
Credit: Flickr

Mozilla's release notes detail the updates, which include performance, security, and privacy enhancements.

Firefox will no longer prompt Windows users for updates, instead downloading and installing updates even when Firefox is closed. In Windows 11, Firefox will now support Snap Layouts menus.

Apple Pay security flaw allows hackers to steal your money when your iPhone is locked

posted on October 4, 2021
by l33tdawg
Credit: BGR

Researchers in the UK have discovered a flaw in Apple Pay that allows hackers to make unauthorized contactless payments from your iPhone. The researchers from the University of Birmingham and the University of Surrey published a paper on Thursday describing the method by which this flaw can be exploited. Hackers can even bypass the lock screen of an iPhone with this method.

A Simple Bug Is Leaving AirTag Users Vulnerable to an Attack

posted on October 4, 2021
by l33tdawg
Credit: Flickr

The hits keep coming to Apple's bug-bounty program, which security researchers say is slow and inconsistent to respond to its vulnerability reports. This time, the vuln du jour is due to failure to sanitize a user-input field—specifically, the phone number field AirTag owners use to identify their lost devices.

Exchange/Outlook autodiscover bug exposed 100,000+ email passwords

posted on September 24, 2021
by l33tdawg
Credit: Arstechnica

Security researcher Amit Serper of Guardicore discovered a severe flaw in Microsoft's autodiscover—the protocol which allows automagical configuration of an email account with only the address and password required. The flaw allows attackers who purchase domains named "autodiscover"—for example autodiscover.com, or autodiscover.co.uk—to intercept the clear-text account credentials of users who are having network difficulty (or whose admins incorrectly configured DNS).

OWASP updates top 10 vulnerability ranking for first time since 2017

posted on September 15, 2021
by l33tdawg
Credit: ZDNet

Nonprofit foundation Open Web Application Security Project (OWASP) has released an updated draft of its ranking of the top 10 vulnerabilities, the first changes to the list since November 2017.

The new list features considerable changes, including the emergence of Broken Access Control, which moved from fifth on the list to number 1. The organization said 94% of applications have been tested for some form of broken access control and "the 34 CWEs mapped to Broken Access Control had more occurrences in applications than any other category."

Hacker discovers serious iCloud flaws

posted on September 15, 2021
by l33tdawg
Credit: Mac World

One day in the spring, all links to Apple's Shortcuts suddenly stopped working, which attracted the attention of several news sites. The cause was thought to be a bug or an internal mistake, but now it turns out that it was Swedish hacker and security researcher Frans Rosén who accidentally deleted all the content in a database.

Rosén explains in a blog post how he discovered several security flaws in iCloud's database management. Among other things, Apple had made it possible for anyone to add and delete content in a number of databases belonging to various iCloud services.

Russia's Yandex says it repelled biggest DDoS attack in history

posted on September 13, 2021
by l33tdawg
Credit: Reuters

A cyber attack on Russian tech giant Yandex's servers (YNDX.O) in August and September was the largest known distributed denial-of-service (DDoS) attack in the history of the internet, the company said on Thursday.

The DDoS attack, in which hackers try to flood a network with unusually high volumes of data traffic in order to paralyse it when it can no longer cope with the scale of data requested, began in August and reached a record level on Sept. 5.