Fresh on the heels of RSA, the security world is still rife with high-profile hacks, international crackdowns and mega security updates. Here is a look at last week's highlights.
Google Chrome Compromised, Patched: It might be a record, but Google was uber quick to patch critical zero-day security holes in its Chrome browser less than 24 hours after they were exposed in two separate attacks during the CanSecWest conference Wednesday. In one hack, Vupen Security researchers broke into the Chrome browser in a matter of minutes during Pwn2Own, the infamous hacker contest sponsored by HP Tipping Point, exploiting previously unknown vulnerabilities. The browser took another beating that same day during its own sponsored hacker contest, Pwnium, when researcher Sergey Glazunov bypassed the Chrome sandbox with two zero-day exploits—a move that earned him a $60,000 cash prize from the company. Google's comprehensive update covers Windows, Mac OS X, Linux and Chromium OS.
Mega Apple Update: Apple wowed fans with the release of its new iPad 3 and Apple T.V. last week while delivering a monster update, iOS 5.1, that repaired more than 80 security holes on the iPhone 3GS, 4 and 4S, as well as iPod touch, iPad and iPad 2. The new iOS 5.1, available for the iPhone, iPod and iPad via automated update on the device or iTunes, addressed a slew of security bugs, including major repairs for WebKit, Passcode Lock, Siri, Kernel and CFNetwork, among others. Many of the security holes, if left unpatched, could expose the user to cross-site scripting attacks, cross-origin vulnerabilities, information disclosure and arbitrary code execution. Meanwhile, Apple's update was followed by the announcement a tethered jailbreak exploit by members of the Apple Dev Team via Twitter within hours of the iOS 5.1 release.
Anonymous Arrests: Anonymous had its share of media attention last week, but this time not so much for their hacking shenanigans. Feds unsealed documents last week regarding the arrests total of five men in the U.S. and abroad suspected to be core leaders of the hacktivist group LulzSec--an Anonymous spinoff-- and announced the guilty plea of the elusive hacker group leader known as “Sabu.” Altogether, the arrests included Ryan Ackroyd, a.k.a “kayla,” Jake Davis a.k.a. “topiary,” Darren Martin, a.k.a “pwnsauce” and Donncha O'Cearrbhail, a.k.a “Palladium,” who were charged in Manhattan federal court with computer hacking in attacks against Fox Broadcasting, Sony Pictures Entertainment and Public Broadcasting Service, among others. Police also arrested suspected hacker Jeremy Hammond , a.k.a “Anarchaos,” for crimes related to Strategic Forecasting, Inc. Meanwhile Hector Xavier Monsegur, a.k.a “Sabu,” pleaded guilty to 12 counts of related computer crimes, including the hacks into HBGary Federal and FBI affiliate Infragard, as well as other charges of fraud. The indictments follow just weeks after an international crackdown by Interpol in February that led to the arrests of 25 suspected Anonymous members in both South America and Europe.
Panda Lab/Vatican Hacks: Needless to say, Anonymous members weren't going to take the news of the international crackdown laying down. In what appears to be a retaliatory attack, Anonymous and Antisec members claimed to have compromised data and defaced the Website of security firm Panda Labs. The move followed a day after federal investigators indicted five suspected core members of LulzSec for hacking and various computer crimes. Meanwhile, last week Italian hackers associated with Anonymous also targeted the Vatican by knocking its Website offline for a few hours. The attack apparently was in retaliation for a host of transgressions, they claimed, including untold child abuse scandals, ideological stances on abortion and birth control and the sale of indulgences, among other things.
Adobe Update: Adobe released an out-of-cycle patch at the beginning of last week addressing a pair of critical vulnerabilities in Adobe Flash Player 126.96.36.199 and earlier versions for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 188.8.131.52 and earlier versions for Android 4.x, and Adobe Flash Player 184.108.40.206 and earlier versions for Android 3.x and 2.x. If exploited, the two security bugs, stemming from memory corruption errors in Matrix3D, could enable a hacker to launch an attack that could potentially allow information disclosure, crash a victim's system or remotely execute malicious code in order to take control of the affected machine. Thus far, it doesn't appear that either of the flaws have been exploited in the wild.