Apple Releases Security Update for OS X Yosemite

Original release date: March 20, 2015

Apple has released Security Update 2015-003 for OS X Yosemite v10.10.2 to address multiple vulnerabilities. Exploitation of one of these vulnerabilities may allow a remote attacker to take control of an affected system.

US-CERT encourages users and administrators to review Apple Security Update 2015-003 and apply the necessary updates.


This product is provided subject to this Notification and this Privacy & Use policy.


Mozilla Releases Security Updates for Firefox, Firefox ESR, and SeaMonkey

Original release date: March 20, 2015

The Mozilla Foundation has released security updates to address vulnerabilities in Firefox, Firefox ESR, and SeaMonkey. Exploitation of these vulnerabilities may allow a remote attacker to take control of an affected system.

Available updates include:

  • Firefox 36.0.3
  • Firefox ESR 31.5.2
  • SeaMonkey 2.33.1

Users and administrators are encouraged to review the Security Advisories for Firefox, Firefox ESR, and SeaMonkey and apply the necessary updates.




All four major browsers take a stomping at Pwn2Own hacking competition

The annual Pwn2Own hacking competition wrapped up its 2015 event in Vancouver with another banner year, paying $442,000 for 21 critical bugs in all four major browsers, as well as Windows, Adobe Flash, and Adobe Reader.

The crowning achievement came Thursday as contestant Jung Hoon Lee, aka lokihardt, demonstrated an exploit that felled both the stable and beta versions of Chrome, the Google-developed browser that's famously hard to compromise. His hack started with a buffer overflow race condition in Chrome. To allow that attack to break past anti-exploit mechanisms such as the sandbox and address space layout randomization, it also targeted an information leak and a race condition in two Windows kernel drivers, an impressive feat that allowed the exploit to achieve full System access.

"With all of this, lokihardt managed to get the single biggest payout of the competition, not to mention the single biggest payout in Pwn2Own history: $75,000 USD for the Chrome bug, an extra $25,000 for the privilege escalation to SYSTEM, and another $10,000 from Google for hitting the beta version for a grand total of $110,000," Pwn2Own organizers wrote in a blog post published Thursday. "To put it another way, lokihardt earned roughly $916 a second for his two-minute demonstration."


Windows 10 to make the Secure Boot alt-OS lock out a reality

Those of you with long memories will recall a barrage of complaints in the run up to Windows 8's launch that concerned the ability to install other operating systems—whether they be older versions of Windows, or alternatives such as Linux or FreeBSD—on hardware that sported a "Designed for Windows 8" logo.

To get that logo, hardware manufacturers had to fulfil a range of requirements for the systems they built, and one of those requirements had people worried. Windows 8 required machines to support a feature called UEFI Secure Boot. Secure Boot protects against malware that interferes with the boot process in order to inject itself into the operating system at a low level. When Secure Boot is enabled, the core components used to boot the machine must carry valid cryptographic signatures, and the UEFI firmware verifies them before it lets the machine start. If any of those files has been tampered with, breaking its signature, the system won't boot.

This is a desirable security feature, but it has an issue for alternative operating systems: if, for example, you prefer to compile your own operating system, your boot files won't include a signature that Secure Boot will recognize and authorize, and so you won't be able to boot your PC.
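The boot-time decision described in the two paragraphs above, as an added example that is not part of the original article. UEFI's authorized database (db) and forbidden database (dbx) can hold either certificates or raw SHA-256 image hashes; this model uses only the hash form (the EFI_CERT_SHA256_GUID entries) and leaves out Authenticode certificate verification, so the "images", the db/dbx contents and the helper names are all constructed for illustration. It shows the three outcomes the article describes: a vendor image boots, a tampered copy of it is refused, and a self-built kernel is refused until its hash is enrolled in db (or Secure Boot is switched off).

```python
import hashlib

# Simplified model of the UEFI Secure Boot image check. Real firmware verifies
# Authenticode signatures against X.509 certificates in db as well; here db and
# dbx hold only SHA-256 hashes of whole images, which UEFI also supports.


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for EFI boot executables (not real binaries).
VENDOR_BOOTLOADER = b"EFI\x00vendor-bootloader-v1"
SELF_BUILT_KERNEL = b"EFI\x00kernel-i-compiled-myself"
TAMPERED_BOOTLOADER = VENDOR_BOOTLOADER[:-1] + b"2"  # one byte changed

# The OEM shipped only its own bootloader hash in db; dbx starts empty.
DB = frozenset({sha256(VENDOR_BOOTLOADER)})
DBX = frozenset()


def secure_boot_check(image: bytes, db, dbx, enabled: bool = True):
    """Return (allowed, reason) for an image the firmware is about to run.

    dbx is consulted first: a revoked hash is refused even if db also lists it.
    """
    if not enabled:
        return True, "Secure Boot disabled: image not verified"
    digest = sha256(image)
    if digest in dbx:
        return False, "image hash is in dbx (revoked)"
    if digest in db:
        return True, "image hash is in db (authorized)"
    return False, "no db entry matches: refuse to boot"


def enroll_hash(db, image: bytes):
    """Model of enrolling your own image hash in db (e.g. via the firmware UI)."""
    return frozenset(db) | {sha256(image)}


def revoke_hash(dbx, image: bytes):
    """Model of a dbx update that blacklists a known-bad image."""
    return frozenset(dbx) | {sha256(image)}


if __name__ == "__main__":
    for name, img in [("vendor", VENDOR_BOOTLOADER),
                      ("tampered", TAMPERED_BOOTLOADER),
                      ("self-built", SELF_BUILT_KERNEL)]:
        allowed, why = secure_boot_check(img, DB, DBX)
        print(f"{name:10s} allowed={allowed}  ({why})")
    db_with_mine = enroll_hash(DB, SELF_BUILT_KERNEL)
    print("self-built after enrolling:", secure_boot_check(SELF_BUILT_KERNEL, db_with_mine, DBX))
```

The ordering matters in practice: a later dbx update can revoke an image that is still listed in db, which is how a compromised or buggy bootloader is retired without touching the allow list.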
