Monday, October 26, 2015

October's Patch Tuesday covers Windows, IE, Edge and Office

In October's Patch Tuesday, Microsoft rolled out SIX security bulletins that contain more than 30 vulnerabilities targeting Windows, Internet Explorer, Edge, and Office. Out of 6 bulletins released, 3 of them are rated as 'CRITICAL'. MS15-106 a critical rated bulletin addresses 14 vulnerabilities in the Internet Exlporer. The issues fixed in this bulletin are related to memory corruption, privilege escalation, information disclosure, and VBScript and JScript ASLR bypass issues. Another critical-rated bulletin is MS15-108 that patches various issues related to information disclosure, memory corruption, and ASLR bypass vulnerabilities in the VBScript and JScript scripting engines in Windows. Third and the last critical bulletin addresses a flaw in the Microsoft Windows that allows remote code execution by opening a specially crafted toolbar object in Windows. <more>

Wednesday, September 23, 2015

Apple iOS 9 PATCHES Airdrop flaw

Apple has released an update for iOS 9, fixes a critical security flaw allowing intruders to inject malicious files in iPhones that can be used to hijack victim's phone later on. Security researcher Mark Dowd from Azimuth Security found the issue which affects almost all devices using iOS 7 or later, along with all Mac OS X Yosemite versions. According to PoC where Mark Dowd was forcing crafted files to an iPhone using Apple's AirDrop, even though the request to transfer was denied by the user. AirDrop provides file sharing facility between iOS and OS X devices using WiFi and/or Bluetooth. AirDrop is vulnerable to directory traversal attack allowing intruders to make modification in victim's OS setting and install malicious apps and rest will be done accordingly. All an attacker needs to install a malicious app is to have a legitimate Apple enterprise certificate to validate the app's installation process. <more>

Beware!! Android Lollipop users

Researchers from University of Texas has found a security flaw in the lock screen feature of Android 5.x. According to John Gordon, a network security analyst at the University of Texas, the issue exists in the password field - unable to handle a sufficiently long string while the camera app is active, allowing an attacker to crash the lock screen. From the locked screen, one can easily bypass the security. The potential attacker can open the emergency call window, fill it with characters, then copy those into the password field via the settings option on the locked screen until the user interface crashes. By using USB debugging normally allows access to vulnerable device to execute arbitrary command or gain access to files with full rights. Google was notified about the issue earlier this year and responded swiftly to release a security patch in June to rectify this issue. Google urge users to apply updates on earliest basis. <more>