Friday, December 26, 2014

'mailx' security fix for various Linux flavors

'mailx' used for sending and receiving mail - widely used in several Linux distributions get the patch for two security flaws. Both the vulnerabilities occur due to improper parsing of email addresses and rated as "moderate". CVE-2014-7844 covers the execution of arbitrary shell commands locally, whereas CVE-2004-2771 fixes the execution of arbitrary commands by leveraging the fact that mailx interprets shell meta-characters in certain email addresses. BSD mailx and Heirloom mailx implementations are vulnerable to these issues affecting Red Hat Enterprise Linux, CentOS, Debian, Ubuntu, and possibly other distributions. Users are advised to apply the updates on earliest basis. CVE-2004-2771 is almost a decade old vulnerability. <more>

Android Coolpad devices bundled with backdoor

Coolpad - an Android based smartphones are equipped with a backdoor from the manufacturer. Obviously the idea is not only to give user preferences advertisement, but also install applications without the knowledge of users. Coolpad devices have a strong user base in China and Taiwan. Security researchers of Palo Alto Networks, discovers a security flaw in the backend management interface that uncover the backdoor's control system. According to Ryan Olson, intelligence director at Palo Alto, the CoolReaper backdoor is not only responsible for connecting to various C&C servers, but can also download, install and even activate any Android application without the user's permission. <more>

Thursday, December 18, 2014

Microsoft Last Patch Tuesday of 2014

Microsoft released last Patch Tuesday for 2014 year covering fixes for Internet Explorer, Office and Exchange Server. This month Patch Tuesday contains seven security bulletins - addressing twenty four security vulnerabilities. Out of seven, three bulletins are rated 'CRITICAL' i.e.  MS14-080, MS14-081 and MS14-084. Internet Explorer gets fixes for 14 security flaws under MS14-080. Most of the vulnerabilities are related to memory corruption that allows remote code execution. MS14-084 also targets Internet Explorer due to improper rendering of VBScript engine causing memory corruption. MS14-081 addresses remote code execution vulnerabilities in Word and Microsoft Office Web Apps. <more>

Adobe plugs Flash Player 0-day vulnerability

Along with Microsoft, Adobe not only patched six security flaws in Flash but also addresses 20 vulns Reader and Acrobat. Out of six vulns patched in Flash, one is believed to be exploited wild. According to Adobe advisory, all fixes for Flash are rated as 'CRITICAL' allowing intruders to take complete control of the vulnerable system. These vulnerabilities affect Windows, Mac and Linux platforms. Adobe credits security researcher 'bilou' who flagged the issue via Zero Day Initiative (ZDI) owned by HP. Flash versions and earlier, and earlier 13.x versions, and and earlier versions for Linux are vulnerable and urged users to apply the fix on earliest basis, Adobe stated in the advisory. <more>

Monday, December 8, 2014

OOPS!! Another Flash Player update

This month is quite worrisome for Adobe Systems as it issues out-of-cycle Flash Player update. The reason is to fix a highly critical security flaw that allows cybercriminals to take complete control of vulnerable system. This issue was already covered under CVE-2014-8439 - released on 14th October'14 and further restriction being made on 25th November. Adobe credits Sebastien Duquette of ESET, Timo Hirvonen of F-Secure and cyber security researcher Kafeine for finding the vulnerability. According to Timo Hirvonen that they received the Flash exploit from Kafeine and analyzed the exploit by using Angler exploit kit. The result reveals that the issue is different from vulnerabilities patched in APSB14-22 advisory. We contacted the Adobe Product Security Incident Response Team about the issue. They acknowledges it and released an emergency update. <more>

Google's Dashboard leverages users about devices accessibility

Google rolls out new tools targeting enterprise apps customers to provide more control over the devices. According to post on Google work blog, this new dashboard shows all the devices that have accessed Google accounts during the last 4 weeks period. It will aid users to figure out unsolicited access at a glance. A guide for managing Google for Work security is also released so that end user will not face any issue during the setup and usage. The dashboard also provide an opportunity of IT managers to have a comprehensive view of device activity and can remotely alter security settings. Google believes that security is a shared responsibility in the cloud environment, so we all should make every step to ensure corporate information is secure. <more>

Friday, November 28, 2014

Microsoft rushes patch for Kerberos flaw

Windows security flaw being exploited by cyber criminals got an urgent patch apart from November Patch Tuesday. Kerberos - an authentication system used by all versions of Microsoft Windows is responsible for the issue that allows remote attackers to gain elevated privileges of domain administrator. Microsoft advisory states, "A remote elevation of privilege vulnerability exists in implementations of Kerberos KDC in Microsoft Windows. The vulnerability exists when the Microsoft Kerberos KDC implementations fail to properly validate signatures, which can allow for certain aspects of a Kerberos service ticket to be forged." Microsoft credits information security and risk management team of Qualcomm for identifying the issue. According to company, Windows Server 2012 and Windows Server 2012 R2 machines are not prone to this vulnerability. Users are advised to apply the patch on earliest basis. <more>

Google patches 42 flaws for Chrome

Google rolls out Chrome 39.0.2171.65 that fixes 42 security flaws in the web browser. Google Chrome now supports Apple Mac OS X running on 64-bit. Google has rewarded $41,500 to cyber security researchers for 12 security flaws reported. Researcher identified as "biloulehibou" got the highest reward of $7,500 for finding out an issue related to Adobe Flash player used in Chrome. Adobe advisory covered this issue under "double-free" vulnerability that allows intruders to execute arbitrary code. Chen Zhang of the NSFocus Security Team rewarded $5,500 for finding two bugs in the Blink rendering engine and Pepper plug-in interface used by Chrome. These issues are related to use-after-free vulnerabilities that allow remote code execution or possibly crash the vulnerable application. Latest version of Google Chrome disable fallback support for SSL 3.0 due to POODLE vulnerability. <more>

Friday, November 21, 2014

BIG Patch Tuesday fixes 33 vulns

November Patch Tuesday contains 14 security bulletins providing fixes for 33 vulnerabilities affecting all versions of Windows. Out of 14 bulletins, 4 bulletins are rated 'CRITICAL' whereas 8 bulletins declared 'Important' and the remaining 2 bulletins indicate moderate level severity. MS14-065 bulletin addresses 17 vulnerabilities affecting Internet Explorer. Most of the vulns are related to memory corruption and allows remote code execution by enticing a user to view malformed webpage. A vulnerability related to OLE which was previously exploited during Sandworm campaign is also patched under the CVE-2014-6352. A security flaw in the TCP/IP stack in Windows Server that allows remote attackers to execute arbitrary code on the vulnerable system is also patched along with other security bypass and privilege escalation issues. <more>

Apple devices HIT by Masque iOS malware

Security researchers at FireEye identified a new malware dubbed Masque targeting iOS devices. According to cyber security researchers, iOS versions 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta enterprise provisioning features are vulnerable that means almost 95% devices are under attacked by this malware. Hui Xue, design engineer at FireEye believes that at the moment not many users are affected on large scale, but admit that in near future the scope can be widen. FireEye contacted vendor and they are working on it. FireEye advised users to download apps only from Apple App store and don't click on pop-ups. <more>

Saturday, November 15, 2014

Google unleashes 'nogotofail' security testing tool

Google rolls out a security testing tool dubbed 'nogotofail' designed to help developers and cyber security researchers to make sure that the HTTPS connections are not vulnerable to security flaws or common configuration errors that allow intruders to exploit it. 'nogotofail' tool is used to counter 'goto fail' security flaw that affected Apple machines and other systems. The tool ensures that internet-connected devices and applications are not susceptible to transport layer security (TLS) and secure sockets layer (SSL) flaws. The deployment of this tool can be made on router, a Linux machine, or a VPN server and works for Android, Chrome OS, iOS, Linux, OS X, and Windows. The aim of this tool is to provide users a risk free HTTPS connection to ensure that their information is transmitted securely over the internet. <more>

Visa's contactless payment system security flaw

Visa - a digital payment company is under fire for its contactless payment system by a cyber security researcher from Newcastle University. According to researcher, criminals can make illegal huge transactions in any currency from visa holder accounts through point-of-sale machines. The researcher claims, an intruder enters the amount needed to be transferred after creating a fake POS terminal on a mobile phone or ATM. When a Visa card contacts with that POS terminal, approval of transaction is made with a code supplied by the card. That code is used by the bank to release the fund. Lead researcher, Martin Emms told that POS terminal can read a card even it is placed in the wallet. <more>

Friday, November 7, 2014

0-day flaw in Samsung 'Find My Mobile' service

Samsung smartphones users are being warned by National Institute of Standards and Technology (NIST) due to a newly discovered zero-day security flaw found in its 'Find My Mobile' service. The issue occurs due to improper validation of a lock-code data of the sender received during communication. 'Find My Mobile' service provides users to locate their lost devices and allow users to lock down their devices remotely so that no one else is able to access it. Cyber security researcher Mohamed Abdelbaset Elnoby is credited for finding out security vulnerability in the service. The flaw allows remote attackers to lock or unlock the affected device via CSRF attack. <more>

IBM Enterprise Insight Analysis to counter cyber crime

IBM talked about its latest service with a goal to improve data gathering and cater the need to fight against cyber crime promptly and efficiently. IBM launched this service at IBM Insight conference held in Las Vegas. IBM i2 Enterprise Insight Analysis (EIA) uncover hidden patterns found in huge volumes of data within few seconds. It works on data-to-decision process that makes it more reliable findings against cyber threats than formal security analysis which may take long durations to find out. IBM i2 Enterprise Insight Analysis works on IBM Power Systems to investigate "non-obvious" connections between data and uncover hidden activities. <more>

Saturday, November 1, 2014

HIGH RISK Windows bug exploited in the wild

Except for Windows Server 2003 all remaining versions of Microsoft Windows are susceptible to 0-day flaw found in the OLE (Object Linking and Embedding) technology that allows remote code execution on the victim's machine. OLE is used in the Microsoft Office applications to create and edit data in multiple formats. The company is also aware of targeted attacks which can be exploited by using PowerPoint documents. Due to this, Microsoft has come up with a workaround dubbed 'Fix it'. Microsoft gives credit to cyber security researchers Drew Hintz, Shane Huntley, and Matty Pellegrino of the Google Security Team and Haifei Li and Bing Sun of the McAfee Security Team for finding and analyzing the vulnerability. Company also urged users to perform double-check before opening Office documents especially PowerPoint documents. <more>

Google supports 2FA security mechanism for USB

In order to secure user accounts, Google is providing additional support to physical USB through two-factor authentication mechanism. Google has already implemented 2FA verification mechanism for their accounts which ask for user to provide input one-time-use codes received via text message or generated through mobile application. According to Google Security product manager, USB uses security key which starts after verifying the legitimacy of Google website. The Security Key only works with Chrome version 38 and later that uses Universal 2nd Factor (U2F) developed by the FIDO Alliance. <more>

Wednesday, October 22, 2014

Microsoft Patch Tuesday for October '14

In October's Patch Tuesday, Microsoft has rolled out eight security bulletins covering 24 security vulnerabilities across Windows, .Net Framework and Internet Explorer (IE). The update also cover a bug which reportedly targets NATO machines. The advisory contains three security bulletins declared as CRITICAL i.e., MS14-056 addresses Internet Explorer, MS14-057 addresses .NET Framework and MS14-058 addresses Microsoft Windows kernel mode driver. According to cyber security researcher from FireEye, two 0-day vulnerabilities targeting Windows Machines used by some major corporations are being exploited by cyber criminals. One of the patches addresses Sandworm cyberattack that allows remote code execution on Microsoft Windows Server 2008 and Windows Server 2012. Other five remaining updates are rated as IMPORTANT covering issues in ASP.NET MVC, Windows OLE and Microsoft office applications. <more>

Oracle Critical Patch Update fixes 155 vulns

This month is quite busy for system admins as there are plenty of security updates available due to Microsoft Patch Tuesday along with Adobe, Firefox, OpenSSL and now Oracle has released 155 security vulnerabilities in its quarterly update. The CPU addresses 25 bugs related to Oracle Java SE, 24 fixes for security flaws in Oracle MySQL, 31 fixes for Oracle Database Server in which only two could be remotely exploited without authentication. Besides this, 15 security fixes for Oracle Sun Systems, Oracle Fusion Middleware gets 18 fixes and 10 fixes for flaws in Oracle E-Business Suite. Oracle PeopleSoft Products and Oracle Supply Chain Products Suite also get 5 fixes each. The CPU contains 7 fixes for Oracle Virtualization while 2 fixes for Oracle Communications Applications. <more>

Wednesday, October 15, 2014

Google Chrome 38 gets HUGE patch this month

Google released the latest version of Chrome browser fixing almost around 159 security vulnerabilities. It's usually not often that Google addresses too many security patches simultaneously. Out of 159 bugs, 113 fixes related to minor vulnerabilities. Google also patched multiple high-risk vulnerabilities and one highly critical flaw in the V8 engine and IPC that brings $27,000 bug bounty reward for a researcher Juri Aedla that allows attackers to bypass sandbox and execute arbitrary code. <more>

PayPal flaw leverages access to blocked accounts

Global payment service provider PayPal is exposed to security threat that allows intruders to gain access to blocked accounts without providing further security information. The issue resides in the mobile API responsible for filtering of account access restrictions. Benjamin Kunz Mejri from Vulnerability Laboratory discovered the vulnerability and reported to Paypal in March 2013. The vulnerable application is based on iOS used by iPhone and iPad unable to check properly for restriction flags that would stop access to victim's account. Although the reported version was 4.6.0, but security researcher believes that latest version is also prone to this issue. <more>

Saturday, October 11, 2014

Joomla CRITICAL vulnerability PATCHED!!

Joomla, a widely used content management system (CMS) gets new security update which rectifies issues present in the previously released security patch. Earlier Joomla versions 3.3.5, 3.2.6 and 2.5.26 were rolled out to patch remote file inclusion and denial-of-service (DoS) attack. But later on, Joomla developer requested users to halt their systems patching as they found some errors in the earlier released patch. On Wednesday, Joomla released new versions 3.3.6, 3.2.7 and 2.5.27. Extension Manager should be used by those users who updated the earlier released patch, as they will not be able to get it through normal update. <more>

TRIPLE rewards in Google Chrome bug bounties

Bug bounties play a huge role in finding out security threats that make vendor applications more stable and at the same time researchers get monetary benefits, so we can say it's a win-win situation for everyone. Google has also realized the importance and thus increased the payment of bug bounty program. According to Google, the company has stretched the maximum payment limit to $15000 for finding a bug that means it is almost triple the payment which was earlier $500-to-$5,000 per bug. Google claims that over 700 security flaws have already been fixed through bug bounty programs. Company has also amend its submission policy in order to ease out submit process for cyber security researchers. This will give researcher an option to submit the vulnerability in the first step and provide the exploit later on. <more>

Friday, October 3, 2014

iPhone 6 TouchID scanner susceptible to hacking.

As far as Apple TouchID fingerprint security scanner is concerned it is pretty much the same as what we had in iPhone 5s. Apple iPhone 6 TouchID is still prone to hacking like last year's TouchID. It plays a vital part in the company's upcoming mobile payment service. According to a researcher at cyber security company Lookout Inc., TouchID can be hacked and can be used for fraudulent activities. To prove his point security researcher Marc Rogers created an exploit in which he used multiple forged fingerprints in order to deceive the scanner by using the same technique that was used by him when exploiting iPhone 5s. TouchID does not have time-out feature which allows attackers to perform brute-force attacks. <more>

Bash command flaw affects Linux and Mac machines.

Bash is a Unix shell used to control the command prompt. Recently discovered Bash flaw put computers running on Linux and Mac platforms at risk. Security researchers considered Bash command flaw as a bigger threat when comparing with the Heartbleed bug which made the headlines in April. According to experts from cyber security companies, hacker can take full control of the vulnerable system by exploiting bash flaw. US-CERT advises Linux and Mac users to obtain OS 'security patches' from their respective vendors. Heartbleed flaw is used for spying purposes where as Bash flaw allows remote code execution on the vulnerable system that makes it more devastating than Heartbleed. <more>

Friday, September 26, 2014

Apple iOS 8 fixes 53 vulns

Apple has released the latest version of iOS 8, fixing 53 vulnerabilities. Among these vulnerabilities, the most sever 'security threats' allow code execution with root privileges. Similarly other flaws can be exploited to execute arbitrary code with kernel or system privileges. Most vulnerabilities affect the WebKit browser engine that can be exploited when a victim is enticed to visit a specially crafted web page. iOS 8 minimize the threat of stealing Wi-Fi credentials by disabling the Lightweight Extensible Authentication Protocol (LEAP) which was not disabled by default in the earlier versions. <more>

Android flaw puts privacy at risk

According to security researcher Rafay Baloch, Android versions prior to 4.4 are prone to security bypass issue that allows intruders to gain control of a user's sessions on other sites. The issue is actually related to XSS flaw due to improper handling of javascript: strings preceded by a null byte character in the browser, which hampered the enforcement of same-origin policy. After the 'exploit' released under a Metasploit module by Rapid7 team, Google has acknowledged it and start working on a 'security patch' for earlier version KitKat. <more>

Friday, September 19, 2014

September’s PATCH TUESDAY fixes 42 flaws

On September 9th, Patch Tuesday fixes 42 security flaws covering Windows, Internet Explorer, .NET Framework, and Lync Server. This month Patch Tuesday contains a total of FOUR different bulletins, one of which was rated as CRITICAL. Internet Explorer (IE) has clinched the limelight by addressing 37 vulnerabilities under MS14-052 bulletin. Where as MS14-053 and MS14-055 fix Denial of Service (DoS) issues in the .Net framework and Lync Server respectively. MS14-054 security update addresses a vulnerability in Microsoft Windows Task Scheduler that allows attackers to gain elevated privileges via a crafted application. <more>

Google Glass susceptible to hacker profiling

According to Kaspersky Lab, a wearable technology Google Glass is prone to hacker profiling through network vendors attacks. Kaspersky researchers, Roberto Martinez and Juan Andres Guerrero have done in-depth analysis of Google Glass and Samsung Galaxy Gear 2 in search of privacy issues that could be faced by users. Bluetooth or Wi-Fi can be used to browse the web through Google Glass. Wi-Fi doesn’t need a separate mobile device to access the Internet. According to security researcher, as the data transmission is not fully encrypted giving an opportunity for intruders to intercept sensitive information via Man-in-The-Middle (MiTM) attacks. <more>

Monday, September 15, 2014

NO MORE!! Man-In-The-Middle attacks in Firefox

Latest Firefox implements support for public-key pinning feature. This newly added feature validates the authorization of a server based on an internal list of trusted certificates. Secure communication can be accomplished by encrypting the data, based on a digital certificate issued by any Certificate Authority (CA) and then verify the service identity. Earlier forged certificates had been obtained by cybercriminals and get valid SSL certificate for a domain by deceiving Certificate Authority (CA). Another way of getting the certificate through hacking into their systems and issued on their behalf. The latest firefox wiped out these risks through public-key pinning where digital certificate of the website compares with the certificate present in the browser and it must be matched for communication. <more>

Twitter unleashes bug bounty program

Online social networking service Twitter has launched a bug bounty program in an effort to eliminate the security flaws by giving the opportunity to researchers to formally disclose vulnerabilities and in return get the reward. Twitter has outsourced this program to HackerOne. Although there is no maximum limit for the reward but a minimum reward of $140 is offered for one vulnerability. The security flaws include XSS, CSRF, remote code execution and unauthorized access to tweets and direct messages. Only way a researcher is eligible to monetary reward is to report the bug and will not disclose publicly until the patch is available. <more>

Saturday, September 6, 2014

50 security fixes for Google Chrome

Google Chrome latest version 37.0.2062.94 got 50 security fixes last Tuesday. Security researcher 'lokihardt@asrt' received a huge amount of $30,000 for finding out flaws in Chrome JavaScript engine V8, the Inter-process Communication (IPC), the data synchronization component and extensions. Most of the vulnerabilities allow remote code execution. Besides this other researchers found use-after-free vulnerabilities in DOM, SVG and bindings, spoofing of the extension permission dialog, uninitialized memory read in WebGL and Web Audio. Researchers who worked with the Chrome development also discovered flaws based on internal audits, fuzzing and other types of activities through Address Sanitizer tool. <more>

Facebook to fix auto iPhones calls

Social networking giant Facebook will soon release an update for its messenger app. The patch will fix the issue on iOS that allows attackers to make calls automatically from users' phones by clicking on web link. Andrei Neculaesei a developer from Copenhagen discovered the flaw which can be triggered through the tel URL scheme. According to Apple document, tel URL scheme is used to launch the mobile app on iOS devices and allow dialing of the specified phone number. Applications like Facebook Messenger, Apple's Facetime, Google+ and Gmail usually don't show a pop-up for alerts when users tap a telephone link in a webpage and allow making calls without user consent. <more>

Wednesday, August 27, 2014

Massive DDoS attacks from Facebook datacenters

The issue is being first reported by Teofil Cojocariu, a researcher with the Cyber Security Research Center from Romania (CCSIR) in June when Facebook added a new feature allowing administrators to refresh the content of attachments. Cojocariu created an exploit that can cause DDoS attacks through Facebook datacenters. After Facebook fixed the issue, the impact on smaller websites especially with limited bandwidth could be more devastating. Larger companies are no more vulnerable to this after getting the patch. First, the intruder look for large image on the vulnerable server/website and published that image link on a Facebook page with Only Me privacy parameter. Then attacker uses "Refresh share attachment" feature which refreshes the attachment and captures the request. By forcing server to request for the same file can cause huge traffic. <more>

Google Chrome bolsters safe browsing mechanism

Google Chrome enhancing the capabilities for safe browsing protection mechanism and now generating alerts for users to protect them from downloading deceptive apps. On 14th August, Moheeb Abu Rajab, a Google security staff engineer announced the added protection on the Google Chrome Blog. "We'll show a warning in Chrome whenever an attempt is made to trick you into downloading and installing such software," wrote Rajab. "If you still wish to proceed despite the warning, you can access it from your Downloads list." Additional information about user protection can be obtained from Google's Safety Center. <more>

Wednesday, August 20, 2014

MS14-045 - 'Blue Screen of Death' update

On 12th August, Microsoft released updates on its monthly Patch Tuesday. The update MS14-045 rated as 'important' that fixes Windows kernel security issues related to privilege escalation and code execution. Users have reported a blue screen of death (BSoD) on their machines which prompts Microsoft to pulled off the vulnerable patch. According to company, a blue screen of death is occurred due to mishandling of a Windows font cache file in certain machines. Meanwhile Microsoft has come up with a workaround. <more>

Symantec bundles NINE products into ONE

California-based security company Symantec has decided to bundle Nine Norton products into one product which will be available in the market from 23rd September for $79 on annual basis. Products like Norton Internet Security, Norton AntiVirus and Norton360 won't be available separately as it will be stream line in a new tool 'Norton Security'. Other features are improved user interface along with cloud based management that provides the ability for users to manage devices through Norton online accounts. <more>

Saturday, August 16, 2014

0-day in Adobe Reader and Acrobat Patched

Adobe systems has rolled out a new version of Adobe Reader and Acrobat 11.0.08. The latest release fixes zero-day vulnerability in the applications that allow an intruder to bypass sandbox protection mechanism. Only Windows platform are susceptible to this issue while OS X variants remain unaffected. Although advisory does not give enough information about the issue, but it seems that it is exploited by criminals. Names of Costin Raiu and Vitaly Kamluk of Kaspersky Labs are mentioned in 'Acknowledgments' section of the advisory. Users are advised to apply the patch on earliest basis to remain secure. <more>

Apple addresses Safari Webkit flaws

Apple releases Safari 6.1.6 and 7.0.6 in order to fix WebKit issues and other security concerns. Seven vulnerabilities are fixed that allow remote code execution or crash the vulnerable browser. Out of Seven, Five were discovered by Apple and the rest two are credited to Google's Chrome Security Team along with an anonymous researcher. Earlier same issue was reported in May that can cause Macs machines to crash and it was patched by the company. Users are advised to go for new versions which can be downloaded through Software update. <more>

Friday, August 8, 2014

Symantec Endpoint Protection 0-day bug PATCHED!!

After being alerted about some privilege escalation vulnerabilities in its Endpoint Protection product on July 29, Symantec immediately released an advisory with mitigation solutions, and now it has made available a patch for administrators. They need to access the FileConnect service and download the Symantec Endpoint Protection 12.1 Release Update 4 Maintenance Patch 1b (RU4 MP1b), which updates the product to version 12.1.4112.4156. The client update can be applied to version 11.0 of the product too. <more>

Cisco fixes OSPF flaw affecting multiple products

Cisco has shipped a patch for a buggy Open Shortest Path First (OSPF) routing implementation it says offers exploits that include traffic blackholing or interception. As the advisory notes, the vulnerability "could allow an unauthenticated attacker to take full control of the OSPF Autonomous System (AS) domain routing table, blackhole traffic, and intercept traffic". Crafted OSPF packets can be sent to devices running the faulty code, and those packets would make the targeted router flush its routing table. A crafted OSPF Link State Advertisement (LSA) type 1 update can then be propagated through a targeted domain. <more>

Friday, July 25, 2014

Mozilla patches security bugs in Firefox

Mozilla officially released the stable version of Firefox 31 for all supported platforms, integrating 11 security fixes, three of them being marked as critical. One of the major vulnerabilities corrected would allow exploitation of a WebGL crash with Cesium JavaScript library. Details about this glitch are not available at the moment, but Mozilla notes that it cannot be leveraged through email in the Thunderbird client because scripting is disabled. Another flaw refers to a use-after-free vulnerability when handling DirectWrite font. Exploiting it would be possible on Windows platform only, OS X and Linux remaining unaffected. <more>

Backdoor discovered in Apple iOS devices

A security researcher is claiming to have found a set of services in iOS that appear to be a firmware-level backdoor in iOS devices. What's more interesting is that Apple has, in a very non-Apple manner, responded to his claims by posting a support page about it. He claims that these are confirmations of the backdoors that he found in iOS and that Apple claims to use them for diagnostic and enterprise purposes. These backdoors can only be accessed by Apple (or anyone that has access to Apple's services) so they're mostly secure backdoors, but they are backdoors nonetheless. Most consumers are completely and wholly unaware that alternative pathways into their devices exist and can be exploited by anyone (in this case Apple) other than themselves. <more>

Saturday, July 19, 2014

Oracle patches 113 updates

Oracle has issued 113 fixes relating to products in nearly its entire services portfolio in its latest quarterly Critical Patch Update. Oracle announced the details of its July Critical Patch Update, which was released on Tuesday, via a threat advisory on its website. The advisory details fixes for key Oracle products and services, including Fusion Middleware, Database, Server, Hyperion, Enterprise Manager Grid Control, E-Business Suite, Supply Chain, PeopleSoft, Siebel CRM, Communications, Retail, MySQL, Virtualization, Sun Systems and Java SE (JSE). Oracle urged customers to update their systems as soon as possible: "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible." <more>

Google Project ZERO

Google has set up an internal task force that will work to expose the activities and techniques of malicious Internet wrongdoers, aiming to cut down on the number of targeted cyberattacks. "You should be able to use the Web without fear that a criminal or state-sponsored actor is exploiting software bugs to infect your computer, steal secrets or monitor your communications," wrote Chris Evans, a Google security researcher, in a blog post Tuesday announcing the initiative, called Project Zero. <more>

Saturday, July 12, 2014

Microsoft July Patch Tuesday updates

Microsoft has released a critical fix for vulnerabilities in its popular Internet Explorer web browser, as a part of its latest monthly Patch Tuesday update. The Internet Explorer (IE) update is one of two critical updates this month and could theoretically be used by hackers to mount remote code-execution attacks. Qualys CTO Wolfgang Kandek said, while serious, none of the vulnerabilities are zero-day, meaning their potential use to hackers is limited. "There are no zero-days open for IE, which would dictate the shortest turnaround possible for the installation of the patch, but nevertheless IT admins should schedule the IE patch for a quick installation," he said. The second critical bulletin relates to Microsoft's now ancient Windows XP Tablet Edition, and its Windows Journal note-taking application. <more>

Stealing password via Google Glass

A new computer vision attack could allow Google Glass wearers to steal passwords typed in on nearby tablet or smartphones - even if the attackers do not have a clear view of the screen, according to a report by CNN. The technique could allow attackers to crack 90% of passcodes from up to ten feet distance - and regardless of whether the screen is obscured by glare. The distance is even bigger if an attacker uses a hi-def camcorder - up to 150ft. "I think of this as a kind of alert about Google Glass, smartwatches, all these devices," says Dr Xinwen Fu of University of Massachusetts in Lowell. "If someone can take a video of you typing on the screen, you lose everything." Instead of "watching" the screen, the software developed by Dr tracks the user's finger in video recordings - tracking the fingertip's relative position to the screen. <more>

Saturday, July 5, 2014

Apple releases security fixes for iOS, OS X, Safari

Apple on Monday updated both OS X and iOS, patching 19 security vulnerabilities in the former and 44 in the latter. OS X 10.9.4, aka "Mavericks," and iOS 7.1.2 each contained several non-security fixes as well. Mavericks received 19 patches, 11 of them rated critical with the description that an exploit may be able to execute "arbitrary code," Apple-speak for the most serious tier of vulnerabilities. The separate Security Update 2014-003 addressed three bugs in Lion and eight in Mountain Lion, the precursors to Mavericks which shipped in 2011 and 2012, respectively. Nine of the 19 Mavericks vulnerabilities -- and 8 of the 11 critical flaws -- were reported to Apple by Ian Beer, a Google security engineer. <more>

Microsoft boosts ENCRYPTION in, OneDrive

Microsoft is making good on the promises they made last December, when they announced that they will - among other things - strengthen the encryption of customer data across their networks and services, including, Office 365, SkyDrive and Windows Azure. Matt Thomlinson, VP of Microsoft's Trustworthy Computing Security, has disclosed on Tuesday that Transport Layer Security (TLS) and Perfect Forward Secrecy (PFS) encryption support has been added to, for both outbound and inbound email. He noted that TLS works well only if other email service provider support it, and has shared that Microsoft has been working with several international providers such as Deutsche Telekom, Yandex and Mail.Ru to test the feature. <more>

Saturday, June 28, 2014

Android 4.4 is PATCHED but earlier versions still vulnerable

IBM researchers have discovered a critical security vulnerability in Android 4.3 (Jelly Bean) and below which could allow attackers to exfiltrate sensitive information - credentials, private keys - from vulnerable devices. The vulnerability is found in Android's secure storage service KeyStore, and can be misused to cause a stack-based buffer overflow, which would then allow malicious code to be executed under the keystore process. The vulnerability was discovered last September, and immediately disclosed to the Android Security Team. A patch for the flaw was included in the new Android version (4.4 - KitKat) a few months later <more>

PayPal's Two-Factor authentication bypass vulnerability

PayPal was one of the first large online services providers to offer two-factor authentication to its users, but until recently the company's implementation had a loophole that could have allowed attackers to bypass this additional protection. Two-factor authentication (2FA) systems prevent hackers from misusing stolen user names and passwords by requiring an additional randomly generated security code during the authentication process. Depending on implementation, the secret codes can be generated using a special mobile application, can be received via text message or can be generated by a physical hardware device. According to researchers from 2FA provider Duo Security, the PayPal "Security Key" feature -- which is what the payment service provider calls its two-factor authentication system -- could have easily been bypassed until Monday through the company's mobile apps and API (application programming interface). <more>

Saturday, June 21, 2014

Microsoft fixes DoS flaw in its Malware Protection Engine

The Microsoft Malware Protection Engine that is integrated into several Microsoft anti-malware products, including Microsoft Security Essentials, was updated on Tuesday to address a vulnerability that could enable a denial-of-service (DoS). Microsoft Forefront Client Security, Microsoft Forefront Endpoint Protection 2010, Microsoft Forefront Security for SharePoint Service Pack 3, Microsoft System Center 2012 Endpoint Protection, Microsoft Malicious Software Removal Tool, and Windows Intune Endpoint Protection, as well as various versions of Window Defender, are among the affected software. Microsoft has deemed the vulnerability to be "important", meaning it could be exploited to compromise user data or processing resources, but not without user action, according to a Microsoft advisory posted on Tuesday. <more>

Android and iOS both have security risks

When it comes to enterprise security, most often the platform used behind the company's network is rarely a compelling argument, a report from a security company shows. From a regular user's standpoint, iOS offers more security thanks to Apple's controlled app distribution and limitations imposed to the operating system. On the other hand, Android users have more resources to pull the apps from, hence they're exposed to a higher security. If the user downloads the resources from reputable places, the danger is greatly mitigated. However, a threat report around the BYOD (Bring Your Own Device) theme, released by Marble Security, shows that in an enterprise environment, neither operating system "is inherently more secure than the other." The report explains that despite Apple's tight app distribution control, a non-jailbroken iOS device can still download software from enterprise app market places, through various testing apps and programs. <more>

Friday, June 13, 2014

Microsoft massive Patch Tuesday for June

Microsoft has released updates for critical flaws in Word, Office, and Internet Explorer, along with firmware updates for its Surface 2 tablet line. Microsoft said that the June edition of Patch Tuesday would address a total of 66 common vulnerabilities and exposures (CVE)–class vulns, most of them in Internet Explorer. In total, the IE bulletin addresses 59 flaws, an unusually large patch load considering Microsoft's monthly update cycle. The update, which applies to all versions of Internet Explorer 8 through 11, includes fixes for remote code execution and elevation of privilege flaws in the browser. The company said that two of the flaws have already been publicly disclosed, and that the update should be considered a top priority for testing and deployment. The second critical bulletin will address a flaw in the Microsoft Graphics Component which could potentially allow remote code execution by way of a specially crafted webpage or file. The flaw is present in all currently supported versions of Windows, Office, and Lync. <more>

Mozilla addresses seven flaws in Firefox 30

The Mozilla Firefox 30 browser does not include major new features, yet it does provide users with security fixes and some incremental updates. Released on June 10, Firefox 30 improves on the Firefox 29 browser, which debuted April 29 with the biggest user interface update for the open-source browser in years. Firefox 30.0 includes seven security advisories attached to the open-source browser release. As is common in nearly every Firefox release, one of the security advisories is identified as fixing "miscellaneous memory safety hazards."  In the case of Firefox 30, only two memory hazards, CVE-2014-1533 and CVE-2014-1534, are patched. Firefox isn't the only Web browser that has to face the challenge of memory-related security vulnerabilities. As part of its June Patch Tuesday update, Microsoft patched the Internet Explorer browser for 54 memory-corruption vulnerabilities. In addition to the miscellaneous memory safety hazards, three of the Firefox security advisories deal with use-after-free memory vulnerabilities. <more>

Friday, June 6, 2014

SIX more bugs found in OpenSSL

The OpenSSL team released a security update that fixes 6 vulnerabilities, two of which could be considered critical. The first one is an SSL/TLS MITM vulnerability (CVE-2014-0224). "An attacker using a carefully crafted handshake can force the use of weak keying material in OpenSSL SSL/TLS clients and servers. This can be exploited by a Man-in-the-middle (MITM) attack where the attacker can decrypt and modify traffic from the attacked client and server," it has been explained. "The attack can only be performed between a vulnerable client and server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution." <more>

Apache releases Tomcat patches

Apache recently patched Tomcat, fixing a trio of information disclosure bugs and a denial of service bug in the open source web server and servlet container. The denial of service bug, discovered in February by David Jorm of the Red Hat Security Response Team, could have allowed an attacker to create a malformed chunk size as part of a chunked request that would've allowed an unlimited amount of data to be streamed to the server. This would have bypassed the size limits enforced on a request and triggered a denial of service condition. <more>

Friday, May 30, 2014

Android devices and routers over Wi-Fi under New Heartbleed attack

The Heartbleed attack that left encrypted data vulnerable to theft is still causing problems, according to a new report. Luis Grangeia, partner and security services manager at information security firm SysValue, claims to have found a new vector that leaves wireless routers and Android devices vulnerable to attack. Dubbed "Cupid", the vulnerability theoretically lets attackers capture data transmitted between Android devices and Wi-Fi routers. Grangeia claims the attack uses the same procedure as Heartbleed, but it is carried out over Wi-Fi rather than the open web. Devices running Android 4.1.1 are already known to be vulnerable to Heartbleed, however Grangeia warns iOS and OSX may also be at risk from Cupid and that administrators should "test everything". <more>

Microsoft warns against Windows XP security update hack

Microsoft has warned Windows XP users against using a hack that tricks the company's servers into applying security patches to the now-unsupported operating system. The workaround first appeared on a forum website called Sebijk, which revealed how making a small change in XP's registry will fool Microsoft's upgrade servers into thinking they are applying security patches to newer versions of Windows. However, Microsoft has stressed that XP users exploiting the hack may encounter various problems and would not be fully protected. Microsoft said: "The security updates that could be installed are intended for Windows Embedded and Windows Server 2003 customers and do not fully protect Windows XP customers. Windows XP customers also run a significant risk of functionality issues with their machines if they install these updates, as they are not tested against Windows XP." It is not clear how long the update hack will remain usable now that Microsoft is aware of its existence. <more>

Friday, May 23, 2014

New IE 0-day details released

Hewlett Packard's Zero Day Initiative has released information about a zero-day vulnerability in Internet Explorer 8 that empowers the attacker to remotely execute code. The bug was discovered by Peter 'corelanc0d3r' Van Eeckhoutte of the Corelan Team. ZDI disclosed the vulnerability to Microsoft in October, which confirmed it in February. In keeping with its policy at the time of giving vendors 180 days to patch, ZDI decided to release general details of the bug today to the public. That policy was changed in February to 120 days. "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Internet Explorer," according to ZDI's advisory. "User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of CMarkup objects," ZDI continues. <more>

Facebook plans to offer free browser-based malware scanner

Facebook has announced plans to integrate anti-malware technologies from security firms Trend Micro and F-Secure into its services, in a bid to help spot and clean infected machines logging in to the service. Facebook software engineer Chetan Gowda announced that the company will offer the technologies to customers in a public blog post. "We've worked with F-Secure and Trend Micro to incorporate free anti-malware software downloads directly into our existing abuse detection and prevention systems," explained Chetan Gowda. "When logging in from the infected device, you'll see a notification screen about a malware infection, along with a recommendation to use F-Secure's malware scanning and cleanup technology or HouseCall from Trend Micro." Chetan Gowda said that people can choose to not use the services, but recommended that they heed Facebook's malware warnings. <more>

Friday, May 16, 2014

Eight security updates in May's Patch Tuesday

Microsoft released eight bulletins addressing 13 vulnerabilities in Internet Explorer, Windows, and Office as part of May's Patch Tuesday update. Three of them are already being exploited in the wild, Microsoft said. While Microsoft did not release any patches for XP users, experts believe the issues affect the old operating system as well. Microsoft ended support for Windows XP last month, which means users no longer receive security patches for the old operating system. Enterprises who shelled out for extended support contracts will still receive updates. The Internet Explorer update (MS14-029) is the highest priority patch this month. It is different from other IE patches because this is not a cumulative patch, which means users must install last month's cumulative IE update (MS14-018) before installing this patch. This month's bulletin includes the out-of-band fix from earlier this month which fixed a zero-day vulnerability (CVE-2014-1776). <more>

Adobe fixes Acrobat, Reader, Flash and Illustrator

Adobe Systems released critical security updates for several products Tuesday in order to fix vulnerabilities that could allow attackers to take remote control of systems running the vulnerable software. The products that received security patches were Flash Player, the Adobe AIR SDK (software development kit) and Compiler for building rich Internet applications, Adobe Reader, Adobe Acrobat, and Adobe Illustrator for CS6 (Creative Suite 6). While security updates for Flash Player, AIR, Reader and Acrobat are released on a monthly basis, security patches for Illustrator, especially critical ones, are rare, the previous one being released two years ago. In a security advisory Adobe said that the new Illustrator hotfix addresses a vulnerability that could be exploited to gain remote code execution on the affected system, but didn't specify how. The company recommends that users of Adobe Illustrator on Windows and Mac upgrade to the newly released 16.2.2 or 16.0.5 versions, depending on whether they're on a subscription or not. The new Flash Player versions released Tuesday, for Windows and Mac and for Linux, fix a total of six vulnerabilities. <more>

Friday, May 9, 2014

Apple iOS 7.1.1 flaw bypasses lock screen

A researcher has discovered an exploit in iOS 7.1.1 that allows hackers to bypass the iPhone's lock screen to send a text, email or call contacts simply by activating Siri. Egyptian neurosurgeon and part-time white hat hacker Shefif Hashim discovered the glitch earlier this week and posted a Youtube video detailing the steps of the iOS exploit. Hashim first tried and failed to unlock an iPhone 5S using its built-in fingerprint sensor, showing that the phone was locked. <more>

IBM kicks off new Cyber-Security services

IBM is offering organisations concerned about the risk of security breaches, attacks and data losses a software and services suite that mitigates against the impact of such incidents. The firm said that its Threat Protection System "disrupts threats", and will limit data losses, an increasingly common occurrence that can harm reputations and lead to financial and business penalties. The system has a range of features and tools and IBM said that one part, the Critical Data Protection Program, would help organisations identify and manage their key data and weak points. <more>

Saturday, May 3, 2014

IE security flaw patched by Microsoft, includes XP

Microsoft has released an emergency patch for Windows XP, 7 and 8.1, plugging a critical zero-day vulnerability in its Internet Explorer (IE) web browser that is known to be leaving one in four web users vulnerable to cyber attacks. The vulnerability was discovered by security firm FireEye at the end of April and is known to affect the IE6 to IE11 web browser versions. The vulnerability is particularly dangerous as it affects the older unsupported Windows XP as well as newer Windows 7 and Windows 8.1 versions of Microsoft's operating system (OS). Microsoft officially ceased support for Windows XP on 8 April, warning users that they would no longer receive security updates for newly discovered vulnerabilities affecting the OS. <more>

Facebook announces Anonymous Login

Facebook has unveiled a new tool that lets users log in to apps anonymously so they do not have to share information from their profile. Currently many applications allow users to log in with their Facebook profiles. However, many web users are wary about this as they are forced to let their data be siphoned off before they know anything about the app. Facebook has attempted to counter these concerns with its Anonymous Login service, so people can log in with their Facebook account, but not share any data. Users can choose to sign in with their account in full at a later date. The firm said: "Anonymous Login lets people log in to apps so they don't have to remember usernames and passwords, but it doesn't share personal information from Facebook. People can decide later if they want to share any additional information, once they understand more about the app." As well as introducing this functionality, Facebook also improved its normal login service, by giving users more control over the information they share with specific apps and other websites. <more>

Saturday, April 26, 2014

Apple iOS 7.1.1 patches flaws and fingerprints

Apple has released an update for its iOS software for iPad and iPhone devices, which includes improvements to its Touch ID fingerprint scanner and keyboard input, as well as several security updates. The 7.1.1 update is only 18.8MB in size and Apple states in the text accompanying the update that it contains "improvements, bug fixes and security updates." The most noteworthy fixes are for Apple's Touch ID fingerprint scanner to improve its recognition capabilities - which will only affect iPhone 5S devices - as well as a bug fix for keyboard responsiveness. <more>

Twitter experiences Tsunami of malicious messages

Twitter, the popular online service that lets you share a message in 140 characters or less to the rest of the world, has been hit by a massive wave of malicious messages. These messages were sent by hundreds of accounts that mention about dramatic weight loss as well as offering a link to a similar site that suspiciously pedals diet pills. When one has fallen to the temptation of clicking on one of those messages, they would be on the receiving end of a warning as seen above instead. It seems that this is the result of hundreds of Twitter accounts that have been hijacked earlier today in order to create this particular tsunami of malicious messages. <more>

Saturday, April 19, 2014

Oracle fixes 104 security holes with April 2014 CPU

Oracle's April 2014 Critical Patch Update has been released, and solves a total of 104 vulnerabilities found across many of its products, including Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle Supply Chain Product Suite, Oracle iLearning, Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Java SE, Oracle and Sun Systems Products Suite, Oracle Linux and Virtualization, and Oracle MySQL. The most important ones for regular users are the patches addressing 37 vulnerabilities in Java SE, as four received a CVSS Base Score of 10.0 (Highly Critical - remote code execution, easily exploitable). "Due to the relative severity of a number of the vulnerabilities fixed in this Critical Patch Update, Oracle strongly recommends that customers apply it as soon as possible," the company advised. <more>

Samsung Galaxy S5 fingerprint scanner hacked

Samsung's newly released Galaxy S5 phone sports a fingerprint scanner embedded in the home button that works well but unfortunately, like iPhone 5S' TouchID before it, can be tricked with a mould of the user's fingerprint. "Samsung's implementation of fingerprint authentication leaves much to be desired," researchers from Berlin-based security firm Security Research Labs (SRLabs) noted, and demonstrated how these flaws can be used to expose users' devices, data, and even bank accounts to thieves or other attackers. The researchers used the same fingerprint mould they employed to fool iPhone 5s' TouchID last year. The spoof was made under lab conditions, they noted, but is based on a camera phone photo of an unprocessed latent print lifted off a smartphone screen. <more>

Saturday, April 12, 2014

Windows XP's final Patch Tuesday

Microsoft has released its final security fixes for Windows XP as part of its latest Patch Tuesday update. The latest set of releases is quite light, with just four patches issued, two labelled as 'critical' and two as 'important'. These cover key Microsoft products Windows, Office and Internet Explorer. The six fixes within the patch for Internet Explorer cover several versions of Windows, including Windows XP, and is one of the critical releases. The issues were spotted by researchers at firms including Trend Micro, HP and Palo Alto Networks. "These vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer," Microsoft said. "An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user." The other critical fix covers Microsoft Office and Word, and also relates to a remote code execution vulnerability. <more>

Heartbleed bug exposes passwords

Internet security experts are scrambling to assess the extent of the breach caused by a massive bug called Heartbleed in the OpenSSL technology that runs encryption for two-thirds of the web and went unnoticed for two years until last week. A newly discovered bug in software supposed to provide extra protection for thousands of the world's most popular websites has exposed highly sensitive information such as credit card numbers, usernames, and passwords, security researchers said. The discovery of the bug, known as Heartbleed, has caused several websites to advise their users to change their passwords. "This might be a good day to call in sick and take some time to change your passwords everywhere - especially your high-security services like email, file storage, and banking, which may have been compromised by this bug," Tumblr wrote in a note to its many users. "The little lock icon (HTTPS) we all trusted to keep our passwords, personal emails, and credit cards safe, was actually making all that private information accessible to anyone who knew about the exploit." Yahoo, the owner of Tumblr, confirms that its users' passwords have been compromised. The bug was discovered late last week in the OpenSSL technology that runs encryption for two-thirds of the Internet. <more>

Saturday, April 5, 2014

Apple releases Safari 7.0.3 update for Mavericks

Apple on Tuesday patched the security vulnerability in Safari that was successfully exploited at last month's Pwn2Own hacking contest, where a team cracked the browser to win $65,000. The Cupertino, Calif. company seeded updates for both Safari 6 and Safari 7 yesterday, promoting the former to version 6.1.3 and the latter to 7.0.3. Safari 6.x runs on OS X 10.7, aka Lion, and OS X 10.8, better known as Mountain Lion. Safari 7.x runs on OS X 10.9, or Mavericks. Apple patched 27 vulnerabilities in Safari 6 and Safari 7, all in WebKit, the open-source browser engine that powers Safari, and all but one considered critical in that they could allow, the company said, "arbitrary code execution," Apple's terminology for the most serious bugs. <more>

Oracle Java Cloud Service bugs publicly disclosed

Researchers have released technical details and attack code for 30 security issues affecting Oracle's Java Cloud Service. Some of the issues make it possible for attackers to read or modify users' sensitive data or to execute malicious code, the researchers warned. Poland-based Security Explorations typically withholds such public airings until after any vulnerabilities have been fixed to prevent them from being exploited maliciously. The researchers broke from that tradition this week after Oracle representatives failed to resolve issues including bypasses of the Java security sandbox, bypasses of Java whitelisting rules, the use of shared WebLogic server administrator passwords, and the availability of plain-text use passwords stored in some systems. <more>

Tuesday, April 1, 2014

Microsoft reveals zero-day attacks against Word

The exploit that attackers are using to target a zero day vulnerability in Microsoft Word relies on a complex series of pieces, including an ASLR bypass, ROP techniques and shellcode with several layers of tools designed to detect and defeat analysis. Microsoft officials said the exploit is being used in targeted attacks right now and attackers are employing it to drop a backdoor on vulnerable machines. The vulnerability, which Microsoft acknowledged yesterday in a security advisory, affects several versions of Word and Office, both on Windows and OS X, and is related to a problem in the handling of RTF files. Microsoft also acknowledged that there is a theoretical method through which an attacker could trigger the vulnerability in Outlook, but that method hasn't been seen in the wild yet. <more>

Facebook shows off epic ThreatData security platform

Facebook unveiled a new automated ThreatData security service, claiming the advanced malware-detection and mitigation service has already helped take down a criminal campaign. Facebook unveiled the ThreatData service in a blog post. ThreatData is a central intelligence tool designed to automatically detect, catalogue, offer IT administrators information on and combat incoming cyber threats. The company said it has already successfully used ThreatData to spot and mitigate a campaign targeting feature phones. "In the summer of 2013, we noticed a spike in malware samples containing the string 'J2ME' in the antivirus signature. Further investigation revealed a spam campaign using fake Facebook accounts to send links to malware designed for feature phones," read the post. <more>

Saturday, March 22, 2014

New exploits arrive for old PHP vulnerability

The number of cyber attacks targeting PHP sites using a known vulnerability has skyrocketed over the past six months, despite the availability of a patch fix for the exploit. Security firm Imperva reported detecting a marked increase in the number of attacks targeting a vulnerability in PHP, which was patched in May 2012, in its Threat Advisory: PHP-CGI white paper. "On October 2013, a public exploit in PHP was disclosed, the exploit uses a vulnerability found in May 2012 and categorised as CVE-2012-1823," read the report. "Soon after the exploit was released, our honeypots have detected web servers being attacked with this exploit in different flavours. In the three first weeks following the publication we were able to record as many as 30,000 attack campaigns using the exploit." PHP is a common coding language used by 82 percent of the world's websites. The Imperva researchers said since the exploit was detailed, attacks targeting it have also increased in sophistication. <more>

Mozilla fixes Firefox flaws exploited at HP's Pwn2own

Mozilla on Tuesday patched five vulnerabilities exploited by researchers last week at the Pwn2Own hacking contest, where they were awarded $200,000 for their collective efforts. Firefox 28 was primarily a security update, patching the five Pwn2Own flaws and 15 others. At the hacking challenge, co-sponsored by HP TippingPoint's Zero Day Initiative (ZDI) bug bounty program and Google, Firefox fell to four teams or individuals, twice the number of hacks as any other browser. Each successful exploit earned the researcher(s) $50,000, the lowest award for any of the browsers: Apple's Safari, Google's Chrome, Microsoft's Internet Explorer and Firefox. Google patched the Chrome vulnerabilities last Friday, the day after Pwn2Own ended. <more>

Friday, March 14, 2014

Microsoft Patch Tuesday for March 2014

Microsoft has plugged a critical vulnerability in its Windows XP operating system in its latest patch Tuesday update, just weeks before it is due to end support for the decade-old platform. The Windows XP patch related to a critical vulnerability in the operating system's DirectShow service that could theoretically have been used by hackers to remotely execute code. Microsoft downplayed the significance of the vulnerability, confirming that it had been disclosed to the firm privately and only affects Windows XP. However, the flaw is troubling as Microsoft is due to officially cease support for Windows XP on 8 April. The cut-off has led to concerns within the security community. Experts from EY, FireEye and Trend Micro said they believe hackers are preparing XP exploits for use after Microsoft officially cuts support which could pose seriously problems for firms still running XP. Microsoft also released a permanent fix for a critical flaw in Internet Explorer (IE). FireEye discovered the flaw on 14 February and it is known to have been used by criminals to mount a sophisticated hacking campaign, codenamed Operation SnowMan. <more>

Samsung Galaxy devices backdoor discovered

One of the major issues with closed source operating systems is that there is no independent code review: you can never truly tell what is happening. Backdoors that have been placed in a device, maliciously or otherwise, could allow an attacker to have the power to wreak havoc on an unsuspecting victim. Paul Kocialkowski, a developer for a fully free/open version of Android, published a guest post on the Free Software Foundation detailing his discovery of a backdoor that has been implemented in a range of Samsung Galaxy devices. He commented on how he had found a Samsung program running in the background, binded to the communications processor, that allows the modem to remotely read, write, and delete files on the user's phone storage. Several Samsung devices give that program sufficient rights to access and modify the user's personal data. <more>

Friday, February 28, 2014

Apple iOS bug puts iPhones and iPads at risk

Security researchers have discovered a new flaw in Apple's iOS that could expose every action the user takes to a third party, even down to each letter and number typed. A team from security company FireEye have outlined how they were able to get an app onto iOS 7 devices such as iPads and iPhones that would monitor every single tap of the screen and broadcast that information to any remote server. Such information would potentially give hackers access to every single SMS, email and written note as the location of the screen presses gives away which button is being pressed on the virtual keyboard. The app can also record every home button press, changes of volume and TouchID fingerprint scanner use. Researchers claim that the attack is only at the "proof-of-concept" stage and there is no evidence that it has been used outside of a lab. And the group have informed Apple of their work and claim to be "collaborating on the issue". The attack works on even the latest version 7.0.4 of iOS and on non-jailbroken iPhones. <more>

Wi-Fi 'virus' could be used to attack wireless access points

Researchers from the University of Liverpool have demonstrated that a computer virus can spread through Wi-Fi access points between homes and businesses just like the common cold spreads from one human to another. The researchers have performed an experiment in a laboratory setting with the aid of the Chameleon virus, which uses a WLAN attack technique to infect access points and collect the credentials of all Wi-Fi users who connect to it. Then, it seeks out other access points, connects to them and infects them. The main issue highlighted by the researchers is the fact that many Wi-Fi access points are unprotected, allowing viruses like Chameleon to spread without difficulty. In their experiment, researchers simulated an attack on the cities of Belfast and London. While the virus can't spread via access points protected by encryption and passwords, it relies on ones that are not protected, like the ones in airports and coffee shops. <more>

Friday, February 21, 2014

Microsoft delivers 'Fix it' solution for IE10 attacks

Microsoft has finally issued a security advisory addressing the IE zero-day that has been recently actively exploited in attacks in the wild, and has followed with a Fix it tool to temporarily mitigate the issue until a patch is released. This zero-day is a remote code execution vulnerability, which may corrupt memory and allow an attacker to execute arbitrary code in the context of the current user within Internet Explorer. The vulnerability is easily triggered, and requires the targets to simply visit a specially crafted website hosting the exploit, or websites that accept or host user-provided content or advertisements that could exploit the vulnerability. It's only a matter of luring users to such a site. <more>

Adobe releases another emergency update for Flash

Adobe has released an emergency update for its widely used Flash Player to combat active attacks that exploit a previously unknown security bug that hackers are actively exploiting to surreptitiously install malware on end-user computers. The vulnerability, which affects the latest versions of Flash, was being exploited in drive-by attacks on the websites of at least three nonprofit organizations, according to a blog post published Thursday by researchers from security firm FireEye. <more>

Friday, February 14, 2014

Critical IE vulns addressed in Feb's Patch Tuesday

Microsoft has released 31 security fixes as part of its Patch Tuesday software update. These cover major products including Windows and Internet Explorer, as well as the firm's .NET Framework and Forefront Protection for Exchange. Four of the updates are marked as critical and three as important. Dustin Childs, group manager for Microsoft's Trustworthy Computing division, gave some more information in a blog post about the nature of the fixes, explaining that the issues with Internet Explorer were widespread. "This cumulative update addresses one public and 23 privately disclosed issues in Internet Explorer," he wrote. <more>

DoS issue puts Apache Tomcat servers at risk

Apache Tomcat is a widely used Web server for hosting applications developed with the Java Servlet and the JavaServer Pages (JSP) technologies are at risk due to denial-of-service issue. Recently, Security researchers published a proof-of-concept exploit for vulnerability that allows attackers to launch denial-of-service attacks against websites hosted on Apache Tomcat servers. The new denial-of-service vulnerability is located in Apache Commons FileUpload, a stand-alone library that developers can use to add file upload capability to their Java Web-based applications. This library is also included by default in Apache Tomcat versions 7 and 8 in order to support the processing of mime-multipart requests. The multipart content type is used when an HTTP request needs to include different sets of data in its body. <more>

Saturday, February 8, 2014

Adobe releases critical 0-Day exploit patch for Flash

Adobe has released a patch for a critical flaw in its Flash Player, which is believed to have been actively exploited by hackers. The patch addresses a flaw prevalent in the Windows and Mac OS versions of Adobe Flash Player and earlier, and Adobe Flash Player and earlier in Linux. The vulnerability was originally discovered by Kaspersky Labs researchers on 3 February. The Kaspersky researchers warned that the vulnerability is being used by an advanced group of hackers to mount sophisticated attacks capable of bypassing most security tools. "During the past months we have been busy analysing yet another sophisticated cyber espionage operation, which has been going on at least since 2007, infecting victims in 27 countries. We deemed this operation 'The Mask'," read the research note. "The Mask is leveraging high-end exploits, an extremely sophisticated malware which includes a bootkit and rootkit, Mac and Linux versions and a customised attack against Kaspersky products. <more>

Firefox 27 fixes 13 security holes

Mozilla has addressed a total of 13 security vulnerabilities with the release of Firefox 27. The list includes four critical, four high, four moderate and one low-impact flaws. The critical vulnerabilities, which can be exploited to execute arbitrary code without user interaction, are a use-after-free during image processing, an issue with image decoding in RasterImage, a crash when terminating a web worker running asm.js code, and miscellaneous memory safety hazards. The high-impact security holes are a cross-origin information leak through web workers, NSS ticket handling problems, and cloning protected XUL elements with XML Binding Language scopes. Boris Zbarsky, a Mozilla developer, has identified an inconsistency with the different JavaScript engines in the way they handle "window" objects. For additional details on the vulnerabilities fixed in Firefox 27, check out the vendor security advisories. <more>

Saturday, January 18, 2014

Oracle fixes 144 bugs including 36 Java flaws

Oracle has issued its first patch update of 2014 on Tuesday and it just so happens that it has been one of its biggest ever that includes a slew of security patches, many of which address vulnerabilities in Java. The Critical Patch Update will address 144 flaws in hundreds of Oracle products, 36 of which apply to vulnerabilities in Java SE, including 34 that are bugs that can be exploited remotely by an attacker without requiring authentication. "Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products", Oracle said in its pre-release announcement. "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible." <more>

Only FOUR bulletins for January Patch Tuesday

Microsoft disclosed four security bulletins describing a total of six vulnerabilities and released product updates to address these vulnerabilities. January Patch Tuesday repairs a privilege escalation bug in the ND Proxy Driver that manages Microsoft's Telephony API. Microsoft had released a mitigation that would have rendered the API unusable. The vulnerability was rated important because it could not be exploited remotely. An attacker would need to log in to a system with valid credentials and run a malicious application in order to exploit the vulnerability locally. <more>

Saturday, January 11, 2014

Yahoo found serving Java malware-spreading ads

Malicious ads served through Yahoo's ad network delivered malware to thousands of site visitors, according to researchers at Fox-IT, but Yahoo subsequently blocked the attack. Fox-IT's post said that visitors who saw the ads in their browsers were redirected to a "Magnitude" exploit kit. "This exploit kit exploits vulnerabilities in Java and installs a host of different malware," Fox-IT said, including ZeuS, Andromeda, Dorkbot/Ngrbot, ad-clicking malware, Tinba/Zusy and Necurs. The security company's investigation dated the start of the infection to December 30 but it said it might have begun earlier. Yahoo confirmed the infection and said it had taken action to remove it. <more>

Expert finds flaws in Google and Facebook

Security researcher Jitendra Jaiswal has identified a couple of interesting vulnerabilities in Facebook and Google. Both of them have been addressed. The security hole that plagued Facebook was an open URL redirect issue that allowed an attacker to redirect victims to any website without any restriction and without interaction on the user's part. Facebook rewarded the expert with $1,000 for his findings. As far as Google vulnerability is concerned, Jaiswal found a clickjacking (UI redressing) flaw on the Google Maps website that could have been exploited to change a user's Google+ profile picture, hijack his webcam, and update his status. Proof-of-Concept videos are available to see how the vulnerabilities could have been exploited. The issues were discovered last year in November, but the expert has only published their details now. <more>

Saturday, January 4, 2014

Unencrypted Windows crash reports open to hijacking

Microsoft's handy automated Windows error report feature "Dr. Watson" mostly transmits crash log data in the clear, leaving organizations that use the function vulnerable to targeted attacks, researchers say. Websense Security Labs found in a study of risks posed by some popular applications and services that Microsoft Windows Error Reporting, which automatically sends to the software giant details of a system crash, does so without encrypting the information. The sensitive information in these reports, which includes the make and model of the machine, BIOS version, ID, and applications, can help bad guys and even the National Security Agency profile potential targeted machines and networks. Word that the NSA was likely doing just that came among other new revelations in a report over the weekend by German publication Der Spiegel that pulled back the curtain on an elite team of NSA hackers called the Tailored Access Operations (TAO) Group. According to the report, TAO appears to use NSA's XKeyscore spy tool to grab Windows crash reports from Internet traffic it captures, and the intelligence can be used to profile a machine and exploit its vulnerabilities. <more>

Skype social media accounts hacked

Skype said its social media properties were targeted, with a group styling itself as the Syrian Electronic Army appearing to claim credit for the hacks. "You may have noticed our social media properties were targeted today," Skype said in a Twitter message late Wednesday. "No user info was compromised. We're sorry for the inconvenience." Skype's Twitter account, blog and Facebook page appeared to have been attacked by the SEA, a group that supports the Syrian government, according to reports. The Skype blog was still inaccessible late Wednesday and redirected users to the Skype home page. The SEA reproduced in a Twitter message a copy of what appeared to be its message using the Skype account on Twitter. <more>