Wednesday, October 22, 2014

Microsoft Patch Tuesday for October '14

In October's Patch Tuesday, Microsoft has rolled out eight security bulletins covering 24 security vulnerabilities across Windows, .Net Framework and Internet Explorer (IE). The update also cover a bug which reportedly targets NATO machines. The advisory contains three security bulletins declared as CRITICAL i.e., MS14-056 addresses Internet Explorer, MS14-057 addresses .NET Framework and MS14-058 addresses Microsoft Windows kernel mode driver. According to cyber security researcher from FireEye, two 0-day vulnerabilities targeting Windows Machines used by some major corporations are being exploited by cyber criminals. One of the patches addresses Sandworm cyberattack that allows remote code execution on Microsoft Windows Server 2008 and Windows Server 2012. Other five remaining updates are rated as IMPORTANT covering issues in ASP.NET MVC, Windows OLE and Microsoft office applications. <more>

Oracle Critical Patch Update fixes 155 vulns

This month is quite busy for system admins as there are plenty of security updates available due to Microsoft Patch Tuesday along with Adobe, Firefox, OpenSSL and now Oracle has released 155 security vulnerabilities in its quarterly update. The CPU addresses 25 bugs related to Oracle Java SE, 24 fixes for security flaws in Oracle MySQL, 31 fixes for Oracle Database Server in which only two could be remotely exploited without authentication. Besides this, 15 security fixes for Oracle Sun Systems, Oracle Fusion Middleware gets 18 fixes and 10 fixes for flaws in Oracle E-Business Suite. Oracle PeopleSoft Products and Oracle Supply Chain Products Suite also get 5 fixes each. The CPU contains 7 fixes for Oracle Virtualization while 2 fixes for Oracle Communications Applications. <more>

Wednesday, October 15, 2014

Google Chrome 38 gets HUGE patch this month

Google released the latest version of Chrome browser fixing almost around 159 security vulnerabilities. It's usually not often that Google addresses too many security patches simultaneously. Out of 159 bugs, 113 fixes related to minor vulnerabilities. Google also patched multiple high-risk vulnerabilities and one highly critical flaw in the V8 engine and IPC that brings $27,000 bug bounty reward for a researcher Juri Aedla that allows attackers to bypass sandbox and execute arbitrary code. <more>

PayPal flaw leverages access to blocked accounts

Global payment service provider PayPal is exposed to security threat that allows intruders to gain access to blocked accounts without providing further security information. The issue resides in the mobile API responsible for filtering of account access restrictions. Benjamin Kunz Mejri from Vulnerability Laboratory discovered the vulnerability and reported to Paypal in March 2013. The vulnerable application is based on iOS used by iPhone and iPad unable to check properly for restriction flags that would stop access to victim's account. Although the reported version was 4.6.0, but security researcher believes that latest version is also prone to this issue. <more>

Saturday, October 11, 2014

Joomla CRITICAL vulnerability PATCHED!!

Joomla, a widely used content management system (CMS) gets new security update which rectifies issues present in the previously released security patch. Earlier Joomla versions 3.3.5, 3.2.6 and 2.5.26 were rolled out to patch remote file inclusion and denial-of-service (DoS) attack. But later on, Joomla developer requested users to halt their systems patching as they found some errors in the earlier released patch. On Wednesday, Joomla released new versions 3.3.6, 3.2.7 and 2.5.27. Extension Manager should be used by those users who updated the earlier released patch, as they will not be able to get it through normal update. <more>

TRIPLE rewards in Google Chrome bug bounties

Bug bounties play a huge role in finding out security threats that make vendor applications more stable and at the same time researchers get monetary benefits, so we can say it's a win-win situation for everyone. Google has also realized the importance and thus increased the payment of bug bounty program. According to Google, the company has stretched the maximum payment limit to $15000 for finding a bug that means it is almost triple the payment which was earlier $500-to-$5,000 per bug. Google claims that over 700 security flaws have already been fixed through bug bounty programs. Company has also amend its submission policy in order to ease out submit process for cyber security researchers. This will give researcher an option to submit the vulnerability in the first step and provide the exploit later on. <more>

Friday, October 3, 2014

iPhone 6 TouchID scanner susceptible to hacking.

As far as Apple TouchID fingerprint security scanner is concerned it is pretty much the same as what we had in iPhone 5s. Apple iPhone 6 TouchID is still prone to hacking like last year's TouchID. It plays a vital part in the company's upcoming mobile payment service. According to a researcher at cyber security company Lookout Inc., TouchID can be hacked and can be used for fraudulent activities. To prove his point security researcher Marc Rogers created an exploit in which he used multiple forged fingerprints in order to deceive the scanner by using the same technique that was used by him when exploiting iPhone 5s. TouchID does not have time-out feature which allows attackers to perform brute-force attacks. <more>

Bash command flaw affects Linux and Mac machines.

Bash is a Unix shell used to control the command prompt. Recently discovered Bash flaw put computers running on Linux and Mac platforms at risk. Security researchers considered Bash command flaw as a bigger threat when comparing with the Heartbleed bug which made the headlines in April. According to experts from cyber security companies, hacker can take full control of the vulnerable system by exploiting bash flaw. US-CERT advises Linux and Mac users to obtain OS 'security patches' from their respective vendors. Heartbleed flaw is used for spying purposes where as Bash flaw allows remote code execution on the vulnerable system that makes it more devastating than Heartbleed. <more>