Friday, November 28, 2014

Microsoft rushes patch for Kerberos flaw

A Windows security flaw being exploited by cyber criminals received an urgent patch outside of November's Patch Tuesday. The issue lies in Kerberos, an authentication system used by all versions of Microsoft Windows, and allows remote attackers to gain the elevated privileges of a domain administrator. The Microsoft advisory states, "A remote elevation of privilege vulnerability exists in implementations of Kerberos KDC in Microsoft Windows. The vulnerability exists when the Microsoft Kerberos KDC implementations fail to properly validate signatures, which can allow for certain aspects of a Kerberos service ticket to be forged." Microsoft credits the information security and risk management team of Qualcomm for identifying the issue. According to the company, Windows Server 2012 and Windows Server 2012 R2 machines are not prone to this vulnerability. Users are advised to apply the patch as soon as possible.

Google patches 42 flaws for Chrome

Google has rolled out Chrome 39.0.2171.65, which fixes 42 security flaws in the web browser. Chrome now supports 64-bit on Apple Mac OS X. Google awarded $41,500 to cyber security researchers for 12 reported security flaws. A researcher identified as "biloulehibou" received the highest reward, $7,500, for finding an issue in the Adobe Flash Player used in Chrome. Adobe's advisory describes this issue as a "double-free" vulnerability that allows intruders to execute arbitrary code. Chen Zhang of the NSFocus Security Team was awarded $5,500 for finding two bugs in the Blink rendering engine and the Pepper plug-in interface used by Chrome. These issues are use-after-free vulnerabilities that allow remote code execution or may crash the vulnerable application. The latest version of Chrome also disables fallback support for SSL 3.0 because of the POODLE vulnerability.

Friday, November 21, 2014

BIG Patch Tuesday fixes 33 vulns

November's Patch Tuesday contains 14 security bulletins providing fixes for 33 vulnerabilities affecting all versions of Windows. Of the 14 bulletins, 4 are rated 'CRITICAL', 8 are rated 'Important', and the remaining 2 are of moderate severity. Bulletin MS14-065 addresses 17 vulnerabilities affecting Internet Explorer. Most of these are memory corruption issues that allow remote code execution when a user is enticed to view a malformed webpage. An OLE vulnerability that was previously exploited during the Sandworm campaign, tracked as CVE-2014-6352, is also patched. A security flaw in the TCP/IP stack in Windows Server that allows remote attackers to execute arbitrary code on the vulnerable system is patched as well, along with other security bypass and privilege escalation issues.

Apple devices HIT by Masque iOS malware

Security researchers at FireEye have identified new malware, dubbed Masque, that targets iOS devices. According to the researchers, the enterprise provisioning features of iOS versions 7.1.1, 7.1.2, 8.0, 8.1 and 8.1.1 beta are vulnerable, which means almost 95% of devices are open to attack by this malware. Hui Xue, design engineer at FireEye, believes that not many users are affected on a large scale at the moment, but admits that the scope could widen in the near future. FireEye contacted the vendor, which is working on the issue. FireEye advised users to download apps only from the Apple App Store and not to click on pop-ups.

Saturday, November 15, 2014

Google unleashes 'nogotofail' security testing tool

Google has rolled out a security testing tool dubbed 'nogotofail', designed to help developers and cyber security researchers make sure that HTTPS connections are not vulnerable to security flaws or common configuration errors that intruders could exploit. The tool is meant to counter the 'goto fail' security flaw that affected Apple machines and other systems. It checks that internet-connected devices and applications are not susceptible to Transport Layer Security (TLS) and Secure Sockets Layer (SSL) flaws. It can be deployed on a router, a Linux machine, or a VPN server, and works for Android, Chrome OS, iOS, Linux, OS X, and Windows. The aim of the tool is to give users a risk-free HTTPS connection so that their information is transmitted securely over the internet.

Visa's contactless payment system security flaw

Visa, a digital payment company, is under fire from a cyber security researcher at Newcastle University over its contactless payment system. According to the researcher, criminals can make huge illegal transactions in any currency from Visa holders' accounts through point-of-sale (POS) machines. The researcher claims that an intruder creates a fake POS terminal on a mobile phone or ATM and enters the amount to be transferred. When a Visa card comes into contact with that POS terminal, the transaction is approved with a code supplied by the card. The bank uses that code to release the funds. Lead researcher Martin Emms said that a POS terminal can read a card even while it is in a wallet.

Friday, November 7, 2014

0-day flaw in Samsung 'Find My Mobile' service

Samsung smartphone users are being warned by the National Institute of Standards and Technology (NIST) about a newly discovered zero-day security flaw in the 'Find My Mobile' service. The issue is caused by improper validation of the sender of lock-code data received during communication. The 'Find My Mobile' service lets users locate their lost devices and lock them down remotely so that no one else can access them. Cyber security researcher Mohamed Abdelbaset Elnoby is credited with finding the vulnerability in the service. The flaw allows remote attackers to lock or unlock the affected device via a CSRF attack.

IBM Enterprise Insight Analysis to counter cyber crime

IBM presented its latest service, which aims to improve data gathering and to help fight cyber crime promptly and efficiently. IBM launched the service at the IBM Insight conference held in Las Vegas. IBM i2 Enterprise Insight Analysis (EIA) uncovers hidden patterns in huge volumes of data within a few seconds. It works on a data-to-decision process that yields more reliable findings against cyber threats than formal security analysis, which may take a long time to produce them. IBM i2 Enterprise Insight Analysis runs on IBM Power Systems to investigate "non-obvious" connections between data and uncover hidden activities.

Saturday, November 1, 2014

HIGH RISK Windows bug exploited in the wild

All versions of Microsoft Windows except Windows Server 2003 are susceptible to a 0-day flaw in the OLE (Object Linking and Embedding) technology that allows remote code execution on the victim's machine. OLE is used in Microsoft Office applications to create and edit data in multiple formats. The company is also aware of targeted attacks that exploit the flaw using PowerPoint documents. In response, Microsoft has released a workaround dubbed 'Fix it'. Microsoft credits cyber security researchers Drew Hintz, Shane Huntley, and Matty Pellegrino of the Google Security Team and Haifei Li and Bing Sun of the McAfee Security Team for finding and analyzing the vulnerability. The company also urged users to double-check before opening Office documents, especially PowerPoint documents.

Google supports 2FA security mechanism for USB

To secure user accounts, Google is adding support for physical USB keys to its two-factor authentication mechanism. Google has already implemented 2FA verification for its accounts, which asks the user to enter one-time-use codes received via text message or generated by a mobile application. According to a Google Security product manager, the USB Security Key starts working only after verifying the legitimacy of the Google website. The Security Key works only with Chrome version 38 and later and uses Universal 2nd Factor (U2F), developed by the FIDO Alliance.