Monday, October 26, 2015

October's Patch Tuesday covers Windows, IE, Edge and Office

In October's Patch Tuesday, Microsoft rolled out SIX security bulletins that contain more than 30 vulnerabilities targeting Windows, Internet Explorer, Edge, and Office. Out of 6 bulletins released, 3 of them are rated as 'CRITICAL'. MS15-106 a critical rated bulletin addresses 14 vulnerabilities in the Internet Exlporer. The issues fixed in this bulletin are related to memory corruption, privilege escalation, information disclosure, and VBScript and JScript ASLR bypass issues. Another critical-rated bulletin is MS15-108 that patches various issues related to information disclosure, memory corruption, and ASLR bypass vulnerabilities in the VBScript and JScript scripting engines in Windows. Third and the last critical bulletin addresses a flaw in the Microsoft Windows that allows remote code execution by opening a specially crafted toolbar object in Windows. <more>

Wednesday, September 23, 2015

Apple iOS 9 PATCHES Airdrop flaw

Apple has released an update for iOS 9, fixes a critical security flaw allowing intruders to inject malicious files in iPhones that can be used to hijack victim's phone later on. Security researcher Mark Dowd from Azimuth Security found the issue which affects almost all devices using iOS 7 or later, along with all Mac OS X Yosemite versions. According to PoC where Mark Dowd was forcing crafted files to an iPhone using Apple's AirDrop, even though the request to transfer was denied by the user. AirDrop provides file sharing facility between iOS and OS X devices using WiFi and/or Bluetooth. AirDrop is vulnerable to directory traversal attack allowing intruders to make modification in victim's OS setting and install malicious apps and rest will be done accordingly. All an attacker needs to install a malicious app is to have a legitimate Apple enterprise certificate to validate the app's installation process. <more>

Beware!! Android Lollipop users

Researchers from University of Texas has found a security flaw in the lock screen feature of Android 5.x. According to John Gordon, a network security analyst at the University of Texas, the issue exists in the password field - unable to handle a sufficiently long string while the camera app is active, allowing an attacker to crash the lock screen. From the locked screen, one can easily bypass the security. The potential attacker can open the emergency call window, fill it with characters, then copy those into the password field via the settings option on the locked screen until the user interface crashes. By using USB debugging normally allows access to vulnerable device to execute arbitrary command or gain access to files with full rights. Google was notified about the issue earlier this year and responded swiftly to release a security patch in June to rectify this issue. Google urge users to apply updates on earliest basis. <more>

Monday, September 7, 2015

Google Chrome 45 addresses 29 flaws

Google has released Chrome 45 to address 29 security flaws affecting Windows, Mac, and Linux platforms. According to Google advisory, Six issues are rated as CRITICAL allowing remote code execution. These high-severity issues addressed cross-origin bypass flaws in DOM, covered in CVE-2015-1291 and CVE-2015-1293, where as a cross-origin bypass issue occurs in Service Worker that is covered in CVE-2015-1292. Besides this, multiple use-after-free flaws in Skia (CVE-2015-1294) and Printing (CVE-2015-1295), and a character spoofing bug in the Omnibox address bar (CVE-2015-1296). The latest version also patched medium severity vulnerabilities in WebRequests, extensions and in the Blink web browser engine. Google credits security researchers Mariusz Mlynski, Rob Wu, Alexander Kashev, and experts using the online monikers, cgvwzq, cloudfuzzer, and zcorpan for finding vulnerabilities in the browser. So far, company has given rewards of $40,500 through bug bounty program. Morever, Google has decided to stop running Flash Ads due to various flaws found in Adobe Flash from time to time. Google is automatically converting most of the Flash ads uploaded to AdWords to HTML5, otherwise it can be done manually using a tool provided by the company. <more>

Bugzilla hack eXposes Firefox 0-day flaw

Mozilla confirmed about Bugzilla breached by an attacker who was able to get access to sensitive information about zero-day flaws in Firefox. According to Mozilla, the intruder was able to breach a high-level user's account who had access to Bugzilla that contains information of non-public zero-day security flaws. Mozilla said attacker took control of the account since September 2013 and accessed approximately 185 vulnerabilities that were non-public, where 53 vulnerabilities considered CRITICAL flaws. However, company claims 43 of the severe flaws had already been patched, but 10 unpatched security flaws are still in the hands of intruder which pose a huge security risk for Firefox users. <more>

Wednesday, August 5, 2015

Not Again !! Another bug puts Android phone @ risk

Earlier it was Zimperium that informed about the Stagefright flaw affecting nearly 950 million (95%) smartphone across the globe, and now its Trend Micro turns to come up with another security flaw in the Android mediaservice which can cause your smartphone to become unresponsive. As compare to Stagefright bug, this new vulnerability affects Android versions 4.3 and above. So statistically 56.8% users are affected to this flaw. According to security researcher from Trend Micro, attackers can exploit the vulnerability using a malicious app installed and running on the user's device, or by accessing a URL where a malformed media file is hosted. For demonstration purpose, researcher choked the mediaserver service using a malformed MKV file. The issue exists in the way mediaserver service reads data from a Matroska media container, which is used with the .mkv extension. <more>

BIND Critical flaw causes Internet outage

Widely used DNS server software - BIND is under attacked to cause disruption in the internet service for many users. The BIND versions 9.1.0 to 9.10.2-P2 are affected and can be exploited to crash DNS servers that are powered by the software. Internet Systems Consortium (ISC) has released a patch to rectify this critical issue that affects both authoritative and recursive DNS servers with a single packet. ISP configures recursive DNS servers for most computers and routers. If those DNS servers becomes unresponsive due to any circumstances, the computers that users that use them will not be able to find websites. According to ISC advisory, patching is the only available option so operators are required to apply the security patch as early as possible. <more>

Tuesday, July 7, 2015

Apple PATCHES OS X and iOS bugs

Apple has releases patches for various security flaws found in its desktop and mobile operating systems. Apple users are waiting for the new releases of iOS 9 and OS X 10.11, but they have to apply security updates for iOS 8 and OS X 10.10. It is believed to be the first major Apple security patch updates since April 8. OS X 10.10.4 security update fixes three vulnerabilities in Apple's Admin framework allowing intruders to get full admin rights.  Apple Type Services also get the fix for four vulnerabilities allowing remote code execution on the compromised systems. Similarly, six security flaws have been fixed in the CoreText library. One fix is for Apple's high-speed Thunderbolt interface that could allow intruders to execute arbitrary code. Intel graphics driver used in OS X is being patched for eight vulnerabilities mostly occur due to buffer overflow. Apple iOS 8.4 addresses 30 vulnerabilities across Safari’s browser engine, the WiFi manager, the SQLite library, Safari, Mail, the OS kernel, FontParser, coreTLS and CoreText. Company urges users to apply the update on earliest basis. <more>

'Selfies' a new authentication method for MasterCard

Taking selfies usually considered by many people as a mental disorder and we have read several reports regarding this, but not anymore now as one of the largest online payment system is going for a trial to take selfies as replacement authentication for passwords. MasterCard said that it will test this new mechanism just to know that how much it will be effective to minimize fraud threats. Facial recognition is not new as several smartphones use this feature to unlock the device. Although security researchers still obscure about the robustness of such authentication system as there are multiple instances in the past where intruders are able to bypass the mechanism. If all goes well, MasterCard plans to integrate facial recognition in smartphone application that initiates when a payment needs to be made, asking for authorization through fingerprint or facial analysis. <more>

Monday, June 29, 2015

ZERO day fix for Adobe Flash Player

Adobe systems has released an out-of-cycle security patch to fix critical zero-day flaw in a Flash plugin that could allow remote code execution on a compromised system. According to advisory, this critical issue is covered in CVE-2015-3113 and affects Flash Player and earlier versions on Windows and Mac, and version and earlier releases on Linux. Adobe credits FireEye security researchers for finding it which was exploited in a phishing campaign. IE for Windows 7 and earlier along with Firefox on Windows XP are considered prime targets. However, Chrome users has not found with such attacks. Company urges users to apply the patch on earliest basis. <more>

HP releases unpatched IE exploit code

Although Microsoft paid a huge amount of $125,000 for finding Address Space Layout Randomisation (ASLR) vulnerability in Internet Explorer 11 to HP's Zero Day Initiative. Company still not eager to release the security patch to address the flaw. After Microsoft refusal, HP has decided to publish Proof-of-Concept code that could be used to exploit the vulnerability. According to HP, they are concerned about users and wanted to inform about the issue and then it's users call whatever they feel appropriate, where as, Microsoft believes that flaw does not affect the default configuration of IE, so there is no need to apply any fix for it. <more>

Tuesday, June 23, 2015

0-day identified in Apple OSX and iOS

Security researchers have spotted 0-day vulnerabilities targeting Apple operating systems, i.e., Mac OS X and iOS. The impact of the issue could allow an intruder to steal sensitive information that can aid further attacks later on. The security flaws presented in a joint research paper entitled 'Unauthorized Cross-App Resource Access on Mac OS X and iOS' by Indiana University's Xiaolong Bai, XiaoFeng Wang and Tongxin Li, with Peking University's Kai Chen and the Georgia Institute of Technology's Xiaojing Liao. The flaw named XARA given by security researchers, target major cross-app resource sharing mechanisms such as keychain and communication channels that includes WebSocket and Scheme - are not properly protected by both the OS and the apps using them and allows attackers to gain knowledge of sensitive user information through a malicious program. Similarly, sandbox mechanism is not reliable enough and can be exploited through malicious app - gaining full access to other apps' directories (called containers). <more>

Samsung Galaxy flaw affects 600M users globally

Most widely used smartphone Samsung Galaxy is feeling the heat these days as approx 600 million Samsung phones may be vulnerable to a serious security flaw. According to security researcher Ryan Welton from NowSecure, it allows hackers to stealthy monitor the camera and microphone, read incoming and outgoing text messages, and install malformed apps on the vulnerable smartphones. The issue exists in the update mechanism of SwiftKey - Smart prediction technology for easier mobile typing, available on the Samsung Galaxy S6, S5, and several other Galaxy models. Actually Samsung hasn't specify a mechanism to encrypt the executable files that could leverage attackers to modify upstream traffic during updates downloading. The intruder sitting on the same Wi-Fi network can replace the actual file with a malicious one. The demo of exploit is presented last Tuesday at the Blackhat security conference in London. <more>

Thursday, June 18, 2015

Critical Updates for Windows and Internet Explorer

A light Patch Tuesday for June has been released by Microsoft that contains security patches for just two 'CRITICAL' and eight 'important' rated vulnerabilities. Critical security updates target Windows and Internet Explorer. Critical issue that affects the Windows operating system is due to an error in the media player that allows remote code execution on the compromised machines. Similarly, IE gets a huge list of memory corruption flaws that allow remote code execution if a user views a specially crafted webpage. The 'important' rated updates plugs security flaws in Windows, Exchange Server and Office allowing intruders to gain elevated privileges or remote code execution depending on the scenario and attack vectors. There is also a minor tweaking about the removal of Windows 10 update reminders after critics last month compared them to adware. Company has reconsidered its policy and remove the reminders. <more>

Kaspersky a victim of a spohisticated cyber-attack

Kaspersky Lab revealed last wednesday that a very sophisticated cyber-attack named Duqu penetrated some of its internal systems by exploiting a zero-day flaw in the Windows Kernel. This APT attack is operating since 2012 that shows how sophisticated Duqu is - even a security giant Kaspersky is unable to figure out its presence for such a long period. A new version dubbed Duqu 2 arised in 2014 and continue its operations in 2015 as well targeting western countries, the Middle East and Asia. According to security researchers initial attempts started in Asia-Pacific region via spear-phishing emails. Several modules have been identified to perform a 'pass the hash' attack target the local network. Duqu 2 uses various strategies to spread on the network. It is confirmed by Kaspersky engineers that the attack was carried out by installing Microsoft Windows Installer Packages (MSI) and then launching it remotely to other hosts. <more>

Tuesday, June 9, 2015

Facebook focuses on message security

Facebook is fully aware about users privacy that's why company has added support for OpenPGP keys used in its email messaging to secure users from cyber criminals. Facebook inform users about this feature used to improve the privacy of email content by rolling out an experimental new feature that allows users to add OpenPGP public keys to their profile. GNU Privacy Guard implementation of OpenPGP is available for Windows, Mac OS and Linux users and performs encryption on emails sent from Facebook to their email accounts. This feature is currently available in desktop machines, but Facebook is committed to make it available for mobile platforms. <more>

Microsoft Windows gets SSH support

Redmond is finally planning to support SSH in Windows and their boffins will take participation in the OpenSSH project. SSH is being widely used by Unix and Linux systems for years to remotely connect to system, but Microsoft has never given SSH by default. As SSH becomes the default standard for secure remote logins, this put onus on Microsoft as its users wanted to have default support for SSH and at last company has given a green signal. "A popular request the PowerShell team has received is to use Secure Shell protocol and Shell session (aka SSH) to interoperate between Windows and Linux - both Linux connecting to and managing Windows via SSH and, vice versa, Windows connecting to and managing Linux via SSH. Thus, the combination of PowerShell and SSH will deliver a robust and secure solution to automate and to remotely manage Linux and Windows systems," Angel Calvo, a group software engineering manager on  Microsoft's PowerShell team said. <more>

Friday, June 5, 2015

iPhone crashes with just a text message

Few days back there was a news regarding iPhone crashes with a specially crafted text. Apple quickly released a workaround for iPhones, iPads and the Apple Watch, also advises the use of Siri can mitigate problems caused by the simple text attack. Company will provide the proper patch to rectify this security flaw once for all but meanwhile Apple urges users to apply workaround to keep them safe. According to firm this issue is quite similar to what they faced in the iMessage so patch will be released soon. This issue was pointed out by Reddit and Twitter users causing iOS-based devices to crash or locking the user out of the messaging application. <more>

Facebook launches new security checkup tool

Facebook rolls out a new feature called Security Check-up that will boost the security of user's account. Facebook is usually a prime target for hackers due to its popularity and widely usage so proper mechanism are in placed by the company to secure user profiles. The Check-up will pop up over the top of the site, prompting users to explore new options in order to increase security. Users prefer to connect to Facebook with its mobile app and on most occasions they have not logged out properly. In case of any mishap like your phone stolen or lost then your facebook account if not properly logged out would a tricky situation for you. To avoid such instances Facebook gives the opportunity to receive login alerts to show the computers logged into different Facebook services. <more>

Tuesday, May 26, 2015

Google Chrome 43 fixes 37 vulns

Google released Chrome 43 that provides patches for 37 security flaws along with numerous improvements across different components of the browser. Google is quite famous for its bug bounty program and this time is no exception as company has given around $40,000 to security researchers. Google awarded the highest amount of $16,337 to an anonymous researcher who has found a CRITICAL vulnerability in the sandbox escape and addressed under CVE-2015-1252. Another anonymous researcher is also given $7,500 for finding high severity cross-origin bypass in DOM covered under CVE-2015-1253. Armin Razmdjou of Rawsec was awarded $3,000 for revealing a cross-origin bypass in Editing covered under CVE-2015-1254. Similarly, Khalil Zhani reported use-after-free issues affecting WebAudio and WebRTC. A reward of $3,000 to Atte Kettunen of OUSPG for a high severity use-after-free flaw in SVG and a medium rated security flaw in PDFium. Besides this, Chrome 43 also come up with a new feature called "Upgrade Insecure Requests" content security policy (CSP) - used to automatically upgrade HTTP requests to HTTPS before they get the response by the browser. <more>

FIRST EVER Security update for Apple Watch

Apple rolled out the first security update for its recently launched Apple Watch that uses an iOS-based operating system. Company releases patches for 13 security flaws targeting kernel, Secure Transport, FontParser, the Foundation framework, IOHIDFamily and IOAcceleratorFamily components. According to advisory, security flaw in the FontParser allows execution of arbitrary code via malformed font, while Foundation framework is prone to XML External Entity (XXE) vulnerability due to improper handling of XML files in the NSXMLParser. The OHIDFamily and IOAcceleratorFamily components could allow malicious applications to disclose kernel memory layout. Rest of the issues are related to Kernel. Apple Watch OS 1.0.1 also fixes the FREAK vulnerability that allows an MitM attacker to intercept the encrypted data and force it to use weak encryption to aid further attacks. This security update targets Apple Watch, Apple Watch Sport and Apple Watch Edition. <more>

Tuesday, May 19, 2015

13 Bulletins for last PATCH Tuesday

Recently Microsoft official statement reveals that from now onwards users will get the security patch as soon as it is available. So this might the last Patch Tuesday and brings 13 security bulletins where three are rated as CRITICAL and remaining ten are rated as IMPORTANT. Critical bulletins include MS15-043 targets Internet Explorer that patches 22 CVEs. Second critical bulletin MS15-044 addresses Font Drivers issue in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Microsoft Lync, and Microsoft Silverlight; MS15-045 is the third critical bulletin resolves the Windows Journal issue in Microsoft Windows. All critical bulletins allow remote code execution on the vulnerable system. Rest of the bulletins are related to address elevation of privileges and information disclosure issues. <more>

Huge PATCHES for Adobe products

Along with Microsoft Patch Tuesday, Adobe systems has also released security updates covering 52 vulnerabilities in Flash, Reader and Acrobat. According to advisory the updates fix 18 vulnerabilities in Flash player 34 flaws in Adobe Reader and Acrobat. Fixes are issued for Windows, Mac and Linux platforms that allow intruders to take complete control over the vulnerable system. APSB15-09 updates cover Adobe Flash Player and earlier, and earlier 13.x versions, and earlier 11.x versions, AIR Desktop Runtime and earlier versions as well as AIR SDK and SDK & Compiler and earlier versions. Similarly APSB15-10 provides security patches for Adobe Reader XI (11.0.10) and earlier 11.x versions, Reader X (10.1.13) and earlier 10.x versions, Acrobat XI (11.0.10) and earlier 11.x versions, as well as Acrobat X (10.1.13) and earlier 10.x versions. Adobe urges users to apply updates on earliest basis. <more>

Tuesday, May 12, 2015

Apple Safari gets NEW security fixes

On Wednesday, Apple rolled out a new version of Safari web browser fixing five security flaws found in the WebKit browser engine. The fixes address flaws in Safari versions 8.0.6, 7.1.6 and 6.2.6. Three out of Five fixes are related to memory corruption flaws that could allow intruders to execute arbitrary code or cause the vulnerable browsers to crash unexpectedly. According to advisory, these security flaws are covered under CVE-2015-1152, CVE-2015-1153 and CVE-2015-1154 - can be exploited by enticing victim to visit malicious website. Security researcher Joe Vennix of Rapid7 found a security flaw in the WebKit History component covered under CVE-2015-1155 - allows access to the information from an unprivileged source, related to a same-origin policy issue. <more>

Unpatched SAP apps pose security risks

Onapsis, a security firm famous for finding out security flaws in SAP applications revealed that cybercriminals usually use pivoting, portal attacks and database warehousing techniques to take control of SAP systems at the application layer. Onapsis Research Labs indicates in the assessment report which was conducted recently and declares that almost 95 percent of ERP implementations involving SAP applications are vulnerable due to lacking in proper patching results in high risk to security breaches. According to Mariano Nunez, CEO and co-founder of Onapsis, CISO should have greater visibility into their SAP applications so that they can figure out risks and provide mitigation accordingly. CISOs should also be able to detect new attack vectors and user behavior anomalies as being indicators of exploiting SAP implementations. <more>

Tuesday, April 28, 2015


Widely used open-source content management system WordPress version 4.1.2 gets a critical fix for a security flaw that allows attackers to conduct XSS attacks. Site admins are notified about the latest release and urge to apply the update on earliest basis. Website operators who have enabled auto-update feature dont need to do anything as their sites are already updated - so just chill. WordPress warns in a blog post that sites using WordPress versions 4.1.1 and earlier can be compromised due to cross site scripting flaw and advised them to update immediately. Besides this, there is another XSS issue that affects WordPress versions 3.9 and later that has been patched as well. WordPress alerts users that it could aid intruders to launch a social engineering attack. WordPress 4.1.2 also patches an SQL injection flaw for plugins that allows user to upload arbitrary files with invalid file names. <more>

Fingerprints cloning in Samsung Galaxy S5

RSA conference is being held in San Francisco, where security researchers from FireEye revealed a security flaw related to the fingerprint sensor embedded in the Samsung Galaxy S5 and other smartphones running Android - allows cybercriminals to make duplicate user's fingerprints. According to Tao Wei and Yulong Zhang from FireEye, although mobile manufacturers have taken numerous steps to ensure the integrity and confidentiality of biometric systems, but still there is a possibility to clone users' fingerprint which can aid further attacks. This would give opportunity to hacker to get user-level access and run a program as root to steal information from the affected Android phones. In the case of Samsung Galaxy S5, all you need is to have system-level access. Android 5.0 Lollipop or above are unaffected to this issue. Samsung has not yet provided any details regarding updates for users. <more>

Tuesday, April 21, 2015

Oracle Critical Patch Update for April fixes 98 flaws

14th April, Oracle has released its quarterly critical patch update covering around 98 security flaws targeting different product lines. According to advisory, 14 security fixes for vulnerabilities in Oracle Java SE which are remotely exploitable without authentication. This patches set contains last fix for Java 7 applications as company has decided to shut the door for Java 7 support. Apart from Java, this update fixes 17 vulnerabilities in Oracle Fusion Middleware, 8 vulnerabilities are addressed in Oracle Sun Systems Product Suite, 26 MySQL bugs are patched, 4 issues are fixed in Database server, Oracle Supply Chain Products Suite gets the update for 7 vulnerabilities. <more>

11 security bulletins in MS Patch Tuesday

Last Tuesday, Microsoft released 11 security bulletins for Windows, Office and Internet Explorer where four bulletins are rated 'CRITICAL'. Most of the IE vulnerabilities are related to memory corruption issues that allow remote code execution. Besides this ASLR bypass issue is also found in IE. Security flaws affecting Word 2007, Word 2010, Office 2010 and Office Web Apps Server 2010 are also addressed in this Patch Tuesday. Microsoft Windows also get critical fixes for HTTP.sys and Microsoft Graphics Component. 'Important' rated Bulletins cover privileges escalation, security bypass, information disclosure and Denial-of-Service (DoS) affecting SharePoint, AD federation services, all versions of .Net and Hyper-V. <more>

Tuesday, April 14, 2015

Security update for Apple OS X and iOS

Apple addresses numerous fixes for OS X and iOS along with some additional features. OS X 10.10.3 security update covers 79 vulnerabilities where 21 of those flaws are related to OS X PHP port. Six other flaws are related to OpenSSL and nine security flaws for Apache. There was a flaw in the Nvidia OS X kernel driver which has been patched in the latest update. Similarly, there are updates for 58 vulnerabilities in iOS 8.3 - 24 security issues target Safari's WebKit engine, one update for phishing issue while two are related to XSS issue. iOS 8.3 update addresses 21 remote code vulnerabilities. There are patches available for iOS kernel to rectify eight security flaws that could allow attackers to cause a denial of service, remote code execution with escalated privileges. Apple urged users to migrate to 10.10.3 on earliest basis as there is locally exploited root escalation bug found in the OS X 10.8.5 and 10.9.5 which are not covered in this security update that means un-patched. <more>

Over 1M sites affected by WordPress Plugin flaw

WP-Super-Cache plug-in for WordPress responsible for generating static html files from dynamic WordPress blog. Recently security researchers from Sucuri identified cross-site scripting (XSS) vulnerability that allows an intruder to take complete control of the website. Over 1 million websites are using this plugin that means it's a huge risk for everyone. Fortunately, WP-Super-Cache developers addresses this security flaw with a release of new version 1.4.4. Sysadmins should update the vulnerable plugin on earliest basis otherwise attackers can take the advantage via malformed query and add malicious scripts to the cached files published by the component. Sucuri gives CVSS score 8.0 to this issue that means it can be done with ease. There is a high possibility that attacker could add new admin account and install backdoors on the vulnerable website. <more>

Wednesday, April 8, 2015

New Firefox 37 rectifies security flaws

Latest version of open-source web browser Mozilla Firefox 37 is available for download and eliminates several critical security flaws present in prior versions. Not only security fixes this time but also Firefox gets a new feature 'OneCRL' which is responsible for improved revocation of invalid certificates used for validating and securing the connection to an authorized host. According to company's classification - a CRITICAL flaw is the one that allows arbitrary code execution without human intervention. Critical fixes cover under CVE-2015-0803, CVE-2015-0804 and CVE-2015-0813 - all are related to use-after-free issues allowing users to execute arbitrary code or crash vulnerable application. Two memory corruption errors are also reported by Abhishek Arya of Google Chrome Security Team and covered under CVE-2015-0805 and CVE-2015-0806 related to 2D graphics rendering. Besides security updates, OneCRL gives the developer an opportunity to update the list of revoked certificates without pushing a new Firefox update. <more>

LESS Admin rights result LESS Microsoft flaws

UK security firm Avecto states that if you want to mitigate critical vulnerabilities in Microsoft applications. All you need is just to remove admin rights from users. Exploitation requires admin privileges for almost 97% of Windows flaws; 99.5% of Internet Explorer and 95% of Office applications. Avecto did in-depth analysis of Microsoft security updates and found 92% of vulnerabilities in 2013 which can be mitigated by revoking admin rights - Similarly in 2014, it surges to 97%. According to Avecto's European VP, Paul Kenyon, companies can get rid of security woes by just breaking down the admin rights so that most of the users are unable to do installation. <more>

Tuesday, March 31, 2015

Windows Server 2003 expires biggest security concern

On 14th July, Microsoft will halt its support operations for Windows 2003 server. This will eventually make a huge impact as security concerns are looming that what will going to happen once the official support is over. Many organizations are still far behind for migration to the latest server platform. Recently a survey has been conducted by Bit9+Carbon Black that reveals quite alarming situation for enterprises. After the deadline expires, organizations will have to pay $600 per server for extended support - so no more free security updates in Patch Tuesday. Bit9+Carbon Black report revealed that one in three enterprises running Windows Server 2003, i.e., 9 million machines still running the outdated OS, an estimated 2.7 million servers will remain at high risk. <more>

FIFTY PERCENT of Android users are vulnerable

Palo Alto Networks security researchers claims that almost 50% Android users are vulnerable to Installer Hijacking that puts devices to malware infection. Researcher Zhi Xu stated in a threat advisory that devices running Android 4.3 and below are all affected by this security flaw and allows an intruder to make modification or replacing a normal application with a malware to meet attacker's objective. The whole process is being done without users consent, so it's a bit scary for many android users. But the good thing about this, only applications downloaded from third-party app stores are susceptible to this. Android users are urged to follow the basic security tip, i.e., Always download apps from trusted google play store. <more>

Tuesday, March 17, 2015

March Patch Tuesday brings 14 bulletins

Microsoft released MEGA Patch Tuesday for March addressing 14 security bulletins covering Windows, Internet Explorer and Office. Among all, 5 bulletins rated as 'CRITICAL'. Surprisingly, FREAK vulnerability rated as 'Important' contrast to its rating as a high-profile security flaw. Almost all versions of Windows are vulnerable to FREAK issue that allows intruders to intercept and decrypt HTTPS connections between vulnerable clients and servers. High risk updates target Internet Explorer, Windows, Windows VBScript Scripting Engine, Windows Adobe Font Driver and Microsoft Server in Office. Internet Explorer bulletin mostly addresses memory corruption issues along with two privilege escalation flaws. Medium risk updates patch security flaws in Remote Desktop Protocol, Windows Photo Decoder Component, Windows Task Scheduler, Windows NETLOGON, Microsoft Exchange Server, PNG Processing and Windows Kernel. <more>

Beware Facebook-Login sites!!

A tool unleashed by Egor Homakov, a researcher with security firm Sakurity, allows intruders to hijack Facebook Login accounts used by websites to log-in on third-party sites using their Facebook accounts, by generating URLs or you can say through phishing attacks. The tool named 'Reconnect', exploits cross-site request forgery (CSRF) vulnerability found in Facebook Login. After Facebook denial to fix this issue, as there are some compatibility issues that could hamper other website services, Homakov disclosed it publicly on his blog. <more>

Thursday, March 12, 2015

SAP applications vulnerable to CRITICAL flaws

Critical vulnerabilities in SAP business applications are identified by Onapsis. Five security advisories have been released targeting business intelligence solution SAP BusinessObjects and the database management system SAP HANA (High-Performance Analytic Appliance). Four of them affects SAP BusinessObjects Edge 4.0. The first vulnerability covers under CVE-2015-2073 that allows attackers to read files on the BusinessObjects File Repository Server (FRS) due to an error in the Common Object Request Broker Architecture (CORBA) listener. Second vulnerability is quite similar to previous one with the exception that allows overwrite files on the File Repository Server (CVE-2015-2074). Third security flaw (CVE-2015-2076) is related to authorization issues that allow attackers to retrieve audit events from a remote BusinessObjects service by using CORBA. While the fourth vulnerability (CVE-2015-2075) allows removing events waiting in the auditee queue. <more>

Latest Google Chrome fixes 51 flaws

Google has released latest version of web browser Chrome 41.0.2272.76 fixing around 51 security flaws. Among these, 13 vulnerabilities are rated 'Critical' while 6 considered medium-severity vulnerabilities. Flaws related to out-of bounds write exists in media and skia filters whereas out-of bounds read exists in PDFium and vpxdecoder. Use-after-free flaws exist in v8 bindings, DOM, gif decoder, web databases and service workers. Similarly, type confusion error exists in v8 bindings and an integer overflow in the WebGL implementation. Google has made a lot of efforts to secure chrome browser by rewarding around $52,000 to various security researchers. Moreover, Google also announced last week that single-day Pwnium competition is changed into a year-round program. The reward has also been increased with no definite limit and the company calls it "infinity million." <more>

Wednesday, March 4, 2015

Firefox 36 released with HTTP/2 support

Mozilla released Firefox version 36 providing security fixes for several flaws along with the support of a new HTTP/2 protocol. HTTP/2 is the enhancement of HTTP 1.1 protocol used over the web since 1999. According to Mozilla, HTTP/2 enables users to have faster more scalable and more responsive web. Firefox 36 is using 2,048-bit encryption certificates instead of 1,024-bit root certificates which were used in the earlier versions. Besides this, Mozilla has released 17 security advisories where 3 advisories i.e., MSFA-2014-83, MSFA-2014-87 and MSFA-2014-88 are rated as 'CRITICAL'. <more>

Samba CRITICAL security flaw Patched!!

Samba - a widely used application for file and print sharing between computers running on Windows, Unix or Linux are vulnerable to remote code execution as an administrator and rates as HIGH severity flaw. According to Red Hat Product Security team, CVE-2015-0240 covers this issue that occurs due to an error in the smbd file server daemon. An attacker can trigger via specially-crafted packets to the Samba server, thus results in execution of arbitrary code with root privileges. Samba versions 3.5.0 to 4.2.0rc4 are prone to this flaw so users are advised to apply the latest version i.e, 4.1.17, 4.0.25, and 3.6.25. Samba team credits Richard van Eeden of Microsoft Vulnerability Research for identifying the security flaw and also providing the fix. <more>

Thursday, February 26, 2015

HSTS support for Internet Explorer

Last Tuesday, Microsoft provides a new security feature with HSTS for its web browser Internet Explorer. HSTS stands for HTTP Strict Transport Security that provides secure browsing over the internet. HSTS aids users to protect from MitM attacks that can remove TLS out of communications with a server. According to Microsoft, it works with the IE running on Windows 10 platform. There are two methods used by HSTS for securing connections. One way allows that websites can register to be hard-coded by IE and other browsers to redirect HTTP traffic to HTTPS while the other way, sites not on the preloaded list can enable HSTS via the Strict-Transport-Security HTTP header. <more>

Google's new scanner for cloud platform

Google rolled out a security scanner to reveal security vulnerabilities found in Google App Engine Web applications. Security is still a major worry for most of the IT professionals. The scanner looks into the application also checking all the links and apply multiple scenarios to test the application. Google Security Engineering Manager, Rob Mann told that scanner cannot be used with App Engine Managed VMs, Google Compute Engine or any other resources. Although the scanner has some limitation, but still it aids software developers to look for security flaws that might affect the application. Company also recommends a manual security review by a Web app security professional as scanners don't provide guarantee against security flaws. <more>

Thursday, February 19, 2015

Facebook launches ThreatExchange for sharing threat information

Social media giant Facebook has launched a new platform for sharing security threat information called 'ThreatExchange'. It's a good opportunity for organizations to share their threat information so that they can counter the breach altogether. Although many vendors shared the information through private channels, but it is limited due to multiple constraints as there is no formal platform that can provide organization to share their experiences which would be helpful to organization that could be victims of such familiar breaches later. <more>

High risk Group Policy flaw PATCHED in Windows

February's Patch Tuesday addresses a critical vulnerability related to Group Policy that made Windows machines at high risk. Group policy is highly used in corporate networks as it is a feature that provides utility for organizations to centrally manage Windows systems, applications, and user settings in Active Directory environments. This decade-old security flaw was identified by JAS Global Advisors and simMachines that has occurred due to a design flaw in the Group Policy. Microsoft addresses this vulnerability under MS15-014 security bulletin. <more>

Tuesday, February 10, 2015

Adobe Flash Player out-of-band update

Adobe rolls out latest version of Flash Player rectifying around 18 security flaws, among them a patch for 0-day exploit as well. This security update is an out-of-cycle update as Adobe normally releases security patches with Microsoft Patch Tuesday. The 0-day issue covers under CVE-2015-0313, a security flaw using an exploit kit a drop a malware on the victims machine through malvertising campaigns. Adobe advisory addresses FOUR use-after-free issues, SIX memory corruption issues, TWO type confusion issues, TWO heap buffer overflow, THREE null pointer deference and a buffer overflow. Most of the vulnerabilities allow remote execution of arbitrary code except in such cases where there is a null pointer deference that crashes the vulnerable application. Security updates are released for Windows, Linux and Macintosh OS X platforms. <more>

0-day in the Fancybox-for-WordPress Plugin

WordPress - the most popular open-source blogging tool and a content management system (CMS) is under attacked by hackers that targets Fancybox plugin used in WordPress. Security researchers from Sucuri issued an alert regarding the affected plugin that allows attackers to inject a malformed iframe into websites. FancyBox is used for exhibit images, HTML content and multimedia that mounts on top of Web pages. It is one of the most widely used WordPress plugins - around 600,000 times has been downloaded from the official website. According to Sucuri researchers, it's a high risk vulnerability that allows malware to be loaded on the affected website that uses that out-dated plugin. It is in user's interest to apply the security update on earliest basis. <more>

Friday, February 6, 2015

'glibc' CRITICAL flaw affecting Linux systems

Linux users are on a high risk due to a security flaw in a core library component that is used by almost all Linux distributions. This critical vulnerability allows remote attackers to execute arbitrary code due to a buffer overflow in the glibc (GNU C) library. Shell access to the machine can be taken by sending a malformed message to an email application. Security researchers from Qualys identified the issue and claim that this issue has been there for the last 14 years. glibc 2.17 and 2.18 eradicated this issue. But still several Linux distributions has not implemented yet. Affected OS are Debian 7 (wheezy), Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7; and Ubuntu 12.04. <more>

BlackPhone Text Message Security flaw!!

Fully secured BlackPhone is vulnerable to remote code execution vulnerability due to an error in the SilentText secure messaging application. The flaw is quite critical as it allows intruders to decrypt messages, read contact information, collect location data and even execute malicious code on the phone. Security researcher Mark Dowd from Azimuth Security has identified this flaw that targets SilentText. Company has responded promptly and released the patch so that users can update the firmware to avoid any mishap. <more>

Friday, January 30, 2015

Oracle January patch update fixes 169 flaws

In January's Critical Patch Update (CPU), Oracle released fixes for 169 security vulnerabilities covering various products. Oracle Database, Oracle Fusion Middleware components, Oracle Applications (eBusiness in particular), Oracle Sun Systems Products Suite, and Java SE get fixes for high severity security flaws. CVE-2014-6567 is the most severe one that targets Oracle Database and allows attackers to compromise the vulnerable server. According to Common Vulnerability Scoring System (CVSS), a score of 9.0 has been assigned to this issue. Oracle Fusion Middleware vulnerabilities are also patched and the most severe among them gets a CVSS score of 9.3. Oracle CPU contains 19 security fixes for Java. 10 security fixes for Oracle E-Business Suite are also covered in the latest CPU. <more>

62 vulns fixed in Google Chrome 40

Google rolled out latest version of Chrome 40, addresses 62 security flaws. Chrome 40 is available on Windows, Mac and Linux platforms. According to advisory, most of the vulnerabilities are rated HIGH - SSL 3.0 has also been completely disabled to avoid any security issues arising from Heartbleed and POODLE attacks, so that users can enjoy risk-free surfing over the web. Google bug bounty program is quite popular in the security arena, as thousands of dollars are rewarded to security researchers. A researcher identified as 'yangdingning' got $9,000 for reporting two memory corruption vulnerabilities in ICU. Another researcher Collin Payne revealed use-after-free flaw in the IndexedDB is rewarded $4,500. Besides this, use-after-free issues in WebAudio, DOM, FFmpeg, Speech, Views are patched in the latest version. Chrome 40 also patched several memory corruption flaws in V8, Fonts. <more>

Wednesday, January 21, 2015

January Patch Tuesday is all about WINDOWS

Microsoft's first Patch Tuesday for 2015 contains eight security bulletins where ONE is rated as CRITICAL and rest are rated as IMPORTANT. The critical bulletin MS15-002 addresses a security flaw in the Windows Telnet Service that allows attacker to make unauthorized changes to a device. Although Telnet service is disabled by default, but it still poses a high risk to vulnerable systems. Other important rated bulletins address issues related to privileges escalation, security bypass of built-in features and DoS attacks. Microsoft also patched a vulnerability that is disclosed by google in the first week of January. Google is criticized by security experts the way it releases the vulnerability without having a security patch at the moment. <more>

Firefox 35 patches CRITICAL flaws

Last Tuesday, Mozilla rolled out Firefox 35 addressing various vulnerabilities along with some new features. Out of NINE flaws, THREE of them are rated CRITICAL by the company. One critical security flaw is related to Gecko Media Plugin (GMP) sandbox escape targeting windows platform - addressed under CVE-2014-8643, Mozilla credits MWR Labs researcher Nils for the vulnerability. GMP is used to host h.264 video playback using the OpenH264. Second critical vulnerability was reported by researcher Mitchell Harper - related to read-after-free in WebRTC and covered under (CVE-2014-8641). CVE-2014-8634 and CVE-2014-8635 also addresses critical security flaws in the browser engine, identified by Mozilla developers. <more>

Tuesday, January 13, 2015

Apple iCloud vulnerabilty PATCHED!!

Apple recently patched a security vulnerability that allows intruder to break into any account using iDict hacking tool - launched on New Year's Day used to exploit a flaw in Apple's security via brute force attack. Pr0x13 is the creator of iDict hacking tool who claims to be a founder of this security bypass issue for passwords, security questions, and even two-factor authentication. Apple responded promptly to shut down the tool so that intruder would not be able to penetrate other users account. <more>

Twitter unleashes 'AnomalyDetection' tool

Twitter released a tool to detect anomalies called 'AnomalyDetection' tool. The tool is released as open source so that developers can make change according to their needs. Twitter is using this tool for quite sometime to detect anomalies like certain surge in users tweets due to some incident, major sporting events and special occasions. From security perspective this tool can help in identifying activities linked with bots and spam. AnomalyDetection is a package for R and is available on GitHub. According to Trend Micro, 5.8% of tweets is malicious that contains links to malware, spam, phishing pages and other security threats. So one can hope that with the release of this tool will help a lot in figuring out malicious tweets. <more>

Friday, January 9, 2015

Exploit for Windows 8.1 unpatched security flaw

Google security researcher Forshaw published an exploit for an unpatched security flaw targeting Windows 8.1 machines. Forshaw defended his move for publishing the exploit as he has waited for 90 days after reporting to vendor about the flaw. Since then Microsoft has not come with a patch so he has every right to publish it publicly. Exploit is posted  on Google's security research site revealing full information about the vulnerability and its execution. <more>

Friday, January 2, 2015

Apple first auto-patch for NTP flaw

For the first time, Apple has released an auto update to fix a critical security flaw that targets the Network Time Protocol in Mac OS X clock systems. The reason for releasing auto update is due to easily exploited by attackers remotely. According to National Institute of Standards and Technology, it is covered under CVE-2014-9295 that allows remote attackers to execute arbitrary code or cause a buffer overflow. The patch is available for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 and OS X Yosemite v10.10.1. <more>

Xbox and Playstation goes offline on Christmas Day

Due to ongoing controversy with the latest release film "The Interview", Sony PlayStation and Microsoft Xbox live faced disruption in services that believe to be a cyber attack. Service disruption extends to the second day after Christmas that means users are unable to play games and access entertainment channels during the outage. Both the companies are fully aware of the issue and pass on the information on their respective websites. Lizard Squad is behind the DDOS attack and claim the responsibility on the twitter. <more>