Monday, June 29, 2015

ZERO day fix for Adobe Flash Player

Adobe Systems has released an out-of-cycle security patch to fix a critical zero-day flaw in the Flash plugin that could allow remote code execution on a compromised system. According to the advisory, this critical issue is tracked as CVE-2015-3113 and affects Flash Player and earlier versions on Windows and Mac, and version and earlier releases on Linux. Adobe credits FireEye security researchers with finding the flaw, which was exploited in a phishing campaign. IE on Windows 7 and earlier, along with Firefox on Windows XP, are considered prime targets. However, no such attacks have been found against Chrome users. The company urges users to apply the patch at the earliest opportunity.

HP releases unpatched IE exploit code

Although Microsoft paid a huge sum of $125,000 to HP's Zero Day Initiative for finding an Address Space Layout Randomisation (ASLR) vulnerability in Internet Explorer 11, the company is still not eager to release a security patch to address the flaw. After Microsoft's refusal, HP decided to publish proof-of-concept code that could be used to exploit the vulnerability. According to HP, it is concerned about users and wants to inform them about the issue, after which it is the users' call to do whatever they feel is appropriate, whereas Microsoft believes that the flaw does not affect the default configuration of IE, so there is no need to apply any fix for it.

Tuesday, June 23, 2015

0-day identified in Apple OSX and iOS

Security researchers have spotted 0-day vulnerabilities in Apple's operating systems, i.e., Mac OS X and iOS. The issue could allow an intruder to steal sensitive information that can aid further attacks later on. The security flaws are presented in a joint research paper entitled 'Unauthorized Cross-App Resource Access on Mac OS X and iOS' by Indiana University's Xiaolong Bai, XiaoFeng Wang and Tongxin Li, with Peking University's Kai Chen and the Georgia Institute of Technology's Xiaojing Liao. The flaws, named XARA by the researchers, target major cross-app resource sharing mechanisms such as the keychain and communication channels, including WebSocket and Scheme, which are not properly protected by either the OS or the apps using them and allow attackers to learn sensitive user information through a malicious program. Similarly, the sandbox mechanism is not reliable enough and can be exploited by a malicious app to gain full access to other apps' directories (called containers).

Samsung Galaxy flaw affects 600M users globally

The most widely used smartphone, the Samsung Galaxy, is feeling the heat these days, as approximately 600 million Samsung phones may be vulnerable to a serious security flaw. According to security researcher Ryan Welton from NowSecure, it allows hackers to stealthily monitor the camera and microphone, read incoming and outgoing text messages, and install malformed apps on the vulnerable smartphones. The issue exists in the update mechanism of SwiftKey, a smart prediction technology for easier mobile typing, available on the Samsung Galaxy S6, S5, and several other Galaxy models. Samsung hasn't specified a mechanism to encrypt the executable files, which lets attackers modify upstream traffic while updates are downloading. An intruder sitting on the same Wi-Fi network can replace the actual file with a malicious one. A demo of the exploit was presented last Tuesday at the Blackhat security conference in London.

Thursday, June 18, 2015

Critical Updates for Windows and Internet Explorer

Microsoft has released a light Patch Tuesday for June that contains security patches for just two 'critical' and eight 'important' rated vulnerabilities. The critical security updates target Windows and Internet Explorer. The critical issue affecting the Windows operating system is due to an error in the media player that allows remote code execution on compromised machines. Similarly, IE gets a huge list of fixes for memory corruption flaws that allow remote code execution if a user views a specially crafted webpage. The 'important' rated updates plug security flaws in Windows, Exchange Server and Office that allow intruders to gain elevated privileges or remote code execution, depending on the scenario and attack vectors. There is also a minor tweak: the removal of Windows 10 update reminders, after critics last month compared them to adware. The company has reconsidered its policy and removed the reminders.

Kaspersky a victim of a sophisticated cyber-attack

Kaspersky Lab revealed last Wednesday that a very sophisticated cyber-attack named Duqu penetrated some of its internal systems by exploiting a zero-day flaw in the Windows kernel. This APT attack has been operating since 2012, which shows how sophisticated Duqu is: even a security giant like Kaspersky was unable to detect its presence for such a long period. A new version dubbed Duqu 2 arose in 2014 and continued its operations in 2015 as well, targeting western countries, the Middle East and Asia. According to security researchers, initial attempts started in the Asia-Pacific region via spear-phishing emails. Several modules have been identified that perform a 'pass the hash' attack targeting the local network. Duqu 2 uses various strategies to spread on the network. Kaspersky engineers confirmed that the attack was carried out by installing Microsoft Windows Installer Packages (MSI) and then launching them remotely on other hosts.

Tuesday, June 9, 2015

Facebook focuses on message security

Facebook is fully aware of users' privacy, which is why the company has added support for OpenPGP keys in its email messaging to protect users from cyber criminals. Facebook informed users about this by rolling out an experimental new feature, intended to improve the privacy of email content, that allows users to add OpenPGP public keys to their profile. The GNU Privacy Guard implementation of OpenPGP is available for Windows, Mac OS and Linux users and performs encryption on emails sent from Facebook to their email accounts. This feature is currently available on desktop machines, but Facebook is committed to making it available on mobile platforms.

Microsoft Windows gets SSH support

Redmond is finally planning to support SSH in Windows, and its boffins will participate in the OpenSSH project. SSH has been widely used on Unix and Linux systems for years to connect to systems remotely, but Microsoft has never provided SSH by default. As SSH became the default standard for secure remote logins, this put the onus on Microsoft, whose users wanted default support for SSH, and at last the company has given the green signal. "A popular request the PowerShell team has received is to use Secure Shell protocol and Shell session (aka SSH) to interoperate between Windows and Linux - both Linux connecting to and managing Windows via SSH and, vice versa, Windows connecting to and managing Linux via SSH. Thus, the combination of PowerShell and SSH will deliver a robust and secure solution to automate and to remotely manage Linux and Windows systems," Angel Calvo, a group software engineering manager on Microsoft's PowerShell team said.

Friday, June 5, 2015

iPhone crashes with just a text message

A few days back there was news about iPhones crashing on receipt of a specially crafted text. Apple quickly released a workaround for iPhones, iPads and the Apple Watch, and also advises that using Siri can mitigate problems caused by the simple text attack. The company will provide a proper patch to rectify this security flaw once and for all, but meanwhile Apple urges users to apply the workaround to keep themselves safe. According to the firm, this issue is quite similar to one it faced in iMessage, so a patch will be released soon. The issue, which causes iOS-based devices to crash or locks the user out of the messaging application, was pointed out by Reddit and Twitter users.

Facebook launches new security checkup tool

Facebook is rolling out a new feature called Security Check-up that will boost the security of users' accounts. Facebook is usually a prime target for hackers due to its popularity and wide usage, so the company has put proper mechanisms in place to secure user profiles. The Check-up will pop up over the top of the site, prompting users to explore new options in order to increase security. Users prefer to connect to Facebook with its mobile app, and on most occasions they have not logged out properly. In case of a mishap such as your phone being stolen or lost, a Facebook account that was not properly logged out would put you in a tricky situation. To avoid such instances, Facebook gives users the opportunity to receive login alerts and shows the computers logged into different Facebook services.