Monthly Archives: October 2013

Google Anti DDoS Weapon – Project Shield

Google has begun testing a new distributed denial of service (DDoS) protection service, codenamed Project Shield, to help fight back against this growing cyber threat facing digital businesses. Google confirmed Project Shield is currently running on a trial basis and is open for use on an invite-only basis. “Project Shield is an initiative to expand Google’s own distributed denial of service (DDoS) mitigation capabilities to protect free expression online. The service is currently invite-only. We are accepting applications from websites serving news, human rights or elections-related content.” The service works using a variety of existing Google technologies, the firm explained: “Project Shield is a service that currently combines Google’s DDoS mitigation technologies and Page Speed Service (PSS) to allow individuals and organisations to better protect their websites by serving their content through Google’s own infrastructure, without having to move their hosting locations.”

Oracle Quarterly Patch Update Fixes 127 Security Bugs

Oracle has released a whopper of a critical patch update for October, with 127 security fixes across several of the company’s products. Of these, 51 are fixes for Java SE, and all but one of those will allow remote exploitation of a computer without authentication. Oracle recommends the patch be applied as soon as possible, as many of the vulnerabilities cross product family lines, and its products are interdependent. However, the patch applies only to products whose licensees have premier support or extended support. 40 of the 51 Java vulnerabilities apply to client deployment of Java. Of these, one is exploitable only during the act of deploying Java clients; the rest apparently can be exploited on Java clients at other times. Eight of the Java flaws impact both client and server-side implementations. Of the remaining three, one applies to the Java Heap Analysis, and two apply to sites that run the Javadoc Tool as a Service.

October’s Patch Tuesday fixes IE, Word and Excel vulns

The monthly security update, which also marked the 10th anniversary of Microsoft’s Patch Tuesday releases, included eight patches: four deemed “critical” and four ranked “important.” In total, the patches addressed 28 vulnerabilities in the company’s products, including two zero-day flaws affecting Internet Explorer: CVE-2013-3893 and CVE-2013-3897. Security bulletin MS13-080 fixed both remote code execution bugs in IE, along with eight other privately reported bugs.

vBulletin exploit in the wild

vBulletin CMS is under attack by cyber criminals exploiting a vulnerability that allows the creation of new administrative accounts. Back in August, users of versions in the 4.1+ and 5+ series were advised to delete the /install/ or /core/install/ directories (depending on version) as a workaround against the bug, but vBulletin didn’t advise of the impact of the problem. The vulnerability allows admin account injection using vulnerable PHP code. The author of the article, Barry Shteiman of Imperva, notes that the exploit code and technique were found on hacker forums, meaning that the exploit is in the wild.

Google Chrome 30 fixes 50 security bugs

Google is out with its latest Chrome stable browser release, providing one of the highest security fix counts in the history of Google’s popular open source browser. The Chrome 30.0.1599.66 release, available for Windows, Mac and Linux, provides 50 security fixes. Google is paying security researchers a total of $19,000 in bug bounties for responsible disclosures about flaws that have been fixed in the new Chrome stable release. The Chrome 30 fix list is double the 25 flaws that Google fixed in the Chrome 29 stable update in August. Google paid out $6,174 in reward money for that release.

Cisco IOS patched 10 DoS vulns

Cisco Systems issued 10 fixes for different flaws in its IOS software. While the manufacturer says hackers haven’t been exploiting these vulnerabilities as of yet, now that the information is in the public sphere it is definitely a possibility. Detailed instructions are online from Cisco that describe fixes or workarounds for the Network Time Protocol (NTP), the Internet Key Exchange protocol, the Dynamic Host Configuration Protocol (DHCP), the Resource Reservation Protocol (RSVP), the virtual fragmentation reassembly (VFR) feature for IP version 6 (IPv6), the Zone-Based Firewall (ZBFW) component, the T1/E1 driver queue, the Network Address Translation (NAT) function for Domain Name System (DNS), and Point-to-Point Tunnelling Protocol (PPTP). The patches were issued last Wednesday as part of Cisco’s ongoing program to release IOS security advisories on the fourth Wednesday of every March and September. Cisco recommends that users apply the patches as soon as possible.