Monthly Archives: October 2014

HIGH RISK Windows bug exploited in the wild

Except for Windows Server 2003 all remaining versions of Microsoft Windows are susceptible to 0-day flaw found in the OLE (Object Linking and Embedding) technology that allows remote code execution on the victim’s machine. OLE is used in the Microsoft Office applications to create and edit data in multiple formats. The company is also aware of targeted attacks which can be exploited by using PowerPoint documents. Due to this, Microsoft has come up with a workaround dubbed ‘Fix it’. Microsoft gives credit to cyber security researchers Drew Hintz, Shane Huntley, and Matty Pellegrino of the Google Security Team and Haifei Li and Bing Sun of the McAfee Security Team for finding and analyzing the vulnerability. Company also urged users to perform double-check before opening Office documents especially PowerPoint documents. <more>

Google supports 2FA security mechanism for USB

In order to secure user accounts, Google is providing additional support to physical USB through two-factor authentication mechanism. Google has already implemented 2FA verification mechanism for their accounts which ask for user to provide input one-time-use codes received via text message or generated through mobile application. According to Google Security product manager, USB uses security key which starts after verifying the legitimacy of Google website. The Security Key only works with Chrome version 38 and later that uses Universal 2nd Factor (U2F) developed by the FIDO Alliance. <more>

Microsoft Patch Tuesday for October ’14

In October’s Patch Tuesday, Microsoft has rolled out eight security bulletins covering 24 security vulnerabilities across Windows, .Net Framework and Internet Explorer (IE). The update also cover a bug which reportedly targets NATO machines. The advisory contains three security bulletins declared as CRITICAL i.e., MS14-056 addresses Internet Explorer, MS14-057 addresses .NET Framework and MS14-058 addresses Microsoft Windows kernel mode driver. According to cyber security researcher from FireEye, two 0-day vulnerabilities targeting Windows Machines used by some major corporations are being exploited by cyber criminals. One of the patches addresses Sandworm cyberattack that allows remote code execution on Microsoft Windows Server 2008 and Windows Server 2012. Other five remaining updates are rated as IMPORTANT covering issues in ASP.NET MVC, Windows OLE and Microsoft office applications. <more>

Oracle Critical Patch Update fixes 155 vulns

This month is quite busy for system admins as there are plenty of security updates available due to Microsoft Patch Tuesday along with Adobe, Firefox, OpenSSL and now Oracle has released 155 security vulnerabilities in its quarterly update. The CPU addresses 25 bugs related to Oracle Java SE, 24 fixes for security flaws in Oracle MySQL, 31 fixes for Oracle Database Server in which only two could be remotely exploited without authentication. Besides this, 15 security fixes for Oracle Sun Systems, Oracle Fusion Middleware gets 18 fixes and 10 fixes for flaws in Oracle E-Business Suite. Oracle PeopleSoft Products and Oracle Supply Chain Products Suite also get 5 fixes each. The CPU contains 7 fixes for Oracle Virtualization while 2 fixes for Oracle Communications Applications. <more>

Google Chrome 38 gets HUGE patch this month

Google released the latest version of Chrome browser fixing almost around 159 security vulnerabilities. It’s usually not often that Google addresses too many security patches simultaneously. Out of 159 bugs, 113 fixes related to minor vulnerabilities. Google also patched multiple high-risk vulnerabilities and one highly critical flaw in the V8 engine and IPC that brings $27,000 bug bounty reward for a researcher Juri Aedla that allows attackers to bypass sandbox and execute arbitrary code. <more>

PayPal flaw leverages access to blocked accounts

Global payment service provider PayPal is exposed to security threat that allows intruders to gain access to blocked accounts without providing further security information. The issue resides in the mobile API responsible for filtering of account access restrictions. Benjamin Kunz Mejri from Vulnerability Laboratory discovered the vulnerability and reported to Paypal in March 2013. The vulnerable application is based on iOS used by iPhone and iPad unable to check properly for restriction flags that would stop access to victim’s account. Although the reported version was 4.6.0, but cyber security researcher believes that latest version is also prone to this issue. <more>

Joomla CRITICAL vulnerability PATCHED!!

Joomla, a widely used content management system (CMS) gets new security update which rectifies issues present in the previously released security patch. Earlier Joomla versions 3.3.5, 3.2.6 and 2.5.26 were rolled out to patch remote file inclusion and denial-of-service (DoS) attack. But later on, Joomla developer requested users to halt their systems patching as they found some errors in the earlier released patch. On Wednesday, Joomla released new versions 3.3.6, 3.2.7 and 2.5.27. Extension Manager should be used by those users who updated the earlier released patch, as they will not be able to get it through normal update. <more>

TRIPLE rewards in Google Chrome bug bounties

Bug bounties play a huge role in finding out security threats that make vendor applications more stable and at the same time researchers get monetary benefits, so we can say it’s a win-win situation for everyone. Google has also realized the importance and thus increased the payment of bug bounty program. According to Google, the company has stretched the maximum payment limit to $15000 for finding a bug that means it is almost triple the payment which was earlier $500-to-$5,000 per bug. Google claims that over 700 security flaws have already been fixed through bug bounty programs. Company has also amend its submission policy in order to ease out submit process for cyber security researchers. This will give researcher an option to submit the vulnerability in the first step and provide the exploit later on. <more>