62 vulns fixed in Google Chrome 40

Google rolled out the latest version of Chrome, Chrome 40, which addresses 62 security flaws. Chrome 40 is available on the Windows, Mac and Linux platforms. According to the advisory, most of the vulnerabilities are rated HIGH. SSL 3.0 has also been completely disabled to avoid any security issues arising from the Heartbleed and POODLE attacks, so that users can enjoy risk-free surfing of the web. Google's bug bounty program is quite popular in the security arena, as thousands of dollars are rewarded to security researchers. A researcher identified as 'yangdingning' got $9,000 for reporting two memory corruption vulnerabilities in ICU. Another researcher, Collin Payne, revealed a use-after-free flaw in IndexedDB and was rewarded $4,500. Besides this, use-after-free issues in WebAudio, DOM, FFmpeg, Speech and Views are patched in the latest version. Chrome 40 also patches several memory corruption flaws in V8 and Fonts.

Oracle January patch update fixes 169 flaws

In January's Critical Patch Update (CPU), Oracle released fixes for 169 security vulnerabilities across various products. Oracle Database, Oracle Fusion Middleware components, Oracle Applications (E-Business Suite in particular), the Oracle Sun Systems Products Suite and Java SE get fixes for high-severity security flaws. CVE-2014-6567 is the most severe one; it affects Oracle Database and allows attackers to compromise the vulnerable server. Under the Common Vulnerability Scoring System (CVSS), this issue has been assigned a score of 9.0. Oracle Fusion Middleware vulnerabilities are also patched, and the most severe among them gets a CVSS score of 9.3. The Oracle CPU contains 19 security fixes for Java. 10 security fixes for Oracle E-Business Suite are also covered in the latest CPU.

January Patch Tuesday is all about WINDOWS

Microsoft's first Patch Tuesday of 2015 contains eight security bulletins, of which ONE is rated CRITICAL and the rest are rated IMPORTANT. The critical bulletin MS15-002 addresses a security flaw in the Windows Telnet Service that allows an attacker to make unauthorized changes to a device. Although the Telnet service is disabled by default, it still poses a high risk to vulnerable systems. The other, important-rated bulletins address issues related to privilege escalation, bypass of built-in security features and DoS attacks. Microsoft also patched a vulnerability that was disclosed by Google in the first week of January. Google has been criticized by security experts for the way it released the vulnerability without a security patch being available at the time.

Firefox 35 patches CRITICAL flaws

Last Tuesday, Mozilla rolled out Firefox 35, addressing various vulnerabilities along with some new features. Out of NINE flaws, THREE are rated CRITICAL by the company. One critical security flaw is a Gecko Media Plugin (GMP) sandbox escape affecting the Windows platform, addressed under CVE-2014-8643; Mozilla credits MWR Labs researcher Nils for the vulnerability. GMP is used to host H.264 video playback using OpenH264. The second critical vulnerability was reported by researcher Mitchell Harper and is a read-after-free in WebRTC, covered under CVE-2014-8641. CVE-2014-8634 and CVE-2014-8635 also address critical security flaws in the browser engine, identified by Mozilla developers.

Apple iCloud vulnerability PATCHED!!

Apple recently patched a security vulnerability that allowed an intruder to break into any account using the iDict hacking tool, launched on New Year's Day, which exploited a flaw in Apple's security via a brute-force attack. Pr0x13, the creator of the iDict hacking tool, claims to have discovered this security bypass issue for passwords, security questions and even two-factor authentication. Apple responded promptly to shut down the tool so that intruders would not be able to penetrate other users' accounts.

Twitter unleashes ‘AnomalyDetection’ tool

Twitter has released a tool to detect anomalies, called 'AnomalyDetection'. The tool is released as open source so that developers can modify it according to their needs. Twitter has been using this tool for quite some time to detect anomalies such as surges in user tweets due to some incident, major sporting events and special occasions. From a security perspective, this tool can help in identifying activity linked to bots and spam. 'AnomalyDetection' is a package for R and is available on GitHub. According to Trend Micro, 5.8% of tweets are malicious, containing links to malware, spam, phishing pages and other security threats. So one can hope that the release of this tool will help a lot in figuring out malicious tweets.

Exploit for Windows 8.1 unpatched security flaw

Google security researcher Forshaw published an exploit for an unpatched security flaw affecting Windows 8.1 machines. Forshaw defended his move to publish the exploit, as he had waited 90 days after reporting the flaw to the vendor. Since Microsoft had not come up with a patch in that time, he considers he has every right to publish it publicly. The exploit is posted on Google's security research site, revealing full information about the vulnerability and its execution. The privilege escalation vulnerability lies in 'ahcache.sys/NtApphelpCacheControl' and allows attackers to execute arbitrary code on the vulnerable system.

Apple's first auto-patch for NTP flaw

For the first time, Apple has released an automatic update to fix a critical security flaw in the Network Time Protocol (NTP) implementation in Mac OS X clock systems. The reason for releasing an automatic update is that the flaw is easily exploitable by remote attackers. According to the National Institute of Standards and Technology, it is covered under CVE-2014-9295, which allows remote attackers to execute arbitrary code or cause a buffer overflow. The patch is available for OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.5 and OS X Yosemite v10.10.1.

Xbox and PlayStation go offline on Christmas Day

Amid the ongoing controversy over the latest film release "The Interview", Sony PlayStation and Microsoft Xbox Live faced a disruption in service that is believed to be a cyber attack. The service disruption extended to the second day after Christmas, meaning users were unable to play games or access entertainment channels during the outage. Both companies are fully aware of the issue and have passed on information via their respective websites. Lizard Squad is behind the DDoS attack and claimed responsibility on Twitter.

‘mailx’ security fix for various Linux flavors

'mailx', used for sending and receiving mail and widely used in several Linux distributions, gets a patch for two security flaws. Both vulnerabilities stem from improper parsing of email addresses and are rated "moderate". CVE-2014-7844 covers the execution of arbitrary shell commands locally, whereas CVE-2004-2771 covers the execution of arbitrary commands by leveraging the fact that mailx interprets shell metacharacters in certain email addresses. Both the BSD mailx and Heirloom mailx implementations are vulnerable to these issues, affecting Red Hat Enterprise Linux, CentOS, Debian, Ubuntu and possibly other distributions. Users are advised to apply the updates at the earliest. CVE-2004-2771 is an almost decade-old vulnerability.
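As an added defensive example (not code from the advisory or the mailx project), the check below refuses recipient addresses that could be parsed as mailer options or as shell syntax before a script hands them to mailx, and builds the command as an argv list with no shell, using `--` to end option parsing. The metacharacter set, the `--` convention and the function names are assumptions of this example.

```python
import re
import subprocess
from typing import List

# Characters that an unpatched mailx could hand to a shell or treat as a pipe.
# Assumed, deliberately conservative set; the advisory does not enumerate one.
SHELL_METACHARS = set("|&;<>()$`\\\"' \t\n*?[]{}~!")

# Conservative address shape: local part and domain restricted to [A-Za-z0-9._+-],
# with the local part not allowed to start with '-'.
_ADDR_RE = re.compile(r"^[A-Za-z0-9._+][A-Za-z0-9._+-]*@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


def is_safe_address(addr: str) -> bool:
    """Accept only addresses that cannot be mistaken for options or shell syntax."""
    if not addr or addr.startswith("-"):
        # A leading '-' could be parsed as a command-line option by the mailer.
        return False
    if any(ch in SHELL_METACHARS for ch in addr):
        # Reject anything a shell or address expansion could interpret.
        return False
    return _ADDR_RE.match(addr) is not None


def build_mailx_argv(subject: str, recipients: List[str]) -> List[str]:
    """Build the mailx argv; '--' ends option parsing (assumed supported by the mailer)."""
    bad = [r for r in recipients if not is_safe_address(r)]
    if bad:
        raise ValueError(f"refusing unsafe recipient(s): {bad}")
    return ["mailx", "-s", subject, "--"] + recipients


def send_report(subject: str, body: str, recipients: List[str]) -> int:
    """Send body via mailx without involving a shell; returns the exit status."""
    argv = build_mailx_argv(subject, recipients)
    proc = subprocess.run(argv, input=body.encode(), check=False)
    return proc.returncode
```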