Monthly Archives: January 2015

‘glibc’ CRITICAL flaw affecting Linux systems

Linux users are at high risk due to a security flaw in a core library component that is used by almost all Linux distributions. This critical vulnerability allows remote attackers to execute arbitrary code due to a buffer overflow in the glibc (GNU C) library. Shell access to the machine can be obtained by sending a malformed message to an email application. Security researchers from Qualys identified the issue and claim that it has been present for the last 14 years. glibc 2.17 and 2.18 eradicated this issue, but several Linux distributions have not implemented the fix yet. Affected operating systems are Debian 7 (wheezy), Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7, and Ubuntu 12.04.

BlackPhone text message security flaw!

The fully secured BlackPhone is vulnerable to remote code execution due to an error in the SilentText secure messaging application. The flaw is quite critical, as it allows intruders to decrypt messages, read contact information, collect location data and even execute malicious code on the phone. Security researcher Mark Dowd from Azimuth Security identified this flaw, which targets SilentText. The company responded promptly and released a patch, so users can update the firmware to avoid any mishap.

62 vulns fixed in Google Chrome 40

Google rolled out Chrome 40, the latest version of the browser, which addresses 62 security flaws. Chrome 40 is available on Windows, Mac and Linux platforms. According to the advisory, most of the vulnerabilities are rated HIGH. SSL 3.0 has also been completely disabled to avoid any security issues arising from Heartbleed and POODLE attacks, so that users can enjoy risk-free surfing over the web. Google’s bug bounty program is quite popular in the security arena, as thousands of dollars are rewarded to security researchers. A researcher identified as ‘yangdingning’ got $9,000 for reporting two memory corruption vulnerabilities in ICU. Another researcher, Collin Payne, who revealed a use-after-free flaw in IndexedDB, was rewarded $4,500. Besides this, use-after-free issues in WebAudio, DOM, FFmpeg, Speech and Views are patched in the latest version. Chrome 40 also patches several memory corruption flaws in V8 and Fonts.

Oracle January patch update fixes 169 flaws

In January’s Critical Patch Update (CPU), Oracle released fixes for 169 security vulnerabilities covering various products. Oracle Database, Oracle Fusion Middleware components, Oracle Applications (eBusiness in particular), Oracle Sun Systems Products Suite, and Java SE get fixes for high-severity security flaws. CVE-2014-6567 is the most severe one; it targets Oracle Database and allows attackers to compromise the vulnerable server. Under the Common Vulnerability Scoring System (CVSS), a score of 9.0 has been assigned to this issue. Oracle Fusion Middleware vulnerabilities are also patched, and the most severe among them gets a CVSS score of 9.3. The CPU contains 19 security fixes for Java. 10 security fixes for Oracle E-Business Suite are also covered in the latest CPU.

January Patch Tuesday is all about WINDOWS

Microsoft’s first Patch Tuesday for 2015 contains eight security bulletins, of which ONE is rated CRITICAL and the rest are rated IMPORTANT. The critical bulletin, MS15-002, addresses a security flaw in the Windows Telnet Service that allows an attacker to make unauthorized changes to a device. Although the Telnet service is disabled by default, it still poses a high risk to vulnerable systems. The other bulletins, rated important, address issues related to privilege escalation, security bypass of built-in features and DoS attacks. Microsoft also patched a vulnerability that was disclosed by Google in the first week of January. Google has been criticized by security experts for the way it released the vulnerability without a security patch being available at the time.

Firefox 35 patches CRITICAL flaws

Last Tuesday, Mozilla rolled out Firefox 35, addressing various vulnerabilities along with some new features. Out of NINE flaws, THREE are rated CRITICAL by the company. One critical security flaw is a Gecko Media Plugin (GMP) sandbox escape targeting the Windows platform, addressed under CVE-2014-8643; Mozilla credits MWR Labs researcher Nils for the vulnerability. GMP is used to host H.264 video playback using OpenH264. The second critical vulnerability, reported by researcher Mitchell Harper, is a read-after-free in WebRTC and is covered under CVE-2014-8641. CVE-2014-8634 and CVE-2014-8635 also address critical security flaws in the browser engine, identified by Mozilla developers.

Apple iCloud vulnerability PATCHED!!

Apple recently patched a security vulnerability that allowed an intruder to break into any account using the iDict hacking tool, which was launched on New Year’s Day and exploits a flaw in Apple’s security via a brute-force attack. Pr0x13, the creator of the iDict hacking tool, claims to have discovered this security bypass issue for passwords, security questions, and even two-factor authentication. Apple responded promptly to shut down the tool so that intruders would not be able to penetrate other users’ accounts.

Twitter unleashes ‘AnomalyDetection’ tool

Twitter released a tool to detect anomalies, called ‘AnomalyDetection’. The tool is released as open source so that developers can change it according to their needs. Twitter has been using this tool for quite some time to detect anomalies such as a surge in users’ tweets due to some incident, major sporting events and special occasions. From a security perspective, this tool can help in identifying activities linked with bots and spam. ‘AnomalyDetection’ is a package for R and is available on GitHub. According to Trend Micro, 5.8% of tweets are malicious, containing links to malware, spam, phishing pages and other security threats. So one can hope that the release of this tool will help a lot in figuring out malicious tweets.

Exploit for Windows 8.1 unpatched security flaw

Google security researcher Forshaw published an exploit for an unpatched security flaw targeting Windows 8.1 machines. Forshaw defended his decision to publish the exploit, as he had waited for 90 days after reporting the flaw to the vendor. Microsoft has not come up with a patch since then, so he has every right to publish it publicly. The exploit is posted on Google’s security research site, revealing full information about the vulnerability and its execution. A privilege escalation vulnerability occurs in ‘ahcache.sys/NtApphelpCacheControl’, allowing attackers to execute arbitrary code on the vulnerable system.