Although it will not come as a surprise, there seems to be yet another bug in Adobe’s Flash Player that allows an attacker to potentially take control of a system by forcing a crash of the application. According to Trend Micro, CVE-2015-5123 is a critical bug in the latest version of Flash Player for Linux, Windows, and OS X operating systems. Adobe has already released a customer advisory stating that it is aware of this flaw being exploited in the wild.
Over the weekend there was a lot of talk about how Windows in particular is vulnerable to a flaw that is linked to SMB. This flaw could allow someone to grab user information by forcing a redirect to a malicious server using the SMB protocol. The way it works is pretty simple: if you give someone a URL that begins with the word “file”, then Windows (and some other systems) will think that you want to use SMB to connect to a file share. If the server that the link (URL) points to uses even basic authentication, then you can try to tempt a user to put in their own credentials and grab them during the exchange.
Privacy on the internet is a hard thing to achieve. For starters, there are tons of companies that are very interested in what you do and where you go online so they can get you to buy things. On top of that, there are the spying eyes of the government watching to make sure you are not a bad guy and storing all of this data in massive warehouses. This mass data collection seems to exist in every single device we own, from laptops to phones to smart TVs. It is enough to make someone paranoid, or at least to look for some form of privacy when connected to the internet.
The world lives in fear of zero-day exploits, although the average person does not even know it. A zero-day exploit is a bug or a flaw that has not been discovered by the developers yet, but is known to someone outside. This can be good guys, bad guys or other, but it is still a flaw that can be used to do harm to a computer system, and no one has a patch for it yet. When the good guys (security researchers) know about them, they work with companies to patch them. When the bad guys know about them, things get very ugly indeed. But what happens if someone knows about one (or a bunch of them) and does not tell anyone at all?
When you are a sysadmin, there is nothing like waking up to not one, but two troubling bits of news. The first one centers on a new and fun zero-day vulnerability that affects just about every version of Windows that Microsoft still supports. Dubbed Sandworm by iSight, the security firm that discovered it, this bug exploits yet another flawed internal mechanism in Microsoft’s OS.
A day after we published an article on how deficient most developers are when it comes to properly planning for security, we are hearing about a new bug that affects one of the core components of an operating system. Dubbed Bash or Shellshock, this new flaw affects the shell in an OS. The shell in an OS is what allows you to interact with systems. When you run an application, it will often run code through the shell to give you the desired result.
The Pwn2Own competition is getting a sibling. Now, we are not talking about the competition sponsored by Google or even Microsoft. We are talking about a knock-down, drag-out competition to hammer the (lack of) security in residential and SOHO routers. The competition will be called SOHOpelessly Broken and will kick off at DEF CON 22 this year. Interestingly enough, it is sponsored by the Electronic Frontier Foundation (EFF) and Independent Security Evaluators (ISE).
We talk a lot about security on DecryptedTech, and with good reason: there are a ton of threats out there and the list just keeps getting longer. This is why we tend to get annoyed with large corporations when they either skimp on security or botch the job. This is apparently the case with eBay-owned PayPal. For a while PayPal has been highlighting their 2FA (Two Factor Authentication) as a great way to protect your financial data, and it is… unless you screw up the implementation.
passwords stolen thanks to a BMC chip with a fairly serious Universal Plug-n-Play feature. According to security researcher Zachary Wikholm, there is a flaw in the IPMI BIOS on the WPCM450 BMC (Baseboard Management Controller) that Supermicro uses on their boards (with the exception of the very newest ones).
Microsoft is joining the ranks of Symantec and McAfee in a very special group. This is a group of companies whose anti-malware products can be/have been attacked directly. According to a security update, Microsoft says that a specially crafted file can stop the service from working until manually removed.