Displaying items by tag: Exploits
Google Releases 2nd Patch Now Advisory of 2022 as New Actively Exploited Zero-Day Shows Up.
Google pushed out an out-of-band patch for Chrome on Friday (March 25th, 2022) due to a high-severity vulnerability. The patch was pushed out quickly because the vulnerability, tracked as CVE-2022-1096, is being actively exploited in the wild. CVE-2022-1096 is a type confusion vulnerability in the JavaScript engine used by Chrome and was reported to Google by an anonymous researcher last week.
IAG Prophet Spider Targeting VMWare Horizon Servers Via Log4J Vulnerability
A shell for me, a shell for you, a shell for everybody in the room. If you have not heard about Log4J and the associated vulnerabilities in versions between 2.0 and 2.16, you might not have been near a computer in quite a while. This Remote Code Execution vulnerability, which has several CVEs (common vulnerabilities and exposures) associated with it, is commonly lumped into the term Log4Shell. Log4J itself is a Java-based Apache logging framework that is in widespread use in many applications. The list of impacted applications is not, and may never be, known. Many vendors have released complex mitigation steps and patches, but many devices are not getting patched (nothing surprising here). This has allowed the vulnerability to be quickly weaponized and used in targeted attacks.
12 Year Old Linux vulnerability Allows Root on Every Major Linux Flavor
A newly released CVE (common vulnerabilities and exposures), CVE-2021-4034, has identified a vulnerability in PolKit’s (formerly PolicyKit) pkexec that exists in every major release of Linux. The vulnerability, known as PwnKit, can be exploited to gain full root on a target system. The flaw, according to researchers, has also been present for more than 12 years.
Oracle says they will kill off the Java Browser Plug-In... sometime in the future
It seems that the stars might finally align to remove one of the largest security holes in the history of… well, history itself. Oracle is announcing that it is finally getting rid of the Java Browser Plug-in… sometime. According to a blog post on the Oracle page, they are aware that most (if not all) browsers are already blocking plug-ins like the one in the Java Runtime Environment. These blocks are for security, stability and performance, and really should have been put in place a long time ago. Over the last few years the Java browser plug-in (along with Flash) has been the vector of choice for many web-based attacks.
Keeping the Backdoor open... how the NSA's collection of 0-day exploits hurts us all
The world lives in fear of zero-day exploits, although the average person does not even know it. A zero-day exploit is a bug or a flaw that has not been discovered by the developers yet, but is known to someone outside. This can be good guys, bad guys or other, but it is still a flaw that can be used to do harm to a computer system, and no one has a patch for it yet. When the good guys (security researchers) know about them, they work with companies to patch them. When the bad guys know about them, things get very ugly indeed. But what happens if someone knows about one (or a bunch of them) and does not tell anyone at all?
Developers complain about Valve security and get a reply
Network and application security are big deals and big business these days. It seems that a day does not pass that you do not hear about a new breach, exploit, hack or something. This sad state has prompted a few companies to actually look outside their organizations for help and offer bug bounties to individual researchers who find holes in applications and hardware. These bounties can be quite the incentive to get people to tear into your application looking for exploits, but even more important than rewards is having a clear method to report problems and a team that actually responds to them when they are found.
PayPal Flaw Allows 2FA Security to be By-Passed
We talk a lot about security on DecryptedTech, and with good reason: there are a ton of threats out there and the list just keeps getting longer. This is why we tend to get annoyed with large corporations when they either skimp on security or botch the job. This is apparently the case with eBay-owned PayPal. For a while PayPal has been highlighting their 2FA (Two Factor Authentication) as a great way to protect your financial data, and it is… unless you screw up the implementation.
Snapchat security flaws exposed
After experts from Gibson Security found security holes in the Snapchat application last week, a web page named SnapchatDB! appeared on the internet, which allegedly contains a database of Snapchat usernames and their associated phone numbers.
Security flaw spotted in Safari
Kaspersky Lab experts noticed a security flaw related to Apple's Safari browser, or to be more precise, its storage of passwords and user ID information.
Embedded devices come with embedded flaws – IZON IP Cameras Open to attack
About a month ago we reported on a statement by the FTC regarding a security flaw in certain models of TRENDNet IP cameras. The statement was a “what he said” move, considering that all of the items they talked about had already been done by TRENDNet. We also noted that the FTC was less concerned about the actual presence of flaws than they were with a product being labeled as secure when it was not. At the time of the statement we remarked that the flaws found in TRENDNet products were very common in embedded devices. In fact, we recently reported that a similar flaw exists in many residential firewalls and routers. It seems that companies building products with an embedded OS just do not know how to keep things secure.