#1337day Joomla Component com_contushdvideoshare – Arbitrary File Download Vulnerability [#0day #Exploit]

#1337day Cisco Ironport Appliances Privilege Escalation Exploit [remote #exploits #0day #Exploit]

Apple readies fix for Thunderstrike bootkit exploit in next OS X release

A fix for the Thunderstrike proof-of-concept bootkit attack has made its way into a beta version of Apple's OS X, according to a just-published report. The new fix may indicate that a patch isn't far from general release.

The exploit was dubbed Thunderstrike because it spreads through maliciously modified peripheral devices connected to a Mac's Thunderbolt interface. When plugged into a Mac that's booting up, the device injects what's known as an option ROM into the extensible firmware interface (EFI), the firmware responsible for starting a Mac's system management mode and enabling other low-level functions. Once a Mac is infected, the malicious firmware can survive hard drive reformats and OS reinstallations. And since Thunderstrike replaces the digital signature Apple uses to ensure only authorized firmware runs on Macs, there are few viable ways to disinfect infected systems.

Earlier this month, Thunderstrike creator Trammell Hudson said that only the latest versions of the Mac Mini and iMac Retina 5K were largely immune to the exploit but that Apple engineers were in the process of developing a fix for the rest of the Mac product line. According to a report published Friday by iMore, the patch has been spotted in the latest beta of OS X 10.10.2, the next version of Yosemite.

#1337day ManageEngine ServiceDesk 9.0 SQL Injection Vulnerability [webapps #exploits #Vulnerability #0day #Exploit]

#1337day ManageEngine ServiceDesk Plus 9.0 Privilege Escalation Vulnerability [webapps #exploits #Vulnerability #0day #Exploit]

#1337day ManageEngine ServiceDesk 9.0 User Enumeration Vulnerability [webapps #exploits #Vulnerability #0day #Exploit]

#1337day ferretCMS 1.0.4-alpha Cross Site Scripting / SQL Injection Vulnerabilities [#0day #Exploit]

#1337day ecommerceMajor SQL Injection Vulnerability [webapps #exploits #Vulnerability #0day #Exploit]

#1337day libpng 1.6.15 Heap Overflow Exploit CVE-2015-0973 [remote #exploits #0day #Exploit]

Aspiring Singer Arrested in Israel on Suspicion of Hacking Madonna

The specific hackers behind the Sony breach and data leaks may never be identified or arrested. But authorities say they have caught a hacker behind another high-profile breach: the intrusion into computers owned by Madonna, which resulted in leaks of her songs before their scheduled release. The Israeli suspect, 39-year-old Adi Lederman, was arrested in […]

Silk Road 2.0 deputy arrested after 6-month attack on Tor

Brian Richard Farrell, aka "DoctorClu", was arrested last week. A search warrant shows that the drug market's kingpins were unmasked after a 6-month assault on Tor.

Adobe issues emergency fix for Flash zero-day

Crooks are reportedly using a new Flash vulnerability called CVE-2015-0310. Adobe has a fix already, so grab it while it's hot!

#1337day Facebook Linkshim Bypass Vulnerability [webapps #exploits #Vulnerability #0day #Exploit]

Google drops three OS X 0days on Apple

Don't look now, but Google's Project Zero vulnerability research program may have dropped more zero-day vulnerabilities—this time on Apple's OS X platform.

In the past two days, Project Zero has disclosed OS X vulnerabilities here, here, and here. At first glance, none of them appear to be highly critical, since all three appear to require the attacker to already have some access to a targeted machine. What's more, the first vulnerability, the one involving the "networkd 'effective_audit_token' XPC," may already have been mitigated in OS X Yosemite, but if so the Google advisory doesn't make this explicit and Apple doesn't publicly discuss security matters with reporters.

Still, the exploits could be combined with a separate attack to elevate lower-level privileges and gain control over vulnerable Macs. And since the disclosures contain proof-of-concept exploit code, they provide enough technical detail for experienced hackers to write malicious attacks that target the previously unknown vulnerabilities. The security flaws were privately reported to Apple on October 20, October 21, and October 23, 2014. All three advisories appear to have been published after the expiration of the 90-day grace period Project Zero gives developers before making reports public.

[dos] – Crystal Player 1.99 – Memory Corruption Vulnerability

Internet attack could shut down US gas stations

A device used to monitor the gasoline levels at refueling stations across the United States—known as an automated tank gauge or ATG—could be remotely accessed by online attackers, manipulated to cause alerts, and even set to shut down the flow of fuel, according to research to be published on Thursday.

The security weakness—identified by Jack Chadowitz, a former process control engineer and founder of control-system monitoring service BostonBase—could theoretically affect the devices at many of the approximately 115,000 fueling stations in the United States, but only a small fraction of those systems—about 5,300—appear to be vulnerable to an Internet attack, according to security firm Rapid7, which conducted a scan for such devices on January 10. While automated tank gauges are typically accessed to monitor fuel inventories, so as to know when to order gasoline, attackers could also access the settings, Chadowitz said.

“One could change the calibration and make the tank report full or empty,” he told Ars. “If you report the tank is full, no one is going to order fuel.”

Diverse White Hat Community Leads To Diverse Vuln Disclosures

Researchers at Penn State find that courting new bug hunters is just as important as rewarding seasoned ones.

#1337day Symantec SDCS:SA Multiple Vulnerabilities [remote #exploits #Vulnerabilities #0day #Exploit]

#1337day Arris VAP2500 Command Execution Exploit [remote #exploits #0day #Exploit]

As 0days get meaner, Google defenses increasingly outpace Microsoft

It's the type of bug that could have visited a world of hurt on a sizable number of people using Google Apps to manage business e-mail and calendars. A cross-site scripting (XSS) flaw in https://admin.google.com/ made it possible for attackers to force Google Apps admins to execute just about any request on that subdomain. Forced actions included creating new users with "super admin" rights, removing two-factor authentication and other security controls from existing accounts and modifying domain settings so e-mail is redirected to addresses controlled by the attacker.

But instead of causing disaster for businesses using Google Apps or generating headlines of an alarming new zero-day vulnerability, the bug was privately reported to Google on September 1 and fixed 17 days later. In exchange for the report, Google paid application security engineer Brett Buerhaus $5,000.

The speed and lack of fuss contrasts sharply with vulnerability travails that have recently visited Microsoft. Twice this month, the software company has been shamed when Project Zero, the vulnerability research team sponsored by Google, has publicly reported unfixed bugs that threaten the security of Windows users.

NSA Report: How To Defend Against Destructive Malware

In the wake of the Sony breach, spy agency's Information Assurance Directorate (IAD) arm provides best practices to mitigate damage of data annihilation attacks.

Yes, 123456 is the most common password, but here’s why that’s misleading

I recently worked with SplashData to compile its 2014 Worst Passwords List, and yes, 123456 tops the list. In the data set of 3.3 million passwords I used for SplashData, almost 20,000 of those were in fact 123456. But how often do you genuinely see people using that, or the second most common password, password, in real life? Are people still really that careless with their passwords?

While 123456 is absolutely the most common password, that statistic is a bit misleading. Although 0.6 percent of all users on my list used it, it’s important to remember that 99.4 percent of the users on my list didn’t. What is noteworthy here is that while the top passwords are still the top passwords, the number of people using those passwords has dramatically decreased. In 2011, my analysis showed that 8.5 percent had the passwords password or 123456, but this year that number has gone down to less than one percent. This is huge.

The fact is that the top passwords are always going to be the top passwords, it’s just that the percentage of users actually using those will—at least we hope—continually get smaller. This year, for example, a hacker using the top 10 password list would statistically be able to guess 16 out of 1,000 passwords.

If you use either of these WordPress themes update them now

Older versions of the Platform and PageLines WordPress themes contain privilege escalation vulnerabilities that could allow attackers to take over the website using them.

#1337day CAS Server 3.5.2 LDAP Authentication Bypass Vulnerability CVE-2015-1169 [remote #exploits #Vulnerability #0day #Exploit]

#1337day CAS Server 3.5.2 LDAP Authentication Bypass Vulnerability [remote #exploits #Vulnerability #0day #Exploit]

President’s Plan To Crack Down On Hacking Could Hurt Good Hackers

Security experts critical of President Obama's new proposed cybersecurity legislation.

Attack for Flash 0day goes live in popular exploit kit

If you've been meaning to disable Adobe Flash, now might be a good time. Attacks exploiting a critical vulnerability in the latest version of the animation software have been added to a popular exploitation kit, researchers confirmed. Attackers often buy the kits to spare the hassle of writing their own weaponized exploits.

Prolific exploit sleuth Kafeine uncovered the addition to Angler, an exploit kit available in underground forums. The zero-day vulnerability was confirmed by Malwarebytes. Malwarebytes researcher Jérôme Segura said one attack he observed used the new exploit to install a distribution botnet known as Bedep.

Adobe officials say only that they're investigating the reports. Until there's a patch, it makes sense to minimize use of Flash when possible. AV software from Malwarebytes and others can also block Angler attacks.

Bitcoin Exchange Operator Sentenced to 4 Years for Silk Road Transactions

A Bitcoin exchange operator who pled guilty to supplying $1 million in digital currency to people buying drugs on Silk Road was sentenced to four years in prison Tuesday. Robert Faiella, who used the name BTCking online, had been arrested last year and charged with conspiracy to commit money laundering and operating an unlicensed money […]

#1337day AVM FRITZ!Box Firmware Signature Bypass Vulnerability CVE-2014-8872 [webapps #exploits #Vulnerability #0day #Exploit]

#1337day articleFR CMS 3.0.5 SQL Injection Vulnerability [webapps #exploits #Vulnerability #0day #Exploit]

#1337day articleFR CMS 3.0.5 Arbitrary File Upload Vulnerability [webapps #exploits #Vulnerability #0day #Exploit]

#1337day Exif Pilot 4.7.2 Buffer Overflow Exploit [remote #exploits #0day #Exploit]

Did feds mount a sustained attack on Tor to decloak crime suspects?

Last week's arrest of a man alleged to help run the Silk Road 2.0 online drug bazaar has touched off speculation he was identified using a controversial attack that for six months last year systematically worked to deanonymize users of the Tor privacy service.

In a search warrant affidavit filed earlier this month, a special agent with the Department of Homeland Security said the Silk Road follow-on site was accessible only as a hidden service on Tor, a measure that typically would have made it impossible to identify the IP addresses hosting the underlying servers, as well as IPs used by end users who accessed them. Despite the use of Tor, FBI investigators were able to identify IP addresses that allegedly hosted and accessed the servers, including the Comcast-provided IP address of one Brian Farrell, who prosecutors said helped manage SR2. In the affidavit, DHS special agent Michael Larson wrote:

From January 2014 to July 2014, an FBI NY Source of Information (SOI) provided reliable IP addresses for TOR and hidden services such as SR2, which included its main marketplace URL (silkroad6ownowfk.onion), its vendor URL (vx3w763ohd256iyh.onion), its forum URL (silkroad5v7dywlc.onion) and its support interface (uz434sei7arqunp6.onion). The SOI's information ultimately led to the identification of SR2 servers, which led to the identification of at least another seventeen black markets on TOR.

The SOI also identified approximately 78 IP addresses that accessed a vendor .onion address. A user cannot accidentally end up on the vendor site. The site is for vendors only, and access is only given to the site by the SR2 administrators/moderators after confirmation of a significant amount of successful transactions. If a user visits the vendor URL, he or she is asked for a user name and password. Without a user name and password, the vendor website cannot be viewed.

The timeframe of the information leak bears a striking resemblance to a deanonymization attack uncovered in July by Tor officials. For six months, the people behind the campaign exploited a previously unknown vulnerability in the Tor protocol to carry out two classes of attack that together may have been enough to uncloak people using Tor Hidden Services. The decloaking effort began in late January 2014 and ran until early July when Tor officials shut it down. The Tor officials said the characteristics of the attack resembled those discussed by a team of Carnegie Mellon University researchers who a few weeks earlier canceled a security conference presentation on a low-cost way to deanonymize Tor users. The Tor officials went on to warn that an intelligence agency from a global adversary also might have been able to capitalize on the vulnerability.

Adobe Investigating New Flash Zero-Day Spotted In Crimeware Kit

Researcher Kafeine's 0day discovery confirmed by Malwarebytes.

Big bag of fixes: Oracle’s Critical Patches for Jan 2015 close 160 holes, 93 remotely exploitable

Big bag of fixes! Oracle's Critical Patches for Jan 2015 fix 160 holes in 48 products, with 93 of those vulnerabilities remotely exploitable.