#1337day Joomla Component com_contushdvideoshare – Arbitrary File Download Vulnerability [#0day #Exploit]
A fix for the Thunderstrike proof-of-concept bootkit attack has made its way into a beta version of Apple's OS X, according to a just-published report. The new fix may indicate that a patch isn't far from general release.
The exploit was dubbed Thunderstrike because it spreads through maliciously modified peripheral devices connected to a Mac's Thunderbolt interface. When plugged into a Mac that's booting up, the device supplies what's known as an option ROM, which the extensible firmware interface (EFI) executes during boot; EFI is the firmware responsible for starting a Mac's system management mode and enabling other low-level functions, and the option ROM code uses that early foothold to rewrite the boot firmware itself. Once a Mac is infected, the malicious firmware can survive hard drive reformats and OS reinstallations. And since Thunderstrike replaces the key material Apple's firmware uses to verify that only authorized firmware runs on Macs, there are few viable ways to disinfect infected systems.
Earlier this month, Thunderstrike creator Trammell Hudson said that only the latest Mac Minis and Retina 5K iMacs were largely immune to the exploit, but that Apple engineers were developing a fix for the rest of the Mac product line. According to a report published Friday by iMore, the patch has been spotted in the latest beta of OS X 10.10.2, the next version of Yosemite.
#1337day ManageEngine ServiceDesk 9.0 SQL Injection Vulnerability [webapps #exploits #Vulnerability #0day #Exploit]
#1337day ManageEngine ServiceDesk Plus 9.0 Privilege Escalation Vulnerability [webapps #exploits #Vulnerability #0day #Exploit]
#1337day ManageEngine ServiceDesk 9.0 User Enumeration Vulnerability [webapps #exploits #Vulnerability #0day #Exploit]
#1337day ferretCMS 1.0.4-alpha Cross Site Scripting / SQL Injection Vulnerabilities [#0day #Exploit]
#1337day ecommerceMajor SQL Injection Vulnerability [webapps #exploits #Vulnerability #0day #Exploit]
The specific hackers behind the Sony breach and data leaks may never be identified or arrested. But authorities say they have caught a hacker behind another high-profile breach: the intrusion into computers owned by Madonna, which resulted in leaks of her songs before their scheduled release. The Israeli suspect, 39-year-old Adi Lederman, was arrested in […]
The post Aspiring Singer Arrested in Israel on Suspicion of Hacking Madonna appeared first on WIRED.
Don't look now, but Google's Project Zero vulnerability research program may have dropped more zero-day vulnerabilities—this time on Apple's OS X platform.
In the past two days, Project Zero has disclosed three OS X vulnerabilities. At first glance, none of them appears to be highly critical, since all three require the attacker to already have some access to a targeted machine. What's more, the first vulnerability, the one involving the "networkd 'effective_audit_token' XPC," may already have been mitigated in OS X Yosemite, but if so the Google advisory doesn't make this explicit and Apple doesn't publicly discuss security matters with reporters.
Still, local bugs like these are exactly what an attacker chains with a separate remote exploit: the remote exploit provides the initial foothold, and these flaws escalate its limited privileges to full control over the vulnerable Mac. And since the disclosures contain proof-of-concept exploit code, they provide enough technical detail for experienced hackers to write malicious attacks that target the previously unknown vulnerabilities. The security flaws were privately reported to Apple on October 20, October 21, and October 23, 2014. All three advisories appear to have been published after the expiration of the 90-day grace period Project Zero gives developers before making reports public.
A device used to monitor the gasoline levels at refueling stations across the United States—known as an automated tank gauge or ATG—could be remotely accessed by online attackers, manipulated to cause alerts, and even set to shut down the flow of fuel, according to research to be published on Thursday.
The security weakness—identified by Jack Chadowitz, a former process control engineer and founder of control-system monitoring service BostonBase—could theoretically affect the devices at many of the approximately 115,000 fueling stations in the United States, but only a small fraction of those systems—about 5,300—appear to be vulnerable to an Internet attack, according to security firm Rapid7, which conducted a scan for such devices on January 10. While automated tank gauges are typically accessed to monitor fuel inventories, so as to know when to order gasoline, attackers could also access the settings, Chadowitz said.
“One could change the calibration and make the tank report full or empty,” he told Ars. “If you report the tank is full, no one is going to order fuel.”
#1337day Symantec SDCS:SA Multiple Vulnerabilities [remote #exploits #Vulnerabilities #0day #Exploit]
It's the type of bug that could have visited a world of hurt on a sizable number of people using Google Apps to manage business e-mail and calendars. A cross-site scripting (XSS) flaw in https://admin.google.com/ let an attacker run script in the browser of a logged-in Google Apps admin, and because that script executes on the admin subdomain itself, it could issue just about any request there with the admin's session attached. Forced actions included creating new users with "super admin" rights, removing two-factor authentication and other security controls from existing accounts, and modifying domain settings so e-mail is redirected to addresses controlled by the attacker.
But instead of causing disaster for businesses using Google Apps or generating headlines of an alarming new zero-day vulnerability, the bug was privately reported to Google on September 1 and fixed 17 days later. In exchange for the report, Google paid application security engineer Brett Buerhaus $5,000.
The speed and lack of fuss contrasts sharply with vulnerability travails that have recently visited Microsoft. Twice this month, the software company has been shamed when Project Zero, the vulnerability research team sponsored by Google, has publicly reported unfixed bugs that threaten the security of Windows users.
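Why a reflected XSS on an administrative origin turns into forced admin actions, as an added illustration that is not code from the article, from Google, or from the reporter: script injected into a page served by the admin origin runs with the victim admin's session, so any request it issues is authenticated as that admin. The template, the `/hypothetical/users` endpoint and the payload below are invented for the example; only the origin name comes from the text.

```javascript
// Added example (not from the article or from Google): a vulnerable template
// beside its escaped form, and a check that tells them apart.

const assumedOrigin = "https://admin.google.com"; // origin named in the article

// Minimal HTML escaper for the five characters that can break out of text
// or attribute context.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Vulnerable rendering: an attacker-controlled query parameter is concatenated
// straight into markup.
function renderUnsafe(query) {
  return `<p>No results for <b>${query}</b></p>`;
}

// Hardened rendering: the same template, with the untrusted value escaped.
function renderSafe(query) {
  return `<p>No results for <b>${escapeHtml(query)}</b></p>`;
}

// A hypothetical reflected payload. If the browser executes it, the admin's
// browser sends a privileged request to the admin origin with the admin's
// cookies attached (credentials: 'include'); no attacker cookie is needed.
const hypotheticalPayload =
  `<img src=x onerror="fetch('${assumedOrigin}/hypothetical/users',` +
  `{method:'POST',credentials:'include',body:'role=super_admin'})">`;

// Count tags in the rendered output that the template itself did not contain.
// A renderer is safe for this template only if attacker input cannot add any.
function injectedTagCount(renderer, input) {
  const tags = (html) => (html.match(/<[a-zA-Z]/g) || []).length;
  return tags(renderer(input)) - tags(renderer(""));
}

// Run both renderers against the payload and report how many tags each let in.
function demo() {
  return {
    unsafe: injectedTagCount(renderUnsafe, hypotheticalPayload),
    safe: injectedTagCount(renderSafe, hypotheticalPayload),
  };
}
```

The check is deliberately about markup the attacker can add, not about whether the payload looks dangerous: the same `<img onerror>` that posts to a hypothetical user-creation endpoint could just as well toggle two-factor settings, and the fix is the same escaping at the point where untrusted data enters HTML.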
I recently worked with SplashData to compile its 2014 Worst Passwords List, and yes, "123456" tops the list. In the data set of 3.3 million passwords I used for SplashData, almost 20,000 of those were in fact "123456". But how often do you genuinely see people using that, or the second most common password, "password", in real life? Are people still really that careless with their passwords?
While "123456" is absolutely the most common password, that statistic is a bit misleading. Although 0.6 percent of all users on my list used it, it's important to remember that 99.4 percent of the users on my list didn't. What is noteworthy here is that while the top passwords are still the top passwords, the number of people using those passwords has dramatically decreased. In 2011, my analysis showed that 8.5 percent had the passwords "password" or "123456", but this year that number has gone down to less than one percent. This is huge.
The fact is that the top passwords are always going to be the top passwords; it's just that the percentage of users actually using those will, at least we hope, continually get smaller. This year, for example, a hacker using the top 10 password list would statistically be able to guess 16 out of 1,000 passwords.
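The arithmetic behind "16 out of 1,000", as an added example that is not from the article or from SplashData: build a frequency table, take the top-N list, and measure how many accounts per 1,000 an attacker cracks by trying that list against every account. The password set below is constructed for illustration (1,000 entries with chosen counts), not the 3.3 million entry list the author analysed, so its numbers differ from his; the same functions applied to a real list give the real coverage figure.

```javascript
// Added example (not from the article): top-N coverage of a password set,
// and the defensive use of the same table as a blocklist.

// Constructed sample: ten deliberately common values with chosen counts
// (28 accounts in total), padded with unique passwords to 1,000 accounts.
function buildSampleSet() {
  const common = [
    ["123456", 6], ["password", 4], ["12345678", 3], ["qwerty", 3],
    ["abc123", 2], ["123456789", 2], ["111111", 2], ["1234567", 2],
    ["iloveyou", 2], ["adobe123", 2],
  ];
  const set = [];
  for (const [pw, n] of common) for (let i = 0; i < n; i++) set.push(pw);
  for (let i = set.length; i < 1000; i++) {
    set.push(`unique-${String(i).padStart(4, "0")}`);
  }
  return set;
}

const samplePasswords = buildSampleSet();

// Count occurrences of each password.
function frequencyTable(passwords) {
  const counts = new Map();
  for (const pw of passwords) counts.set(pw, (counts.get(pw) || 0) + 1);
  return counts;
}

// The n most common passwords as [password, count], most common first;
// ties are broken alphabetically so the result is deterministic.
function topN(passwords, n) {
  return [...frequencyTable(passwords).entries()]
    .sort((a, b) => b[1] - a[1] || a[0].localeCompare(b[0]))
    .slice(0, n);
}

// Accounts per 1,000 an attacker cracks by trying every password in guessList
// against every account (a fixed-list online guessing attack). Computed as
// hits * 1000 / total so the result is exact for whole-number outcomes.
function hitsPer1000(passwords, guessList) {
  const guesses = new Set(guessList);
  const hits = passwords.filter((pw) => guesses.has(pw)).length;
  return (hits * 1000) / passwords.length;
}

// Coverage of the top-n list drawn from the same set: the statistic quoted
// in the text ("a hacker using the top 10 password list would guess ...").
function topNCoverage(passwords, n) {
  const top = topN(passwords, n).map(([pw]) => pw);
  return { top, per1000: hitsPer1000(passwords, top) };
}

// Defensive use of the same table: rejecting any candidate that appears in
// the top-n list removes exactly the accounts that list would have cracked.
function isBlocklisted(candidate, passwords, n) {
  return topN(passwords, n).some(([pw]) => pw === candidate);
}
```

On the constructed set, `topNCoverage(samplePasswords, 10)` reports 28 per 1,000 and the two-password list `["123456", "password"]` alone accounts for 10 per 1,000, which is the same shape as the author's drop from 8.5 percent in 2011 to under one percent: the list is unchanged, its coverage shrinks.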
#1337day CAS Server 3.5.2 LDAP Authentication Bypass Vulnerability CVE-2015-1169 [remote #exploits #Vulnerability #0day #Exploit]
#1337day CAS Server 3.5.2 LDAP Authentication Bypass Vulnerability [remote #exploits #Vulnerability #0day #Exploit]
If you've been meaning to disable Adobe Flash, now might be a good time. Attacks exploiting a critical vulnerability in the latest version of the animation software have been added to a popular exploitation kit, researchers confirmed. Attackers often buy the kits to spare the hassle of writing their own weaponized exploits.
Prolific exploit sleuth Kafeine uncovered the addition to Angler, an exploit kit available in underground forums. The zero-day vulnerability was confirmed by Malwarebytes. Malwarebytes researcher Jérôme Segura said one attack he observed used the new exploit to install a distribution botnet known as Bedep.
Adobe officials say only that they're investigating the reports. Until there's a patch, it makes sense to minimize use of Flash when possible. AV software from Malwarebytes and others can also block Angler attacks.
A Bitcoin exchange operator who pled guilty to supplying $1 million in digital currency to people buying drugs on Silk Road was sentenced to four years in prison Tuesday. Robert Faiella, who used the name BTCking online, had been arrested last year and charged with conspiracy to commit money laundering and operating an unlicensed money […]
The post Bitcoin Exchange Operator Sentenced to 4 Years for Silk Road Transactions appeared first on WIRED.
#1337day AVM FRITZ!Box Firmware Signature Bypass Vulnerability CVE-2014-8872 [webapps #exploits #Vulnerability #0day #Exploit]
#1337day articleFR CMS 3.0.5 SQL Injection Vulnerability [webapps #exploits #Vulnerability #0day #Exploit]
#1337day articleFR CMS 3.0.5 Arbitrary File Upload Vulnerability [webapps #exploits #Vulnerability #0day #Exploit]
Last week's arrest of a man alleged to help run the Silk Road 2.0 online drug bazaar has touched off speculation he was identified using a controversial attack that for six months last year systematically worked to deanonymize users of the Tor privacy service.
In a search warrant affidavit filed earlier this month, a special agent with the Department of Homeland Security said the Silk Road follow-on site was accessible only as a hidden service on Tor, a measure that typically would have made it impossible to identify the IP addresses hosting the underlying servers, as well as IPs used by end users who accessed them. Despite the use of Tor, FBI investigators were able to identify IP addresses that allegedly hosted and accessed the servers, including the Comcast-provided IP address of one Brian Farrell, who prosecutors said helped manage SR2. In the affidavit, DHS special agent Michael Larson wrote:
From January 2014 to July 2014, a FBI NY Source of Information (SOI) provided reliable IP addresses for TOR and hidden services such as SR2, which included its main marketplace URL (silkroad6ownowfk.onion), its vendor URL (vx3w763ohd256iyh.onion), its forum URL (silkroad5v7dywlc.onion) and its support interface (uz434sei7arqunp6.onion). The SOI's information ultimately led to the identification of SR2 servers, which led to the identification of at least another seventeen black markets on TOR.
The SOI also identified approximately 78 IP addresses that accessed a vendor .onion address. A user cannot accidentally end up on the vendor site. The site is for vendors only, and access is only given to the site by the SR2 administrators/moderators after confirmation of a significant amount of successful transactions. If a user visits the vendor URL, he or she is asked for a user name and password. Without a user name and password, the vendor website cannot be viewed.
The timeframe of the information leak bears a striking resemblance to a deanonymization attack uncovered in July by Tor officials. For six months, the people behind the campaign exploited a previously unknown vulnerability in the Tor protocol to carry out two classes of attack that together may have been enough to uncloak people using Tor Hidden Services. The decloaking effort began in late January 2014 and ran until early July when Tor officials shut it down. The Tor officials said the characteristics of the attack resembled those discussed by a team of Carnegie Mellon University researchers who a few weeks earlier canceled a security conference presentation on a low-cost way to deanonymize Tor users. The Tor officials went on to warn that an intelligence agency from a global adversary also might have been able to capitalize on the vulnerability.