Hackin9

InfoSec News

IT hiring in 2013 will focus on jobs involving cloud computing, mobile technology and business intelligence, said staffing professionals.
 
Vendor earnings, market research reports and the International CES in Las Vegas this week highlighted the hardware arena, which appears to be a tale of two sectors with very different fates: PCs and mobile devices.
 
The International CES is packed to the rafters with the latest in shiny, often expensive high-tech gadgets, so it's no surprise that theft is a problem for companies exhibiting at the show.
 
The International CES is packed to the rafters with the latest in shiny, often expensive high-tech gadgets, so it's no surprise that theft is a problem for companies exhibiting at the show.
 

BankInfoSecurity.com

VanRoekel on Infosec and Sequestration
BankInfoSecurity.com
VanRoekel on Infosec and Sequestration. Federal CIO Says Smart Spending Should Keep Gov't IT Secure. By Eric Chabrow, January 14, 2013. Send Email. Tweet Like LinkedIn share. "Cybersecurity is in everything we do in government so we can't say ...

and more »
 
Starting with Java 8, to be released in September, the development team behind the widely used programming language plans to release a new version of Java every two years -- and stick to that schedule.
 
Internet users should consider disabling Java in their browsers because of an exploit that can allow remote attackers to execute code on a vulnerable system, the U.S. Computer Emergency Readiness Team (US-CERT) recommended late Thursday.
 
Though U.S. officials blamed Iran for an ongoing stream of distributed denial of service attacks against major U.S. banks, security experts say there's not enough evidence yet to assign blame.
 
RETIRED: Adobe Acrobat and Reader APSB13-02 Multiple Security Vulnerabilities
 
Despite a major push by rival Lenovo, Hewlett-Packard has held onto its position as the top seller of PCs worldwide, according to IDC.
 
A long-running legal dispute between Marin County, California, Deloitte Consulting and SAP over a troubled software project has concluded in a legal settlement this week that will reportedly net the county far less money than it had sought.
 
Want to send a message directly to Facebook founder Mark Zuckerberg? It might cost you $100, if you don't want it to wind up in his spam folder.
 
Dell SecureWorks is bringing security vulnerability management services to its cloud customers, along with its Global Threat Intelligence Service.

Add to digg Add to StumbleUpon Add to del.icio.us Add to Google
 
Microsoft and a respected researcher disagreed this week about whether a bug in Windows RT is actually a security vulnerability that should be patched.
 
Kanex's $60 MySpot aims to let you easily create a secure Wi-Fi network in a hotel room or any other location where you have an ethernet port that provides automatically assigned IP addresses. This seems like a marvelous idea, but the MySpot doesn't quite live up to the promise on scrutiny.
 
PCs were upstaged by tablets, smartphones and TVs at this year's International CES show, with some companies maintaining a smaller presence or holding back product announcements for a later date.
 
Internet users should consider disabling Java in their browsers because of an exploit that can allow remote attackers to execute code on a vulnerable system, the U.S. Computer Emergency Readiness Team (US-CERT) recommended late Thursday.
 
Adobe Acrobat and Reader CVE-2013-0613 Remote Integer Overflow Vulnerability
 
Adobe Acrobat and Reader CVE-2013-0609 Remote Integer Overflow Vulnerability
 

Windows IT Pro

The Winners and Losers of 2012 in Infosec and Technology
Windows IT Pro
Loser-Facebook: Leaving behind their disastrous IPO, Facebook continued to struggle with their privacy policies. And then, there's the various frauds making the rounds about how to protect your personal information. Those are urban legends, people.

 
In this edition: the offensive uses of plain text, proof of concepts for the lulz, 29C3 videos, payload-enabled cats, and Inception opens up Windows 8


 
Re: Wordpress gallery-3.8.3 plugin Arbitrary File Read Vulnerability
 
[security bulletin] HPSBMU02838 SSRT100789 rev.1 - HP Serviceguard on Linux, Remote Denial of Service (DoS)
 
[SE-2012-01] 'Fix' for Issue 32 exploited by new Java 0-day code
 
A built-in PDF viewer component based on JavaScript and HTML5 Web technologies has been added to the beta version of Firefox 19, Mozilla said Friday.
 
Oracle is preparing to release 86 patches for security vulnerabilities in a wide span of its products, including 18 for MySQL database flaws.
 
Apache CloudStack CVE-2012-5616 Local Information Disclosure Vulnerability
 
WeBid 'validate.php' Multiple SQL Injection Vulnerabilities
 

The Chrome team over at Google have been busy, and V24 of their Chrome browser has been released.

V24 brings both new functionality with the introduction of Math MLand an update to the flash version but also more importantly a significant number of bug fixes.




Reference

Rating

CVE

Description





162494

High

CVE-2012-5145

Use-after-free in SVG layout.



165622

High

CVE-2012-5146

Same origin policy bypass with malformed URL



165864

High

CVE-2012-5147

Use-after-free in DOM handling



167122

Medium

CVE-2012-5148

Missing filename sanitization in hyphenation support



166795

High

CVE-2012-5149

Integer overflow in audio IPC handling



165601

High

CVE-2012-5150

Use-after-free when seeking video



165538

High

CVE-2012-5151

Integer overflow in PDF JavaScript



165430

Medium

CVE-2012-5152

Out-of-bounds read when seeking video



164565

High

CVE-2012-5153

Out-of-bounds stack access in v8



164490

Low

CVE-2012-5154

Integer overflow in shared memory allocation



163208

Medium

CVE-2012-5155

Missing Mac sandbox for worker processes



162778

High

CVE-2012-5156

Use-after-free in PDF fields




162776 /162156


Medium

CVE-2012-5157

Out-of-bounds reads in PDF image handling



162153

High

CVE-2013-0828

Bad cast in PDF root handling



162114

high

CVE-2013-0829

Corruption of database metadata leading to incorrect file access



162066

Low

CVE-2013-0830

Missing NUL termination in IPC



161836

Low

CVE-2013-0831

Possible path traversal from extension process



160380

Medium

CVE-2013-0832

Use-after-free with printing



154485

Medium

CVE-2013-0833

Out-of-bounds read with printing



154283

Medium

CVE-2013-0834

Out-of-bounds read with glyph handling



152921

Low

CVE-2013-0835

Browser crash with geolocation



150545

High

CVE-2013-0836

Crash in v8 garbage collection



145363

Medium

CVE-2013-0837

Crash in extension tab handling



143859

Low

CVE-2013-0838

Tighten permissions on shared memory segments




For more details, and the credits to the vulnerabilities please see:

http://googlechromereleases.blogspot.com/2013/01/stable-channel-update.html



http://code.google.com/p/chromium/issues/detail?id=152430

Steve


(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Nokia's Xpress browser redirects any data traffic through the company's servers – even encrypted traffic. Nokia has confirmed that the data is decrypted in the process, but emphasised that it is secure regardless


 
Revenue at Infosys grew in the fourth quarter, but profit fell as a result of a wage rise and investments in newer businesses.
 
Oracle Java Runtime Environment Unspecified Remote Code Execution Vulnerability
 

Well, hot on the heals of Microsoft Patch Tuesday as we now know comes Adobe Patch Tuesday.

Guy has already kindly alerted us to the Cold Fusion vulnerability announced in apsa13-01 but we also need to highlight apsa13-02 which was also released on the 8th.

This covers a huge number of CVEs (27 if you need to know) and most of which could lead to code execution using a variety of techniques including use-after-free, integer, heap and stack over flows.

However, as we know other PDF readers are available and Foxitis quiet often what security minded people have installed. However there is also announced this week an as yet un-patched vulnerability discovered by Andrea Micalizzii inFoxit Reader 5.x, and Foxit Reader 2.x Plugin for which the exploit code is publicly available. This has reportedly been tested against versionFoxit Reader 5.4.4.1128 which is what is available for download as of today.


(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 
Big Data is clearly a disruptive technology, but using it successfully is as much art as it is science. The key is integrating Big Data with traditional BI to create a data ecosystem that allows you to generate new insights while executing on what you already know.
 
Ericsson has agreed to transfer 1,922 patents and 263 patent applications to Unwired Planet in return for a share in ongoing revenue from the patents.
 
Drupal Subuser Module Cross Site Request Forgery and Access Security Bypass Vulnerabilities
 
KnFTPd 'FEAT' Command Remote Denial Of Service Vulnerability
 
Simple Machines Forum 'scheduled' Parameter Cross Site Scripting Vulnerability
 
IrfanView Bitmap File Remote Heap Based Buffer Overflow Vulnerability
 
IPv6, the next version of the Internet Protocol, could make life easier and battery life longer for electronics-addicted consumers.
 
Wikimedia Foundation, the host of the Wikipedia online encyclopedia, is launching next week a global online travel guide called Wikivoyage.
 
Microsoft's Windows 8 OS failed to provide a spark to PC sales during last year's fourth quarter, with worldwide unit shipments falling by 6.4 percent compared to the same quarter in 2011, according to research by IDC released on Thursday.
 
Apple CEO Tim Cook expects China to become the company's largest market, surpassing the U.S.
 
Google on Thursday upgraded Chrome, improving the browser's start-up performance and patching two dozen security vulnerabilities.
 
There isn't a shortage of rare earth metals in the ground, but one country, China, has managed to dominate about 95% of the market. It not only mines the metals, but has built a supply chain to produce them.
 
Inspired by the release of ever larger and more detailed sets of municipal data, citizen-developers are writing apps to ease every aspect of city living, from preschools to parking meters.
 
A last-minute move by the U.S. Senate to renew a controversial wiretapping law, days before it was set to expire on Dec. 31, has dismayed privacy advocates, rights groups and lawmakers who have long opposed the measure.
 
There isn't a shortage rare earth metals in the ground. But one country, China, has managed to dominate about 95% of the market. It not only mines rare earths, but it has built a supply chain to produce them.
 
The latest Chrome stable release closes 25 security vulnerabilities, adds support for using MathML to represent mathematical notation on web sites, and has expanded support for datalists


 
Foxit Reader, a PDF viewer application often used as an alternative to the more popular Adobe Reader, contains a critical vulnerability in its browser plug-in component that can be exploited by attackers to execute arbitrary code on computers.
 

Posted by InfoSec News on Jan 11

http://www.csoonline.com/article/726103/segregated-healthcare-networks-rarely-work-expert-says

By Taylor Armerding
CSO
January 09, 2013

There are ways for healthcare organizations to protect the electronic
health records (EHR) of their patients. But a segregated network for EHR
is generally not one of them, says Martin Fisher, director of
information security for Atlanta-based Wellstar Health System.

Fisher disputes a recommendation for...
 

Posted by InfoSec News on Jan 11

http://www.telegraph.co.uk/finance/newsbysector/industry/mining/9794806/Hackers-break-into-Bumi-chairmans-computer.html

The Telegraph
11 January 2013

Samin Tan’s email account was “specifically targeted in a sophisticated
and persistent attack” to retrieve sensitive documents, a seven-page
report by a private security company claims, according to a newspaper.

One member of Bumi’s board subsequently received some of the documents
by...
 

Posted by InfoSec News on Jan 11

http://www.bankinfosecurity.com/global-payments-breach-tab-94-million-a-5415

By Information Security Media Group
January 10, 2013

Global Payments Inc. says the data breach it revealed in April 2012 has
cost the company $93.9 million.

In a Jan. 8 quarterly report, the Atlanta-based payments processor says
expenses associated with the breach, estimated by Global to have
affected 1.5 million payment cards in North America, related mainly to...
 

Posted by InfoSec News on Jan 11

http://arstechnica.com/security/2013/01/hack-turns-the-cisco-phone-on-your-desk-into-a-remote-bugging-device/

By Dan Goodin
Ars Technica
Jan 10 2013

Internet phones sold by Cisco Systems are vulnerable to stealthy hacks
that turn them into remote bugging devices that eavesdrop on private
calls and nearby conversations.

The networking giant warned of the vulnerability on Wednesday, almost
two weeks after a security expert demonstrated how...
 

Posted by InfoSec News on Jan 11

http://www.informationweek.com/security/attacks/bank-attacker-iran-ties-questioned-by-se/240146001

By Mathew J. Schwartz
InformationWeek.com
January 10, 2013

If Iran is masterminding the online attacks against U.S. banks, where's
the hard evidence?

Numerous current and former U.S. officials have accused the Iranian
government of sponsoring the distributed denial-of-service (DDoS)
attacks, which began in September and recently...
 
RETIRED: Mozilla Firefox/Thunderbird/SeaMonkey MFSA 2013-01 through -20 Multiple Vulnerabilities
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0763 Use After Free Memory Corruption Vulnerability
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0761 Use After Free Memory Corruption Vulnerability
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0757 Security Bypass Vulnerability
 
Mozilla Firefox/Thunderbird/SeaMonkey CVE-2013-0771 Heap Buffer Overflow Vulnerability
 
Internet Storm Center Infocon Status