Hackin9

Adobe released a new Flash Player update to fix the latest 0-day vulnerabilities.

Flash Player v 19.0.0.226
Flash Player ESR v 18.0.0.255

To update, visit https://get.adobe.com/flashplayer/

--
Alex Stanford - GIAC GWEB GSEC,
Research Operations Manager,
SANS Internet Storm Center
/in/alexstanford

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Full Disclosure: Infosec Industry Still Fighting Over Vulnerability Reporting
OpenDNS Blog (blog)
One of the fundamental tensions in the information security industry has been the competing philosophies between vendors and the independent research community when it comes to vulnerability disclosure. Generally, researchers and vendors are driven by ...

 


A handful of app distributors are putting hundreds of millions of Android users at risk by bundling powerful root exploits with their wares, computer scientists have found. The researchers presented a paper on Thursday that shows how the exploits—which legitimate developers openly use to give Android phones added functionality—can be easily reverse-engineered and surreptitiously incorporated into malicious apps that bypass crucial Android security measures.

Development outfits with names including Root Genius, 360 Root, IRoot, and King Root provide apps that "root" Android phones so they can overcome limitations imposed by carriers or manufacturers. To do this, the root providers collectively package hundreds of exploits that target specific hardware devices running specific versions of Android. Their code often includes state-of-the-art implementations of already known exploits such as TowelRoot (also known as futex), PingPong root, and Gingerbreak. Usually, such exploits are blocked by Android antivirus apps. But thanks to improvements made by the root providers, the professionally developed exploits are rarely detected. Even worse, many of the off-the-shelf exploits target undocumented Android security flaws.

It took just one month of part-time work for the computer scientists to reverse engineer 167 exploits from a single provider so they could be reused by any app of their choosing. Ultimately, the researchers concluded that the providers, by providing a wide array of highly customized exploits that are easy to reverse engineer and hard to detect, are putting the entire Android user base at increased risk.


 
 
Events Made Easy WordPress plugin CSRF + Persistent XSS
 
ERPSCAN Research Advisory [ERPSCAN-15-017] SAP NetWeaver J2EE DAS service - Unauthorized Access
 
[ISecAuditors Security Advisories] URL Open Redirect in Google generic TLD and ccTLD
 
Qualys Security Advisory - LibreSSL (CVE-2015-5333 and CVE-2015-5334)
 
[security bulletin] HPSBOV03503 rev.1 - HP OpenVMS CSWS_JAVA running Tomcat, Multiple Remote Vulnerabilities
 
APPLE-SA-2015-10-15-1 Keynote 6.6, Pages 5.6, Numbers 3.6, and iWork for iOS 2.6
 
Internet Storm Center Infocon Status