QEMU 'vmstate_xhci_event' Field Memory Corruption Vulnerability
Oracle Java SE CVE-2014-6476 Remote Security Vulnerability
[security bulletin] HPSBUX03087 SSRT101413 rev.2 - HP-UX CIFS Server (Samba), Remote Denial of Service (DoS), Execution of Arbitrary Code, Unauthorized Access
In early 2013, researchers exposed some unsettling risks stemming from Android-based password managers. In a paper titled "Hey, You, Get Off of My Clipboard," they documented how passwords managed by 21 of the most popular such apps could be accessed by any other app on an Android device, even those with extremely low-level privileges. They suggested several measures to help fix the problem.

Almost two years later, the threat remains viable in at least some, if not all, of the apps originally analyzed. An app recently made available on Google Play, for instance, has no trouble divining the passwords managed by LastPass, one of the leading managers on the market, as well as the lesser-known KeePassDroid. With additional work, it's likely that the proof-of-concept ClipCaster app would work seamlessly against many other managers, too, said Xiao Bao Clark, the Australia-based programmer who developed it. While ClipCaster does nothing more than display the plaintext of passwords that LastPass and KeePassDroid funnel through Android handsets, a malicious app with only network privileges could send the credentials to an attacker without the user having any idea what was happening.

"Besides the insecurity of it, what annoyed me was that I was never told any of this while I was signing up or setting up the LastPass app," Clark wrote in an e-mail. "Instead, I got the strong impression from LastPass that everything was very secure, and I needn't worry about any of it. If they at least told users the security issues using these features brings, then the users themselves could decide on their own trade-off between usability and security. Not mentioning it at all strikes me as disingenuous."

Target’s massive data breach, in which criminals were able to drop malware onto point-of-sale systems and compromise at least 40 million credit and debit cards, is now the subject of a federal lawsuit by banks who issued those cards. And Target is arguing in court today that those claims should be thrown out, Bloomberg reports—because the company claims it had no obligation to protect the banks from damages.

The suit has been brought by five banks—First Federal Savings, Village Bank, Umpqua Bank, Mutual Bank, and Louisiana’s CSE Federal Credit Union. As a group, the banks claim that their losses from the breach exceeded $5 million. The lawsuit is playing out as representatives from financial organizations, including the US’ two major credit union industry associations, are pressing Congress to take action to hold retailers more accountable for payment data breaches and to bring them under the same privacy standards that apply to financial institutions with regard to financial data.

Major retailer data breaches over the past year, including the ones at Target and Home Depot, have caused banks and credit unions to have to reissue hundreds of millions of payment cards. The Home Depot breach, first reported in September, was revealed last week to have exposed 53 million customer e-mail addresses, as well as 56 million payment cards.

Adobe Flash Player and AIR CVE-2014-0589 Unspecified Heap Based Buffer Overflow Vulnerability
Adobe Flash Player and AIR CVE-2014-0588 Use After Free Remote Code Execution Vulnerability
Adobe Flash Player and AIR CVE-2014-0581 Memory Corruption Vulnerability
[ MDVSA-2014:224 ] krb5
[ MDVSA-2014:221 ] php-smarty
[ MDVSA-2014:220 ] qemu
[ MDVSA-2014:223 ] wireshark
[ MDVSA-2014:222 ] libvirt
[security bulletin] HPSBHF03052 rev.2 - HP Network Products running OpenSSL, Multiple Remote Vulnerabilities
[ MDVSA-2014:218 ] asterisk
Google Chrome CVE-2014-7909 Information Disclosure Vulnerability
Google Chrome CVE-2014-7910 Multiple Security Vulnerabilities
Google Chrome CVE-2014-7907 Use After Free Remote Code Execution Vulnerability
AST-2014-017: Permission escalation through ConfBridge actions/dialplan functions
AST-2014-016: Remote Crash Vulnerability in PJSIP channel driver
AST-2014-018: AMI permission escalation through DB dialplan function
Multiple SQL Injection in SP Client Document Manager plugin
AST-2014-014: High call load may result in hung channels in ConfBridge.