Security News #0x0E

  • There is a new vulnerability, CVE-2012-0779, in Adobe Flash versions prior to 11.2.202.233. The issue is apparently being exploited in targeted attacks delivered by e-mail against Windows systems.
  • Last week we mentioned CVE-2012-1823, the PHP CGI vulnerability.
    • Exploits for that flaw are now well publicized; Exploit-DB has code, Eric Romang has a video demo of the Metasploit module in use, and Trustwave SpiderLabs has an example.
    • The folks at Dis9 have a post on an Nmap script to check for vulnerable targets.
    • Threatpost has the news of an updated patch to solve the problem.
  • WebGoat is a deliberately insecure web application for folks to learn how to attack web sites. A new version (5.4) was released at the end of April.
  • Did you know you can use Metasploit to run programs entirely from memory so that they do not touch the disk?
  • While Metasploit is on our mind, here is an exploit from last month for Firefox 7, 8 (≤ 8.01).
  • CharmSec is a meetup of information security professionals in Baltimore. The next meeting is Thursday, May 31.
  • Speaking of local meetings, you might also be interested in Unallocated Space in Severn, MD. They are holding a mini-con on May 19 and are looking for speakers.