Security News #0x1C. How about some Java?

  • There is an unpatched flaw in Java 7 (up through Java 7 Update 6) out there (CVE-2012-4681). Today, Metasploit released a fully functional exploit. The Metasploit module was reverse engineered from malware circulating in the wild; the folks at FireEye have some additional information on at least some of the original malware. Demos of the now-working exploit against both Ubuntu 12.04 and Windows 7 are available.
  • Mat Honan was the victim of a massive hack that disrupted his Twitter and Gmail accounts and resulted in the loss of all of the personal data on his iPhone, iPad and Mac. An outline of the attackers' process is available.
  • Metasploit has a new Windows privilege escalation exploit. This one relies on a flaw in how Windows parses file names that include spaces. You may want to check out this related blog post.
  • Metasploit also added a module to exploit CVE-2012-1535, a flaw in Adobe Flash Player before 11.3.300.271. Details of the exploit are available. Apparently, it is being exploited in the wild.
  • Don’t know what you want to do after you exploit a box? Ask mubix!
  • I have never liked the idea of password hints, and I routinely leave them blank on any machine or account that asks for them. Well, it appears that this is a good idea as these hints can be harvested as part of an attack.
  • Claudio Guarnieri has a nice piece analyzing what appears to be FinFisher malware.
  • Adobe continues to roll out patches for Flash Player, now updating to 11.4.402.265.
  • Apache has also rolled out a new version, fixing two holes in 2.4.3, including a potential XSS hole.
  • Here is a nice piece that shows how various browsers store password data.
  • Here is a nice post of some simple Windows tools, like the use of F7 in a command prompt to get a list of executed commands or the use of findstr as a Windows version of grep.
  • DNI has some suggestions on how to secure WordPress installations.
  • Talk about obfuscating JavaScript! Patricio Palladino wrote a script to convert JavaScript to combinations of ()[]{}!+ characters.
  • Are you looking for memory images for a forensics class? Raytheon has some.