Security News #0x36: One week, Two Java 0-days.
- Last week we mentioned a Linux privilege escalation (CVE 2013-0871). Well there is another Linux privilege escalation out there; this one is CVE 2013-1763. This time the problem is in Linux kernels prior to 3.7.10 (including e.g. Ubuntu 12.04), in one of the core networking components. Worse yet, there are at least two different exploits out there. Exploit-db has one, but you can get them both from Security Focus.
- By correctly manipulating the clock, you can bypass subsequent password checks when using sudo.
- Mark Baggett has a wonderful demonstration of a file hiding technique on Windows that is well worth a look. Catch the video over at PaulDotCom.
- Unallocated space is holding an Arduino night next week in Severn, MD.
- Ars Technica reports on a new method to bypass the iOS passcodes that prevent unauthorized users from gaining access to your iPhone.
- While I am mentioning Ars Technica, they also report on MiniDuke, a new piece of sophisticated malware. You may want to see the Securelist discussion as well.
- Wired has a discussion on some of the different Stuxnet versions that have been identified.
- The website http://icanhazip.com/ simply returns your public IP address.
- Yes, there are more Java 0-days out there. Actually, there were two zero-days this past week. Of course these are in the wild. Symantec reports that these latest attacks may be related to the recent attack on Bit9; you may also be interested in Brian Krebs’ take.