Phone hacking ruined the lives of celebrities, and – in at least one case – almost drove a victim to suicide.
The post The human cost of phone hacking appeared first on We Live Security.
Developers at Dropbox recently fixed a remotely exploitable vulnerability in the Android SDK version of the app that enabled attackers to connect applications on some devices to a Dropbox account without the user’s consent.
Posted by Guang Gong on Mar 11
#############################################################################
#
# QIHU 360 SOFTWARE CO. LIMITED http://www.360safe.com/
#
#############################################################################
#
# CVE ID: CVE-2015-1530
# Product: Android
# Vendor: Google
# Subject: An integer overflow in Android media could be exploited to get
media_server permission
# Effect: Gain privileges or cause a denial of service
#…
Posted by ITAS Team on Mar 11
#Vulnerability title: Community Gallery – Stored Cross-Site Scripting
vulnerability
#Product: Community Gallery
#Vendor: https://www.woltlab.com
#Affected version: Community Gallery 2.0 before 12/10/2014
#Download link:
https://www.woltlab.com/purchase/?products[]=com.woltlab.gallery
#Fixed version: Community Gallery 2.0 after 12/26/2014
#CVE ID: CVE-2015-2275
#Author: Pham Kien Cuong (cuong.k.pham () itas vn) & ITAS Team (www.itas.vn)…
Posted by Roee Hay on Mar 11
Hi,
We have recently discovered a vulnerability in the Dropbox SDK for Android.
This vulnerability may enable theft of sensitive information from apps that
use the vulnerable Dropbox SDK both locally by malware and also remotely by
using drive-by exploitation techniques.
The vulnerability is identified as CVE-2014-8889.
We had privately reported the issue to the Dropbox team which soon provided
a fix with version 1.6.2 of the SDK.
More…
Posted by Nguyen Anh Quynh on Mar 11
Greetings,
We are pleased to announce version 3.0.2 of Capstone disassembly framework!
This stable release brings some important bugfixes for X86, Arm, Mips &
Cython binding. All users are encouraged to upgrade.
Further information is available at
http://capstone-engine.org/Version-3.0.2.html
Thanks,
Quynh
Posted by Guang Gong on Mar 11
#############################################################################
#
# QIHU 360 SOFTWARE CO. LIMITED http://www.360safe.com/
#
#############################################################################
#
# CVE ID: CVE-2015-1474
# Product: Android
# Vendor: Google
# Subject: Integer overflow leading to heap corruption while unflattening
GraphicBuffer
# Effect: Gain privileges or cause a denial of service
# Author: Guang…
The OG Tabs module provides a secondary menu with links to nodes of the same OG group.
The module doesn’t sufficiently sanitize user-supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must have permission to create/edit nodes posted in an Organic Groups group.
Drupal core is not affected. If you do not use the contributed OG tabs module, there is nothing you need to do.
Install the latest version:
Also see the OG tabs project page.
The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.
Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.
Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
The Avast Mobile Security team demonstrated how easy it is to hack smartphones and tablets at the Mobile World Congress.
The sleekest smartphones, the coolest wearable devices, and the best in mobile security were debuted at the Mobile World Congress in Barcelona last week. But it was hacking users’ devices at the Avast booth that had the journalists buzzing.
Filip Chytry, a mobile malware researcher familiar to you if you visit our blog, set up a wireless hotspot in the Avast booth that allowed visitors to track the online activity of any device that connected.
“The site will let Avast capture passwords, messages and other information people type on the websites, and Chytry can even create dead ringers for Gmail or Facebook sign-in screens – down to the little green padlock icon that indicates a secure connection…,” reported Bloomberg Business in The Easiest Way to Get Hacked: Use Phone at Phone Show.
The hacking demonstration illustrated what Avast found out during a global Wi-Fi hacking experiment conducted right before MWC.
“The study found that people around the world overwhelmingly prefer to connect to unsecured and unprotected Wi-Fi networks instead of password-protected networks,” wrote Help Net Security in Global experiment exposes the dangers of using Wi-Fi hotspots.
Most people connect to a completely unsecured public Wi-Fi hotspot without a second thought.
Security experts from Avast traveled to 9 cities on 3 continents, and found that Wi-Fi users in Asia are the most prone to attacks. Chicago and London are the most vulnerable in the USA and Europe. Avast’s spokesperson Marina Ziegler told E&T Engineering and Technology magazine, “…in London we found that 54 per cent of routers were weakly encrypted and easily accessible to hackers.”
“That means that if a hacker walks into a pub, he can access the router’s settings and for example reroute the traffic via another malicious server,” said Chytry. “That’s very easy. Every IT college student can do that.”
Image Title module allows you to upload an image and use it as a node title.
The module doesn’t sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.
This vulnerability is mitigated by the fact that an attacker must be allowed to create/edit nodes.
Drupal core is not affected. If you do not use the contributed Image Title module, there is nothing you need to do.
Install the latest version:
Also see the Image Title project page.