SA-CONTRIB-2015-073 – Trick Question – Cross Site Scripting (XSS)

Description

Trick Question is a CAPTCHA-type spam prevention module: a lightweight, compact and simple alternative to larger and more complex modules.

The module doesn’t sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

The vulnerability is mitigated by the fact that an attacker must have the “Administer Trick Question” permission.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Trick Question 6.x-1.x versions prior to 6.x-1.5
  • Trick Question 7.x-1.x versions prior to 7.x-1.5

Drupal core is not affected. If you do not use the contributed Trick Question module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Trick Question module for Drupal 6.x, upgrade to Trick Question 6.x-1.5
  • If you use the Trick Question module for Drupal 7.x, upgrade to Trick Question 7.x-1.5

Also see the Trick Question project page.

Reported by

  • Matt Vance provisional member of the Drupal Security Team

Fixed by

Coordinated by

  • Matt Vance provisional member of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity


SA-CONTRIB-2015-072 – Commerce Ogone – Access bypass

Description

This module enables you to use Ogone (Ingenico) as a payment method for Drupal Commerce.

Malicious users can trick Commerce Ogone into proceeding with the checkout process without actually going through the Ogone payment process, causing the order status to be set to checkout complete, even though no payment was processed.

The vulnerability is mitigated by the fact that the balance to be paid on affected orders remains the full amount, and no payment transaction is linked to the order.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Commerce Ogone 7.x-1.x versions prior to 7.x-1.5.

Drupal core is not affected. If you do not use the contributed Commerce Ogone module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Commerce Ogone module for Drupal 7.x, upgrade to Commerce Ogone 7.x-1.5

Also see the Commerce Ogone project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity


SA-CONTRIB-2015-071 – Simple Subscription – Cross Site Scripting (XSS)

Description

This module enables you to add a block to allow visitors to subscribe to a site’s newsletter.

The module failed to sanitize some block content, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission “administer blocks”.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Simple Subscription 6.x-1.x versions prior to 6.x-1.1.
  • Simple Subscription 7.x-1.x versions prior to 7.x-1.1.

Drupal core is not affected. If you do not use the contributed Simple Subscription module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Simple Subscription module for Drupal 6.x, upgrade to Simple Subscription 6.x-1.1
  • If you use the Simple Subscription module in branch 7.x-1.x for Drupal 7.x, upgrade to Simple Subscription 7.x-1.1
  • If you use the Simple Subscription module in branch 7.x-2.x for Drupal 7.x, there is nothing to do, this branch is secure

Also see the Simple Subscription project page.

Reported by

  • Matt Vance provisional member of the Drupal Security Team

Fixed by

Coordinated by

  • Michael Hess of the Drupal Security Team
  • Matt Vance provisional member of the Drupal Security Team
  • Aaron Ott provisional member of the Drupal Security Team

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity


Cyber-criminals set their sights on drones


More and more cameras are watching us from the sky. And no, they don’t belong to the police or some intelligence agency, but to your neighbors. Unmanned aerial vehicles are becoming a more common sight, and there is no shortage of people wanting to fly their small camera-equipped drones to get the perfect shot.

Despite the many good uses of these flying machines (crop inspection, rescue missions, crime fighting, etc.), drones can also pose a security threat as they are difficult to detect and neutralize.

A few days ago, the U.S. Secret Service opened an investigation after finding a small recreational quadcopter on the grounds of the White House. Although the machine was operated by a government employee and not a criminal, the incident raised a lot of concerns, as it came just four months after another incident in which an intruder managed to jump over the perimeter fence of the presidential mansion.

U.S. authorities (who have been using unmanned aircraft in military operations for years now) are increasingly worried that drones could be used by criminals or terrorists to launch attacks with explosives or chemical weapons.


Initially, drones were restricted from flying near other aircraft, airports or populated areas (in Spain, for example, drones must stay at least 8 kilometers (5 miles) away from an airport). However, the proliferation of domestic drone use is raising new concerns for privacy and security. Can small drones be used for small-scale espionage?

DJI Technology Co., the Chinese maker of the device that crashed on the lawn of the White House and one of the leading makers of consumer drones in the world, has announced plans to change the software on its drones to prevent them from flying over Washington. The company also plans to stop its drones from crossing national borders after police discovered a DJI drone that apparently crashed while attempting to carry drugs into the U.S.

But are drone manufacturers taking enough measures to prevent cyber-criminals from manipulating their software? According to ‘The Wall Street Journal’, cyber-security experts have warned that drone no-fly zones are relatively simple for computer programmers to deactivate. “There’s more stuff that the industry can be doing as a whole to improve the overall security,” DJI spokesman Michael Perry said.

There are real reasons to be concerned, as shown by the appearance of the first ever backdoor malware for drones: Maldrone. Security expert Rahul Sasi has discovered and exploited a ‘backdoor’ in the Parrot AR, one of the most popular drone models. A backdoor malware can infiltrate target computers while appearing harmless, and take control of a drone by interacting with its sensors and serial ports. Rahul Sasi has even published a video proof-of-concept to demonstrate its effectiveness.

“After the connection is established, we can interact with the software as well as the drivers/sensors of the drone directly. There is an existing AR drone piloting program. Our backdoors kill the autopilot and take control,” explained Sasi.

This security expert is not the only one concerned about the existence of security holes in drones. Hackron, a cyber-security congress recently held in Santa Cruz de Tenerife (Spain), challenged participants to hack into a drone, with a 200-euro prize for the winner.

What would happen if cyber-criminals set their sights on drones? Are drone manufacturers taking precautions? Although we’ll still have to wait before we can answer these questions, it seems clear that cyber-security risks are no longer just limited to computers and smartphones. In the case of cyber-criminals, the sky is not the limit…

The post Cyber-criminals set their sights on drones appeared first on MediaCenter Panda Security.

Our journey to over 100 million mobile downloads

Every company, big, small or start-up faces the question of what will be big four years from now. While there is no way of knowing for sure, we can learn a lot from what happened four years back.

The smartphone platform was coming to life but was fragmented across a number of platforms. How could we find out which of the platforms would grow to be the biggest?

At the end of 2009, beginning of 2010, we identified Android as the platform of the future despite a market share of only 4%. Needless to say, it was hard to explain to our finance and marketing departments.

It’s no secret that the market can give you signals about what the future may hold, you just need to know where to look.

When we watched vendors like HP, BlackBerry and Nokia dip in 2010, we noticed that Android and iOS were heading in the opposite direction. In Nov 2010, we knew we had to take action. We decided to step into the mobile market and announced the acquisition of a small team of five people providing Android security. This is where our journey started.

But a bigger company acquiring a start-up does not mean the problem is solved. We knew that Google ranked apps in the store via keywords, so we knew that we needed to get to the top of the list. If you search for antivirus on Google, we are at the top.

A year later, we noticed another important method to improve rankings – user ratings. If you want to achieve a number of downloads that really affects your business, you need a user rating of at least 4.4. So we invested in a team to ensure we could maintain this rating.

Today 137 apps have passed the 50 and 100m download milestones. Keywords and review ratings are no longer enough. We are a consumer company but we know our consumers needed to engage with our products.

Understanding user behaviour helps extend the lifetime of an app so we researched what functionality people wanted from an app. The result was a new app – Cleaner. Although the functionality was already in the antivirus app, downloads started to increase. We did the same for privacy and it also grew.

My advice would be “don’t stick to one app”. Add additional services and functionality to maintain growth.

We looked at adding value – could users register when they download? Terrible idea – we had a 40% drop when we introduced this because we failed to understand the consumer.

Before you ask for value from the user, make sure you can deliver value.

Of course, we removed this and returned to the original format.

These tactics helped us reach 100m downloads but that’s only half the story. Revenue is also crucial. In December 2014, we were ranked among the top 10 developers for generating app revenue (excluding games). In February, we reached number 5.

On our last earnings call, we announced 101m downloads. Keeping them is the next challenge. Now the whole roadmap of our company is around mobile.

Picture a connected home where each device has its own app. It would be impossible to manage such a large number of individual applications. That’s why we introduced AVG Zen.

In conclusion, if you want to know what is going to be the big thing, don’t look just at the newspapers but look at stock. Search for big shifts. They don’t happen very often but they are there.

Also, don’t just stick to data. It can help you to optimize, but really, the “next big thing” can only be found in one place: your imagination. You won’t find that in the data.

SA-CONTRIB-2015-070 – Mover – Cross Site Scripting (XSS) – Unsupported

Description

The Mover module provides the ability to move content between Drupal sites.

The module doesn’t sufficiently sanitize user supplied text in some pages, thereby exposing a Cross Site Scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have permission to create/edit nodes.
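The three XSS advisories on this page (Trick Question, Simple Subscription and Mover) describe the same root cause: text that a privileged user entered into a form is later printed into HTML without being escaped. The PHP snippet below is an added illustration of that weak pattern beside its corrected form; it is not code from any of those modules or from Drupal itself. The function and variable names are hypothetical, and `check_plain()` is Drupal 7's HTML-escaping helper (a fallback definition is included so the snippet also runs under plain PHP).

```php
<?php
// Added illustration; not code from the Trick Question, Simple Subscription
// or Mover modules. Drupal 7 ships check_plain(); the fallback below lets
// this file run outside Drupal with the same escaping behaviour.
if (!function_exists('check_plain')) {
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

// Hypothetical helper, weak pattern: the stored question text is
// concatenated straight into the markup, so any tags it contains are
// interpreted by the browser of every visitor who sees the form.
function render_question_unsafe($question) {
  return '<label for="trick-answer">' . $question . '</label>';
}

// Hypothetical helper, corrected pattern: escape at the point of output,
// so the stored value is displayed literally, tags and quotes included.
function render_question_safe($question) {
  return '<label for="trick-answer">' . check_plain($question) . '</label>';
}

// Constructed sample value: what an account holding the module's
// administrative permission might have saved into the settings form.
$stored = 'What is 2+2? <script>alert(1)</script>';

echo render_question_unsafe($stored), PHP_EOL;
echo render_question_safe($stored), PHP_EOL;
```

Run with `php example.php`: the first line of output contains a live script element, the second shows the same text with `<`, `>` and quotes converted to HTML entities. The same rule applies whether the value comes from a block configuration form, a node field or a module settings page, which is why the mitigation in each advisory (the attacker needs an administrative permission) reduces but does not remove the risk: an escaping bug in admin-supplied text still lets one privileged account inject script into pages served to every other user. Where limited HTML is intentionally allowed, Drupal 7's `filter_xss()` with an explicit tag whitelist is the appropriate helper instead of `check_plain()`.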

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Mover 6.x-1.0

Drupal core is not affected. If you do not use the contributed Mover module, there is nothing you need to do.

Solution

If you use the Mover module you should uninstall it.

Also see the Mover project page.

Reported by

Fixed by

Not applicable.

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity
