bindings/core/v8/V8DOMWrapper.h in Blink, as used in Google Chrome before 45.0.2454.101, does not perform a rethrow action to propagate information about a cross-context exception, which allows remote attackers to bypass the Same Origin Policy via a crafted HTML document containing an IFRAME element.
Monthly Archives: October 2015
CVE-2015-1304
object-observe.js in Google V8, as used in Google Chrome before 45.0.2454.101, does not properly restrict method calls on access-checked objects, which allows remote attackers to bypass the Same Origin Policy via a (1) observe or (2) getNotifier call.
CVE-2015-4547
EMC RSA Web Threat Detection before 5.1 SP1 stores a cleartext AnnoDB password in a configuration file, which allows remote authenticated users to obtain sensitive information by reading this file.
CVE-2015-4548
EMC RSA Web Threat Detection before 5.1 SP1 allows local users to obtain root privileges by leveraging access to a service account and writing commands to a service configuration file.
CVE-2015-6263
The RADIUS client implementation in Cisco IOS 15.4(3)M2.2, when a shared RADIUS secret is configured, allows remote RADIUS servers to cause a denial of service (device reload) via malformed answers, aka Bug ID CSCuu59324.
Dream CMS 2.3.0 Cross Site Request Forgery
Dream CMS allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site. Related to the CSRF issue, an authenticated arbitrary PHP code execution vulnerability exists. It is caused by improper verification of uploaded files in the ‘/files-manager-administration/add-file’ script via the ‘file’ POST parameter, which allows arbitrary files to be uploaded to ‘/resource/filemanager/1/home/’ once the admin has added the file extension to the allowed list (a step that can itself be performed via CSRF). This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file and executing system commands. Version 2.3.0 is affected.
Caution! Your smartwatch could reveal what you’re doing on your computer

In case you didn’t know it, according to the latest report issued by the International Data Corporation, sales of smartwatches have increased by 200% during the first quarter of this year, resulting in over 11 million units sold.
Not only do these gadgets attract consumers, but they are also getting the attention of cybercriminals. We’ve already warned you on a few occasions of the vulnerabilities of smartwatches, but a group of investigators from the University of Illinois have just uncovered a new security risk posed by these devices. They have shown that it is possible to use them to detect the information that someone enters into a computer.
Knowing which letters are being keyed in by the owner of a smartwatch could help cybercriminals to discover passwords without needing direct access to your computer.
It isn’t even necessary to alter any of the settings on the watch or modify it in any way: the American experts were able to do it using an application that they developed. The tool they used captures all of the information obtained by the different sensors that the device is connected to.
With information from the accelerometer and the gyroscope, the app registers the movement of the hands and fingers on the keyboard. What’s more, the investigators have used the special information to construct a 3D map.
They fed the information into software that analyzed the rhythm of the inputs. By using two algorithms they were able to know the exact key that was hit, which allowed them to guess the different letters.
One of them detected the exact moment that the user started to input information on the keyboard and created a temperature map which indicated the keys. The other received the resulting information and analyzed the pauses between inputs, allowing them to calculate the number of letters that were hit by the right hand – as the watch was worn on the left.
So, by using this new mathematical tool as a dictionary, they were able to guess the letters used by the person wearing the smartwatch. The tool is efficient but it still needs to be perfected as it can’t yet detect punctuation or other symbols on the keyboard.
The work of these investigators is included in the Motion Leaks Through Smartwatch Sensors project, financed by the National Science Foundation. “Sensor data from wearable devices will clearly be a double-edged sword,” said Associate Professor Romit Roy Choudhury, who is affiliated with the Coordinated Science Laboratory.
Although the devices allow for the monitoring of information related to health, they could also put at risk the security of private information. According to Choudhury, “the real aim is to know the quantity and nature of the information that can be gotten about individuals”.
In this case it was the investigators that developed the app, but they assure us that any cybercriminal could make a similar one and spread it via platforms such as iTunes or Google Play. Because of this, just like with smartphones, it’s advisable to verify where any app comes from before you download it to your smartwatch.
The post Caution! Your smartwatch could reveal what you’re doing on your computer appeared first on MediaCenter Panda Security.
CVE-2015-4929
IBM License Metric Tool 9 before 9.2.1.0 and Endpoint Manager for Software Use Analysis 9 before 9.2.1.0 allow remote authenticated users to bypass intended access restrictions and obtain sensitive information via a REST API request.
CVE-2015-5648
SQL injection vulnerability in list.php in phpRechnung before 1.6.5 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
CVE-2015-5654
Cross-site scripting (XSS) vulnerability in Dojo Toolkit before 1.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.