Archive | September, 2010

inspathx – Tool For Finding Path Disclosure Vulnerabilities


inspathx is a tool that uses a local source tree to make requests to the URL and searches the responses for path inclusion (Full Path Disclosure) error messages. It’s a very common problem in PHP web applications.

PHP web application developers sometimes fail to add safety checks around authentication, file inclusion etc., and the applications are prone to revealing sensitive information when their URLs are requested directly. Sometimes it’s a clue to a Local File Inclusion (LFI) vulnerability. For open-source applications, the source code can be downloaded and checked to find such information.

This script will do this job.

  1. First you have to download source archived file of your desired OSS.
  2. Second, extract it.
  3. Third, feed its path to inspathx.

inspathx accepts the following arguments:

  • -d or --dir argument as the source directory (of the application)
  • -u or --url argument as the target base URL (like http://victim.com)
  • -t or --threads argument as the number of threads to run concurrently (default is 10)
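The check described above, as an added example for auditing your own deployment (this is not inspathx's code): it maps a local source tree to URLs and scans response bodies for PHP error lines that leak an absolute path. The sample bodies, the `staging.example` host and all function names are constructed for illustration, and fetching the bodies is left out so the block runs offline.

```python
import re
from pathlib import Path

# PHP error lines in both renderings: html_errors on (<b> tags) and plain text.
# Groups: 1 = error type, 2 = message, 3 = absolute path (Unix or Windows), 4 = line.
PHP_ERROR = re.compile(
    r"(?:<b>)?(Warning|Notice|Fatal error|Parse error)(?:</b>)?:\s+(.*?)\s+in\s+(?:<b>)?"
    r"((?:/|[A-Za-z]:\\)[^<\r\n]+?)(?:</b>)?\s+on line\s+(?:<b>)?(\d+)"
)


def tree_to_urls(src_dir, base_url):
    """Map each .php file in the extracted source tree to the URL it is served at."""
    src = Path(src_dir)
    rels = sorted(p.relative_to(src).as_posix() for p in src.rglob("*.php"))
    return {rel: base_url.rstrip("/") + "/" + rel for rel in rels}


def find_disclosures(body):
    """Return (error_type, leaked_path, line) for every PHP error that leaks a path."""
    return [(m.group(1), m.group(3), int(m.group(4))) for m in PHP_ERROR.finditer(body)]


def leaked_root(leaked_path, rel_path):
    """Install directory revealed when the leaked path ends with the requested file."""
    norm = leaked_path.replace("\\", "/")
    if norm.endswith("/" + rel_path):
        return norm[: -len(rel_path)].rstrip("/")
    return None  # the error came from some other file (e.g. an included library)


def audit(responses):
    """responses: {relative source path: response body}. One finding per leaked path."""
    findings = []
    for rel, body in sorted(responses.items()):
        for kind, path, line in find_disclosures(body):
            findings.append({"file": rel, "error": kind, "leaked_path": path,
                             "line": line, "install_root": leaked_root(path, rel)})
    return findings


# Constructed response bodies, as if fetched from each URL of a staging copy.
SAMPLE_RESPONSES = {
    "index.php": "<html><body>Welcome</body></html>",
    "includes/header.php": (
        "<br />\n<b>Fatal error</b>:  Call to undefined function get_option() in "
        "<b>/var/www/app/includes/header.php</b> on line <b>3</b><br />"
    ),
    "admin/index.php": (
        r"Warning: require_once(../config.php): failed to open stream: "
        r"No such file or directory in C:\inetpub\wwwroot\app\admin\index.php on line 12"
    ),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSES):
        print(finding)
```

Every file it flags is a script that needs a direct-access guard, and a production server that returns such bodies at all is still displaying PHP errors to clients.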

You can download inspathx via SVN here:

Or read more here.


Posted in: Hacking Tools, Web Hacking



JailBreaking AppleTV Running on iOS 4.1 – iPad/iPhone 4 Jailbreak Soon?


Posts about the latest Jailbreak exploit/software for the new Apple devices are always pretty popular and this looks like it might turn out to be pretty interesting.

It seems like at the moment the latest iOS update has been cracked for iPod Touch and earlier iPhones (3GS) but there’s no working Jailbreak at the moment for the newly released iPhone 4 – something to do with the baseband I think. I’m not super familiar with Apple stuff though so do correct me if I’m wrong.

The note about this exploit comes at the bottom of this post:

SHAttered iPod touch 4G

The latest Apple TV isn’t even in people’s hands and it’s already close to being jailbroken, according to members of a hacker group that has a track record of successfully freeing iDevices from the artificial shackles of Steve Jobs & Co.

According to a post on Monday on the iPhone Dev Team Blog, members were able to crack the customized iOS firmware shortly after its release on Monday on an Apple download site. The release came the same day Apple began shipping the $99 device.

The download, which allows users to restore Apple TVs to their original factory settings, confirms rumors that Jobs’s “hobby” does in fact run iOS. More importantly, it gave iPhone Dev Team members an opportunity to run it through an in-development iOS 4.1 hacking tool they developed called SHAtter. They quickly extracted the cryptographic key used to lock down the Apple TV firmware, which is the first step in finding a reliable jailbreak.

The funny thing is the AppleTV device hasn’t even shipped out yet and it’s already been jailbroken; they have also confirmed that it’s running on a version of iOS. This might be interesting for development of an iPhone 4 jailbreak.

Jailbreaks are a pretty hot topic at the moment with the iPhone 4 slowly releasing around the World after having been out commercially in the US for a couple of months now. It could set things up for a whole new slew of applications to come out too, imagine a hacked AppleTV with a custom iOS firmware or something else running on it (Android/MeeGo) hooked up via HDMI to your LCD/Plasma TV – now that’d be sweet!

It’s unclear exactly what could be done with a jailbroken Apple TV. Compared with other iDevices, it has a paltry amount of storage space. And, of course, there’s still the prospect that Apple will make last-minute changes to Apple TVs that patch the vulnerability SHAtter exploits.

But as we’ve reckoned before, the mini USB port included with the Apple TV opens the door to running unauthorized code loaded on a patchstick. That in turn might allow users to run iPhone and iPad apps or add amenities such as SSH access, a USB-supported hard drive or even the ability to stream shows from Hulu.

All of that is in the future. With Monday’s commencement of Apple TV shipments, it won’t take long for us to find out.

The shipping starts next week and I’m pretty sure Apple is going to be doing something about this, so we’ll find out about the future of this neat hack pretty soon. We’ll also see if a spin-off iPhone 4 jailbreak comes out of this.

You can find direct download links for the AppleTV firmware files here:

AppleTV Firmware Download Locations

Source: The Register


Posted in: Apple, Exploits/Vulnerabilities, Hardware Hacking



TA-Mapper v1.1 – Time and Attack Mapper – Effort Estimator For Pen-Testing


We wrote about this tool back in January 2009 when it was first released, recently v1.1 has become available for download.

Time and Attack Mapper (alternatively known as TA-Mapper) is an effort estimator tool for blackbox security assessment (or Penetration Testing) of applications. This tool provides more accurate estimation when compared to rough estimation. Penetration testers who always have a hard time explaining/justifying the efforts charged (or quoted) to their customers can find this tool handy, as it calculates the effort required for application penetration testing with greater accuracy.

What’s new in v1.1?

  1. The “Optimise Effort” option is provided for advanced correction/optimisation of effort. It allows users to further optimise the efforts by considering an automation component as a part of the test approach.
  2. Report can be generated both in HTML and MS Excel format (More report options may come up in the later release)

Bug Fixes

  • Few cosmetic bug fixes including few functional issues
  • Fixed the _silly_ custom values settings followed by auto-update of total efforts

You can download TA-Mapper v1.1 here:

TA-Mapper%20v1.1.zip

Or read more here.


Posted in: General Hacking, Security Software



Microsoft Warns Of ASP.Net Vulnerability In The Wild – Cryptographic Padding Attack


There seems to be a fairly serious attack being exploited in the wild that targets vulnerable ASP.Net web applications, so far there is a temporary fix but no official announcement on when a patch will be issued. The next scheduled patches should be pushed out on October 12th.

If you had set up your server to the ‘best standards’ you shouldn’t be vulnerable to this anyway as the data in your config files should be encrypted, but honestly..how many people really take such precautions?

As the exploit is being used in the wild, I’d say not many.

Attackers have begun exploiting a recently disclosed vulnerability in Microsoft web-development applications that opens password files and other sensitive data to interception and tampering.

The vulnerability in the way ASP.Net apps encrypt data was disclosed last week at the Ekoparty Conference in Argentina. Microsoft on Friday issued a temporary fix for the so-called “cryptographic padding attack,” which allows attackers to decrypt protected files by sending vulnerable systems large numbers of corrupted requests.

Now, Microsoft security pros say they are seeing “limited attacks” in the wild and warned that they can be used to read and tamper with a system’s most sensitive configuration files.

“There is a combination of attacks that was publicly demonstrated that can leak the contents of your web.config file, including any sensitive, unencrypted, information in the file,” Microsoft’s Scott Guthrie wrote on Monday night. “You should apply the workaround to block the padding oracle attack in its initial stage of the attack.” (He went on to say sensitive data within web.config files should also be encrypted.)

It’s actually another fairly complex and interesting example of a side channel attack. The last time we reported on this kind of attack was when Website Auto-complete Leaked Data Even Over Encrypted Link.

This is certainly not a straight forward attack and I wouldn’t expect to be seeing widespread hacks using this technique, but skilled attackers could leverage this when doing focused attacks on certain organisations or web properties.

Microsoft personnel also warned about ASP.Net applications that store passwords, database connection strings or other sensitive data in the ViewState object. Because such objects are accessible to the outside, the Microsoft apps automatically encrypt its contents.

But by bombarding a vulnerable server with large amounts of corrupted data and then carefully analyzing the error messages that result, attackers can deduce the key used to encrypt the files. The side-channel attack can be used to convert virtually any file of the attacker’s choosing.

The temporary fix involves reconfiguring applications so that all error messages are mapped to a single error page that prevents the attacker from distinguishing among different types of errors. A script to identify the oracles that needlessly reveal important cryptographic clues is here.

Thai Duong, one of the researchers who disclosed the vulnerability last week, said here that simply turning off custom error messages was not enough to ward off exploits because attackers can still measure the different amounts of time required for certain errors to be returned.
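One way to check a `web.config` for the single-error-page condition described above, as an added example (not Microsoft's detection script): it flags `customErrors` sections that are off, lack a `defaultRedirect`, or define per-status pages. The sample configs and the function name `audit_custom_errors` are constructed here.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs (not from the original post).
WEAK_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.html">
      <error statusCode="404" redirect="~/notfound.html" />
      <error statusCode="500" redirect="~/servererror.html" />
    </customErrors>
  </system.web>
</configuration>"""

OFF_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.html" />
  </system.web>
</configuration>"""


def _local(tag):
    """Element name without an XML namespace prefix, if the file declares one."""
    return tag.rsplit("}", 1)[-1]


def audit_custom_errors(web_config_xml):
    """Return (code, detail) findings; an empty list means one uniform error page.

    Covers only the error-page part of the workaround. It says nothing about
    response timing, which the post notes can still distinguish error types.
    """
    root = ET.fromstring(web_config_xml)
    # iter() also reaches customErrors inside <location> overrides.
    sections = [el for el in root.iter() if _local(el.tag) == "customErrors"]
    if not sections:
        return [("MISSING", "no <customErrors> element, so no single error page is set")]

    findings = []
    for sec in sections:
        # ASP.NET's default mode is RemoteOnly when the attribute is absent.
        mode = sec.get("mode", "RemoteOnly")
        if mode.lower() == "off":
            findings.append(("MODE_OFF", "detailed errors are returned to clients"))
        if not sec.get("defaultRedirect"):
            findings.append(("NO_DEFAULT_REDIRECT", "no catch-all error page"))
        per_status = [c.get("statusCode", "?") for c in sec if _local(c.tag) == "error"]
        if per_status:
            findings.append(("PER_STATUS_PAGES",
                             "different pages for status " + ",".join(per_status)))
    return findings


if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_CONFIG), ("off", OFF_CONFIG),
                      ("hardened", HARDENED_CONFIG)]:
        print(name, audit_custom_errors(cfg))
```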

Details from the ASP.Net Blog including the workaround are available here:

Important: ASP.NET Security Vulnerability

There’s also a FAQ for the vulnerability here:

Frequently Asked Questions about the ASP.NET Security Vulnerability

More technical details about the nature of the attack are on the technet blog here:

Understanding the ASP.NET Vulnerability

Source: The Register


Posted in: Exploits/Vulnerabilities, Web Hacking, Windows Hacking



wifite – Mass Wifi WEP/WPA Key Cracking Tool


wifite is created to attack multiple WEP and WPA encrypted networks at the same time. This tool is customizable to be automated with only a few arguments and can be trusted to run without supervision.

Features

  • sorts targets by power (in dB); cracks closest access points first
  • all WPA handshakes are backed up (to wifite.py’s working directory)
  • mid-attack options: stop during attack with Ctrl+C to use (continue, move onto next target, skip to cracking, exit)
  • numerous filters to specify exactly what to attack (wep/wpa/both, above certain signal strengths, channels, etc)
  • very customizable settings (timeouts, packets/sec, etc)
  • SKA support (untested)
  • finds devices in monitor mode; if none are found, prompts for selection
  • all passwords saved to log.txt
  • switching WEP attacks does not reset IVS
  • displays session summary at exit; shows any cracked keys

You can download wifite here:

wifite.py

Or read more here.


Posted in: Hacking Tools, Password Cracking, Wireless Hacking



Twitter onMouseOver XSS Exploit Causes Chaos


The big news yesterday was an epic XSS flaw on Twitter that sent the micro-blogging service into chaos. They actually made an announcement during the hack that users should stay off the web-site and use 3rd party services through the API (Software such as Tweetdeck, Seesmic, Gravity etc).

They posted an update on the status blog pretty fast that the XSS had been identified and they were in the midst of patching it.

Hackers have exploited a flaw in Twitter, which results in pop-ups and third-party websites being opened despite users simply hovering over links with their mouse.

Hundreds of Twitter users, including Sarah Brown – wife of the former Labour Prime Minister Gordon Brown – have fallen victim to the attack. In some cases the third-party websites that are open are pornographic. The malicious links contain Javascript code, called onMouseOver, which allows users to be redirected, even if they haven’t clicked on the link.

Graham Cluley from security firm Sophos said in a blog that at present the flaw is being exploited for “fun and games” although “there is obviously the potential for cybercriminals to redirect users to third-party websites containing malicious code, or for spam advertising pop-ups to be displayed”.

Cluley advised Twitter users to avoid using the Twitter website and instead rely on a third-party client such as Tweetdeck to access the service.

Most ‘attacks’ were pretty harmless with users just having fun with the bug; there were some pretty dodgy incidents though, involving shock sites (goatse or tubgirl anyone?) and hardcore porn sites.

There’s also a good write-up on the Sophos blog here with screen-shots:

Twitter ‘onmouseover’ security flaw widely exploited

A full post on the issue from Twitter is available here:

All about the “onMouseOver” incident

I like how they are responsible about such things and don’t try to hide them. If you are on Twitter and you want the latest updates about such matters you should follow the @safety account.

Source: Network World


Posted in: Exploits/Vulnerabilities, Malware, Web Hacking



Havij – Advanced Automated SQL Injection Tool


Havij is an automated SQL Injection tool that helps penetration testers to find and exploit SQL Injection vulnerabilities on a web page.

It can take advantage of a vulnerable web application. Using this software, a user can fingerprint the back-end database, retrieve DBMS users and password hashes, dump tables and columns, fetch data from the database, run SQL statements and even access the underlying file system and execute commands on the operating system.

The power of Havij that makes it different from similar tools is its injection methods. The success rate is more than 95% at injection vulnerable targets using Havij.

The user-friendly GUI (Graphical User Interface) of Havij and its automated settings and detections make it easy to use for everyone, even amateur users.


There is a free version available and also a more fully-featured commercial edition available here.

You can download Havij v1.12 Free Edition here:

Havij1.12Free.rar

Or read more here.


Posted in: Database Hacking, Hacking Tools, Web Hacking



Interpol Chief Ronald K. Noble Has Facebook Identity Stolen


Just goes to show you can jack anyone, including one of the most powerful people in the policing world. It’s not really a technical security issue but still it shows online identity theft isn’t really difficult.

That’s one difference between Twitter and Facebook, even though Twitter is only a micro-blogging service and doesn’t really store much data about an individual it has the ability to ‘Verify’ an account and stop impostors gaining any kind of weight. Example here (aplusk) – note the Verified badge at the top of the profile.

Now I find this a little odd because Facebook doesn’t have this ability even though they store infinitely more personal information.

He’s one of the most powerful people in world policing, but on Facebook Interpol chief Ronald K. Noble is just as vulnerable to identity theft as anyone else.

At last week’s inaugural Interpol Information Security Conference in Hong Kong, secretary general Noble revealed that criminals had set up two accounts impersonating him on the networking site during this summer’s high-profile global dragnet, ‘Operation Infra-Red’. The fraud was discovered only recently by Interpol’s Security Incident Response Team. “One of the impersonators was using this profile to obtain information on fugitives targeted during our recent Operation Infra Red,” Noble told delegates.

Operation Infra-Red, which took place between May and July of this year, was a global, Interpol-led operation to crack down on named criminal fugitives accused of murder, paedophilia, fraud, corruption, drug trafficking and money laundering, who had fled national jurisdictions. The operation led to 130 arrests.

It seems like the bogus accounts were used for some pretty nefarious activities such as gathering information on fugitives targeted during the recent Operation Infra-Red. As per usual, the criminals are always one step ahead and it seems like they came up with another way to fish for information.

It just goes to show what can be done when you think outside the box.

Noble is not believed to have had a professional profile on Facebook although his organisation does.

“Cybercrime is emerging as a very concrete threat. Considering the anonymity of cyberspace, it may in fact be one of the most dangerous criminal threats we will ever face,” Noble was quoted as saying.

Although Facebook itself wasn’t compromised in any way, the example cited by the Interpol head hinges on the ease with which the criminals were able to forge his identity without challenge. This is a problem both Facebook, and that other giant of social media, Twitter, have been grappling with.

Even for non-VIPs using real accounts, Facebook is a controversial place to put certain types of data. Last week, a study found that many US SMEs had suffered security problems they blamed on employee interest in the site.

It’s something that needs to be looked at but I honestly can’t think of any way Facebook themselves could address this as the platform isn’t built in a way that can prevent such bogus accounts. Plus the fact Facebook is constantly pushing for less and less privacy.

In business terms the more data they collect the more they are worth, and the more open the platform is the more users they will attract.

With the new wave of social media and all these sharing platforms it’s something that needs to be considered.

Source: Network World


Posted in: Privacy, Web Hacking



CUPP – Common User Passwords Profiler – Automated Password Profiling Tool


A while back we had Wyd – Automated Password Profiling Tool but the guys at remote-exploit seem to have superseded this with CUPP.

There are other similar options too – The Associative Word List Generator (AWLG) and also RSMangler – Keyword Based Wordlist Generator For Bruteforcing.

People spend a lot of time preparing for an effective dictionary attack. Common User Passwords Profiler (CUPP) is made to simplify this attack method, which is often used as a last resort in penetration testing and forensic crime investigations. A weak password might be very short or only use alphanumeric characters, making decryption simple. A weak password can also be one that is easily guessed by someone profiling the user, such as a birthday, nickname, address, name of a pet or relative, or a common word such as God, love, money or password.

Going through different combinations and algorithms, CUPP can predict specific target passwords by exploiting human vulnerabilities. In password creation, as in many aspects of life, everybody tends to the original solution, but thanks to human nature, we all tend to originality in the same way, leading to almost absolute predictability.

You can download CUPP v3.1 here:

cupp-3.1.tar.gz

Or read more here.


Posted in: Hacking Tools, Password Cracking



Critical Zero Day Adobe Flash Flaw Puts Android Phones At Risk


Adobe hasn’t been having the best of luck recently with a string of serious PDF exploits in their Reader software and now in less than a week two critical flaws in Flash.

This is a pretty serious flaw and sadly proves Steve Jobs right for not supporting Flash on the iPhone and iPad. A new twist is that this vulnerability extends to mobile platforms such as Android due to the full support for Flash. It also affects desktop systems across the board (Windows, Mac, Linux & Solaris).

Adobe revealed a critical zero day flaw in Adobe Flash–the second in less than a week. The vulnerability extends even to Adobe Flash on the Android mobile OS, supporting at least one of the reasons laid out by Steve Jobs for not allowing Flash on the iPhone and iPad.

An Adobe spokesperson contacted me and shared that, “A critical vulnerability exists in Adobe Flash Player 10.1.82.76 and earlier versions for Windows, Macintosh, Linux, Solaris and Android operating systems. This vulnerability also affects Adobe Reader 9.3.4 for Windows, Macintosh and UNIX, and Adobe Acrobat 9.3.4 and earlier versions for Windows and Macintosh.”

In a nutshell, the critical flaw could be exploited to crash the affected system, or may even allow an attacker to gain access and control it to execute additional malicious software. There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player, but Adobe is not aware of any attacks exploiting it against Adobe Reader or Acrobat thus far.

The Adobe spokesperson explained, “Adobe is actively sharing information about this vulnerability (and vulnerabilities in general) with partners in the security community to enable them to quickly develop detection and quarantine methods to protect users until a patch is available. As always, Adobe recommends that users follow security best practices by keeping their anti-malware software and definitions up to date.”

There are reports of this vulnerability being exploited in the wild, but I haven’t really seen any details of it so far. It’s an interesting point regarding smart-phones and I wonder how Android developers might look at addressing this kind of issue and safeguarding the phones in the future.

A sandbox method might be a good idea, and from what I know of Android you don’t have root privileges by default anyway. We’ll have to see if Android makes any announcements regarding this or comes out with any kind of plan for future safeguards.

Those best practices are long established among the traditional desktop computing platforms, but users running Adobe Flash on Android smartphones may be left wondering exactly which “best practices” will protect them. Smartphones have grown into palm-based portable computers–with processing power and storage space significant enough to be a worthy target–but smartphone security is not as evolved as its desktop and notebook counterparts.

As Microsoft has improved its software development processes and implemented new security controls in the Windows operating system and other applications, attackers have looked elsewhere to find the chinks in the armor. Adobe has emerged as the virtually ubiquitous low-hanging fruit–with security practices that are not as mature as Microsoft’s, and software with potentially exploitable weaknesses available on pretty much every platform out there.

The iPhone and iPad stand uniquely apart from other smartphone and tablet platforms thanks to Apple’s very public rejection of Adobe Flash for iOS. While the real reasons probably have more to do with iAd and wanting to exert tighter control over the developer community, security is also a concern that has been cited. Zero day flaws like this one, which potentially impact Android smartphones running Adobe Flash, seem to illustrate the wisdom of that choice.

You can read the security advisory from Adobe here – Security Advisory for Flash Player, the fix has not been issued as yet but they do state they are working on it so expect a flash update soon.

It’ll be interesting to see what comes of this and how fast Adobe can push a patch out.

Source: Network World


Posted in: Exploits/Vulnerabilities, General News
