Action follows fix for yet another critical security issue in web technology
Following a fix issued on Friday that appeared to plug the latest in a string of critical security issues plaguing Adobe's Flash, the aging web animation technology, Apple has again moved to block any version of Flash that is not the latest for the current and recent versions of OS X. Machines not running Flash version 220.127.116.11 (or 18.104.22.168 for older systems) will receive a message about a "blocked plug-in" or "Flash Security Alert" and be unable to use Flash until they update to the current version.
Exploit targets professional-industry users through phishing emails
Adobe on Wednesday has released an emergency patch for its Flash Player browser plug-in due to a critical flaw that is being actively exploited in the wild. Flash Player 22.214.171.124 and earlier for Windows and Macintosh systems are affected by the issue, as is version 126.96.36.1996 for Linux 11.x versions. The attack, called APT3 for the China-based organization from which it originates, uses spam "phishing" emails targeted at industry professionals to gain credentials used to steal intellectual property data.
Conditions needed to make exploit work are untenable, but possible
A new vulnerability -- albeit one that is extremely unlikely to happen "in the wild" -- has been discovered by security researcher Pedro Vilaca, where a flaw in pre-2014 Macs could conceivably allow an attacker access to a portion of OS X that has access to the Mac's Open Firmware and EFI (what PC users might call the BIOS of the machine) and possibly exploit other vulnerabilities to perhaps overwrite it with malicious firmware.
Versions of WordPress from 3.0 up to 3.9.2 were discovered to contain a security vulnerability through the comment features on the site, making a large number of installs and servers vulnerable to attack. The bug was discovered by Jouko Pynnonen of the Finnish IT company Klikki Oy, indicating that the bug went unchecked for more than four years since it was introduced with version 3.0 in June 2010.
Security firms says malvertising hit sites such as Java, DeviantArt and Photobucket
A "malvertising" campaign made the rounds last week hitting at least eight high-profile websites according to security firm Fox-IT. The firma noticed that the sites were redirecting their visits to other places, allowing it to discover that sites were using vulnerabilities in software like Java and Flash to inject malicious programs. The purpose of the "malvertising" was to infect machines with botnet malware involved in boosting advertisement clicks.
Sony pulls PSP game to stop more PS Vita hacks
Sony has removed Super Collapse 3 from the Playstation Store after the title was found to be vulnerable to a PS Vita exploit. The company removed the game from the store 24 hours after the exploit was noted on the Wololo.net blog, weeks after the same vulnerability was discovered in Motorstorm and Everybody's Tennis.
Skype for Android contains serious vulnerability
Users of Skype for Android have been left vulnerable to a code exploit that allows a hacker to access a user's personal information. The proof of concept exploit uncovered by Android Police would allow a hacker to deploy a rogue app in the Android Market that, once downloaded, would allow access to a Skype userís full name, date of birth, city/state/country, home phone, office phone, cell phone, email addresses, bio and other details. The vulnerability appears to be the result of left over files that contain improper permissions, which allows anyone or any app to read them.
@Comex strikes again with new exploit
Renowned iOS hacker @Comex has posted photographic proof that he has already jailbroken the just-launched Apple iPad 2. According to @Comexís Twitter feed, previously used iOS exploits were locked down and he had to use a new exploit to get around the new measures. The details of the hack have not yet been made public, although he is already working towards releasing the hack for the public.
Mac OS X Trojan found
Multiple variants of a new 'Trojan Horse', designed to allow a malicious user complete remote access to a Mac OS X system have been discovered in the wild earlier this week according to makers of Mac anti-spyware and anti-virus solutions SecureMac. Dubbed 'Applescript.THT Trojan' and disguised as an application bundle called 'AStht_v06' (3.1MB in size), the malware seemingly originated, and is distributed via a 'hacker' website, as well as Limewire and iChat. Post system infiltration, the malicious script can reportedly "log keystrokes, take pictures with the built-in Apple iSight camera, take screenshots, and turn on file sharing". A 'copy cat' program based on the OS X Remote Management exploit was discovered earlier this week.
Apple's recent QuickTime 7.4.5 release includes exploit prevention mechanisms designed to block attacks from hackers, according to a recent report from eWeek. QuickTime for Windows Vista now features ASLR (address space layout randomization), technology that randomly arranges key data addresses to prevent developers of malware from predicting targets. ASLR is already used by Mac OS X Leopard to reduce the effectiveness of exploit attempts.
Code crashes iPhone 1.1.4
A new exploit has surfaced for the iPhone's Safari browser that, while drawing parallels to an earlier issue, requires no user input to function. According to iPhone World, the vulnerability is triggered by previously conceived code that has been refined in the above manner. The issue affects firmware version 1.1.4 iPhones, and presumably previous versions. Safari on the Mac and PC were also affected by this vulnerability, but it was recently fixed in Safari 3.1, released today.
New iPhone 1.1.2 unlock
An iPhone hacker has discovered a new way to unlock Apple's iPhone firmware version 1.1.2 without the need to downgrade to a prior firmware revision and then re-upgrade after unlocking the device. The unlock technique relies on a bug that allows hackers to erase the contents of memory within a range of specific addresses, coupled with a second bug that allows users to copy data before validation occurs.
iPhone DoS surfaces
An exploit for Apple's iPhone has surfaced that can crash the device when unsuspecting users visit a maliciously crafted Web page. SecurityFocus notes that successful attacks cause a kernel panic, crashing the iPhone which could ultimately lead to remote code execution. The firm states that iPhone firmware version 1.1.2 and 1.1.3 are both affected, and suggest that other versions may also be vulnerable.
QuickTime 7.2 exploit
Symantec has notified DeepSight customers that a bug in QuickTime's Real Time Streaming protocol can lead towards the execution of malicious code on any computer running QuickTime 7.2 or later, and that a working proof-of-concept set of code being circulated on the internet. Computerworld reports that the bug was originally posted on milw0rm.com, and that the exploit code had worked when tested against Windows XP and later in Vista. Mac OS X 10.4 Tiger and 10.5 Leopard are said to be vulnerable as well, but took considerably more time for researches to craft a reliable, working exploit.