Ruby on Rails Patches DoS, Remote Execution Flaws
Web app framework Ruby on Rails patched two security flaws this week in the open source framework that could have led to denial of service attacks and remote execution vulnerabilities.
Vulnerabilities
Adobe Investigating Reports of Reader Zero-Day Exploit
UPDATE-Attackers are using malicious PDFs posing as an application for an international travel visa to exploit a zero-day vulnerability in Adobe Reader and Acrobat, a researcher at FireEye told Threatpost today. The exploit is the first to escape the sandbox included in Reader X and above.
Deja Vu: Another Adobe Flash Player Security Update Released
What’s better than one Flash Player update a week? Why two, of course.Adobe released its regularly scheduled security updates today, including another set of fixes for its ubiquitous Flash Player, less than a week after an emergency patch took care of two zero-day vulnerabilities being exploited in the wild.
Cybercriminals tested the water in 2012 with malnets — collections of domains, servers and websites designed to deliver malware -– and appear poised to target mobile devices even more so in 2013, according to a new report released yesterday.
Week one of the Mega cloud storage service bug bounty is in the books and at least three payouts have been made. Controversial entrepreneur and MegaUpload founder Kim Dotcom made the challenge last week offering a €10,000 reward to anyone who could break the encryption protecting the service.
Dennis Fisher talks with Ryan Naraine, the founding editor of Threatpost, about the Security Analyst Summit in San Juan, the reason why so many talks at security conferences sound the same and why surprise talks are so valuable.
Exploits targeting two previously unreported flaws in Flash Player prompted Adobe to release an emergency patch yesterday. One of the attacks is targeting aerospace and other manufacturing companies, and is being delivered via infected Microsoft Office documents. The other is being carried out over the Web targeting Firefox and Safari on Mac OS X.
Every year it seems that security-related news advances further from its roots in national security circles, IT departments, and the antivirus industry into the mainstream consciousness. From July to the end of year was no exception. However, despite a handful of flashy security stories, F-Secure claims that the second half of 2012 was really about things that rarely (if ever) come up in local and national news: botnets, ZeroAccess in particular, Java and other Web exploits, and the ubiquitous Zeus banking Trojan.
A combination of vulnerabilities in D-Link’s DIR-300 and DIR-600 routers could allow an attacker to inject arbitrary shell commands and ultimately compromise the device, according to German security researcher Michael Messner who publicly disclosed the flaw on his personal blog Monday.
As frequently targeted, high-value companies continue fortifying their defenses, FireEye researchers claim that attackers are increasingly setting their sights on the affiliated but not-as-well-protected third-party organizations that do business with them.
