39 Android Flaws Fixed in Major Security Patch

Google’s latest Android security update is one of the largest it has ever released for the OS. The monthly bulletin covers 39 vulnerabilities, 15 of them rated Critical, the highest severity, meaning they could be used to fully compromise a device. The fixes ship in new firmware images that began rolling out to Nexus devices on Monday, with the corresponding source changes due to land in the Android Open Source Project within 24 hours.

One of the vulnerabilities, CVE-2015-1805, was reported to Google only two weeks ago and is already used by a publicly available rooting application. The flaw is a Linux kernel bug that was fixed upstream in April 2014, but it was not recognised until recently that Android kernels were also affected.

Nine Critical remote code execution flaws were patched in Android’s media codec, Mediaserver and the Stagefright library; five further issues in the same components were rated High, one privilege escalation and four information disclosure bugs. Critical flaws were also patched in the Android kernel, the Dynamic Host Configuration Protocol (DHCP) client, the Qualcomm Performance module and the Qualcomm RF component.

Aside from CVE-2015-1805’s use in a rooting application, Google’s advisory reports no known exploitation of the other vulnerabilities fixed in this patch. Given the large number of High and Critical flaws it covers, it is strongly recommended that the update be installed as soon as a manufacturer offers it for Android 6 devices, before exploits for the remaining flaws appear in the wild.

Report Suggests High Pressure CPU Coolers Can Damage Skylake Processors

Intel’s latest architecture requires a new LGA 1151 socket with a higher pin count, and the CPUs are built on a 14nm manufacturing process. Some of you might remember that Skylake retail chips do not ship with a stock heatsink, which raised concerns about temperatures; thankfully, Skylake is very efficient and dissipates heat well. Here we can see the difference in size between Intel’s official Skylake heatsink and the previous generation’s.

However, according to PCGamesHardware.de, CPU coolers with high-pressure mounts could damage the LGA 1151 socket and Skylake CPUs. One theory is that Skylake’s thinner package flexes under pressure because it lacks the mechanical rigidity of earlier parts, so any cooler with a hefty clamping force can push the CPU into the socket and damage both the socket pins on the motherboard and the CPU itself.

This is clearly a worrying turn of events, and PCGamesHardware contacted a number of cooler manufacturers to seek clarification. Here is a complete rundown of the replies:

Scythe:

“The company Scythe EU GmbH announces that on several coolers from its portfolio, a change of the mounting system for Skylake / socket 1151 is made. All coolers are in fact generally compatible with Skylake sockets, but it can in some cases result in damage to CPU and motherboard when the PC is exposed to stronger shocks (e.g. shipping or relocation). To prevent this, the pressure was reduced by an adjustment of the screw set. We will also send the new set of screws free of charge. Please send your request via email to support@scythe.com or use the contact form on our website (http://www.scythe-eu.com/support/technische-anfragen.html).”

Noctua:

“Our SecuFirm2 mounting systems are subjected to extensive compatibility testing prior to the release of new platforms. No problems could be determined with reference to the Intel LGA1151 platform (“Skylake”). We also have no reports of any problems from our customers, our specialist resellers or our system integration partners. Our SecuFirm2 mounting systems (with the exception of some more compact models of the L-series) rely on coil springs to generate the necessary contact pressure, which allow a certain degree of flexibility both in terms of height tolerances and in the case of vibrations or other forces. Compared with conventional spring-less mounting systems, where pressure is produced exclusively by the deformation of the mounting brackets, this reduces the mechanical load on the CPU and motherboard socket, and damage from excessive force can be prevented.”

EKWB:

“All EK Water Blocks EK-Supremacy Series CPU water blocks, including the latest -MX and -EVO variants, fully comply with the mechanical force limitation Intel imposes for Socket H3 (LGA-1151). The clamping force created by our PreciseMount spring-loaded mounting mechanism is well within the allowed mechanical limitations. The design of PreciseMount itself prevents over-tightening and possible mechanical damage to either the socket or the CPU packaging.

Older generations of (physically) compatible LGA-1151 water blocks with a classic mounting mechanism of undefined clamping force, such as the Supreme LTX, require special attention when attaching the water block. As a result, the use of such water blocks is not recommended with LGA-1151 socket CPUs.”

Today, we received a statement from ARCTIC about their CPU cooler range and the effect it has on Skylake CPUs and 1151 motherboards:

ARCTIC:

“With this official statement we would like to assure that ARCTIC coolers are not affected by these problems and are thus fully Skylake compatible. All ARCTIC CPU coolers comply with Intel’s mechanical specification for the released sockets. With our coolers there are no problems on Intel 6th generation (Skylake) CPUs for LGA 1151. Depending on the parcel service, drop heights of over 2 m cannot be excluded. Therefore we recommend, regardless of the CPU used, to carefully evaluate the dispatch and the packaging used, and possibly to have larger and heavier CPU coolers mounted by the end user.”

While this is far from ideal and points to a possible weakness in Intel’s package design, cooler manufacturers should be able to complete thorough testing and judge the probability of damage occurring. Thankfully, many have released statements quickly, and it remains to be seen how much force is actually needed to cause damage. Currently, the issue seems to affect only coolers with a very heavy clamping force. As a result, there is no need to panic, but this is something that needs clarification from Intel and further research.

Do you use a hefty air cooler or water cooling setup?

Steam Refund Flaw Used to Get Rocket League And Portal 2 For Free

The Steam controller adopts a rather unusual design and incorporates dual trackpads as well as haptic feedback. Initially, Valve sent a batch of Steam controller samples to developers and consumers who pre-ordered during the “Get It Early” scheme. The retail release in the UK is scheduled for November 10th and priced at £39.99. Valve launched an incentive to encourage users to purchase and bundled, for free, Rocket League and Portal 2 with the standard package.

However, a reader has informed us that the Steam refund policy easily allows you to return the controller and keep both games. Obviously, this isn’t something I would recommend doing at scale, as Valve will respond to abuse of the refund policy. Still, it’s good to see Valve accepting that the controller isn’t for everyone and letting consumers keep both games as a gesture of goodwill.

Despite Valve’s brand loyalty, its customer service has a fairly shoddy reputation and is even bested by Origin thanks to EA’s ‘Great Game Guarantee’ policy. Thankfully, things have improved in the last few months, and customers could easily get a refund for the terrible port of Batman: Arkham Knight without any issues. It will be interesting to see whether Valve ends this promotion if too many people return the controller. Graphics cards often include promotional codes, and if you return the card without a fault having developed, the retailer may deduct a certain amount.

Facebook Revoked Internship for Exposing Privacy Loophole

Facebook has withdrawn an internship offer to Harvard student Aran Khanna after he publicly exposed a privacy flaw in Facebook Messenger. Khanna discovered that each message carried data pinpointing the sender’s location and built a browser extension that let users track their friends’ whereabouts. Instead of keeping it private, he published the “Marauders Map” extension on the Chrome Web Store.

According to Technology Science, Facebook was irate and demanded that the tool be removed immediately. Supposedly the company was embarrassed and felt that publishing any flaw in public was not in line with its code of conduct. Khanna was then told his internship offer had been withdrawn, only hours before he was due to fly to Facebook’s headquarters. While this does seem a little harsh, Facebook is adamant that Khanna refused to remove the software. Matt Steinfeld, Policy Communications and Public Affairs at Facebook, told Boston.com:

“Despite being asked repeatedly to remove the code, the creator of this tool left it up.”

It’s difficult to judge whom to believe, but one piece of evidence corroborates Facebook’s story: you can still download the extension from the Chrome Web Store and install it. However, judging by the latest reviews, Facebook has since closed the location loophole. Many companies pay researchers who find privacy bugs, which makes this an unfair, albeit understandable, dismissal. The moral of the story is: don’t show up the company you want to work for in public.

Thank you Boston.com for providing us with this information.

Microsoft Hurries Out Emergency Windows Patch

Microsoft has broken with its routine of releasing fixes on the second Tuesday of every month to ship an urgent “out of band” security patch. The critical bulletin, MS15-078, covers a remote code execution vulnerability in the Microsoft Font Driver, the Windows Adobe Type Manager Library that parses OpenType fonts. In basic terms, any webpage or document containing a specially crafted embedded OpenType font could be used to run attacker code with full control of the machine. Microsoft explained the situation and why it’s imperative to enable automatic updates or download the patch:

“An attacker who successfully exploited this vulnerability could take complete control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”

“There are multiple ways an attacker could exploit this vulnerability, such as by convincing a user to open a specially crafted document, or by convincing a user to visit an untrusted webpage that contains embedded OpenType fonts. The update addresses the vulnerability by correcting how the Windows Adobe Type Manager Library handles OpenType fonts.”

“When this security bulletin was issued, Microsoft had information to indicate that this vulnerability was public but did not have any information to indicate this vulnerability had been used to attack customers. Our analysis has shown that exploit code could be created in such a way that an attacker could consistently exploit this vulnerability.”

All Windows users are advised to update as a matter of urgency. Windows XP customers cannot get this fix, since that operating system is no longer supported. Microsoft believes the hole could lead to a flood of malware. Once the update has installed, a reboot is required. This couldn’t have come at a worse time for Microsoft, with the launch of Windows 10 pending; the Redmond-based company needs to establish its latest products as an extremely secure platform to make users more inclined to upgrade.

Thank you The Register for providing us with this information.

Adobe Flash Vulnerability Patch Released

Adobe has released a patch for a critical vulnerability that could allow an attacker to take control of an affected system. Adobe acknowledged that the flaw is being actively exploited in limited, targeted attacks; the attacks seen so far target Internet Explorer on Windows 7 and Firefox on Windows XP. According to the advisory, the following software is affected:

  • Adobe Flash Player 18.0.0.161 and earlier versions for Windows and Macintosh
  • Adobe Flash Player Extended Support Release version 13.0.0.292 and earlier 13.x versions for Windows and Macintosh
  • Adobe Flash Player 11.2.202.466 and earlier 11.x versions for Linux

The company advises updating to the latest version of Flash to remove the risk of exploitation, but at this point users should take a good look at how important Flash really is to their everyday browsing.

The flaw was uncovered with the help of FireEye security researchers. A Singapore-based FireEye team discovered it in June when they detected a phishing campaign exploiting CVE-2015-3113. “The attackers’ e-mails included links to compromised Web servers that served benign content or the malicious Adobe Flash Player file that exploits CVE-2015-3113.”

Do you think Flash Player is worth the risk given these dangers? Have you updated your Flash?

Thank you Ars Technica for providing us with this information.

This Is Why New Software Comes With Old Flaws

You are probably wondering why we keep hearing that legacy flaws are still present in new software. The answer is simple: developers habitually reuse old code in new projects, and that code is not reviewed again for potential flaws; the approach tends to follow the saying ‘if it works, don’t fix it’.

This does not mean that developers are lazy. Even top-notch programmers favour the approach because of the tight deadlines they have to meet, so time-to-ship will always come before everything else.

However, this comes at a hefty price. Of the many hacking incidents we hear about, only a few involve attacks complex enough to break a genuinely well-defended system. Most succeed by exploiting flaws that were carried into the product along with reused code, and can be pulled off by anyone with a modest amount of skill.

The problem runs so deep that even some government departments are at high risk: security analysts have found that software in some departments is still built on much older languages and code bases. Is this the future of programming? Of course not.

Security analysts say the problems caused by legacy flaws are likely to increase, but they don’t have to. The real problem is that, by focusing exclusively on getting new software to market, companies forget about security entirely. A better approach is to run development and security testing as two parallel tracks, so that bugs can be fixed and serious security flaws flagged before the software ships.

Thank you CNET for providing us with this information

Image courtesy of nikopik

iOS Flaw Makes it Easier than Ever to Steal Your Apple ID

Apple’s iOS is widely recognised as one of the most secure mobile operating systems on the market today but is that really true? Well, maybe it is, but what I can tell you for sure is that nothing is unhackable in today’s world.

A security researcher claims that it is now easier than ever to get hold of any iPhone or iPad user’s Apple ID credentials with a simple HTML injection. He says he has built a tool that lets just about anyone use a known flaw in Apple’s iOS Mail app to trick the user into handing over his or her Apple ID credentials.

The tool is said to create an HTML popup, rendered inside an email, that mimics Apple’s own prompt asking you to re-enter your Apple ID credentials. As a regular iPhone user you are likely to be so used to that prompt that you won’t notice the difference and will type in your credentials as usual.

Once you tap OK, the credentials are sent to the attacker’s remote server. This puts anyone using an iPhone or iPad at risk, so take care and remember that the genuine Apple ID prompt appears only when you perform an action that requires authorisation, never out of the blue while reading mail.

The issue is said to have been filed and acknowledged by Apple, but no fix has been released just yet. So how worried are you? Will you think twice before entering your Apple ID credentials?

Thank you BGR for providing us with this information

D-LINK Issues Apology to Consumers for Cloud Routing Loophole

Today, D-Link issued an apology to users of 17 of its routers over a coding loophole that has allowed attackers to access sensitive information such as banking details and passwords. It is reportedly estimated to affect roughly 300 million users worldwide. The attack is easy to carry out: all the attacker has to do is change a few router settings to gain access to everything you do online.

D-Link has now formally issued an apology and released firmware updates that aim to fix the issue. Security expert Liujian Hao stated: “If targeted hacking software is installed in the background, we can easily hijack the traffic of the devices connected to the router to analyse bank account passwords and other private data.”

The 17 models in question:

● DAP-1522 (B1)
● DIR-629 (A1)
● DIR-300 (B1)
● DIR-600 (B1)
● DIR-815 (B1)
● DIR-816L (A1)
● DIR-817LW (B1)
● DIR-818LW (A1)
● DIR-820LW (B1)
● DIR-850L (A1)
● DIR-850L (B1)
● DIR-860L (A1)
● DIR-860L (B1)
● DIR-865L (A1)
● DIR-868L (A1)
● DIR-880L (A1)
● DIR-890L (A1)

We recommend that anyone using a D-Link product check the list above, install the updated firmware from D-Link and change their passwords, just to be safe.

Thank you to Firenews for providing us with this information

Credentials May Become Compromised via Old Windows Vulnerability from the ’90s

Nobody wants their private information shared on the internet, but we live in an era in which anything connected to the internet may eventually become public. A case in point is an old Windows vulnerability from the ’90s that, according to security specialists, still poses a threat today.

Brian Wallace, a security researcher at Cylance, is reported to have found a new way to exploit a vulnerability first discovered in 1997. He states that the flaw affects any Windows-powered device, whether tablet, PC, server or laptop, and can be used against around 31 programs.

The vulnerability, dubbed Redirect to SMB, is exploited by intercepting a program’s communication with a web server from a man-in-the-middle position and answering with a redirect to a file:// URL on a malicious SMB server. Windows follows the redirect and tries to log in to that server automatically, handing the attacker the user’s username, domain and hashed password, which can then be cracked offline or relayed to another service.

There are some limitations to the technique, as Wallace pointed out. The attacker needs to be on the same network as the victims, and the attack can be prevented by blocking outbound traffic to TCP ports 139 and 445 at the network edge. But let’s be honest, who is going to do that? Most people don’t even change their default router credentials, let alone go into its settings and block traffic to specific ports.
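The mechanics above can be checked on the client side as well as at the firewall. The following is an added example written for this page, not Cylance’s or Microsoft’s code: it recognises a redirect target that would make Windows open an SMB session (a file:// URL or a bare UNC path), refuses to follow such redirects the way a hardened client should, and flags them in a proxy log. The hosts, addresses and the three-field log format are assumptions constructed for the example.

```python
from urllib.parse import urlsplit

# URL schemes that make Windows' URL handling (urlmon) open an SMB session to the
# named host and automatically send the current user's NTLM credentials to it.
SMB_SCHEMES = {"file", "smb"}


def is_smb_redirect(location: str) -> bool:
    """True if a Location header value would send the client to an SMB share."""
    loc = location.strip()
    if loc.startswith("\\\\"):
        return True                      # bare UNC path: \\192.0.2.10\share
    parts = urlsplit(loc)
    if parts.scheme.lower() in SMB_SCHEMES:
        # file://host/share carries the host in netloc; file:////host/share keeps it in the path
        return bool(parts.netloc) or parts.path.startswith("//")
    return False


def follow_redirects(start: str, responses: dict, max_hops: int = 5) -> str:
    """Follow redirects the way a hardened client should: http(s) targets only.

    `responses` maps a URL to (status, headers) and stands in for real fetches.
    Raises ValueError instead of following a redirect to a non-web scheme.
    """
    url = start
    for _ in range(max_hops):
        status, headers = responses[url]
        if status not in (301, 302, 303, 307, 308):
            return url
        target = headers["Location"]
        if is_smb_redirect(target) or urlsplit(target).scheme.lower() not in ("http", "https"):
            raise ValueError(f"refusing redirect from {url} to non-web target {target!r}")
        url = target
    raise ValueError("too many redirects")


def scan_proxy_log(lines):
    """Return (client, target) for log lines recording a 3xx response to an SMB target.

    Line format (constructed for this example): "<client-ip> <status> <location-or-url>".
    """
    hits = []
    for line in lines:
        client, status, target = line.split(None, 2)
        if status.startswith("3") and is_smb_redirect(target):
            hits.append((client, target))
    return hits


# Constructed sample data; none of these hosts or addresses come from the article.
RESPONSES = {
    "http://attacker.example/landing": (302, {"Location": "file://192.0.2.10/share/setup.exe"}),
    "http://cdn.example.com/a": (302, {"Location": "https://cdn.example.com/b"}),
    "https://cdn.example.com/b": (200, {}),
}

PROXY_LOG = [
    "10.0.0.5 200 http://example.com/index.html",
    "10.0.0.7 302 file://192.0.2.10/public/payload.exe",
    "10.0.0.9 302 https://cdn.example.com/asset.js",
    "10.0.0.7 302 \\\\192.0.2.10\\share",
]

if __name__ == "__main__":
    print(follow_redirects("http://cdn.example.com/a", RESPONSES))
    print(scan_proxy_log(PROXY_LOG))
    try:
        follow_redirects("http://attacker.example/landing", RESPONSES)
    except ValueError as err:
        print(err)
```

The scheme check is the client-side counterpart of the port block Wallace recommends: a program that only ever follows http and https redirects never reaches the SMB server, whatever the attacker injects. The proxy scan is the detection side, and a single client repeatedly receiving file:// redirects is a strong sign that someone on the local network is running the attack.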

Microsoft is not reported to have made an official statement on the matter, but Wallace’s findings were disclosed through the CERT Coordination Center at Carnegie Mellon University. With all the snooping that has been going on lately, how secure do you feel? Or is that even a concern at this point?

Thank you PCWorld for providing us with this information

Image courtesy of High Performance Laptops

Researcher Found Flaw Which Could Have Been Used to Erase Every Video on YouTube

Software developer Kamil Hismatullin has discovered a security flaw in YouTube that apparently gave him the power to delete any video he wanted, meaning he could have removed each and every video on the site. Don’t be alarmed, though: he had no desire to do so.

The developer reported the flaw to Google and collected $5,000 through the company’s Vulnerability Research Grants, which launched back in January. For those unaware, the program rewards anyone who finds significant vulnerabilities in specific applications, as an incentive for researchers to find and report bugs and security flaws so that Google can quickly fix them.

Hismatullin is said to have been offered $1337 back in February to dig into YouTube Creator Studio and after just six or seven hours, he found “a logical bug that let me delete any video on YouTube with just one following request.”

“Although it was an early Saturday’s morning in SF when I reported the issue, Google sec team replied very fast, since this vuln could create utter havoc in a matter of minutes in the bad hands who could use this vulnerability to extort people or simply disrupt YouTube by deleting massive amounts of videos in a very short period of time,” he wrote. “It was fixed in several hours, Google rewarded me $5k and luckily no Bieber videos were harmed :D”

A Google representative has confirmed Hismatullin’s account, making the bug one of, if not the, most destructive found so far on the streaming giant’s website. Can you imagine going to YouTube and being greeted with zero videos on the entire site?

Thank you PCGamer for providing us with this information

‘Thunderstrike’ Fixed in OS X 10.10.2

‘Thunderstrike’, a vulnerability affecting Macs with a Thunderbolt port, will be patched in the next version of OS X Yosemite. The vulnerability allowed an attacker with physical access to replace a Mac’s boot firmware with code of their own by plugging in a malicious Thunderbolt device. The new update, released to developers last week, fixes the issue.

The flaw was considered quite significant, with the potential for an attacker to take pretty much whatever they wanted from a target machine, and code living in the boot firmware survives a reinstall of the operating system. However, there have been no examples of this exploit being used in the wild, most probably because it requires physical access to the machine.

The exploit is notable as one of the first of its kind to affect Macs, and many are asking whether the Mac platform and OS X will now see more vulnerabilities like this thanks to their increased popularity.

The update, which includes the fix, should be rolled out to end users in the coming weeks, although that may be sooner considering the urgency required to fix this flaw.

Source: iMore

Canon Printer Hacked to Play Doom

Security flaws can be demonstrated in many ways, and usually it is pretty boring to watch and read about. Not so this time, as Michael Jordon shows how to play Doom on a Canon PIXMA wireless printer. Using a security flaw in the printer’s web administration interface, he was able to run Doom on the printer’s own display.

As with so many connected smart devices, these printers lack the most basic security out of the box: the web interface ships with no password, so anyone who can reach it can administer the printer, and the firmware is protected only by simple encryption. Normally the worst someone could do after hacking your printer would be to print thousands of test pages until the ink cartridges run dry. In this case it is a lot worse: Jordon found that he could not only trigger a firmware update at will but also tell the printer which location to fetch the firmware from.

This flaw has big potential if someone were to build a custom firmware and sneak it onto a vulnerable device. Not only would it let the attacker spy on anything that is printed and on traffic inside the network, they could also use the printer as a bridge and gateway to infect other systems on the network.

“If you can play Doom on a printer, you can do a lot more nasty things,” said Jordon. Canon provided the following statement regarding the issue:

“We thank Context for bringing this issue to our attention; we take any potential security vulnerability very seriously. At Canon we work hard at securing all of our products, however with diverse and ever-changing security threats we welcome input from others to ensure our customers are as well protected as possible.

We intend to provide a fix as quickly as is feasible. All PIXMA products launching from now onwards will have a username/password added to the PIXMA web interface, and models launched from the second half of 2013 onwards will also receive this update, models launched prior to this time are unaffected. This action will resolve the issue uncovered by Context.”

If you’d like to see a video of Jordon playing Doom on the printer display, you can follow this link to the MP4 file. The display might not support all the colours of the game, but there is no doubt about what game it is.

Thank you Contextis for providing us with this information

Images and video courtesy of Contextis

Android’s “Fake ID” Issue Could Allow Hackers to Steal Data from Millions of Devices

Bluebox Security has issued a warning about a major flaw in the Android operating system that could let attackers steal sensitive information from millions of devices without the user noticing.

The company says the most exposed users are those with older Android handsets that no longer receive software updates. Android users should note, however, that not all devices are affected.

The “Fake ID” vulnerability, as Bluebox calls it, lies in the way Android processes the digital signature identities attached to apps. The OS automatically grants special privileges to apps signed by certain vendors, for example Adobe, whose signature unlocks the webview plugin privilege, and the device management outfit 3LM, whose apps can plug into other apps in ways ordinary apps cannot.

What is more worrying is that, since Android 2.1, the Android package installer has not properly verified the certificate chain behind an app’s identity, so an app claiming to come from a trusted vendor could in fact have been signed by anyone.

“For example, an attacker can create a new digital identity certificate, forge a claim that the identity certificate was issued by Adobe Systems, and sign an application with a certificate chain that contains a malicious identity certificate and the Adobe Systems certificate. Upon installation, the Android package installer will not verify the claim of the malicious identity certificate, and create a package signature that contains… both certificates. This, in turn, tricks the certificate-checking code in the webview plugin manager (who explicitly checks the chain for the Adobe certificate) and allows the application to be granted the special webview plugin privilege given to Adobe Systems – leading to a sandbox escape and insertion of malicious code, in the form of a webview plugin, into other applications.” a Bluebox expert stated.

This way, attackers could just as easily impersonate a 3LM signature and let malware take control of many devices, functions and apps, including Google Wallet features. Bluebox says it notified Google of the vulnerability back in April.
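The flaw Bluebox describes is a missing signature check over the chain, and it is easiest to see with the two checks side by side. The following is an added example, not Bluebox’s or Android’s code: it models certificates as (subject, issuer, key, signature) records, a vulnerable check that simply looks for Adobe’s identity anywhere in the chain the package presents, and a fixed check that first verifies every link is signed by its issuer’s key and ends at a trusted root. Signatures are textbook RSA with tiny, deterministically derived primes so that the example runs offline with only the standard library; the issuer names, app names and key sizes are constructed and nothing like Android’s real ones.

```python
import hashlib
import math
from dataclasses import dataclass

# --- textbook RSA with tiny keys, only so the example runs offline with the stdlib ---

def _next_prime(n: int) -> int:
    """Smallest prime >= n by trial division (fine for the 5-digit values used here)."""
    while any(n % d == 0 for d in range(2, int(n ** 0.5) + 1)):
        n += 1
    return n


def keygen(seed: int):
    """Return (public, private) as ((n, e), (n, d)); p and q are derived from `seed`."""
    p = _next_prime(seed)
    q = _next_prime(p + 2)
    n, phi = p * q, (p - 1) * (q - 1)
    e = 17
    while math.gcd(e, phi) != 1:
        e += 2
    return (n, e), (n, pow(e, -1, phi))


def _digest(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(_digest(msg, n), d, n)


def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest(msg, n)


# --- certificates and the two chain checks ------------------------------------------

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str   # who the certificate *claims* signed it
    pub: tuple    # subject's public key (n, e)
    sig: int      # signature over tbs(), supposedly made with the issuer's private key

    def tbs(self) -> bytes:
        """The 'to-be-signed' fields; the signature covers exactly these bytes."""
        return f"{self.subject}|{self.issuer}|{self.pub[0]}|{self.pub[1]}".encode()


def self_signed(subject: str, pub, priv) -> Cert:
    return Cert(subject, subject, pub, sign(priv, Cert(subject, subject, pub, 0).tbs()))


def issue(subject: str, subject_pub, issuer_name: str, signing_priv) -> Cert:
    """Create a cert naming `issuer_name` as issuer, signed with `signing_priv`.

    A real CA passes its own key. An attacker passes *their* key while still naming
    Adobe as issuer: that forged claim is what the flawed installer never checked.
    """
    tbs = Cert(subject, issuer_name, subject_pub, 0).tbs()
    return Cert(subject, issuer_name, subject_pub, sign(signing_priv, tbs))


ADOBE = "CN=Adobe Systems Incorporated"   # constructed stand-in for the trusted identity


def vulnerable_has_adobe_privilege(chain) -> bool:
    """Flawed check: take the chain as presented and look for Adobe's identity in it."""
    return any(c.subject == ADOBE for c in chain)


def verified_chain(chain, trusted_roots) -> bool:
    """Leaf-first chain: each cert must verify under the next cert's key, and the
    last cert must be a trusted root whose self-signature also verifies."""
    for cert, issuer in zip(chain, chain[1:]):
        if cert.issuer != issuer.subject or not verify(issuer.pub, cert.tbs(), cert.sig):
            return False
    root = chain[-1]
    return root in trusted_roots and verify(root.pub, root.tbs(), root.sig)


def fixed_has_adobe_privilege(chain, trusted_roots) -> bool:
    return verified_chain(chain, trusted_roots) and vulnerable_has_adobe_privilege(chain)


def build_scenario():
    """Return (adobe_root, genuine_chain, forged_chain); all names and keys are constructed."""
    adobe_pub, adobe_priv = keygen(60000)
    adobe_root = self_signed(ADOBE, adobe_pub, adobe_priv)
    app_pub, _ = keygen(70000)
    genuine = issue("CN=Flash Player", app_pub, ADOBE, adobe_priv)
    mal_pub, mal_priv = keygen(80000)
    forged = issue("CN=Harmless Looking App", mal_pub, ADOBE, mal_priv)  # signed with attacker's key
    return adobe_root, [genuine, adobe_root], [forged, adobe_root]


if __name__ == "__main__":
    root, genuine_chain, forged_chain = build_scenario()
    for name, chain in (("genuine", genuine_chain), ("forged", forged_chain)):
        print(name, "vulnerable:", vulnerable_has_adobe_privilege(chain),
              "fixed:", fixed_has_adobe_privilege(chain, {root}))
```

The forged chain passes the vulnerable check because the attacker simply appended Adobe’s real, public root certificate to their own and wrote Adobe’s name into the issuer field; the fixed check fails it on the first link, because the leaf’s signature does not verify under the key in that root.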

So far, Motorola is reported to have rolled out a patch for some of its devices. The researchers say there is no recorded breach using this technique. Even so, good practice is to allow app installations only from trusted sources and to be wary of schemes that try to get you to install specific ‘dodgy’ applications.

Thank you Gigaom for providing us with this information
Image courtesy of Gigaom

Adobe Released Critical Flash Update for Windows and Mac

On Tuesday, Adobe released a critical update for Flash Player. The patch closes a security flaw that could let attackers steal the data that keeps you logged in to popular websites such as eBay, Tumblr, Twitter and Instagram.

The update (version 14.0.0.145) has been pushed to Windows, Mac and Linux, and according to security researcher Michele Spagnuolo, who reported the flaw, it could have let attackers steal the cookies that authenticate users on thousands of websites.

Adobe’s security bulletin read:

“These updates address vulnerabilities that could potentially allow an attacker to take control of the affected system. Adobe recommends users update their product installations to the latest versions.”

Spagnuolo also noted that many of the affected websites have fixed the issue from their side, alongside Adobe’s fix in the player itself.

If you use Google Chrome, or Internet Explorer on Windows 8, you will receive the update automatically. To update manually, download it from the Adobe Flash Player Download Centre. Adobe has given the flaw its highest severity rating and advises all users to update promptly.

Microsoft are working on security issues of their own, as cnet has pointed out:

“Microsoft also issued several critical security updates on Tuesday, which patch 29 vulnerabilities in Windows and Internet Explorer.”

We haven’t seen any reports of this security flaw being used to full effect yet, but I’m sure we will report when or if it happens.

Image courtesy of Tech Audible

Heartbleed Bug Still a Vulnerability on Over 300,000 Servers

The OpenSSL flaw known as Heartbleed has been one of the most chilling tech stories of the last few months, hardly surprising given that an estimated two-thirds of the world’s web servers rely on OpenSSL. Although things have died down and the bug may seem to be in the past, the truth is that Heartbleed is still as much of a concern as it was a couple of months ago.

Robert Graham, a security researcher who blogs at Errata Security, has found that over 300,000 servers are still open to attack, half of those found vulnerable when the bug was disclosed by one of Google’s engineers. The survey is simple to conduct: send a Heartbleed probe to every host on port 443 and count the ones that answer with leaked memory. Hosts that do not are patched (or were never vulnerable), though port 443 is only one of the ports on which TLS is used.

When the Heartbleed vulnerability was announced, we found 600k systems vulnerable. A month later, we found that half had been patched, and only 300k were vulnerable. Last night, now slightly over two months after Heartbleed, we scanned again, and found 300k (309,197) still vulnerable. This is done by simply scanning on port 443, I haven’t checked other ports.

Of the roughly 600,000 servers originally found vulnerable, the 300,000 that have been fixed are predominantly the big names, so the huge number still exposed, possibly for years to come, belong to much smaller sites that either don’t know about the problem or simply don’t care.
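Graham’s scan works by sending the same malformed heartbeat that the bug mishandles, so it helps to see the defect the probe is looking for. The following is an added example, not OpenSSL’s or Graham’s code: it models the TLS heartbeat handler before and after the fix shipped in OpenSSL 1.0.1g, with process memory modelled as a byte array and a constructed secret placed just after the record. A request that claims a 16 KB payload while sending five bytes gets the neighbouring memory back from the unpatched handler and nothing from the patched one.

```python
import struct

HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16   # RFC 6520: a heartbeat message ends with at least 16 bytes of padding


def build_heartbeat(payload: bytes, claimed_length: int = None) -> bytes:
    """Build a heartbeat request: type | 2-byte payload length | payload | padding.

    `claimed_length` lets a probe lie about the payload size, which is the whole bug.
    """
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * MIN_PADDING


def handle_heartbeat(memory: bytearray, offset: int, record_len: int, patched: bool):
    """Answer the heartbeat record stored at memory[offset:offset + record_len].

    Mirrors the shape of OpenSSL's tls1_process_heartbeat: read type and length, then
    copy `payload_len` bytes starting after the 3-byte header into the response.
    Returns the response bytes, or None when the record is rejected.
    """
    hb_type, payload_len = struct.unpack_from("!BH", memory, offset)
    if hb_type != HB_REQUEST:
        return None
    if patched and 1 + 2 + payload_len + MIN_PADDING > record_len:
        return None   # the 1.0.1g check: the claimed length must fit inside the record
    start = offset + 3
    # Unpatched: memcpy trusted payload_len, so this copy runs past the end of the
    # record into whatever happens to sit next in the process heap.
    echoed = bytes(memory[start:start + payload_len])
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * MIN_PADDING


SECRET = b"Cookie: session=9f2c7d1e; -----BEGIN RSA PRIVATE KEY-----"   # constructed


def simulate(record: bytes, patched: bool):
    """Place the record in a fake heap with SECRET immediately after it, then process it."""
    memory = bytearray(4096)
    memory[:len(record)] = record
    memory[len(record):len(record) + len(SECRET)] = SECRET
    return handle_heartbeat(memory, 0, len(record), patched)


if __name__ == "__main__":
    honest = build_heartbeat(b"hello")
    probe = build_heartbeat(b"hello", claimed_length=0x4000)   # claims 16 KB, sends 5 bytes
    print(simulate(honest, patched=True)[3:8])
    leaked = simulate(probe, patched=False)
    print(SECRET in leaked, len(leaked))
    print(simulate(probe, patched=True))
```

A scanner such as Graham’s sends the lying probe and classifies a host as vulnerable when the reply is longer than the request; a patched server, per the RFC, silently discards the record and sends nothing back, which is why unanswered hosts are counted as fixed.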

How long Heartbleed will remain a threat is unknown. Until every server has been patched or replaced as part of routine upgrades, it is impossible to say when the bug will be extinct. All I can urge server owners to do is check that their systems are patched and secure. It is not just the integrity of your business at stake, but also the personal information of anyone who uses your server.

Source: The Verge

GitHub Launches Bug Bounty Program, Calls All ‘Bounty Hunters’ For A Challenge and Cash!

GitHub has launched the GitHub Bug Bounty, a program that pays security researchers for finding bugs and flaws in its systems. The company is reportedly willing to pay between $100 and $5,000 for each security vulnerability discovered and responsibly disclosed.

Only the GitHub API, GitHub Gist and GitHub.com are in scope. The company says its other web properties and applications are not part of the program, though vulnerabilities found in them “may receive a cash reward at our discretion”.

The amount paid is said to be “based on actual risk and potential impact to our users”: the bigger the scope and the severity of the issue, the larger the payout.

“If you find a reflected XSS that is only possible in Opera, which is 60% of our traffic, will earn a much larger reward.” GitHub gave as an example.

Even spotting a very low-level bug is worth disclosing for the extra cash. Not only are you getting paid for your hard work, but you’re making the Web safer in the long-run. Bug bounty programs are becoming more and more popular because they work. The damages caused by exploited bugs are much greater than simply paying security researchers for finding them first.

Thank you TheNextWeb for providing us with this information
Image courtesy of GitHub

D-Link Patches Router Back-Door Vulnerability

D-Link has finally released a patch for a serious security vulnerability in selected router models, following the discovery of an easily reached back door into the router’s configuration menu.

It was first discovered by researcher Craig Heffner back in October: setting your browser’s User-Agent string to ‘xmlset_roodkcableoj28840ybtide’, which read backwards contains the plain-text string ‘edit by 04882 joel backdoor’, bypassed the router’s username and password check for the configuration menu. Pretty scary and intriguing at the same time.

D-Link admitted the discovery was real but defended the practice, stating it was used by technical service engineers to retrieve router information when the router’s firmware had crashed.

“The so-called back-door was implemented in these six older products as a failsafe for D-Link technical repair service to retrieve router settings for customers in case of firmware crashes that would result in lost configuration information,” a company spokesperson said via email at the time. “Nonetheless, the new firmware updates will respectively revoke any failsafe opportunity.”

Users who still run the affected routers, models DIR-100, DIR-120, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+, DI-624S and TM-G5240, will be relieved to know that the company has finally released updated firmware that removes the hard-coded back door. D-Link had reportedly promised a release near the end of October, but apparently hit a last-minute delay.

There are rumours that the DIR-615 is also vulnerable, but D-Link has denied this and has no firmware update planned for that device. Users of that model should be cautious nonetheless.
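The back door is a fixed string compared against the User-Agent header, which makes it both trivial to trigger and trivial to detect. The following is an added example, not D-Link’s or Heffner’s code: it reverses the magic string to recover the hidden message, models the flawed authorisation check beside a corrected one, and scans combined-log-format access log lines for requests carrying the back-door User-Agent. The IP addresses, timestamps and page paths in the sample log are constructed for the example.

```python
import re

BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"


def hidden_message(ua: str = BACKDOOR_UA) -> str:
    """Reverse the magic string; it reads 'editby04882joelbackdoor' followed by '_teslmx'."""
    return ua[::-1]


def auth_check_as_reported(user_agent: str, logged_in: bool) -> bool:
    """Model of the flawed check Heffner described: the magic UA alone grants admin access."""
    return logged_in or user_agent == BACKDOOR_UA


def auth_check_fixed(user_agent: str, logged_in: bool) -> bool:
    """What the firmware update must do: the User-Agent plays no part in authorisation."""
    return logged_in


# Combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
CLF = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                 r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')


def scan_access_log(lines):
    """Return (client, request, status) for every request carrying the back-door User-Agent."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if m and BACKDOOR_UA in m["ua"]:
            hits.append((m["ip"], m["req"], int(m["status"])))
    return hits


# Constructed log lines; addresses and paths are illustrative, not from any real router.
ACCESS_LOG = [
    '192.168.0.12 - - [12/Nov/2013:10:02:11 +0000] "GET /index.htm HTTP/1.1" 200 2310 "-" "Mozilla/5.0 (Windows NT 6.1)"',
    '203.0.113.9 - - [12/Nov/2013:10:03:47 +0000] "GET /bsc_wan.htm HTTP/1.1" 200 5140 "-" "xmlset_roodkcableoj28840ybtide"',
    '203.0.113.9 - - [12/Nov/2013:10:03:48 +0000] "POST /apply.cgi HTTP/1.1" 200 510 "-" "xmlset_roodkcableoj28840ybtide"',
    '192.168.0.14 - - [12/Nov/2013:10:04:02 +0000] "GET /login.htm HTTP/1.1" 401 0 "-" "curl/7.33.0"',
]

if __name__ == "__main__":
    print(hidden_message())
    print(auth_check_as_reported(BACKDOOR_UA, logged_in=False),
          auth_check_fixed(BACKDOOR_UA, logged_in=False))
    for hit in scan_access_log(ACCESS_LOG):
        print(hit)
```

The same match is a one-liner in Snort or Suricata (a rule with content:"xmlset_roodkcableoj28840ybtide"; http_user_agent;), and a 200 response to an administration page from an address outside your LAN with this User-Agent is as clear a sign of compromise as a log will ever give you.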

Thank you Bit-Tech for providing us with this information