EDIT: seems to have been fixed in versions newer than v7.40

Nasty bug in Skype (not Lync/Skype for Business)

“A security flaw in Skype’s updater process can allow an attacker to gain system-level privileges to a vulnerable computer.”

– The bug, if exploited, can escalate a local unprivileged user to the full “system” level rights — granting them access to every corner of the operating system.

Microsoft says that even though engineers “were able to reproduce the issue,” a fix will land “in a newer version of the product rather than a security update.”

#security #awareness #skype

http://www.zdnet.com/article/skype-cannot-fix-security-bug-without-a-massive-code-rewrite/

Running one of Western Digital's My Cloud products? -read this… and update your firmware.


Affected My Cloud Firmware Versions and Models

Western Digital’s My Cloud and My Cloud Mirror firmware version 2.30.165 and earlier are affected by all above-reported vulnerabilities.

Affected device models include My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100.

Metasploit modules for all the vulnerabilities have been released online.

#westerndigital #mycloud #security

Originally shared by The Hacker News

✓ Unrestricted File Upload (Shell as Root)

✓ Secret Hardcoded Root Backdoor Account

✓ CSRF, Command Injection, DoS

✓ NOT PATCHED Even 6 Months After Reporting

https://thehackernews.com/2018/01/western-digital-mycloud.html

Using LastPass? Then you’ll need this


LastPass released an update to its browser extensions which they believe fixes the reported vulnerability in all browsers.

Most users will be updated automatically.

Please ensure you are running the latest version (4.1.44 or higher), which can always be downloaded at https://www.lastpass.com/.

#lastpass #security

https://blog.lastpass.com/2017/03/security-update-for-the-lastpass-extension.html/?utm_source=TWITTER&utm_medium=social&utm_term=Customer%20Serviced-tAnswering%20CS&utm_content=20170401d-t20170401002100

Soooo, have you enabled 2-factor authentication yet!?


-or, are you using the same password everywhere?

This is what’s for sale at the darker side of the interwebz:

100,000 Yahoo accounts acquired from 2012 Last.FM data breach, for 0.0084 Bitcoins ($10.76).

Another 145,000 Yahoo accounts acquired from two separate data breaches – the 2013 Adobe data breach and the 2008 MySpace breach – for 0.0102 Bitcoins (USD 13.75).

500,000 Gmail accounts from the 2008 MySpace hack, the 2013 Tumblr breach, and the 2014 Bitcoin Security Forum breach for 0.0219 Bitcoins ($28.24).

Another 450,000 Gmail accounts for 0.0201 BTC (USD 25.76), which came from various other data breaches in Dropbox, Adobe, and others that took place between 2010 and 2016.

If you, for any reason, are getting sweaty hands now, you may take a look at https://haveibeenpwned.com/ to see if you’re one of the lucky ones… -I’d never give my stuff away to a service like that, but there are people that do, and nothing bad has happened -yet, so…

#security #password #hacked

http://thehackernews.com/2017/03/gmail-yahoo-password-hack.html

:-) -yup, really not so bad as “everyone” first expected


#android #security #linux #vulnerability

Originally shared by Adrian Ludwig

On January 19th, 2016, Perception Point and Red Hat announced a security issue (CVE-2016-0728) in the mainline Linux kernel that affects some Android devices. We have received some questions, so I want to quickly provide an update.

We have prepared a patch, which has been released to open source and provided to partners today. This patch will be required on all devices with a security patch level of March 1 2016 or greater.

In addition, since this issue was released without prior notice to the Android Security Team, we are now investigating the claims made about the significance of this issue to the Android ecosystem. We believe that the number of Android devices affected is significantly smaller than initially reported.

We believe that no Nexus devices are vulnerable to exploitation by 3rd party applications. Further, devices with Android 5.0 and above are protected, as the Android SELinux policy prevents 3rd party applications from reaching the affected code. Also, many devices running Android 4.4 and earlier do not contain the vulnerable code introduced in Linux kernel 3.8, as those newer kernel versions are not common on older Android devices.