In a talk originally slated for last year before it was muffled by Juniper based on the concerns of “an affected ATM vendor”, Jack demonstrates what he calls jackpotting an ATM.
Today marks the last Microsoft patch Tuesday of 2009, and Microsoft has released patches to six bulletins: MS09-071 – Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution (974318) MS09-074 – Vulnerability in Microsoft Office Project Could Allow Remote Code Execution (967183) MS09-072 – Cumulative Security Update for Internet Explorer (976325) MS09-069 – Vulnerability [...]
This morning a security researcher identified that he was able to carry out a successful SQL Injection attack against donate.barackobama.com, the official campaign donation site of current President Barack Obama, and gain access to credentials such as user names and passwords for persons who have donated to the Obama campaign, as well as administrative user credentials. On his blog he goes on to postulate the further attack possibilities with admin access such as web site defacement, uploading phpshells, and so forth. The problem is that the researcher Unu didn’t find an SQL injection site on donate.barackobama.com, he found one on a calendar application at Roosevelt University. In the process of finding out how that would be possible, a real web site vulnerability on the Obama web site reveals itself.
Microsoft is recommending setting the kill bit for an ActiveX control object, MPEG2TuneRequest, to avoid an in the wild zero day exploit that allows for remote code execution when a web site containing the exploit is browsed by a user with Internet Explorer.