Category: Vulnerability

Turning an ATM into a Slot Machine

Turning an ATM into a Slot Machine

In a talk originally slated for last year before it was muffled by Juniper based on the concerns of “an affected ATM vendor”, Jack demonstrates what he calls jackpotting an ATM.

Microsoft’s Google Attack Patch?

Microsoft’s Google Attack Patch?

Noted journalist and friend of the blog George V. Hulme shared the picture below from CNBC, perhaps the most amusing way seen thus far of describing the patch for the ‘Aurora bug‘ that famously affected Google late last year.

Adobe util.printd Zero Day

Adobe util.printd Zero Day

A critical vulnerability was discovered early this week in Adobe Reader and Acrobat versions 9.2 and earlier which could allow attackers to gain control of the affected system, not even a week after Adobe released a critical update for its Flash Player on patch Tuesday last week. The attack uses a weakness in a function called util.printd along with a heap spray implemented with Javascript to attempt to inject shell code.

Six Bulletins in Last Patch Tuesday of 2009

Six Bulletins in Last Patch Tuesday of 2009

Today marks the last Microsoft patch Tuesday of 2009, and Microsoft has released patches to six bulletins: MS09-071 – Vulnerabilities in Internet Authentication Service Could Allow Remote Code Execution (974318) MS09-074 – Vulnerability in Microsoft Office Project Could Allow Remote Code Execution (967183) MS09-072 – Cumulative Security Update for Internet Explorer (976325) MS09-069 – Vulnerability […]

Pangolin screenshot supposedly demonstrating SQL Injection of Obama web site.

The Barack Obama Donations Site was Hacked…err, no it wasn’t.

This morning a security researcher identified that he was able to carry out a successful SQL Injection attack against donate.barackobama.com, the official campaign donation site of current President Barack Obama, and gain access to credentials such as user names and passwords for persons who have donated to the Obama campaign, as well as administrative user credentials. On his blog he goes on to postulate the further attack possibilities with admin access such as web site defacement, uploading phpshells, and so forth. The problem is that the researcher Unu didn’t find an SQL injection site on donate.barackobama.com, he found one on a calendar application at Roosevelt University. In the process of finding out how that would be possible, a real web site vulnerability on the Obama web site reveals itself.

Microsoft Video ActiveX Control Vulnerability

Microsoft Video ActiveX Control Vulnerability

Microsoft is recommending setting the kill bit for an ActiveX control object, MPEG2TuneRequest, to avoid an in the wild zero day exploit that allows for remote code execution when a web site containing the exploit is browsed by a user with Internet Explorer.