863 matches found

ThreatPost
added 2014/07/31 2:41 p.m., 119 views

Microsoft Releases EMET 5.0 Exploit Mitigation Tool

The latest version of Microsoft’s freely available stopgap against zero-day exploits was released today with two new exploit mitigations and a batch of new configuration options. The update to Microsoft’s Enhanced Mitigation Experience Toolkit, or EMET, comes six months after a technical preview...

CVSS 9.3, AI score 8.9, EPSS 0.99945
Exploits 33, References 2

seebug.org
added 2014/07/01 12:0 a.m., 9 views

PHP Advanced Transfer Manager 1.30 Multiple Directory Traversal Vulnerabilities

No description provided by source. source: http://www.securityfocus.com/bid/14883/info PHP Advanced Transfer Manager is prone to multiple directory traversal vulnerabilities. These issues are due to a failure in the application to properly sanitize user-supplied input. Exploitation of any of thes...

AI score 7.1
Exploits 0

ThreatPost
added 2014/05/22 1:15 p.m., 16 views

Adobe to Patch Vulnerable Flash Player in Shockwave

It’s bad enough that the Flash runtime bundled with Adobe’s Shockwave player is deficient in security patches going back to January 2013, but what’s worse is that the increased attack surface provided by Shockwave might make it easier to exploit. And, in the bargain, Adobe has known about the iss...

AI score 8
Exploits 0, References 5

Hacker One
added 2014/04/18 7:1 p.m., 61 views

Localize: Numerous open ports/services

Looks like you have numerous open ports that also show service versions. An attacker can leverage this information when trying an attack. Ports should be filtered and banners should be removed/generalized. nmap -sV www.localize.io Starting Nmap 6.40-2 http://nmap.org at 2014-04-18 11:08 PDT Stats...

AI score 6.7
Exploits 0

ThreatPost
added 2014/02/25 4:37 p.m., 86 views

Microsoft EMET 5.0 Technical Preview Released

SAN FRANCISCO – Enterprises beat up by wave after wave of Java exploits and calls to disable the platform may soon have some relief in sight. Microsoft’s free Enhanced Mitigation Experience Toolkit will soon have a new feature that allows users to configure where plug-ins, especially those target...

CVSS 9.3, AI score 8.6, EPSS 0.99945
Exploits 33, References 1

myhack58
added 2013/09/09 12:0 a.m., 26 views

Bit9 report finds a large number of "critical" Java vulnerabilities - vulnerability warning - the black bar safety net

Bit9 recently conducted in-depth research into Java and its vulnerabilities and found that nearly half of enterprises have two or more versions of Java installed. Java is very common in enterprise environments, and enterprises usually do not remove old versions, which increases...

AI score 0.4
Exploits 0

Kitploit
added 2013/08/14 2:46 a.m., 27 views

[Drozer] The Leading Security Testing Framework for Android.

drozer enables you to search for security vulnerabilities in apps and devices by assuming the role of an app and interacting with the Dalvik VM, other apps’ IPC endpoints and the underlying OS. drozer provides tools to help you use and share public Android exploits. It helps you to deploy a droze...

AI score 7.4
Exploits 0, References 1

ThreatPost
added 2013/05/15 11:10 a.m., 14 views

Honeynet Project Researchers Build ICS Honeypot

Industrial control system and SCADA honeypots have been tried before with relative success. While those systems were enticing to hackers who hammered away on them, they were also complicated, required real ICS and SCADA gear, and weren’t publicly available. Two researchers from Norway and Denmark...

AI score 0.3
Exploits 0, References 4

ICS
added 2013/01/12 7:0 a.m., 47 views

Schneider Electric MiCOM S1 Studio Improper Authorization Vulnerability

Overview This advisory provides mitigation details for a vulnerability affecting the Schneider Electric MiCOM S1 Studio Software. Independent researcher Michael Toecker of Digital Bond has identified an improper authorization vulnerability in the MiCOM S1 Studio Software using the Microsoft Attac...

CVSS 6.6, AI score 6.3, EPSS 0.00336
Exploits 0, References 10

ThreatPost
added 2012/08/06 6:9 p.m., 160 views

Microsoft Releases Attack Surface Analyzer Tool

Microsoft has released a public version of its internal Attack Surface Analyzer tool, which helps organizations identify changes to a system’s attack surface as new applications are added. The tool has been in beta for a few months, but this is the first official release. The Attack Surface...

CVSS 9.3, AI score 0.4, EPSS 0.99945
Exploits 33, References 1

ThreatPost
added 2011/12/30 2:20 p.m., 13 views

Thinking About Software Security Holistically

While assessing software systems of all types a few common mistakes regularly come up. These aren’t mistakes that lead directly to vulnerabilities, but mistakes in how some software companies think about security, that can lead to invalid assumptions, and ultimately which can allow real security...

Exploits 0, References 1

ICS
added 2011/06/03 6:0 a.m., 32 views

GE Proficy Historian Web Administrator XSS

Overview ICS-CERT originally released Advisory ICSA-11-243-02P on the US-CERT secure Portal on August 31, 2011. ICS-CERT has received a report from independent security researchers Billy Rios and Terry McCorkle concerning multiple cross-site scripting (XSS) vulnerabilities in the GE Intelligent...

CVSS 4.3, AI score 6, EPSS 0.00908
Exploits 0, References 10

The Hacker News
added 2011/05/02 11:12 a.m., 8 views

Source Code is the New Hacker Currency !

Source Code is the New Hacker Currency ! No doubt you've been paying attention to the data breaches pile up lately... but have you noticed a trend? If you wade through the hype and hyperbole, dig into the details of the most prolific intrusions in recent history you'll notice one thing that shine...

AI score 7.4
Exploits 0

Exploit DB
added 2011/04/26 12:0 a.m., 13 views

Football Website Manager 1.1 - SQL Injection / Multiple HTML Injection Vulnerabilities

source: https://www.securityfocus.com/bid/47593/info Football Website Manager is prone to an SQL-injection vulnerability and multiple HTML-injection vulnerabilities because it fails to sufficiently sanitize user-supplied input. An attacker may leverage these issues to compromise the application,...

AI score 7.4
Exploits 0

The Hacker News
added 2011/03/14 7:52 p.m., 29 views

New Adobe Under Zero-Day Attack !

Adobe today released an advisory to warn about a remote code execution vulnerability in Flash Player, which also affects Adobe Reader and Acrobat. This critical vulnerability has been assigned CVE-2011-0609. Currently seen attacks work through a malicious SWF file which is embedded inside an Exce...

CVSS 9.3, AI score 7, EPSS 0.66821
Exploits 8

ThreatPost
added 2010/09/16 7:18 p.m., 18 views

Security a Concern as HTML5 Gains Traction

From animated logos to Web videos for hip, independent bands, HTML5 is getting buzz and gaining traction. But concerns about the security of features in the new version of the Web’s lingua franca persist. Every technology innovation has its coming out party, and Google Inc.’s recent “dancing ball...

AI score 6
Exploits 0, References 4

ThreatPost
added 2010/01/06 5:28 p.m., 8 views

I Have Only One Security Prediction for 2010

Instead of the usual top ten lists that are all-too-common with predictions for the new year, I have just one: 2010 will be the year of desktop applications handling untrusted data in sandboxed processes, and it will be about time. Since the release of Windows XP SP2, there have been significantl...

AI score 0.2
Exploits 0, References 9

Tenable Nessus
added 2009/10/26 12:0 a.m., 340 views

NFS Server Superfluous

The remote NFS server is not exporting any shares. Running an unused service unnecessarily increases the attack surface of the remote host. (C) Tenable Network Security, Inc. Get the export list of the remote host and warns the user if a NFS share is exported to the world. include 'compat.inc' ;...

CVSS 10, AI score 5.5, EPSS 0.0194
Exploits 0, References 1

ThreatPost
added 2009/09/25 6:49 p.m., 14 views

Microsoft Says Google Chrome Frame is IE Security Risk

Google’s decision to introduce a plug-in that runs Google Chrome inside Microsoft’s Internet Explorer isn’t sitting well with the folks at Redmond. The Google Chrome Frame, which is presented as a seamless way to bring Google Chrome’s open web technologies and speedy JavaScript engine to Internet...

AI score 1.1
Exploits 0, References 4

ThreatPost
added 2009/06/25 8:57 p.m., 11 views

Vulnerabilities and Attack Surface

From CERT Will Dormann Two recent US-CERT Vulnerability Notes cert.org describe similar issues in the Adobe Reader and Foxit Reader PDF viewing applications. The vulnerabilities, that both applications failed to properly handle JPEG2000 JPX data streams, were discovered as part of our Vulnerabili...

AI score 1.5
Exploits 0, References 4