Security experts are investigating an Egyptian hacker who goes by the name “Virus_Hima”, who released screenshots of potential flaws in Yahoo’s website. This has been done before by the hacker, whose intentions may or may not be good.
One of the flaws identified by this hacker was the ability to access a full backup of one of Yahoo’s domains. The other problems were cross-site scripting (XSS) and SQL injection vulnerabilities, according to a PasteBin.com post titled “Yahoo data leak by Virus_Hima”.
His previous targets included Adobe, where he released a batch of more than 200 email addresses obtained from one of its databases. As a result, Adobe shut down Connectusers.com, the site for its Connect Web conferencing service.
Alongside his stated “good intentions”, he has also rejected the claim that he sold a $700 XSS vulnerability on the black market. He says he is a former blackhat and that his intentions as a vulnerability researcher are good. However, in his PasteBin.com post he takes shots at security reporter Brian Krebs, calling his site “Krebsonshitz” when it is clearly “Krebs on Security”. Krebs reported on the hacker back when the XSS vulnerability was being sold.
Here’s a small update to yesterday’s Patch Tuesday. Microsoft seemed to have only two critical fixes…
The first patch, MS12-061, applies to Microsoft Visual Studio Team Foundation Server. The other update, MS12-062, fixes a flaw in Microsoft Systems Management Server 2003 and Microsoft System Center Configuration Manager 2007.
Note to system administrators: Microsoft is urging you to test the update KB2661254, which helps mitigate the risks associated with the Flame malware. It won’t be released until October, but it is available now for testing purposes. It is best to strengthen your SSL certificates.
- September 2012 Patch Tuesday Update (ibm.com)
- Microsoft says “No!” to insecure certificate practices (nakedsecurity.sophos.com)
Do not envy the life of a Web app. It’s a brutal, public existence filled with attacks from all sides. In fact, a new report by Imperva sheds some light on this sad life, showing that a typical Web app is attacked once every three days and some are targeted as many as 2,700 times in a given year.
Web apps are lots of fun for attackers because they’re publicly accessible and take all kinds of interesting inputs. Attackers can take their time, throwing whatever data they choose at a given app and then seeing what breaks. To determine what this attack landscape looks like, Imperva monitored 50 Web applications for six months, looking at the kinds of attacks each one endured and pulling out trends.
One of the more interesting findings was that the typical Web app can expect to be attacked every third day and that some of the applications are under attack as often as 292 days per year. There are likely to be multiple attack incidents on any given day, as well. The average attack that Imperva observed lasted a little less than eight minutes and the longest went on for about 80 minutes.
- Cyber-Attacks Constantly Hit Web Apps Hard, Fast: Imperva Study (eweek.com)
- Web apps experience 2,700+ attacks per year (net-security.org)
- Web applications are attacked one out of three days, report says (pcadvisor.co.uk)
The Mozilla Foundation has released updates for the following products to address multiple vulnerabilities:
- Firefox 14
- Firefox ESR 10.0.6
- Thunderbird 14
- Thunderbird ESR 10.0.6
- SeaMonkey 2.11
These vulnerabilities may allow an attacker to execute arbitrary code, cause a denial-of-service condition, disclose sensitive information, operate with elevated privileges, bypass security restrictions, or perform a cross-site scripting attack.
US-CERT encourages users and administrators to review the Mozilla Foundation Advisory for Firefox 14, Firefox ESR 10.0.6, Thunderbird 14, Thunderbird ESR 10.0.6, and SeaMonkey 2.11 and apply any necessary updates to help mitigate the risk.
BOUNTY HUNTERS: PayPal is offering sweeter deals!!
PayPal Chief Information Security Officer, Michael Barrett said on the PayPal Blog:
Today I’m pleased to announce that we have updated our original bug reporting process into a paid “bug bounty” program. The experience from other companies such as Facebook, Google, Mozilla, Samsung and others who have implemented similar programs has been very positive. I originally had reservations about the idea of paying researchers for bug reports, but I am happy to admit that the data has shown me to be wrong – it’s clearly an effective way to increase researchers’ attention on Internet-based services and therefore find more potential issues.
The bug reporting program has several steps:
- Bug reports are submitted by researchers.
- The report is then categorized by the following criteria: A. Cross-site scripting (XSS), B. Cross Site Request Forgery (CSRF), C. SQL injection, D. Authentication bypass.
- Severity and priority are determined.
- The researcher is paid into their PayPal account.
More information is available on the PayPal Blog.