SQL Injection Vulnerability Affected All Versions of Ruby on Rails

SQL Injection Vulnerability Affected All Versions of Ruby on Rails (CVE-2012-5664)

Developers at Ruby on Rails are warning its users regarding a Sql Injection flaws which has affected all the current version of Ruby on Rails web framework. While exploiting the vulnerability an attacker can inject and even execute malicious codes into the web application. "Due to the way dynamic finders in Active Record extract options from method parameters, a method parameter can mistakenly be used as a scope. Carefully crafted requests can use the scope to inject arbitrary SQL," explained the Rails framework's developers. As soon as this vulnerability has been spotted in the wild, the maintainers of Ruby on Rails have released new versions that addresses the flaw, versions 3.2.10, 3.1.9 and 3.0.18. In their advisory Ruby on Rails team recommends that users running affected versions, which is essentially anyone using Ruby on Rails, upgrade immediately to one of the fixed versions mentioned earlier. "We're sorry to drop a release like this so close to the holidays but regrettably the exploit has already been publicly disclosed and we don't feel we can delay the release," Rails developer concluded. 

The original problem was disclosed on the Phenoelit blog in late December where the author applied the technique to extract user credentials from a Ruby on Rails system, circumventing the authlogic authentication framework. While talking about the vulnerability discloser of Ruby on Rails, we would like to remind you that, this is not the first time, earlier in 2012 a Russian security researcher named Homakov has found that Github has succumbed to a public key vulnerability in Ruby on Rails which is allowing a normal user to gain administrator access into the popular Rails Git.

Brief About Ruby on Rails:- Ruby on Rails, often shortened to Rails, is an open source full-stack web application framework for the Ruby programming language. Ruby on Rails runs on the general-purpose programming language Ruby, which predates it by more than a decade. Rails is a full-stack framework, meaning that it gives the web developer the ability to gather information from the web server, talk to or query the database, and render templates out of the box. As a result, Rails features a routing system that is independent of the web server. Ruby on Rails emphasizes the use of well-known software engineering patterns and principles, such as Active record pattern, Convention over Configuration, Don't Repeat Yourself and Model-View-Controller.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">SQL Injection Vulnerability Affected All Versions of Ruby on Rails"https://www.voiceofgreyhat.com/2013/01/SQL-Injection-Vulnerability-in-Ruby-on-Rails.html?m=0</a>

Samsung Galaxy S III, S II & Note II Vulnerable to Inject Malicious Code Directly into Kernel

Samsung Galaxy S III, S II & Note II Vulnerable to Inject Malicious Code Directly into Kernel

Serious security hole has been discovered in Samsung smartphones. According to a member of XDA-Developer forum named 'alephzain' the vulnerability exists in the Samsung Galaxy S III, Galaxy S II and Galaxy Note II along with several other Samsung devices. As per sources the vulnerability is marked as "severe". This vulnerability could provide a malicious way for remotely downloaded apps to read user data, brick phones and perform other malicious activities. In other words, this hole could allow a malicious app free reign over your smartphone’s memory, and basically take complete control of your device. Prepare tin foil hats. Another XDA-Developer user, supercurio says Samsung has been notified of the security hole, but had not yet acknowledged the issue. That is until this morning when Samsung dropped word to Android Central that they are “currently in the process of conducting an internal review” in reference to the security hole. Supercurio says the potential exists for millions of devices to be in harms way, especially those with Exynos 4210 and 4412 processors that use Samsung code. Another XDA user, Entropy512 adds “this exploit changes things — there is a no root exploit that can be used by an app straight from the market, in the background, with little to no user intervention.” 

While talking about security holes in Samsung phones, then we would like to remind you that few moths ago, researcher have unveiled several android based handsets including Samsung Galaxy S3, S2 were vulnerable to 'remote wipe' hack.   

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Samsung Galaxy S III, S II & Note II Vulnerable to Inject Malicious Code Directly into Kernel"https://www.voiceofgreyhat.com/2012/12/Samsung-Galaxy-Vulnerable-Inject-Malicious-Code.html?m=0</a>

Microsoft Fixes & Apologizes Embarrassing 'Big Boobs' String (0xB16B00B5) From Linux Code

Microsoft Fixes & Apologizes Embarrassing 'Big Boobs' String (0xB16B00B5) From Linux Code

Buried in the software that connects the Linux kernel to Microsoft‘s HyperV virtualization program was the following code string: '0xB16B00B5'. The string was spotted by programmer Paolo Bonzini, who posted about his discovery to the Linux Kernel mailing list saying “Somone (sic) was trying to be funny, I guess”.

The string was used every time the Microsoft program ran a virtual version of Linux. Linux developer Dr Matthew Garrett is upset by what he sees as “straightforward childish humour”. He points out that previously Microsoft used the string 0x0B00B135 (or “BOOBIES” to non-programmers) in a previously submitted piece of code. Dr Garrett points out that the string may be used to connect Linux system to Microsoft’s Azure cloud platform, making the problem even tougher to fix. “So, full marks, Microsoft,” says Dr Garrett. “You’ve managed to make the kernel more offensive to half the population and you’ve made it awkward for us to rectify it”. Microsoft was made aware of the code quickly issued an apologetic statement, saying “We thank the community for reporting this issue and apologize for the offensive string. We have submitted a patch to fix this issue and the change will be published in a future release of the kernel.”  The software giant then immediately issued a patch that corrected the string. In early June, Microsoft suffered another embarrassment over '"vulgar" language used during a song and dance routine at a company conference.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Microsoft Fixes & Apologizes Embarrassing 'Big Boobs' String (0xB16B00B5) From Linux Code"https://www.voiceofgreyhat.com/2012/07/MicrosoftFixeBigBoobString0xB16B00B5.html?m=0</a>

Reverse Engineered Source Code of Skype Allegedly Stolen & Exposed

Reverse Engineered Source Code of Skype Allegedly Stolen & Exposed 

After VMWare & Norton's Symantec now another big fish -Skype get caught among the list of those whose source code has been allegedly stolen. An Anonymous affiliated hacker named "57UN" also known as 'Stun' claims to have stolen the source code which he made public. From this leak several fact come in front, according to the hacker the Federal Authorities uses skype for surveillance, in his twitter the hacker said - "Oh and the FBI uses #Skype as a surveillance tool?! #Lulz?! Privacy my ass! Wake up people!..." He added "#Skype & privacy?! Yeah! Did you know that #Microsoft works with each and every government, for instance in #Tunisia!..." 

In his release on Pastebay Stun said- 

"AFTER MICROSOFT ACQUIRING SKYPE FOR 8.5 BILLION DOLLARS AND PROCEEDING TO ADD BACK DOORS FOR GOVERNMENT TO THE PROGRAM, THE SOFTWARE HAS BEEN HACKED AND IT'S SOURCE CODE RELEASED

Skype1.4_binaries

http://thepiratebay.se/torrent/6442887

SkypeKit_sdk+runtimes_370_412.zip

skypekit binaries for Windows and x86_Linux + SDK

http://thepiratebay.se/torrent/7190651/

skype55_59_deobfuscated_binaries (Windows)

http://thepiratebay.se/torrent/7238404/

http://twitter.com/57UN

#Anonymous #Antisec #PoliceState #SecurityState #OpenSource ..."

However, experts state that the source code published by the hacker is actually the one leaked some time ago by a researcher who reverse engineered the Windows binaries. According to security researcher Janne Ahlberg “I managed to get a copy of the file ‘skype55_59_deobfuscated’ from May. It is not Skype source code, but a reverse engineered version of the Windows binaries. The tool used in reverse engineering seems to be IDA disassembler/debugger” 

So far 3 torrent files being released which include a reversed engineered copy of the skype protocol, the source development kit(sdk) and needed runtime and de-obfuscated, unpacked Skype 5.5 and 5.9 binaries for Windows. 

-Source (Softpedia) 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Reverse Engineered Source Code of Skype Allegedly Stolen & Exposed"https://www.voiceofgreyhat.com/2012/07/SkypeSourceCodeLeaked.html?m=0</a>