Couple of months ago we have talked about 'Pwn2Own 2013' hacking contest sponsored by HP TippingPoint, ZDI and Googlewhere the most famous and widely used browsers have to face challenges. Now the result of this long awaited security competition has came which is showing that the entire browser security landscape can change in a single day, as browsers thought to be secure are proven to be otherwise. Of the Big Four browsers, only Apple's Safari has so far survived the onslaught of the browser-breakers where Chrome, Internet Explorer 10 and Firefox all fell to the mercy of the hackers. Not only browsers but also three other popular applications that is Adobe Reader, Flash Player and yet again Java fallen victim to hackers at'Pwn2Own'. And for Java it was a true disaster as Java fell three times, though under the contest rules, only the first attacker was due to win the $20,000 prize. Vupen, a renowned security research firm based in France, cracked both Firefox and Internet Explorer. It roughly explained the attack in a tweet, “We’ve pwned Firefox using a use-after-free and a brand new technique to bypass ASLR/DEP on Win7 without the need of any ROP.” This bug hint leads them winning $100,000 for finding a huge hole. Again in a tweet, Security firm Vupen explained “We’ve pwned MS Surface Pro with two IE10 zero-days to achieve a full Windows 8 compromise with sandbox bypass.” Lastly, U.K.-based security firm MWR Labs cracked Chrome and also gained full control of the operating system, this time Windows 7. It also “demonstrated a full sandbox bypass exploit.” The company explained in a blog post that it found a zero-day in Chrome “running on a modern Windows-based laptop.” It was able to exploit the vulnerability by performing a very similar attack to what took down Facebook, Microsoft, and a number of other well-known companies: It had the laptop visit a malicious website.
Now lets take look at the final score board of Pwn2Own 2013:
The total damage to the prize fund comes out at a whopping $480k. With HP's announcement that everyone will get paid for each attack, the prize monies will be divvied up as follows:-
As you all know that the main motive of these contest is to make applications, software more safe and secure while figuring out hidden vulnerabilities Here also for Pwn2Own the security holes figured out by the above experts have already been submitted and taken carefully by those organization along with that, the expected patch for the browsers have already been released. Those who are still using the older version of those above applications are requested to update their system. So, stay tuned with VOGH and be safe on the Internet.
Pwn2Own 2013 -Hack Major Web-browser, Adobe Reader, Flash or Java & Earn in Million Dollars
Since the last two years the Pwn2Own hacker contest has become an important fixture in the world of testing the security of software applications, operating systems and hardware devices. In last two years we have seen several hackers, security professionals have expressed their enthusiasm and joined Pwn2Own where four major and widely browser's security get compromised, in order to make applications, software more safe and secure. Last year we have reported how different hackers across the globe taken part in Pwn2Own and successfully hacked Google Chrome, IE & Firefox, and earned millions of dollars. But the contest of this year has some more twist than before as, HP TippingPoint and Google, sponsor of Pwn2Own, has made clear that it is expanding the focus of the competition beyond browsers. Also, Pwn2own 2013 will include $560,000 in prize money for demonstrations of exploits in the major web browsers, Adobe Reader, Adobe Flashor Oracle Java.
Contest Dates:-
The contest will take place the 6th, 7th, and 8th of March in Vancouver, British Columbia during the CanSecWest 2013 conference. DVLabs blog post will be updated as the contest plays out and get real-time updates by following either @thezdi or @Pwn2Own_Contest on Twitter or search for the hash tag #pwn2own.
Rules & Prizes:-
HP ZDI is offering more than half a million dollars (USD) in cash and prizes during the competition for vulnerabilities and exploitation techniques in the below categories. The first contestant to successfully compromise a selected target will win the prizes for the category.
Web Browser
Google Chrome on Windows 7 ($100,000)
Microsoft Internet Explorer, either
IE 10 on Windows 8 ($100,000), or
IE 9 on Windows 7 ($75,000)
Mozilla Firefox on Windows 7 ($60,000)
Apple Safari on OS X Mountain Lion ($65,000)
Web Browser Plug-ins using Internet Explorer 9 on Windows 7
Adobe Reader XI ($70,000)
Adobe Flash ($70,000)
Oracle Java ($20,000)
The targets will be running on the latest, fully patched version of the Windows 7, 8, and OS X Mountain Lion. All targets will be installed in their default configurations, as this is how a majority of users will have them configured. As always, the vulnerabilities utilized in the attack must be unknown and not previously reported to the vendor. If a sandbox is present, a full sandbox escape is required to win. A given vulnerability may only be used once across all categories.
Upon successful demonstration of the exploit, the contestant will provide HP ZDI a fully functioning exploit and all the details of the vulnerability used in the attack. In the case that multiple vulnerabilities were exploited to gain code execution, details about all the vulnerabilities (memory corruption, infoleaks, escalations, etc.) leveraged and the sequence in which they are used must be provided to receive the prize money. The initial vulnerability utilized in the attack must be in the registered category.
Along with prize money, the contestant will receive the compromised laptop and 20,000 ZDI reward points* which immediately qualifies them for Silver standing.
Contestants are asked to pre-register by contacting ZDI via e-mail at zdi@hp.com. This will allow the organizer to ensure that they have the necessary resources in place to facilitate the attack. If more than one contestant registers for a given category, the order of the contestants will be drawn at random.
'Dockster' A New Mac Malware Targeting Apple Users Found on Dalai Lama Related Website
Researcher at F-Secure blog has identified that A new piece of malicious software targeted at Apple users has been found on a website dedicated to the Dalai Lama. According to blog post by F-Secure -the website related to Dalai Lama is fully compromised and is pushing new Mac malware, called Dockster, using a Java-based exploit. Dockster tries to infect computers by exploiting a vulnerability in Java, CVE-2012-0507. The vulnerability is the same one used by the Flashback malware, which first appeared around September 2011 and infected as many as 600,000 computers via a drive-by download. Flashback was used to fraudulently click on advertisements in order to generate illicit revenue in a type of scam known as click fraud. Apple patched the vulnerability in Java in early April and then undertook a series of steps to remove the frequently targeted application from Macs. Apple stopped bundling Java in the 10.7 version of its Lion operation system, which continued with the company's Mountain Lion release. In October, Apple removed older Java browser plug-ins in a software update.
But still the matter of relief is that current versions of OS X are not vulnerable; users who have disabled the Java browser plug-in are also not vulnerable. F-Secure researcher Sean Sullivan said Dockster is “a basic backdoor with file download and keylogger capabilities.” Meanwhile F-Secure’s Sullivan, also said that the Dalai Lama’s site is also serving a Windows-based exploit for CVE-2012-4681, the Agent.AXMO Trojan. The Trojan exploits a Java vulnerability that allows remote code execution using a malicious applet that is capable of bypassing the Java SecurityManager.
While talking about Mac malware, then you must remember that earlier also Mac users faced such attacks when mac Trojan OSX.SabPub was spreading through Java exploits In 2011 we have also seen OSX/Revir-B trojan was installed behind a PDF, and giving hackers remote access to MAC computers, not only Revier-B also Linux Tsunami trojan Called "Kaiten"targeted Mac OS users in 2011. Also another malware named "Devil Robber" which was also make MAC users victim while stealing their personal information. In the very decent past we have seen a trojan named 'BackDoor.Wirenet.1' apparently providing its masters with a backdoor into infected systems. It is also capable of stealing passwords stored in browsers like Chrome, Chromium,Firefox and Opera. For any kind of cyber updates and infose news, stay tuned with VOGH.
Egyptian Hackers Selling Zero-day Exploit of Yahoo MailFor $700
Those people who wander in many underground hackers community, knows very well that several unethical equipment such as Botnet, Zero-day exploit, black hole exploit kit, malware, undisclosed vulnerabilities and so on were sold there for different prices. Those products were generally priced between $5-$500, but today I will talk about an expensive product, which listed itself top on the black market. I am talking about a new cross-site scripting exploit that enables attackers to steal cookies and access Yahoo email accounts. According to the blog post of Krebs on Security -A zero-day vulnerability in yahoo.com that lets attackers hijack Yahoo! email accounts and redirect users to malicious Web sites offers a fascinating glimpse into the underground market for large-scale exploits. The exploit, being sold for $700 by an Egyptian hacker on an exclusive cybercrime forum, targets a “cross-site scripting” (XSS) weakness in yahoo.com that lets attackers steal cookies from Yahoo! Webmail users. Such a flaw would let attackers send or read email from the victim’s account. In a typical XSS attack, an attacker sends a malicious link to an unsuspecting user; if the user clicks the link, the script is executed, and can access cookies, session tokens or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page. The hacker posted the following video to demonstrate the exploit for potential buyers.
“I’m selling Yahoo stored xss that steal Yahoo emails cookies and works on ALL browsers,” wrote the vendor of this exploit, using the hacker handle ‘TheHell.’ “And you don’t need to bypass IE or Chrome xss filter as it do that itself because it’s stored xss. Prices around for such exploit is $1,100 – $1,500, while I offer it here for $700. Will sell only to trusted people cuz I don’t want it to be patched soon!” -said the hacker.
In response Ramses Martinez, director of security at Yahoo!, said the challenge now is working out the exact yahoo.com URL that triggers the exploit, which is difficult to discern from watching the video. “Fixing it is easy, most XSS are corrected by simple code change,” Martinez said. “Once we figure out the offending URL we can have new code deployed in a few hours at most.”
Chrome 23 Closes 15 Security Vulnerabilities, Promises Longer Battery Life& Added Do Not Track (DNT)
The searching giant Google finally included the Do Not Track (DNT) option into its first stable version of the company's browser which is Google Chrome 23. In February internet giant Google has agreed with the White House's Consumer Privacy Bill and here comes the result. Google has implemented the Do Not Track (DNT) header in its Chrome web browser. Few months ago Microsoft made Do Not Track (DNT) facility available by default in Internet Explorer 10. Also the Redmond based software giant drew some criticism recently for its decision to enable Do Not Track by default in IE 10. First it was Mozilla who proposed the Do Not Track mechanism, in Firefox in June 2011 when it released Firefox 5. The DNT option is disabled by default in Chrome and in order to turn it on, users need to go to the customization menu in the top right corner of the browser window. Then click on the Settings option in the left side and scroll down to open the Advanced Settings menu. Under the Privacy menu, check the box next to the "Send a 'Do Not Track' request with your browsing traffic" option. Once that option is enabled, the user will see a message explaining what the DNT system will do for them.
Not only DNT, with the release of Chrome 23, Google closes several security holes and promises to improve battery life for some users. For systems with dedicated graphics chips that support Chrome's GPU-accelerated video decoding, version 23 of the WebKit-based browser is said to significantly reduce power consumption. According to Google, batteries lasted on average 25% longer in its tests when GPU-accelerated video decoding was enabled compared to only using a system's CPU when streaming online videos. Version 23 of Chrome also addresses a total of 15 security vulnerabilities in the browser, 6 of which are rated as "high severity". These include high-risk use-after-free problems in video layout and in SVG filter handling, a integer bounds check issue in GPU command buffers and a memory corruption flaw in texture handling; a Mac-only problem related to wild writes in buggy graphics drivers has also been fixed. Eight medium-severity flaws including an integer overflow that could lead to an out-of-bounds read in WebP handling, and a low-risk have also been corrected. As part of its Chromium Security Vulnerability Rewards program, Google paid security researchers $9,000 for discovering and reporting these flaws. The update to Chrome also includes a new version of the Adobe Flash Player plugin which eliminates a number of critical vulnerabilities, all of which were discovered by the Google Security Team. Further information about the new features can be found in the release announcement, while a full list of security fixes is provided in a post on the Chrome Releases blog. Chrome 23.0.1271.64 is available to download for Windows, Mac OS X and Linux users.
Critical Buffer Overflow, Memory Corruption & Security bypass Vulnerability in Adobe Flash Player & AIR Patched
Adobe- American multinational computer software company has released new versions of its Flash Player to eliminate a number of critical vulnerabilities in Flash Player that could lead to system crashes or remote attackers controlling computers running compromised software. All the flaws were discovered by members of the Google Security Team are associated with several CVE numbers; CVE-2012-5274, CVE-2012-5275, CVE-2012-5276, CVE-2012-5277, CVE-2012-5280 are buffer overflows, CVE-2012-5279 is a memory corruption issue and CVE-2012-5278 is a security bypass; all of which are listed as potentially allowing an attacker to inject malicious code into the system. Google said it will update Flash Player installed with Google Chrome, and Microsoft will do the same with Internet Explorer 10. In the security bulletin Adobe said that it has released security updates for Adobe Flash Player 11.4.402.287 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.243 and earlier versions for Linux, Adobe Flash Player 11.1.115.20 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.19 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system.
Adobe recommends users update their product installations to the latest versions:-
Users of Adobe Flash Player 11.4.402.287 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.5.502.110.
Users of Adobe Flash Player 11.2.202.243 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.251.
Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.5.31.2 for Windows, Macintosh and Linux.
Flash Player installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 11.3.376.12 for Windows.
Users of Adobe Flash Player 11.1.115.20 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.27.
Users of Adobe Flash Player 11.1.111.19 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.24.
Users of Adobe AIR 3.4.0.2710 and earlier versions for Windows and Macintosh, SDK (including AIR for iOS) and Android should update to Adobe AIR 3.5.0.600.
AFFECTED SOFTWARE VERSIONS:-
Adobe Flash Player 11.4.402.287 and earlier versions for Windows and Macintosh
Adobe Flash Player 11.2.202.243 and earlier versions for Linux
Adobe Flash Player 11.1.115.20 and earlier versions for Android 4.x
Adobe Flash Player 11.1.111.19 and earlier versions for Android 3.x and 2.x
Adobe AIR 3.4.0.2710 and earlier versions for Windows and Macintosh, SDK (includes AIR for iOS) and Android
To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system. To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x. To verify the version of Adobe AIR installed on your system, follow the instructions in the Adobe AIR TechNote. Adobe also recommended its Adobe AIR users to update to 3.5.0.600.
While talking about security patches in Adobe product, we want to give to reminder that just couple of weeks ago Adobe also plugged buffer overflow vulnerability in its Shockwave Player. Also in late September, Adobe disclosed that it had been attacked and hackers were using a valid Adobe certificate to sign two malicious utilities used most often in targeted attacks. Adobe revoked the certificate Oct. 4.
Pwnium 2:Teenage Hacker Pinkie Pie Exploited Google Chrome & Earned $60,000
One of world's most popular web-browser Google Chrome has fallen victim at Pwnium 2 security contest which took place earlier on 10th October, at the Hack In The Box conference in Kuala Lumpur, Malaysia. A teenage hacker who goes by the pseudonym "Pinkie Pie" was successfully able to "fully exploit" Chrome, escaping the sandbox using only bugs within Chrome. The hack was done on a fully patched 64-bit Windows 7 system running the latest stable branch of Chrome. For his work, Pinkie Pie will receive the top prize of $60,000 from Google.
This isn't the first time that "Pinkie Pie", also the name of a "My Little Pony - Friendship is Magic" character, has won money for exploiting Chrome. In March of this year, he was rewarded for vulnerabilities he used at Google's Pwnium contest, which took place during the Pwn2Own competition at CanSecWest, to break out of the browser's sandbox and execute code. In order to get his code to execute on the test system at the time, he had to combine a total of six vulnerabilities; the holes were later closed with the release of Chrome 18. Along with security specialist Sergey Glazunov, Pinkie Pie also won this year's Pwnie Award for the Best Client-Side Bug. What ever the full results of the Pwnium 2 competition will be announced during a talk by Google Software Engineer Chris Evans today that means, 11th October.
We also like to give you reminder that earlier in this year Google had increased vulnerability bounties in Anniversary of Vulnerability Reward Programbe. Also PayPal, Facebook & many other has already started this paid bug bounty program. These bug bounty programs & such security contest indeed enhancing the security.
Researcher Figure-out Yet Another Java Hole That Puts 1 Billion Users at Risk
Just as Oracle is ramping up for the September 30 start of JavaOne 2012 in San Francisco yet again another critical Java vulnerability has been spotted in the wild. The Polish security researcher Adam Gowdiak has found another vulnerability in Java that could allow an attacker to bypass the sandbox. This newly discovered security hole has effected all latest versions of Oracle Java SE software. According to Security Explorations researcher Adam Gowdiak, who sent the
email to the Full Disclosure Seclist, this Java exploit affects “one billion users of Oracle Java SE software.” So far the researcher were able to successfully exploit the vulnerability and achieve a complete Java security sandbox bypass
in the environment of Java SE 5, 6 and 7. Researcher could only claim such an impact with reference to Java 7 environment (the
Apple QuickTime attack relying on Issues 15 and 22 is the only exception here).
The following Java SE versions were verified to be vulnerable:
Java SE 5 Update 22 (build 1.5.0_22-b03)
Java SE 6 Update 35 (build 1.6.0_35-b10)
Java SE 7 Update 7 (build 1.7.0_07-b10)
All tests were successfully conducted in the environment of a fully patched Windows 7 32-bit system and with the following web browser applications:
Firefox 15.0.1
Google Chrome 21.0.1180.89
Internet Explorer 9.0.8112.16421 (update 9.0.10)
Opera 12.02 (build 1578)
Safari 5.1.7 (7534.57.2)
So far there are no reports that the vulnerability is being exploited for attacks. Oracle has not said whether or when it will close the vulnerability. Here we want to remind the very recent history, when several zero day vulnerability was found in all the version of java, which was added on BlackHole Exploit kit. Later Oracle released a patch to close the security hole.
Google Added Do Not Track (DNT) Facility in Chrome Web-Browser (User Privacy Implemented)
Few months ago Microsoft made Do Not Track (DNT) facility available by default in Internet Explorer 10. So here comes the turn for Chrome. In February internet giant Google has agreed with the White House's Consumer Privacy Bill and here comes the result. Google has implemented the Do Not Track (DNT) header in its Chrome web browser, while promising to respect DNT headers set by visitors to its web site.
First it was Mozilla who proposed the Do Not Track mechanism, later it has been garnered support from all major browser makers and a majority of the technology industry.
Users who want to take advantage of the new DNT capabilities in Chrome will have to install the latest "bleeding edge" developer build in the form of the Chrome Canary branch. However, this version is not recommended for use in production environments. Users who are running a stable version of the browser will have to wait some months for the feature to arrive in the mainstream version.
"Do Not Track" is a tool that allows browser users to restrict advertisers from collecting information about their online Web activities. It has the backing of the U.S. Federal Trade Commission. Browsers with "Do Not Track" turned on don't block cookies but send a message to advertisers that the user does not want to be tracked. Companies voluntarily decide whether to comply with "Do Not Track," much as they currently decide whether to comply with the "Do Not Call" registry. Microsoft's announcement that it would turn on "Do Not Track" by default in IE10 angered advertisers. "The Digital Advertising Alliance, a coalition that counts Microsoft as a member, said that the decision ran counter to the industry's agreement with the White House announced earlier this year to honor 'do not track' as long as it is not a default setting," many international standards bodies.
'BackDoor.Wirenet.1' Trojan Stealing Passwords From Mac & Linux Based Systems
A Russian Anti Virus software company named 'Dr Web' has spotted a piece of malware that unusually targeting Macs and Linux-based systems is causing a world of trouble for those in its path. The newly found mlaware dubbed 'BackDoor.Wirenet.1' apparently providing its masters with a backdoor into infected systems. It is also capable of stealing passwords stored in browsers like Chrome, Chromium, Firefox and Opera. Furthermore, it’s also able to obtain passwords from popular applications including SeaMonkey,Pidgin and Thunderbird. Even if you don’t use any of the above mentioned software, you’re still in danger as a keylogger is bundled in the payload. Wirenet.1 installs itself into the user's home directory using the name WIFIADAPT.
There are some steps that can be taken right away if you think you could be infected. Dr. Web is quick to point out that their anti-virus software will keep you protected. Another option is to simply disable communication with the control server used by the code’s author. In this case, blocking communication with IP address 212.7.208.65 should do the trick.
Earlier also Mac users faced such attacks when mac Trojan OSX.SabPub was spreading through Java exploits In 2011 we have also seen OSX/Revir-B trojan was installed behind a PDF, and giving hackers remote access to MAC computers, not only Revier-B also Linux Tsunami trojan Called "Kaiten"targeted Mac OS users in 2011. Also another malware named "Devil Robber" which was also make MAC users victim while stealing their personal information.
0-day Vulnerability Found in Java Spotted in the Wild
Yet another 0-day vulnerability found by FireEye's Malware Intelligence Lab that affects all the latest version of Java , including the current Java 7 update 6, are also vulnerable to the hole that is already being exploited in the wild. With the publication of a vulnerability notice by the US-CERT and warnings from the German BSI (Federal Office for Information Security), the best advice for all users is to disable Java applets in their browsers on all operating systems. The vulnerability can be exploited when a user visits a specially crafted web site and can be used to infect a system with malware. Thecode to exploitthe problem is already available on the internet, making its use for infecting systems very likely. There is no patch available for the flaw so it is essential that users disable the Java plugins used by their browsers. Instructions for the various browsers can be found below:
Several security firms have already declared that, this newly found Java exploit had been added to Blackhole, a popular hacker's tool that bundles numerous exploits and tries each in turn until it finds one that will work against a personal computer. "Exploit code for the Java vulnerabilities has been added to the most prevalent exploit kit out there, Blackhole," said Websense in a short post on its company blog. The addition of the exploit to Blackhole was cited by FireEye researcher Atif Mushtaq in a similar blog entry yesterday as the basis for a spike in attacks. "After seeing the reliability of this attack, I have no doubt in my mind that within hours the casualties will be in the thousands," said Mushtaq.
Google Announced 'Pwnium 2'& Increased Prize Money$2m To Exploit Chrome
Few days ago we got the result of Microsoft hosted Blue Hat Security contest, where Microsoft awarded a bunch of hackers and gave away an amount of $260,000. Immediately after this event, Internet giant Google has upped the ante in its industry-leading cash-for-security-bugs program with hefty bonuses and a hacking contest that will award up to $2 million worth of prizes to people who successfully exploit its Chrome browser. In the official Chromium blog, Google has announced the plan for Pwnium 2. According to a blog post by Chris Evans, Software Engineer at Google- Pwnium 2 will be held on Oct 10th, 2012 at the Hack In The Box 10 year anniversary conference in Kuala Lumpur, Malaysia.
This time, Google be sponsoring up to $2 million worth of rewards at the following reward levels:
$60,000: “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself.
$50,000: “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows kernel bug.
$40,000: “Non-Chrome exploit”: Flash / Windows / other. Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver.
$Panel decision: “Incomplete exploit”: An exploit that is not reliable, or an incomplete exploit chain. For example, code execution inside the sandbox but no sandbox escape; or a working sandbox escape in isolation. For Pwnium 2, we want to reward people who get “part way” as we could definitely learn from this work. Our rewards panel will judge any such works as generously as we can.
Exploits should be demonstrated against the latest stable version of Chrome. Chrome and the underlying operating system and drivers will be fully patched and running on an Acer Aspire V5-571-6869 laptop (which we’ll be giving away to the best entry.) Exploits should be served from a password-authenticated and HTTPS Google property, such as App Engine. The bugs used must be novel i.e. not known to us or fixed on trunk. Please document the exploit.
We also like to give you reminder that earlier in this year Google had increased vulnerability bounties in Anniversary of Vulnerability Reward Programbe. Also PayPal, Facebook & many other has already started this paid bug bounty program.
Adobe Plugged Newly Found Zero-day Hole In Flash Player
Adobe warned that hackers are exploiting a critical vulnerability in its popular Flash Player program, and issued an emergency update to patch the bug. The vulnerability allows an attacker to crash the player or take control of an affected system. Adobe says that there are reports of this vulnerability being exploited in the wild as part of targeted email-based attacks which trick the user into clicking on a malicious file. Adobe released security updates for Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh and Linux, Adobe Flash Player 11.1.115.7 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and 2.x. These updates address an object confusion vulnerability (CVE-2012-0779) that could cause the application to crash and potentially allow an attacker to take control of the affected system.
There are reports that the vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message. The exploit targets Flash Player on Internet Explorer for Windows only.
Affected Software Version :-
Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh and Linux operating systems
Adobe Flash Player 11.1.115.7 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and 2.x
Adobe recommends users of Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh and Linux update to Adobe Flash Player 11.2.202.235. Flash Player installed with Google Chrome was updated automatically, so no user action is required. Users of Adobe Flash Player 11.1.115.7 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.8. Users of Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.9. For detailed information and to see the security bulletin of Adobe click here.
Mozilla Put Older & Vulnerable Versions of Java Into Firefox Blocklist
In the official blog post Mozilla confirmed that they have blacklisted unpatched versions of the Java plug-in from Firefox on Windows in order to protect its users from attacks that exploit known vulnerabilities in those versions. "The February 2012 update to the Java Development Kit (JDK) and Java Runtime Environment (JRE) included a patch to correct a critical vulnerability that can permit the loading of arbitrary code on an end-user’s computer. This vulnerability—present in the older versions of the JDK and JRE—is actively being exploited, and is a potential risk to users. To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox’s blocklist. A blocklist entry for the Java plugin on OS X may be added at a future date. Mozilla strongly encourages anyone who requires the JDK and JRE to update to the current version as soon as possible on all platforms. Affected versions of the Java plugin will be disabled unless a user makes an explicit choice to keep it enabled at the time they are notified of the block being applied."- Said Mozilla
Unlike Google's Chrome browser, which has a feature specifically aimed at disabling outdated plug-ins, Firefox relies on Mozilla developers deciding which plug-ins pose a risk to users. However, users retain the choice of preventing those plug-ins from being disabled. The Firefox blocklist has rarely been used to disable plug-ins from big software vendors like Oracle, but precedents do exist. In October 2009, Mozilla decided to add Microsoft's Windows Presentation Foundation (WPF) plug-in to the Firefox blocklist after Microsoft revealed that it had a vulnerability.
Internet Explorer (IE 9) & Firefox10.0.2 Also Became Victim To Hackers At Pwn2Own
At Pwn2Own contest the web-browsers are getting hacked in a series. First it was the turn of Google Chrome where Sergey Glazunov, a Russian security researcher has earned $60,000 by demonstrating how he could waltz past the security sandbox in Google's Chrome browser to run unauthorized code on fully-patched Windows 7 computers. Then the time came for Microsoft's Internet Explorer. A team from a French security firm managed to hack IE 9 on a fully patched Windows 7 SP1 machine. The group from Paris-based Vupen Security brought down IE9 running on Windows 7 by exploiting a pair of previously-unknown "zero-day" bugs that bypassed the operating system's defensive technologies to execute attack code, allowing that code to escape from IE's "Protected Mode," the browser's limited-rights anti-exploit system. They managed to bypass the browser's DEP and ASLR protection with a 0-day heap overflow vulnerability, and then used a separate memory corruption bug to break out of its Protected Mode, which is effectively a sandbox. According to VUPEN founder Chaouki Bekrar, these particular flows have existed in previous incarnations of the browser - all the way back to IE 6 - and will very likely work on the upcoming IE 10.
Then the turn of Firefox came. Mozilla’s Firefox is the latest browser to fall victim to hackers at this year’s Pwn2Own hacker contest. Two researchers working together – Willem Pinckaers and Vincenzo Iozzo — exploited a single zero-day vulnerability in the latest Firefox 10.0.2 on a fully patched Windows 7 SP1 PC to cart off a $30,000 cash prize.
Sergey Glazunov, A Security Researcher Earn $60,000 At Pwnium After Google Chrome Hack
Sergey Glazunov, a Russian security researcher has earned $60,000 by demonstrating how he could waltz past the security sandbox in Google's Chrome browser to run unauthorized code on fully-patched Windows 7 computers. Glazunov discovered a remote code execution vulnerability in Chrome, that could be used by malicious hackers and cyber criminals to install and run code on innocent users' computers, just by them visiting a website. Glazunov, who is no stranger to reporting bugs in Chrome, won his substantial reward as part of the Pwnium competition run by Google at the CanSecWest conference in downtown Vancouver.
Senior Vice President of Google Chrome and Apps, Sundar Pichai, confirmed the successful hack on his Google+ page. Now that the hack is known throughout the developer world, Pichai understandably said, “Congrats to long-time Chromium contributor Sergey Glazunov who just submitted our first Pwnium entry. Looks like it qualifies as a “Full Chrome” exploit, qualifying for a $60k reward. We’re working fast on a fix that we’ll push via auto-update. This is exciting; we launched Pwnium this year to encourage the security community to submit exploits for us to help make the web safer. We look forward to any additional submissions to make Chrome even stronger for our users.”
Google Offers $1 Million For Hackers To Exploit Chrome (Pwnium: Rewards For Exploits)
The search giant Google is offering a huge amount (total $1 million) of reward for those who will successfully hack the Google Chrome browser at the Pwn2Own Hacker Contest taking place next week (7 March, 2012). Google will reward those successful contestants at Pwn2Own with prices of $60,000, $40,000 and $20,000 – depending on the severity of the exploits that are demonstrated on a Windows 7 machine running the browser. The Prizes will be awarded on a first-come-first-serve basis, until the entire $1 million has been claimed.
Chrome is currently the only web browser eligible for entry into Pwn2Own that has never been successfully hacked. Contestants often note the difficulty of bypassing Google’s security sandbox as a reason for this. “While we’re proud of Chrome’s leading track record in past competitions, the fact is that not receiving exploits means that it’s harder to learn and improve,” said Chris Evans and Justin Schuh, members of the Google Chrome security team. “To maximize our chances of receiving exploits this year, we’ve upped the ante. We will directly sponsor up to $1 million worth of rewards.”
Additional information can be found on the Chromium official blog.
Yet another Zero day vulnerability found in Adobe Flash Player. Earlier hackers found zero-day exploit in flash player which can allow an attacker to hack you web-cam remotely later Adobe patched that. Before releasing Flash Player 11 Adobe issued new privacy policy and security update but now it seems that those are of zero use. 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.
Affected Version:-
Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems
Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x
Later Adobe confirmed that and immediately released a patch to close the security hole. Through this security release Adobe also resolves a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability (CVE-2012-0767) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message (Internet Explorer on Windows only). Google's Chrome Web browser, which directly integrates Flash into its software (unlike competing browsers) also received an update to reflect Adobe's patch update.
Recommendation From Adobe:-
Adobe recommends users of Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 11.1.102.62. Users of Adobe Flash Player 11.1.112.61 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.6. Users of Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.6. For further details click here.
Earlier in 2011 another Flash Player bug found in Blackberry OS & later fixed by the developer and also last year adobe closes serious security hole in Acrobat 9X & Adobe Reader.
