Pwn2Own 2013 Result: Chrome, Firefox, IE, Adobe Reader, Flash & Java Owned

Pwn2Own 2013 Result: Chrome, Firefox, IE, Adobe Reader, Flash & Java Owned Only Safari Survived 

Couple of months ago we have talked about 'Pwn2Own 2013' hacking contest sponsored by HP TippingPoint, ZDI and Google where the most famous and widely used browsers have to face challenges. Now the result of this long awaited security competition has came which is showing that the entire browser security landscape can change in a single day, as browsers thought to be secure are proven to be otherwise. Of the Big Four browsers, only Apple's Safari has so far survived the onslaught of the browser-breakers where Chrome, Internet Explorer 10 and Firefox all fell to the mercy of the hackers. Not only browsers but also three other popular applications that is Adobe Reader, Flash Player and yet again Java fallen victim to hackers at 'Pwn2Own'. And for Java it was a true disaster as Java fell three times, though under the contest rules, only the first attacker was due to win the $20,000 prize. Vupen, a renowned security research firm based in France, cracked both Firefox and Internet Explorer. It roughly explained the attack in a tweet, “We’ve pwned Firefox using a use-after-free and a brand new technique to bypass ASLR/DEP on Win7 without the need of any ROP.” This bug hint leads them winning $100,000 for finding a huge hole. Again in a tweet, Security firm Vupen explained “We’ve pwned MS Surface Pro with two IE10 zero-days to achieve a full Windows 8 compromise with sandbox bypass.” Lastly, U.K.-based security firm MWR Labs cracked Chrome and also gained full control of the operating system, this time Windows 7. It also “demonstrated a full sandbox bypass exploit.” The company explained in a blog post that it found a zero-day in Chrome “running on a modern Windows-based laptop.” It was able to exploit the vulnerability by performing a very similar attack to what took down Facebook, Microsoft, and a number of other well-known companies: It had the laptop visit a malicious website. 

Now lets take look at the final score board of Pwn2Own 2013:

Wednesday:
1:30 - Java (James Forshaw) PWNED
2:30 - Java (Joshua Drake) PWNED
3:30 - IE 10 (VUPEN Security) PWNED
4:30 - Chrome (Nils & Jon) PWNED
5:30 - Firefox (VUPEN Security) PWNED
5:31 - Java (VUPEN Security) PWNED

Thursday:
12pm - Flash (VUPEN Security) PWNED
1pm - Adobe Reader (George Hotz) PWNED
2pm - Java (Ben Murphy via proxy) PWNED

The total damage to the prize fund comes out at a whopping $480k. With HP's announcement that everyone will get paid for each attack, the prize monies will be divvied up as follows:-

1. James Forshaw: Java = $20K
2. Joshua Drake: Java = $20k
3. VUPEN Security: IE10 + Firefox + Java + Flash = $250k
4. Nils & Jon: Chrome = $100k
5. George Hotz: Adobe Reader = $70k
6. Ben Murphy: Java = $20k

As you all know that the main motive of these contest is to make applications, software more safe and secure while figuring out hidden vulnerabilities  Here also for Pwn2Own the security holes figured out by the above experts have already been submitted and taken carefully by those organization  along with that, the expected patch for the browsers have already been released. Those who are still using the older version of those above applications are requested to update their system. So, stay tuned with VOGH and be safe on the Internet. 

-Source (HP, Naked Security) 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Pwn2Own 2013 Result: Chrome, Firefox, IE, Adobe Reader, Flash & Java Owned"https://www.voiceofgreyhat.com/2013/03/Pwn2Own-2013-Result.html</a>

Pwn2Own 2013 -Hack Major Browser, Adobe Reader, Flash or Java & Earn in Million Dollars

Pwn2Own 2013 -Hack Major Web-browser, Adobe Reader, Flash or Java & Earn in Million Dollars 

Since the last two years the Pwn2Own hacker contest has become an important fixture in the world of testing the security of software applications, operating systems and hardware devices. In last two years we have seen several hackers, security professionals have expressed their enthusiasm and joined Pwn2Own where four major and widely browser's security get compromised, in order to make applications, software more safe and secure. Last year we have reported how different hackers across the globe taken part in Pwn2Own and successfully hacked Google Chrome, IE & Firefox, and earned millions of dollars. But the contest of this year has some more twist than before as, HP TippingPoint and Google, sponsor of Pwn2Own, has made clear that it is expanding the focus of the competition beyond browsers. Also, Pwn2own 2013 will include $560,000 in prize money for demonstrations of exploits in the major web browsers, Adobe Reader, Adobe Flash or Oracle Java. 

Contest Dates:-

The contest will take place the 6th, 7th, and 8th of March in Vancouver, British Columbia during the CanSecWest 2013 conference. DVLabs blog post will be updated as the contest plays out and get real-time updates by following either @thezdi or @Pwn2Own_Contest on Twitter or search for the hash tag #pwn2own.

Rules & Prizes:-

HP ZDI is offering more than half a million dollars (USD) in cash and prizes during the competition for vulnerabilities and exploitation techniques in the below categories. The first contestant to successfully compromise a selected target will win the prizes for the category.

• Web Browser
• Google Chrome on Windows 7 ($100,000)
• Microsoft Internet Explorer, either
• IE 10 on Windows 8 ($100,000), or
• IE 9 on Windows 7 ($75,000)
• Mozilla Firefox on Windows 7 ($60,000)
• Apple Safari on OS X Mountain Lion ($65,000)
• Web Browser Plug-ins using Internet Explorer 9 on Windows 7
• Adobe Reader XI ($70,000)
• Adobe Flash ($70,000)
• Oracle Java ($20,000)

The targets will be running on the latest, fully patched version of the Windows 7, 8, and OS X Mountain Lion. All targets will be installed in their default configurations, as this is how a majority of users will have them configured. As always, the vulnerabilities utilized in the attack must be unknown and not previously reported to the vendor. If a sandbox is present, a full sandbox escape is required to win. A given vulnerability may only be used once across all categories.

Upon successful demonstration of the exploit, the contestant will provide HP ZDI a fully functioning exploit and all the details of the vulnerability used in the attack. In the case that multiple vulnerabilities were exploited to gain code execution, details about all the vulnerabilities (memory corruption, infoleaks, escalations, etc.) leveraged and the sequence in which they are used must be provided to receive the prize money. The initial vulnerability utilized in the attack must be in the registered category.

Along with prize money, the contestant will receive the compromised laptop and 20,000 ZDI reward points* which immediately qualifies them for Silver standing. 

Full contest rules can be found at http://dvlabs.tippingpoint.com/Pwn2OwnContestRules.html, and may be changed at any time without notice.

Registration:-

Contestants are asked to pre-register by contacting ZDI via e-mail at zdi@hp.com. This will allow the organizer to ensure that they have the necessary resources in place to facilitate the attack. If more than one contestant registers for a given category, the order of the contestants will be drawn at random.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Pwn2Own 2013 -Hack Major Browser, Adobe Reader, Flash or Java & Earn in Million Dollars"https://www.voiceofgreyhat.com/2013/01/Pwn2Own-2013-Hack-and-Earn-in-Million.html</a>

Chrome 23 Closes 15 Security Vulnerabilities, Promises Longer Battery Life & Added Do Not Track (DNT)

Chrome 23 Closes 15 Security Vulnerabilities, Promises Longer Battery Life & Added Do Not Track (DNT)

The searching giant Google finally included the Do Not Track (DNT) option into its first stable version of the company's browser which is Google Chrome 23. In February internet giant Google has agreed with the White House's Consumer Privacy Bill and here comes the result. Google has implemented the Do Not Track (DNT) header in its Chrome web browser.  Few months ago Microsoft made Do Not Track (DNT) facility available by default in Internet Explorer 10. Also the Redmond based software giant drew some criticism recently for its decision to enable Do Not Track by default in IE 10. First it was Mozilla who proposed the Do Not Track mechanism, in Firefox in June 2011 when it released Firefox 5. The DNT option is disabled by default in Chrome and in order to turn it on, users need to go to the customization menu in the top right corner of the browser window. Then click on the Settings option in the left side and scroll down to open the Advanced Settings menu. Under the Privacy menu, check the box next to the "Send a 'Do Not Track' request with your browsing traffic" option. Once that option is enabled, the user will see a message explaining what the DNT system will do for them.

Not only DNT, with the release of Chrome 23, Google closes several security holes and promises to improve battery life for some users. For systems with dedicated graphics chips that support Chrome's GPU-accelerated video decoding, version 23 of the WebKit-based browser is said to significantly reduce power consumption. According to Google, batteries lasted on average 25% longer in its tests when GPU-accelerated video decoding was enabled compared to only using a system's CPU when streaming online videos. Version 23 of Chrome also addresses a total of 15 security vulnerabilities in the browser, 6 of which are rated as "high severity". These include high-risk use-after-free problems in video layout and in SVG filter handling, a integer bounds check issue in GPU command buffers and a memory corruption flaw in texture handling; a Mac-only problem related to wild writes in buggy graphics drivers has also been fixed. Eight medium-severity flaws including an integer overflow that could lead to an out-of-bounds read in WebP handling, and a low-risk have also been corrected. As part of its Chromium Security Vulnerability Rewards program, Google paid security researchers $9,000 for discovering and reporting these flaws. The update to Chrome also includes a new version of the Adobe Flash Player plugin which eliminates a number of critical vulnerabilities, all of which were discovered by the Google Security Team. Further information about the new features can be found in the release announcement, while a full list of security fixes is provided in a post on the Chrome Releases blog. Chrome 23.0.1271.64 is available to download for Windows, Mac OS X and Linux users. 

-Source (Google Chrome Blog, The-H & threatpost)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Chrome 23 Closes 15 Security Vulnerabilities, Promises Longer Battery Life & Added Do Not Track (DNT)"https://www.voiceofgreyhat.com/2012/11/Chrome23-With-Longer-Battery-Life-Do-Not-Track.html</a>

Adobe Patches Multiple Security Holes in Adobe Flash Player & AIR (CVE-2012-5274 to 5280)

Critical Buffer Overflow, Memory Corruption & Security bypass Vulnerability in Adobe Flash Player & AIR Patched

Adobe- American multinational computer software company has released new versions of its Flash Player to eliminate a number of critical vulnerabilities  in Flash Player that could lead to system crashes or remote attackers controlling computers running compromised software. All the flaws were discovered by members of the Google Security Team are associated with several CVE numbers; CVE-2012-5274, CVE-2012-5275, CVE-2012-5276, CVE-2012-5277, CVE-2012-5280 are buffer overflows, CVE-2012-5279 is a memory corruption issue and CVE-2012-5278 is a security bypass; all of which are listed as potentially allowing an attacker to inject malicious code into the system. Google said it will update Flash Player installed with Google Chrome, and Microsoft will do the same with Internet Explorer 10. In the security bulletin Adobe said that it has released security updates for Adobe Flash Player 11.4.402.287 and earlier versions for Windows and Macintosh, Adobe Flash Player 11.2.202.243 and earlier versions for Linux, Adobe Flash Player 11.1.115.20 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.19 and earlier versions for Android 3.x and 2.x. These updates address vulnerabilities that could cause a crash and potentially allow an attacker to take control of the affected system. 

Adobe recommends users update their product installations to the latest versions:-

• Users of Adobe Flash Player 11.4.402.287 and earlier versions for Windows and Macintosh should update to Adobe Flash Player 11.5.502.110.
• Users of Adobe Flash Player 11.2.202.243 and earlier versions for Linux should update to Adobe Flash Player 11.2.202.251.
• Flash Player installed with Google Chrome will automatically be updated to the latest Google Chrome version, which will include Adobe Flash Player 11.5.31.2 for Windows, Macintosh and Linux.
• Flash Player installed with Internet Explorer 10 will automatically be updated to the latest Internet Explorer 10 version, which will include Adobe Flash Player 11.3.376.12 for Windows.
• Users of Adobe Flash Player 11.1.115.20 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.27.
• Users of Adobe Flash Player 11.1.111.19 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.24.
• Users of Adobe AIR 3.4.0.2710 and earlier versions for Windows and Macintosh, SDK (including AIR for iOS) and Android should update to Adobe AIR 3.5.0.600.

AFFECTED SOFTWARE VERSIONS:- 

• Adobe Flash Player 11.4.402.287 and earlier versions for Windows and Macintosh
• Adobe Flash Player 11.2.202.243 and earlier versions for Linux
• Adobe Flash Player 11.1.115.20 and earlier versions for Android 4.x
• Adobe Flash Player 11.1.111.19 and earlier versions for Android 3.x and 2.x
• Adobe AIR 3.4.0.2710 and earlier versions for Windows and Macintosh, SDK (includes AIR for iOS) and Android

To verify the version of Adobe Flash Player installed on your system, access the About Flash Player page, or right-click on content running in Flash Player and select "About Adobe (or Macromedia) Flash Player" from the menu. If you use multiple browsers, perform the check for each browser you have installed on your system. To verify the version of Adobe Flash Player for Android, go to Settings > Applications > Manage Applications > Adobe Flash Player x.x.  To verify the version of Adobe AIR installed on your system, follow the instructions in the Adobe AIR TechNote. Adobe also recommended its Adobe AIR users to update  to 3.5.0.600.
While talking about security patches in Adobe product, we want to give to reminder that just couple of weeks ago Adobe also plugged buffer overflow vulnerability in its Shockwave Player. Also in late September, Adobe disclosed that it had been attacked and hackers were using a valid Adobe certificate to sign two malicious utilities used most often in targeted attacks. Adobe revoked the certificate Oct. 4.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Adobe Patches Multiple Security Holes in Adobe Flash Player & AIR (CVE-2012-5274 to 5280)"https://www.voiceofgreyhat.com/2012/11/Adobe-Patches-Security-Holes-in-Flash-Player-AIR.html</a>

Pwnium 2: Teenage Hacker Pinkie Pie Exploited Google Chrome & Earned $60,000

Pwnium 2: Teenage Hacker Pinkie Pie Exploited Google Chrome & Earned $60,000

One of world's most popular web-browser Google Chrome has fallen victim at Pwnium 2 security contest which took place earlier on 10th October, at the Hack In The Box conference in Kuala Lumpur, Malaysia. A teenage hacker who goes by the pseudonym "Pinkie Pie" was successfully able to "fully exploit" Chrome, escaping the sandbox using only bugs within Chrome. The hack was done on a fully patched 64-bit Windows 7 system running the latest stable branch of Chrome. For his work, Pinkie Pie will receive the top prize of $60,000 from Google. 

This isn't the first time that "Pinkie Pie", also the name of a "My Little Pony - Friendship is Magic" character, has won money for exploiting Chrome. In March of this year, he was rewarded for vulnerabilities he used at Google's Pwnium contest, which took place during the Pwn2Own competition at CanSecWest, to break out of the browser's sandbox and execute code. In order to get his code to execute on the test system at the time, he had to combine a total of six vulnerabilities; the holes were later closed with the release of Chrome 18. Along with security specialist Sergey Glazunov, Pinkie Pie also won this year's Pwnie Award for the Best Client-Side Bug. What ever the full results of the Pwnium 2 competition will be announced during a talk by Google Software Engineer Chris Evans today that means, 11th October.

We also like to give you reminder that earlier in this year Google had increased vulnerability bounties in Anniversary of Vulnerability Reward Programbe. Also PayPal, Facebook & many other has already started this paid bug bounty program. These bug bounty programs & such security contest indeed enhancing the security. 

-Source (The-H & SC Magazine)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Pwnium 2: Teenage Hacker Pinkie Pie Exploited Google Chrome & Earned $60,000"https://www.voiceofgreyhat.com/2012/10/Pwnium2-Pinkie-Pie-Exploited-Google-Chrome.html</a>

Researcher Figure-out Yet Another Java Hole That Puts 1 Billion Users at Risk

Researcher Figure-out Yet Another Java Hole That Puts 1 Billion Users at Risk

Just as Oracle is ramping up for the September 30 start of JavaOne 2012 in San Francisco yet again another critical Java vulnerability has been spotted in the wild.  The Polish security researcher Adam Gowdiak has found another vulnerability in Java that could allow an attacker to bypass the sandbox. This newly discovered security hole has effected all latest versions of Oracle Java SE software. According to Security Explorations researcher Adam Gowdiak, who sent the email to the Full Disclosure Seclist, this Java exploit affects “one billion users of Oracle Java SE software.” So far the researcher were able to successfully exploit the vulnerability and achieve a complete Java security sandbox bypass 

in the environment of Java SE 5, 6 and 7. Researcher could only claim such an impact with reference to Java 7 environment (the 

Apple QuickTime attack relying on Issues 15 and 22 is the only exception here). 

The following Java SE versions were verified to be vulnerable:

• Java SE 5 Update 22 (build 1.5.0_22-b03)
• Java SE 6 Update 35 (build 1.6.0_35-b10)
• Java SE 7 Update 7  (build 1.7.0_07-b10)

All tests were successfully conducted in the environment of a fully patched Windows 7 32-bit system and with the following web browser applications:

• Firefox 15.0.1
• Google Chrome 21.0.1180.89
• Internet Explorer 9.0.8112.16421 (update 9.0.10)
• Opera 12.02 (build 1578)
• Safari 5.1.7 (7534.57.2)

So far there are no reports that the vulnerability is being exploited for attacks. Oracle has not said whether or when it will close the vulnerability. Here we want to remind the very recent history, when several zero day vulnerability was found in all the version of java, which was added on BlackHole Exploit kit. Later Oracle released a patch to close the security hole. 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Researcher Figure-out Yet Another Java Hole That Puts 1 Billion Users at Risk"https://www.voiceofgreyhat.com/2012/09/Researcher-Figureout-Yet-Another-Java-Hole.html</a>

Google Added Do Not Track (DNT) Facility in Chrome (User Privacy Implemented)

Google Added Do Not Track (DNT) Facility in Chrome Web-Browser (User Privacy Implemented)

Few months ago Microsoft made Do Not Track (DNT) facility available by default in Internet Explorer 10. So here comes the turn for Chrome. In February internet giant Google has agreed with the White House's Consumer Privacy Bill and here comes the result. Google has implemented the Do Not Track (DNT) header in its Chrome web browser, while promising to respect DNT headers set by visitors to its web site. 

First it was Mozilla who proposed the Do Not Track mechanism, later it has been garnered support from all major browser makers and a majority of the technology industry. 

Users who want to take advantage of the new DNT capabilities in Chrome will have to install the latest "bleeding edge" developer build in the form of the Chrome Canary branch. However, this version is not recommended for use in production environments. Users who are running a stable version of the browser will have to wait some months for the feature to arrive in the mainstream version.

"Do Not Track" is a tool that allows browser users to restrict advertisers from collecting information about their online Web activities. It has the backing of the U.S. Federal Trade Commission. Browsers with "Do Not Track" turned on don't block cookies but send a message to advertisers that the user does not want to be tracked. Companies voluntarily decide whether to comply with "Do Not Track," much as they currently decide whether to comply with the "Do Not Call" registry. Microsoft's announcement that it would turn on "Do Not Track" by default in IE10 angered advertisers. "The Digital Advertising Alliance, a coalition that counts Microsoft as a member, said that the decision ran counter to the industry's agreement with the White House announced earlier this year to honor 'do not track' as long as it is not a default setting," many international standards bodies.

-Source (The-H)

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Google Added Do Not Track (DNT) Facility in Chrome (User Privacy Implemented)"https://www.voiceofgreyhat.com/2012/09/Google-Added-Do-Not-Track-DNT-Facility-in-Chrome.html</a>

Google Announced 'Pwnium 2' & Increased Prize Money $2m To Exploit Chrome

Google Announced 'Pwnium 2' & Increased Prize Money $2m To Exploit Chrome

Few days ago we got the result of Microsoft hosted Blue Hat Security contest, where Microsoft awarded a bunch of hackers and gave away an amount of  $260,000. Immediately after this event, Internet giant Google   has upped the ante in its industry-leading cash-for-security-bugs program with hefty bonuses and a hacking contest that will award up to $2 million worth of prizes to people who successfully exploit its Chrome browser. In the official Chromium blog, Google has announced the plan for Pwnium 2. According to a blog post by Chris Evans, Software Engineer at Google- Pwnium 2 will be held on Oct 10th, 2012 at the Hack In The Box 10 year anniversary conference in Kuala Lumpur, Malaysia.

This time, Google be sponsoring up to $2 million worth of rewards at the following reward levels:

• $60,000: “Full Chrome exploit”: Chrome / Win7 local OS user account persistence using only bugs in Chrome itself. 
• $50,000: “Partial Chrome exploit”: Chrome / Win7 local OS user account persistence using at least one bug in Chrome itself, plus other bugs. For example, a WebKit bug combined with a Windows kernel bug. 
• $40,000: “Non-Chrome exploit”: Flash / Windows / other. Chrome / Win7 local OS user account persistence that does not use bugs in Chrome. For example, bugs in one or more of Flash, Windows or a driver. 
• $Panel decision: “Incomplete exploit”: An exploit that is not reliable, or an incomplete exploit chain. For example, code execution inside the sandbox but no sandbox escape; or a working sandbox escape in isolation. For Pwnium 2, we want to reward people who get “part way” as we could definitely learn from this work. Our rewards panel will judge any such works as generously as we can. 

Exploits should be demonstrated against the latest stable version of Chrome. Chrome and the underlying operating system and drivers will be fully patched and running on an Acer Aspire V5-571-6869 laptop (which we’ll be giving away to the best entry.) Exploits should be served from a password-authenticated and HTTPS Google property, such as App Engine. The bugs used must be novel i.e. not known to us or fixed on trunk. Please document the exploit. 

We also like to give you reminder that earlier in this year Google had increased vulnerability bounties in Anniversary of Vulnerability Reward Programbe. Also PayPal, Facebook & many other has already started this paid bug bounty program.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Google Announced 'Pwnium 2' & Increased Prize Money $2m To Exploit Chrome"https://www.voiceofgreyhat.com/2012/08/Google-Announced-Pwnium2-Increased-Priz-Money.html</a>

Adobe Plugged Newly Found Zero-day Hole In Flash Player

Adobe Plugged Newly Found Zero-day Hole In Flash Player

Adobe warned that hackers are exploiting a critical vulnerability in its popular Flash Player program, and issued an emergency update to patch the bug. The vulnerability allows an attacker to crash the player or take control of an affected system. Adobe says that there are reports of this vulnerability being exploited in the wild as part of targeted email-based attacks which trick the user into clicking on a malicious file. Adobe released security updates for Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh and Linux, Adobe Flash Player 11.1.115.7 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and 2.x. These updates address an object confusion vulnerability (CVE-2012-0779) that could cause the application to crash and potentially allow an attacker to take control of the affected system.
There are reports that the vulnerability is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious file delivered in an email message. The exploit targets Flash Player on Internet Explorer for Windows only. 

Affected Software Version :- 

• Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh and Linux operating systems
• Adobe Flash Player 11.1.115.7 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and 2.x

Adobe recommends users of Adobe Flash Player 11.2.202.233 and earlier versions for Windows, Macintosh and Linux update to Adobe Flash Player 11.2.202.235. Flash Player installed with Google Chrome was updated automatically, so no user action is required. Users of Adobe Flash Player 11.1.115.7 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.8. Users of Adobe Flash Player 11.1.111.8 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.9. For detailed information and to see the security bulletin of Adobe click here.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Adobe Plugged Newly Found Zero-day Hole In Flash Player"https://www.voiceofgreyhat.com/2012/05/adobe-plugged-newly-found-zero-day-hole.html</a>

Mozilla Put Older & Vulnerable Versions of Java Into Firefox Blocklist

Mozilla Put Older & Vulnerable Versions of Java Into Firefox Blocklist

In the official blog post Mozilla confirmed that they have blacklisted unpatched versions of the Java plug-in from Firefox on Windows in order to protect its users from attacks that exploit known vulnerabilities in those versions. "The February 2012 update to the Java Development Kit (JDK) and Java Runtime Environment (JRE) included a patch to correct a critical vulnerability that can permit the loading of arbitrary code on an end-user’s computer. This vulnerability—present in the older versions of the JDK and JRE—is actively being exploited, and is a potential risk to users. To mitigate this risk, we have added affected versions of the Java plugin for Windows (Version 6 Update 30 and below as well as Version 7 Update 2 and below) to Firefox’s blocklist. A blocklist entry for the Java plugin on OS X may be added at a future date. Mozilla strongly encourages anyone who requires the JDK and JRE to update to the current version as soon as possible on all platforms. Affected versions of the Java plugin will be disabled unless a user makes an explicit choice to keep it enabled at the time they are notified of the block being applied."- Said Mozilla
Unlike Google's Chrome browser, which has a feature specifically aimed at disabling outdated plug-ins, Firefox relies on Mozilla developers deciding which plug-ins pose a risk to users. However, users retain the choice of preventing those plug-ins from being disabled. The Firefox blocklist has rarely been used to disable plug-ins from big software vendors like Oracle, but precedents do exist. In October 2009, Mozilla decided to add Microsoft's Windows Presentation Foundation (WPF) plug-in to the Firefox blocklist after Microsoft revealed that it had a vulnerability.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Mozilla Put Older & Vulnerable Versions of Java Into Firefox Blocklist"https://www.voiceofgreyhat.com/2012/04/mozilla-put-older-vulnerable-versions.html</a>

Internet Explorer & Firefox Also Became Victim To Hackers At Pwn2Own

Internet Explorer (IE 9) & Firefox 10.0.2 Also Became Victim To Hackers At Pwn2Own

At Pwn2Own contest the web-browsers are getting hacked in a series. First it was the turn of Google Chrome where Sergey Glazunov, a Russian security researcher has earned $60,000 by demonstrating how he could waltz past the security sandbox in Google's Chrome browser to run unauthorized code on fully-patched Windows 7 computers. Then the time came for Microsoft's Internet Explorer. A team from a French security firm managed to hack IE 9 on a fully patched Windows 7 SP1 machine. The group from Paris-based Vupen Security brought down IE9 running on Windows 7 by exploiting a pair of previously-unknown "zero-day" bugs that bypassed the operating system's defensive technologies to execute attack code, allowing that code to escape from IE's "Protected Mode," the browser's limited-rights anti-exploit system. They managed to bypass the browser's DEP and ASLR protection with a 0-day heap overflow vulnerability, and then used a separate memory corruption bug to break out of its Protected Mode, which is effectively a sandbox. According to VUPEN founder Chaouki Bekrar, these particular flows have existed in previous incarnations of the browser - all the way back to IE 6 - and will very likely work on the upcoming IE 10.

Then the turn of Firefox came. Mozilla’s Firefox is the latest browser to fall victim to hackers at this year’s Pwn2Own hacker contest. Two researchers working together – Willem Pinckaers and Vincenzo Iozzo — exploited a single zero-day vulnerability in the latest Firefox 10.0.2 on a fully patched Windows 7 SP1 PC to cart off a $30,000 cash prize.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Internet Explorer & Firefox Also Became Victim To Hackers At Pwn2Own"https://www.voiceofgreyhat.com/2012/03/internet-explorer-firefox-also-became.html</a>

After Google Chrome Hack Sergey Glazunov Earnd $60,000 At Pwnium Contest

Sergey Glazunov, A Security Researcher Earn $60,000 At Pwnium After Google Chrome Hack

Sergey Glazunov, a Russian security researcher has earned $60,000 by demonstrating how he could waltz past the security sandbox in Google's Chrome browser to run unauthorized code on fully-patched Windows 7 computers. Glazunov discovered a remote code execution vulnerability in Chrome, that could be used by malicious hackers and cyber criminals to install and run code on innocent users' computers, just by them visiting a website. Glazunov, who is no stranger to reporting bugs in Chrome, won his substantial reward as part of the Pwnium competition run by Google at the CanSecWest conference in downtown Vancouver.
Senior Vice President of Google Chrome and Apps, Sundar Pichai, confirmed the successful hack on his Google+ page. Now that the hack is known throughout the developer world, Pichai understandably said, “Congrats to long-time Chromium contributor Sergey Glazunov who just submitted our first Pwnium entry. Looks like it qualifies as a “Full Chrome” exploit, qualifying for a $60k reward. We’re working fast on a fix that we’ll push via auto-update. This is exciting; we launched Pwnium this year to encourage the security community to submit exploits for us to help make the web safer. We look forward to any additional submissions to make Chrome even stronger for our users.”

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">After Google Chrome Hack Sergey Glazunov Earnd $60,000 At Pwnium Contest"https://www.voiceofgreyhat.com/2012/03/after-google-chrome-hack-sergey.html</a>

Google Offers $1 Million For Hackers To Exploit Chrome (Pwnium: Rewards For Exploits)

Google Offers $1 Million For Hackers To Exploit Chrome (Pwnium: Rewards For Exploits)

The search giant Google is offering a huge amount (total $1 million) of reward for those who will successfully hack the Google Chrome browser at the Pwn2Own Hacker Contest taking place next week (7 March, 2012). Google will reward those successful contestants at Pwn2Own with prices of $60,000, $40,000 and $20,000 – depending on the severity of the exploits that are demonstrated on a Windows 7 machine running the browser. The Prizes will be awarded on a first-come-first-serve basis, until the entire $1 million has been claimed.

Chrome is currently the only web browser eligible for entry into Pwn2Own that has never been successfully hacked. Contestants often note the difficulty of bypassing Google’s security sandbox as a reason for this. “While we’re proud of Chrome’s leading track record in past competitions, the fact is that not receiving exploits means that it’s harder to learn and improve,” said Chris Evans and Justin Schuh, members of the Google Chrome security team. “To maximize our chances of receiving exploits this year, we’ve upped the ante. We will directly sponsor up to $1 million worth of rewards.”

Additional information can be found on the Chromium official blog.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Google Offers $1 Million For Hackers To Exploit Chrome (Pwnium: Rewards For Exploits)"https://www.voiceofgreyhat.com/2012/02/google-offers-1-million-for-hackers-to.html</a>

Zero-Day Vulnerability In Flash Patched By Adobe

Zero-Day Vulnerability In Flash Patched By Adobe 

Yet another Zero day vulnerability found in Adobe Flash Player. Earlier hackers found zero-day exploit in flash player which can allow an attacker to hack you web-cam remotely later Adobe patched that. Before releasing Flash Player 11 Adobe issued new privacy policy and security update but now it seems that those are of zero use. 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x. These vulnerabilities could cause a crash and potentially allow an attacker to take control of the affected system.

Affected Version:- 

• Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems

• Adobe Flash Player 11.1.112.61 and earlier versions for Android 4.x, and Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and 2.x

Later Adobe confirmed that and immediately released a patch to close the security hole. Through this security release Adobe also resolves a universal cross-site scripting vulnerability that could be used to take actions on a user's behalf on any website or webmail provider, if the user visits a malicious website. There are reports that this vulnerability (CVE-2012-0767) is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message (Internet Explorer on Windows only). Google's Chrome Web browser, which directly integrates Flash into its software (unlike competing browsers) also received an update to reflect Adobe's patch update. 

Recommendation From Adobe:-

Adobe recommends users of Adobe Flash Player 11.1.102.55 and earlier versions for Windows, Macintosh, Linux and Solaris update to Adobe Flash Player 11.1.102.62. Users of Adobe Flash Player 11.1.112.61 and earlier versions on Android 4.x devices should update to Adobe Flash Player 11.1.115.6. Users of Adobe Flash Player 11.1.111.5 and earlier versions for Android 3.x and earlier versions should update to Flash Player 11.1.111.6. For further details click here.

Earlier in 2011 another Flash Player bug found in Blackberry OS & later fixed by the developer and also last year adobe closes serious security hole in Acrobat 9X & Adobe Reader.

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Zero-Day Vulnerability In Flash Patched By Adobe"https://www.voiceofgreyhat.com/2012/02/zero-day-vulnerability-in-flash-patched.html</a>

Opera 11.60 Codenamed "Tunny" Released & Major Security Holes Fixed

Opera 11.60 Final Version code named "Tunny" has been released by Opera Software. Opera 11.60 boasts three major new features, including revamped Address Bar, browser engine and mail client. Opera, which runs on Windows, Mac and Linux, has long been regarded as a pioneer when it comes to the web browser -- it was the first to introduce tabbed browsing, for example, and is still the only major browser to also include a mail client.

The Address Bar has been revamped to provide an experience similar to rival browsers such as Google Chrome and Mozilla Firefox in providing helpful suggestions as the user starts typing into the Address field. Version 11.60 also introduces a new shortcut, courtesy of a clickable star, to the Address Bar that makes it quick and easy to add the current web page to your Speed Dial or bookmarks menu.

Opera 11.60′s most visible new features are in the mail client’s extensive redesign, which Opera claims brings it in line with the browser’s "featherweight design aesthetic" The layout is cleaner, and messages are now grouped together by date, with options for grouping them by unread or pinned status, or not at all. Messages can also be pinned via a single click, with the pinning mapped to the IMAP \Flagged feature, ensuring compatibility with other IMAP clients, including Gmail’s Starred message status. The Mail toolbars have been simplified and redesigned icons coupled with easier access to the settings dialog (click the new Wrench button) provide weight to Opera’s claim that this makes the client easier to navigate and more intuitive to use. 

In this release opera updated addresses a vulnerability affecting some two- and three-letter top-level domains (TLD) that could allow cookies to be set for the TLD itself; these cookies could then be read by other sites using that TLD. A problem related to a weakness in the SSL v3.0 and TLS 1.0 specifications which could be used for eavesdropping attacks against some applications, and a cross-domain information leakage problem in the JavaScript "in" operator, have also been fixed.

In addition to the security fixes, Opera 11.60 has a new HTML engine that should, according to its developers, improve loading time for a majority of web sites, including pages using Secure Sockets Layer (SSL) encryption technology. Other changes include a completely revamped built-in mail client (M2) that's said to be easier to setup and use, and improvements to the address (URL) field to allow users to quickly add their favourite sites to the browser's Speed Dial.

To Download Opera 11.60 For Windows, Linux, Mac, BSD & Solaris Click Here

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Opera 11.60 Codenamed "Tunny" Released & Major Security Holes Fixed"https://www.voiceofgreyhat.com/2011/12/opera-1160-codenamed-tunny-released.html</a>

Google Chrome Security Hole 15 Patched

Vulnerability found in the last release of one of the most popular web-browser Google Chrome 15.0.874.121. The vulnerability contains to address a high-risk out-of-bounds write vulnerability in the V8 JavaScript engine. As part of its Chromium Security Rewards programme, Google paid security researcher Christian Holler $1,000 for discovering and reporting the hole. Additional details of the vulnerability are being withheld until "a majority of users are up-to-date with the fix". The maintenance and security update to the WebKit-based browser also upgrades the V8 engine to version 3.5.10.24 and fixes a regression related to SVG in iframes.

To Download Google Chrome For Linux, Windows & Mac Click 

Here

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Google Chrome Security Hole 15 Patched"https://www.voiceofgreyhat.com/2011/11/google-chrome-security-hole-15-patched.html</a>

Chrome 16 Beta With Sync Capabilities

Google chrome beta 16 arrives with adds support for syncing multiple accounts and lots of new features also the web-store get updated. chrome 16 is mainly based on WebKit-based browser's Beta channel. The new beta, version 16.0.912.21, expands Chrome's sync capabilities by adding support for syncing multiple browser profiles.
With Chrome 16, additional users can now sign into a shared computer and access their own data, such as bookmarks, apps and extensions, to personalise their experience. The feature can be found under Options (Preferences on Mac) > Personal Stuff > "Add new user". Once a new user has been added, a "fresh instance" of the browser will open with all of that user's data, and a badge in the upper left corner will show which account is currently in use. Users can switch between accounts by clicking on the badge.
Google Software Engineer Miranda Callahan points out that the new feature "isn't intended to secure your data against other people using your computer, since all it takes is a couple of clicks to switch between users", noting that users are advised to "protect your data from being seen by others, please use the built-in user accounts in your operating system of choice".

Further update and latest can be found on the official google chrome blog.
 
To download Google Chrome for Windows, Linux and Mac Click Here

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Chrome 16 Beta With Sync Capabilities"https://www.voiceofgreyhat.com/2011/11/chrome-16-beta-with-sync-capabilities.html</a>

Google TV Update For Android 3.1 (Honeycomb)

Google announced on its Google TV blog Friday that the platform will be upgraded to Android 3.1 (otherwise known as Honeycomb) for Sony devices Sunday, with the Logitech Revue set-top box getting its upgrade "soon thereafter." What will you get with this software upgrade to Android? Google says it's "much simpler." Its customization capabilities will go a long way toward alleviating the awkwardness of its first iteration, which Google admits was "not perfect."
And the addition of the Android Market will open up a variety of applications, with the promise of more -- perhaps thousands more -- on the way. One welcome improvement will be an easier ability to search across all the TV shows at your disposal. With this update, Google's trying to answer that age-old question, "What's on?" If Google can pull that off, it could be a powerful thing indeed. The company says it has learned from its mistakes with the first version of Google TV and is "committed to find the best way to discover and engage with the high-quality entertainment on your television." So does that mean Google TV will be able to find all the shows from whichever cable or satellite provider you're subscribing to, or from the web via all of the apps within Google TV, such as Netflix, Amazon Instant Video, and HBO Go? Maybe. Of course, Google plans to improve Google TV's search across YouTube, its own video streaming service.
In the blog post, Google also hinted at future software updates (Ice Cream Sandwich, anyone?) and new devices "on new chipsets from multiple hardware partners." Hey, this is getting interesting.
We'll have to reserve judgment until we can install this software update on our Logitech Revue box, but for now, clearly this update has great potential. It makes perfect sense for Google -- purveyor of Android, the Chrome browser, YouTube and by the way, the world's search expert -- to leverage these powerful capabilities in its TV set-top. The hurdle Google needs to navigate is not so much a technical or software one, but a matter of negotiating and arm-twisting of content providers. Will the company gain cooperation from TV networks and movie studios, allowing their content to be searchable on the Google TV platform? That's the key to Google TV's success.

• To see the google TV blog post click Here

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Google TV Update For Android 3.1 (Honeycomb)"https://www.voiceofgreyhat.com/2011/11/google-tv-update-for-android-31.html</a>

Firefox with Bing By Microsoft & Mozilla

Mozilla has teamed with Microsoft to bring more Bing to Firefox. Mozilla and Bing are pleased to make available Firefox with Bing, a customized version of Firefox that sets Bing as the default search engine in the search box and AwesomeBar and makes Bing.com the default home page.  (Existing Firefox users can also make these changes by installing the Bing Search for Firefox Add-on)

Of course, any user of Firefox can go into the browser's settings and make those changes themselves if they want, and there is even a "Bing Search for Firefox" add-on that will do the same. But many users don't mess with their settings too much, which is why Google (the usual default for Firefox) is the most widely used search engine among Firefox users. Google competes with Bing on the search side and Google's Chrome browser competes with Firefox. Microsoft, of course, makes a Firefox rival in Internet Explorer. Mozilla, in a blog post, said that "nearly 20 customized versions of Firefox" are available from its partners, including Bing, Yahoo (which now uses Bing to power its search as well), Twitter and Yandex.

To Download firefox with Bing here

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Firefox with Bing By Microsoft & Mozilla"https://www.voiceofgreyhat.com/2011/10/firefox-with-bing-by-microsoft-mozilla.html</a>

Adobe Flash Zero-day Exploit Which Allowing Others To Use Your Webcam Has Been Patched

A Stanford University student recently discovered a security flaw with Adobe’s Flash Player that allowed malicious users to activate your webcam and microphone without your knowledge. They could then tap into the video and audio to watch and listen to your every move. OK, that sounded a lot less sensationalist in my head. Unfortunately, up until a few days ago, this exploit very much existed and Adobe was working feverishly on a fix. Feross Aboukhadijeh, the aforementioned Stanford student, wrote about the flaw on October 18.
According to Feross Aboukhadijeh:-

"I discovered a vulnerability in Adobe Flash that allows any website to turn on your webcam and microphone without your knowledge or consent to spy on you. It works in all versions of Adobe Flash that I tested. I’ve confirmed that it works in the Firefox and Safari for Mac browsers. Use one of those if you check out the live demo. There’s a weird CSS opacity bug in most other browsers (Chrome for Mac and most browsers on Windows/Linux)."

Video Demo:-

Later Adobe issued a critical update for its Flash Player software. The patch fixes six security vulnerabilities, at least one of which is a zero-day vulnerability being actively exploited in the wild. The details of the Adobe security bulletin explain, "This update resolves a universal cross-site scripting issue that could be used to take actions on a user's behalf on any website or webmail provider if the user visits a malicious website (CVE-2011-2444)," adding, 

"Note: There are reports that this issue is being exploited in the wild in active targeted attacks designed to trick the user into clicking on a malicious link delivered in an email message."
The zero-day bug fixed today is similar to a flaw in Flash that was patched in June. Coincidentally, both the June vulnerability, and this one patched today were reported to Adobe by Google.

To download the Patch and more about Adobe Security Bulletin Click Here 

SHARE OUR NEWS DIRECTLY ON SOCIAL NETWORKS:-
<a href=">Adobe Flash Zero-day Exploit Which Allowing Others To Use Your Webcam Has Been Patched"https://www.voiceofgreyhat.com/2011/10/adobe-flash-zero-day-exploit-which.html</a>