Tag: webpage

Sony continues to lock PS4 players out of cross-platform play

But Sony exec says there's no "profound philosophical stance" against the feature.

A full-stack developer is full of something, alright

Find someone who calls himself a “full-stack developer” and smack him right across the face for being a liar or terrible. (Umm, don’t really do this: Violence is wrong.) I’ve not run the numbers, but I estimate that less than 1 percent of the developer population can make an adequate-looking webpage and a fully optimized data storage layer, let alone business logic. Just because you made everything JavaScript doesn’t solve that fundamental problem. Most papers on quantum physics are in English; I speak English but I’m not automatically a quantum physicist.

As one developer I know put it, that’s “boss-logic.” The truth is that most of the applications we do in business are simple.

They’re basic CRUD applications: Take some form data, shove in a database, display it later or possibly do a basic kind of report thing. Maybe there is a little bit of workflow, but probably not much.

They don’t even have to look that great. We’re all “full-stack developers” for that stuff.

Meet PINLogger, the drive-by exploit that steals smartphone PINs

Sensors in phones running both iOS and Android reveal all kinds of sensitive info.

Old Windows malware may have tampered with 132 Android apps

More than 130 Android apps on the Google Play store have been found to contain malicious coding, possibly because the developers were using infected computers, according to security researchers. The 132 apps were found generating hidden iframes, or a...

Breaking The Weakest Link Of The Strongest Chain

Around July last year, more than 100 Israeli servicemen were hit by a cunning threat actor.

The attack compromised their devices and exfiltrated data to the attackers’ C&C.
In addition, the compromised devices were pushed Trojan updates.

The operation remains active at the time of writing this post.

RHSA-2017:0190-1: Critical: firefox security update

An update for firefox is now available for Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, and Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Mozilla Firefox is an open source web browser. This update upgrades Firefox to version 45.7.0 ESR.

Security Fix(es):

* Multiple flaws were found in the processing of malformed web content. A web page containing malicious content could cause Firefox to crash or, potentially, execute arbitrary code with the privileges of the user running Firefox. (CVE-2017-5373, CVE-2017-5375, CVE-2017-5376, CVE-2017-5378, CVE-2017-5380, CVE-2017-5383, CVE-2017-5386, CVE-2017-5390, CVE-2017-5396)

Red Hat would like to thank the Mozilla project for reporting these issues. Upstream acknowledges Jann Horn, Muneaki Nishimura, Nils, Armin Razmjou, Christian Holler, Gary Kwong, André Bargull, Jan de Mooij, Tom Schuster, and Oriol, Rh0, Nicolas Grégoire, and Jerri Rice as the original reporters.
(The unlinked packages above are only available from the Red Hat Network.) These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:

Widely used WebEx plugin for Chrome will execute attack code—patch now!

The Chrome browser extension for Cisco Systems WebEx communications and collaboration service was just updated to fix a vulnerability that leaves all 20 million users susceptible to drive-by attacks that can be carried out by just about any website they visit. A combination of factors makes the vulnerabilities among the most severe in recent memory.

First, WebEx is largely used in enterprise environments, which typically have the most to lose.
Second, once a vulnerable user visits a site, it's trivial for anyone with control of it to execute malicious code with little sign anything is amiss.

The vulnerability and the resulting patch were disclosed in a blog post published Monday by Tavis Ormandy, a researcher with Google's Project Zero security disclosure service. Martijn Grooten, a security researcher for Virus Bulletin, told Ars:

"If someone with malicious intentions (Tavis, as per Google's policy, disclosed this responsibly) had discovered this, it could have been a goldmine for exploit kits. Not only is 20 million users a large enough number to make it worthwhile in opportunistic attacks, I assume people running WebEx are more likely to be corporate users. Imagine combining this with ransomware!"

All that's required for a malicious or compromised website to exploit the vulnerability is to host a file or other resource that contains the string "cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html" in its URL.

That's a "magic" pattern the WebEx service uses to remotely start a meeting on visiting computers that have the Chrome extension installed. Ormandy discovered that any visited website can invoke the command not just to begin a WebEx session, but to execute any code or command of the attacker's choice.

To make the exploit more stealthy, the string can be loaded into an HTML-based iframe tag, preventing the visitor from ever seeing it. While Monday's patch came a commendable two days after Ormandy privately reported the vulnerability, the researcher warned the patch may not adequately secure the Chrome extension from all types of code-execution exploits.

That's because the update still allows Cisco's webex.com website to invoke the magic pattern with no warning.
Should the site ever experience a cross-site scripting vulnerability—a vexingly common type of Web application bug that lets attackers inject scripts into Web pages—it might be possible to use it to once again exploit the WebEx extension flaw. Some critics also faulted the fix for providing a less-than-clear warning message when WebEx-enabled browsers visit sites that load the magic string.

The warning reads: "WebEx meeting launcher needs to launch a WebEx meeting on this site. WebEx meeting client will be launched if you accept this request." The message then gives users the option of clicking Cancel or OK.

"This is a social engineering nightmare," Filippo Valsorda, a security researcher at content delivery network CloudFlare, told Ars. He provided this guide for protecting against the vulnerability.

In an e-mail, independent cryptography and security researcher Aaron Zauner provided this technical analysis:

The extension has its own sort-of-an API and passes JSON messages between the extension, the website where the WebEx session is supposed to happen (e.g. is embedded into the website), and native browser code (i.e. Chrome).

As Tavis [Ormandy] notes, the extension passes a lot of properties about the session along, many of which seem security sensitive and may be able to allow for attack vectors. One of these properties seems to have its own scripting language (Tavis's words) and thus allows interaction with native code.

The extension ships (at least parts) of Microsoft's C runtime and thus gives an attacker the possibility to call C functionality by just passing JSON properties/objects.

An exploit may be a simple webpage with JavaScript code in it. Having the WebEx extension in Chrome installed—an attacker may point the victim to such a website and run arbitrary code or start programs, delete files et cetera on the victim's computer.

The critical update is made available in version 1.0.3 of the WebEx extension for Chrome. It will be downloaded and run automatically, but given the severity, users should make sure it's installed immediately by clicking on the three vertical dots in the top right of Chrome.

They should choose More Tools, Extensions, and view the information pertaining to WebEx.

To force WebEx to update right away, users can check the "Developer Mode" checkbox and click the "Update extensions now" button.

Cisco’s WebEx Chrome plugin will execute evil code, install malware via...

Just get rid of it – bin it now

Malicious websites can remotely execute commands on Windows systems that have Cisco WebEx's Chrome extension installed.

About 20 million people actively use this broken software. All attackers need to know is a “magic URL” hidden within WebEx, Google Project Zero bug hunter Tavis Ormandy revealed on Monday. We think a secret "magic URL" is the nicest possible way of saying "backdoor," be it deliberate or accidental. Specifically, any URL request – such as a silent request for an invisible iframe on a page – that includes the string cwcsf-nativemsg-iframe-43c85c0d-d633-af5e-c056-32dc7efc570b.html opens up WebEx to remote-control execution. Ormandy clocked he could exploit this via Chrome's native messaging system to execute C library and Windows system calls. The Googler quickly produced a proof-of-concept webpage that pops open calc.exe on vulnerable machines that have Cisco's dodgy extension installed.

This demonstrates that a victim just has to browse a website that targets Cisco's plugin to come under attack and find their computer is infected with malware.

“I noticed that [Cisco] ships a copy of the CRT (Microsoft's C Runtime, containing standard routines like printf, malloc, etc), so I tried calling the standard _wsystem() routine (like system(), but for WCHAR strings), like this,” wrote Ormandy, before throwing in this JavaScript:

    var msg = {
        GpcProductRoot: "WebEx",
        GpcMovingInSubdir: "Wanta",
        GpcProductVersion: "T30_MC",
        GpcUnpackName: "atgpcdec",
        GpcExtName: "atgpcext",
        GpcUnpackVersion: "27, 17, 2016, 501",
        GpcExtVersion: "3015, 0, 2016, 1117",
        GpcUrlRoot: "http://127.0.0.1/",
        GpcComponentName: btoa("MSVCR100.DLL"),
        GpcSuppressInstallation: btoa("True"),
        GpcFullPage: "True",
        GpcInitCall: btoa("_wsystem(ExploitShellCommand);"),
        ExploitShellCommand: btoa("calc.exe"),
    }

“Unbelievably, that worked,” he added.

There was a secret URL in WebEx that allowed any website to run arbitrary code. ¯\_(ツ)_/¯ https://t.co/sAqZrDN4ad
— Tavis Ormandy (@taviso) January 23, 2017

And PRs wonder why we get uppity when we’re told to install weird extensions during press briefings - PDF + text is fine, thanks. https://t.co/whPRlSXnqX
— The Register (@TheRegister) January 23, 2017

Cisco has rushed out WebEx version 1.0.3 to fix the issue, although crypto developer Filippo Valsorda says the patch is incomplete.

Given Cisco's devotion to programming standards, or lack thereof, just delete and forget about the crappy thing entirely.

350,000 Twitter bot sleeper cell betrayed by love of Star Wars...

Computer researchers uncover yuuuge dormant army

Computer boffins Juan Echeverria and Shi Zhou at University College London have chanced across a dormant Twitter botnet made up of more than 350,000 accounts with a fondness for quoting Star Wars novels.

Twitter bots have been accused of warping the tone of the 2016 election. They also can be used for entertainment, marketing, spamming, manipulating Twitter's trending topics list and public opinion, trolling, fake followers, malware distribution, and data set pollution, among other things.

In a recently published research paper, the two computer scientists recount how a random sampling of 1 per cent of English-speaking Twitter accounts – about 6 million accounts – led to their discovery.

Pursuing an unrelated inquiry, the researchers were examining the geographic distribution of 20 million tweets with location tags in the dataset of 843 million tweets from the account sample, and they noticed an unusual distribution pattern.

Some accounts followed the expected distribution pattern, which coincides with population centers in America and Europe. But another set of accounts showed random distribution within those areas, often resulting in tweets from unlikely places such as seas, deserts, and the Arctic.

(Image: Blue dots at edge of box over Europe, barely visible after image compression, show Star Wars bots)

When the researchers manually examined the text of these tweets, they found the majority of them consisted of random excerpts from Star Wars novels, and that many of them started or ended with an incomplete word or included a randomly placed hashtag. For example:

Luke's answer was to put on an extra burst of speed. There were only ten meters #separating them now. If he could cover t

"This quote was from the book Star Wars: Choices of One, where Luke Skywalker is an important character," the paper explains. "We have found quotations from at least 11 Star Wars novels."

The manual examination of data associated with 4,942 accounts resulted in the identification of 3,244 bots with consistent characteristics:

* Tweets only random Star Wars quotes.
* Uses hashtags associated with follower acquisition or prepended to random words.
* Never retweets or mentions other Twitter users.
* Each bot has made only 11 or fewer tweets since its inception.
* Each bot has between 10 and 31 friends.
* The bots choose only "Twitter for Windows Phone" as their source application.
* The bots' user ID numbers fall into a narrow range between 1.5 × 10^9 and 1.6 × 10^9.

Given that set of bots, the researchers created a machine learning classifier to hunt for other accounts with similar characteristics. The algorithm identified 356,957 Star Wars bots.

The researchers say they were lucky to have spotted the bots, which appear to have been designed to thwart automated detection methods. They note that being human helped make the discovery possible.

"The fact that the bots tagged their tweets with random locations in North America and Europe was a [deliberate] effort to make their tweets look more real," the paper explains. "But this camouflage trick backfired – the faked locations when plotted on a map seemed completely abnormal. It's important to note that this anomaly could only be noticed by a human looking at the map, whereas a computer algorithm would have a hard time to realize the anomaly."

Curiously, the Star Wars bots have been silent since 2013. The researchers observe that pre-aged bots can be sold for more than newly created bots on the black market, presumably because bot detection methods consider older accounts more likely to be reputable.

Twitter declined to comment on the findings, which may be because the company was unaware of them until now.

"We have not reported the accounts directly to Twitter (yet)," said Echeverria in an email to The Register. "We are waiting for the paper to be approved by the scientific journal to which it was submitted. We would also like to give researchers a chance to get the dataset by themselves before they are gone, this is why we have not reported to Twitter directly, but we will as soon as the paper gets accepted."

Inspired by their success identifying the Star Wars botnet, Echeverria, a research student, and his faculty advisor, senior lecturer Shi Zhou, claim to have identified an even larger botnet numbering half a million accounts.

"The larger botnet is part of a subsequent research paper, which is also under review," Echeverria said. "As soon as it gets approved, I will be able to disclose more information about it."

Echeverria added that there's now a Twitter account named "@thatisabot" to make it easier for people to report bots to researchers. "Think of it as @spam but for researchers instead of Twitter," he said. "Furthermore, we have a webpage, www.thatisabot.com, which will (soon) also allow people to report bots to researchers."

"Commander, tear this ship apart until you've found those plans and bring me the Ambassador. I want her alive!"

Can a DDoS attack on Whitehouse.gov be a valid protest?

When Donald Trump is inaugurated as the U.S. President on Friday, Juan Soberanis intends to protest the event—digitally. His San Francisco-based protest platform is calling on Americans to oppose Trump’s presidency by visiting the Whitehouse.gov site and overloading it with too much traffic.
In effect, he’s proposing a distributed denial-of-service attack, an illegal act under federal law.

But Soberanis doesn’t see it that way. “It’s the equivalent of someone marching on Washington, D.C,” he said on Monday. “Civil disobedience has been part of the American democratic process.” Soberanis’s call to action is raising eyebrows and highlights the issue of whether DDoS attacks should be made a legitimate form of protest. Under the Computer Fraud and Abuse Act, sending a command to a protected computer with the intent to cause damage can be judged a criminal offense.

But that hasn’t stopped hacktivists and cyber criminals from using DDoS attacks to force websites offline. In 2013, the U.S. charged 13 people affiliated with the hacktivist group Anonymous for launching DDoS attacks on government entities, trade groups and law firms. Typically, hackers launch such attacks by using several servers, or huge numbers of infected PCs called botnets, to flood their targets with an overwhelming amount of traffic. Soberanis’s protest effort is simpler. He’s hoping that millions of individuals join his protest by visiting Whitehouse.gov and continually refreshing the page. “There’s nothing illegal,” he said. “We are just a large group of people, making a GET request,” he said, referring to the HTTP request method to access a webpage. Soberanis, who works as a software engineer, created his Protester.io platform about a month ago to encourage activism.
It currently has no funding, but the site managed to gain a bit of buzz last week.

The PR Newswire public-relations service circulated a press release from Protestor.io, only to retract it later after realizing the release was calling for a “take down” of Whitehouse.gov. “There’s also been some detractors,” he said. “They support Trump and have a very different viewpoint.” Soberanis isn’t the first to argue that DDoSing can be a form of legitimate protest.

Briefly in 2013, a failed online petition was posted on the White House’s website about the same subject.
It argued that DDoSing a website was not a form of hacking, but a new way for protesting. “Instead of a group of people standing outside a building to occupy the area, they are having their computer occupy a website,” the petition said. Some agree and think that DDoS attacks, in certain scenarios, can work as a valid form of protest. Laws like the Computer Fraud and Abuse Act are “over broad” and “chilling” political speech, said Molly Sauter, author of The Coming Swarm, a book that examines DDoS attacks used in activism. A DDoS attack on Whitehouse.gov – a site designed more for public relations than for operations – also wouldn’t disrupt any major government activities, Sauter said.

Taking it down could be seen as “more or less like protesting outside on the street,” she said. “Now, is that going to be successful?” she asked. “Frankly, it’s not likely that the Whitehouse.gov site wouldn’t have DDoS protection.” But others think a DDoS attack on the Whitehouse.gov is still a crime. Making it legal would open a can of worms, they say. “If they can do this to Whitehouse.gov with impunity now, can they also do it to Exxon without worry of legal troubles?” said Mark Sauter (no relation to Molly Sauter), a former U.S. Army officer who consults security and tech companies. He questions why protestors like Soberanis are resorting to DDoS attacks when they can publish their own websites or speech against Trump.

Do web injections exist for Android?

Web injection attacks

There’s an entire class of attacks that targets browsers – so-called Man-in-the-Browser (MITB) attacks. These attacks can be implemented using various means, including malicious DLLs, rogue extensions, or more complicated malicious code injected into pages in the browser by spoofing proxy servers or other ways. The purpose of an MITB attack may vary from relatively innocuous ad spoofing on social networks or popular websites to stealing money from user accounts – the latter is what happened in the Lurk case.

[Image: A malicious app masquerades as a Kaspersky Lab product in an MITB attack]

Web injection is used in most cases when an MITB-class attack targets online banking. This type of web injection attack involves malicious code being injected into an online banking service webpage to intercept the one-time SMS message, harvest information about the user, spoof banking details, etc. For example, our Brazilian colleagues have long reported on barcode spoofing attacks performed when users print out Boletos – popular banking documents issued by banks and all kinds of businesses in Brazil.

Meanwhile, the prevalence of MITB attacks in Russia is decreasing – cybercriminals are opting for other methods and attack vectors to target banking clients. For the average cybercriminal, it is much easier to use readily available tools than to develop and implement web injection tools.

Despite this, we’re often asked if there are any web injection attacks for Android devices. This is our attempt to investigate and give as full an answer as possible.

Web injection on Android

Despite the term ‘inject’ being used in connection with mobile banking Trojans (and sometimes used by cybercriminals to refer to their data-stealing technologies), Android malware is a whole different world. In order to achieve the same goals pursued by web injection tools on computers, the creators of mobile Trojans use two completely different technologies: overlaying other apps with a phishing window, and redirecting the user from a banking web page to a specially crafted phishing page.

Overlaying apps with phishing windows

This is the most popular technology with cybercriminals and is used in practically all banking Trojans. 2013 was when we first encountered a piece of malware overlaying other apps with its phishing window – that was Trojan-Banker.AndroidOS.Svpeng.

Today’s mobile banking Trojans most often overlay the Google Play Store app with their phishing window – this is done in order to steal the user’s bank card details.

[Image: The Marcher malware]

Besides this, Trojans often overlay various social media and instant messaging apps and steal the passwords to them.

[Image: The Acecard malware]

However, mobile banking Trojans typically target financial applications, mostly banking apps.

Three methods of MITB attacks for mobile OS can be singled out:

1. A special Trojan window, crafted beforehand by cybercriminals, is used to overlay another app’s window. This method was used, for example, by the Acecard family of mobile banking Trojans. [Image: Acecard phishing windows]
2. Apps are overlaid with a phishing web page located on a malicious server. This way, the cybercriminals can modify its contents any time they need to. This method is used by the Marcher family of banking Trojans. [Image: Marcher phishing page]
3. A template page is downloaded from a malicious server, to which the icon and the name of the attacked application are added. This is how one of the Trojan-Banker.AndroidOS.Faketoken modifications manages to attack over 2,000 financial apps. [Image: FakeToken phishing page]

It should be noted that starting from Android 6, for the above attack method to work, the FakeToken Trojan has to request the privilege of displaying its window on top of other app windows. It’s not alone though: as new versions of Android are gaining popularity, a growing number of mobile banking Trojans are beginning to request such privileges.

Redirecting the user from the bank’s page to a phishing page

We were only able to identify the use of this technology in the Trojan-Banker.AndroidOS.Marcher family. The earliest versions of the Trojan that redirected the user to a phishing page are dated late April 2016, and the latest are from the first half of November 2016.

Redirecting the user from a bank’s webpage to a phishing page works as follows. The Trojan subscribes to notifications of changes to browser bookmarks, which include changes to the currently open page. This way the Trojan knows which webpage is currently open, and if it happens to be one of the targeted pages, the Trojan opens the corresponding phishing page in the same browser and redirects the user there. We were able to find over a hundred web pages belonging to financial organizations that were targeted by the Marcher family of Trojans.

However, two points need to be raised:

- All new modifications of the Marcher Trojan that we were able to detect no longer use this technology.
- Those modifications that used this technology also used a method of overlaying other apps with their phishing window.

Why then was the method of redirecting the user to a phishing page used by only one family of mobile banking Trojans, and why is this technology no longer used in newer modifications of the family? There are several reasons:

- In Android 6 and later versions, this technology no longer works, meaning the number of potential victims is decreasing every day. For example, around 30% of those using Kaspersky Lab’s mobile security solutions now use Android 6 or a later version;
- The technology only worked on a limited number of mobile browsers;
- The user can easily spot that they are being redirected to a phishing site and they may also notice that the URL of the webpage has changed.

Attacks launched using root privileges

With superuser privileges, Trojans can perform any attack, including real malicious injections into browsers. Although we were unable to find a single case of this happening, the following should be noted:

- Some modules of Backdoor.AndroidOS.Triada can substitute websites in certain browsers, using superuser privileges. All the attacks we found were launched with the purpose of making some money from advertising only, and did not result in the theft of banking information.
- The banking Trojan Trojan-Banker.AndroidOS.Tordow, using superuser privileges, can steal passwords saved in browsers, which may include passwords to financial websites.

Conclusions

We can state that, despite all the available technical capabilities, cybercriminals that target banks do not make use of malicious web injections in mobile browsers or injections in mobile apps. Sometimes they use these technologies to spoof adverts, but even then that requires highly sophisticated malicious software.

So why do cybercriminals ignore the available opportunities? Most probably it is because of the diversity of mobile browsers and apps. Malware writers would have to adapt their creations to a long list of programs, which is rather costly, while simpler and more versatile attacks involving phishing windows do not require so much effort to target a larger number of users.

Nonetheless, the Triada and Tordow examples suggest that similar attacks may well take place in the future as malware creators gain more expertise.
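Both techniques described above leave a trace in the permissions an app requests, which makes the manifest a useful first triage point. The following is an added example, not code from the article or from Kaspersky Lab: the permission names are standard Android identifiers that the article does not spell out, their mapping to the two techniques is an assumption of this example, and the manifest is constructed.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
# Assumed mapping from the article's two techniques to standard Android permissions.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
BROWSER_HISTORY = "com.android.browser.permission.READ_HISTORY_BOOKMARKS"

# Constructed sample: decoded manifest of a hypothetical app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
  <uses-sdk android:minSdkVersion="16" android:targetSdkVersion="23"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:maxSdkVersion="22"
      android:name="com.android.browser.permission.READ_HISTORY_BOOKMARKS"/>
</manifest>"""

def requested_permissions(root):
    """Map each requested permission to its maxSdkVersion (None if unbounded)."""
    perms = {}
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name, max_sdk = node.get(ANDROID + "name"), node.get(ANDROID + "maxSdkVersion")
            if name:
                perms[name] = int(max_sdk) if max_sdk else None
    return perms

def triage(manifest_xml):
    """Return which of the two capabilities the manifest makes possible."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(root)
    sdk = root.find("uses-sdk")
    min_sdk = int(sdk.get(ANDROID + "minSdkVersion", "1")) if sdk is not None else 1
    findings = []
    if OVERLAY in perms:
        findings.append("overlay")          # can draw over other apps' windows
    # The browser-history permission was removed in Android 6.0 (API 23), so it
    # only matters when the app still installs on older releases.
    if BROWSER_HISTORY in perms and min_sdk < 23:
        findings.append("browser-history")  # can observe pages the user opens
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

A finding here is a reason to look closer, not a verdict: legitimate apps also request the overlay permission.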

Netflix Phishing Campaign Targeted User Information, Credit Card Data

Researchers recently identified a phishing campaign set up to lure unsuspecting Netflix users into giving up their credentials and credit card data.

The campaign – now defunct – started with an email informing users they needed to update their account details. From there, victims were brought to a legitimate-looking Netflix login page where they were asked for their email address and Netflix password.

Not content with just getting users’ login credentials, the attacker then directs victims to another form where they’re told they need to update their billing information. Users are encouraged to enter their name, birthdate, address, and credit card information. The attacker perhaps overdid it by asking users to provide their social security number – something Netflix would never ask for – and users’ VBV (Verified by Visa) 3D Secure Code, a fairly new service that Visa uses in Europe and India but that hasn’t been deployed in the U.S. yet.

While the pages mimic actual Netflix pages and even feature a yellow “secure server” lock, they’re completely fake. The campaign actually routes all of the information back to the attacker via a PHP mail utility, something that allows them to deploy the phishing kit across multiple websites.

Mohammed Mohsin Dalla, a researcher with FireEye’s Threat Research team who uncovered the campaign, notes that until it was taken down, the campaign was adept at bypassing phishing filters. He claims the campaign used AES encryption to encode the content it served up, something that would have made it easy for it to evade detection.

“By obfuscating the webpage, attackers try to deceive text-based classifiers and prevent them from inspecting webpage content,” Dalla wrote of the scam Monday. “This technique employs two files, a PHP and a JavaScript file that have functions to encrypt and decrypt input strings. The PHP file is used to encrypt the webpages at the server side… at the client side, the encrypted content is decoded using a defined function in the JavaScript file.”

Phishing campaigns that target Netflix customers aren’t revolutionary but this one was different because of the way it evaded detection and served up its phishing pages. The pages, hosted on legitimate but compromised servers, didn’t appear to users if their DNS linked back to Google or PhishTank, an anti-phishing service that aggregates data on scams like this. In fact, according to FireEye, if a visitor from Google, PhishTank, or other sites like the Calyx Institute or Netflix itself visited the fake site, the campaign would ensure a “404 Not Found error” message would be displayed – making it less likely the scam would be discovered.

Netflix phishing campaigns have become some of the more ubiquitous scams. A handful of phony invoice emails made the rounds in the UK earlier this summer, trying to trick users into thinking they’d purchased a Netflix subscription and insisting they hand over their credit card information.

Another scam, one that was set on convincing Netflix users they needed to update their credit card data, made the rounds earlier last summer, in July. After entering their information, victims were told their account had been suspended and that they needed to download “Netflix support software.” That software, at least according to the Knoxville, Tenn. Better Business Bureau, was “remote login software” that handed attackers the keys to victims’ computers.
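A classifier that reads only the served HTML finds almost no text on a page built the way Dalla describes, but that emptiness combined with an opaque blob handed to a DOM sink is itself a signal. The following is an added example, not code from FireEye or the article: `decryptPage`, `aes.js`, both sample pages and the thresholds are constructed assumptions.

```python
import base64, hashlib, math, re
from html.parser import HTMLParser

class PageSplitter(HTMLParser):
    """Separate text a reader sees from the bodies of inline <script> tags."""
    def __init__(self):
        super().__init__()
        self.in_script, self.visible, self.scripts = False, [], []
    def handle_starttag(self, tag, attrs):
        self.in_script = self.in_script or tag == "script"
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        (self.scripts if self.in_script else self.visible).append(data)

def shannon_entropy(s):
    """Bits per character; random hex tops out at 4.0, base64 at 6.0."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

LONG_LITERAL = re.compile(r"""["']([^"'\s\\]{200,})["']""")  # long, no whitespace
DOM_SINK = re.compile(r"document\.write|\.innerHTML\s*=")

def looks_client_side_decrypted(html, min_entropy=3.5, max_visible_chars=80):
    """True when a page is nearly empty as served but carries an opaque blob
    that script writes into the DOM."""
    page = PageSplitter()
    page.feed(html)
    script = "".join(page.scripts)
    visible = " ".join("".join(page.visible).split())
    opaque = [b for b in LONG_LITERAL.findall(script) if shannon_entropy(b) >= min_entropy]
    return bool(opaque) and bool(DOM_SINK.search(script)) and len(visible) <= max_visible_chars

# Constructed samples. The blob is base64 of hash output, standing in for ciphertext.
BLOB = base64.b64encode(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))).decode()
OBFUSCATED_PAGE = (
    "<html><head><title>Sign in</title><script src='aes.js'></script></head><body>"
    "<script>document.write(decryptPage('" + BLOB + "', 'k3y'));</script></body></html>"
)
PLAIN_PAGE = (
    "<html><body><h1>Sign in</h1><p>Enter the email address and password for your "
    "account, then choose Continue to review your billing details.</p>"
    "<script>document.getElementById('f').focus();</script></body></html>"
)

if __name__ == "__main__":
    for name, page in (("obfuscated", OBFUSCATED_PAGE), ("plain", PLAIN_PAGE)):
        print(name, looks_client_side_decrypted(page))
```

Pages flagged this way are candidates for rendering in a sandboxed browser so the classifier can inspect the decrypted DOM instead of the served source.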