For well over a decade our focus at ionCube has been on PHP security but recently with the release of ionCube24 we have been looking into different kinds of vulnerabilities. This post has a few of the interesting issues we have found this week.
A selection of this week’s more interesting vulnerability disclosures and cyber security news.
Is the wonder of the IoT truly valid?
- Popular Home Automation System Backdoored Via Unpatched Flaw (Dark Reading) –
- The Internet of things is great until it blows up your house (The Register) –
- CVE-2015-2247 – Unspecified vulnerability in Boosted Boards skateboards allows physically proximate attackers to modify skateboard movement, cause human injury, or cause physical damage via vectors related to an _injection attack_ that blocks and hijacks a Bluetooth signal.
- CVE-2013-4866 – The LIXIL Corporation My SATIS Genius Toilet application for Android has a hardcoded Bluetooth PIN, which allows physically proximate attackers to trigger physical resource consumption (water or heat) or user discomfort.
An amazing bit of vulnerability analysis!
Can’t believe the lax password security, in a school of all places where you expect the kids to try it
- Florida teen charged with felony after hacking teachers account to change desktop background – all teacher’s passwords were (are?) their last names (Reddit) –
That was unfortunate of them
Staggering that so many faults were not picked up on during commissioning
Such a well used embedded database makes you wonder how wide spread this will be
Scary report on the the threats we are vulnerable to
One we could catch using ionCube24
The issues with these routers never seem to go away
Point of sale systems are a quick way for the crims to score.
- FighterPOS malware strikes over 100 terminals in Brazil, captures info for 22K cards (SC Magazine) –
Such a popular platform has luckily been patched
Insider attacks are a huge risk many ignore as this shows
This router hit again
- SEC Consult SA-20150410-0 :: Unauthenticated Local File Disclosure in multiple TP-LINK products (CVE-2015-3035)
Blogged last week about this one. Its going to be a game changer for many and then no excuse for it not to be in place.
Wondered at all the SSH traffic? This is the kind of thing which providers are looking at
A (small) win against ransomware
Here we are again with yet another round of issues with Flash. Should we not just abandon it and go with HTML5?
- CVE-2015-0346 – Double free vulnerability in Adobe Flash Player before 188.8.131.521 and 14.x through 17.x before 184.108.40.206 on Windows and OS X and before 220.127.116.117 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0359.
A week of large patching
This maybe from the USA but I’ve seen something simliar here in the UK in the past week. Watch out!
A bit of disruption to the world of Minecraft? Here are a few views on this issue.
- Just-released Minecraft exploit makes it easy to crash game servers (ArsTechnica) –
- Public exploit crashes Minecraft servers (The Register) –
- Server-crashing Minecraft exploit published after game maker failed to act (ZDNet) –
- The Minecraft Server – a lesson on why to not roll out your own data formats and responsible disclosure (Reddit) –
Such a simple approach to bypass security
A week of large patching
Cant see this going wrong, can you? Nope. Not in any way….
This is quite a nasty one
Will this really work?
Complete bypass! Ouch!