Showing posts with label vulnerability. Show all posts

Tuesday, April 15, 2014

[securityaffairs] Hacking Google server using a malicious XML is possible

A team of researchers discovered a critical XML External Entity (XXE) vulnerability on a Google server that allows an attacker to access any internal file.

Sunday, March 2, 2014

[securityaffairs] Critical flaw in Yahoo allows Hacker to delete 1.5M records

A vulnerability in Yahoo allowed an Egyptian hacker to delete more than one and a half million records from a Yahoo database. Yahoo immediately fixed it.

Monday, February 24, 2014

[infosecurity-magazine] Apple Issues Critical Vulnerability Patch for the Majority of its Devices

Apple released security patches Friday for iPhone 4 and later, iPhone 3GS, iPod Touch (4th and 5th generations) and iPad 2 and later. This is a serious vulnerability, and users are advised to patch as soon as possible.

[fireeye] Background Monitoring on Non-Jailbroken iOS 7 Devices — and a Mitigation

Background monitoring by mobile applications has become a hot topic on mobile devices. Existing reports show that such monitoring can be conducted on jailbroken iOS devices. FireEye mobile security researchers have discovered such a vulnerability, and found approaches to bypass Apple's app review process effectively and exploit non-jailbroken iOS 7 successfully. We have been collaborating with Apple on this issue.

Friday, February 14, 2014

[thehackernews] Magento vulnerability allows an attacker to create administrative user

It seems you cannot go a day without hearing about someone or some group hacking a website or stealing credit card and other sensitive data from e-commerce sites.

The e-commerce market is booming, and that provides even more opportunities to hackers. There are many ready-made e-commerce platforms available on the Internet that are easy to install and easy to manage at no extra cost, and 'Magento' is one of the most popular of them.

Monday, February 10, 2014

[sucuri] Joomla JomSocial Remote Code Execution Vulnerability

The JomSocial team just released an update that fixes a very serious remote code execution vulnerability that affects any JomSocial version older than 3.1.0.4. From their hot-fix update:

Sunday, February 9, 2014

[utsandiego] Attack shows vulnerability of power grid

By U-T San Diego Editorial Board, 5 p.m., Feb. 8, 2014
A sophisticated, previously undisclosed early-morning attack on a Pacific Gas and Electric substation in the Silicon Valley last April should serve as a wake-up call about the vulnerability of U.S. electricity-transmission systems.

[securelist] CVE-2014-0497 – a 0-day vulnerability

A short while ago, we came across a set of similar SWF exploits and were unable to determine which vulnerability they exploited.
We reported this to Adobe and it turned out that these ITW exploits targeted a 0-day vulnerability. Today, Adobe released a patch for the vulnerability.
This post provides a technical analysis of the exploits and payload that we discovered.
All in all, we discovered a total of 11 exploits, which work on the following versions of Adobe Flash Player:
11.3.372.94
11.3.375.10
11.3.376.12
11.3.377.15
11.3.378.5
11.3.379.14
11.6.602.167
11.6.602.180
11.7.700.169
11.7.700.202
11.7.700.224