Surviving the Week – 04/27/2012

Decline in web application vulnerabilities?

Interesting article and kind of funny: no responsibility is taken for the problem. One of the reasons given for this disparity is that applications are built on new technologies that web scanning solutions don’t yet scan; in other words, the application scanner vendor community isn’t keeping up with those changes to web frameworks. Web application scan assessments don’t all have to be manual.

Distribution of FlashBack

Hilarious that a web vulnerability was the entry point for the first worm on the Mac, but it makes sense and goes to highlight how critical web security is!

Guide to AppSec vol. 2

Another AppSec info piece was posted as part 2 of a series of articles aimed at CISOs. It is a CISO’s Guide to Application Security, and is a primer on AppSec best practices.

There are some staggering statistics included in this post.

  • 90% of companies have been breached at least once over the past 12 months.
  • 54% of attacks on large organizations exploit web application vulnerabilities.
  • The cost of a single data breach averages $194 per compromised record, or an average of $5.5M per incident.
  • Companies spend just 0.3% of what they pay for software to ensure that it is secure.

Mobile Device Application Stores: love them and fear them.

Researchers have identified a bug in the TreasonSMS app for iPhone that could enable attackers to gain full control over the iPhone. This app allows users to send SMS messages directly from their desktop machines by using their iPhone as a relay proxy. The application contains vulnerabilities such as a file-include bug and an HTML-injection bug. These could allow a remote attacker to include a malicious persistent script and have it execute on the application side of the phone.

These vulnerability findings were not intentional, but there are some sleeper apps in which the vulnerabilities are intentional.
If you are in an organization, you are contending with the BYOD initiative, where users want to bring their own mobile devices onto the company network. How do you assess which applications are allowed on these mobile devices? How do you achieve due diligence?
The next version of NTOSpider can help you and your organization evaluate mobile applications.

Think you’ve got what it takes to beat Anonymous?

Did that get your attention? Here’s some info for those who are ready to take on the global hacker games: compete at CyberLympics 2012. The CyberLympics World Finals are scheduled for 29-31 October 2012 at the Hacker Halted Conference in Miami. For more information about CyberLympics or to register, visit:

New Version of WordPress Fixes Security Bugs

This week, on 4/20, WordPress 3.3.2 was released. This version fixes some major security issues, including a pair of XSS bugs and a privilege escalation vulnerability that could, in some circumstances, let a site administrator deactivate network-wide plugins when running a WordPress network.

CVE-2012-0158 Exploit in the Wild

Malicious code is exploiting a vulnerability in Microsoft Office that infects a user’s machine when the user opens a file with Microsoft Office. As in classic attacks, these files are usually distributed by email, and a user gets infected simply by opening the file. The following link describes in detail how a victim gets affected.
Microsoft has released a patch for this vulnerability. Do patch your system.

XSS in jQuery

jQuery is one of the most common libraries for developing Ajax-based applications. It is a library for JavaScript programmers that simplifies the development of Web 2.0 applications, in particular the traversal of the HTML DOM tree.
jQuery 1.7.2 (the most recent build) and older have been found vulnerable to a cross-site scripting vulnerability. Do test your application with NTOSpider for possible cross-site scripting vulnerabilities.
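Both the TreasonSMS HTML-injection bug above and the jQuery item come down to the same defender-side rule: untrusted strings must never reach a sink that decides on its own whether to parse them as markup. The example below is added here and is not code from the original post or from the jQuery project. It models, in simplified form, the documented change in how jQuery(str) distinguishes a selector from HTML (before 1.9 a "<" anywhere in the string could make it HTML; from 1.9 on only a leading "<" does) and shows the safer pattern of having the caller declare intent. The two classifier functions, the `handleUntrusted` wrapper and the sample hash value are assumptions made for illustration, not jQuery's own regular expressions or API.

```javascript
// Added example, not code from the original post or from jQuery itself.
// The classifiers are simplified models (assumptions) of the documented
// pre-1.9 and 1.9+ behaviour of jQuery(str), not jQuery's real regexes.

// Pre-1.9-style heuristic: any "<...>" fragment in the string marks it as HTML,
// so a value read from something like location.hash could be parsed as markup.
function looksLikeHtmlLegacy(s) {
  return /<[\s\S]+>/.test(s);
}

// 1.9-style rule: only a string that starts with "<" is treated as markup.
function looksLikeHtmlModern(s) {
  return s.trim().charAt(0) === "<";
}

// Escape the five characters that matter when untrusted text is placed in HTML.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Defender-side wrapper (hypothetical helper): the caller states what the value
// is supposed to be, so untrusted input can never switch itself from "selector"
// to "markup". It returns a description of the DOM operation instead of touching
// a real DOM, so it runs under plain Node.
function handleUntrusted(kind, value) {
  if (kind === "selector") {
    // Accept only a plain id selector; anything else is rejected outright.
    if (!/^#[\w-]+$/.test(value)) {
      throw new Error("rejected selector: " + value);
    }
    return { op: "find", selector: value };
  }
  if (kind === "text") {
    // Untrusted content is rendered as text, never parsed as HTML.
    return { op: "setText", value: escapeHtml(value) };
  }
  throw new Error("unknown kind: " + kind);
}

// Constructed sample: a fragment such as a page might read from location.hash.
const SAMPLE_HASH = "#section<b>hello</b>";

// Run the same untrusted value through both classifiers and the escaper.
function demo() {
  return {
    legacy: looksLikeHtmlLegacy(SAMPLE_HASH),  // true: legacy sniffing treats it as HTML
    modern: looksLikeHtmlModern(SAMPLE_HASH),  // false: stays a selector string
    escaped: escapeHtml(SAMPLE_HASH),          // safe to insert as text
  };
}

console.log(demo());
try {
  handleUntrusted("selector", SAMPLE_HASH);
} catch (e) {
  console.log(e.message); // the wrapper refuses the value rather than guessing
}
console.log(handleUntrusted("text", SAMPLE_HASH));
```

The point of `handleUntrusted` is that it never infers intent from the content of the string: a selector is validated against a strict allow-pattern and text is always escaped, so the "does it contain a <" question that made the legacy heuristic exploitable simply never gets asked.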

About Dan Kuykendall 169 Articles