
Gotham Security Daily Threat Alerts

April 9, 2014

April 5, Softpedia – (International) DDoS attack enabled by persistent XSS vulnerability on top video content provider’s site. Incapsula reported mitigating an application-layer distributed denial of service (DDoS) attack against one of its clients that was enabled by a persistent cross-site scripting (XSS) vulnerability in a popular video content provider’s Web site. Malicious JavaScript had been injected into a tag field on users’ profiles, so it executed in the browser of every legitimate user who viewed the page, turning those browsers into the source of the flood. Source: http://news.softpedia.com/news/DDOS-Attack-Enabled-by-Persistent-XSS-Vulnerability-on-Top-Video-Content-Provider-s-Site-436029.shtml
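The mechanism behind that item, as an added example that is not from the article or from Incapsula: a profile “tag” interpolated into HTML verbatim (the persistent XSS) beside the same rendering with output escaping applied first, written as a minimal C renderer. The template, the attacker tag string, and the function names are constructed for the illustration; the script body is a placeholder, not the code used in the reported attack.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed attacker input: a profile tag that is really a script element.
 * The script body is a placeholder, not the code used in the reported attack. */
static const char ATTACKER_TAG[] = "<script>/* attacker's flood script */</script>";

/* Escape the five characters that change meaning inside HTML text and
 * attribute values. Returns 0 if the result (plus NUL) does not fit in cap. */
int html_escape(const char *in, char *out, size_t cap)
{
    size_t o = 0;
    for (; *in; in++) {
        char one[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t len = strlen(rep);
        if (o + len >= cap)
            return 0;
        memcpy(out + o, rep, len);
        o += len;
    }
    out[o] = '\0';
    return 1;
}

/* Render a user's profile tag into the page. With escape_output == 0 the tag is
 * interpolated verbatim (the persistent XSS); with 1 it is escaped first.
 * Returns a pointer to a static buffer, or NULL if the output would not fit. */
const char *render_tag(const char *tag, int escape_output)
{
    static char html[512];
    char escaped[256];
    const char *text = tag;

    if (escape_output) {
        if (!html_escape(tag, escaped, sizeof escaped))
            return NULL;
        text = escaped;
    }
    int n = snprintf(html, sizeof html, "<span class=\"tag\">%s</span>", text);
    return (n >= 0 && (size_t)n < sizeof html) ? html : NULL;
}

/* Case-insensitive check for an opening <script tag anywhere in the markup. */
int contains_script_tag(const char *html)
{
    static const char needle[] = "<script";
    size_t nlen = strlen(needle);
    for (; *html; html++) {
        size_t i = 0;
        while (i < nlen && html[i] &&
               tolower((unsigned char)html[i]) == needle[i])
            i++;
        if (i == nlen)
            return 1;
    }
    return 0;
}

int main(void)
{
    printf("unescaped: %s\n", render_tag(ATTACKER_TAG, 0));
    printf("escaped:   %s\n", render_tag(ATTACKER_TAG, 1));
    return 0;
}
```

The escaped rendering still shows the attacker’s text on the profile page, but as inert characters; the browser never sees a script element, so nothing runs in other users’ sessions. Escaping belongs at the point of output, in the HTML context the value lands in, not at input time.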

April 4, Softpedia – (International) Upatre downloader distributed via banking-themed spam campaign. Researchers at Trend Micro detected a spam campaign using banking-themed emails to distribute the Upatre downloader, which in one analyzed sample went on to download the Zeus banking trojan and the Necurs malware, which disables security software on the infected host. Source: http://news.softpedia.com/news/Upatre-Downloader-Distributed-via-Banking-Themed-Spam-Campaign-435975.shtml

April 4, The Register – (International) Five-year-old discovers Xbox password bug, hacks dad’s Live account. A San Diego boy identified and reported a vulnerability in Microsoft’s Xbox Live service that can allow access to a user’s account by repeatedly entering ‘space’ characters and then hitting ‘submit’ when prompted for a password. Microsoft closed the vulnerability after it was reported. Source: http://www.theregister.co.uk/2014/04/04/five_year_olds_xbox_live_password_hack/

April 4, Softpedia – (International) 85% of links spotted in cyberattacks in 2013 led to compromised legitimate sites. Websense Security Labs released their 2014 Threat Report, detailing threats and trends during the past year. The report found that 85 percent of malicious links in email and Web attacks were directed at legitimate sites that were compromised by attackers, among other findings. Source: http://news.softpedia.com/news/85-of-Links-Spotted-in-Cyberattacks-in-2013-Led-to-Compromised-Legitimate-Sites-435939.shtml

April 7, OpenSSL Security Advisory – TLS heartbeat read overrun (CVE-2014-0160). A missing bounds check in the handling of the TLS heartbeat extension can be used to reveal up to 64k of memory to a connected client or server. Only 1.0.1 and 1.0.2-beta releases of OpenSSL are affected, including 1.0.1f and 1.0.2-beta1. Thanks to Neel Mehta of Google Security for discovering this bug and to Adam Langley <agl@chromium.org> and Bodo Moeller <bmoeller@acm.org> for preparing the fix. Affected users should upgrade to OpenSSL 1.0.1g. Users unable to immediately upgrade can alternatively recompile OpenSSL with -DOPENSSL_NO_HEARTBEATS. 1.0.2 will be fixed in 1.0.2-beta2. Note that patching stops further leakage but does not undo anything already read from process memory; a server that was exposed while vulnerable should treat private keys and session secrets that were in memory as potentially disclosed. Source: http://www.kb.cert.org/vuls/id/720951
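To make the advisory’s “missing bounds check” concrete, here is an added, reduced model of heartbeat processing that is not OpenSSL’s source: the record layout (1-byte type, 2-byte peer-supplied payload length, payload, 16 bytes of padding) and the two length checks in the fixed version follow what 1.0.1g added, but the handler signatures, the `record_t` type, the `SECRET` string, and the demo lengths are constructed for this illustration. The vulnerable handler believes the peer’s length field and copies that many bytes from wherever the record happens to sit, which is how adjacent memory ends up in the reply.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of TLS heartbeat processing, written for this note; it is
 * not OpenSSL's code. Message layout: 1-byte type, 2-byte payload length chosen
 * by the peer, the payload, then at least 16 bytes of random padding. */
#define TLS1_HB_REQUEST  1
#define TLS1_HB_RESPONSE 2
#define HB_PADDING       16

typedef struct {
    const unsigned char *data;  /* start of the heartbeat message inside the record */
    size_t length;              /* bytes actually received in this record */
} record_t;

/* Vulnerable handler: trusts the peer's payload length and never compares it
 * with rec->length, so memcpy reads past the end of the record into whatever
 * sits next in memory (up to 65535 bytes, since the field is 16 bits). */
size_t heartbeat_vulnerable(const record_t *rec, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;
    unsigned char hbtype = *p++;
    uint16_t payload = (uint16_t)((p[0] << 8) | p[1]);   /* n2s(p, payload) */
    p += 2;

    if (hbtype != TLS1_HB_REQUEST)
        return 0;
    if (3 + (size_t)payload + HB_PADDING > out_cap)      /* guards only the reply buffer */
        return 0;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);                         /* the over-read */
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + (size_t)payload + HB_PADDING;
}

/* Fixed handler: the two bounds checks added in OpenSSL 1.0.1g, applied before
 * the length field is trusted for anything. */
size_t heartbeat_fixed(const record_t *rec, unsigned char *out, size_t out_cap)
{
    const unsigned char *p = rec->data;
    unsigned char hbtype;
    uint16_t payload;

    if (1 + 2 + HB_PADDING > rec->length)                /* too short to be valid: discard */
        return 0;
    hbtype = *p++;
    payload = (uint16_t)((p[0] << 8) | p[1]);
    p += 2;
    if (1 + 2 + (size_t)payload + HB_PADDING > rec->length)  /* claimed length exceeds record */
        return 0;

    if (hbtype != TLS1_HB_REQUEST)
        return 0;
    if (3 + (size_t)payload + HB_PADDING > out_cap)
        return 0;
    out[0] = TLS1_HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, p, payload);
    memset(out + 3 + payload, 0, HB_PADDING);
    return 3 + (size_t)payload + HB_PADDING;
}

/* Constructed demo data: a 4-byte payload that claims to be 64 bytes long, laid
 * out directly in front of unrelated "secret" bytes, as happens on a busy heap. */
static const char SECRET[] = "session=0123456789abcdef";

static int bytes_contain(const unsigned char *hay, size_t hlen, const char *needle)
{
    size_t nlen = strlen(needle);
    for (size_t i = 0; i + nlen <= hlen; i++)
        if (memcmp(hay + i, needle, nlen) == 0)
            return 1;
    return 0;
}

/* Runs one handler over the demo record; returns 1 if SECRET shows up in the reply. */
int demo_leaks(size_t (*handler)(const record_t *, unsigned char *, size_t))
{
    unsigned char memory[256] = {0};
    unsigned char reply[256];
    size_t actual_payload = 4;

    memory[0] = TLS1_HB_REQUEST;
    memory[1] = 0; memory[2] = 64;                        /* claimed payload length: 64 */
    memcpy(memory + 3, "ping", actual_payload);
    memcpy(memory + 3 + actual_payload + HB_PADDING, SECRET, sizeof SECRET);

    record_t rec = { memory, 1 + 2 + actual_payload + HB_PADDING };  /* 23 bytes received */
    size_t n = handler(&rec, reply, sizeof reply);
    return n ? bytes_contain(reply, n, SECRET) : 0;
}

int main(void)
{
    printf("vulnerable handler leaks secret: %d\n", demo_leaks(heartbeat_vulnerable));
    printf("fixed handler leaks secret:      %d\n", demo_leaks(heartbeat_fixed));
    return 0;
}
```

The point to check in any similar parser is the one the fixed version makes explicit: a length field inside a message is attacker data and must be compared against the number of bytes actually received before it is used to copy anything. The `-DOPENSSL_NO_HEARTBEATS` workaround in the advisory sidesteps the code path entirely rather than fixing it.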


From → Security
