Gotham Security Daily Threat Alerts

by on January 7, 2015

January 6, Securityweek – (International) Researchers find several UEFI vulnerabilities. The Computer Emergency Response Team Coordination Center (CERT/CC) released three advisories for vulnerabilities in the Unified Extensible Firmware Interface (UEFI) identified by researchers at Bromium and MITRE Corporation. Two vulnerabilities could be exploited by a local, authenticated attacker to bypass security functions and the third is a buffer overflow vulnerability. Source

January 6, The Register – (International) HTTPS can be set as your super-cookie. A researcher demonstrated that the HTTP Strict Transport Security (HSTS) mechanism in HTTPS can be used by a malicious Web site to track which Web sites a user has visited, because HSTS creates a unique identifier to remember preferences for HTTPS sites. HSTS identifiers can be cleared in the Chrome, Firefox, and Opera browsers and are not used in Internet Explorer, but they cannot be cleared in the Safari browser, where they also sync with the iCloud service. Source

January 6, Softpedia – (International) Custom greeting card seller Moonpig fixes security blunder 17 months after responsible disclosure. Greeting card seller Moonpig closed a vulnerability in its Android app that was first reported to the company in August 2013 and could have allowed an attacker to change the customer ID and access customer names, email addresses, dates of birth, addresses, order histories, and the last four digits of payment card numbers. Source

 
