Daily summary - Friday 22-08-2014

End-of-Shift report

Timeframe: Thursday 21-08-2014 18:00 − Friday 22-08-2014 18:00
Handler: Robert Waldner
Co-Handler: n/a

Lua vararg functions buffer overflow

Lua is vulnerable to a buffer overflow, caused by improper bounds checking by vararg functions. By sending an overly long string argument, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.

http://xforce.iss.net/xforce/xfdb/95390


Researchers create privacy wrapper for Android Web apps

Users can wrap Facebook and other apps to better control their privacy and security, according to researchers from North Carolina State University.

http://feeds.arstechnica.com/~r/arstechnica/security/~3/mQ5PZ77i084/


Malicious app can get past Android WITHOUT PERMISSIONS

Be careful what you install, say boffins. Again. Researchers presenting at Usenix have lifted the lid on yet another Android vulnerability: the way apps use memory can be exploited to leak private information with a success rate between 82 and 92 per cent of the time.

http://go.theregister.com/feed/www.theregister.co.uk/2014/08/22/malicious_app_can_get_past_android_without_permissions/


Security Advisory - Remote Security Bypass Vulnerability on Huawei Android Devices

SA No: Huawei-SA-20140821-Android

Android version 4.1.1 - 4.4.2 is prone to a remote security bypass vulnerability (CVE-2013-6272): A vulnerability in the Android system allows an attacker to initiate or terminate arbitrary calls without the call_phone permission. After investigation we confirm that some Huawei smartphone and tablet products are affected.

http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-363101.htm


RTFM 0day in iOS apps: G+, Gmail, FB Messenger, etc.

Normal people spend their nights watching movies, reading articles, socializing or (yes, I know it's odd) sleeping. I spend my nights reading RFCs and pentesting various applications/services.

http://algorithm.dk/posts/rtfm-0day-in-ios-apps-g-gmail-fb-messenger-etc


PHP 5.5.16 is released

The PHP Development Team announces the immediate availability of PHP 5.5.16. This release fixes several bugs against PHP 5.5.15 and resolves CVE-2014-3538, CVE-2014-3587, CVE-2014-2497, CVE-2014-5120 and CVE-2014-3597. All PHP users are encouraged to upgrade to this new version.

http://php.net/archive/2014.php