kme : exploit   18

Shoulder Surfing a Malicious PDF Author | Didier Stevens
What's "incremental updates"? Like Track Changes for PDFs? How is that a good thing?
pdf  malware  exploit 
november 2019 by kme
Firefox exploit found in the wild | Mozilla Security Blog
The vulnerability comes from the interaction of the mechanism that enforces JavaScript context separation (the “same origin policy”) and Firefox’s PDF Viewer. Mozilla products that don’t contain the PDF Viewer, such as Firefox for Android, are not vulnerable. The vulnerability does not enable the execution of arbitrary code but the exploit was able to inject a JavaScript payload into the local file context. This allowed it to search for and upload potentially sensitive local files.

The files it was looking for were surprisingly developer focused for an exploit launched on a general audience news site, though of course we don’t know where else the malicious ad might have been deployed. On Windows the exploit looked for subversion, s3browser, and Filezilla configuration files, .purple and Psi+ account information, and site configuration files from eight different popular FTP clients. On Linux the exploit goes after the usual global configuration files like /etc/passwd, and then in all the user directories it can access it looks for .bash_history, .mysql_history, .pgsql_history, .ssh configuration files and keys, configuration files for remina, Filezilla, and Psi+, text files with “pass” and “access” in the names, and any shell scripts. Mac users are not targeted by this particular exploit but would not be immune should someone create a different payload. [Update: we’ve now seen variants that do have a Mac section, looking for much the same kinds of files as on Linux.]
firefox  exploit  pdf 
november 2015 by kme
Popular Security Software Came Under Relentless NSA and GCHQ Attacks - The Intercept
Kaspersky has repeatedly denied the insinuations and accusations. In a recent blog post, responding to a Bloomberg article, he complained that his company was being subjected to “sensationalist … conspiracy theories,” sarcastically noting that “for some reason they forgot our reports” on an array of malware that trace back to Russian developers.

He continued, “It’s very hard for a company with Russian roots to become successful in the U.S., European and other markets. Nobody trusts us — by default.”
privacy  security  antivirus  exploit  reverseengineering 
july 2015 by kme
The ARDAgent security hole: What you need to know | Macworld
If you don’t use an anti-virus program, there’s a relatively simple method to temporarily plug this hole all on your own. (But please have a current backup before proceeding). Navigate to /System -> Library -> CoreServices -> RemoteManagement, and Control-click on ARDAgent. In the contextual menu that appears, select Compress ARDAgent (in 10.5; in 10.4, I believe it will say Create Archive of ARDAgent). This will create a zip file of ARDAgent on your Desktop (as you don’t have rights to modify the original folder).

Next, drag ARDAgent to the trash can, provide your admin password when asked, then empty the trash. Finally, drag the zipped version of ARDAgent into the RemoteManagement folder, again providing your password when asked. (This last bit is optional; you can keep the file wherever you like, but I find it easier to store it where I know it belongs.)

When Apple releases a security update to patch this hole, expand the zip archive before running Software Update—so that Software Update will find the full application to patch. Note that this solution will prevent anyone from using Apple Remote Desktop to control your Mac. If you’re in such an environment where someone needs access to Apple Remote Desktop—say, in a business or in a school—you’ll need to speak to your administrators about their preferred solution to this problem.

It doesn't help that there's a permissions "inconsistency" on the ARDAgent binary (also SUID) that Disk Utility balks on, which "you can safely ignore":
mac  osx  remoteaccess  remotedesktop  exploit  ardagent  ard 
october 2014 by kme