Android browser vulnerable to Cross Application Scripting

http://www.h-online.com/security/news/item/Android-browser-vulnerable-to-Cross-Application-Scripting-1317645.html

"IBM researchers have found that it is possible for third party
applications to inject JavaScript code into instances of the Android
browser. According to a paper published by the researchers, the
vulnerability exists in Android 2.3.4 and 3.1 and is believed to exist
in earlier versions."

Chrome 13.0.782.107 Released

http://googlechromereleases.blogspot.com/2011/08/stable-channel-update.html

Google released a new version of the Chrome browser for Windows, Mac,
and Linux which introduces many new features and addresses 30 unique
CVEs (14 rated "high", 9 "medium", and 7 "low").

"Thanks again to all the security researchers we work with. There are
$17,000 of rewards in this patch, which is possibly the best haul yet."

Unpatched iPhones/iPads secure connections not so secure

http://nakedsecurity.sophos.com/2011/07/26/unpatched-iphonesipads-secure-connections-not-so-secure/

Apple released an update for iOS devices that addresses a major
vulnerability with insecure SSL/TLS connections and X.509 certificate
handling. Programs currently exist in the wild that can easily hijack a
purportedly "secure" connection from an afflicted device.

VMSA-2011-0010: Third Party Updates for Service Console packages glibc and dhcp

http://www.vmware.com/security/advisories/VMSA-2011-0010.html

"The DHCP client daemon, dhclient, does not properly sanitize certain
options in DHCP server replies. An attacker could send a specially
crafted DHCP server reply, that is saved on the client system and
evaluated by a process that assumes the option is trusted. This could
lead to arbitrary code execution with the privileges of the evaluating
process."
