Vulnerabilities Alerts
[Symantec PCAnywhere] - Zero Day Initiative Advisory 12-018
symantec
Tipping Point
2012-01-25 22:15:26
Zero Day Initiative Advisory 12-018 - This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Symantec PCAnywhere. Authentication is not required to exploit this vulnerability. The flaw exists within the awhost32 component, which is used when handling incoming connections. This process listens on TCP port 5631. When handling an authentication request, the process copies the user-supplied username unsafely to a fixed-length buffer of size 0x108. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the SYSTEM account.
D-Link WBR-1310 Authentication Bypass Vulnerability
D-Link
Craig Heffner
2010-12-25 10:37:44
The WBR-1310 suffers from an authentication bypass vulnerability that can be exploited by remote attackers to change administrative settings. Note that this vulnerability can be exploited via CSRF even if remote administration is disabled.
Internet Explorer Multiple Vulnerabilities : Information leak, memory corruption, code execution
IElogo
Aniway, iDefense Labs
2010-12-14 17:39:33
Multiple vulnerabilities have been reported in Internet Explorer, which can be exploited by malicious people to disclose potentially sensitive information or to compromise a user's system.
Drupal Embedded Media Field Module Arbitrary File Upload and Code Exec Vulnerability
Drupal
Justin Klein Keane
2010-12-11 07:09:08
Drupal (http://drupal.org) is a robust content management system (CMS) written in PHP and MySQL. The Drupal Embedded Media Field module (http://drupal.org/project/emfield) "will create fields for content types that can be used to display video, image, and audio files from various third party providers". Unfortunately, the Embedded Media Field module contains a vulnerability that could allow arbitrary file upload and potentially code execution. The proof of concept and patch detailed below only cover the upload of an image directly to the server, but a remotely sourced image could also be used to exploit this vulnerability.
CiscoWorks Arbitrary Code Execution Vulnerability
Cisco
Cisco Security Advisory
2010-11-06 05:04:32
CiscoWorks Common Services for both Oracle Solaris and Microsoft Windows contains a vulnerability that could allow a remote unauthenticated attacker to execute arbitrary code on a host device with privileges of a system administrator. Cisco has released free software updates that address this vulnerability. There are no workarounds that mitigate this vulnerability. Mitigations that limit the attack surface of this vulnerability are available.
Out-of-band Patch For ASP.NET Vulnerability Released
Microsoft
Tech Writer, Heptacube Inc.
2010-09-28 14:49:16
Microsoft today made available a patch for the recently discovered hole in its ASP.NET framework.
ASP.NET Flaw Used To Decrypt Cookies In Minutes
Microsoft
Tech Writer, Heptacube Inc.
2010-09-27 16:49:01
Last week at the ekoparty Security Conference, researchers detailed their findings on a flaw in Microsoft's popular framework.
Longstanding Bug Haunts Internet Explorer 8
IElogo
Tech Writer, Heptacube Inc.
2010-09-07 15:45:56
First reported in December 2009, the bug has been fixed on all major browsers but Microsoft's.
Windows Zero-Day Exploit Uses Shortcuts And USB Drives
Windows
Tech Writer, Heptacube Inc.
2010-07-16 15:42:51
The malware spreads through removable drives even if AutoPlay is disabled, and installs a rootkit on the computer.
Phishing On 15 US Banks Spreads With The Zeus Trojan
phishing
Tech Writer, Heptacube Inc.
2010-07-14 12:26:24
False 'Verified by Visa' and 'MasterCard SecureCode' pages harvest customers' personal data.
Koobface Returns In Facebook Direct Messages
Facebook
Tech Writer, Heptacube Inc.
2010-07-09 11:48:44
The infamous worm is back, disguised as a Flash update purportedly needed for viewing a video distributed through direct messages on Facebook.


iTunes hacks steal users' money, drive apps to the top of sales charts
Apple
Tech Writer, Heptacube Inc.
2010-07-05 15:32:23
Users of Apple's music and applications store are seeing their accounts hacked to buy shady applications en masse.
New Windows XP flaw in Support Center
Windows
Tech Writer, Heptacube Inc.
2010-06-11 12:23:26
Internet Explorer and Windows Media Player contribute to making Windows XP's Help and Support Center vulnerable to remote attacks.
114,000 iPad users' email addresses leaked by AT&T
Apple
Tech Writer, Heptacube Inc.
2010-06-10 15:05:26
It has been reported that a flaw in AT&T's servers has allowed some white hat hackers to access network IDs and email addresses associated with iPad devices.
Spyware distributed on Mac Web sites
Apple
Tech Writer, Heptacube Inc.
2010-06-04 11:54:55
A security firm has discovered that several free Mac software Web sites are hosting spyware-bearing downloadable applications.
44 million stolen online games credentials
symantec
Tech Writer, Heptacube Inc.
2010-06-01 14:44:42
Symantec has detected a server holding 17GB of stolen user credentials for online games, gathered and verified with Trojans.
Canonical Display Driver bug found on latest 64-bit Windows versions
Windows7logo
Tech Writer, Heptacube Inc.
2010-05-19 11:30:03
Microsoft has released a security advisory concerning a bug related to the Aero desktop theme on Windows 7 and Windows Server 2008.
New Facebook Open Graph leads to user information leaks
Facebook
Tech Writer, Heptacube Inc.
2010-05-13 11:50:28
Once again, the world's top social networking Web site is in hot water for vulnerabilities allowing people to access personal information about users without their consent.
Fake Windows 7 Upgrade Advisor installs a Trojan
Windows7logo
Tech Writer, Heptacube Inc.
2010-05-11 11:39:33
Another malware distribution campaign uses social engineering to spread a Trojan horse.
Proof of Concept shows important, generalized security software design flaw
Windows
Tech Writer, Heptacube Inc.
2010-05-10 16:45:01
Researchers at Matousec have revealed that out of 34 tested security products, none has been able to prevent their proof of concept attack.
Security News
Apple
Vincent A. Menard
2011-09-13 19:33:41
They can do wonderful products and they can be a real pain. I hate being in the position of saying to my customer that the provider I used to publish their software does not provide the requested option, especially when it comes to simple statistics. When you publish an iOS app on the App Store, it is impossible to know the number of app downloads before the last 26 weeks.
Android
Vincent A. Menard, Heptacube
2011-03-22 21:55:36
Openness is loved by Android users, but the idea spreads fast into the malware coders' minds. The DroidDream app recently took Google by surprise: the app simply wipes off your phone, takes your data.