Virtual machine escape fetches $105,000 at Pwn2Own hacking contest [updated]
https://arstechnica.com/security/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/
Microsoft Edge used to escape VMware Workstation at Pwn2Own 2017
http://www.zdnet.com/article/microsoft-edge-used-to-escape-vmware-workstation-at-pwn2own-2017/
Pwn2Own hacking contest ends with two virtual machine escapes
http://www.pcworld.com/article/3182816/security/pwn2own-hacking-contest-ends-with-two-virtual-machine-escapes.html
Pwn2Own virtual machine escape contest: two Chinese teams breach VMware
http://www.ithome.com.tw/news/112909
At Pwn2Own 2017,
researchers successfully completed a virtual machine escape.
This shows that virtual machines are not absolutely secure.
Tuesday, March 21, 2017
Saturday, August 13, 2016
Off-Path TCP Exploits, TCP security vulnerability
Off-Path TCP Exploits: Global Rate Limit Considered Dangerous
http://www.cs.ucr.edu/~zhiyunq/pub/sec16_TCP_pure_offpath.pdf
( http://goo.gl/Rzc587 )
Use the internet? This Linux flaw could open you up to attack
http://www.pcworld.com/article/3106180/security/use-the-internet-this-linux-flaw-could-open-you-up-to-attack.html
( http://goo.gl/XIR8mP )
Study Highlights Serious Security Threat to Many Internet Users
https://ucrtoday.ucr.edu/39030
( https://goo.gl/JdKQST )
Linux kernel vulnerability revealed, lets hackers intercept unencrypted traffic
http://www.ithome.com.tw/news/107739
( http://goo.gl/I06mXW )
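A security vulnerability that first appeared in 2012,
affecting Linux kernels from then on (v3.6 and later versions).
The research paper has been published online.
Hopefully this vulnerability will not lead to security problems later on.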
Wednesday, July 20, 2016
Ubuntu Forums breached, user data stolen
Ubuntu website
Notice of security breach on Ubuntu Forums
https://insights.ubuntu.com/2016/07/15/notice-of-security-breach-on-ubuntu-forums/
( https://goo.gl/5xcN1r )
Tom's Hardware website
Ubuntu Forums Hacked, But Passwords Were Not Compromised
http://www.tomshardware.com/news/ubuntu-forums-hacked-password-safe,32260.html
( http://goo.gl/vkYYj3 )
PC World website
Flaw in vBulletin add-on leads to Ubuntu Forums database breach
http://www.pcworld.com/article/3095902/security/flaw-in-vbulletin-add-on-leads-to-ubuntu-forums-database-breach.html
( http://goo.gl/RdeF6s )
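Canonical confirmed last Friday
that Ubuntu Forums was breached
and user data was stolen.
Ubuntu Forums uses vBulletin;
an add-on was not updated in time to fix a security vulnerability,
which gave the intruder an opening.
More than 100,000 sites on the Internet use vBulletin.
In 2013,
a number of sites using vBulletin were breached,
including vBulletin.com, MacRumors.com
and Ubuntu Forums.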
Tuesday, February 23, 2016
Linux Mint hacked
Beware of hacked ISOs if you downloaded Linux Mint on February 20th!
http://blog.linuxmint.com/?p=2994
Linux Mint website hacked, ISO downloads replaced with backdoored operating system
http://www.pcworld.com/article/3035682/security/hackers-planted-a-backdoor-inside-a-compromised-version-of-linux-mint.html
Linux Mint is reported to have been hacked.
Further developments are worth watching.
Wednesday, January 28, 2015
Unpatched Android Flaws
Source:
Tom's Hardware website
What Google's Unpatched Android Flaws Mean for You
http://www.tomsguide.com/us/google-android-flaws,news-20360.html
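Only Android 4.4 KitKat and later versions are safe.
When buying a smartphone or tablet in future,
consider whether the model can be upgraded to the latest version of Android.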
Monday, July 22, 2013
Adobe updated its Flash Player
Source:
ZDNet
Microsoft, Adobe release patches
July 9, 2013 -- 18:06 GMT
http://www.zdnet.com/microsoft-adobe-release-patches-7000017841/
Skype flaw allows Android lock screen to be cracked
Source:
TechHive
Skype flaw allows Android lock screen to be cracked
Jul 7, 2013 11:00 AM
http://www.techhive.com/article/2043765/skype-flaw-allows-android-lock-screen-to-be-cracked.html
Facebook bug exposed personal data of six million users
Source:
PCWorld
Facebook's recent leak offers a lesson for users who share
Jun 30, 2013 8:45 AM
http://www.pcworld.com/article/2043331/facebooks-recent-leak-offers-a-lesson-for-users-who-share.html
TechHive
Facebook security bug exposes 6 million users' contact info
Jun 21, 2013 2:54 PM
http://www.techhive.com/article/2042717/facebook-security-bug-exposes-6-million-users-contact-info.html
ZDNet
Norton: Android app skips consent, gives Facebook servers user phone numbers
June 29, 2013 -- 02:26 GMT
http://www.zdnet.com/norton-android-app-skips-consent-gives-facebook-servers-user-phone-numbers-7000017475/
+
Firm: Facebook 'bug' worse than reported; non-users also affected
June 26, 2013 -- 13:05 GMT
http://www.zdnet.com/firm-facebook-bug-worse-than-reported-non-users-also-affected-7000017318/
+
Firm: Facebook's shadow profiles are 'frightening' dossiers on everyone
June 24, 2013 -- 10:31 GMT
http://www.zdnet.com/firm-facebooks-shadow-profiles-are-frightening-dossiers-on-everyone-7000017199/
+
Anger mounts after Facebook's 'shadow profiles' leak in bug
June 23, 2013 -- 01:54 GMT
http://www.zdnet.com/anger-mounts-after-facebooks-shadow-profiles-leak-in-bug-7000017167/
+
Facebook bug exposed personal data of six million accounts
June 21, 2013 -- 21:30 GMT
http://www.zdnet.com/facebook-bug-exposed-personal-data-of-six-million-accounts-7000017164/
Vulnerability in Android
Source :
PCWorld
Alternative fixes released for Android 'master key' vulnerability
Jul 16, 2013 9:15 PM
http://www.pcworld.com/article/2044513/alternative-fixes-released-for-android-master-key-vulnerability.html
+
Researchers find another Android attack that can get past signature checks
Jul 11, 2013 11:05 AM
http://www.pcworld.com/article/2044136/researchers-find-another-android-attack-that-can-get-past-signature-checks.html
+
Newly uncovered Android exploit could put millions at risk
Jul 9, 2013 7:11 AM
http://www.pcworld.com/article/2043901/proofofconcept-exploit-available-for-android-app-signature-check-vulnerability.html
+
Vulnerability allows attackers to modify Android apps without breaking their signatures
Jul 3, 2013 8:50 AM
http://www.pcworld.com/article/2043610/vulnerability-allows-attackers-to-modify-android-apps-without-breaking-their-signatures.html
ZDNet
Third-party app released to fix Bluebox Security Android hole
July 17, 2013 -- 19:38 GMT
http://www.zdnet.com/third-party-app-released-to-fix-bluebox-security-android-hole-7000018208/
+
Android should embrace a Windows-style security update model
July 15, 2013 -- 11:41 GMT
http://www.zdnet.com/android-should-embrace-a-windows-style-security-update-model-7000018029/
+
Android OEMs slow to roll out Bluebox Security patch
July 12, 2013 -- 21:58 GMT
http://www.zdnet.com/android-oems-slow-to-roll-out-bluebox-security-patch-7000018012/
+
Proof of concept for Android flaw found, patches start rolling out
July 10, 2013 -- 02:57 GMT
http://www.zdnet.com/proof-of-concept-for-android-flaw-found-patches-start-rolling-out-7000017859/
+
Google releases fix to OEMs for Blue Security Android security hole
July 8, 2013 -- 19:10 GMT
http://www.zdnet.com/google-releases-fix-to-oems-for-blue-security-android-security-hole-7000017782/
+
Security firm claims 99 percent of Android apps open to takeover
July 4, 2013 -- 06:46 GMT
http://www.zdnet.com/security-firm-claims-99-percent-of-android-apps-open-to-takeover-7000017672/
New vulnerability in Java
Source:
New vulnerability in Java 7 opens door to 10-year-old attack, researchers say
Jul 18, 2013 12:20 PM
http://www.pcworld.com/article/2044670/new-vulnerability-found-in-java-7-opens-door-to-10yearold-attack-researchers-say.html
+
Alleged Java flaw raises doubts on Oracle's security stance
July 19, 2013 -- 03:25 GMT (20:25 PDT)
http://www.zdnet.com/alleged-java-flaw-raises-doubts-on-oracles-security-stance-7000018281/
Oracle's July patch release includes 89 fixes
Source :
Oracle's July patch release includes 27 fixes for remote exploits
Jul 16, 2013 6:20 PM
http://www.pcworld.com/article/2044510/oracles-july-patch-release-includes-27-fixes-for-remote-exploits.html
Saturday, June 22, 2013
new Java update : Java 7 Update 25 (Java 7u25)
Java 7 Update 25 (Java 7u25)
Source:
PCWorld
Java update patches 40 security issues
http://www.pcworld.com/article/2042403/java-7-update-25-fixes-40-security-issues-turns-on-certificate-revocation-checking.html
+
ZDNet
Oracle releases latest round of Java security patches
http://www.zdnet.com/oracle-releases-latest-round-of-java-security-patches-7000017002/
Monday, May 20, 2013
Adobe releases critical security updates for Reader, Flash Player and ColdFusion ; Adobe updates ColdFusion, Reader and Flash
Source:
http://www.adobe.com/support/security/bulletins/apsb13-14.html
http://www.adobe.com/support/security/bulletins/apsb13-15.html
+
Adobe releases critical security updates for Reader, Flash Player and ColdFusion
http://www.pcworld.com/article/2038725/adobe-releases-critical-security-updates-for-reader-flash-player-and-coldfusion.html
+
Adobe unleases critical patches for ColdFusion, Reader and Flash
http://www.zdnet.com/adobe-unleases-critical-patches-for-coldfusion-reader-and-flash-7000015414/
Users of Flash Player for Windows and Macintosh should update to Flash Player 11.7.700.202,
while users of Flash Player for Linux should update to Flash Player 11.2.202.285
Windows and Macintosh users: update Flash to 11.7.700.202
Linux users: update Flash to 11.2.202.285
Saturday, April 20, 2013
Java has been updated
Source:
Oracle :
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
PCWorld :
Java 7 Update 21 to fix bugs, change applet warning messages
http://www.pcworld.com/article/2034738/java-7-update-21-to-fix-bugs-change-applet-warning-messages.html
+
Oracle shipping 128 patches for apps, database and middleware
http://www.pcworld.com/article/2034729/oracle-shipping-128-patches-for-apps-database-and-middleware.html
Cnet :
Oracle preps 128 security patches; Java gets 42
http://news.cnet.com/8301-1009_3-57579845-83/oracle-preps-128-security-patches-java-gets-42/
ZDNet :
Oracle to release 128 security patches, hundreds of products affected
http://www.zdnet.com/oracle-to-release-128-security-patches-hundreds-of-products-affected-7000014082/
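Sunday, March 17, 2013
Adobe fixes Adobe Flash security vulnerabilities
Adobe fixed Adobe Flash security vulnerabilities at the end of February.
No further security vulnerabilities have been reported so far.
Source: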
http://www.pcworld.com/article/2029475/third-times-the-charm-adobe-patches-even-more-critical-reader-vulnerabilities.html
Third time's the charm? Adobe patches even more critical Flash vulnerabilities
Daniel Ionescu @danielionescu
Feb 27, 2013 7:35 AM
http://news.cnet.com/8301-1009_3-57571468-83/adobe-issues-emergency-patch-for-zero-day-flash-vulnerabilities/
Adobe issues emergency patch for zero-day Flash vulnerabilities
by Steven Musil
February 26, 2013 3:51 PM PST
http://www.zdnet.com/adobe-issues-another-patch-for-flash-vulnerabilities-7000011872/
Adobe issues another patch for Flash vulnerabilities
By Ellyne Phneah | February 27, 2013 -- 02:24 GMT (18:24 PST)
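Java still has security vulnerabilities (Java 7, Update 17 + Java 6, Update 43)
According to the sources below,
the current latest versions of Java, Java 7, Update 17 and Java 6, Update 43,
still have security vulnerabilities.
Source: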
1. PC World
http://www.pcworld.com/article/2030778/researchers-javas-security-problems-unlikely-to-be-resolved-soon.html
Researchers: Java's security problems unlikely to be resolved soon
Lucian Constantin, IDG News Service
Mar 14, 2013 5:05 AM
http://www.pcworld.com/article/2030086/cybercriminals-using-digitally-signed-java-exploits-to-trick-users.html
Cybercriminals using digitally signed Java exploits to trick users
Lucian Constantin, IDG News Service
Mar 5, 2013 12:15 PM
http://www.pcworld.com/article/2030067/five-new-flaws-found-in-the-latest-version-of-java.html
Five new flaws found in the latest version of Java
By Antone Gonsalves, CSO
Mar 5, 2013 7:41 AM
http://www.pcworld.com/article/2030056/oracle-releases-emergency-fix-for-java-zeroday-exploit.html
Oracle releases emergency fix for Java zero-day exploit
Lucian Constantin, IDG News Service
Mar 4, 2013 4:25 PM
http://www.pcworld.com/article/2029987/latest-java-zero-day-exploit-is-linked-to-bit9-hacker-attack.html
Latest Java zero-day exploit is linked to Bit9 hacker attack
Lucian Constantin, IDG News Service
Mar 4, 2013 8:20 AM
http://www.pcworld.com/article/2029741/another-java-flaw-exploited-security-researchers-warn.html
Another Java flaw exploited, security researchers warn
Lucian Constantin, IDG News Service
Mar 1, 2013 6:45 AM
http://www.pcworld.com/article/2028788/oracle-releases-new-java-fixes-speeds-up-patching-cycle.html
Oracle releases new Java fixes, speeds up patching cycle
Lucian Constantin, IDG News Service
Feb 20, 2013 6:22 AM
2. ZDNet
http://www.zdnet.com/oracle-rushes-out-last-minute-patch-for-vulnerabilities-7000012118/
Oracle rushes out last-minute patch for vulnerabilities
By Michael Lee | March 5, 2013 -- 03:33 GMT (19:33 PST)
http://www.zdnet.com/java-zero-day-malware-was-signed-with-certificates-stolen-from-security-vendor-7000012079/
Java zero-day malware 'was signed with certificates stolen from security vendor'
By Liam Tung | March 4, 2013 -- 11:37 GMT (03:37 PST)
http://www.zdnet.com/oracle-investigating-after-two-more-java-7-zero-day-flaws-found-7000011965/
Oracle investigating after two more Java 7 zero-day flaws found
By Zack Whittaker for Zero Day | February 28, 2013 -- 16:36 GMT (08:36 PST)
3. Cnet
http://news.cnet.com/8301-1009_3-57572496-83/oracle-issues-emergency-java-update-to-patch-vulnerabilities/
Oracle issues emergency Java update to patch vulnerabilities
by Dara Kerr
March 4, 2013 7:22 PM PST
http://news.cnet.com/8301-1009_3-57572168-83/more-java-based-malware-plagues-the-cross-platform-runtime/
More Java-based malware plagues the cross-platform runtime
by Topher Kessler
March 1, 2013 3:32 PM PST
4. ITHome
http://www.ithome.com.tw/itadm/article.php?c=79160
Two updates in vain: another serious Java vulnerability revealed
By 楊智傑, 2013-03-10
http://www.ithome.com.tw/itadm/article.php?c=79091
Oracle issues emergency patch for the Java vulnerability found last week
By 陳曉莉 (translated and compiled), 2013-03-05
Sunday, October 7, 2012
Java has a security vulnerability (5, 6 and 7 all affected)
Source:
http://news.cnet.com/8301-1009_3-57520532-83/new-java-flaw-could-hit-1-billion-users/
http://www.pcworld.com/article/2010607/windows-pcs-and-macs-at-risk-of-another-zero-day-java-bug.html
http://blogs.computerworld.com/malware-and-vulnerabilities/21056/another-critical-java-vulnerability-puts-1-billion-users-risk
http://seclists.org/fulldisclosure/2012/Sep/170
http://www.security-explorations.com/en/SE-2012-01-status.html
Security experts have again found a security vulnerability in Java.
Java 5, 6 and 7 are all affected.
Oracle has not yet fixed this vulnerability.