Security Alerts & News
by Tymoteusz A. Góral

History
#1894 Facebook’s ImageTragick story
"I want to believe that all of you know about ImageMagick and its Tragick. This issue was found in the end of the April, 2016 and due to many processing plugins depends on the ImageMagick library this issue has a huge impact. Since there were evidences that information about this issue was available not only for researchers, who discovered it and ImageMagick’s development team, but also for others, on the 3rd of May, 2016 the information (without PoC) was disclosed. Many of researchers got this low-hanging fruit while discovering applications which were not updated in time. But for some unknowable reason i was not among them. "
#1893 Router vulnerabilities disclosed in July remain unpatched
Details on serious vulnerabilities in a number of routers freely distributed by a major Thai ISP were published on Monday after private disclosures made to the vendors in July went unanswered.

Researcher Pedro Ribeiro of Agile Information Security found accessible admin accounts and command injection vulnerabilities in ZyXel and Billion routers distributed by TrueOnline, Thailand’s largest broadband company.

Ribeiro said he disclosed the vulnerabilities through Beyond Security’s SecuriTeam Secure Disclosure Program, which contacted the affected vendors last July. Ribeiro published a proof of concept exploit yesterday as well.
#1892 Secret tokens found hard-coded in hundreds of Android apps
A security research firm has found hundreds of Android apps that are leaking sensitive secret keys and tokens, which could be used and abused by hackers.

Fallible, a Delaware-based security firm, spent the past few months reverse engineering thousands of apps to discover security issues, such as leaky secret keys. These keys often belong to third-party services to help app integration, but if leaked could be used to manipulate or abuse the services.
#1891 Vulnerabilities leave iTunes, App Store open to script injection
Apple is reportedly aware of and is in the middle of fixing a pair of vulnerabilities that exist in iTunes and the App Store. If exploited, researchers claim an attacker could inject malicious script into the application side of the vulnerable module or function.

Vulnerability Lab’s Benjamin Kunz Mejri disclosed the vulnerabilities on Monday, explaining the issues can be jointly exploited via iTunes and the App Store’s iOS “Notify” function.

Apple implemented the function in September, in the weeks leading up to the release of the game Super Mario Run. The function takes information from the device, such iCloud credentials or devicename values, to alert users when a soon-to-launch application debuts.
#1890 It’s shockingly easy to hijack a Samsung SmartCam camera
Smart cameras marketed under the Samsung brand name are vulnerable to attacks that allow hackers to gain full control, a status that allows the viewing of what are supposed to be private video feeds, researchers said.

The remote code-execution vulnerability has been confirmed in the Samsung SmartCam SNH-1011, but the researchers said they suspect other models in the same product line are also susceptible. The flaw allows attackers to inject commands into a Web interface built into the devices. The bug resides in PHP code responsible for updating a video monitoring system known as iWatch. It stems from the failure to properly filter malicious input included in the name of uploaded files. As a result, attackers who know the IP address of a vulnerable camera can exploit the vulnerability to inject commands that are executed with unfettered root privileges.
History
2017: 01 02 03 04 05
2016: 01 02 03 04 05 06 07 08 09 10 11 12