Security Alerts & News
by Tymoteusz A. Góral

History
#2124 Polish authorities confirm hack of Bitcurex bitcoin exchange, launch investigation
Polish authorities in the town of Lodz have launched an official investigation into the closure of Bitcurex, a Bitcoin trading platform that launched in 2012, and closed earlier this year.

The timeline of events that led to Bitcurex's closure is complex and spans six months.
#2123 0day or feature? Privilege escalation / session hijacking all Windows versions
A privileged user who can gain command execution with NT AUTHORITY/SYSTEM rights can hijack any currently logged-in user's session without any knowledge of that user's credentials.
A Terminal Services session can be in either a connected or a disconnected state.
#2122 GitHub awards researcher $18,000 for remote code execution flaw discovery
GitHub has awarded a researcher $18,000 for disclosing a security flaw in GitHub Enterprise which could have led to remote code execution.

According to independent German researcher Markus Fenske, the code repository awarded him the amount for disclosing a serious security vulnerability in GitHub Enterprise, an on-premise version of GitHub designed for businesses looking to collaborate on coding but retain strict control of permissions and access to projects.
#2121 Alert: Cisco IOS and IOS XE software Cluster Management Protocol remote code execution vulnerability
A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges.
#2120 Virtual machine escape fetches $105,000 at Pwn2Own hacking contest
Contestants at this year's Pwn2Own hacking competition in Vancouver just pulled off an unusually impressive feat: they compromised Microsoft's heavily fortified Edge browser in a way that escapes a VMware Workstation virtual machine it runs in. The hack fetched a prize of $105,000, the highest awarded so far over the past three days.

According to a Friday morning tweet from the contest's organizers, members of Qihoo 360's security team carried out the hack by exploiting a heap overflow bug in Edge, a type confusion flaw in the Windows kernel and an uninitialized buffer vulnerability in VMware. The result was a "complete virtual machine escape."