Hey all,
Here are this week’s cyber updates:
(1) PHPMailer was found to be exposed to a critical remote code execution vulnerability (CVE-2016-10033).
While the security researcher hasn't yet published a working exploit (due to responsible disclosure), looking at the diff between version 5.2.17 and 5.2.18 (the patched version) shows that the sender ("from") email address was not validated before being placed on the sendmail command line. Thus it is possible to inject additional command-line arguments through that parameter, which are then passed to the OS's sendmail binary and acted on, giving code execution on the host.
PHPMailer is used by several open-source projects,
including: WordPress, Drupal, 1CRM, SugarCRM, Yii and Joomla.
Clients are requested to update their PHPMailer version immediately.
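To make the bug class concrete, here is an added illustration (my own code, not PHPMailer's): a helper that builds the sendmail command the way the pre-5.2.18 code did, beside a validation step that refuses sender addresses which cannot safely reach a shell. The function names and the two sample addresses are constructed for this example; the quoted local part is RFC-valid, which is exactly why a syntax-only validator lets it through.

```php
<?php
// Added illustration, not PHPMailer's code: how an unvalidated sender address
// reaches the sendmail command line, and a validation step that blocks it.
// Function names and sample addresses below are constructed for this example.

// Models the pre-5.2.18 pattern: the binary path is escaped, the sender is not,
// so any whitespace inside the address becomes extra sendmail arguments.
function buildSendmailCommandUnsafe(string $sendmailPath, string $sender): string
{
    return sprintf('%s -oi -f%s -t', escapeshellcmd($sendmailPath), $sender);
}

// Conservative sender check for use before handing an address to a shell:
// require a syntactically valid address AND refuse the quoted local parts that
// RFC 5321 permits but that let whitespace and shell metacharacters through.
function isSafeSender(string $sender): bool
{
    if (filter_var($sender, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Allow only a plain dot-atom local part and a hostname: no quotes, no spaces.
    return preg_match('/^[A-Za-z0-9.!#$%&\'*+\/=?^_`{|}~-]+@[A-Za-z0-9.-]+$/', $sender) === 1;
}

// Hardened builder: validate first, then still quote the value as a single argument.
function buildSendmailCommandSafe(string $sendmailPath, string $sender): string
{
    if (!isSafeSender($sender)) {
        throw new InvalidArgumentException('Refusing unsafe sender address');
    }
    return sprintf('%s -oi -f%s -t', escapeshellcmd($sendmailPath), escapeshellarg($sender));
}

// Constructed sample addresses: a normal one, and an RFC-valid quoted local
// part containing a space, which a regex-only validator accepts but which the
// shell splits into an additional argument to sendmail.
$normal = 'alerts@example.com';
$quoted = '"a b"@example.com';

echo buildSendmailCommandUnsafe('/usr/sbin/sendmail', $normal), PHP_EOL;
echo buildSendmailCommandUnsafe('/usr/sbin/sendmail', $quoted), PHP_EOL;

foreach ([$normal, $quoted] as $addr) {
    try {
        echo buildSendmailCommandSafe('/usr/sbin/sendmail', $addr), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "rejected {$addr}: {$e->getMessage()}", PHP_EOL;
    }
}
```

The second unsafe line shows the space inside the quoted local part landing on the command line unescaped; the hardened builder rejects that address outright and wraps any accepted one in escapeshellarg so it can only ever be one argument. Validation alone is not enough here: the check must reflect what the downstream consumer (a shell) does with the string, not only what the email RFCs allow.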
(2) An SQL injection vulnerability exists in Panasonic Avionics' in-flight entertainment (IFE) systems, allowing an attacker on board to affect the entertainment system on your flight. While illegal, you can try to exploit it the next time you fly with American Airlines, United, Virgin,
Emirates, Etihad, Qatar, FinnAir, KLM, Iberia, Scandinavian, Air France,
Singapore, or Aerolineas Argentinas. Just in case you had any doubt, I am not
telling you to hack these systems and I will definitely not bail you out if
you've chosen to do so :)
Here are all the details: http://blog.ioactive.com/2016/12/in-flight-hacking-system.html
(3) With "surprising" timing after this incident, Gogo, one of Panasonic Avionics' major competitors, has launched a new bug bounty program, asking security researchers to find vulnerabilities in its products.
The company’s products are used
by numerous airlines, such as: Aeroméxico, Aer Lingus, American Airlines, Air
Canada, Alaska Airlines, Beijing Capital, British Airways, Delta Air Lines,
GOL, Hainan Airlines, Iberia, Japan Airlines, JTA, United Airlines, Vietnam
Airlines, Virgin America and Virgin Atlantic.
Here are the details: https://www.scmagazine.com/gogo-launches-bug-bounty/article/627732/
(4) This Xmas has brought a surprising "gift" to UK Groupon users: many of them have reported that their accounts were hacked.
Groupon says there hasn't been any security breach of its own site or app, but acknowledges it has seen a series of cases where fraudsters managed to get into Groupon accounts after obtaining login and password details via third-party websites; in other words, credential stuffing with passwords reused from other sites. In other words, Groupon blames its customers and does not intend to do anything about it.
Here are all the details: http://www.moneysavingexpert.com/news/shopping/2016/12/fraudsters-target-groupon-accounts-to-make-unauthorised-purchases---check-now-if-youre-affected
Stay tuned for more updates,
Dan Gurfinkel
Head of Offensive Security & Response Unit