Edge Security Flaw Allows Theft of Facebook and Twitter Credentials

Posted on May 16, 2017 by mea

To exploit the flaw, Caballero says that an attacker can use server redirect requests combined with data URIs, which would allow him to confuse Edge’s SOP filter and load unauthorized resources on sensitive domains. The expert explains the attack step by step on his blog.

In the end, the attacker will be able to inject a password form on another domain, which the built-in Edge password manager will automatically fill in with the user’s credentials for that domain. Below is a video of the attack.

Source: Edge Security Flaw Allows Theft of Facebook and Twitter Credentials

ReactOS Project

Posted on March 31, 2017 by mea

Imagine running your favorite Windows applications and drivers in an open-source environment you can trust. That’s ReactOS. Not just an Open but also a Free operating system.

Source: Front Page | ReactOS Project

Need an SSH client on Windows? Don’t use Putty or CygWin…use Git

Posted on March 18, 2017 by mea

Ok, maybe not…but its very likely that if you are reading this and find yourself needing to SSH here and there, you also use GIT. Well many are unaware that git for windows bundles several Linux familiar tools. Many might use these in the git bash shell.

Source: Need an SSH client on Windows? Don’t use Putty or CygWin…use Git — Hurry Up and Wait!

Microsoft shows Windows 10 market share growing steadily, but the numbers are fake

Posted on February 2, 2017 by mea

That means that when Microsoft showed Windows 10 overtaking Windows 7, this apparently happened in August last year. Most other analysts don’t see that seismic shift happening globally until December 2017, at the earliest.

Source: Microsoft shows Windows 10 market share growing steadily, but the numbers are fake [Updated]

Configure Windows telemetry in your organization (Windows 10)

Posted on December 26, 2016 by mea

Microsoft does not intend to gather sensitive information, such as credit card numbers, usernames and passwords, email addresses, or other similarly sensitive information for Linguistic Data Collection. We guard against such events by using technologies to identify and remove sensitive information before linguistic data is sent from the user’s device. If we determine that sensitive information has been inadvertently received, we delete the information.

Source: Configure Windows telemetry in your organization (Windows 10)

Cyanogen Inc shutting down CyanogenMod nightly builds and other services, CM will live on as Lineage

Posted on December 25, 2016 by mea

The CyanogenMod team has posted an update of their own, confirming the shutdown of the CM infrastructure and outlining a plan to continue the open-source initiative as Lineage, which we suspected was going to be the case last week.

Source: Cyanogen Inc shutting down CyanogenMod nightly builds and other services, CM will live on as Lineage [Updated]

0-days hitting Fedora and Ubuntu open desktops to a world of hurt

Posted on December 16, 2016 by mea

The exploit ending in .flac works as a drive-by attack when a Fedora 25 user visits a booby-trapped webpage. With nothing more than a click required, the file will open the desktop calculator. With modification, it could load any code an attacker chooses and execute it with the same system privileges afforded to the user. While users typically don’t have the same unfettered system privileges granted to root, the ones they do have are plenty powerful.

Source: 0-days hitting Fedora and Ubuntu open desktops to a world of hurt

Here’s a blurb from the researcher’s blog post about this:

Resolving all the above, I present here a full, working, reliable, 0day exploit for current Linux distributions (Ubuntu 16.04 LTS and Fedora 25). It’s a full drive-by download in the context of Fedora. It abuses cascading subtle side effects of an emulation misstep that at first appears extremely difficult to exploit but ends up presenting beautiful and 100% reliable exploitation possibilities.

Source: Redux: compromising Linux using… SNES Ricoh 5A22 processor opcodes?!

“Most serious” Linux privilege-escalation bug ever is under active exploit

Posted on October 21, 2016 by mea

The vulnerability, a variety known as a race condition, was found in the way Linux memory handles a duplication technique called copy on write. Untrusted users can exploit it to gain highly privileged write-access rights to memory mappings that would normally be read-only. More technical details about the vulnerability and exploit are available here, here, and here. Using the acronym derived from copy on write, some researchers have dubbed the vulnerability Dirty COW.

Source: “Most serious” Linux privilege-escalation bug ever is under active exploit (updated)

With Windows 10, Microsoft Blatantly Disregards User Choice and Privacy

Posted on August 24, 2016 by mea

The tactics Microsoft employed to get users of earlier versions of Windows to upgrade to Windows 10 went from annoying to downright malicious. Some highlights: Microsoft installed an app in users’ system trays advertising the free upgrade to Windows 10. The app couldn’t be easily hidden or removed, but some enterprising users figured out a way. Then, the company kept changing the app and bundling it into various security patches, creating a cat-and-mouse game to uninstall it.

Source: With Windows 10, Microsoft Blatantly Disregards User Choice and Privacy: A Deep Dive | Electronic Frontier Foundation

And while users can disable some of these settings, it is not a guarantee that your computer will stop talking to Microsoft’s servers. A significant issue is the telemetry data the company receives. While Microsoft insists that it aggregates and anonymizes this data, it hasn’t explained just how it does so.

Alpine Linux

Posted on February 8, 2016 by mea

Alpine Linux is a security-oriented, lightweight Linux distribution based on musl libc and busybox.

Source: Alpine Linux | Alpine Linux

Bucktown Bell

Cut to the chase.

Category Archives: Operating Systems