October 15, Help Net Security – (International) Attackers can use Siri, Google Now to secretly take over smartphones. Security researchers from the French Network and Information Security Agency discovered that attackers could use a laptop running GNU Radio, an amplifier, a universal software radio peripheral (USRP) software-defined radio, and an antenna to take over smartphones with headphones plugged in via the Google Now and Siri personal assistants. The attack utilizes the device’s headphone cord as an antenna, and can enable hackers to force phones to send emails and messages, visit malicious sites, or become an eavesdropping device. Source
October 15, Securityweek – (International) Serious vulnerabilities patched in SAP products. SAP released 29 patches and support packages addressing 1 critical and 15 high priority issues, including missing authorization checks, information disclosure vulnerabilities, cross-site scripting (XSS) flaws, buffer overflows, and a structured query language (SQL) injection vulnerability, as well as a severe remote command execution vulnerability affecting the SAP HANA database management system. Source
October 14, Securityweek – (International) Zero-day flaw in Magento tool exploited in the wild. Security researchers from Trustwave discovered a vulnerability in a version of the Magmi mass importer tool for eBay’s Magento platform in which the tool’s “download_file.php” opens a specified file without conducting checks to guard against directory traversal attacks, potentially allowing access to sensitive files. Magento identified and contacted the owners of 1,700 potentially vulnerable Web sites. Source
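
The missing check described in the Magento item above, sketched as an added example (not Magmi's code and not taken from the report): a download handler canonicalizes the requested name and serves it only if the result stays inside one base directory. The function name `resolve_download_path` and the demo directory layout are hypothetical.

```php
<?php
// Added example: hypothetical helper, not code from Magmi or Magento.

/**
 * Return the canonical path of $requested if it is a regular file inside
 * $baseDir, or null if it is missing or resolves outside that directory.
 */
function resolve_download_path(string $baseDir, string $requested): ?string
{
    // Empty names and embedded NUL bytes are never valid file names.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // realpath() collapses "." and ".." and follows symlinks; it returns
    // false when the target does not exist.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Compare against the base WITH a trailing separator, so a sibling such
    // as "exports-old" is not mistaken for a child of "exports".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed demo tree under the system temp directory.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/exports', 0700, true);
mkdir($root . '/exports-old', 0700, true);
file_put_contents($root . '/exports/report.csv', "sku,qty\n");
file_put_contents($root . '/exports-old/old.csv', "sku,qty\n");
file_put_contents($root . '/secret.conf', "db_password=constructed\n");

// One legitimate name, then names that resolve outside the base or do not exist.
$names = ['report.csv', '../secret.conf', '../exports-old/old.csv', 'missing.csv'];
foreach ($names as $name) {
    $path = resolve_download_path($root . '/exports', $name);
    printf("%-24s => %s\n", $name, $path === null ? 'rejected' : 'allowed');
}
```

Checking the canonical path rather than filtering `../` substrings out of the input also covers symlinks and encoded or nested traversal sequences, because the decision is made on the location the filesystem would actually open.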