Skype Vulnerability

Please note that there appears to be a security vulnerability in Skype allowing an attacker to gain access to Skype accounts:

Here’s how it works:
> Sign up for a new Skype account. Use the victim’s email. A warning will come up that an account with that email already exists, but you can still proceed with filling out the form and account creation.
> Log in to the Skype client with your new account.
> https://login.skype.com/account/password-reset-request – request a password reset using the victim’s email.
> You will get a password reset notification and token in your Skype client. Follow the link to pick the victim’s account and reset the password.
> It appears the only way to safeguard yourself for now is to change your main Skype account email to one that’s not publicly known.

Source:
http://www.reddit.com/r/netsec/comments/13664q/skype_vulnerability_allowing_hijacking_of_any/

Update 12:27 CET: This was quickly remedied by Skype.
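The flaw described above comes down to two missing server-side checks: registration only warned about, rather than refused, an email address already bound to an account, and a reset token was delivered to any client sharing that address and let it choose among the accounts. The following Python sketch is an added example, not Skype's code or anything from the Reddit post; the AccountService class, its methods and the sample addresses are all hypothetical. It shows a registration and reset flow that refuses duplicate addresses outright, issues a token bound to exactly one account, sends it only to that account's verified address, and accepts it only once and only for the account it was issued for.

```python
from __future__ import annotations

import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Account:
    account_id: str
    email: str
    email_verified: bool
    password: str  # plain field for the demo only; a real service stores a KDF hash


class AccountService:
    """Hypothetical account store with the two checks the Skype report describes as missing."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.by_email: dict[str, str] = {}       # normalised email -> account_id
        self.reset_tokens: dict[str, str] = {}   # token -> the ONE account it was issued for
        self.outbox: list[tuple[str, str]] = []  # (recipient email, token) "sent" mail, for inspection

    @staticmethod
    def _norm(email: str) -> str:
        return email.strip().lower()

    def register(self, account_id: str, email: str, password: str, verified: bool = False) -> Account:
        key = self._norm(email)
        if key in self.by_email:
            # Check 1: an address already bound to an account is refused, not merely warned about.
            raise ValueError("email already registered")
        acct = Account(account_id, key, verified, password)
        self.accounts[account_id] = acct
        self.by_email[key] = account_id
        return acct

    def request_reset(self, email: str) -> bool:
        key = self._norm(email)
        account_id = self.by_email.get(key)
        if account_id is None or not self.accounts[account_id].email_verified:
            # Same response either way, so callers cannot enumerate addresses,
            # and an unverified claim to an address never triggers a token.
            return True
        token = secrets.token_urlsafe(32)
        # Check 2: the token is bound to exactly one account and is sent only to that
        # account's verified address, never to a client that merely registered the address.
        self.reset_tokens[token] = account_id
        self.outbox.append((key, token))
        return True

    def complete_reset(self, token: str, account_id: str, new_password: str) -> bool:
        bound = self.reset_tokens.get(token)
        if bound is None or not hmac.compare_digest(bound, account_id):
            return False  # unknown or already-used token, or presented for a different account
        del self.reset_tokens[token]  # single use
        self.accounts[account_id].password = new_password
        return True


def resists_reported_sequence(service: AccountService, victim_email: str, attacker_id: str) -> bool:
    """Regression check: replay the report's sequence and confirm the hardened flow stops it."""
    try:
        service.register(attacker_id, victim_email, "attacker-pw")
        return False  # the duplicate address was accepted, so the report's first step succeeds
    except ValueError:
        pass
    service.request_reset(victim_email)
    # Every token issued for that address went to the address itself, not to a second account.
    return all(to == service._norm(victim_email) for to, _ in service.outbox)


if __name__ == "__main__":
    svc = AccountService()
    svc.register("victim", "Victim@Example.com", "old-pw", verified=True)  # constructed sample
    print("resists reported sequence:", resists_reported_sequence(svc, "victim@example.com", "attacker"))
```

The regression function is the part worth keeping in a real test suite: it encodes the reported sequence as a check that should stay green after any refactor of the registration or reset code.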

Zero-day Microsoft Internet Explorer

A new high-risk Internet Explorer zero-day exploit is currently active in the wild.

That means that anyone using Internet Explorer 7, 8 or 9 to browse the internet can be infected simply by visiting a web page that carries the malicious code. The code then downloads an exploit pack to your computer, which can give unauthorized people access to your infrastructure.

There is currently no patch or workaround for the issue from Microsoft, so the only viable option is to switch to another browser. Thinking “I won’t click any links from unknown people” is unfortunately not enough: it is becoming more and more common for attackers either to compromise well-known sites and add the code, or to purchase banner space on well-known sites so that the code runs without you noticing anything at all.

Two browsers you could use are:
Firefox: http://www.getfirefox.com
Chrome: http://www.google.com/chrome/

For more information: http://www.kb.cert.org/vuls/id/480095

Update: Microsoft has since released a fix. Run Windows Update to get the latest versions available.

High Risk Java vulnerability

There is currently an extremely high-risk Java vulnerability out in the wild that can potentially cause havoc for a lot of users and systems. All someone has to do is get you to visit a site with the malicious code, which can then run an exploit kit on your system under the same user as the Java process, which in most cases means taking over your entire system.

This is not only relevant for sysadmins, but for anyone connected to the internet. A website you open could potentially have the code on it, and the attacker would then have access to your PC to install key loggers, or whatever they want – which could be used to breach not only your own PC but your corporate network.

There is currently no fix for this issue, which is why it’s highly recommended to disable the Java plugin in your browsers. If you need to use Java Applets, then it’s suggested to use NoScript with Firefox as you can then whitelist sites you wish to use Java on, and block it on the rest.

You can find more information here:
https://www.us-cert.gov/cas/techalerts/TA12-240A.html
http://www.kb.cert.org/vuls/id/636312

High Risk Java Vulnerability

There is an extremely high-risk exploit out that can potentially cause havoc for a lot of users and systems. All someone has to do is get you to visit a site with the malicious code, which will then run an exploit kit under the same user as the Java process, which in most cases means taking over your entire system.

This is not only relevant for sysadmins, but for anyone connected to the internet. A website you open could potentially have the code on it, and the attacker would then have access to your PC to install key loggers, or whatever they want.

There is currently no fix for this issue, which is why it’s highly recommended to disable Java in your browsers. If you need to use Java Applets, then it’s suggested to use a secondary browser or a virtual environment dedicated to that purpose only.

You can find more information here:
https://www.us-cert.gov/cas/techalerts/TA12-240A.html
http://www.kb.cert.org/vuls/id/636312