A vulnerability found in Microsoft's Internet Explorer allows hackers to
track the movements of your mouse cursor across the screen, which
could in turn reveal data entered on virtual keyboards.
Virtual keyboards and keypads can be used to reduce the chance of a
keylogger recording every keystroke and therefore being able to "read"
your passwords. However, Spider.io discovered that Internet Explorer
versions 6 to 10 make it possible for your mouse cursor to be tracked
anywhere on screen, even if the IE tab is minimized. You can see a
video demonstration of the vulnerability embedded in this post, or you
can try it yourself at http://iedataleak.spider.io/demo (provided
you are browsing with IE).
On a separate note, a vulnerability in Windows 8 will keep Windows
techs busy over Christmas.
[QUOTE]Justin Angel, an engineer working on Finnish phonemaker Nokia
Oyj.'s Windows Phone team, has made the curious decision of going
public with details of security flaws in partner Microsoft Corp.'s
Windows 8, which allow users to pirate games.
Windows 8 users can grab games via Windows Store. Paid titles
typically come with a "Trial" option, which allows users to play a level
or two of the game, before being prompted to purchase the title if
they want to keep playing. The trial process is controlled by a
Microsoft API.
But Mr. Angel reveals a fatal flaw in the scheme: Microsoft stores
the key/hash in plaintext and the algorithm to encrypt/decrypt the
data next to the app itself. In other words, while not for the novice,
power users can write small programs to decrypt the program's
permissions, write new permissions to make the game look
legitimately purchased, and then re-encrypt the permissions.
By exploiting the flaws, users can not only get games for free, but they
can rid themselves of ads, albeit in a somewhat unethical manner.
But Mr. Angel does not stop there. He also shows off more security
flaws, showing how JavaScript injection attacks can be used to gain
access (for free) to in-app purchases. As an example he uses such
an attack to unlock purchasable levels in the popular game Cut The
Rope.[/QUOTE]
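
An added example, not part of the original post or of Mr. Angel's write-up: the design point behind the quoted flaw is that encrypting a licence with a key stored beside it gives no integrity, while a tag computed with a key held only by a server lets the server reject a changed record. The keys, record fields and function names are assumptions made for illustration, and the SHAKE-256 XOR cipher is a toy stand-in for whatever cipher an app might use.

```python
import hashlib
import hmac
import json

# Constructed values: keys, record layout and field names are assumptions
# for this example, not the Windows Store licence format.
LOCAL_KEY = b"key-stored-beside-the-app"     # readable by any local user
SERVER_KEY = b"key-held-only-by-the-server"  # never shipped to the client


def _xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHAKE-256 keystream) standing in for a real one."""
    stream = hashlib.shake_256(key).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))


def _encode(record: dict) -> bytes:
    return json.dumps(record, sort_keys=True).encode()


def local_seal(record: dict) -> bytes:
    """Weak design: encrypt the licence with a key that sits next to it."""
    return _xor(LOCAL_KEY, _encode(record))


def local_open(blob: bytes) -> dict:
    """The app trusts whatever decrypts; nothing proves who wrote it."""
    return json.loads(_xor(LOCAL_KEY, blob))


def server_issue(record: dict) -> dict:
    """Stronger design: the server authenticates the record with its own key."""
    tag = hmac.new(SERVER_KEY, _encode(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def server_verify(receipt: dict) -> bool:
    """Runs server-side; without SERVER_KEY a changed record cannot be re-tagged."""
    expected = hmac.new(SERVER_KEY, _encode(receipt["record"]), hashlib.sha256)
    return hmac.compare_digest(expected.hexdigest(), receipt["tag"])


def compare_designs() -> dict:
    """Change one field under each design and report whether it is accepted."""
    changed = {"app": "demo-game", "license": "full"}
    receipt = server_issue({"app": "demo-game", "license": "trial"})
    receipt["record"] = changed  # tag still covers the original record
    return {"local": local_open(local_seal(changed)) == changed,
            "server": server_verify(receipt)}
```

The server-side check only helps if the entitlement decision is also made, or re-checked, on the server; a client that verifies the tag itself would need the key locally and recreate the same weakness.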