Spyware, viruses, & security forum: NEWS - January 29, 2013

The Rails developers have released Ruby on Rails 3.0.20 and 2.3.16 which contain one, and only one, "extremely critical security fix". The problem only affects Rails 3.0.x and 2.3.x with Rails 3.1.x and 3.2.x not affected. Users of the 2.3 and 3.0 branches are advised to update as soon as possible, or to apply patches if they cannot upgrade. If they cannot do that either, a workaround of setting

ActiveSupport::JSON.backend = "JSONGem"

in the application's initialisation code will, at least, prevent the vulnerable code from being called.

The problem is related to the flaw discovered earlier this month where the XML formatted parameters could include YAML serialised data which, when deserialised, would create live objects within the server which could be used to exploit it. The exploit went wild quickly and a number of servers were compromised.

Continued : http://www.h-online.com/security/news/item/Rails-developers-close-another-extremely-critical-flaw-1793511.html

Also: Some Versions of Ruby on Rails Vulnerable to New Parsing Attack

See Vulnerabilities & Fixes: Ruby on Rails JSON Parser YAML Handling Vulnerability

Google Dangles More Than $3 Million For Security Researchers To Crack Chrome OS

Google on Monday said they are offering up serious money the security research community to help them find and fix vulnerabilities in Chrome OS.

Researchers at this year's Pwn2Own contest at the CanSecWest conference in Vancouver will already be working to find vulnerabilities in web browsers and browser plug-ins, and now Google has followed up saying that it would offer up big bucks to those who can compromise its Chrome OS.

The competition, dubbed "Pwnium 3", will have a focus on Chrome OS and Google is offering up to a total of up to $3.14159 million in rewards for vulnerabilities discovered in the operating system.

Hoping that the larger rewards will incentivize hackers to step up to the challenge in cracking the security defenses of Chrome OS, Google said it would reward researchers at the following levels:

Continued : http://www.securityweek.com/google-dangles-more-3-million-security-researchers-crack-chrome-os

Also:
Google offers exploit bounties for Pwn2Own and Pwnium
Google offers $3.14159 MILLION in prizes for hacking Chrome OS
Google Offers $3.14159 Million Dollars for Any Chrome OS Hack in Pwnium 3

Regulators in the Netherlands and Canada say the popular messaging application WhatsApp is violating internationally accepted privacy norms by stockpiling phone numbers belonging to people who don't even use the service.

Officials in both countries say WhatsApp Inc. is going through its users' address books and copying every single phone number before transmitting them to the Mountain View, California-based company's servers.

Many communications services ask for access to their customer's address books to help connect them with friends. But under Canadian and Dutch law, personal information belonging to nonusers must be destroyed once it's no longer being used.

Canada's Office of the Privacy Commissioner and the Dutch Data Protection Authority also criticized WhatsApp for weak security and sloppy encryption.

Continued: http://www.usnews.com/news/technology/articles/2013/01/29/canada-holland-whatsapp-violates-privacy-norms

Also:
WhatsApp privacy weaknesses could trigger prosecutions
Netherlands, Canada Say WhatsApp Still Violates Privacy Laws
WhatsApp's privacy investigated by joint Canadian-Dutch probe

ESET discovered a social engineering Trojan horse that managed to steal the login credentials of more than 16,000 Facebook users.

The 'PokerAgent' Trojan targeted Zynga Poker, the most popular online poker site in the world. Zynga Poker hosts the Texas Hold'Em Poker App for Facebook. According to APPData, the game has more than 35 million active monthly users.

Specifically, the malware was designed to steal users' Facebook login details and link them with user information for the online poker game. ESET first began studying the Trojan in early 2012. However, thanks to proactive generic detection of this threat, ESET users were protected against the Trojan as early as December 2011. [Screenshot]

Because 'PokerAgent' was most active in Israel, ESET contacted the Israeli CERT as well as the Israeli police in early 2012. Because of the ongoing investigation, ESET was not able to publicly disclose any details about the threat. However, in addition to working with the Israeli CERT team, Facebook was also notified and took immediate preventive measures to protect their members and thwart future attacks on the hijacked accounts.

Continued: http://www.net-security.org/malware_news.php?id=2388