Posts tagged Apple

1 min Apple

Apple Silicon Support on Insight Agent

We are pleased to announce the general availability of native support of Apple Silicon chips for the Rapid7 Insight Agent.

9 min Vulnerability Disclosure

Vulntober: Multiple Mobile Browser Address Bar Spoofing Vulnerabilities

Today, we're announcing a coordinated vulnerability disclosure on a set of address bar spoofing vulnerabilities that affect a number of mobile browsers.

5 min Exploits

macOS Keychain Security : What You Need To Know

If you follow the infosec twitterverse or have been keeping an eye on macOS news sites, you’ve likely seen a tweet [] (with accompanying video) from Patrick Wardle (@patrickwardle []) that purports to demonstrate dumping and exfiltration of something called the “keychain” without an associated privilege escalation prompt. Patrick also has a more in-depth Q&A blog post [

1 min Microsoft

Cisco Enable / Privileged Exec Support

In Nexpose [] version 6.4.28, we are adding support for privileged elevation on Cisco devices through enable command for those that are running SSH version 2. A fully privileged policy scan provides more accurate information on the target's compliance status, and the ability to do so through enable password, while keeping the actual user privilege low, adds an additional layer of security for your devices. This allows our users to run fully privileged po

4 min Microsoft

Attacking Microsoft Office - OpenOffice with Metasploit Macro Exploits

It is fair to say that Microsoft Office and OpenOffice are some of the most popular applications in the world. We use them for writing papers, making slides for presentations, analyzing sales or financial data, and more. This software is so important to businesses that, even in developing countries, workers that are proficient in an Office suite can make a decent living based on this skill alone. Unfortunately, high popularity for software also means more high-value targets in the eyes of an

4 min Android

Pokemon Go, Security, and Obsolescence

Pokemon Go started it. The crusty old house cell phone, which we had years ago ported from a genuine AT&T land line to a T-Mobile account, suddenly caught the attention of my middle son. > "Hey Dad, can I use that phone to catch Pokemon at the park?" "Sure! Have fun, and don't come back until sundown!" A few minutes later, he had hunted down his first Pikachu, which apparently required running around the block in Texas summer heat a few times. Sweat-soaked but proud, he happily presented hi

5 min Vulnerability Management

Using the National Vunerability Database to Reveal Vulnerability Trends Over Time

This is a guest post by Ismail Guneydas. Ismail Guneydas is senior technical leader with over ten years of experience in vulnerability management, digital forensics, e-Crime investigations and teaching. Currently he is a senior vulnerability manager at Kimberly-Clark and an adjunct faculty at Texas A&M. He has M.S.  in computer science and MBA degrees. 2015 is in the past, so now is as good a time as any to get some numbers together from the year that was and analyze them.  For this blog post,

12 min Apple

Reduced Annoyances and Increased Security on iOS 9: A Win Win!

Introduction Early this year, I posted an article [/2015/02/26/the-gif-guide-to-ios-security] on iOS Hardening that used animated GIFs to explain most of the recommended settings. Since then, iOS 9 was released, bringing along many new features [], including better support for Two-Factor Authentication, as iMessage and FaceTime now work without the need for app-specific passwords, and as your trusted devices now automatically get trusted when you authentic

2 min Windows

Metasploit Framework Open Source Installers

Rapid7 has long supplied universal Metasploit installers for Linux and Windows. These installers contain both the open source Metasploit Framework as well as commercial extensions, which include a graphical user interface, metamodules, wizards, social engineering tools and integration with other Rapid7 tools. While these features are very useful, we recognized that they are not for everyone. According to our recent survey of Metasploit Community users, most only used it for the open source comp

5 min Apple

Top 10 list of iOS Security Configuration GIFs you can send your friends and relatives

Easily share these animated iOS Security tips with friends and relatives! While iOS is generally considered to be quite secure, a few configuration items can improve its security. Some changes have very little functionality impact, while others are more visible but probably only needed in specific environments. This guide contains some of the most important, obvious ones, and contains a GIF for each configuration step to be taken. If you already know everything about iOS security, use this a

3 min Apple

Metasploit Weekly Update: There's a Bug In Your Brain

Running Malicious Code in Safari The most fun module this week, in my humble opinion, is from Rapid7's own Javascript Dementor, Joe Vennix []. Joe wrote up this crafty implementation of a Safari User-Assisted Download and Run Attack [] , which is not technically a vulnerability or a bug or anything -- it's a feature that ends up being a kind of a huge risk. Here's how it goes:

4 min Android

National Cyber Security Awareness Month: Keeping Mobile Devices Safe

To mark National Cyber Security Awareness Month, we're trying to help you educate your users on security risks and how to protect themselves, and by extension your organization. Every week in October we'll provide a short primer email on a different topic relating to user risk. The idea is that you can copy and paste it into an email and send it around your organization to promote better security awareness among your users.  The first post was on phishing [/2013/10/02/national-cyber-security-awa

2 min Product Updates

Weekly Update: Apple OSX Privilege Escalation

Sudo password bypass on OSX This week's update includes a nifty local exploit for OSX, the sudo bug described in CVE-2013-1775. We don't have nearly enough of these Apple desktop exploits, and it's always useful to disabuse the Apple-based cool-kids web app developer crowd of the notion that their computing platform of choice is bulletproof. Joe Vennix [], the principle author of this module, is, in fact, of that very same Apple-based developer crowd, and usually bu

4 min Apple

Abusing Safari's webarchive file format

tldr: For now, don't open .webarchive files, and check the Metasploit module, Apple Safari .webarchive File Format UXSS [] Safari's webarchive format saves all the resources in a web page - images, scripts, stylesheets - into a single file. A flaw exists in the security model behind webarchives that allows us to execute script in the context of any domain (a Universal Cross-site S

3 min Metasploit

Mobile Pwning: Using Metasploit on iOS

Have you ever wanted to run an exploit but found yourself away from your desk? Wouldn't it be awesome if you could launch a full version of the Metasploit Framework from your phone or tablet? As you might have guessed, now you can. With an adventurous spirit and a few commands, you can be running the Metasploit Framework on your iPad or iPhone in just a few short minutes. Warning: To install Metasploit, you'll need root access to your device – which is accomplished by following your favorite ja