
Rapid7 Blog

Apple

Federal Friday - 7.18.14 - Mobile Movement

Happy Friday, Federal friends! The Midsummer Classic is behind us, which means we're heading into the dog days of summer. I hope you all have some nice quality time planned with your families so you can get out and enjoy the weather, especially with the Winter…

Weekly Metasploit Update: Zeroing in on Mobile

The Android Exploit Mixin. This week, Rapid7's Joe Vennix refactored our tried-and-true methods for exploiting the addJavascriptInterface vulnerability, which happens to be present on a ton of consumer Android devices and Google Play store-approved apps, which means a couple of things for Android exploit developers.…

Metasploit Weekly Update: There's a Bug In Your Brain

Running Malicious Code in Safari. The most fun module this week, in my humble opinion, is from Rapid7's own Javascript Dementor, Joe Vennix. Joe wrote up this crafty implementation of a Safari User-Assisted Download and Run Attack, which is not technically a vulnerability or a bug…

12 Days of HaXmas: Apple Safari Makes Password Stealing Fun and Easy? Yes, Please!

This post is the second in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013. If you are reading this blog post, I reckon you are somewhat a…

Federal Friday - 12.20.13 - Deck the Halls Edition

'Tis the season to be jolly! Happy Holidays, everyone! While it's amazing that Christmas is next week, it's not amazing how much shopping I still need to do (shh, don't tell my wife). Being that the season of gift-giving is here, it makes sense…

National Cyber Security Awareness Month: Keeping Mobile Devices Safe

To mark National Cyber Security Awareness Month, we're trying to help you educate your users on security risks and how to protect themselves, and by extension your organization. Every week in October we'll provide a short primer email on a different topic relating to user…

Federal Friday - 9.13.13 - Apple's Touch ID Release

Welcome to another edition of Federal Friday! It's been a busy week around here with 2 FISMA presentations earlier in the week and the ongoing effort to close out FY13 on 9/30. Plus the world came to a technological halt this week with the…

Weekly Update: Meterpreter Updates, VMWare, the OSX spycam, Retabbing, and more!

Meterpreter Updates. This is a big week for Meterpreter. For starters, we've landed a new Meterpreter Python payload. Yes, yes, I know, you thought that Metasploit was all Ruby all the time, but this and the Python payloads for bind shells from Spencer McIntyre should help…

Weekly Update: Apple OSX Privilege Escalation

Sudo password bypass on OSX. This week's update includes a nifty local exploit for OSX, the sudo bug described in CVE-2013-1775. We don't have nearly enough of these Apple desktop exploits, and it's always useful to disabuse the Apple-based cool-kids web app developer crowd of the…

Abusing Safari's webarchive file format

tl;dr: For now, don't open .webarchive files, and check the Metasploit module, Apple Safari .webarchive File Format UXSS. Safari's webarchive format saves all the resources in a web page - images, scripts, stylesheets - into a single file. A flaw exists in the security model…

Mobile Pwning: Using Metasploit on iOS

Have you ever wanted to run an exploit but found yourself away from your desk? Wouldn't it be awesome if you could launch a full version of the Metasploit Framework from your phone or tablet? As you might have guessed, now you can. With an…

iPhone notifications

If something is seriously broken in your application, you want to know about it immediately. But you can't study your logs all the time – you have better things to do (like coding, right…). That's why Logentries provides real-time alerts through both email and…

Apple OS X Java Woes

Oracle recently announced that they would provide standalone updates in the future for the Java Runtime Environment for Mac users. Many people, including myself, were excited when we heard the news, but... so far this hasn't happened. Mac OS X users, including yours truly, are…

Myth Busted: Apple is Hacker Proof

Update 4/4/2012: Apple released a patch for Java last night. The first thing I'd like to say is that I am an Apple fanboy and can usually be found defending them vigorously like any loyal fanboy would. I hear time and time again…

SOC Monkey - FREE and in the App Store now!

The name's Monkey. SOC Monkey. I'm here to provide you with a new free app for the iPhone/iPad/iPod Touch that will search through infosec topics that are trending on the social web. I'll also rank them based on what the biggest…