MS14-034 – Important: Vulnerability in Microsoft Word Could Allow Remote Code Execution (2969261) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (June 10, 2014): Bulletin published.
Summary: This security update resolves one privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a specially crafted file is opened in an affected version of Microsoft Word. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Panda Security launches Panda GateDefender eSeries 5.5, now with Application Control

Panda Security, The Cloud Security Company, today announced the inclusion of new and enhanced features in version 5.50 of Panda GateDefender eSeries, the company’s unified perimeter security device that protects against all types of threats. The new version includes a new, improved configuration wizard, next-generation VPN technologies, a new firewall for application control and real-time monitoring of corporate networks.
Panda GateDefender eSeries enables mid-size and large companies to protect their corporate network and increase their productivity, and is available in three different versions (hardware, software and virtual) to suit the needs of every type of organization. In addition, its Web interface allows centralized and flexible management from a single console, accessible from the cloud at any time.

New Features
Panda GateDefender eSeries 5.50 includes robust, next-generation VPN technologies that enable very fast and highly scalable VPN connections, while managing granular access permissions to the network. Additionally, the solution includes a new application control feature capable of identifying and blocking more than 170 applications including Facebook, Skype, Spotify or WhatsApp to improve productivity. Also, the new Panda GateDefender eSeries includes an improved configuration wizard with a new network mode that allows the use of outgoing firewalls and application control in bridge mode.
The solution also allows real-time monitoring of corporate networks through an intuitive interface that enables organizations to generate extremely granular, customized reports.
These new features add to the many benefits already provided by the solution:
– Flexible, cloud-based management to centrally monitor, manage and update appliances quickly and easily, anywhere, anytime.
– Increased user productivity and optimized resource usage thanks to spam neutralization, restricted access to unproductive content and services, and bandwidth usage control.
– Complete protection against all types of infections and intrusion attempts right from the start. Faster response to new malware threats via automatic updates and queries to the cloud.
– High Internet availability. Its routing policies allow configuration of multiple high-availability lines, as well as installation of multiple appliances in parallel to deliver fault-tolerant, secure connectivity.
– Flexible, seamless integration with existing IT infrastructures thanks to the wide range of available versions: hardware, virtual and software appliances.

CVE-2014-3959 (big-ip_access_policy_manager, big-ip_advanced_firewall_manager, big-ip_analytics, big-ip_application_acceleration_manager, big-ip_application_security_manager, big-ip_edge_gateway, big-ip_global_traffic_manager, big-ip_link_controller, big-ip_local_traffic_manager, big-ip_policy_enforcement_manager, big-ip_protocol_security_module, big-ip_wan_optimization_manager, big-ip_webaccelerator, enterprise_manager)

Cross-site scripting (XSS) vulnerability in list.jsp in the Configuration utility in F5 BIG-IP LTM, AFM, Analytics, APM, ASM, GTM, and Link Controller 11.2.1 through 11.5.1, AAM 11.4.0 through 11.5.1, PEM 11.3.0 through 11.5.1, PSM 11.2.1 through 11.4.1, WebAccelerator and WOM 11.2.1 through 11.3.0, and Enterprise Manager 3.0.0 through 3.1.1 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.

Cross-Site Scripting in news

Release Date: June 3, 2014

Bulletin update: September 4, 2014 (affected version clarification)

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 2.3.0 and below of 2.x.x branch, version 3.0.0 of 3.x.x branch

Vulnerability Type: Cross-Site Scripting

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:H/RL:O/RC:C

Related CVEs: CVE-2011-3642, CVE-2013-1464

Problem Description: The extension bundles flash files for video and audio playback. Old versions of FlowPlayer and flashmedia are susceptible to Cross-Site Scripting. No authentication is required to exploit this vulnerability.

Solution: Updated versions 2.3.1 and 3.0.1 are available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/news/2.3.1/ and http://typo3.org/extensions/repository/download/news/3.0.1/t3x/. Users of the extension are advised to update the extension as soon as possible.

Credits: Credits go to Markus Pieton and Vytautas Paulikas who discovered and reported the issues.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.