Strong password – Chrome now offers ‘pronounceable’ choices

Google Chrome will now recommend pronounceable but strong password choices, according to developer and Chrome “happiness evangelist” Francois Beaufort, who announced the new version of Chrome’s built-in password generator via his Google+ page.

But the security-conscious need not be too concerned – by ‘pronounceable’, the search giant does not exactly mean “Password1”.

Instead, the example given of a strong password that is also pronounceable is “masOotitaiv6”: easier to say out loud than the average algorithmically generated string, while still being neither a dictionary word nor a predictable pattern.

Strong password: Say it loud

The Register reports that the new feature is currently being tested in an early developer version of the Chrome browser.

“Give it a try and go to any “sign up” page. As soon as you focus the password field, a nice overlay will suggest a strong and pronounceable password that will be saved in your Chrome passwords,” Beaufort said.

Beaufort continues: “Chromium uses a C library that provides an implementation of FIPS 181 Automated Password Generator.” FIPS 181 is a 1993 NIST (National Institute of Standards and Technology) standard for generating random pronounceable passwords; rather than picking characters uniformly at random, it assembles pronounceable words from phonetic units, and it is implemented in a number of password-generation tools such as the apg utility. One caveat a practitioner should keep in mind: restricting the output to pronounceable strings shrinks the set of possible passwords, so a pronounceable password carries less entropy than a uniformly random one of the same length and has to be somewhat longer to compensate.

The new strong password feature is available to some users running the Canary early “test” version of Chrome, Beaufort says.

Beyond pronounceability, the new feature also ties generation more tightly to Chrome’s built-in password manager: the suggested password is generated and saved to Chrome’s stored passwords in one step.

Watch out, LastPass?

The Register comments, “The update is Google’s latest encroachment into the territory of online password management dominated by LastPass and 1Password, who could well feel threatened as Chrome builds in functionality they once offered as third-party value adds.”

A We Live Security guide to generating strong passwords can be found here, while veteran security writer and researcher Graham Cluley offers some thoughts on the worst pitfalls awaiting those who ignore password advice here.

The post Strong password – Chrome now offers ‘pronounceable’ choices appeared first on We Live Security.

SB14-251: Vulnerability Summary for the Week of September 1, 2014

Original release date: September 08, 2014

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
arubanetworks — clearpass_policy_manager The management console in Aruba Networks ClearPass Policy Manager 6.3.0.60730 allows local users to execute arbitrary commands via shell metacharacters in certain arguments of a valid command, as demonstrated by the (1) system status-rasession and (2) network ping commands. 2014-08-29 9.0 CVE-2014-2593
Source & Patch Info: MISC, XF, BID, OSVDB
check_mk_project — check_mk The wato component in Check_MK before 1.2.4p4 and 1.2.5 before 1.2.5i4 uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object, related to an automation URL. 2014-09-02 9.3 CVE-2014-5340
Source & Patch Info: BUGTRAQ, MISC
cisco — ios_xr Cisco IOS XR 4.3(.2) and earlier, as used in Cisco Carrier Routing System (CRS), allows remote attackers to cause a denial of service (CPU consumption and IPv6 packet drops) via a malformed IPv6 packet, aka Bug ID CSCuo95165. 2014-09-04 7.1 CVE-2014-3353
codeaurora — android-msm The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which allows attackers to gain privileges via a crafted application. 2014-08-31 7.2 CVE-2013-2595
codeaurora — android-msm Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that leverages /dev/msm_acdb access and provides a large size value in an ioctl argument. 2014-08-31 7.2 CVE-2013-2597
gnu — glibc Off-by-one error in the __gconv_translit_find function in gconv_trans.c in GNU C Library (aka glibc) allows context-dependent attackers to cause a denial of service (crash) or execute arbitrary code via vectors related to the CHARSET environment variable and gconv transliteration modules. 2014-08-29 7.5 CVE-2014-5119
Source & Patch Info: CONFIRM, MISC, BID, MLIST, MLIST, FULLDISC, MISC
ibm — db2 Stack-based buffer overflow in IBM DB2 9.7 through FP9a, 9.8 through FP5, 10.1 through FP4, and 10.5 before FP4 on Linux, UNIX, and Windows allows remote authenticated users to execute arbitrary code via a crafted ALTER MODULE statement. 2014-09-04 8.5 CVE-2014-3094
Source & Patch Info: XF, AIXAPAR, AIXAPAR, AIXAPAR, AIXAPAR
mozilla — firefox Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. 2014-09-03 10.0 CVE-2014-1553
Source & Patch Info: CONFIRM, CONFIRM, CONFIRM, CONFIRM, CONFIRM, CONFIRM, CONFIRM
mozilla — firefox Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 32.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. 2014-09-03 10.0 CVE-2014-1554
Source & Patch Info: CONFIRM, CONFIRM, CONFIRM, CONFIRM
mozilla — firefox Unspecified vulnerability in the browser engine in Mozilla Firefox before 32.0, Firefox ESR 24.x before 24.8 and 31.x before 31.1, and Thunderbird 24.x before 24.8 and 31.x before 31.1 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. 2014-09-03 10.0 CVE-2014-1562
Source & Patch Info: CONFIRM
mozilla — firefox Use-after-free vulnerability in the mozilla::DOMSVGLength::GetTearOff function in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via an SVG animation with DOM interaction that triggers incorrect cycle collection. 2014-09-03 10.0 CVE-2014-1563
Source & Patch Info: CONFIRM
mozilla — firefox Use-after-free vulnerability in DirectionalityUtils.cpp in Mozilla Firefox before 32.0, Firefox ESR 24.x before 24.8 and 31.x before 31.1, and Thunderbird 24.x before 24.8 and 31.x before 31.1 allows remote attackers to execute arbitrary code via text that is improperly handled during the interaction between directionality resolution and layout. 2014-09-03 9.3 CVE-2014-1567
Source & Patch Info: CONFIRM
novell — groupwise The client in Novell GroupWise before 8.0.3 HP4, 2012 before SP3, and 2014 before SP1 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (invalid pointer dereference) via unspecified vectors. 2014-09-04 10.0 CVE-2014-0610
Source & Patch Info: CONFIRM
s3ql_project — s3ql S3QL 1.18.1 and earlier uses the pickle Python module unsafely, which allows remote attackers to execute arbitrary code via a crafted serialized object in (1) common.py or (2) local.py in backends/. 2014-09-02 7.5 CVE-2014-0485
Source & Patch Info: MLIST, DEBIAN
solarwinds — log_and_event_manager SolarWinds Log and Event Manager before 6.0 uses “static” credentials, which makes it easier for remote attackers to obtain access to the database and execute arbitrary code via unspecified vectors, related to HyperSQL. 2014-09-04 7.5 CVE-2014-5504
Source & Patch Info: MISC, CONFIRM
tibco — spotfire_server Unspecified vulnerability in the Authentication Module in TIBCO Spotfire Server before 4.5.2, 5.0.x before 5.0.3, 5.5.x before 5.5.2, 6.0.x before 6.0.3, and 6.5.x before 6.5.1 allows remote attackers to gain privileges, and obtain sensitive information or modify data, via unknown vectors. 2014-09-04 7.5 CVE-2014-5285
vmturbo — operations_manager vmtadmin.cgi in VMTurbo Operations Manager before 4.6 build 28657 allows remote attackers to execute arbitrary commands via shell metacharacters in the fileDate parameter in a DOWN call. 2014-08-29 7.5 CVE-2014-5073
Source & Patch Info: XF, BID, OSVDB, EXPLOIT-DB, MISC, SECUNIA, MISC, MISC
zend — zend_framework The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 violate the OpenID 2.0 protocol by ensuring only that at least one field is signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider. 2014-09-04 7.5 CVE-2014-2685
Source & Patch Info: MANDRIVA, MLIST, CONFIRM

Medium Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
amazon — kindle The Amazon.com Kindle application before 4.5.0 for Android does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 2014-08-30 5.8 CVE-2014-3908
Source & Patch Info: JVNDB, JVN
apache — commons-httpclient http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783. 2014-09-04 4.3 CVE-2012-6153
Source & Patch Info: CONFIRM, BID, CONFIRM, REDHAT
apache — poi The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. 2014-09-04 4.3 CVE-2014-3529
Source & Patch Info: CONFIRM, SECUNIA, CONFIRM
apache — poi Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack. 2014-09-04 4.3 CVE-2014-3574
Source & Patch Info: SECUNIA, CONFIRM
check_mk_project — check_mk Check_MK before 1.2.4p4 and 1.2.5 before 1.2.5i4 allows remote authenticated users to write check_mk config files (.mk files) to arbitrary locations via vectors related to row selections. 2014-09-02 4.9 CVE-2014-5339
Source & Patch Info: BUGTRAQ, MISC
cisco — cloud_portal Cisco Intelligent Automation for Cloud (aka Cisco Cloud Portal) 2008.3_SP9 and earlier does not properly consider whether a session is a problematic NULL session, which allows remote attackers to obtain sensitive information via crafted packets, related to an “iFrame vulnerability,” aka Bug ID CSCuh84801. 2014-08-30 4.3 CVE-2014-3352
codeaurora — android-msm app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory locations within bootloader memory. 2014-08-31 6.6 CVE-2013-2598
codeaurora — android-msm A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption passwords via a logcat call. 2014-08-31 5.0 CVE-2013-2599
exim — exim The dmarc_process function in dmarc.c in Exim before 4.82.1, when EXPERIMENTAL_DMARC is enabled, allows remote attackers to execute arbitrary code via the From header in an email, which is passed to the expand_string function. 2014-09-04 6.8 CVE-2014-2957
Source & Patch Info: CONFIRM
exim — exim expand.c in Exim before 4.83 expands mathematical comparisons twice, which allows local users to gain privileges and execute arbitrary commands via a crafted lookup value. 2014-09-04 4.6 CVE-2014-2972
Source & Patch Info: CONFIRM, FEDORA, FEDORA, CONFIRM
freedesktop — poppler DCTStream.cc in Poppler before 0.13.3 allows remote attackers to cause a denial of service (crash) via a crafted PDF file. 2014-08-29 4.3 CVE-2010-5110
Source & Patch Info: SUSE, CONFIRM, SECUNIA, MLIST
google — android_browser The Android Browser application 4.2.1 on Android allows remote attackers to bypass the Same Origin Policy via a crafted attribute containing a \u0000 character, as demonstrated by an onclick="window.open('\u0000javascript: sequence. 2014-09-02 5.8 CVE-2014-6041
Source & Patch Info: MISC
hl7 — c-cda Cross-site scripting (XSS) vulnerability in CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted reference element within a nonXMLBody element. 2014-09-02 4.3 CVE-2014-3861
Source & Patch Info: MISC
hl7 — c-cda CDA.xsl in HL7 C-CDA 1.1 and earlier allows remote attackers to discover potentially sensitive URLs via a crafted reference element that triggers creation of an IMG element with an arbitrary URL in its SRC attribute, leading to information disclosure in a Referer log. 2014-09-02 4.3 CVE-2014-3862
Source & Patch Info: MISC
hl7 — c-cda CDA.xsl in HL7 C-CDA 1.1 and earlier does not anticipate the possibility of invalid C-CDA documents with crafted XML attributes, which allows remote attackers to conduct XSS attacks via a document containing a table that is improperly handled during unrestricted xsl:copy operations. 2014-09-02 4.3 CVE-2014-5452
Source & Patch Info: MISC
ibm — cognos_tm1 The client in IBM Cognos TM1 9.5.2.3 before IF5, 10.1.1.2 before IF1, 10.2.0.2 before IF1, and 10.2.2.0 before IF1 stores obfuscated passwords in memory, which allows remote authenticated users to obtain sensitive cleartext information via an unspecified security tool. 2014-09-04 4.0 CVE-2014-0863
Source & Patch Info: XF
ibm — business_process_manager IBM Business Process Manager (BPM) 7.5.x through 8.5.5 and WebSphere Lombardi Edition 7.2.x allow remote authenticated users to bypass intended access restrictions and send requests to internal services via a callService URL. 2014-09-04 4.0 CVE-2014-4758
Source & Patch Info: XF, AIXAPAR
ibm — business_process_manager An unspecified Ajax service in the Content Management toolkit in IBM Business Process Manager (BPM) 8.5.x through 8.5.5 allows remote authenticated users to obtain sensitive information by performing a document-attachment search and then reading document properties in the search results. 2014-09-04 4.0 CVE-2014-4759
Source & Patch Info: XF
iii — encore_discovery_solution Open redirect vulnerability in Innovative Interfaces Encore Discovery Solution 4.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in an unspecified parameter. 2014-08-29 5.8 CVE-2014-5127
Source & Patch Info: BID, BUGTRAQ
iii — encore_discovery_solution Innovative Interfaces Encore Discovery Solution 4.3 places a session token in the URI, which might allow remote attackers to obtain sensitive information via unspecified vectors. 2014-08-29 5.0 CVE-2014-5128
Source & Patch Info: BID, BUGTRAQ
iii — sierra Cross-site scripting (XSS) vulnerability in Innovative Interfaces Sierra Library Services Platform 1.2_3 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters. 2014-09-02 4.3 CVE-2014-5136
Source & Patch Info: BUGTRAQ
iii — sierra Innovative Interfaces Sierra Library Services Platform 1.2_3 provides different responses for login request depending on whether the user account exists, which allows remote attackers to enumerate account names via a series of login requests, possibly related to the Webpac Pro submodule. 2014-09-02 5.0 CVE-2014-5137
Source & Patch Info: BUGTRAQ
labanquepostale — labanquepostale The La Banque Postale application before 3.2.6 for Android does not prevent the launching of an activity by a component of another application, which allows attackers to obtain sensitive cached banking information via crafted intents, as demonstrated by the drozer framework. 2014-09-02 4.3 CVE-2014-5076
Source & Patch Info: MISC
linux — linux_kernel The kvm_iommu_map_pages function in virt/kvm/iommu.c in the Linux kernel through 3.16.1 miscalculates the number of pages during the handling of a mapping failure, which allows guest OS users to (1) cause a denial of service (host OS memory corruption) or possibly have unspecified other impact by triggering a large gfn value or (2) cause a denial of service (host OS memory consumption) by triggering a small gfn value that leads to permanently pinned pages. 2014-08-31 4.3 CVE-2014-3601
Source & Patch Info: CONFIRM
linux — linux_kernel Stack consumption vulnerability in the parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel through 3.16.1 allows local users to cause a denial of service (uncontrolled recursion, and system crash or reboot) via a crafted iso9660 image with a CL entry referring to a directory entry that has a CL entry. 2014-08-31 4.0 CVE-2014-5471
Source & Patch Info: MISC, CONFIRM, MLIST
linux — linux_kernel The parse_rock_ridge_inode_internal function in fs/isofs/rock.c in the Linux kernel through 3.16.1 allows local users to cause a denial of service (unkillable mount process) via a crafted iso9660 image with a self-referential CL entry. 2014-08-31 4.0 CVE-2014-5472
Source & Patch Info: MISC, CONFIRM, MLIST
lua — lua Buffer overflow in the vararg functions in ldo.c in Lua 5.1 through 5.2.x before 5.2.3 allows context-dependent attackers to cause a denial of service (crash) via a small number of arguments to a function with a large number of fixed arguments. 2014-09-04 5.0 CVE-2014-5461
Source & Patch Info: BID, MLIST, DEBIAN, DEBIAN
manageengine — device_expert ReadUsersFromMasterServlet in ManageEngine DeviceExpert before 5.9 build 5981 allows remote attackers to obtain user account credentials via a direct request. 2014-09-04 5.0 CVE-2014-5377
Source & Patch Info: MISC, XF, BID, BUGTRAQ, EXPLOIT-DB, FULLDISC, FULLDISC, FULLDISC, MISC
mcafee — network_security_manager Cross-site request forgery (CSRF) vulnerability in the User Management module in McAfee Network Security Manager (NSM) before 6.1.15.39, 7.1.5.x before 7.1.5.15, 7.1.15.x before 7.1.15.7, 7.5.x before 7.5.5.9, and 8.x before 8.1.7.3 allows remote attackers to hijack the authentication of users for requests that modify user accounts via unspecified vectors. 2014-08-29 6.8 CVE-2014-2390
Source & Patch Info: SECTRACK
mcafee — web_gateway The Accounts tab in the administrative user interface in McAfee Web Gateway (MWG) before 7.3.2.9 and 7.4.x before 7.4.2 allows remote authenticated users to obtain the hashed user passwords via unspecified vectors. 2014-09-02 4.0 CVE-2014-6064
Source & Patch Info: SECTRACK
mikejolley — download_monitor Cross-site scripting (XSS) vulnerability in the Download Monitor plugin before 3.3.5.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the dlsearch parameter to the default URI. 2014-09-04 4.3 CVE-2012-4768
Source & Patch Info: CONFIRM, SECUNIA, MISC, OSVDB, BUGTRAQ
mozilla — firefox Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 do not properly initialize memory for GIF rendering, which allows remote attackers to obtain sensitive information from process memory via crafted web script that interacts with a CANVAS element associated with a malformed GIF image. 2014-09-03 4.3 CVE-2014-1564
Source & Patch Info: CONFIRM
mozilla — firefox The mozilla::dom::AudioEventTimeline function in the Web Audio API implementation in Mozilla Firefox before 32.0, Firefox ESR 31.x before 31.1, and Thunderbird 31.x before 31.1 does not properly create audio timelines, which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (out-of-bounds read) via crafted API calls. 2014-09-03 5.0 CVE-2014-1565
Source & Patch Info: CONFIRM
mozilla — firefox Mozilla Firefox before 31.1 on Android does not properly restrict copying of local files onto the SD card during processing of file: URLs, which allows attackers to obtain sensitive information from the Firefox profile directory via a crafted application. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-1515. 2014-09-03 4.3 CVE-2014-1566
Source & Patch Info: CONFIRM
phorum — phorum Cross-site scripting (XSS) vulnerability in the group moderation screen in the control center (control.php) in Phorum before 5.2.19 allows remote attackers to inject arbitrary web script or HTML via the group parameter. 2014-09-04 4.3 CVE-2012-4234
Source & Patch Info: MISC, XF, BID, SECUNIA, MISC, BUGTRAQ
plack_project — plack Plack::App::File in Plack before 1.0031 removes trailing slash characters from paths, which allows remote attackers to bypass the whitelist of generated files and obtain sensitive information via a crafted path, related to Plack::Middleware::Static. 2014-09-04 5.0 CVE-2014-5269
Source & Patch Info: OSVDB, MLIST, FEDORA, FEDORA, CONFIRM
qpw.famvanakkeren — quick_post_widget Multiple cross-site scripting (XSS) vulnerabilities in Quick Post Widget plugin 1.9.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) Title, (2) Content, or (3) New category field to wordpress/ or (4) query string to wordpress/. 2014-09-03 4.3 CVE-2012-4226
Source & Patch Info: XF, BID, MISC, MISC, BUGTRAQ
sap — crystal_reports Stack-based buffer overflow in SAP Crystal Reports allows remote attackers to execute arbitrary code via a crafted data source string in an RPT file. 2014-09-04 6.8 CVE-2014-5505
Source & Patch Info: CONFIRM, MISC, CONFIRM
sap — crystal_reports Double free vulnerability in SAP Crystal Reports allows remote attackers to execute arbitrary code via crafted connection string record in an RPT file. 2014-09-04 6.8 CVE-2014-5506
Source & Patch Info: CONFIRM, MISC, CONFIRM
sap — netweaver Buffer overflow in disp+work.exe 7000.52.12.34966 and 7200.117.19.50294 in the Dispatcher in SAP NetWeaver 7.00 and 7.20 allows remote authenticated users to cause a denial of service or execute arbitrary code via unspecified vectors. 2014-09-05 6.5 CVE-2014-6252
Source & Patch Info: CONFIRM, SECUNIA, CONFIRM, MISC
sixapart — movable_type Cross-site scripting (XSS) vulnerability in Six Apart (formerly Six Apart KK) Movable Type (MT) Pro 5.13 allows remote attackers to inject arbitrary web script or HTML via the comment section. 2014-08-29 4.3 CVE-2012-1503
Source & Patch Info: XF, BID, EXPLOIT-DB, MISC, MISC, OSVDB
torrentflux — torrentflux TorrentFlux 2.4 allows remote authenticated users to obtain other users’ cookies via the cid parameter in an editCookies action to profile.php. 2014-09-05 4.0 CVE-2014-6028
Source & Patch Info: MISC, SECTRACK, MLIST, MLIST
torrentflux — torrentflux TorrentFlux 2.4 allows remote authenticated users to delete or modify other users’ cookies via the cid parameter in an editCookies action to profile.php. 2014-09-05 4.9 CVE-2014-6029
Source & Patch Info: MISC, SECTRACK, MLIST, MLIST
werdswords — download_shortcode Directory traversal vulnerability in force-download.php in the Download Shortcode plugin 0.2.3 and earlier for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the file parameter. 2014-09-03 5.0 CVE-2014-5465
Source & Patch Info: BID, EXPLOIT-DB, CONFIRM
wordpress_mobile_pack_project — wordpress_mobile_pack The WordPress Mobile Pack plugin before 2.0.2 for WordPress does not properly restrict access to password protected posts, which allows remote attackers to obtain sensitive information via an exportarticles action to export/content.php. 2014-08-29 5.0 CVE-2014-5337
Source & Patch Info: MISC, BID, SECUNIA
xen — xen Xen 4.4.x, when running a 64-bit kernel on an ARM system, does not properly handle traps from the guest domain that use a different address width, which allows local guest users to cause a denial of service (host crash) via a crafted 32-bit process. 2014-08-29 4.3 CVE-2014-5147
xrms_crm_project — xrms_crm plugins/useradmin/fingeruser.php in XRMS CRM, possibly 1.99.2, allows remote authenticated users to execute arbitrary code via shell metacharacters in the username parameter. 2014-09-02 6.5 CVE-2014-5521
Source & Patch Info: MLIST, MLIST, EXPLOIT-DB, FULLDISC, MISC
zohocorp — manageengine_eventlog_analyzer Multiple cross-site scripting (XSS) vulnerabilities in event/index2.do in ManageEngine EventLog Analyzer before 9.0 build 9002 allow remote attackers to inject arbitrary web script or HTML via the (1) width, (2) height, (3) url, (4) helpP, (5) tab, (6) module, (7) completeData, (8) RBBNAME, (9) TC, (10) rtype, (11) eventCriteria, (12) q, (13) flushCache, or (14) product parameter. 2014-08-29 4.3 CVE-2014-4930
Source & Patch Info: BID, FULLDISC

Low Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
codeaurora — android-msm The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary file via an attack on the sensor-settings file. 2014-08-31 3.3 CVE-2013-6124
dhcpcd_project — dhcpcd The get_option function in dhcpcd 4.0.0 through 6.x before 6.4.3 allows remote DHCP servers to cause a denial of service by resetting the DHO_OPTIONSOVERLOADED option in the (1) bootfile or (2) servername section, which triggers the option to be processed again. 2014-09-04 3.3 CVE-2014-6060
Source & Patch Info: BID, MLIST, MLIST, MANDRIVA, CONFIRM, CONFIRM
eucalyptus — eucalyptus The Storage Controller (SC) component in Eucalyptus 3.4.2 through 4.0.x before 4.0.1, when Dell Equallogic SAN is used, logs the CHAP user credentials, which allows local users to obtain sensitive information by reading the logs. 2014-09-05 2.1 CVE-2014-5036
Source & Patch Info: SECUNIA, SECUNIA
ganeti_project — ganeti The _UpgradeBeforeConfigurationChange function in lib/client/gnt_cluster.py in Ganeti 2.10.0 before 2.10.7 and 2.11.0 before 2.11.5 uses world-readable permissions for the configuration backup file, which allows local users to obtain SSL keys, remote API credentials, and other sensitive information by reading the file, related to the upgrade command. 2014-08-29 2.1 CVE-2014-5247
Source & Patch Info: MISC, XF, BID, BUGTRAQ, MLIST, MISC
ibm — business_process_manager Cross-site scripting (XSS) vulnerability in IBM Business Process Manager (BPM) 7.5.x through 8.5.5 and WebSphere Lombardi Edition 7.2.0.x allows remote authenticated users to inject arbitrary web script or HTML via an uploaded file. 2014-09-04 3.5 CVE-2014-3075
Source & Patch Info: XF
ibm — db2 The SQL engine in IBM DB2 9.5 through FP10, 9.7 through FP9a, 9.8 through FP5, 10.1 through FP4, and 10.5 before FP4 on Linux, UNIX, and Windows allows remote authenticated users to cause a denial of service (daemon crash) via a crafted UNION clause in a subquery of a SELECT statement. 2014-09-04 3.5 CVE-2014-3095
Source & Patch Info: XF, AIXAPAR, AIXAPAR, AIXAPAR, AIXAPAR
ibm — db2 IBM DB2 10.5 before FP4 on Linux and AIX creates temporary files during CDE table LOAD operations, which allows local users to obtain sensitive information by reading a file while a LOAD is occurring. 2014-09-04 2.1 CVE-2014-4805
Source & Patch Info: CONFIRM
opensuse — srvx Multiple integer overflows in the HelpServ module (mod-helpserv.c) in srvx 1.3.1 allow remote authenticated IRCops or HelpServ bot managers to cause a denial of service (infinite loop) via a large value in the EmptyInterval parameter or certain other interval configurations. 2014-09-05 3.5 CVE-2014-5508
Source & Patch Info: BID, MLIST, MLIST

A website set up to shame the guilty: the list of companies that don’t protect customers’ data

There is an ever-increasing amount of personal data circulating on the Internet, yet the security in place to safeguard it is not evolving at the same rate. Many applications and web services put user information at risk simply by not encrypting it in transit.

Given this situation, IT engineer Tony Webster has set up a website to draw attention to those who are reckless in their approach to safeguarding data. At HTTP Shaming you can find the names of the ‘guilty’ websites and how they are violating users’ privacy. If they abuse the trust of their users, it’s only fair that the users should know.

One of the names that appears on the website is Mashable. According to Webster, this news website lets users log in with their social network accounts and interact through them. The problem is that all of this happens over plain HTTP rather than HTTPS, which wraps the connection in SSL/TLS (‘Secure Sockets Layer’, now superseded by ‘Transport Layer Security’) encryption.

An SSL/TLS certificate lets the browser verify that it is really talking to the company’s server rather than to an impostor; the handshake then negotiates session keys, so that everything exchanged between the client and the server is encrypted and cannot be read or altered by anyone sitting in between.

If, however, you use Mashable while connected to an open WiFi network, such as those found in many public places, anyone else on that network can capture your email address, username and passwords (those you use for Mashable as well as for the social networks you log in with), along with the session cookies that keep you logged in, which are enough to take over the session without knowing the password at all.
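A practitioner checking a site for the problems HTTP Shaming lists would look at more than the URL scheme: a login page served over HTTP, an http:// URL that merely redirects to HTTPS, a session cookie without the Secure flag, or an HTTPS site without Strict-Transport-Security each leak credentials or sessions to someone on the same open WiFi. The following Python example, added here and not part of the original article or of Webster’s project, runs that check over constructed sample responses; the hostnames and headers are made up for illustration and do not describe any real site.

```python
from typing import List, Set, Tuple
from urllib.parse import urlsplit

Headers = List[Tuple[str, str]]   # ordered pairs, because Set-Cookie may legitimately repeat

# Constructed sample responses (url, status, headers). Not real captures; names are invented.
HTTP_LOGIN = ("http://news.example.test/login", 200, [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=3f9a1c; Path=/"),
])
HTTP_REDIRECT = ("http://shop.example.test/", 301, [
    ("Location", "https://shop.example.test/"),
])
HTTPS_GOOD = ("https://bank.example.test/login", 200, [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=3f9a1c; Path=/; Secure; HttpOnly"),
])

REDIRECT_CODES = {301, 302, 303, 307, 308}


def cookie_name_and_flags(value: str) -> Tuple[str, Set[str]]:
    """Split 'name=value; Path=/; Secure' into the cookie name and its lower-cased attribute names."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0]
    flags = {p.split("=", 1)[0].lower() for p in parts[1:] if p}
    return name, flags


def audit(url: str, status: int, headers: Headers) -> List[str]:
    """Return human-readable findings for one response; an empty list means nothing to flag."""
    findings: List[str] = []
    scheme = urlsplit(url).scheme.lower()
    lowered = [(k.lower(), v) for k, v in headers]
    location = next((v for k, v in lowered if k == "location"), "")

    if scheme == "http":
        if status in REDIRECT_CODES and location.lower().startswith("https://"):
            findings.append("http:// redirects to HTTPS, but that first request, and any cookie "
                            "the browser attaches to it, still crosses the network in cleartext")
        else:
            findings.append("served over plain HTTP: form fields, cookies and page content "
                            "are readable by anyone on the network path")
    elif not any(k == "strict-transport-security" for k, _ in lowered):
        findings.append("HTTPS without Strict-Transport-Security: a later http:// visit "
                        "can be intercepted before the redirect happens")

    for k, v in lowered:
        if k != "set-cookie":
            continue
        name, flags = cookie_name_and_flags(v)
        if "secure" not in flags:
            findings.append(f"cookie {name!r} lacks Secure: the browser will also send it over http://")
        if "httponly" not in flags:
            findings.append(f"cookie {name!r} lacks HttpOnly: script injected into the page can read it")
    return findings


if __name__ == "__main__":
    for sample in (HTTP_LOGIN, HTTP_REDIRECT, HTTPS_GOOD):
        print(sample[0])
        for finding in audit(*sample) or ["no findings"]:
            print("  -", finding)
```

Feeding it the headers of a real response (for example from a browser’s developer tools) is the only change needed to use it on a live site; the cookie check matters because a session cookie that works over http:// is exactly what an attacker on open WiFi needs, even when the login form itself was submitted over HTTPS.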

The TripIt travel planning site, where you can manage bookings, check timetables and flight schedules, and share all of this with other users, is another similar case.

In both the Tripit versions for smartphones and for websites, users are first asked to enter an email address and password. Webster highlighted this site as it does not encrypt the information displayed to others through the calendar feature. As is the case with Mashable, a criminal could discover your full name, phone number, email address and the last four digits of your credit card.

TripIt reported this summer that the problem has been fixed and that all of its communications are now encrypted.

Such poor security practices also occur on other e-commerce sites where companies and customers exchange more sensitive information. Research by the IT security consultants High-Tech Bridge showed that 73% of the top 100 online stores don’t use the HTTPS protocol for data they consider less sensitive, and only two of them apply it in all cases.

The same applies to apps running on mobile devices. In a recent study by HP, a group of IT experts analyzed the security measures in place on 2,107 apps and found that 75% of them do not encrypt stored data. Some 18% didn’t even encrypt data exchanged across the Internet.

Webster’s list of shame now has 19 names, many of these put forward by others who wanted to take part in the project. These names include Creative Cloud, VLC and Adobe Flash Player. Even the Tumblr microblogging site, where the HTTP Shaming page is hosted, doesn’t have a secure protocol. In the worst cases, the IT engineer has directly contacted companies to let them know the error of their ways.

Webster fails to understand why some companies are subjecting customers to unnecessary risks, as there is no reason not to use HTTPS, which is available to anyone offering services on the Internet.
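One way to spot the problem HTTP Shaming calls out, added here as an example and not taken from the Panda Security post or from Webster’s project: a small standard-library Python script that finds forms on a page which carry a password field but would be submitted over plain http://. The page URL and the HTML are constructed samples, and the host example.test is a placeholder.

```python
"""Flag login forms that would submit credentials over plain HTTP.

Added example, not code from the Panda Security post or from HTTP Shaming.
It uses only the standard library; the page URL and the HTML below are
constructed samples, not captured from Mashable, TripIt or Tumblr.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect each <form> together with the input fields it contains."""

    def __init__(self):
        super().__init__()
        self.forms = []       # list of {"action": str, "inputs": [(type, name)]}
        self._current = None  # form currently being read, if any

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                ((attrs.get("type") or "text").lower(), attrs.get("name") or "")
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def plaintext_credential_forms(page_url, html):
    """Return the resolved action URLs of forms that contain a password
    field but would be submitted over something other than https://.

    The action is resolved against page_url the way a browser would, so a
    relative action on an http:// page is reported, while an absolute
    https:// action is not.
    """
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not any(kind == "password" for kind, _ in form["inputs"]):
            continue
        target = urljoin(page_url, form["action"])
        if urlsplit(target).scheme != "https":
            findings.append(target)
    return findings


# Constructed sample page: a login form posting to a relative path on an
# http:// page, a form that explicitly posts to https://, and a search form.
SAMPLE_URL = "http://example.test/login"
SAMPLE_HTML = """
<form method="post" action="/session">
  <input type="email" name="email">
  <input type="password" name="password">
</form>
<form method="post" action="https://example.test/session">
  <input type="text" name="user">
  <input type="password" name="pw">
</form>
<form method="get" action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for url in plaintext_credential_forms(SAMPLE_URL, SAMPLE_HTML):
        print("credentials would travel in the clear to:", url)
```

The check is only a first filter. A page that is itself served over HTTP can be rewritten in transit before the form is ever submitted, so an https:// form action on an http:// page is not a fix; the whole site has to be served over HTTPS, which is the point Webster’s list makes.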

The post A website set up to shame the guilty: the list of companies that don’t protect customers’ data appeared first on MediaCenter Panda Security.

Read before clicking: Potential app permission risks

Who is allowed to do what – when it comes to the world of apps, this isn’t a straightforward question to answer. Whether you’ve got an iOS, BlackBerry or Android device, apps on all operating systems require your permission to access specific functions like network communications or the camera and microphone. While BlackBerry and Apple review the permissions prior to store approval, Google leaves this task up to the user. If you use an Android tablet or smartphone, you’ll be familiar with the list of app permissions requested prior to installation. You have a choice: Either you agree to all the app’s wishes or you have to do without the app – no ifs or buts.

Of course, many developers handle this situation responsibly, only asking for permissions the app actually needs to do its job. But the temptation to ask for a few more pieces of information than are needed is huge: Details about user preferences can be gleaned and data sold on straight away to make a little bit extra on the side. Free apps in particular are infamous in this respect. A while ago, the example of the Brightest Flashlight was in the media spotlight. While it didn’t require any permissions for it to work, it practically granted itself full access to the smartphone – the developer then sold all the data it harvested.

The app is still listed on the Play Store, it still asks for permission to access everything, and has meanwhile racked up over 50 million downloads.

An app tells you, more or less, everything it wants to know and influence prior to installation. It does this either when you actually download it or at the bottom of its Play Store page under “Permission” and “View details”. All the details of “dangerous” permissions are shown, whereas permission requests deemed less critical are not; to view them, you have to click the “Display all” tab. This can be problematic especially when it comes to updates for installed apps, because of a change to the Play Store’s permissions-management system (version 4.8) in which Google introduced “simplified permissions”. Permissions are now divided into the following 13 groups:

  • In-app purchases
  • Device & app history
  • Cellular data settings
  • Identity
  • Contacts/Calendar
  • Location
  • SMS
  • Phone
  • Photos/Media/Files
  • Camera/Microphone
  • Wi-Fi connection information
  • Device ID & call information
  • Other

If you granted a permission during installation and another permission in the same group has since been added, you are no longer informed about it: the newly requested permission is granted without so much as a whisper. The groups are also fairly coarse, which has some surprising consequences. For instance, the “Phone” group includes the following functions: directly call telephone numbers (including chargeable numbers), write call log, read call log, reroute outgoing calls, and modify phone state.
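To make the silent-grant behaviour concrete, here is an added example (not code from the Avira post or from Google) that diffs the `<uses-permission>` entries of two versions of an app’s AndroidManifest.xml and reports which newly requested permissions would be granted without a prompt because their group was already approved at install time. The 13 group names come from the post; the mapping of individual android.permission.* constants to those groups is an illustrative assumption, not Google’s official table, and both manifests are constructed samples.

```python
"""Show which permissions an app update could receive silently under the
Play Store's grouped ("simplified") permissions.

Added example, not code from the Avira post or from Google. The group
names are the 13 listed in the post; the assignment of individual
permission constants to groups is an illustrative assumption. The "Phone"
entries correspond to the functions the post lists for that group.
Both manifests below are constructed samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping of permission constants to the post's 13 groups.
PERMISSION_GROUPS = {
    "com.android.vending.BILLING": "In-app purchases",
    "android.permission.GET_TASKS": "Device & app history",
    "android.permission.CHANGE_NETWORK_STATE": "Cellular data settings",
    "android.permission.GET_ACCOUNTS": "Identity",
    "android.permission.READ_CONTACTS": "Contacts/Calendar",
    "android.permission.READ_CALENDAR": "Contacts/Calendar",
    "android.permission.ACCESS_FINE_LOCATION": "Location",
    "android.permission.ACCESS_COARSE_LOCATION": "Location",
    "android.permission.READ_SMS": "SMS",
    "android.permission.SEND_SMS": "SMS",
    "android.permission.CALL_PHONE": "Phone",
    "android.permission.WRITE_CALL_LOG": "Phone",
    "android.permission.READ_CALL_LOG": "Phone",
    "android.permission.PROCESS_OUTGOING_CALLS": "Phone",
    "android.permission.MODIFY_PHONE_STATE": "Phone",
    "android.permission.READ_EXTERNAL_STORAGE": "Photos/Media/Files",
    "android.permission.WRITE_EXTERNAL_STORAGE": "Photos/Media/Files",
    "android.permission.CAMERA": "Camera/Microphone",
    "android.permission.RECORD_AUDIO": "Camera/Microphone",
    "android.permission.ACCESS_WIFI_STATE": "Wi-Fi connection information",
    "android.permission.READ_PHONE_STATE": "Device ID & call information",
}


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def group_of(permission):
    """Group a permission falls into; anything unmapped lands in 'Other'."""
    return PERMISSION_GROUPS.get(permission, "Other")


def classify_update(old_manifest_xml, new_manifest_xml):
    """Split the permissions an update adds into those the grouped model
    would grant without a prompt (group already approved at install) and
    those that would trigger a new prompt (group not yet approved)."""
    old = requested_permissions(old_manifest_xml)
    new = requested_permissions(new_manifest_xml)
    approved_groups = {group_of(p) for p in old}
    silent, prompted = [], []
    for perm in sorted(new - old):
        (silent if group_of(perm) in approved_groups else prompted).append(perm)
    return {"silent": silent, "prompted": prompted}


# Constructed manifests: v1 asks only to place calls; v2 adds call-log and
# outgoing-call access (same "Phone" group) and the camera (a new group).
MANIFEST_V1 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

MANIFEST_V2 = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sample">
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

if __name__ == "__main__":
    result = classify_update(MANIFEST_V1, MANIFEST_V2)
    print("granted without a prompt:", result["silent"])
    print("would prompt the user:   ", result["prompted"])
```

Run against the two sample manifests, the script shows the effect the post describes: an app that only placed calls at install time can pick up call-log reading and outgoing-call rerouting in an update without the user seeing a prompt, while the camera permission, being a new group, would still be shown.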

If you want to learn more about which app can do what, take a look at “Settings” and then “Application manager” followed by choosing the app’s name and “Permissions”. The free app Permission Viewer makes things a bit easier.

It lists every app (including internal system apps) and displays each app’s permission level using colored bars. That said, knowing about potential weaknesses does not by itself make you more secure. For that, you need the help of other apps such as App Guard by Backes SRT. The security company, a spin-off of Saarland University, offers a security and data-protection app for Android smartphones and tablets running Android 2.3 or later for € 3.99. There’s also a free demo version which can monitor up to four apps. App Guard lets you monitor other apps and subsequently change their permissions. Superfluous permissions can be revoked without needing root access.

By contrast, App Ops Starter is free but it only works on Android versions 4.3 to 4.4.1. The app starts Android’s integrated but hidden “App Ops” mode. It’s also possible to revoke individual permissions from apps without root access. Rooting your device opens up further options to monitor and change access permissions such as by using XPrivacy.

Everyone has to be clear about one thing: people who experiment with permissions can render an app unusable. Less experienced users should stay away from system services; otherwise the entire Android operating system could quickly become unstable.

The post Read before clicking: Potential app permission risks appeared first on Avira Blog.

Your holidays start on the Internet: tips for booking vacations online

Everything is possible online nowadays: reading newspapers, ordering books and clothes, flirting, checking out recipes – and of course booking vacations. Hotel comparison sites are immensely popular, every airline offers online booking, and instead of combing through endless travel-agency brochures, you now simply visit Expedia, Opodo or Travelocity. While it’s all very easy and convenient, it isn’t without its risks. Whether it’s a dodgy low-cost website which goes bust before your vacation starts or a seemingly harmless invoice attached to an email which turns out to be infected with a virus – at Avira we find that a little caution goes a long way.

Many problems with online booking stem from legal issues. In some instances, the difference between provider, organizer or contracting party is not clear to the customer. In case of questions and complaints, it is important to know whom to contact. Whether you can even make any claims and how easy that is differs immensely depending on the location of the company you signed the contract with. On top of that, costs often aren’t as transparent as they could and should be, with hidden additional transfer costs or trip-cancellation insurance suddenly selected on the final page before the last confirmation click without it ever being mentioned beforehand.

Low-cost portal or not, no operator offers its services for free. The cheaper the offer, the greater the risk that the small print conceals hidden costs. Free hotel room? Perhaps a minimum stay is involved, or you need to pay service and agency costs. Extremely cheap flight and accommodation? There may be compulsory shopping trips planned involving visits to carpet makers, jewelers, and leather factories.

Internet transactions always involve risks – even if they have become safer over the years. You should always transfer money over an encrypted connection. For that, the online travel agent has to offer an SSL-secured Web session. Operators usually make a specific point of mentioning this at the virtual checkout, but you can also tell the session is encrypted by the little padlock icon or the different color of the Web browser’s address bar. This type of encryption is extremely secure and cannot be cracked without considerable effort – effectively meaning no risk is involved.

However, other risks are beyond the user’s control. Hackers often manage to break into the websites of legitimate online travel operators. In 2005 the Japanese tour operator Club Tourism had to admit that hackers had stolen the information of over 90,000 customers. In 2009 a website in the USA which government officials use to book travel was compromised. And as recently as April 2013, Traveltainment, a subsidiary of the Amadeus Group, had to concede that hackers had broken into its servers and stolen the personal details, including payment information, of an unknown number of customers. The theft did its damage when customers opened emails containing phishing software, which the thieves were able to send because they knew the customers’ email addresses and booking details. A comprehensive security software solution like Avira Antivirus Pro offers protection against such attacks and should therefore be a staple on every computer.

The post Your holidays start on the Internet: tips for booking vacations online appeared first on Avira Blog.

Mozilla 1024-Bit Cert Deprecation Leaves 107,000 Sites Untrusted

Data compiled from Rapid7’s Project Sonar scan found 107,000 websites running 1024-bit CA certificates that will soon be untrusted as Mozilla announces it will no longer support the shorter, weaker keys.
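As an added example of the check behind that number (not Rapid7’s Project Sonar code and not Mozilla’s own policy implementation): a standard-library Python script that reads the modulus out of a DER-encoded PKCS#1 RSAPublicKey with a minimal ASN.1 reader and applies a minimum key size. The sample keys it builds are constructed test values whose only meaningful property is their bit length, and the 2048-bit threshold is an assumption about the policy rather than a value taken from the article.

```python
"""Flag RSA public keys whose modulus falls under a 1024-bit-style cutoff.

Added example: not Rapid7 Project Sonar code and not Mozilla's policy
implementation. The minimal ASN.1 reader below handles a DER-encoded
PKCS#1 RSAPublicKey, i.e. SEQUENCE { INTEGER modulus, INTEGER exponent }.
The sample keys are constructed (the modulus is not a product of primes);
only their size is meaningful. MIN_ACCEPTED_BITS is an assumed policy value.
"""

MIN_ACCEPTED_BITS = 2048


def _read_tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the byte count of the length
        count = length & 0x7F
        length = int.from_bytes(data[pos:pos + count], "big")
        pos += count
    return tag, data[pos:pos + length], pos + length


def rsa_modulus_bits(der):
    """Bit length of the modulus in a DER RSAPublicKey (PKCS#1 form)."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:  # SEQUENCE
        raise ValueError("expected SEQUENCE")
    tag, modulus, _ = _read_tlv(body, 0)
    if tag != 0x02:  # INTEGER
        raise ValueError("expected INTEGER modulus")
    # A leading 0x00 (added so the INTEGER stays positive) does not change
    # the bit length of the value.
    return int.from_bytes(modulus, "big").bit_length()


def key_verdict(der):
    """Return (bits, 'untrusted' | 'accepted') for a DER RSAPublicKey."""
    bits = rsa_modulus_bits(der)
    return bits, ("untrusted" if bits < MIN_ACCEPTED_BITS else "accepted")


# Tiny DER encoder, used only to build the constructed sample keys.
def _der_length(n):
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_integer(value):
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw  # keep the two's-complement value positive
    return b"\x02" + _der_length(len(raw)) + raw


def sample_rsa_public_key(bits):
    """Constructed RSAPublicKey with a modulus of exactly `bits` bits, e=65537."""
    modulus = (1 << (bits - 1)) | 1
    body = _der_integer(modulus) + _der_integer(65537)
    return b"\x30" + _der_length(len(body)) + body


if __name__ == "__main__":
    for size in (1024, 2048, 4096):
        print(size, "->", key_verdict(sample_rsa_public_key(size)))
```

A real certificate carries the key inside a SubjectPublicKeyInfo within the X.509 structure, so on live data you would first walk to that element (or hand the certificate to a library) and then apply `rsa_modulus_bits` to the RSAPublicKey it wraps. Since the figure in the article concerns CA certificates, the check has to be run over every certificate in the chain, not just the site’s leaf.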