Rise of free Wi-Fi hotspots ‘presents serious security risks’

The BBC reports that there is currently one Wi-Fi hotspot for every 150 people in the world, but these unmonitored hotspots can potentially cause problems, experts have warned. ESET security expert Mark James highlighted that people’s desire for a ‘free lunch’ shouldn’t cloud their judgement when it comes to security and privacy issues, especially in cases

The post Rise of free Wi-Fi hotspots ‘presents serious security risks’ appeared first on We Live Security.

Almost One in Three Teenagers has Online Regrets by Age 16

AMSTERDAM and SAN FRANCISCO – November 3, 2014 – The latest Digital Diaries research from AVG Technologies N.V. (NYSE: AVG), the online security company™ for 182 million active users, has found that almost a third of teens (28 percent) say they regret posting something online. The research also found 32 percent have had to ask someone to remove content posted online about them, because they didn’t like it (61 percent) or it was too personal (28 percent).

The global research, which questioned almost 4,000 teenagers aged 11-16 years old on the topic of online privacy, painted an overall picture of a struggle for control. Although 70 percent have changed their settings on Facebook to make it more difficult for people to find them and 71 percent say they understand what online privacy means, only 29 percent say they properly ‘know’ all of their Facebook friends.

Speaking in advance of this week’s Child Helpline International Youth Shadow Conference, which focuses on empowering young people through technology, Emily Cherry, Head of Participation at the NSPCC, commented on the results.

“Young people obviously want to get the most out of social media by sharing information. But they should be aware that people are not always who they appear to be online and may pose a threat to them. If we don’t act now and help to guide them, in particular around contact with strangers, we could be facing a privacy time bomb. Online is as important to young people as eating. It is the most important part of their world throughout the day. If we don’t get this right, we will be failing to give them the vital protection they need.”

Even at this age, there are signs that teenagers have differing ideas of how much is too much when it comes to sharing online:

  • One fifth of teenagers would talk to a friend about deeply personal things online.
  • Over one in four (28 percent) have talked to a friend or family member whom they felt shared too much.
  • Of those who asked for online content about them to be removed, 18 percent identified their mom as the posting culprit.
  • Almost one in ten felt they shared too much about themselves online (9 percent).
  • 14 percent have been asked by someone else to remove content they have shared online.


“Everyone assumes that just because today’s teenagers grew up with laptops and smartphones, they somehow have an innate understanding of how to keep themselves safe online and how to behave. The reality is that we have all – teenagers included – embraced technology without much question and the result has been the steady erosion of our online privacy,” said Tony Anscombe, Senior Security Evangelist at AVG Technologies.

“In a way, parents are just as guilty of this as their teens. I’ve talked previously about the concept of ‘sharenting’, where parents share content about their children online, creating a digital footprint for them that they have no control over. As a parent of a teenager myself, I believe we must take some of the responsibility for the social impact of new technologies – both by setting a standard for trust and consideration through our own online behavior, and by guiding theirs.”

Also identified by the research was the struggle teens face retaining control of their online profile:

  • Only 12 percent said they had a lock on their bedroom door. By contrast, the majority (78 percent) had put a password on their device – although 70 percent noted that their parents knew some or all of these passwords.
  • Almost two-fifths (38 percent) were aware of a family member looking at their device without permission. A further 18 percent said that someone in their family had found private information on their device they hadn’t wanted anyone to see.

###

Note to Editors

Methodology:

AVG commissioned an online survey interviewing teenagers between the ages of 11 and 16 to identify privacy awareness and practices in the following markets: Australia, Brazil, Canada, Czech Republic, France, Germany, New Zealand, the United Kingdom and the United States. A total of 3,999 teenagers completed the survey during September 2014. The market research company Research Now carried out the fieldwork using its proprietary panels.

Further Resources

  • Read AVG’s educational ebook for younger audiences: http://www.avg.com/ebooks/magda-and-mo


###

About AVG Technologies (NYSE: AVG)

AVG is the online security company providing leading software and services to secure devices, data and people. AVG has over 182 million active users, as of June 30, 2014, using AVG’s products and services including Internet security, performance optimization, and personal privacy and identity protection. By choosing AVG’s products, users become part of a trusted global community that engages directly with AVG to provide feedback and offer mutual support to other customers.

All trademarks are the property of their respective owners.

www.avg.com

In Pictures: Child Helpline International, London

Lunch Session in Tower Bridge:

AVG kicked off its session with an informal lunch inside one of London’s most iconic landmarks, Tower Bridge.


Celebrity Speakers

We were very lucky to be joined by Maddie Moate and Luke Franks who have earned thousands of fans on social media. Maddie and Luke gave a talk to the group about how you can stay safe and private while using social media.


Geotagging Workshop

AVG’s own Tony Anscombe then led the group in an interactive session to demonstrate just how much they might be sharing online without realizing it. In a few simple steps it is possible to find out some very personal information about a complete stranger using nothing but a few public websites.


Social Media Session

In his final session, Tony gave some easy to follow advice on how we can all stay safer while using social media and debunked a myth that messages sent over apps like Snapchat cannot be saved.


Interview:

Two primary school children, Felix and Tom, conducted an interview with our two celebrity guests. They quizzed them on everything from technology addiction to online safety. You can read the full interview here.


Tips:

After a long day discussing Internet safety, here are some of the best tips raised in our session:

  • Always turn off location tagging when using photo sharing apps like Instagram.
  • When sharing a post on Facebook, always check to see who will be able to see it.
  • Never share any inappropriate images of yourself, even on apps like Snapchat. There are always ways to save the images.
  • Don’t open an email attachment from an unrecognised sender, even if it has your name on it.
  • Using a tool like AVG PrivacyFix can be an easy way to control your settings across several networks.

If you have any tips on how to stay safe on social media, let us know on our Facebook community.


SB14-307: Vulnerability Summary for the Week of October 27, 2014

Original release date: November 03, 2014

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.
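The severity bands and the row layout described above, as an added example that is not part of the US-CERT bulletin: a parser for the flattened row format used in the tables that follow (vendor, product, description, published date, CVSS score, CVE ID on one line, with the Source & Patch Info tags on the lines beneath) and a check that every row listed under a section really falls in that section's band. The sample rows are copied from this bulletin; the regular expression is this example's assumption about the layout, not a format the bulletin defines.

```python
import re

# Band thresholds exactly as the bulletin states them (CVSS v2 base score,
# one decimal place): High 7.0-10.0, Medium 4.0-6.9, Low 0.0-3.9.
HIGH_MIN = 7.0
MEDIUM_MIN = 4.0

# One bulletin row: '<vendor> <em dash> <product> <description> <date> <score> <CVE>'.
# Assumed layout for this example; the source tags printed under each row
# (EXPLOIT-DB, MISC, ...) do not match and are skipped by the callers below.
ROW_RE = re.compile(
    r"^(?P<vendor>\S+) " + "\u2014" + r" (?P<product>\S+) "
    + r"(?P<description>.+?) "
    + r"(?P<published>\d{4}-\d{2}-\d{2}) "
    + r"(?P<score>\d{1,2}\.\d) "
    + r"(?P<cve>CVE-\d{4}-\d{4,})$"
)


def severity(score: float) -> str:
    """Map a CVSS base score to the bulletin's band name."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= HIGH_MIN:
        return "High"
    if score >= MEDIUM_MIN:
        return "Medium"
    return "Low"


def parse_row(line: str) -> dict:
    """Split one row into its columns; raises ValueError for non-row lines."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a bulletin row: {line[:60]!r}")
    rec = m.groupdict()
    rec["score"] = float(rec["score"])
    rec["severity"] = severity(rec["score"])
    return rec


def bulletin_records(lines) -> list:
    """Parse every row in a section; tag lines and blanks are skipped."""
    return [parse_row(line) for line in lines if ROW_RE.match(line.strip())]


def misfiled(section: str, lines) -> list:
    """CVE IDs whose score puts them in a band other than `section`."""
    return [r["cve"] for r in bulletin_records(lines) if r["severity"] != section]


# Rows copied from this bulletin, followed by the tag lines that accompany them.
SAMPLE_HIGH = """\
gnu — wget Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink. 2014-10-29 9.3 CVE-2014-4877
MISC
MISC
CONFIRM
f5 — big-ip_analytics F5 BIG-IP Analytics 11.x before 11.4.0 uses a predictable session cookie, which makes it easier for remote attackers to have unspecified impact by guessing the value. 2014-10-26 7.5 CVE-2013-7408
BID
""".splitlines()

SAMPLE_MEDIUM = """\
apache — cxf The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service. 2014-10-30 5.0 CVE-2014-3584
XF
BID
SECUNIA
MLIST
""".splitlines()


if __name__ == "__main__":
    for rec in bulletin_records(SAMPLE_HIGH + SAMPLE_MEDIUM):
        print(rec["cve"], rec["score"], rec["severity"], rec["vendor"], rec["product"])
    # Constructed check: a Medium row placed in the High section is reported.
    print("misfiled under High:", misfiled("High", SAMPLE_HIGH + SAMPLE_MEDIUM))
```

The band check is useful when a bulletin is ingested into a tracker: a row's score, not the heading it happened to be printed under, should drive triage priority.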

High Vulnerabilities

Columns: Primary Vendor — Product | Description | Published | CVSS Score | CVE ID; the Source & Patch Info reference tags follow each row on separate lines
allplayer — allplayer Buffer overflow in ALLPlayer 5.6.2 through 5.8.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in a .m3u (playlist) file. 2014-10-30 7.5 CVE-2013-7409
EXPLOIT-DB
EXPLOIT-DB
EXPLOIT-DB
EXPLOIT-DB
EXPLOIT-DB
MISC
MISC
MISC
MISC
OSVDB
bss — continuity_cms SQL injection vulnerability in wcm/system/pages/admin/getnode.aspx in BSS Continuity CMS 4.2.22640.0 allows remote attackers to execute arbitrary SQL commands via the nodeid parameter. 2014-10-30 7.5 CVE-2014-3446
MISC
XF
FULLDISC
django_piston_project — django_piston emitters.py in Django Piston before 0.2.3 and 0.2.x before 0.2.2.1 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method. 2014-10-26 7.5 CVE-2011-4103
MISC
CONFIRM
MLIST
DEBIAN
django_tastypie_project — django_tastypie The from_yaml method in serializers.py in Django Tastypie before 0.9.10 does not properly deserialize YAML data, which allows remote attackers to execute arbitrary Python code via vectors related to the yaml.load method. 2014-10-26 7.5 CVE-2011-4104
MISC
CONFIRM
MLIST
egroupware — egroupware EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition before 1.8.007.20140506, and EGroupware before 14.1 beta allows remote authenticated administrators to execute arbitrary PHP code via crafted callback values to the call_user_func PHP function, as demonstrated using the newsettings[system] parameter. NOTE: this can be exploited by remote attackers by leveraging CVE-2014-2987. 2014-10-26 8.5 CVE-2014-2988
MISC
BUGTRAQ
etiko — etiko_cms Multiple SQL injection vulnerabilities in Etiko CMS allow remote attackers to execute arbitrary SQL commands via the (1) page_id parameter to loja/index.php or (2) article_id parameter to index.php. 2014-10-28 7.5 CVE-2014-8506
XF
MISC
f5 — big-ip_analytics F5 BIG-IP Analytics 11.x before 11.4.0 uses a predictable session cookie, which makes it easier for remote attackers to have unspecified impact by guessing the value. 2014-10-26 7.5 CVE-2013-7408
BID
freebsd — freebsd Stack-based buffer overflow in rtsold in FreeBSD 9.1 through 10.1-RC2 allows remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted DNS parameters in a router advertisement message. 2014-10-27 10.0 CVE-2014-3954
SECTRACK
gnu — wget Absolute path traversal vulnerability in GNU Wget before 1.16, when recursion is enabled, allows remote FTP servers to write to arbitrary files, and consequently execute arbitrary code, via a LIST response that references the same filename within two entries, one of which indicates that the filename is for a symlink. 2014-10-29 9.3 CVE-2014-4877
MISC
MISC
CONFIRM
ioquake3 — ioquake3_engine server/sv_main.c in Quake3 Arena, as used in ioquake3 before r1762, OpenArena, Tremulous, and other products, allows remote attackers to cause a denial of service (network traffic amplification) via a spoofed (1) getstatus or (2) rcon request. 2014-10-27 7.8 CVE-2010-5077
MISC
MISC
BUGTRAQ
MLIST
MISC
DEBIAN
MISC
MISC
libproxy_project — libproxy Format string vulnerability in the print_proxies function in bin/proxy.c in libproxy 0.3.1 might allow context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via format string specifiers in a proxy name, as demonstrated using the http_proxy environment variable or a PAC file. 2014-10-27 7.5 CVE-2012-5580
CONFIRM
CONFIRM
CONFIRM
XF
BID
mcafee — network_data_loss_prevention The MySQL database in McAfee Network Data Loss Prevention (NDLP) before 9.3 does not require a password, which makes it easier for remote attackers to obtain access. 2014-10-29 7.5 CVE-2014-8522
mcafee — network_data_loss_prevention Unspecified vulnerability in McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote attackers to obtain sensitive information, affect integrity, or cause a denial of service via unknown vectors, related to simultaneous logins. 2014-10-29 7.5 CVE-2014-8530
mcafee — network_data_loss_prevention McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote attackers to execute arbitrary code via vectors related to ICMP redirection. 2014-10-29 7.5 CVE-2014-8533
php — php Integer overflow in the object_custom function in ext/standard/var_unserializer.c in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an argument to the unserialize function that triggers calculation of a large length value. 2014-10-29 7.5 CVE-2014-3669
CONFIRM
CONFIRM
CONFIRM
python-gnupg_project — python-gnupg The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using “$(” command-substitution sequences, a different vulnerability than CVE-2014-1928. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323. 2014-10-25 7.5 CVE-2014-1927
CONFIRM
CONFIRM
DEBIAN
SECUNIA
SECUNIA
MLIST
MLIST
quixplorer — quixplorer Directory traversal vulnerability in the zip download functionality in QuiXplorer before 2.5.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the selitems[] parameter in a download_selected action to index.php. 2014-10-26 7.8 CVE-2013-1641
MISC
CONFIRM
CONFIRM
MISC
XF
SECUNIA
wordpress — wordpress PHP remote file inclusion vulnerability in wp-links/links.all.php in WordPress 0.70 allows remote attackers to execute arbitrary PHP code via a URL in the $abspath variable. 2014-10-27 7.5 CVE-2003-1599
XF
BID
OSVDB
MLIST
xrms_crm_project — xrms_crm SQL injection vulnerability in XRMS CRM, possibly 1.99.2, allows remote attackers to execute arbitrary SQL commands via the user_id parameter to plugins/webform/new-form.php, which is not properly handled by plugins/useradmin/fingeruser.php. 2014-10-26 7.5 CVE-2014-5520
BID
MLIST
MLIST
EXPLOIT-DB
FULLDISC
MISC
zohocorp — manageengine_eventlog_analyzer Directory traversal vulnerability in the agentUpload servlet in ZOHO ManageEngine EventLog Analyzer 9.0 build 9002 and 8.2 build 8020 allows remote attackers to execute arbitrary code by uploading a ZIP file which contains an executable file with .. (dot dot) sequences in its name, then accessing the executable via a direct request to the file under the web root. 2014-10-26 7.5 CVE-2014-6037
MISC
BID
EXPLOIT-DB
FULLDISC
FULLDISC
FULLDISC
MISC
OSVDB
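Three entries in this table share one root cause, a name taken from the remote side and joined onto a local directory: the ".." in QuiXplorer's selitems[] parameter (CVE-2013-1641), the ".." inside a ZIP member name uploaded to ManageEngine EventLog Analyzer (CVE-2014-6037), and the FTP LIST symlink that Wget created and then wrote through (CVE-2014-4877). The following is an added example, not code from any of those projects, of the confinement check an upload extractor or a mirroring client should apply before touching the filesystem. The member names, the "pub" symlink and the policy of refusing symlink members are assumptions made for the example.

```python
import io
import os
import posixpath
import re
import stat
import tempfile
import zipfile


class PathEscape(ValueError):
    """Raised when an untrusted name would land outside the destination."""


def confine(root: str, untrusted: str) -> str:
    """Return the absolute on-disk path for `untrusted` inside `root`.

    Rejects absolute and drive-letter names, any '..' that climbs above root
    after normalisation ('a/../../x'), and names that resolve through an
    existing symlink to somewhere outside root (the Wget case: the symlink
    was created by an earlier entry, a later entry is written through it)."""
    root = os.path.realpath(root)
    name = untrusted.replace("\\", "/")  # archives made on Windows use '\'
    if posixpath.isabs(name) or re.match(r"[A-Za-z]:", name):
        raise PathEscape(f"absolute name rejected: {untrusted!r}")
    norm = posixpath.normpath(name)
    if norm == ".." or norm.startswith("../"):
        raise PathEscape(f"parent traversal rejected: {untrusted!r}")
    target = os.path.realpath(os.path.join(root, norm))
    if os.path.commonpath([root, target]) != root:
        raise PathEscape(f"resolves outside root: {untrusted!r} -> {target}")
    return target


def extract_safely(zip_bytes: bytes, root: str):
    """Extract every regular-file member whose name stays under `root`;
    refuse symlink members outright. Returns (written, rejected) name lists."""
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            mode = info.external_attr >> 16  # unix mode bits, when stored
            if stat.S_ISLNK(mode):
                rejected.append(info.filename)
                continue
            try:
                dest = confine(root, info.filename)
            except PathEscape:
                rejected.append(info.filename)
                continue
            if info.is_dir():
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(info) as src, open(dest, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written, rejected


def build_sample_zip() -> bytes:
    """Constructed upload: one legitimate member and one whose name carries
    '..', the shape the ManageEngine entry describes (names invented here)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agent/config.txt", "harmless\n")
        zf.writestr("../webapps/cmd.jsp", "<% /* would land under the web root */ %>")
    return buf.getvalue()


def symlink_escape_is_blocked(root: str, outside: str) -> bool:
    """Re-create the Wget scenario: 'pub' inside root is already a symlink to
    a directory outside it; a later write to 'pub/passwd' must be refused."""
    link = os.path.join(root, "pub")
    if not os.path.lexists(link):
        os.symlink(outside, link)
    try:
        confine(root, "pub/passwd")
    except PathEscape:
        return True
    return False


def fresh_root() -> str:
    """A new empty destination directory (resolved, so comparisons are exact)."""
    return os.path.realpath(tempfile.mkdtemp(prefix="confine-"))


if __name__ == "__main__":
    root = fresh_root()
    print(extract_safely(build_sample_zip(), root))
    print("symlink escape blocked:", symlink_escape_is_blocked(root, fresh_root()))
```

The realpath comparison is what catches the symlink variant; a purely lexical check on the name would pass "pub/passwd" because it contains no "..".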
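For the python-gnupg entry (CVE-2014-1927) in this table: an added illustration, not the library's code, of why escaping a list of metacharacters inside double quotes does not neutralise "$(" command substitution, beside the standard-library replacement. The naive_quote function is an assumed reproduction of that class of mistake, the sample values are constructed, and the shell check needs a POSIX sh on the path.

```python
import shlex
import subprocess


def naive_quote(value: str) -> str:
    """Backslash a handful of metacharacters and wrap the result in double
    quotes (an illustration of the mistake class, not python-gnupg's code).
    Double quotes do not stop $(...) or backtick substitution, and a backslash
    before ';' is kept literally by the shell, so this is wrong both ways."""
    for ch in ("\\", '"', ";", "&", "|", "<", ">"):
        value = value.replace(ch, "\\" + ch)
    return '"' + value + '"'


def safe_quote(value: str) -> str:
    """Single-quote the value, closing and reopening around embedded quotes;
    nothing inside single quotes is expanded by a POSIX shell."""
    return shlex.quote(value)


def shell_sees(quoted: str) -> str:
    """Hand the quoted word to sh and return the argument printf receives,
    which is what a program run through the shell would have been given."""
    result = subprocess.run(["sh", "-c", "printf '%s' " + quoted],
                            capture_output=True, text=True, check=True)
    return result.stdout


# Constructed inputs in the shape of a recipient name or key id.
SUBSTITUTION = "alice$(echo pwned)@example.com"
BACKTICKS = "it's `echo pwned`"

if __name__ == "__main__":
    for value in (SUBSTITUTION, BACKTICKS):
        print("naive:", shell_sees(naive_quote(value)))
        print("safe: ", shell_sees(safe_quote(value)))
```

Quoting is the second-best fix: passing an argv list to subprocess.run without a shell means no quoting layer exists to get wrong.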


Medium Vulnerabilities

Columns: Primary Vendor — Product | Description | Published | CVSS Score | CVE ID; the Source & Patch Info reference tags follow each row on separate lines
adaptivecomputing — torque_resource_manager The tm_adopt function in lib/Libifl/tm.c in Terascale Open-Source Resource and Queue Manager (aka TORQUE Resource Manager) 5.0.x, 4.5.x, 4.2.x, and earlier does not validate that the owner of the process also owns the adopted session id, which allows remote authenticated users to kill arbitrary processes via a crafted executable. 2014-10-30 6.8 CVE-2014-3684
DEBIAN
SECUNIA
SECUNIA
MLIST
MLIST
apache — cxf The SamlHeaderInHandler in Apache CXF before 2.6.11, 2.7.x before 2.7.8, and 3.0.x before 3.0.1 allows remote attackers to cause a denial of service (infinite loop) via a crafted SAML token in the authorization header of a request to a JAX-RS service. 2014-10-30 5.0 CVE-2014-3584
XF
BID
SECUNIA
MLIST
apache — cxf Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors. 2014-10-30 5.0 CVE-2014-3623
CONFIRM
XF
BID
SECUNIA
MLIST
avamar_virtual_edition — 6.0 EMC Avamar Data Store (ADS) and Avamar Virtual Edition (AVE) 6.x and 7.0.x through 7.0.2-43 do not require authentication for Java API calls, which allows remote attackers to discover grid MCUser and GSAN passwords via a crafted call. 2014-10-25 5.0 CVE-2014-4624
XF
CONFIRM
SECTRACK
SECTRACK
BID
BUGTRAQ
SECUNIA
SECUNIA
MISC
MISC
BUGTRAQ
bottle_project — bottle Bottle 0.10.x before 0.10.12, 0.11.x before 0.11.7, and 0.12.x before 0.12.6 does not properly limit content types, which allows remote attackers to bypass intended access restrictions via an accepted Content-Type followed by a ; (semi-colon) and a Content-Type that would not be accepted, as demonstrated in YouCompleteMe to execute arbitrary code. 2014-10-25 6.8 CVE-2014-3137
CONFIRM
MLIST
DEBIAN
cisco — asr901 Cisco IOS 15.4(3)S0b on ASR901 devices makes incorrect decisions to use the CPU for IPv4 packet processing, which allows remote attackers to cause a denial of service (BGP neighbor flapping) by sending many crafted IPv4 packets, aka Bug ID CSCuo29736. 2014-10-28 5.0 CVE-2014-3293
cisco — unified_communications_manager SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089. 2014-10-31 6.5 CVE-2014-3366
cisco — unified_communications_manager Multiple cross-site scripting (XSS) vulnerabilities in the CCM reports interface in the Server in Cisco Unified Communications Manager allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuq90589. 2014-10-31 4.3 CVE-2014-3372
cisco — unified_communications_manager Multiple cross-site scripting (XSS) vulnerabilities in the CCM Dialed Number Analyzer interface in the Server in Cisco Unified Communications Manager allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCup92550. 2014-10-31 4.3 CVE-2014-3373
cisco — unified_communications_manager Multiple cross-site scripting (XSS) vulnerabilities in the CCM admin interface in the Server in Cisco Unified Communications Manager allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuq90582. 2014-10-31 4.3 CVE-2014-3374
cisco — unified_communications_manager Multiple cross-site scripting (XSS) vulnerabilities in the CCM Service interface in the Server in Cisco Unified Communications Manager allow remote attackers to inject arbitrary web script or HTML via unspecified parameters, aka Bug ID CSCuq90597. 2014-10-31 4.3 CVE-2014-3375
cisco — ios The Ethernet Connectivity Fault Management (CFM) handling feature in Cisco IOS 12.2(33)SRE9a and earlier and IOS XE 3.13S and earlier allows remote attackers to cause a denial of service (device reload) via malformed CFM packets, aka Bug ID CSCuq93406. 2014-10-25 6.1 CVE-2014-3409
cobbler_project — cobbler The set_mgmt_parameters function in item.py in cobbler before 2.2.2 allows context-dependent attackers to execute arbitrary code via vectors related to the use of the yaml.load function instead of the yaml.safe_load function, as demonstrated using Puppet. 2014-10-26 6.8 CVE-2011-4953
CONFIRM
CONFIRM
SUSE
cpuminer_project — cpuminer Stack-based buffer overflow in CPUMiner before 2.4.1 allows remote attackers to have an unspecified impact by sending a mining.subscribe response with a large nonce2 length, then triggering the overflow with a mining.notify request. 2014-10-24 6.0 CVE-2014-6251
FULLDISC
deeproot_linux — deepofix The SMTP server in DeepOfix 3.3 and earlier allows remote attackers to bypass authentication via an empty password, which triggers an LDAP anonymous bind. 2014-10-26 5.0 CVE-2013-6796
XF
BID
OSVDB
EXPLOIT-DB
MISC
dell — equallogic_ps4000_firmware Directory traversal vulnerability in Dell EqualLogic PS4000 with firmware 6.0 allows remote attackers to read arbitrary files via a .. (dot dot) in the default URI. 2014-10-30 5.0 CVE-2013-3304
MISC
BID
EXPLOIT-DB
egroupware — egroupware Multiple cross-site request forgery (CSRF) vulnerabilities in EGroupware Enterprise Line (EPL) before 1.1.20140505, EGroupware Community Edition before 1.8.007.20140506, and EGroupware before 14.1 beta allow remote attackers to hijack the authentication of administrators for requests that (1) create an administrator user via an admin.uiaccounts.add_user action to index.php or (2) modify settings via the newsettings parameter in an admin.uiconfig.index action to index.php. NOTE: vector 2 can be used to execute arbitrary PHP code by leveraging CVE-2014-2988. 2014-10-26 6.8 CVE-2014-2987
MISC
BUGTRAQ
CONFIRM
SECUNIA
electric_cloud — electriccommander Electric Cloud ElectricCommander before 4.2.6 and 5.x before 5.0.3 uses world-writable permissions for (1) eccert.pl and (2) ecconfigure.pl, which allows local users to execute arbitrary Perl code by modifying these files. 2014-10-24 4.6 CVE-2014-7180
XF
BID
MISC
MISC
FULLDISC
MISC
emc — avamar EMC Avamar 6.0.x, 6.1.x, and 7.0.x in Avamar Data Store (ADS) GEN4(S) and Avamar Virtual Edition (AVE), when Password Hardening before 2.0.0.4 is enabled, uses UNIX DES crypt for password hashing, which makes it easier for context-dependent attackers to obtain cleartext passwords via a brute-force attack. 2014-10-25 5.0 CVE-2014-4623
XF
SECTRACK
BID
MISC
BUGTRAQ
etiko — etiko_cms Multiple cross-site scripting (XSS) vulnerabilities in Etiko CMS allow remote attackers to inject arbitrary web script or HTML via the (1) page_id parameter to loja/index.php or (2) article_id parameter to index.php. 2014-10-28 4.3 CVE-2014-8505
XF
MISC
exponentcms — exponent_cms Cross-site scripting (XSS) vulnerability in Exponent CMS 2.3.0 allows remote attackers to inject arbitrary web script or HTML via the src parameter in the search action to index.php. 2014-10-26 4.3 CVE-2014-6635
XF
MISC
f5 — big-ip_access_policy_manager Cross-site scripting (XSS) vulnerability in tmui/dashboard/echo.jsp in the Configuration utility in F5 BIG-IP LTM, APM, ASM, GTM, and Link Controller 11.0.0 before 11.6.0 and 10.1.0 through 10.2.4, AAM 11.4.0 before 11.6.0, AFM and PEM 11.3.0 before 11.6.0, Analytics 11.0.0 through 11.5.1, Edge Gateway, WebAccelerator, and WOM 11.0.0 through 11.3.0 and 10.1.0 through 10.2.4, and PSM 11.0.0 through 11.4.1 and 10.1.0 through 10.2.4 and Enterprise Manager 3.0.0 through 3.1.1 and 2.1.0 through 2.3.0 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2014-10-28 4.3 CVE-2014-4023
fal_sftp_project — fal_sftp The fal_sftp extension before 0.2.6 for TYPO3 uses weak permissions for sFTP driver files and folders, which allows remote authenticated users to obtain sensitive information via unspecified vectors. 2014-10-27 4.0 CVE-2014-8327
XF
freebsd — freebsd namei in FreeBSD 9.1 through 10.1-RC2 allows remote attackers to cause a denial of service (memory exhaustion) via vectors that trigger a sandboxed process to look up a large number of nonexistent path names. 2014-10-27 5.0 CVE-2014-3711
SECTRACK
freebsd — freebsd routed in FreeBSD 8.4 through 10.1-RC2 allows remote attackers to cause a denial of service (assertion failure and daemon exit) via an RIP request from a source not on a directly connected network. 2014-10-27 5.0 CVE-2014-3955
SECTRACK
SECUNIA
ghostscript — ghostscript Untrusted search path vulnerability in Ghostscript 8.62 allows local users to execute arbitrary PostScript code via a Trojan horse Postscript library file in Encoding/ under the current working directory, a different vulnerability than CVE-2010-2055. 2014-10-26 4.4 CVE-2010-4820
CONFIRM
MISC
BID
BUGTRAQ
MLIST
MISC
gnu — eglibc Integer signedness error in Glibc before 2.13 and eglibc before 2.13, when using Supplemental Streaming SIMD Extensions 3 (SSSE3) optimization, allows context-dependent attackers to execute arbitrary code via a negative length parameter to (1) memcpy-ssse3-rep.S, (2) memcpy-ssse3.S, or (3) memset-sse2.S in sysdeps/i386/i686/multiarch/, which triggers an out-of-bounds read, as demonstrated using the memcpy function. 2014-10-27 6.8 CVE-2011-2702
CONFIRM
MISC
MISC
OSVDB
MISC
CONFIRM
MLIST
MLIST
hp — hp-ux Unspecified vulnerability in the kernel in HP HP-UX B.11.31 allows local users to cause a denial of service via unknown vectors. 2014-10-30 4.9 CVE-2014-7877
ibm — tivoli_composite_application_manager_for_transactions The Internet Service Monitor (ISM) agent in IBM Tivoli Composite Application Manager (ITCAM) for Transactions 7.1 and 7.2 before 7.2.0.3 IF28, 7.3 before 7.3.0.1 IF30, and 7.4 before 7.4.0.0 IF18 does not verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain credential information via a crafted certificate. 2014-10-29 4.3 CVE-2014-3051
XF
ibm — websphere_portal Unspecified vulnerability in IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0 through 7.0.0.2 CF28, 8.0 through 8.0.0.1 CF14, and 8.5.0 before CF03 allows remote authenticated users to execute arbitrary code via unknown vectors. 2014-10-28 6.5 CVE-2014-4808
XF
ibm — websphere_portal IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0 through 7.0.0.2 CF28, 8.0 through 8.0.0.1 CF14, and 8.5.0 before CF03 provides different web-server error codes depending on whether a requested file exists, which allows remote attackers to determine the validity of filenames via a series of requests. 2014-10-28 5.0 CVE-2014-4821
XF
ibm — tririga_application_platform Cross-site request forgery (CSRF) vulnerability in birtviewer.query in IBM TRIRIGA Application Platform 3.2 and 3.3 before 3.3.0.2, 3.3.1 before 3.3.1.3, 3.3.2 before 3.3.2.2, and 3.4 before 3.4.0.1 allows remote authenticated users to hijack the authentication of arbitrary users for requests that insert XSS sequences. 2014-10-29 6.0 CVE-2014-4839
XF
ibm — sterling_b2b_integrator The Change Password feature in IBM Sterling B2B Integrator 5.2.x through 5.2.4 does not have a lockout protection mechanism for invalid login requests, which makes it easier for remote attackers to obtain admin access via a brute-force approach. 2014-10-26 5.0 CVE-2014-6099
XF
AIXAPAR
AIXAPAR
ibm — business_process_manager Cross-site scripting (XSS) vulnerability in the redirect-login feature in IBM Business Process Manager (BPM) Advanced 7.5 through 8.5.5 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. 2014-10-31 4.3 CVE-2014-6101
XF
ibm — websphere_portal Cross-site request forgery (CSRF) vulnerability in IBM WebSphere Portal 8.5.0 before CF03 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences. 2014-10-28 6.8 CVE-2014-6125
XF
AIXAPAR
ibm — websphere_portal Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.5.0 before CF03 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2014-10-28 4.3 CVE-2014-6126
XF
ibm — tivoli_application_dependency_discovery_manager Directory traversal vulnerability in BIRT-viewer in IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.2.0.0 through 7.2.0.10, 7.2.1.0 through 7.2.1.6, and 7.2.2.0 through 7.2.2.2 allows remote authenticated users to read arbitrary files via unspecified vectors. 2014-10-29 5.0 CVE-2014-6149
XF
ignite_realtime — smack_api The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. 2014-10-25 6.8 CVE-2014-5075
SECUNIA
CONFIRM
mcafee — network_data_loss_prevention McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote attackers to obtain sensitive information via vectors related to open network ports. 2014-10-29 5.0 CVE-2014-8520
mcafee — network_data_loss_prevention Cross-site request forgery (CSRF) vulnerability in McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. 2014-10-29 6.8 CVE-2014-8523
mcafee — network_data_loss_prevention McAfee Network Data Loss Prevention (NDLP) before 9.3 does not disable the autocomplete setting for the password and other fields, which allows remote attackers to obtain sensitive information via unspecified vectors. 2014-10-29 5.0 CVE-2014-8524
mcafee — network_data_loss_prevention McAfee Network Data Loss Prevention (NDLP) before 9.3 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie. 2014-10-29 5.0 CVE-2014-8525
mcafee — network_data_loss_prevention The TLS/SSL Server in McAfee Network Data Loss Prevention (NDLP) before 9.3 uses weak cipher algorithms, which makes it easier for remote authenticated users to execute arbitrary code via unspecified vectors. 2014-10-29 6.5 CVE-2014-8531
mcafee — network_data_loss_prevention McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to bypass intended restriction on unspecified functionality via unknown vectors. 2014-10-29 4.6 CVE-2014-8535
not_yet_commons_ssl_project — not_yet_commons_ssl Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject’s Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. 2014-10-24 6.8 CVE-2014-3604
MISC
MISC
XF
openstack — juno OpenStack Identity (Keystone) before 2013.2.4, 2014.x before 2014.1.2, and Juno before Juno-2 allows remote authenticated trustees to gain access to an unauthorized project for which the trustor has certain roles via the project ID in a V2 API trust token request. 2014-10-26 6.0 CVE-2014-3520
CONFIRM
SECUNIA
payment_for_webform_project — payment_for_webform The Payment for Webform module 7.x-1.x before 7.x-1.5 for Drupal does not restrict access by anonymous users, which allows remote anonymous users to use the payment of other anonymous users when submitting a form that requires payment. 2014-10-25 4.3 CVE-2013-4594
SECUNIA
MLIST
php — php Buffer overflow in the date_from_ISO8601 function in the mkgmtime implementation in libxmlrpc/xmlrpc.c in the XMLRPC extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 allows remote attackers to cause a denial of service (application crash) via (1) a crafted first argument to the xmlrpc_set_type function or (2) a crafted argument to the xmlrpc_decode function, related to an out-of-bounds read operation. 2014-10-29 5.0 CVE-2014-3668
CONFIRM
CONFIRM
CONFIRM
php — php The exif_ifd_make_value function in exif.c in the EXIF extension in PHP before 5.4.34, 5.5.x before 5.5.18, and 5.6.x before 5.6.2 operates on floating-point arrays incorrectly, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a crafted JPEG image with TIFF thumbnail data that is improperly handled by the exif_thumbnail function. 2014-10-29 6.8 CVE-2014-3670
CONFIRM
CONFIRM
CONFIRM
pidgin — pidgin The (1) bundled GnuTLS SSL/TLS plugin and the (2) bundled OpenSSL SSL/TLS plugin in libpurple in Pidgin before 2.10.10 do not properly consider the Basic Constraints extension during verification of X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate. 2014-10-29 6.4 CVE-2014-3694
pidgin — pidgin markup.c in the MXit protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a large length value in an emoticon response. 2014-10-29 5.0 CVE-2014-3695
pidgin — pidgin nmevent.c in the Novell GroupWise protocol plugin in libpurple in Pidgin before 2.10.10 allows remote servers to cause a denial of service (application crash) via a crafted server message that triggers a large memory allocation. 2014-10-29 5.0 CVE-2014-3696
pidgin — pidgin Absolute path traversal vulnerability in the untar_block function in win32/untar.c in Pidgin before 2.10.10 on Windows allows remote attackers to write to arbitrary files via a drive name in a tar archive of a smiley theme. 2014-10-29 6.4 CVE-2014-3697
pidgin — pidgin The jabber_idn_validate function in jutil.c in the Jabber protocol plugin in libpurple in Pidgin before 2.10.10 allows remote attackers to obtain sensitive information from process memory via a crafted XMPP message. 2014-10-29 5.0 CVE-2014-3698
process-one — ejabberd ejabberd before 2.1.13 does not enforce the starttls_required setting when compression is used, which causes clients to establish connections without encryption. 2014-10-24 5.0 CVE-2014-8760
MISC
BID
MLIST
MLIST
python-gnupg_project — python-gnupg The shell_quote function in python-gnupg 0.3.5 does not properly escape characters, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using “\” (backslash) characters to form multi-command sequences, a different vulnerability than CVE-2014-1927. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323. 2014-10-25 4.6 CVE-2014-1928
CONFIRM
DEBIAN
SECUNIA
SECUNIA
MLIST
MLIST
python-gnupg_project — python-gnupg python-gnupg 0.3.5 and 0.3.6 allows context-dependent attackers to have an unspecified impact via vectors related to “option injection through positional arguments.” NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323. 2014-10-25 4.4 CVE-2014-1929
DEBIAN
SECUNIA
MLIST
MLIST
redhat — cloudforms_3.0_management_engine The (1) get and (2) log methods in the AgentController in Red Hat CloudForms 3.0 Management Engine (CFME) 5.x allow remote attackers to insert arbitrary text into log files via unspecified vectors. 2014-10-26 5.0 CVE-2014-0136
BID
robert_ancell — lightdm lightdm before 1.0.9 does not properly close file descriptors before opening a child process, which allows local users to write to the lightdm log or have other unspecified impact. 2014-10-27 4.6 CVE-2012-1111
CONFIRM
CONFIRM
MLIST
MLIST
SUSE
wp-football_project — wp-football Multiple cross-site scripting (XSS) vulnerabilities in the wp-football plugin 1.1 and earlier for WordPress allow remote attackers to inject arbitrary web script or HTML via the league parameter to (1) football_classification.php, (2) football_criteria.php, (3) templates/template_default_preview.php, or (4) templates/template_worldCup_preview.php; the (5) f parameter to football-functions.php; the id parameter in an “action” action to (6) football_groups_list.php, (7) football_matches_list.php, (8) football_matches_phase.php, or (9) football_phases_list.php; or the (10) id_league parameter in a delete action to football_matches_load.php. 2014-10-27 4.3 CVE-2014-4586
MISC
wp_ban_project — wp_ban WP-Ban plugin before 1.6.4 for WordPress, when running in certain configurations, allows remote attackers to bypass the IP blacklist via a crafted X-Forwarded-For header. 2014-10-24 4.3 CVE-2014-6230
MISC
FULLDISC
xen — xen Xen 4.4.x, when running on an ARM system and “handling an unknown system register access from 64-bit userspace,” returns to an instruction of the trap handler for kernel space faults instead of an instruction that is associated with faults in 64-bit userspace, which allows local guest users to cause a denial of service (crash) and possibly gain privileges via a crafted process. 2014-10-26 4.4 CVE-2014-5148
XF
SECTRACK
BID
SECUNIA


Low Vulnerabilities

Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info
blackberry — blackberry_os The BlackBerry World app before 5.0.0.262 on BlackBerry 10 OS 10.2.0, before 5.0.0.263 on BlackBerry 10 OS 10.2.1, and before 5.1.0.53 on BlackBerry 10 OS 10.3.0 does not properly validate download/update requests, which allows user-assisted man-in-the-middle attackers to spoof servers and trigger the download of a crafted app by modifying the client-server data stream. 2014-10-25 3.5 CVE-2014-6611
SECUNIA
chkrootkit_project — chkrootkit The slapper function in chkrootkit before 0.50 does not properly quote file paths, which allows local users to execute arbitrary code via a Trojan horse executable. NOTE: this is only a vulnerability when /tmp is not mounted with the noexec option. 2014-10-25 3.7 CVE-2014-0476
UBUNTU
MLIST
DEBIAN
d-bus_project — d-bus D-Bus 1.3.0 through 1.6.x before 1.6.24 and 1.8.x before 1.8.8 allows local users to (1) cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors or (2) cause a denial of service (disconnect) via multiple messages that combine to have more than the allowed number of file descriptors for a single sendmsg call. 2014-10-25 1.9 CVE-2014-3636
MLIST
DEBIAN
SECUNIA
emc — networker The EMC NetWorker Module for MEDITECH (aka NMMEDI) 3.0 build 87 through 90, when EMC RecoverPoint and Plink are used, stores cleartext RecoverPoint Appliance credentials in nsrmedisv.raw log files, which allows local users to obtain sensitive information by reading these files. 2014-10-25 2.1 CVE-2014-4620
XF
SECTRACK
BID
SECUNIA
MISC
BUGTRAQ
ibm — security_appscan_source The installer in IBM Security AppScan Source 8.x and 9.x through 9.0.1 has an open network port for a debug service, which allows remote attackers to obtain sensitive information by connecting to this port. 2014-10-26 1.8 CVE-2014-4812
XF
ibm — websphere_portal IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0 through 7.0.0.2 CF28, 8.0 through 8.0.0.1 CF14, and 8.5.0 before CF03 does not properly detect recursion during entity expansion, which allows remote authenticated users to cause a denial of service (memory and CPU consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. 2014-10-28 3.5 CVE-2014-4814
XF
ibm — api_management IBM API Management 3.x before 3.0.1.0 allows local users to obtain sensitive ciphertext information via unspecified vectors. 2014-10-26 2.1 CVE-2014-6133
XF
AIXAPAR
ibm — tivoli_application_dependency_discovery_manager IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.2.0.0 through 7.2.0.10, 7.2.1.0 through 7.2.1.6, and 7.2.2.0 through 7.2.2.2 does not require TADDM authentication for rptdesign downloads, which allows remote authenticated users to obtain sensitive database information via a crafted URL. 2014-10-31 3.5 CVE-2014-6148
XF
ibm — tivoli_application_dependency_discovery_manager Cross-site scripting (XSS) vulnerability in IBM Tivoli Application Dependency Discovery Manager (TADDM) 7.2.1.0 through 7.2.1.6 and 7.2.2.0 through 7.2.2.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. 2014-10-31 3.5 CVE-2014-6150
XF
ibm — tivoli_integrated_portal CRLF injection vulnerability in IBM Tivoli Integrated Portal (TIP) 2.2.x allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. 2014-10-25 3.5 CVE-2014-6151
XF
BID
SECUNIA
ibm — tivoli_integrated_portal Multiple cross-site scripting (XSS) vulnerabilities in IBM Tivoli Integrated Portal (TIP) 2.2.x allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. 2014-10-25 3.5 CVE-2014-6152
XF
BID
SECUNIA
mcafee — endpoint_encryption_for_files_and_folders The (1) Removable Media or (2) CD and DVD encryption offsite access options (formerly Endpoint Encryption for Removable Media or EERM) in McAfee File and Removable Media Protection (FRP) 4.3.0.x and Endpoint Encryption for Files and Folders (EEFF) 3.2.x through 4.2.x use weak entropy, which makes it easier for local users to obtain passwords via a brute force attack. 2014-10-29 2.1 CVE-2014-8518
mcafee — network_data_loss_prevention Unspecified vulnerability in McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to read arbitrary files via unknown vectors. 2014-10-29 2.1 CVE-2014-8519
mcafee — network_data_loss_prevention Cross-site scripting (XSS) vulnerability in McAfee Network Data Loss Prevention (NDLP) before 9.3 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. 2014-10-29 3.5 CVE-2014-8521
mcafee — network_data_loss_prevention McAfee Network Data Loss Prevention (NDLP) before 9.3 allows local users to obtain sensitive information by reading a Java stack trace. 2014-10-29 2.1 CVE-2014-8526
mcafee — network_data_loss_prevention McAfee Network Data Loss Prevention (NDLP) before 9.3 allows local users to obtain sensitive information and affect integrity via vectors related to a “plain text password.” 2014-10-29 3.6 CVE-2014-8527
mcafee — network_data_loss_prevention McAfee Network Data Loss Prevention (NDLP) before 9.3 logs session IDs, which allows local users to obtain sensitive information by reading the audit log. 2014-10-29 2.1 CVE-2014-8528
mcafee — network_data_loss_prevention McAfee Network Data Loss Prevention (NDLP) before 9.3 stores the SSH key in cleartext, which allows local users to obtain sensitive information via unspecified vectors. 2014-10-29 2.1 CVE-2014-8529
mcafee — network_data_loss_prevention Unspecified vulnerability in McAfee Network Data Loss Prevention (NDLP) before 9.3 allows local users to obtain sensitive information and impact integrity via unknown vectors, related to partition mounting. 2014-10-29 3.6 CVE-2014-8532
mcafee — network_data_loss_prevention Unspecified vulnerability in the login form in McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to cause a denial of service via a crafted value in the domain field. 2014-10-29 2.1 CVE-2014-8534
mcafee — network_data_loss_prevention McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to obtain sensitive information by reading unspecified error messages. 2014-10-29 2.1 CVE-2014-8536
mcafee — network_data_loss_prevention McAfee Network Data Loss Prevention (NDLP) before 9.2.2 allows local users to obtain sensitive information by reading the logs. 2014-10-29 2.1 CVE-2014-8537
vbulletin — vbulletin Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.4.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name. 2014-10-24 3.5 CVE-2014-2021
MISC
XF
SECTRACK
BID
FULLDISC
FULLDISC
MISC


Two-step verification boosts Gmail security


It’s not difficult to make your email account more secure. Often, all you need is to spend a little time looking into the security options available.

Last week we looked at how to make your Facebook account more secure and today we’re doing the same with one of the most popular webmail services: Gmail.

Below you can see a step-by-step guide to activating two-step verification in your Google webmail account.

How to improve security in Gmail with two-step verification

Go to your inbox and click ‘Terms and Privacy’.


There you will see the option ‘2-Step Verification’.


From here you can activate 2-Step Verification. First, you have to enter the phone number to which the verification code will be sent.


The code will be sent immediately to your phone. Once you have received it you can enter it in Gmail.


Next, Gmail tells you that on trusted devices you will only be asked to enter the code once.


After this step, you only have to activate 2-step verification.


To complete the process, bear in mind that you have to confirm this account on all the devices from which you access Gmail (smartphones, tablets, etc.).

As you can see, this is a simple process that helps prevent unauthorized access to your Gmail account: whenever someone tries to sign in, the code is sent to your phone, so only you can confirm that the login is permitted.


The post Two-step verification boosts Gmail security appeared first on MediaCenter Panda Security.

Shortcut Express to Infected & Phishing Websites

URL shorteners are a relatively new Internet service. Because many social services on the Internet impose character limits (Twitter is a prime example), short URLs are very practical.

For example, you’d spend 64 characters to point to Wikipedia’s article about URL shorteners: http://en.wikipedia.org/wiki/URL_shortening. With a URL shortener, you can cut that down to 16 characters: http://bit.ly/c1htE.

URL shorteners, however, can also be used to hide the real target of a link. Cybercriminals appreciate this “feature” and use it to hide links to phishing or infected websites. These services usually have terms and conditions comparable to TinyURL’s:

“TinyURL was created as a free service to make posting long URLs easier, and may only be used for actual URLs. Using it for spamming or illegal purposes is forbidden and any such use will result in the TinyURL being disabled and you may be reported to all ISPs involved and to the proper governmental agencies. This service is provided without warranty of any kind.”

Few seem to care about these terms, which are regularly flouted in the pursuit of profit. Happily, however, some services have started to filter shortened links through special checking services, even if this has so far failed to stem the flow of shortened spam URLs.

Below are statistics showing the percentage of malicious links identified on 22 popular URL shortener services:

# Shortener (phishing) % Shortener (malware) %
1 tinyurl.com 41.30 k.im 27.87
2 bit.ly 15.29 notlong.com 27.05
3 r2me.com 12.04 tinyurl.com 18.85
4 snipurl.com 7.16 cli.gs 7.38
5 lu.mu 6.50 bit.ly 7.38
6 doiop.com 4.52 doiop.com 4.10
7 notlong.com 3.55 ad.ag 2.46
8 is.gd 1.93 is.gd 1.64
9 tiny.cc 1.81 tr.im 0.82
10 sn.im 1.69 snipurl.com 0.82
11 k.im 0.96 ow.ly 0.82
12 shorl.com 0.66 dwarfURL.com 0.82
13 tr.im 0.60 zi.ma 0.00
14 goo.gl 0.54 u.nu 0.00
15 ow.ly 0.48 tiny.cc 0.00
16 cli.gs 0.30 sn.im 0.00
17 u.nu 0.18 shorl.com 0.00
18 moourl.com 0.18 r2me.com 0.00
19 idek.net 0.12 moourl.com 0.00
20 dwarfURL.com 0.12 lu.mu 0.00
21 zi.ma 0.06 idek.net 0.00
22 ad.ag 0.00 goo.gl 0.00

Source: Avira Virus Lab, taken from the month of July, 2010.

Shortened Links Can Mask A Threat

To give you an example, would you click on the following link?

www.ssl-albion-netbank.com/143.027.902

Probably not. The bank’s made-up name and the use of random numbers would rightly give you misgivings. However, under a shortened guise – http://goo.gl/mDNuMg – one would not know that it’s a phishing website (in this case, a dead link).

Recommendations:

The bottom line is that, if you can, avoid clicking on shortened URL links. If you do need to follow a shortened link, copy and paste it into a link lengthener such as http://longurl.org/, which displays the full version of the link without your having to click on it (it also exists as a browser extension for Chrome and Firefox).

Finally, we recommend you equip yourself with Avira’s free Browser Safety extension, also available for Chrome and Firefox, which blocks infected websites before they load. To learn more about Browser Safety, visit Avira’s website: https://www.avira.com/en/avira-browser-safety
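A link lengthener does nothing more than follow the shortener’s HTTP redirects and report where they end, without loading the final page. The script below is an added example (not code from the Avira post or from longurl.org) that does the same thing: it recognises the 22 shortener hosts from the table above, walks the redirect chain one HEAD request at a time with redirects disabled so every hop is visible, and stops on a loop or after a hop limit. The `DEMO_REDIRECTS` map is constructed for this example so it runs offline; the `head_location` helper is what you would plug in against live services.

```python
"""Expand shortened URLs without visiting the destination page.

Added example, not code from the Avira post. Redirects are followed one hop
at a time with HEAD requests and urllib's automatic redirect handling turned
off, so the full chain is reported before anyone opens the final page.
"""
from urllib.parse import urlparse, urljoin
import urllib.request
import urllib.error

# Shortener hosts from the July 2010 Avira table on this page (lowercased).
SHORTENER_HOSTS = {
    "tinyurl.com", "bit.ly", "r2me.com", "snipurl.com", "lu.mu", "doiop.com",
    "notlong.com", "is.gd", "tiny.cc", "sn.im", "k.im", "shorl.com", "tr.im",
    "goo.gl", "ow.ly", "cli.gs", "u.nu", "moourl.com", "idek.net",
    "dwarfurl.com", "zi.ma", "ad.ag",
}

MAX_HOPS = 10  # assumed limit; real chains rarely exceed a few hops


def host_of(url):
    """Return the lowercase host part of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def is_shortened(url):
    """True when the URL points at one of the known shortener services."""
    return host_of(url) in SHORTENER_HOSTS


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so each 3xx surfaces as an HTTPError."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def head_location(url, timeout=5):
    """Live helper: HEAD the URL and return its Location header, or None."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.headers.get("Location")
    except urllib.error.HTTPError as e:
        # With redirects disabled, 3xx answers arrive here; read Location.
        if 300 <= e.code < 400:
            return e.headers.get("Location")
        return None


def expand(url, fetch=head_location, max_hops=MAX_HOPS):
    """Follow redirects hop by hop.

    `fetch(url)` returns the next Location (absolute or relative) or None.
    Returns (final_url, chain, stopped_early): chain lists every URL seen,
    stopped_early is True when a loop or the hop limit ended the walk.
    """
    chain = [url]
    current = url
    for _ in range(max_hops):
        nxt = fetch(current)
        if nxt is None:
            return current, chain, False
        nxt = urljoin(current, nxt)  # resolve relative Location headers
        if nxt in chain:             # redirect loop between shorteners
            return current, chain, True
        chain.append(nxt)
        current = nxt
    return current, chain, True


def describe(url, fetch=head_location):
    """Human-readable report of where a link really leads."""
    final, chain, truncated = expand(url, fetch)
    kind = "shortened" if is_shortened(url) else "direct"
    lines = [f"{kind} link: {url}"] + [f"  -> {hop}" for hop in chain[1:]]
    if truncated:
        lines.append("  (stopped: redirect loop or too many hops)")
    lines.append(f"final host: {host_of(final)}")
    return "\n".join(lines)


# Constructed redirect map standing in for the live services (offline demo).
# The goo.gl target is the made-up bank address from the post above.
DEMO_REDIRECTS = {
    "http://bit.ly/c1htE": "http://en.wikipedia.org/wiki/URL_shortening",
    "http://goo.gl/mDNuMg": "http://www.ssl-albion-netbank.com/143.027.902",
    "http://tinyurl.com/loop1": "http://is.gd/loop2",
    "http://is.gd/loop2": "http://tinyurl.com/loop1",
}


def demo_fetch(url):
    """Fake fetch for the demo: look the next hop up in DEMO_REDIRECTS."""
    return DEMO_REDIRECTS.get(url)


if __name__ == "__main__":
    for u in ("http://bit.ly/c1htE", "http://goo.gl/mDNuMg",
              "http://tinyurl.com/loop1"):
        print(describe(u, demo_fetch), end="\n\n")
```

Using HEAD rather than GET, and disabling urllib’s redirect handler, is the point: the script never requests the body of any hop, so a link that ends at a phishing or malware page is reported by hostname without the page being loaded. The shortener list only tells you a link is worth expanding; the final host is what you actually judge.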

The post Shortcut Express to Infected & Phishing Websites appeared first on Avira Blog.