CVE-2015-0611

The administrative web-management portal in Cisco IX 8 (.0.1) and earlier on Cisco TelePresence IX5000 devices does not properly restrict the device-recovery account’s access, which allows remote authenticated users to obtain HelpDesk-equivalent privileges by leveraging device-recovery authentication, aka Bug ID CSCus74174.

CVE-2015-0619

Memory leak in the embedded web server in the WebVPN subsystem in Cisco Adaptive Security Appliance (ASA) Software allows remote attackers to cause a denial of service (memory consumption and SSL outage) via multiple crafted HTTP requests, aka Bug ID CSCue05458.

[ANN] MSKB 3004375 available for Windows 2000 and later too (but NOT from Microsoft)

Posted by Stefan Kanthak on Feb 12

Hi @ll,

yesterday Microsoft published the security advisory 3004375
<https://technet.microsoft.com/en-us/library/security/3004375>
announcing an update which enables Windows 7 and newer to log
the command lines used to start processes to the event log.

If you want to have this functionality on older versions of
Windows too see <http://home.arcor.de/skanthak/appinit.html>
(but notice the license terms).

Limitation: command lines of…

Re: Major Internet Explorer Vulnerability – NOT Patched

Posted by Sijmen Ruwhof on Feb 12

Hi Joey,

In my research I found out that the ‘x-frame-options’ solution doesn’t
protect against session hijacking via session cookie theft. It is very
important that you also add ‘HttpOnly’ flags on all cookies.

I’ve published an overview of my research, additional mitigations and
supporting evidence in a web log article:

http://sijmen.ruwhof.net/weblog/427-mitigations-against-critical-universal-c
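The two mitigations named in the post above, an X-Frame-Options header against framing and the HttpOnly flag on every cookie so script cannot read it, applied to a list of HTTP response headers. This is an added example written for this page, not code from the post or its author; the header list, cookie names and the helper names (`audit_cookies`, `harden_headers`) are constructed for the example, and it also appends the `Secure` attribute, which the post does not mention, so that hardened cookies are not sent over plain HTTP.

```python
"""Audit and harden cookie and framing headers of an HTTP response.

Added example (not from the original post). Demonstrates:
  * X-Frame-Options, so the page cannot be loaded inside a frame, and
  * HttpOnly on every Set-Cookie, so a script running in the page cannot
    read the session cookie and exfiltrate it.
The Secure attribute is added as well (beyond what the post states).
All sample header values below are constructed for this example.
"""
from typing import List, Set, Tuple

Header = Tuple[str, str]


def cookie_flags(set_cookie: str) -> Set[str]:
    """Return the lower-cased attribute names present on a Set-Cookie value."""
    parts = [p.strip() for p in set_cookie.split(";")[1:]]
    return {p.split("=", 1)[0].lower() for p in parts if p}


def audit_cookies(headers: List[Header]) -> List[str]:
    """Return the names of cookies that are set without the HttpOnly attribute."""
    missing: List[str] = []
    for name, value in headers:
        if name.lower() == "set-cookie" and "httponly" not in cookie_flags(value):
            missing.append(value.split("=", 1)[0].strip())
    return missing


def harden_headers(headers: List[Header], frame_policy: str = "DENY") -> List[Header]:
    """Return a copy of the headers with HttpOnly and Secure on every cookie
    and exactly one X-Frame-Options header set to frame_policy."""
    out: List[Header] = []
    has_xfo = False
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            flags = cookie_flags(value)
            if "httponly" not in flags:
                value += "; HttpOnly"
            if "secure" not in flags:
                value += "; Secure"
        elif lname == "x-frame-options":
            has_xfo = True
            value = frame_policy  # normalise any existing value to the chosen policy
        out.append((name, value))
    if not has_xfo:
        out.append(("X-Frame-Options", frame_policy))
    return out


# Constructed sample response from a hypothetical application: the session
# cookie lacks HttpOnly and no framing policy is set.
SAMPLE_HEADERS: List[Header] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/; HttpOnly"),
]

if __name__ == "__main__":
    print("cookies missing HttpOnly:", audit_cookies(SAMPLE_HEADERS))
    for hdr_name, hdr_value in harden_headers(SAMPLE_HEADERS):
        print(f"{hdr_name}: {hdr_value}")
```

Running the audit first on a captured response and then on the hardened copy is a quick check that no cookie slipped through; in a real deployment the same logic belongs in response middleware so the flags are applied uniformly rather than per handler.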