Avira Launches Android Optimizer

Our team is excited to announce the release of Android Optimizer, a free mobile version of System Speedup, the PC optimization tool you already know. The app dramatically enhances your smartphone's speed and performance in three easy steps: Analyze – Clean – Optimize. The new app not only removes junk files but also identifies previously installed apps that threaten to slow down the device.

Android Optimizer boosts the overall performance of smartphones and tablets through a powerful set of key features. You can use the app to safely remove sensitive data from the device, delete browsing and call history and, consequently, extend battery life. Another important advantage for Android users is more free space for photos, videos and other apps.

Key Features

  • One Tap Boost: automatically cleans up junk files and frees up memory, without any data loss.
  • Memory Optimizer: shows a list of all active processes, their memory footprint, and enables the user to terminate the unwanted ones.
  • Application Manager: lists all current installed apps, their storage footprint, and enables the user to uninstall the unwanted ones.
  • Junk Cleaner: scans for and lists potentially useless files that fill up the storage on the device, including caches, duplicate files, large files and APK files (Android app kits).
  • Privacy Cleaner: empowers the user to wipe sensitive data off their phone (browser history, call logs, clipboard data, Facebook cache, messenger cache, WhatsApp cache, and so on).

“Smartphones are the new feature phones if we look at the sales volume of these devices. Unfortunately, one year after purchase, Android devices tend to be technically obsolete. We decided to jump in and fix this problem, by making it easier for users to understand the background actions of their apps and empower them to optimize their devices with one tap,” said Andrei Petrus, Product Manager of Avira.

“We put together all the key features required to make any Android device feel as good as new. This comes on top of the best-in-class antivirus protection that our Mobile Security solution offers to the world.”

Download it now: http://www.avira.com/en/avira-android-optimizer/

The post Avira Launches Android Optimizer appeared first on Avira Blog.

CWE update

In the past, Red Hat Product Security assigned weakness IDs only to vulnerabilities that met certain criteria; more precisely, only to vulnerabilities with a CVSS score higher than 7. Since the number of incoming vulnerabilities was high, this filtering allowed us to focus on the vulnerabilities that matter most. However, it also left the statistics incomplete, missing low and moderate vulnerabilities.

In the previous year we started assigning weakness IDs to almost all vulnerabilities, greatly increasing the quantity of data used to generate statistics. This was a big commitment time-wise, but it resulted in 13 times more vulnerabilities with assigned weakness IDs in 2014 than the year before. There are a few exceptions: for some vulnerabilities there is not enough information available to decide the type of weakness. These almost always come from big upstream vendors. For this reason, bugs in MySQL or OpenJDK do not have weaknesses assigned and are excluded from the CWE statistics. Apart from the exceptions mentioned, there are always at least references to the commits that fix the vulnerability, so it is possible to assign correct weakness data to vulnerabilities in any open source project.

Part of using Common Weakness Enumeration (CWE) at Red Hat is the CWE Coverage: a subset of weaknesses that we use to classify vulnerabilities. As anyone scrolling through the CWE list will notice, many weaknesses are very similar or describe the same issue at varying levels of detail. This means different people can assign different weaknesses to the same vulnerability, a very undesirable outcome. Furthermore, this may skew the resulting statistics, as vulnerabilities of the same nature may be described by different weaknesses. To counter both effects, Red Hat maintains the CWE coverage, the subset of weaknesses we use. The coverage should contain weaknesses at a similar level of detail (Weakness Base) and should not contain multiple overlapping weaknesses. However, there is a possibility that a vulnerability does not fit any of the weaknesses in our coverage, and for this reason the coverage is regularly updated.

In the past, maintenance of the CWE coverage has been tied to the release of new CWE revisions by MITRE. Since we started assigning weakness IDs to a much larger number of vulnerabilities, we also gathered weaknesses missing from the coverage more quickly. Therefore the coverage has been updated and the changes are now included in the statistics. The current revision of Red Hat's CWE Coverage can be found on the Customer Portal.

Apart from adding missing weaknesses, we also removed a number of unused or unsuitable weaknesses. The first version of the coverage was based on the CWE Cross-Section, maintained as a view by MITRE. The CWE Cross-Section represents a subset of weaknesses at the abstraction level most useful for general audiences. While this was a good starting point, it quickly became evident that the Cross-Section has numerous deficiencies. Some of the most common weaknesses are not included, for example CWE-611 Improper Restriction of XML External Entity Reference ('XXE'), which ranked as the 10th most common weakness in our statistics for 2014. On the other hand, we left out a considerable number of weaknesses that were not relevant in open source, for example CWE-546 Suspicious Comment. After these changes the current revision of the coverage has little in common with the CWE Cross-Section, but it represents well the structure of weaknesses usually specific to open source projects.

Last but not least, all CWE-related data are kept public, and statistics (even for our internal use) are generated only from publicly available data. The weakness ID is stored in the whiteboard field of the vulnerability's Bugzilla entry. This is a rather cryptic format and requires tooling to get the statistics into a form that can be processed. Therefore, we are currently investigating the best way to make the statistics available online to a wider audience.
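The kind of tooling the last paragraph refers to, as an added example that is not Red Hat's own code: it parses weakness IDs out of whiteboard strings, ranks them by frequency, flags IDs that fall outside the agreed coverage subset (the signal that the coverage needs updating, as described above), and can reproduce the old "CVSS higher than 7" filter for comparison. The comma-separated key=value layout, the cwe= key, the "->" chain notation and the sample whiteboard strings are constructed assumptions for this example; the page only says the format is cryptic and needs tooling.

```python
import re
from collections import Counter

# Constructed sample whiteboard strings. The key=value layout, the cwe= key and
# the "->" chain notation are assumptions made for this example.
SAMPLE_WHITEBOARDS = [
    "impact=important,public=20140112,cvss2=7.5/AV:N/AC:L/Au:N/C:P/I:P/A:P,cwe=CWE-119",
    "impact=moderate,public=20140220,cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N,cwe=CWE-611",
    "impact=low,public=20140305,cvss2=2.1/AV:L/AC:L/Au:N/C:N/I:N/A:P,cwe=CWE-20->CWE-119",
    "impact=moderate,public=20140418,cvss2=5.0/AV:N/AC:L/Au:N/C:P/I:N/A:N,cwe=CWE-611",
    "impact=critical,public=20140602,cvss2=10.0/AV:N/AC:L/Au:N/C:C/I:C/A:C,cwe=CWE-20->CWE-78",
    "impact=low,public=20140711,cvss2=3.5/AV:N/AC:M/Au:S/C:P/I:N/A:N",  # no weakness assigned
    "impact=moderate,public=20140809,cvss2=5.0/AV:N/AC:L/Au:N/C:N/I:P/A:N,cwe=CWE-546",
]

# Hypothetical coverage subset: the weakness IDs the team has agreed to use.
COVERAGE = {"CWE-20", "CWE-78", "CWE-119", "CWE-611"}

CWE_ID = re.compile(r"CWE-\d+")


def whiteboard_fields(wb):
    """Split 'k=v,k=v,...' into a dict; items without '=' are ignored."""
    fields = {}
    for item in wb.split(","):
        if "=" in item:
            key, value = item.split("=", 1)
            fields[key.strip()] = value.strip()
    return fields


def weaknesses(wb):
    """CWE IDs in the cwe= field, in chain order; [] when none was assigned."""
    return CWE_ID.findall(whiteboard_fields(wb).get("cwe", ""))


def cvss_base_score(wb):
    """Numeric part of cvss2=score/vector, or None if the field is absent."""
    value = whiteboard_fields(wb).get("cvss2")
    return float(value.split("/", 1)[0]) if value else None


def cwe_statistics(whiteboards, coverage=COVERAGE, min_cvss=None):
    """Rank weaknesses by frequency. With min_cvss set, only vulnerabilities
    scoring strictly above it are counted (the old 'CVSS higher than 7' rule).
    Every element of a chain such as CWE-20->CWE-119 is counted once."""
    counts = Counter()
    outside = Counter()
    unassigned = 0
    for wb in whiteboards:
        if min_cvss is not None:
            score = cvss_base_score(wb)
            if score is None or score <= min_cvss:
                continue
        ids = weaknesses(wb)
        if not ids:
            unassigned += 1
            continue
        for cwe in ids:
            counts[cwe] += 1
            if cwe not in coverage:
                outside[cwe] += 1
    return {
        "ranked": counts.most_common(),
        "outside_coverage": dict(outside),
        "unassigned": unassigned,
    }


if __name__ == "__main__":
    stats = cwe_statistics(SAMPLE_WHITEBOARDS)
    for cwe, n in stats["ranked"]:
        print(f"{cwe}: {n}")
    print("outside coverage:", stats["outside_coverage"])
    print("without weakness ID:", stats["unassigned"])
```

Running `cwe_statistics` once with `min_cvss=7.0` and once without shows the effect described above: the filtered run sees only the two high-scoring entries, while the unfiltered run ranks CWE-611 alongside CWE-119 and reports the one entry outside coverage (CWE-546) and the one vulnerability with no weakness assigned.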

USN-2523-1: Apache HTTP Server vulnerabilities

Ubuntu Security Notice USN-2523-1

10th March, 2015

apache2 vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

Several security issues were fixed in the Apache HTTP Server.

Software description

  • apache2
    – Apache HTTP server

Details

Martin Holst Swende discovered that the mod_headers module allowed HTTP
trailers to replace HTTP headers during request processing. A remote
attacker could possibly use this issue to bypass RequestHeaders directives.
(CVE-2013-5704)

Mark Montague discovered that the mod_cache module incorrectly handled
empty HTTP Content-Type headers. A remote attacker could use this issue to
cause the server to stop responding, leading to a denial of service. This
issue only affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2014-3581)

Teguh P. Alko discovered that the mod_proxy_fcgi module incorrectly
handled long response headers. A remote attacker could use this issue to
cause the server to stop responding, leading to a denial of service. This
issue only affected Ubuntu 14.10. (CVE-2014-3583)

It was discovered that the mod_lua module incorrectly handled different
arguments within different contexts. A remote attacker could possibly use
this issue to bypass intended access restrictions. This issue only affected
Ubuntu 14.10. (CVE-2014-8109)

Guido Vranken discovered that the mod_lua module incorrectly handled a
specially crafted websocket PING in certain circumstances. A remote
attacker could possibly use this issue to cause the server to stop
responding, leading to a denial of service. This issue only affected
Ubuntu 14.10. (CVE-2015-0228)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  • apache2.2-bin  2.4.10-1ubuntu1.1
Ubuntu 14.04 LTS:
  • apache2.2-bin  2.4.7-1ubuntu4.4
Ubuntu 12.04 LTS:
  • apache2.2-bin  2.2.22-1ubuntu1.8
Ubuntu 10.04 LTS:
  • apache2.2-bin  2.2.14-5ubuntu8.15

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2013-5704, CVE-2014-3581, CVE-2014-3583, CVE-2014-8109, CVE-2015-0228

USN-2521-1: Oxide vulnerabilities

Ubuntu Security Notice USN-2521-1

10th March, 2015

oxide-qt vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Oxide.

Software description

  • oxide-qt
    – Web browser engine library for Qt (QML plugin)

Details

Several out-of-bounds write bugs were discovered in Skia. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to cause a denial of service via application
crash or execute arbitrary code with the privileges of the user invoking
the program. (CVE-2015-1213, CVE-2015-1214, CVE-2015-1215)

A use-after-free was discovered in the V8 bindings in Blink. If a user
were tricked into opening a specially crafted website, an attacker could
potentially exploit this to cause a denial of service via renderer crash,
or execute arbitrary code with the privileges of the sandboxed render
process. (CVE-2015-1216)

Multiple type confusion bugs were discovered in the V8 bindings in Blink.
If a user were tricked into opening a specially crafted website, an
attacker could potentially exploit these to cause a denial of service via
renderer crash, or execute arbitrary code with the privileges of the
sandboxed render process. (CVE-2015-1217, CVE-2015-1230)

Multiple use-after-free bugs were discovered in the DOM implementation in
Blink. If a user were tricked into opening a specially crafted website,
an attacker could potentially exploit these to cause a denial of service
via renderer crash, or execute arbitrary code with the privileges of the
sandboxed render process. (CVE-2015-1218, CVE-2015-1223)

An integer overflow was discovered in Skia. If a user were tricked into
opening a specially crafted website, an attacker could potentially exploit
this to cause a denial of service via application crash or execute
arbitrary code with the privileges of the user invoking the program.
(CVE-2015-1219)

A use-after-free was discovered in the GIF image decoder in Blink. If a
user were tricked into opening a specially crafted website, an attacker
could potentially exploit this to cause a denial of service via renderer
crash, or execute arbitrary code with the privileges of the sandboxed
render process. (CVE-2015-1220)

A use-after-free was discovered in Blink. If a user were tricked into
opening a specially crafted website, an attacker could potentially
exploit this to cause a denial of service via renderer crash, or execute
arbitrary code with the privileges of the sandboxed render process.
(CVE-2015-1221)

Multiple use-after-free bugs were discovered in the service worker
implementation in Chromium. If a user were tricked into opening a
specially crafted website, an attacker could potentially exploit these
to cause a denial of service via application crash or execute arbitrary
code with the privileges of the user invoking the program. (CVE-2015-1222)

An out-of-bounds read was discovered in the VPX decoder implementation in
Chromium. If a user were tricked into opening a specially crafted
website, an attacker could potentially exploit this to cause a denial of
service via renderer crash. (CVE-2015-1224)

It was discovered that Blink did not initialize memory for image drawing
in some circumstances. If a user were tricked into opening a specially
crafted website, an attacker could potentially exploit this to read
uninitialized memory. (CVE-2015-1227)

It was discovered that Blink did not initialize memory for a data
structure in some circumstances. If a user were tricked into opening a
specially crafted website, an attacker could potentially exploit this to
cause a denial of service via renderer crash, or execute arbitrary code
with the privileges of the sandboxed render process. (CVE-2015-1228)

It was discovered that a web proxy returning a 407 response could inject
cookies into the originally requested domain. If a user connected to a
malicious web proxy, an attacker could potentially exploit this to conduct
session-fixation attacks. (CVE-2015-1229)

Multiple security issues were discovered in Chromium. If a user were
tricked into opening a specially crafted website, an attacker could
potentially exploit these to read uninitialized memory, cause a denial
of service via application crash or execute arbitrary code with the
privileges of the user invoking the program. (CVE-2015-1231)

Multiple security issues were discovered in V8. If a user were tricked
into opening a specially crafted website, an attacker could potentially
exploit these to read uninitialized memory, cause a denial of service via
renderer crash or execute arbitrary code with the privileges of the
sandboxed render process. (CVE-2015-2238)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  • liboxideqtcore0  1.5.5-0ubuntu0.14.10.2
  • oxideqt-codecs  1.5.5-0ubuntu0.14.10.2
  • oxideqt-chromedriver  1.5.5-0ubuntu0.14.10.2
  • oxideqt-codecs-extra  1.5.5-0ubuntu0.14.10.2
Ubuntu 14.04 LTS:
  • liboxideqtcore0  1.5.5-0ubuntu0.14.04.3
  • oxideqt-codecs  1.5.5-0ubuntu0.14.04.3
  • oxideqt-chromedriver  1.5.5-0ubuntu0.14.04.3
  • oxideqt-codecs-extra  1.5.5-0ubuntu0.14.04.3

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-1213, CVE-2015-1214, CVE-2015-1215, CVE-2015-1216, CVE-2015-1217,
CVE-2015-1218, CVE-2015-1219, CVE-2015-1220, CVE-2015-1221, CVE-2015-1222,
CVE-2015-1223, CVE-2015-1224, CVE-2015-1227, CVE-2015-1228, CVE-2015-1229,
CVE-2015-1230, CVE-2015-1231, CVE-2015-2238

USN-2522-3: ICU vulnerabilities

Ubuntu Security Notice USN-2522-3

10th March, 2015

icu vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 12.04 LTS

Summary

ICU could be made to crash or run programs as your login if it processed
specially crafted data.

Software description

  • icu
    – International Components for Unicode library

Details

USN-2522-1 fixed vulnerabilities in ICU. On Ubuntu 12.04 LTS, the font
patches caused a regression when using LibreOffice Calc. The patches have
now been updated to fix the regression.

We apologize for the inconvenience.

Original advisory details:

It was discovered that ICU incorrectly handled memory operations when
processing fonts. If an application using ICU processed crafted data, an
attacker could cause it to crash or potentially execute arbitrary code with
the privileges of the user invoking the program. This issue only affected
Ubuntu 12.04 LTS. (CVE-2013-1569, CVE-2013-2383, CVE-2013-2384,
CVE-2013-2419)

It was discovered that ICU incorrectly handled memory operations when
processing fonts. If an application using ICU processed crafted data, an
attacker could cause it to crash or potentially execute arbitrary code with
the privileges of the user invoking the program. (CVE-2014-6585,
CVE-2014-6591)

It was discovered that ICU incorrectly handled memory operations when
processing regular expressions. If an application using ICU processed
crafted data, an attacker could cause it to crash or potentially execute
arbitrary code with the privileges of the user invoking the program.
(CVE-2014-7923, CVE-2014-7926, CVE-2014-9654)

It was discovered that the ICU collator implementation incorrectly handled
memory operations. If an application using ICU processed crafted data, an
attacker could cause it to crash or potentially execute arbitrary code with
the privileges of the user invoking the program. (CVE-2014-7940)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 12.04 LTS:
  • libicu48  4.8.1.1-3ubuntu0.5

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

In general, a standard system update will make all the necessary changes.

References

CVE-2013-1569, CVE-2013-2383, CVE-2013-2384, CVE-2013-2419, CVE-2014-6585, CVE-2014-6591

USN-2524-1: eCryptfs vulnerability

Ubuntu Security Notice USN-2524-1

10th March, 2015

ecryptfs-utils vulnerability

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.10
  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS

Summary

Sensitive information in encrypted home and Private directories could be
exposed if an attacker gained access to your files.

Software description

  • ecryptfs-utils
    – eCryptfs cryptographic filesystem utilities

Details

Sylvain Pelissier discovered that eCryptfs did not generate a random salt when
encrypting the mount passphrase with the login password. An attacker could use
this issue to discover the login password used to protect the mount passphrase
and gain unintended access to the encrypted files.
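Why a missing random salt matters, as an added illustration that is not eCryptfs' actual wrapping scheme: the mount passphrase is protected by a key derived from the login password, and the salt is what makes that derivation unique per user. With a constant salt, every user who chose the same login password gets the same wrapping key, so a single table of guesses serves against every wrapped-passphrase file; a fresh random salt per wrap removes that shortcut. PBKDF2-HMAC-SHA512, the 16-byte salt, the HMAC-based XOR keystream standing in for the real wrapping cipher, and the `duplicate_salts` fleet check are all assumptions made for this example.

```python
import hashlib
import hmac
import os
import struct

ITERATIONS = 65536   # assumed PBKDF2 work factor for this illustration
SALT_LEN = 16        # assumed salt length


def derive_wrapping_key(login_password, salt):
    """Key protecting the mount passphrase, derived from the login password and salt."""
    return hashlib.pbkdf2_hmac("sha512", login_password.encode("utf-8"), salt,
                               ITERATIONS, dklen=32)


def _keystream(key, length):
    """HMAC-SHA256 counter-mode keystream: a stand-in for the real wrapping cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_passphrase(mount_passphrase, login_password, salt):
    """Return salt || (mount_passphrase XOR keystream(wrapping key))."""
    key = derive_wrapping_key(login_password, salt)
    stream = _keystream(key, len(mount_passphrase))
    return salt + bytes(p ^ k for p, k in zip(mount_passphrase, stream))


def unwrap_passphrase(blob, login_password):
    """Recover the mount passphrase from a blob produced by wrap_passphrase."""
    salt, body = blob[:SALT_LEN], blob[SALT_LEN:]
    stream = _keystream(derive_wrapping_key(login_password, salt), len(body))
    return bytes(c ^ k for c, k in zip(body, stream))


# Defective variant: one constant salt for every user and every wrap, so equal
# login passwords yield equal wrapping keys (and here, identical blobs).
FIXED_SALT = bytes(SALT_LEN)


def wrap_flawed(mount_passphrase, login_password):
    return wrap_passphrase(mount_passphrase, login_password, FIXED_SALT)


# Corrected variant: a fresh random salt on every wrap.
def wrap_fixed(mount_passphrase, login_password):
    return wrap_passphrase(mount_passphrase, login_password, os.urandom(SALT_LEN))


def salt_of(blob):
    return blob[:SALT_LEN]


def duplicate_salts(blobs):
    """Fleet check: salts shared by more than one wrapped-passphrase blob.
    A salt repeated across files is the signature of the defect above."""
    seen = {}
    for blob in blobs:
        seen[salt_of(blob)] = seen.get(salt_of(blob), 0) + 1
    return {s: n for s, n in seen.items() if n > 1}


if __name__ == "__main__":
    passphrase = os.urandom(32)          # constructed mount passphrase
    flawed = [wrap_flawed(passphrase, "hunter2") for _ in range(2)]
    fixed = [wrap_fixed(passphrase, "hunter2") for _ in range(2)]
    print("flawed wraps identical:", flawed[0] == flawed[1])
    print("fixed wraps identical:", fixed[0] == fixed[1])
    print("shared salts (flawed):", len(duplicate_salts(flawed)))
    print("shared salts (fixed):", len(duplicate_salts(fixed)))
```

The blob layout stores the salt in the clear in front of the ciphertext, which is the normal arrangement: the salt is not a secret, its job is only to be unique, and `unwrap_passphrase` needs it to rederive the key.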

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.10:
  • ecryptfs-utils  104-0ubuntu1.14.10.3
  • libecryptfs0  104-0ubuntu1.14.10.3
Ubuntu 14.04 LTS:
  • ecryptfs-utils  104-0ubuntu1.14.04.3
  • libecryptfs0  104-0ubuntu1.14.04.3
Ubuntu 12.04 LTS:
  • ecryptfs-utils  96-0ubuntu3.4
  • libecryptfs0  96-0ubuntu3.4
Ubuntu 10.04 LTS:
  • ecryptfs-utils  83-0ubuntu3.2.10.04.6
  • libecryptfs0  83-0ubuntu3.2.10.04.6

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to log out of all sessions and then log
back in to make all the necessary changes.

References

CVE-2014-9687