CVE-2015-1159 (cups)

Cross-site scripting (XSS) vulnerability in the cgi_puts function in cgi-bin/template.c in the template engine in CUPS before 2.0.3 allows remote attackers to inject arbitrary web script or HTML via the QUERY parameter to help/.

CVE-2015-4216 (content_security_management_virtual_appliance, email_security_virtual_appliance, web_security_virtual_appliance)

The remote-support feature on Cisco Web Security Virtual Appliance (WSAv), Email Security Virtual Appliance (ESAv), and Security Management Virtual Appliance (SMAv) devices before 2015-06-25 uses the same default SSH root authorized key across different customers’ installations, which makes it easier for remote attackers to bypass authentication by leveraging knowledge of a private key from another installation, aka Bug IDs CSCuu95988, CSCuu95994, and CSCuu96630.

CVE-2015-4217 (content_security_management_virtual_appliance, email_security_virtual_appliance, web_security_virtual_appliance)

The remote-support feature on Cisco Web Security Virtual Appliance (WSAv), Email Security Virtual Appliance (ESAv), and Security Management Virtual Appliance (SMAv) devices before 2015-06-25 uses the same default SSH host keys across different customers’ installations, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by leveraging knowledge of a private key from another installation, aka Bug IDs CSCus29681, CSCuu95676, and CSCuu96601.
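Both Cisco entries describe the same weakness class: one SSH key material shared across many customers' installations. The defender-side check that follows is an added example, not part of the advisory text or any Cisco tooling. It reads known_hosts-style lines collected from a fleet and per-host authorized_keys files, computes OpenSSH-style SHA256 fingerprints, and reports any public key that turns up on more than one host. The sample entries and key blobs are constructed placeholders, not real keys.

```python
"""Flag SSH keys shared across different hosts (fleet audit, added example)."""
from __future__ import annotations

import base64
import hashlib
from collections import defaultdict

# Key types recognised on authorized_keys lines (options may precede them).
KEY_TYPES = {
    "ssh-rsa", "ssh-dss", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    "sk-ssh-ed25519@openssh.com", "sk-ecdsa-sha2-nistp256@openssh.com",
}


def fingerprint(key_b64: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded blob, base64, no padding."""
    blob = base64.b64decode(key_b64, validate=True)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> dict[str, list[str]]:
    """Map host field -> key blobs. Hashed (|1|...) hosts stay opaque labels;
    @marker lines (e.g. @cert-authority) are skipped to keep the example focused."""
    keys_by_host: dict[str, list[str]] = defaultdict(list)
    for raw in text.splitlines():
        fields = raw.strip().split()
        if len(fields) < 3 or fields[0].startswith(("#", "@")):
            continue
        host, key_b64 = fields[0], fields[2]
        keys_by_host[host].append(key_b64)
    return dict(keys_by_host)


def parse_authorized_keys(text: str) -> list[str]:
    """Extract key blobs from authorized_keys lines, tolerating leading options."""
    keys = []
    for raw in text.splitlines():
        fields = raw.strip().split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields[:-1]):
            if field in KEY_TYPES:
                keys.append(fields[i + 1])
                break
    return keys


def shared_keys(keys_by_host: dict[str, list[str]]) -> dict[str, list[str]]:
    """Return fingerprint -> sorted hosts for every key seen on more than one host."""
    seen: dict[str, set[str]] = defaultdict(set)
    for host, blobs in keys_by_host.items():
        for key_b64 in blobs:
            try:
                fp = fingerprint(key_b64)
            except ValueError:  # binascii.Error is a ValueError subclass
                continue
            seen[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}


def audit_known_hosts(text: str) -> dict[str, list[str]]:
    """Shared host keys (the CVE-2015-4217 symptom) across a collected known_hosts."""
    return shared_keys(parse_known_hosts(text))


def audit_authorized_keys(files_by_host: dict[str, str]) -> dict[str, list[str]]:
    """Shared authorized keys (the CVE-2015-4216 symptom) across per-host files."""
    return shared_keys({h: parse_authorized_keys(t) for h, t in files_by_host.items()})


# Constructed sample data: the blobs are just base64 of labelled bytes, not real keys.
KEY_SHARED = base64.b64encode(b"constructed key blob: vendor default").decode()
KEY_UNIQUE = base64.b64encode(b"constructed key blob: unique to smav1").decode()

SAMPLE_KNOWN_HOSTS = f"""
# constructed sample: three appliances at three different sites
wsa1.site-a.example ssh-rsa {KEY_SHARED}
esa1.site-b.example ssh-rsa {KEY_SHARED}
smav1.site-c.example ssh-rsa {KEY_UNIQUE}
"""

SAMPLE_AUTHORIZED = {
    "wsa1.site-a.example": f"ssh-rsa {KEY_SHARED} support@vendor\n",
    "esa1.site-b.example": f'no-pty,command="/bin/false" ssh-rsa {KEY_SHARED} support\n',
    "smav1.site-c.example": f"ssh-rsa {KEY_UNIQUE} admin@site-c\n",
}

if __name__ == "__main__":
    for fp, hosts in audit_known_hosts(SAMPLE_KNOWN_HOSTS).items():
        print(f"shared host key {fp} on {', '.join(hosts)}")
    for fp, hosts in audit_authorized_keys(SAMPLE_AUTHORIZED).items():
        print(f"shared authorized key {fp} on {', '.join(hosts)}")
```

In practice the known_hosts input would be gathered with `ssh-keyscan` across the fleet and the authorized_keys files pulled from each appliance; any fingerprint reported by either audit is a key that should be regenerated per installation.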

Do you accept app permissions without reading them? You should be more careful!

A smartphone is nothing without its apps. Browsing the app store is something we do quite frequently, whether out of necessity or just to see what’s new or which game is most popular. And while you are there browsing, you will probably end up downloading one or two.

That’s when Android users have to accept certain permissions for their new application. Apple users approve these permissions the first time they use the app or certain features.

Applications request access to certain data and features of your device. As expected, maps apps ask for permission to use GPS and locate your device. However, most applications ask for more permissions than they should, which means that we are taking a few risks just by accepting them.


One of the most shocking examples is flashlight apps. You don’t need to sign in to use them and they are free. However, when installing the app we have to accept permissions which have nothing to do with the app’s purpose, such as knowing our location through GPS data, taking pictures, recording audio or even reading our text messages.

App Permissions – Read before accepting

Facing that avalanche of totally unnecessary permissions, the best thing users can do before installing an application is to look closely at what information the app wants to access.

Most of the time, these permissions do not correspond to a real need for the application to function, but serve to create an advertising environment tailored to the user’s location and interests. Hence a flashlight wants access to GPS, or a QR code reader asks permission to view your browsing history and your bookmarks.

Users take several risks when they systematically accept these permissions. On the one hand, they are letting developers know their location or their Internet habits, and the final destination of this information is not clear at all.

But the situation may be much more serious if there is a security flaw in the application’s internals that allows cybercriminals to access your smartphone through these permissions.

So giving an app full Internet access could result in cybercriminals taking advantage of that connectivity to download malware to your device or to steal passwords transmitted over Wi-Fi.

However, security flaws and cybercriminals are not the only risks a user faces when approving the requested permissions. In fact, they are not even the most common. The major risk is users handing over their data to app development companies, which end up passing their users’ private information on to analytics or advertising companies.

These permissions can also lead, in the case of malicious applications, to scams involving premium-rate calling and messaging services, which provide no service to the user but charge exorbitant prices for each message.

Finally, when you download and install an application, the best thing you can do is stop and consider whether the permissions requested are necessary and, especially, whether the developer can be trusted.

Checking this before approving permissions willy-nilly can prevent surprises, or at least stop our data from falling into just anybody’s hands.

The post Do you accept app permissions without reading them? You should be more careful! appeared first on MediaCenter Panda Security.

Will your next password be an emoji?

Emojis such as smiley faces and other pictographs, commonly used by many people nowadays, have been put forward as a possible replacement for the humble password or PIN by a British start-up called Intelligent Environments.

As reported in The Guardian recently, the concept lends itself to our natural ability to remember pictures much more vividly than standard characters like letters and numbers.

Add to that research showing that 64% of millennials use Emojis almost exclusively in their communication, and one wonders whether this trend might have some merit in the future.

The proposed method is that instead of entering your password or PIN, you would select a sequence of 4 Emoji pictures from a possible set of 44. The math behind this says that an Emoji “password” would therefore be one of 3,748,096 possible combinations.

However, whether this would be more secure than a standard password, and in particular a 4-digit PIN, is open for debate.

While technically your 4-digit PIN is only one of 10,000 possible combinations, the implementation on your mobile device tends to be much more secure, because incorrect attempts result in gradually increasing timeouts, making it much more difficult and impractical to crack.
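The comparison above rests on two numbers (44^4 versus 10^4) and one mechanism (increasing timeouts). The following added example, which is not from the article, works both through: it computes the size and bit strength of each keyspace and then the worst-case time to try every combination under a throttling schedule. The schedule (first five failures free, then a doubling delay capped at one hour) and the one-second guess cost are constructed assumptions, not any vendor’s real lock-screen policy.

```python
"""Keyspace size versus rate limiting (added example, assumptions labelled)."""
import math

EMOJI_ALPHABET, EMOJI_LENGTH = 44, 4   # figures quoted in the article
PIN_ALPHABET, PIN_LENGTH = 10, 4


def keyspace(alphabet: int, length: int) -> int:
    """Number of distinct sequences of the given length over the alphabet."""
    return alphabet ** length


def entropy_bits(size: int) -> float:
    """Strength of a uniformly chosen secret from a keyspace of this size."""
    return math.log2(size)


def no_backoff(failures: int) -> int:
    """No throttling at all: the attacker is limited only by guess speed."""
    return 0


def pin_backoff(failures: int) -> int:
    """ASSUMED schedule: free for the first 5 failures, then a delay that
    doubles with each further failure, capped at one hour (3600 s)."""
    if failures < 5:
        return 0
    return min(2 ** (failures - 5), 3600)


def time_to_exhaust(size: int, guess_seconds: int, delay_fn) -> int:
    """Worst-case seconds to try every combination in the keyspace.

    Before each attempt the attacker waits delay_fn(prior_failures), then spends
    guess_seconds on the attempt itself. The correct guess is assumed to be last.
    """
    total = 0
    for failures in range(size):
        total += delay_fn(failures) + guess_seconds
    return total


def compare() -> dict[str, float]:
    """Summary numbers for the two schemes under the assumptions above."""
    emoji_space = keyspace(EMOJI_ALPHABET, EMOJI_LENGTH)
    pin_space = keyspace(PIN_ALPHABET, PIN_LENGTH)
    return {
        "emoji_combinations": emoji_space,
        "emoji_bits": round(entropy_bits(emoji_space), 2),
        "pin_combinations": pin_space,
        "pin_bits": round(entropy_bits(pin_space), 2),
        # Emoji scheme with no throttling, 1 s per guess (assumption).
        "emoji_seconds_unthrottled": time_to_exhaust(emoji_space, 1, no_backoff),
        # PIN with the assumed backoff schedule, 1 s per guess.
        "pin_seconds_throttled": time_to_exhaust(pin_space, 1, pin_backoff),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:>26}: {value:,}")
```

The point the numbers make: the Emoji space is about 375 times larger and worth roughly 8.5 more bits, yet under the assumed throttling the far smaller PIN space takes longer to exhaust than the unthrottled Emoji space. Keyspace size only matters once the guessing rate is bounded, which is why lock-screen backoff does more work than the alphabet.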

And consider that, just as with passwords, it is possible that people will select Emoji sequences that are quite predictable. For example, selecting Emojis that tell a common story, like a man, a love heart, a woman, and a bunch of flowers; it’s quite possible people will end up selecting popular Emoji equivalents of the 1234 PIN.

On the positive side, think of how hard writing down your Emoji “password” is going to be for those of us who aren’t artistically gifted.

If you are concerned about only using a 4-digit PIN on your mobile device, however, there are options you can change:

  • For Android users, depending on the version you have, you can select from PIN, Password, and also Smart Lock features. Using the Pattern option (where you draw a pattern on the screen) is not recommended as the smudge marks you leave on the screen can be enough to give it away!

For more information on keeping your mobile device safe, check out the video below, 6 Tips to Secure Your Android Phone.

[Video: 6 Tips to Secure Your Android Phone]

Until next time, stay safe out there.