CVE-2015-6921

Cross-site scripting (XSS) vulnerability in the Zendesk Feedback Tab module 7.x-1.x before 7.x-1.1 for Drupal allows remote administrators with the “Configure Zendesk Feedback Tab” permission to inject arbitrary web script or HTML via unspecified vectors.

IC3 Issues Alert on IoT Devices

Original release date: September 11, 2015

The Internet Crime Complaint Center (IC3) has issued an alert to individuals and businesses about the security risks involved with the Internet of Things (IoT). IoT refers to the emerging network of devices (e.g., smart TVs, home automation systems) that connect to one another via the Internet, often automatically sending and receiving data.

US-CERT encourages individuals and businesses to review the IC3 Alert for more information regarding IoT vulnerabilities and mitigation techniques.


Ads: Love or hate?

Ad-injection is an increasingly annoying and dangerous problem

[Image: Ad injection in action on Amazon]

[Image: Malvertising attacks. Image via Google Security Blog]

There are basically two reactions people have when they see ads in their browser. Some think they add interesting content and possibilities, insights and ideas, or even opportunities. The other group considers them a distraction, an invasion, and a disruption of what they were doing.

But most everyone will agree that once you begin something on your laptop or mobile, especially if it's a work-related task, you want to continue what you started. Lots of people get so into what they're doing that they don't see or think of anything else, and when an unwelcome ad comes through, it breaks their concentration. Some will say this is a man's perspective. But even some women I talk to agree, even though they always say they are multitasking and (cough, cough) never lose focus.

When it comes to security, ads are becoming more and more a vehicle for malware. Ad-injecting malware is a real threat nowadays. Once on your device, computer or mobile, the malware drops new ads into any (or most) sites you visit, sending the ad revenue back to remote cybercriminals. Malicious porn ads, for example, use this type of redirection and click technique.

Research conducted by Google from June to October of 2014 concluded that deceptive ad injection is a significant problem on the web today. They identified tens of millions of instances of ad injection and detected 5.3 million different IP addresses infected with adware, 5% of the total testing group. The research also found that Superfish, one of the notorious businesses that ship ad-injection libraries, was alive and well: not only pre-installed on Lenovo laptops, but breaking SSL protections on any other computer running it in the background.

Ways to control unwanted ads in your browser

At Avast, we are convinced that adware toolbars and browser add-ons play an important role in the ad market.

Our Browser Cleanup feature detects millions of different adware variants that target browsers.

TIP: Run Avast Browser Cleanup on your computer. It has identified more than 60 million different browser add-ons which are often bundled with free software, such as video players, Java and Flash updates.

Besides toolbars and browser add-ons, free software is often bundled with unwanted extra programs, turning it into bloatware and a vector for potentially unwanted programs (PUPs). Again, all the ad revenue flows back to the bundle creators. Do we really need to see, and worse, have all that garbage installed in the background?

TIP: Slow down when installing free software. Read all the screens and make sure you uncheck any box that asks you to install a third-party program you don't know anything about. You may even consider testing it in the Avast Sandbox first.

Another door for unwanted ads is outdated software, which can act as a backdoor for malvertising.

TIP: Keep your browser and software up-to-date. Avast Software Updater can help you keep up with that task.

You can read our blog to learn how to reduce data collection in Windows 10 or how to set your Facebook settings correctly. There are other measures when it comes to web pages, though. There are two major ad blockers for browsers: AdBlock and uBlock.

TIP: Visit our user forum to learn about and discuss the right ad protection for you. You will find some of our Evangelists there who can guide you with easy-to-understand hints.


Red Hat Security Advisory 2015-1766-01

Red Hat Security Advisory 2015-1766-01 – Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. It was found that Django incorrectly handled the session store. A session could be created by anonymously accessing the django.contrib.auth.views.logout view if it was not decorated correctly with django.contrib.auth.decorators.login_required. A remote attacker could use this flaw to fill up the session store or cause other users’ session records to be evicted by requesting a large number of new sessions.

Red Hat Security Advisory 2015-1769-01

Red Hat Security Advisory 2015-1769-01 – Libunwind provides a C ABI to determine the call-chain of a program. An off-by-one array indexing error was found in the libunwind API, which could cause an error when reading untrusted binaries or DWARF debug info data. Red Hat products do not call the API in this way, and it is unlikely that any exploitable attack vector exists in current builds or supported usage. This issue was discovered by Paolo Bonzini of Red Hat. All users of libunwind are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.

Red Hat Security Advisory 2015-1767-01

Red Hat Security Advisory 2015-1767-01 – Django is a high-level Python Web framework that encourages rapid development and a clean, pragmatic design. It focuses on automating as much as possible and adhering to the DRY principle. It was found that Django incorrectly handled the session store. A session could be created by anonymously accessing the django.contrib.auth.views.logout view if it was not decorated correctly with django.contrib.auth.decorators.login_required. A remote attacker could use this flaw to fill up the session store or cause other users’ session records to be evicted by requesting a large number of new sessions.
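The two Django advisories above (2015-1766-01 and 2015-1767-01) describe the same mechanism: a logout view reachable without authentication writes a fresh session record on every anonymous request, and a bounded session store then evicts other users' records to make room. The following is an added example, not Red Hat's or Django's code, that models this with a constructed fixed-capacity store (`BoundedSessionStore`), a toy `Request` type, and two handler variants: `logout_unprotected`, which recreates a session unconditionally, and `logout_hardened`, which only touches a session that already exists. The `simulate` helper counts how many legitimate sessions survive a burst of anonymous requests. In a real deployment the remediation is the one the advisory gives: upgrade, or ensure the view is protected with `django.contrib.auth.decorators.login_required`.

```python
"""Toy model of anonymous session creation against a bounded session store.

Added example; the store, request type and handlers below are constructed
for illustration and are not Django's implementation.
"""
from collections import OrderedDict
import secrets


class BoundedSessionStore:
    """Constructed stand-in for a cache-backed session store with a fixed
    number of slots. When full, the oldest record is evicted, which is the
    behaviour that lets one client push out other users' sessions."""

    def __init__(self, capacity):
        self.capacity = capacity
        self._records = OrderedDict()  # insertion order == age

    def create(self, data):
        """Write a new session record under a random key and return the key."""
        key = secrets.token_hex(16)
        if len(self._records) >= self.capacity:
            self._records.popitem(last=False)  # evict the oldest record
        self._records[key] = dict(data)
        return key

    def exists(self, key):
        return key in self._records

    def delete(self, key):
        self._records.pop(key, None)

    def __len__(self):
        return len(self._records)


class Request:
    """Minimal request: carries the session key from the cookie, or None for
    an anonymous visitor who has no session at all."""

    def __init__(self, session_key=None):
        self.session_key = session_key


def logout_unprotected(store, request):
    """Models the flawed pattern: the view flushes the session and then
    re-creates an empty one for the visitor, whether or not the visitor was
    ever logged in. Every anonymous hit therefore costs one store slot."""
    if request.session_key is not None:
        store.delete(request.session_key)
    return store.create({})  # new empty session written for an anonymous client


def logout_hardened(store, request):
    """Hardened variant: a visitor without an existing session is simply shown
    the logged-out page; nothing is written to the store."""
    if request.session_key is None or not store.exists(request.session_key):
        return None
    store.delete(request.session_key)
    return None


def simulate(handler, capacity=100, anonymous_hits=1000):
    """Create 10 legitimate sessions, process `anonymous_hits` session-less
    requests through `handler`, and return how many legitimate sessions survive."""
    store = BoundedSessionStore(capacity)
    victims = [store.create({"user_id": i}) for i in range(10)]
    for _ in range(anonymous_hits):
        handler(store, Request(session_key=None))
    return sum(1 for key in victims if store.exists(key))


if __name__ == "__main__":
    print("unprotected logout, surviving sessions:", simulate(logout_unprotected))
    print("hardened logout,    surviving sessions:", simulate(logout_hardened))
```

Running the block shows all ten legitimate sessions evicted by the unprotected handler and all ten intact with the hardened one. From a monitoring standpoint, the observable symptom of the flaw is the session-creation rate: a spike in new session keys from clients that never authenticate, or an unexpectedly high eviction rate in a cache-backed session store, is worth alerting on even after the upgrade is applied.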

Ubuntu Security Notice USN-2739-1

Ubuntu Security Notice 2739-1 – It was discovered that FreeType did not correctly handle certain malformed font files. If a user were tricked into using a specially crafted font file, a remote attacker could cause FreeType to crash or hang, resulting in a denial of service, or possibly expose uninitialized memory.

Red Hat Security Advisory 2015-1768-01

Red Hat Security Advisory 2015-1768-01 – Libunwind provides a C ABI to determine the call-chain of a program. An off-by-one array indexing error was found in the libunwind API, which could cause an error when reading untrusted binaries or DWARF debug info data. Red Hat products do not call the API in this way, and it is unlikely that any exploitable attack vector exists in current builds or supported usage. This issue was discovered by Paolo Bonzini of Red Hat. All users of libunwind are advised to upgrade to these updated packages, which contain a backported patch to correct this issue.