The Flvplayer component in TYPO3 6.2.x before 6.2.16 allows remote attackers to embed Flash videos from external domains via unspecified vectors, aka “Cross-Site Flashing.”
Monthly Archives: January 2016
CVE-2015-8761
The Values module 7.x-1.x before 7.x-1.2 for Drupal does not properly check permissions, which allows remote administrators with the “Import value sets” permission to execute arbitrary PHP code via the exported values list in a ctools import.
Apple Releases Security Update for QuickTime
Original release date: January 08, 2016
Apple has released a security update to address multiple vulnerabilities in QuickTime for Windows 7 and Windows Vista. Exploitation of one of these vulnerabilities may allow an attacker to take control of an affected system.
Users and administrators are encouraged to review the Apple security update page for QuickTime 7.7.9 and apply the necessary update.
Older IE Versions Losing Security Support on Tuesday
Tuesday’s impending deadline ending security support for Internet Explorer 8, 9 and 10 is putting companies on notice about moving off older versions of the browser.
WordPress AzonPop 1.0.0 SQL Injection
WordPress AzonPop plugin version 1.0.0 suffers from a remote SQL injection vulnerability.
IoT – The Biggest Security Threat to Everything
I’ve seen seven platform shifts in my lifetime, including the shift from mainframe to PC and the shift from desktop to mobile. With every shift, technology is getting closer to our skin—literally, given the wearables gracing many of our wrists. We are sharing information that is more personal and valuable—such as sleep patterns, health data, driving data, shopping habits and location—which companies are piecing together to create a mosaic of our individual lives. And they are doing so in the name of more personalized advertising.
At some point, people will balk at this loss of privacy, and that point is arriving quickly. In our latest MEF Global Consumer Trust Report, we learned that 36% of respondents reported online privacy and security concerns; 27% said privacy and security concerns prevent them from using apps; and 47% said they’d pay extra for a privacy-friendly app that guaranteed the data it collected would not be shared.
Contrast this sentiment of consumer concern with the Wild West atmosphere of the IoT. Companies are engaged in a massive, frenetic land grab in which access to the IoT and freedom to innovate are the prevailing values. In the Wild West, there was no principle of “privacy,” and even the idea of “security” as a human right was barely supported, depending on the whims of the local sheriff.
The IoT is similar, with speed, freedom and access as the chief values prioritized among hardware manufacturers and software companies. Everyone wants a piece of the IoT, but few are looking beyond their own homestead, to see what’s happening across the industry and to seek ways to ensure that the IoT remains a viable platform to deliver goods and services.
Now we’re faced with two roads—speed and trust—and they diverge. The road of speed is what we’ve been on—fast-paced innovation and growth in the IoT, which in itself has produced some pretty exciting technology. However, on this road we also find a lot of potholes and bad guys—ranging from legitimate commercial concerns that are inadvertently weakening the security of the IoT to learn more about consumers to full-fledged criminals who hack into systems to fulfil their desire for money and power.
In addition to direct breaches to secure credit card information, these criminals buy and sell intellectual property and private information—for example, information exploited from the Ashley Madison attack that can be used to blackmail targets. Health data is the next major target.
On the road of trust, it’s slower-going. Building the IoT sustainably requires industrywide participation and agreement upon standards. Companies will need to realize that they’re only as strong as the ecosystem they’re a part of, and that’s a tough mindset to adopt when you’re eagerly seeking a competitive advantage over everyone who crosses your path.
This week I addressed an audience at CES’s first-ever Cybersecurity Forum on this very topic. If attendees got only one thing from that talk, I hope it was that it’s up to us, the industry, to make the Internet of Things private and secure, and that will require a level of inquiry and accountability that we’re not accustomed to.
If you’re a device manufacturer or a software provider, think bigger and broader. Participate in standards groups; help define policies and start being part of a smart framework of the next-gen IoT.
As we go into 2016, let’s tackle this challenge together. And in fact, there is no other way to tackle it. Hopefully, I’ll be standing in front of the crowd at next year’s CES celebrating our progress.
Microsoft ends support for older versions of Internet Explorer
After January 12th, only the most current version of Internet Explorer available for a supported operating system will receive technical support and security updates.
People using Internet Explorer 8, 9, and 10 will no longer receive security or technical updates after Tuesday, January 12th. This means that the older versions of Internet Explorer can be exploited by hackers, which puts your computer and your data at risk. One last patch will be released January 12th with a reminder to upgrade your browser. If you do not upgrade to Internet Explorer 11, you will begin to receive “End of Life” upgrade notifications urging you to make the switch to Internet Explorer 11. Windows 10 and Windows 8.1 users should upgrade to Internet Explorer 11. Windows 7 users with Internet Explorer 9 or 10 should upgrade to Internet Explorer 11.
Choose a different browser
If you want to stay with a Microsoft product, then you also have the option to switch to Microsoft Edge, their latest, most modern browser, but you must also be using Windows 10.
This is a good opportunity to try another browser like Google Chrome, Firefox, or Opera. We recommend Google Chrome as an alternative to Internet Explorer because of its security features and automatic updates.
There are plenty of alternative browsers to switch to as well; those that specialize in gaming, privacy, media consumption, and other things. Check out this listing of 10 obscure, highly specialized browsers from PCWorld.
How to check which version of Internet Explorer you are using
1. Open the browser
2. Click the gear or Question icon on the top right
3. Select ‘About Internet Explorer’ and a pop-up will appear with the version of your browser
Threatpost News Wrap, January 8, 2016
Mike Mimoso and Chris Brook discuss the week in news: How the Dutch are opening encryption with open arms, the end of support for IE 8, 9, and 10, and the latest bounty offered up by Zerodium.
CES 2016: Day 2 – making smarter cars
Car security is rising to the fore here at CES 2016, which is not altogether surprising as 2015 was the year when car hacking really crossed over into the mainstream.
The post CES 2016: Day 2 – making smarter cars appeared first on We Live Security.
Linux/x86_64 Egghunter Shellcode
18 bytes small Linux/x86_64 egghunting shellcode.