Arbitrary File Disclosure in Form Component

Component Type: TYPO3 CMS

Release Date: April 12, 2016


Vulnerable subcomponent: Form

Vulnerability Type: Arbitrary File Disclosure

Affected Versions: Versions 6.2.0 to 6.2.19

Severity: High

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:C/I:N/A:N/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to properly validate user input, the form component is susceptible to Arbitrary File Disclosure. A valid backend user account is needed to exploit this vulnerability. Only forms that contain upload fields are vulnerable.

Solution: Update to TYPO3 version 6.2.20, which fixes the problem described.

Credits: Thanks to Gerrit Venema who discovered and reported the issue.


General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.
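The advisory does not say which input the Form component failed to validate, so the following is an added illustration of the vulnerability class only, not TYPO3's own code and not the actual flaw. It shows a hypothetical download handler that serves a previously uploaded file by a name taken from the request: the vulnerable variant concatenates that name onto the upload directory, the hardened variant resolves the candidate with realpath() and requires it to lie strictly below the resolved upload directory. The upload directory, the function names and the test files are assumptions; the demo at the bottom creates its own constructed files in a temporary directory.

```php
<?php
// Added illustration of "arbitrary file disclosure via unvalidated input".
// NOT TYPO3 code: UPLOAD_DIR, the function names and the sample files are
// assumptions made for this example.
declare(strict_types=1);

// Assumed layout: uploaded files live below this directory only.
const UPLOAD_DIR = '/var/www/site/uploads';

/**
 * Vulnerable pattern: the file name comes straight from the request and is
 * concatenated onto the upload directory. A name containing "../" lets an
 * authenticated user read any file the web server process can read.
 */
function serveUploadVulnerable(string $requestedName)
{
    $path = UPLOAD_DIR . '/' . $requestedName;   // no validation at all
    return @file_get_contents($path);            // e.g. "../../../../etc/passwd"
}

/**
 * Hardened pattern: resolve the candidate path and require it to stay
 * strictly below the resolved upload directory. The comparison uses the
 * directory plus a trailing separator so that a sibling directory such as
 * ".../uploads_private" cannot pass a plain string-prefix test.
 * Returns the safe absolute path, or null if the request must be refused.
 */
function resolveUploadPath(string $requestedName, string $uploadDir = UPLOAD_DIR): ?string
{
    // Reject empty names and embedded NUL bytes before touching the filesystem.
    if ($requestedName === '' || strpos($requestedName, "\0") !== false) {
        return null;
    }
    $base = realpath($uploadDir);
    if ($base === false) {
        return null;                             // upload directory misconfigured
    }
    // realpath() collapses "." and ".." and follows symlinks; it returns
    // false for paths that do not exist, which we also treat as a refusal.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requestedName);
    if ($candidate === false) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                             // resolved outside the upload directory
    }
    if (!is_file($candidate)) {
        return null;                             // never serve directories or special files
    }
    return $candidate;
}

function serveUploadHardened(string $requestedName)
{
    $path = resolveUploadPath($requestedName);
    if ($path === null) {
        http_response_code(404);                 // do not reveal why the request was refused
        return false;
    }
    return file_get_contents($path);
}

// Self-contained demo using constructed files in a fresh temporary directory.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_demo_' . bin2hex(random_bytes(4));
mkdir($tmp . '/uploads', 0700, true);
file_put_contents($tmp . '/uploads/report.pdf', 'harmless upload');
file_put_contents($tmp . '/secret.txt', 'must never be served');

var_dump(resolveUploadPath('report.pdf', $tmp . '/uploads') !== null);   // bool(true)
var_dump(resolveUploadPath('../secret.txt', $tmp . '/uploads'));        // NULL: traversal refused
var_dump(resolveUploadPath($tmp . '/secret.txt', $tmp . '/uploads'));   // NULL: absolute path refused
var_dump(resolveUploadPath('.', $tmp . '/uploads'));                    // NULL: directory, not a file
```

Two caveats when applying this pattern: realpath() only works for paths that exist, so it cannot be used to validate a destination before a file is written (for that, validate the name against an allow-list such as a single path segment with no separators instead), and the check must run on the resolved path rather than on the raw request string, otherwise encoded or symlinked variants of the same traversal slip through.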

Cross-Site Scripting in TYPO3 Backend

Component Type: TYPO3 CMS

Release Date: April 12, 2016


Vulnerable subcomponent: Backend

Vulnerability Type: Cross-Site Scripting

Affected Versions: Versions 6.2.0 to 6.2.19, 7.6.0 to 7.6.4 and 8.0.0

Severity: Medium

Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:P/I:P/A:N/E:P/RL:O/RC:C

CVE: not assigned yet

Problem Description: Failing to properly encode user input, some backend components are vulnerable to Cross-Site Scripting. A valid backend user account is needed to exploit this vulnerability.

Solution: Update to TYPO3 version 6.2.20, 7.6.5 or 8.0.1, which fix the problem described.

Credits: Thanks to Georg Ringer, Nicole Cordes and Alexander Grein who discovered and reported the issues.


General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.

Mid-Valley Literacy Center protects its people with Avast for Business

The Mid-Valley Literacy Center is a 501(c)(3) nonprofit located in Keizer, Oregon, where adults come to improve their literacy skills in order to increase their economic stability and overall quality of life. With 25 staff members, most of whom are volunteers, the center found itself trying to manage a variety of platforms and deal with the complexities that come with allowing its staff to use their personal devices for work purposes.

Alan Scott (center) and fellow Mid-Valley Literacy Center staff members having a blast during a company fundraiser.

3152550 – Update to Improve Wireless Mouse Input Filtering – Version: 1.0

Revision Note: V1.0 (April 12, 2016): Advisory published.
Summary: Microsoft is announcing the availability of an update to improve input filtering for certain Microsoft wireless mouse devices. The update enhances security by filtering out QWERTY key packets in keystroke communications issued from receiving USB wireless dongles to wireless mouse devices. This improvement is part of ongoing efforts to improve the effectiveness of security in Windows and Microsoft devices. For more information, see Microsoft Knowledge Base Article 3152550.

MS16-039 – Critical: Security Update for Microsoft Graphics Component (3148522) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (April 12, 2016): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows, Microsoft .NET Framework, Microsoft Office, Skype for Business, and Microsoft Lync. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted document or visits a webpage that contains specially crafted embedded fonts.

MS16-045 – Important: Security Update for Windows Hyper-V (3143118) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (April 12, 2016): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an authenticated attacker on a guest operating system runs a specially crafted application that causes the Hyper-V host operating system to execute arbitrary code. Customers who have not enabled the Hyper-V role are not affected.

MS16-042 – Critical: Security Update for Microsoft Office (3148775) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (April 12, 2016): Bulletin published.
Summary: This security update resolves vulnerabilities in Microsoft Office. The most severe of the vulnerabilities could allow remote code execution if a user opens a specially crafted Microsoft Office file. An attacker who successfully exploited the vulnerabilities could run arbitrary code in the context of the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.