Missing Access Check in extension "Frontend User Registration" (sf_register)

Release Date: May 24, 2016

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: version 6.2.7 and below

Vulnerability Type: Missing Access Check

Severity: Critical

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:O/RC:C

Problem Description: Because it fails to properly sanitize user input, the extension may be vulnerable to information disclosure or remote code execution.

Solution: Updated versions 1.4.3, 6.0.4 and 6.2.8 are available from the TYPO3 Extension Manager and at http://typo3.org/extensions/repository/download/sf_register/1.4.3/t3x/, http://typo3.org/extensions/repository/download/sf_register/6.0.4/t3x/ and http://typo3.org/extensions/repository/download/sf_register/6.2.8/t3x/. Users of the extension are advised to update the extension as soon as possible.

Note: Further information can be found in the TYPO3-CORE-SA-2016-013 advisory.

Credits: Credits go to Oliver Hader who discovered and reported the issue.


General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

MSA-2016-01: PowerFolder Remote Code Execution Vulnerability

Posted by Advisories on May 24

Mogwai Security Advisory MSA-2016-01
———————————————————————-
Title: PowerFolder Remote Code Execution Vulnerability
Product: PowerFolder Server
Affected versions: 10.4.321 (Linux/Windows) (Other versions might also be
affected)
Impact: high
Remote: yes
Product link: https://www.powerfolder.com
Reported: 02/03/2016
by:…

AVG Cleaner Adds 3 New Features to Clean Up Your Phone

A new release of the AVG Cleaner for Android 3 is now out just in time for spring. (Get it or update to the newest version here, if you haven’t already.) Our engineers have been hard at work finding new ways to clean up even more long-forgotten or useless stuff from your phone. Our latest release (3.1.0.1. to be exact) also cleans out WhatsApp photos, screenshots, and huge videos.

We’ll walk you through the three new additions:

Number 1: WhatsApp cleaning

You think that your apps, music, or photos consume all your phone’s storage? Think again. Big hidden storage eaters are your messaging apps. All the photos you send and receive in WhatsApp are stored on your phone. Depending on how active you and your friends are, this can quickly get out of hand.

When using WhatsApp, you see the files associated with a conversation when you tap on your friend’s name.


In this example, it is just two photos. Now multiply that by every conversation you have had and every photo you have sent or received. AVG Cleaner reveals how quickly it adds up, and lets you just as quickly clean out files replicated from your photo library.


Number 2: screenshots

I don’t think one day of my life goes by without me taking a screenshot of an app or desktop software. Screenshots are now used by almost everyone to create quick reminders, share a message, show someone a snapshot of Facebook, provide guidance on an app – and for lots of other quick and dirty uses.

Unfortunately, these shots don’t delete themselves. They also have a tendency to consume a lot of free space. On my Galaxy S6, the average screenshot of an app (e.g., Facebook or Google Maps) or a game is 1-2 Megabytes. That’s because Android stores these shots in uncompressed PNG format, which sports decent quality but can eat up quite a lot of storage.

Our AVG Cleaner for Android shows you leftover screenshots and – with a tap – helps you get rid of them.


Number 3: huge video

Being more of a tech guy than most, I knew that WhatsApp and screenshots could weigh heavily on my phone. But I completely overlooked large videos that I either took myself or downloaded from the web. I forgot I had almost a gig of these files hidden away when I could’ve used that space for apps or photos that I actually needed.

Our Cleaner takes care of it. It detects and helps you get rid of these huge videos once and for all!

Missing Access Check in TYPO3 CMS

Component Type: TYPO3 CMS

Release Date: May 24, 2016


Vulnerable subcomponent: Extbase

Vulnerability Type: Missing access check

Affected Versions: Versions 4.3.0 up to 8.1.0

Severity: Critical

Suggested CVSS v2.0: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:F/RL:O/RC:C

CVE: not assigned yet

Problem Description: Extbase request handling fails to implement a proper access check for requested controller/action combinations, which makes it possible for an attacker to execute arbitrary Extbase actions by crafting a special request. To successfully exploit this vulnerability, an attacker must have access to at least one Extbase plugin or module action in a TYPO3 installation. The missing access check inevitably leads to information disclosure or remote code execution, depending on the action that an attacker is able to execute.
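As an added illustration of the control the advisory says was missing (this is not TYPO3's own Extbase code), the dispatcher below only resolves a controller/action pair that the plugin configuration explicitly lists; the configuration shape, function names and sample data are assumptions constructed for the example.

```php
<?php
// Added example: explicit allowlist check for Extbase-style dispatch.
// Not TYPO3 code; the config shape (controller => actions) is assumed.

/** Constructed plugin configuration: controllers and their allowed actions. */
function samplePluginConfiguration(): array
{
    return [
        'controllers' => [
            'FeUser' => ['actions' => ['form', 'save', 'preview']],
        ],
    ];
}

/**
 * True only when the controller/action pair is listed for this plugin.
 * Controllers that exist in the code base but are not wired to the plugin,
 * and unlisted actions of listed controllers, are both rejected.
 */
function isAllowedControllerAction(array $config, string $controller, string $action): bool
{
    $controllers = $config['controllers'] ?? [];
    if (!isset($controllers[$controller])) {
        return false;
    }
    $actions = $controllers[$controller]['actions'] ?? [];
    return in_array($action, $actions, true);
}

/** Resolve untrusted request parameters to a dispatch target, or throw. */
function resolveDispatchTarget(array $config, array $params): array
{
    $controller = (string)($params['controller'] ?? '');
    $action = (string)($params['action'] ?? '');
    if (!isAllowedControllerAction($config, $controller, $action)) {
        throw new RuntimeException(
            sprintf('Controller/action "%s/%s" not allowed for this plugin', $controller, $action)
        );
    }
    return ['controller' => $controller, 'action' => $action];
}

// Constructed requests: one legitimate, one naming an unconfigured controller.
$config = samplePluginConfiguration();
$target = resolveDispatchTarget($config, ['controller' => 'FeUser', 'action' => 'form']);
try {
    resolveDispatchTarget($config, ['controller' => 'Admin', 'action' => 'delete']);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL; // rejected before any action code runs
}
```

The point is that the decision is made from the plugin's static configuration, never from the request, so a request can only reach actions the integrator wired up.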

Solution: Update to TYPO3 versions 6.2.24, 7.6.8 or 8.1.1 that fix the problem described.

Alternative Solution: Apply the patches suitable for your TYPO3 branch manually.

Alternative Solution: Download the zip archive which contains a folder with a script and patches for all affected TYPO3 versions. (Please note: If you were quick and applied the zip file before the regression was fixed, you need to download this undo zip archive, which contains a script to revert the patches. After running the script, you have to use the script from above to secure your TYPO3 CMS instances.)

Notes: TYPO3 installations with at least one publicly available Extbase action are exploitable without any further authentication.

TYPO3 installations without publicly available Extbase actions are still exploitable by authenticated backend users with access to a backend module that is based on Extbase.

Important Note: The fix introduces changes in the internal request handling of Extbase. In the unlikely case that an incompatibility with an extension (one that relies on internal API) occurs, the TYPO3 installation still remains fully available and functional, with only minor issues in Extbase form validation handling.

Users of any TYPO3 version from 4.3.0 to 8.1.0 are strongly encouraged to upgrade or to at least apply the patches provided below.

Please note that patching an unsupported TYPO3 version can only be considered a temporary mitigation. An upgrade to a supported version should be performed as soon as possible.

Credits: Thanks to Stefan Horlacher from Arcus Security GmbH, who discovered and reported the issue; Alex Kellner, who also reported the issue; and Oliver Hader, for discovering a related vulnerability.


General Advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list.

General Note: All security related code changes are tagged so that you can easily look them up on our review system.