Node Embed – Less critical – Denial of Service – SA-CONTRIB-2016-034

Description

This module enables you to embed the contents of one node in the body field of another.

The module doesn’t sufficiently protect against a node being embedded in itself, or against a loop in which one node is embedded in another that is in turn embedded in the first; either case causes rendering to recurse without bound.

This vulnerability is mitigated by the fact that an attacker must have a role with the permission to create content which allows other content to be embedded.
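As an added illustration (not code from the Node Embed module), a PHP 7 renderer for embed tokens that carries the two guards the description says the module lacks: a chain of node IDs currently being rendered, which catches self-embeds and embed loops, and a hard depth limit. The `[[nid:N]]` token form, the in-memory node store and the depth limit are assumptions made for the example.

```php
<?php
// Constructed in-memory node bodies; the [[nid:N]] token form is assumed here.
$nodes = [
    1 => 'Node one embeds two: [[nid:2]]',
    2 => 'Node two embeds one again: [[nid:1]]',
    3 => 'Node three embeds itself: [[nid:3]]',
    4 => 'Node four embeds five: [[nid:5]] and a missing node [[nid:9]]',
    5 => 'Plain leaf text.',
];

// Assumed cap on nested embeds; a loop is caught before this is reached.
const MAX_EMBED_DEPTH = 5;

/**
 * Render a node body, expanding embed tokens recursively.
 * $chain holds the IDs of nodes currently being rendered higher up the
 * stack; a token naming one of them is a loop and is replaced by a
 * placeholder instead of being expanded again.
 */
function render_node(array $nodes, int $nid, array $chain = []): string {
    if (!isset($nodes[$nid])) {
        return "[missing node $nid]";
    }
    if (in_array($nid, $chain, true)) {
        // Self-embed or cycle: refuse to recurse.
        return "[embed loop blocked: node $nid]";
    }
    if (count($chain) >= MAX_EMBED_DEPTH) {
        // Legitimate but deep nesting: stop expanding rather than recurse further.
        return "[embed depth limit reached at node $nid]";
    }
    $chain[] = $nid;
    return preg_replace_callback(
        '/\[\[nid:(\d+)\]\]/',
        function (array $m) use ($nodes, $chain): string {
            return render_node($nodes, (int) $m[1], $chain);
        },
        $nodes[$nid]
    );
}

// Node 1 and node 2 embed each other; node 3 embeds itself; node 4 is benign.
foreach ([1, 3, 4] as $nid) {
    echo "node $nid => ", render_node($nodes, $nid), "\n";
}
```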

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • All Node Embed 7.x-1.x versions.

Drupal core is not affected. If you do not use the contributed Node Embed module, there is nothing you need to do.

Solution

  • If you use the Node Embed module for Drupal 7.x you should uninstall it.

Also see the Node Embed project page.

Reported by

Fixed by

  • Not applicable.

Coordinated by

  • Not applicable.

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Page Manager Search – Moderately Critical – Information disclosure – SA-CONTRIB-2016-032

Description

This module enables you to make Panels pages (and other pages managed by CTools’ Page Manager submodule) indexable and searchable through the standard Search module provided in Drupal core.

The module doesn’t block access to Page Manager pages which have been disabled.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Page Manager Search 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Page manager search module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Page Manager Search module for Drupal 7.x, upgrade to Page Manager Search 7.x-1.2.

Also see the Page manager search project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

REST JSON – Multiple Vulnerabilities – Highly Critical – Unsupported – SA-CONTRIB-2016-033

Description

This module enables you to expose content, users and comments via a JSON API.
The module contains multiple vulnerabilities, including:

  • Node access bypass
  • Comment access bypass
  • User enumeration
  • Field access bypass
  • User registration bypass
  • Blocked user login
  • Session name guessing
  • Session enumeration

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • All 7.x-1.x versions

Drupal core is not affected. If you do not use the contributed REST JSON module, there is nothing you need to do.

Solution

If you use the REST JSON module for Drupal 7.x you should uninstall it.

Also see the REST/JSON project page.

Reported by

Fixed by

  • Not applicable.

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Avast Cleanup is ready for beta testing

Become one of our Avast Cleanup beta testers!

Calling all beta testers!

We’ve got great news for you: Avast Cleanup, our PC-cleaning software, has undergone some big, exciting changes. The latest Avast Cleanup sports a brand-new design, includes exciting new features, and best of all, is now standalone – this means you can use it even without downloading Avast Antivirus products first.

We’ve now released the public beta version of Avast Cleanup and would love to receive your thoughts, opinions and insights on the program to help make it the very best it can be.

How to Run Android on your iPhone using this 3D Printed Phone Case

Hackers and geeks have always tinkered with their devices, regardless of operating system, and are always looking for ways to run Android on an iPhone, iOS on an Android phone, or to dual-boot iOS and Android on a single device.

Though there are many solutions available on the Internet for these goals, a hardware hacker has recently demonstrated a new way to run Android OS

University Pays Hackers $20,000 to get back its Ransomware Infected Files

What’s the worst that could happen when ransomware hits a university?

Last month, the IT department of the university where I graduated called me to help them get rid of a ransomware infection that locked down all its students’ results just a day before the announcement.

Unfortunately, there was no decrypter available for that specific ransomware sample, but

Why It Is Easier To Control Your Company’s iPhones With iOS 9

It is increasingly common for employees to use their personal technological devices to complete job-related work, whether it is responding to a corporate email from their Smartphone, managing a client relationship from the ease of their tablet, or performing typical work tasks at distance from home, using a personal laptop.

Teleworking, and a trend called BYOD (Bring Your Own Device), are on the rise and have made the people in charge of security at companies increasingly aware of the risks involved in the use of these devices. These devices should be treated with the same protection measures as office computers and systems.

Apple is aware of this and has included a set of tools to facilitate what is called MDM (Mobile Device Management) in iOS 9. This will help employees control their devices and access company resources more securely.

Thanks to these developments, companies can control the traffic of any employee’s iPhone, track IP addresses or install an application to track the device’s location, for example. To respect employee privacy, the smartphone shows its user that these actions are being taken on the device, for instance that someone is viewing its browsing history or its location.

Companies can see any employee’s iPhone location.

In addition, the latest version of iOS allows for application whitelists or blacklists, which makes it possible for IT security managers to decide what can and cannot run on employee devices. The same applies to passwords: if a website is not on the list of trusted sites, the user will not be able to save their user name and password for upcoming sessions (“Do you want to remember your username and password?”).

The MDM tools that Apple has added to its mobile operating system also allow managers to configure the notifications that employees can receive on their phones; they can decide what will be displayed and what won’t by adjusting the permissions of each app. Lastly, the person in charge at the company can block devices or erase their contents remotely.

Thus, Apple has strengthened the security of its devices for the business environment, where sensitive company information requires even higher standards than usual. It is a great step forward, but it is not the only measure that IT security managers should take. They should always install a good anti-virus on each employee device, which is also essential to avoid malware and cyber-attacks. Let’s remember: a single infected mobile could cost your company thousands of euros.

The post Why It Is Easier To Control Your Company’s iPhones With iOS 9 appeared first on Panda Security Mediacenter.