Tuomas Räsänen discovered two vulnerabilities in unADF, a tool to extract
files from an Amiga Disk File dump (.adf):
Monthly Archives: September 2016
Vuln: OpenSSL CVE-2016-6308 Denial of Service Vulnerability
OpenSSL CVE-2016-6308 Denial of Service Vulnerability
Vuln: OpenSSL CVE-2016-6307 Denial of Service Vulnerability
OpenSSL CVE-2016-6307 Denial of Service Vulnerability
Vuln: IBM Rational DOORS Next Generation CVE-2016-5955 Unspecified Cross Site Scripting Vulnerability
IBM Rational DOORS Next Generation CVE-2016-5955 Unspecified Cross Site Scripting Vulnerability
Vuln: OpenSSL CVE-2016-6306 Local Denial of Service Vulnerability
OpenSSL CVE-2016-6306 Local Denial of Service Vulnerability
Linux SELinux W+X AIO Protection Bypass
SELinux suffers from a protection bypass that allows for a memory mapping that is both readable and writable.
Adobe Flash Video Decompression Memory Corruption
Adobe Flash suffers from a memory corruption vulnerability in video decompression.
The secret security trick that will help protect Yahoo! users
Yawn, another data breach. This time it’s Yahoo! that’s affected. Despite news outlets proclaiming it’s the biggest breach of its kind, how many of us even lifted an eyebrow?
Are we in danger of becoming complacent when data breaches are being disclosed so frequently and seem to grow in size?
Every month, or less, another story hits the press about a data breach and we are told to hurry along and change our passwords. Now, don’t get wrong – this advice is good. Changing passwords, protecting email accounts, enabling two-step authentication and generally being more vigilant and secure about our online activities are all things that will help stop the bad guys getting too much access to our online life and private information.
But let’s consider the fact that the Yahoo! data breach, which happened in 2014, affects an estimated 500m user accounts and the data exposed may include email addresses, phone numbers, date of birth details, encrypted passwords and, in some cases, security questions. Even if you go and change your passwords today, there may already be an opportunity for cyber-criminals to reset or access your other online accounts as some of this information has already been released by the hackers.
In the face of a breach with such far-reaching implications, maybe it is not that we are complacent, but that we simply don’t know what we can do after the fact. There are a few simple actions we can take, however, that will help.
Stop trusting the traditional password and move to two-step authentication, if you haven’t already. This may sound complicated but it’s a concept you already know from every time you use your ATM card. You have the card and you know the PIN; but without both parts, the card will not work in an ATM machine.
For an online account, the two factors might be your phone and the contents of a text message sent to you at login. It doesn’t have to be inconvenient, either. Some companies only invoke this stronger login process when you try accessing an account from a new device, which seems like a good compromise.
For Yahoo! users, it might be a relief to know that Yahoo! has a fairly unique security system that is called account key. If you are about to change your Yahoo! password, I recommend taking the extra step and switching this service on.
It simplifies logging in by connecting your login request with the Yahoo! app on your phone. The browser login screen asks for your Yahoo! ID, then displays a page that says it’s waiting for confirmation to login.
Meanwhile, your phone will receive a notification asking you to confirm the login with a simple click of a button – yes or no.
Red Hat Security Advisory 2016-1931-01
Red Hat Security Advisory 2016-1931-01 – Red Hat JBoss Fuse, based on Apache ServiceMix, provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat JBoss A-MQ, based on Apache ActiveMQ, is a standards compliant messaging system that is tailored for use in mission critical applications. This patch is an update to Red Hat JBoss Fuse 6.2.1 and Red Hat JBoss A-MQ 6.2.1. It includes several bug fixes, which are documented in the readme.txt file included with the patch files. Multiple security issues have been addressed.
Ubuntu Security Notice USN-3087-2
Ubuntu Security Notice 3087-2 – USN-3087-1 fixed vulnerabilities in OpenSSL. The fix for CVE-2016-2182 was incomplete and caused a regression when parsing certificates. This update fixes the problem. Shi Lei discovered that OpenSSL incorrectly handled the OCSP Status Request extension. A remote attacker could possibly use this issue to cause memory consumption, resulting in a denial of service. Guido Vranken discovered that OpenSSL used undefined behaviour when performing pointer arithmetic. A remote attacker could possibly use this issue to cause OpenSSL to crash, resulting in a denial of service. This issue has only been addressed in Ubuntu 16.04 LTS in this update. CAsar Pereida, Billy Brumley, and Yuval Yarom discovered that OpenSSL did not properly use constant-time operations when performing DSA signing. A remote attacker could possibly use this issue to perform a cache-timing attack and recover private DSA keys. Quan Luo discovered that OpenSSL did not properly restrict the lifetime of queue entries in the DTLS implementation. A remote attacker could possibly use this issue to consume memory, resulting in a denial of service. Shi Lei discovered that OpenSSL incorrectly handled memory in the TS_OBJ_print_bio function. A remote attacker could possibly use this issue to cause a denial of service. It was discovered that the OpenSSL incorrectly handled the DTLS anti-replay feature. A remote attacker could possibly use this issue to cause a denial of service. Various other issues were also addressed.