Out-of-Bounds read vulnerability in Foxit Reader and PhantomPDF before 8.1 on Windows, when the gflags app is enabled, allows remote attackers to execute arbitrary code via a crafted TIFF image embedded in the XFA stream in a PDF document, aka “Read Access Violation starting at FoxitReader.”
Monthly Archives: October 2016
CVE-2016-8877 (phantompdf, reader)
Heap buffer overflow (Out-of-Bounds write) vulnerability in Foxit Reader and PhantomPDF before 8.1 on Windows allows remote attackers to execute arbitrary code via a crafted JPEG2000 image embedded in a PDF document, aka a “corrupted suffix pattern” issue.
CVE-2016-8878 (phantompdf, reader)
Out-of-Bounds read vulnerability in Foxit Reader and PhantomPDF before 8.1 on Windows, when the gflags app is enabled, allows remote attackers to execute arbitrary code via a crafted BMP image embedded in the XFA stream in a PDF document, aka “Data from Faulting Address may be used as a return value starting at FOXITREADER.”
CVE-2016-8879 (phantompdf, reader)
The thumbnail shell extension plugin (FoxitThumbnailHndlr_x86.dll) in Foxit Reader and PhantomPDF before 8.1 on Windows allows remote attackers to cause a denial of service (out-of-bounds write and application crash) via a crafted JPEG2000 image embedded in a PDF document, aka an “Exploitable – Heap Corruption” issue.
Signature recognition, a reliable replacement for passwords?
Biometrics continue to stand first in line to replace traditional passwords. All those whose employees use long and complex combinations of letters and numbers will be looking forward to a system whereby all that is required is for a fingerprint or iris pattern to be recognized by a sensor in order to access the services that employees have to use every day.
Nevertheless, in addition to these two popular systems, which some latest-generation mobile devices already incorporate, other biometric-based systems have been put forward as the alternative that will finally consign traditional passwords to history. This is the case with signature recognition.
What is it?
The truth is that this is a system that has been around for decades, in one form or another. Whenever you pay by credit card and have to sign a digital screen with an e-pencil, signature recognition is being used to confirm your identity. What’s happening is that your signature pattern is being compared with the one that your bank has stored in its systems.
This is not, however, a simple comparison of the two images. The security software doesn’t just place the two signatures next to each other to see if they coincide, or at least, if they are similar. In reality, signature recognition compares the way that both images have been created, looking for a similar behavioral pattern.
Advantages and Disadvantages
So although it may be relatively simple to forge a signature, replicating the speed and pressure that was used to make the signature is practically impossible. As such, signature recognition using the most advanced technologies appears to be the perfect replacement for passwords for operating corporate bank accounts.
However, as with all secure identification methods, there are also downsides. One of the major setbacks is that the way we sign things varies for a number of reasons, which is a serious challenge. For the system to be practical, it is essential to be able to distinguish between a slow signature due to an injury and one that is the result of an attempted fraud.
Moreover, it is not an efficient way, at least at present, of accessing services. In fact, when you sign for something when paying for it, this data is not being used in real time. Instead, the data is sent to your bank to be validated later.
The current failings of signature recognition, however, will not close the door on this technology. It is more than likely that future corporate banking operations will be authorized through a simple signature on a tablet or smartphone.
The post Signature recognition, a reliable replacement for passwords? appeared first on Panda Security Mediacenter.
docker-1.12.3-2.git91ae1d1.fc25
built docker @projectatomic/docker-1.12 commit 91ae1d1
S9Y Serendipity 2.0.4 Cross Site Scripting
S9Y Serendipity version 2.0.4 suffers from a cross site scripting vulnerability.
Adobe Acrobat and Reader Memory Corruption (APSB16-33: CVE-2016-6956)
A memory corruption vulnerability exists in Adobe Reader and Acrobat. The vulnerability is due to an out-of-bounds error while accessing unintended memory in a specially crafted PDF file. A remote attacker can exploit this vulnerability by enticing a target user to open a specially crafted PDF file.
Adobe Acrobat and Reader Use After Free (APSB16-33: CVE-2016-6953)
A use after free vulnerability exists in Adobe Acrobat and Reader. The vulnerability is due to an error in the way Adobe Acrobat and Reader handle objects in memory. A remote attacker can exploit this vulnerability by enticing the user to open a specially crafted PDF file.
Adobe Reader Memory Corruption (APSB16-33: CVE-2016-6974; CVE-2016-6975; CVE-2016-6976; CVE-2016-6977)
A memory corruption vulnerability exists in Adobe Reader and Acrobat. The vulnerability is due to an error in the way Adobe Acrobat and Reader handle objects in memory. A remote attacker can exploit this vulnerability by enticing the user to open a specially crafted PDF file.