Security fix for CVE-2016-6170
—-
Security fix for CVE-2016-8864
Allow zone size limit (CVE-2016-6170)
—-
Security fix for CVE-2016-8864

Something as apparently inoffensive as employees keeping up with the lives of ‘celebs’ on the Internet could be far more dangerous than you think for your company’s IT systems. Whether you like it or not, some employees take advantage of dead time (and not-so-dead time) to look for all the latest gossip and news on the Web.
There may not be anything too risky about reading reputable newspapers online to see the latest news or check out your team’s results (although there have been cases of malware-laden ads in online newspapers). However, gossip columns and other celebrity stories have become a serious threat to the security of computers and mobile devices.
Cyber-criminals are well aware of the interest generated by the lives of the stars, which is why they have come up with specific strategies to bait users into downloading malicious programs on their computers when they access this content.
The first step that the average user takes when looking for information about celebs is to ask Google. Yet some searches are riskier than others. Some famous people and related events offer more potential for attackers, as was the case recently with Brad Pitt and Angelina Jolie after their separation became public.
New film or music releases are also a popular weapon for criminals whose aim is to infect users’ computers and devices looking for passwords and other confidential information. Whenever a new story breaks, searches related to those involved increase dramatically and it becomes easier to infect users with malware hidden on malicious websites with related stories.
In order to minimize the threat, apart from having an efficient policy for controlling the way your employees use your company’s devices, the most effective measure is awareness. Firstly, your company’s workers should learn to distinguish between trusted pages and those that could potentially be used by criminals to infiltrate your systems. They should also avoid any links to illegal downloads, whether direct or via ‘torrent’ (highly in demand when a new film or song is released).
Of course, you can get an additional guarantee of protection against malware that exploits users’ fascination with celebrity news by having a security solution to protect all your devices, such as Panda Security’s corporate solutions.
The post Searching for celebrity news on Google can be dangerous for your computer appeared first on Panda Security Mediacenter.
This feature offers a very digested read of ESET’s trilogy of research papers on Sednit, one of the most notorious groups of cyberattackers in the world.
The post Sednit: A very digested read appeared first on WeLiveSecurity.
A vulnerability in the validation of Amazon SNS messages was found in the W3 Total Cache plugin. This issue allows an attacker to perform a variety of actions concerning the server’s cache, which may result in a denial of service attack. Version 0.9.4.1 is affected.
A Blind SQL Injection Vulnerability in Exponent CMS through 2.4.0, with the rerank array parameter, can lead to site database information disclosure and denial of service.
Release Date: November 11, 2016
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: version 6.7.0 and below
Vulnerability Type: Cross-Site Scripting
Severity: Low
Suggested CVSS v2.0: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:F/RL:O/RC:C
Problem Description: The extension is vulnerable to Cross-Site Scripting as authorized editors can insert data commands by using the URL schemes “data:” or “javascript:”.
Solution: An updated version 6.7.1 is available from the TYPO3 Extension Manager and at https://typo3.org/extensions/repository/download/html5videoplayer/6.7.1/t3x/. Users of the extension are advised to update the extension as soon as possible.
Credits: Credits go to Stephan Großberndt who discovered and reported the vulnerability.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.
Release Date: November 11, 2016
Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.
Affected Versions: version 3.1.1 and below
Vulnerability Type: Cross-Site Scripting, SQL Injection
Severity: Medium
Suggested CVSS v2.0: AV:N/AC:M/Au:S/C:P/I:P/A:P/E:F/RL:O/RC:C
Problem Description: Failing to properly escape user input, the extension is susceptible to SQL Injection and Cross-Site Scripting. The vulnerabilities are exploitable only by users having access to the backend module and if at least one newsletter with the enabled option “Register clicked links” exists.
Solution: An updated version 3.1.2 is available from the TYPO3 extension manager and at https://typo3.org/extensions/repository/download/tcdirectmail/3.1.2/t3x/. Users of the extension are advised to update the extension as soon as possible.
Credits: Credits go to Torben Hansen who discovered and reported the vulnerability.
General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.
Concerns over unprotected customer data sharing on WhatsApp and Facebook result in the UK Information Commissioner threatening enforcement action.
The post ICO concerned about privacy protection on WhatsApp/Facebook appeared first on WeLiveSecurity.