CVE-2017-7227

GNU linker (ld) in GNU Binutils 2.28 is vulnerable to a heap-based buffer overflow while processing a bogus input script, leading to a program crash. This relates to lack of '\0' termination of a name field in ldlex.l.

Linkit – Moderately Critical – Access Bypass – DRUPAL-SA-CONTRIB-2017-033

Description

Linkit provides an easy interface for internal and external linking with WYSIWYG editors by using an autocomplete field.

When searching for entities, this module doesn’t always enforce the access restrictions and users may see information about entities they should not be able to access.

This is mitigated by the fact that a user must have access to a text format that uses Linkit.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Linkit 8.x-4.x versions prior to 8.x-4.3.

Drupal core is not affected. If you do not use the contributed Linkit - Enriched linking experience module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Linkit module for Drupal 8.x, upgrade to Linkit 8.x-4.3

Also see the Linkit - Enriched linking experience project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

Office Hours – Moderately Critical – Cross Site Scripting – DRUPAL-SA-CONTRIB-2017-032

Description

This module enables you to show the office hours of a location to the public.

The module doesn’t sufficiently filter user input, leading to a Cross Site Scripting (XSS) vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a role with a permission to add fields to an entity.

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Office Hours 7.x-1.x versions prior to 7.x-1.6.

Drupal core is not affected. If you do not use the contributed Office Hours module, there is nothing you need to do.

Solution

Install the latest version:

  • If you use the Office Hours module for Drupal 7.x, upgrade to Office Hours 7.x-1.6

Also see the Office Hours project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity


HackITAll hackathon – 60 students, 20 teams, 3 winners, 1 Polly

“HackITAll” is a hackathon held each year by LSAC (the Automatic Control & Computers Students’ League). 2017 was the second edition of the event, and Avira was happy to be its sole sponsor. HackITAll took place on March 18-19, 2017, and was a classic 24-hour hackathon. It brought together 60 IT students, most of whom are […]

The post HackITAll hackathon – 60 students, 20 teams, 3 winners, 1 Polly appeared first on Avira Blog.

Spring Cleaning: Get Rid of Those Cookies from Your Browser!

Pretty much every day you click through a few new cookie notices without actually reading them. Websites are required to tell you that they store cookie files on your computer: small text records that hold your preferences and, very often, the token that keeps you logged in. The European Commission has just proposed simplifying these notices. Besides the cookies that websites create, your browser’s cache stores temporary copies of page resources so that pages load more quickly.

All of that piles up, believe it or not. Cookies themselves are tiny, but the cache and the rest of the browser profile can grow large, and a bloated profile can make the browser sluggish.

Sometimes what we chalk up to possible malware is just a cluttered profile slowing the browser down. That’s why it is advisable to do a little tidying up now and again and clear out cookies and cache. And if you use a shared computer, this has an additional privacy benefit: because cookies often carry session tokens, stale cookies can leave you signed in to webmail or shopping sites for whoever sits down next.

Chrome, Firefox, Edge… How Do I Clear Out the Cookies?

Chrome

In Chrome, the most popular browser, the option sits behind the icon with three vertical dots at the top right of the window. Click the icon, then go to More tools and Clear browsing data. Chrome lets you choose exactly which information to delete (cookies, cached files and images, browsing history or saved passwords) and the date range it applies to. The same dialog is also reachable from Settings, Show advanced settings and Privacy.

Firefox

To sweep up your little trail of crumbs in Mozilla Firefox, click the icon with three horizontal bars and select History and Clear Recent History. The window that opens lets you choose the time range to clean, and the Details section lets you pick which kinds of data to delete. From the same menu you can also open Options, Privacy and History; there you will find “Use custom settings for history”, which lets you decide which browsing data Firefox clears when it closes.

Safari

Users of Apple computers can clean out Safari from the Preferences and Privacy menus. There you can change how cookies and website data are accepted, remove the data of individual sites or of all of them at once, and see which sites are storing data under Details.

Edge

If you have already installed Windows 10 on your computer, you are sure to have saved personal information in Microsoft Edge. To clean it, select More, Settings (the little gear), Clear browsing data, and tick the boxes for the data you want to delete under Choose what to delete. From Advanced settings you can tell Edge to stop collecting or storing certain information.

Opera

Finally, Opera users remove cookies and clear the cache much as Chrome users do. From the browser menu, click Clear browsing data and select which items you want to delete and the time range they should be deleted from.
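To make concrete what “clearing cookies” actually removes, here is an added example that is not part of the Panda Security post: a small audit-and-prune tool for a cookie store. It assumes a SQLite table shaped like the moz_cookies table Firefox keeps in cookies.sqlite, built in memory from constructed rows rather than read from a real profile, and it treats the Secure plus HttpOnly flags as a heuristic for login tokens. All hosts, names and values are made up.

```python
import sqlite3

# Subset of the columns Firefox keeps in moz_cookies; real profiles carry more
# (assumption: this simplified copy is enough to show what gets cleared).
SCHEMA = """
CREATE TABLE moz_cookies (
  id INTEGER PRIMARY KEY,
  host TEXT NOT NULL, name TEXT NOT NULL, value TEXT NOT NULL, path TEXT NOT NULL,
  expiry INTEGER NOT NULL, isSecure INTEGER NOT NULL, isHttpOnly INTEGER NOT NULL
)
"""

DAY = 86_400
NOW = 1_490_000_000  # fixed clock (March 2017) so the results are deterministic

# Constructed sample rows, not taken from a real browser profile.
SAMPLE = [
    # host, name, value, path, expiry (unix seconds), isSecure, isHttpOnly
    ("mail.example.com", "SESSIONID", "a1b2c3", "/", NOW + 30 * DAY, 1, 1),
    (".example.com", "prefs", "lang=en", "/", NOW + 365 * DAY, 0, 0),
    (".tracker.example.net", "uid", "xyz", "/", NOW + 730 * DAY, 0, 0),
    ("shop.example.org", "cart", "item=42", "/", NOW - DAY, 0, 0),  # already expired
]


def open_store(rows=SAMPLE):
    """Build an in-memory cookie store containing the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany(
        "INSERT INTO moz_cookies (host, name, value, path, expiry, isSecure, isHttpOnly)"
        " VALUES (?, ?, ?, ?, ?, ?, ?)",
        rows,
    )
    conn.commit()
    return conn


def audit(conn, now=NOW):
    """One dict per cookie: origin host, remaining lifetime, expiry state, and
    whether it looks like a login token. Secure+HttpOnly is the usual hardening
    for session cookies, so it is a reasonable hint, not proof."""
    report = []
    for host, name, expiry, secure, httponly in conn.execute(
        "SELECT host, name, expiry, isSecure, isHttpOnly FROM moz_cookies ORDER BY host"
    ):
        report.append({
            "host": host,
            "name": name,
            "days_left": (expiry - now) // DAY,
            "expired": expiry <= now,
            "likely_session_token": bool(secure and httponly),
        })
    return report


def purge(conn, now=NOW, keep_hosts=()):
    """Delete every expired cookie and every cookie whose host is not in
    keep_hosts (a leading dot marks a domain-wide cookie and is ignored when
    matching). Returns the number of rows removed."""
    keep = set(keep_hosts)
    doomed = [
        (cid,)
        for cid, host, expiry in conn.execute("SELECT id, host, expiry FROM moz_cookies")
        if expiry <= now or host.lstrip(".") not in keep
    ]
    conn.executemany("DELETE FROM moz_cookies WHERE id = ?", doomed)
    conn.commit()
    return len(doomed)


def remaining_hosts(conn):
    """Hosts that still have cookies after a purge."""
    return sorted(h for (h,) in conn.execute("SELECT DISTINCT host FROM moz_cookies"))


if __name__ == "__main__":
    store = open_store()
    for cookie in audit(store):
        print(cookie)
    print("removed:", purge(store, keep_hosts=["mail.example.com"]))
    print("kept:", remaining_hosts(store))
```

The audit is the interesting half: the tracker cookie outlives the webmail login by two years, and the expired shopping cookie is still on disk until something removes it, which is what the browser’s own “clear browsing data” does in bulk. The allow-list in purge mirrors the per-site choice Safari offers.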

Now you know where to find the virtual duster on your personal or corporate computer, so go and do some spring cleaning!

The post Spring Cleaning: Get Rid of Those Cookies from Your Browser! appeared first on Panda Security Mediacenter.

Should You Share Your Netflix Password?

What you need to know before sharing your Netflix account details

Is it illegal to share your Netflix password? In July last year a US appeals court ruling on password sharing was widely interpreted as making it a federal crime to share passwords for online streaming services.

If you share your Netflix password with people you trust, though, there is no real need to stress out. It is very unlikely that Netflix is actively coming after password sharers.

Reed Hastings, Netflix CEO, spoke on the subject at CES last year:

We love people sharing Netflix whether they’re two people on a couch or 10 people on a couch. That’s a positive thing, not a negative thing.

The ruling interpreted the 30-year-old Computer Fraud and Abuse Act (CFAA). For obvious reasons, online activity is difficult to legislate for, and the CFAA is known for producing uncertain, ambiguous and sometimes murky rulings.

Whilst password sharing is a contentious subject, drawing widely differing opinions from legislators and from the CEOs of streaming services, what matters to a user is the impact that account sharing can have on them.

Reed Hastings recently told Business Insider that, “as long as they aren’t selling them, members can use their passwords however they please.”

Is this advisable though? Probably not.

The first question to ask when someone wants to use your Netflix account is whether you trust that person, even if they pinky-promise to stop after that House of Cards binge. It may seem obvious, but bad things can happen once your Netflix password has been passed on enough times to fall into the wrong hands.

Without your knowing, your account details could be sold on the black market. They could end up in a Netflix-themed scam that uses your account as a lure to infect people’s systems with ransomware. If your “Recently watched” list shows titles you have never seen, strangers may be using your account.

Or the friend who promised to stop after House of Cards simply couldn’t resist.

It’s Safe To Share, If You Trust The Other Person

The truth is that Netflix also has its own way of dealing with over-sharing of passwords. The Basic plan allows one stream at a time; the Standard plan allows two. It is a simple way of stopping one password from being shared with hundreds of people.

Netflix is famous for having encouraged binge-watching, and that simply wouldn’t work if users had to co-ordinate turns on a single account. Hastings relies on the concurrent-streaming limit, plus a relatively inexpensive service, to keep password sharing in check. It is very unlikely that Netflix would ever try to prosecute users.
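The concurrent-stream cap described above is a standard control against credential sharing: it does not need to know who holds the password, only how many players are active at once. As an added example, not Netflix’s code, here is a small limiter that enforces the one-stream and two-stream caps the post mentions. The numeric stream identifiers, the 300-second heartbeat timeout, the account and device names are all assumptions made for the illustration.

```python
import itertools
import time
from dataclasses import dataclass

# Stream caps per plan as the post describes them; other plans are not covered here.
PLAN_LIMITS = {"basic": 1, "standard": 2}
# Seconds a player may go silent before its slot is reclaimed (assumed value).
STALE_AFTER = 300


@dataclass
class Stream:
    account: str
    device: str
    last_seen: float


class StreamLimiter:
    """Enforce 'at most N simultaneous streams per account'.

    Players call start() to claim a slot, heartbeat() while playing and stop()
    when done. A player that vanishes without stop() (crash, network drop)
    loses its slot after STALE_AFTER seconds, so a forgotten device cannot
    hold a slot forever.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock          # injectable so the behaviour can be tested
        self._plans = {}             # account -> plan name
        self._streams = {}           # stream id -> Stream
        self._ids = itertools.count(1)

    def register(self, account, plan):
        if plan not in PLAN_LIMITS:
            raise ValueError(f"unknown plan {plan!r}")
        self._plans[account] = plan

    def _live(self, account, now):
        """Drop stale streams for the account and return those still alive."""
        for sid, s in list(self._streams.items()):
            if s.account == account and now - s.last_seen > STALE_AFTER:
                del self._streams[sid]
        return [s for s in self._streams.values() if s.account == account]

    def start(self, account, device):
        """Claim a slot; returns a stream id, or None if the plan is full."""
        now = self._clock()
        if len(self._live(account, now)) >= PLAN_LIMITS[self._plans[account]]:
            return None
        sid = next(self._ids)
        self._streams[sid] = Stream(account, device, now)
        return sid

    def heartbeat(self, sid):
        """Keep a stream alive; returns False if its slot was already reclaimed."""
        now = self._clock()
        s = self._streams.get(sid)
        if s is None or now - s.last_seen > STALE_AFTER:
            self._streams.pop(sid, None)
            return False
        s.last_seen = now
        return True

    def stop(self, sid):
        self._streams.pop(sid, None)

    def active_devices(self, account):
        """Devices currently streaming on the account. An unfamiliar entry here
        is the same signal as titles you never watched in 'Recently watched'."""
        return sorted(s.device for s in self._live(account, self._clock()))


if __name__ == "__main__":
    lim = StreamLimiter()
    lim.register("alice", "standard")
    tv = lim.start("alice", "living-room-tv")
    phone = lim.start("alice", "phone")
    print("third stream allowed:", lim.start("alice", "uncle") is not None)
    print("active:", lim.active_devices("alice"))
```

The cap works per account rather than per person, which is exactly why a spouse on the same couch and a stranger across the country look identical to it; the owner can only tell them apart by looking at the device list.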

“Password sharing is something you have to learn to live with”

Hastings has also emphasized that there is no plan to add any other kind of restriction on account sharing. “Password sharing is something you have to learn to live with, because there’s so much legitimate password sharing, like you sharing with your spouse, with your kids… so there’s no bright line, and we’re doing fine as is,” he said.

Anyone remember the early days of online sharing, when Metallica received a mighty backlash for calling out thousands of their own fans, who had shared the band’s music online, as criminals? Maybe Hastings knows that this kind of stance would be bad press, especially for a company whose modus operandi, after all, is online sharing.

There is still the question of what is ethically appropriate, which seems completely fair given Hastings’ and Netflix’s relaxed stance towards their members.

“We usually like to think that a husband and wife can share an account and that’s perfectly appropriate and acceptable,” said Hastings during a 2013 earnings call. “If you mean, ‘Hey, I got my password from my boyfriend’s uncle,’ then that’s not what we would consider appropriate.”

The post Should You Share Your Netflix Password? appeared first on Panda Security Mediacenter.