Panda Security will continue to support and provide protection for Windows XP

Panda Security, The Cloud Security Company, today announced that its 2014 consumer solutions (Panda Global Protection 2014, Panda Internet Security 2014 and Panda Antivirus Pro 2014), as well as Panda Gold Protection and Panda Cloud Antivirus Pro, will continue to provide the same level of service to Windows XP users, despite the fact that Microsoft support for the operating system officially ended on April 8.

Microsoft launched Windows XP on October 25, 2001, and now, after almost 13 years, the Redmond company has decided to stop providing support for the popular platform. This means that users will no longer receive technical assistance, automatic security updates or fixes to help protect their PCs. However, as previously announced last January, Panda Security products will continue to support Windows XP systems for the foreseeable future.

“Windows XP’s end of life does not mean that computers will stop working from one day to the next. April 8 will be no more dangerous for Windows XP users than April 7. The only thing that’s going to happen is that, officially, Microsoft is no longer going to support XP and there will be no more updates”, explained Hervé Lambert, Retail Product Marketing Manager at Panda Security. “It is very important for us to keep our commitments to our customers. Therefore, users with a Panda Security product installed on their systems will continue to enjoy maximum protection for Windows XP”. 

Advice for Windows XP and Office 2003 users

Microsoft’s decision affects all Windows XP users worldwide. In this context, computers with Windows XP and Office 2003 will still work, but they might become more vulnerable to security risks.

“These vulnerabilities or security holes will leave an open door on computers, and these holes could lead to, say, a Web page infecting users’ computers simply when they visit it. This is something that happens at present, which is why we often remind users of the importance of applying all security updates, both to the operating system and to other software they have installed. However, from April 8, there will be no more updates for Windows XP and Office 2003, and consequently the risk of an attack will increase over time. It is a question of ‘when’ rather than ‘if’ new vulnerabilities will appear”, said Lambert.

Windows XP users who have a Panda Security 2014 consumer product installed on their systems (Panda Global Protection 2014, Panda Internet Security 2014 and Panda Antivirus Pro 2014), as well as Panda Gold Protection or Panda Cloud Antivirus, will continue to enjoy the same level of protection on their computers.

“At Panda Security we advise users to upgrade to a newer version that offers greater security such as Windows 7, Windows 8.1, Mac OS X or GNU/Linux. There is no need to panic if you have Windows XP, though it is time to think seriously about whether you ought to migrate to a more current operating system and protect it with a robust security solution”, concluded Lambert.

CVE-2014-0636 (rsa_bsafe)

EMC RSA BSAFE Micro Edition Suite (MES) 3.2.x before 3.2.6 and 4.0.x before 4.0.5 does not properly validate X.509 certificate chains, which allows man-in-the-middle attackers to spoof SSL servers via a crafted certificate chain.

Panda Cloud Systems Management Now Allows Management of Windows, Mac and Linux devices as well as tablets and smartphones

Panda Security, The Cloud Security Company, today announced the addition of significant enhancements and new features to Panda Cloud Systems Management (PCSM), its remote management and monitoring solution designed to help organizations manage, monitor and support all types of devices on their computer networks, both in the office and on the road.

The new features incorporated in Panda Cloud Systems Management include printer management via SNMP, which allows IT administrators to configure monitors and alerts to control printer status, track toner and paper usage, etc. This feature will extend to routers and switches in future releases.

Activity Log

The new version of Panda Cloud Systems Management also boasts a new activity log feature. Every action that takes place on users’ computers is logged in a report, giving administrators the ability to search, filter and export log data. This feature provides detailed, comprehensive visibility into network activity, so that administrators can see at any time which actions have been performed by each user and when.

Additionally, the solution provides additional security measures, such as two-factor authentication to access the PCSM Web console. “With this new feature it will be extremely difficult, if not impossible, to compromise user accounts”, said Manuel Santamaría, Product Manager Director at Panda Security.

Linux Device Management

The new version of Panda Cloud Systems Management adds Linux support to its cross-platform management capabilities. Panda Security understands that today’s enterprise environments consist of multiple operating systems and platforms, and helps IT administrators deal with this situation by offering them PCSM, a unified solution for managing Windows, Mac, iOS, Android and now Linux devices.

This feature is available for Linux computers running Ubuntu and Red Hat, and includes hardware and software inventory. Additionally, the solution supports remote access to network computers via a command line interface, and includes advanced system utilities such as Shell, Restart, Shutdown, File Transfer, Quick Jobs and Wake on LAN.

“The new features incorporated into PCSM deliver significant benefits to companies, easing IT management and reducing costs,” explained Santamaría. “With the launch of this new service, Panda Security reinforces its commitment to providing comprehensive solutions that reduce the complexity of security management. Thanks to Panda Cloud Systems Management, partners have an easy-to-use, centralized management tool that reduces maintenance time and costs, improves margins and revenue and provides added value for customers.”

More information about Panda Cloud Systems Management here.

Captcha Bypass in extension "powermail" (powermail)

Release Date: April 10, 2014

Bulletin update: September 18, 2014 (added CVE)

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: powermail: Version 2.0.0 – 2.0.10

Vulnerability Type: Captcha Bypass

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:O/RC:C

CVE: CVE-2014-6288

Problem Description: The extension powermail offers the use of a captcha validation to secure forms. It was possible to bypass the captcha validation and submit forms.

Important Note: Other field validators weren’t involved so any other validation worked as expected.

Solution: Updated version 2.0.11 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/powermail/2.0.11/t3x/. Users of the extension are advised to update the extension as soon as possible as long as they use captchas in their forms.

Credits: Credits go to Jigal van Hemert who discovered and reported this issue.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

OpenSSL heartbeat information disclosure

A serious vulnerability in the popular open source cryptographic library OpenSSL has been disclosed and Proof-of-Concept (POC) exploit code is publicly available. This affects deployments using 1.0.1 and 1.0.2-beta releases with TLS heartbeat extension enabled. Successful exploitation allows an attacker to remotely read system memory contents without even needing to log on to the server. It is highly advised to update all the affected products as soon as a patch for the particular product is available and to proactively get updates from the affected vendors.

WordPress 3.8.2 Security Release

WordPress 3.8.2 is now available. This is an important security release for all previous versions and we strongly encourage you to update your sites immediately.

This release fixes a weakness that could let an attacker force their way into your site by forging authentication cookies. This was discovered and fixed by Jon Cave of the WordPress security team.

It also contains a fix to prevent a user with the Contributor role from improperly publishing posts. Reported by edik.

This release also fixes nine bugs and contains three other security hardening changes:

  • Pass along additional information when processing pingbacks to help hosts identify potentially abusive requests.
  • Fix a low-impact SQL injection by trusted users. Reported by Tom Adams of dxw.
  • Prevent possible cross-domain scripting through Plupload, the third-party library WordPress uses for uploading files. Reported by Szymon Gruszecki.

We appreciated responsible disclosure of these security issues directly to our security team. For more information on all of the changes, see the release notes or consult the list of changes.

Download WordPress 3.8.2 or venture over to Dashboard → Updates and simply click “Update Now.”

Sites that support automatic background updates will be updated to WordPress 3.8.2 within 12 hours. If you are still on WordPress 3.7.1, you will be updated to 3.7.2, which contains the same security fixes as 3.8.2. We don’t support older versions, so please update to 3.8.2 for the latest and greatest.

Already testing WordPress 3.9? The first release candidate is now available (zip) and it contains these security fixes. Look for a full announcement later today; we expect to release 3.9 next week.

TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)

Original release date: April 08, 2014

Systems Affected

  • OpenSSL 1.0.1 through 1.0.1f
  • OpenSSL 1.0.2-beta

Overview

A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.

Description

OpenSSL versions 1.0.1 through 1.0.1f contain a flaw in their implementation of the TLS/DTLS heartbeat functionality. This flaw allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of 64k at a time. Note that an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets. The sensitive information that may be retrieved using this vulnerability includes:

  • Primary key material (secret keys)
  • Secondary key material (user names and passwords used by vulnerable services)
  • Protected content (sensitive data used by vulnerable services)
  • Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations)

Exploit code is publicly available for this vulnerability. Additional details may be found in CERT/CC Vulnerability Note VU#720951.
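The "incorrect memory handling" the advisory refers to is a missing length check: a heartbeat message carries a declared payload length, and the handler echoed that many bytes back without confirming they had actually been received. The C below is an added illustration, not text from the advisory and not OpenSSL's source; it shows a minimal heartbeat responder with the bounds check in place, run against two constructed records (one well formed, one whose declared length exceeds the record). The message layout (1 byte type, 2 bytes length, payload, at least 16 bytes padding) follows the TLS heartbeat extension; the function and constant names are the example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message layout (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16). */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING   16

/* Build a heartbeat response for a received heartbeat record.
 * Returns the response length, or -1 when the record is rejected:
 * too short, wrong type, declared payload does not fit in what was
 * received, or the output buffer is too small. */
int heartbeat_response(const unsigned char *rec, size_t rec_len,
                       unsigned char *out, size_t out_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)   /* cannot even hold header + padding */
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;

    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);

    /* The decisive check: the declared payload plus mandatory padding must lie
     * inside the bytes actually received. Without it, the memcpy below would
     * read up to 64k past the end of a short record and leak process memory. */
    if ((size_t)1 + 2 + payload_len + HB_PADDING > rec_len)
        return -1;

    size_t resp_len = (size_t)1 + 2 + payload_len + HB_PADDING;
    if (resp_len > out_cap)
        return -1;

    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);          /* echo exactly the received payload */
    memset(out + 3 + payload_len, 0, HB_PADDING);   /* real implementations use random padding */
    return (int)resp_len;
}

/* Constructed sample: 5-byte payload "hello", declared length 5, 16 bytes padding. */
int demo_well_formed(void)
{
    unsigned char rec[3 + 5 + HB_PADDING] = { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
    unsigned char out[64];
    int n = heartbeat_response(rec, sizeof rec, out, sizeof out);
    if (n != 24 || out[0] != HB_RESPONSE || memcmp(out + 3, "hello", 5) != 0)
        return 0;
    return 1;
}

/* Constructed sample: same 24-byte record, but the header claims a 65535-byte payload. */
int demo_oversized_length(void)
{
    unsigned char rec[3 + 5 + HB_PADDING] = { HB_REQUEST, 0xff, 0xff, 'h', 'e', 'l', 'l', 'o' };
    unsigned char out[64];
    return heartbeat_response(rec, sizeof rec, out, sizeof out) == -1;
}

int main(void)
{
    printf("well-formed record answered:   %s\n", demo_well_formed() ? "yes" : "no");
    printf("oversized length rejected:     %s\n", demo_oversized_length() ? "yes" : "no");
    return 0;
}
```

The second sample is the shape of record the advisory's 64k figure comes from: with the check removed, the handler would copy 65535 bytes from a 24-byte buffer. A handler that silently discards such records, as this one does, is the patched behaviour.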

Impact

This flaw allows a remote attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of 64k at a time.

Solution

OpenSSL 1.0.1g has been released to address this vulnerability. Any keys generated with a vulnerable version of OpenSSL should be considered compromised and regenerated and deployed after the patch has been applied.

US-CERT recommends system administrators consider implementing Perfect Forward Secrecy to mitigate the damage that may be caused by future private key disclosures.

Revision History

  • Initial Publication

MS14-017 – Critical: Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2949660) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (April 8, 2014): Bulletin published.
Summary: This security update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in Microsoft Office. The most severe of these vulnerabilities could allow remote code execution if a specially crafted file is opened or previewed in an affected version of Microsoft Office software. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

MS14-020 – Important: Vulnerability in Microsoft Publisher Could Allow Remote Code Execution – Important (2950145) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (April 8, 2014): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted file in an affected version of Microsoft Publisher. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.