A new coalition, Let’s Encrypt, announced today they will grant free HTTPS certificates to any site that needs one in 2015.
Monthly Archives: November 2014
Microsoft Releases Patch for MS14-068 Vulnerability
Original release date: November 18, 2014
Microsoft has released an out-of-band patch for vulnerability MS14-068. This vulnerability is rated as critical and could allow for escalation of privileges. It affects only Windows Server systems and not client systems.
US-CERT encourages users and administrators to review Microsoft’s Security Bulletin and apply the necessary updates.
This product is provided subject to this Notification and this Privacy & Use policy.
Google Releases Open Source Tool for Testing Web App Security Scanners
Google today released to open source security scanning tool called Firing Range, which is designed to test for cross-site scripting (XSS) and other vulnerabilities on a massive scale.
WhatsApp Adds Encryption by Default to Android App
WhatsApp, a massively popular messaging app, recently added end-to-end encryption for some mobile clients, a move that brings a high level of security to millions of users. The change is the result of a partnership with Open Whisper Systems, the secure text and mobile OS company started by security researcher Moxie Marlinspike. Twitter acquired Open […]
CVE-2014-3613 (curl, libcurl)
cURL and libcurl before 7.38.0 does not properly handle IP addresses in cookie domain names, which allows remote attackers to set cookies for or send arbitrary cookies to certain sites, as demonstrated by a site at 192.168.0.1 setting cookies for a site at 127.168.0.1.
CVE-2014-3620 (curl, libcurl)
cURL and libcurl before 7.38.0 allow remote attackers to bypass the Same Origin Policy and set cookies for arbitrary sites by setting a cookie for a top-level domain.
CVE-2014-7146 (mantisbt)
The XmlImportExport plugin in MantisBT 1.2.17 and earlier allows remote attackers to execute arbitrary PHP code via a crafted (1) description field or (2) issuelink attribute in an XML file, which is not properly handled when executing the preg_replace function with the e modifier.
CVE-2014-7824 (d-bus)
D-Bus 1.3.0 through 1.6.x before 1.6.26, 1.8.x before 1.8.10, and 1.9.x before 1.9.2 allows local users to cause a denial of service (prevention of new connections and connection drop) by queuing the maximum number of file descriptors. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3636.1.
CVE-2014-8475 (freebsd)
FreeBSD 9.1, 9.2, and 10.0, when compiling OpenSSH with Kerberos support, uses incorrect library ordering when linking sshd, which causes symbols to be resolved incorrectly and allows remote attackers to cause a denial of service (sshd deadlock and prevention of new connections) by ending multiple connections before authentication is completed.
CVE-2014-8598 (mantisbt)
The XML Import/Export plugin in MantisBT 1.2.x does not restrict access, which allows remote attackers to (1) upload arbitrary XML files via the import page or (2) obtain sensitive information via the export page. NOTE: this issue can be combined with CVE-2014-7146 to execute arbitrary PHP code.