Microsoft Windows 8.1, Windows Server 2012 Gold and R2, Windows RT 8.1, and Windows 10 Gold and 1511 allow attackers to bypass the Secure Boot protection mechanism by leveraging (1) administrative or (2) physical access to install a crafted boot manager, aka “Secure Boot Security Feature Bypass.”
Monthly Archives: August 2016
CVE-2016-3321
Microsoft Internet Explorer 10 and 11 load different files for attempts to open a file:// URL depending on whether the file exists, which allows local users to enumerate files via vectors involving a file:// URL and an HTML5 sandbox iframe, aka “Internet Explorer Information Disclosure Vulnerability.”
CVE-2016-3322
Microsoft Internet Explorer 11 and Edge allow remote attackers to execute arbitrary code via a crafted web page, aka “Microsoft Browser Memory Corruption Vulnerability,” a different vulnerability than CVE-2016-3289.
CVE-2016-3326
Microsoft Internet Explorer 9 through 11 and Edge allow remote attackers to obtain sensitive information via a crafted web page, aka “Microsoft Browser Information Disclosure Vulnerability,” a different vulnerability than CVE-2016-3327.
CVE-2016-3327
Microsoft Internet Explorer 9 through 11 and Edge allow remote attackers to obtain sensitive information via a crafted web page, aka “Microsoft Browser Information Disclosure Vulnerability,” a different vulnerability than CVE-2016-3326.
CVE-2016-3329
Microsoft Internet Explorer 9 through 11 and Edge allow remote attackers to determine the existence of files via a crafted webpage, aka “Internet Explorer Information Disclosure Vulnerability.”
Don’t believe everything you read about ‘unsafe’ security products
Online reports about the safety of security products can be very alarming, which is why we want to address those concerns and provide assurance that we take them very seriously.
You may recently have read about the discovery of a vulnerability in a number of online security products, specifically regarding ‘code hooking.’ The issue, when originally found, affected a number of antivirus companies, including AVG.
We took this vulnerability in our products very seriously when we first learned of it in December 2015, and we resolved it within two days. In fact, enSilo, the research company that identified the issue, credited our fast response in an article titled ‘Learning from AVG on Doing it Right’.
The new articles on this topic arose from enSilo’s ‘Captain Hook’ report, which details potential security issues regarding the incorrect implementation of code hooking and injection techniques. There is no reference to AVG in this report, and any media articles mentioning AVG in conjunction with this report are inaccurate.
enSilo has not disclosed any new vulnerability or security issue with our products, which they confirmed when we contacted them. Our previous experience with enSilo indicates they are a responsible company that reports issues to vendors prior to disclosing them publicly.
AVG encourages developers and researchers to report any issues with our products through our proactive bug bounty program. This process allows us to investigate potential issues fully and take the steps to fix or mitigate as necessary without unduly alarming our users.
I would like to thank enSilo for their valued partnership to date in helping us to protect our customers in an ever-changing security landscape.
CVE-2016-4168
Cross-site scripting (XSS) vulnerability in Adobe Experience Manager 5.6.1, 6.0, and 6.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
CVE-2016-4169
Adobe Experience Manager 6.0, 6.1, and 6.2 allow attackers to obtain sensitive audit log event information via unspecified vectors.
CVE-2016-4170
Cross-site scripting (XSS) vulnerability in Adobe Experience Manager 5.6.1, 6.0, 6.1, and 6.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.