Administrative Server in Micro Focus Host Access Management and Security Server (MSS) and Reflection for the Web (RWeb) and Reflection Security Gateway (RSG) and Reflection ZFE (ZFE) allows remote unauthenticated attackers to read arbitrary files via a specially crafted URL that allows limited directory traversal. Applies to MSS 12.3 before 12.3.326 and MSS 12.2 before 12.2.342 and RSG 12.1 before 12.1.362 and RWeb 12.3 before 12.3.312 and RWeb 12.2 before 12.2.342 and RWeb 12.1 before 12.1.362 and ZFE 2.0.1 before 2.0.1.18 and ZFE 2.0.0 before 2.0.0.52 and ZFE 1.4.0 before 1.4.0.14.
Monthly Archives: November 2016
USN-3135-2: GStreamer Good Plugins vulnerability
Ubuntu Security Notice USN-3135-2
28th November, 2016
gst-plugins-good0.10, gst-plugins-good1.0 vulnerability
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
GStreamer could be made to crash or run programs as your login if it opened
a specially crafted file.
Software description
- gst-plugins-good0.10 – GStreamer plugins
- gst-plugins-good1.0 – GStreamer plugins
Details
USN-3135-1 fixed a vulnerability in GStreamer Good Plugins. The original
security fix was incomplete. This update fixes the problem.
Original advisory details:
Chris Evans discovered that GStreamer Good Plugins did not correctly handle
malformed FLC movie files. If a user were tricked into opening a crafted
FLC movie file with a GStreamer application, an attacker could cause a
denial of service via application crash, or execute arbitrary code with the
privileges of the user invoking the program.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 16.10:
  - gstreamer1.0-plugins-good 1.8.3-1ubuntu1.2
- Ubuntu 16.04 LTS:
  - gstreamer1.0-plugins-good 1.8.2-1ubuntu0.3
- Ubuntu 14.04 LTS:
  - gstreamer0.10-plugins-good 0.10.31-3+nmu1ubuntu5.2
  - gstreamer1.0-plugins-good 1.2.4-1~ubuntu1.3
- Ubuntu 12.04 LTS:
  - gstreamer0.10-plugins-good 0.10.31-1ubuntu1.4
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
USN-3138-1: python-cryptography vulnerability
Ubuntu Security Notice USN-3138-1
28th November, 2016
python-cryptography vulnerability
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
Summary
python-cryptography could generate incorrect keys.
Software description
- python-cryptography – Cryptography Python library
Details
Markus Döring discovered that python-cryptography incorrectly handled
certain HKDF lengths. This could result in python-cryptography returning an
empty string instead of the expected derived key.
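The RFC 5869 extract-and-expand construction behind the advisory, as an added example in Python (not python-cryptography's own code). It derives keys shorter than one digest as well as longer ones, and performs the output-length check a caller can make against the empty-string failure mode described above.

```python
import hashlib
import hmac


def hkdf_extract(salt: bytes, ikm: bytes, hash_name: str = "sha256") -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM); empty salt = HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * hashlib.new(hash_name).digest_size
    return hmac.new(salt, ikm, hash_name).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """RFC 5869 step 2: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), concatenated
    until at least `length` bytes exist, then truncated. Lengths below one
    digest (the advisory's case) need exactly one block; the cap is 255 * HashLen."""
    hash_len = hashlib.new(hash_name).digest_size
    if not 0 < length <= 255 * hash_len:
        raise ValueError("length must be between 1 and 255 * HashLen bytes")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hash_name).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(salt: bytes, ikm: bytes, info: bytes, length: int, hash_name: str = "sha256") -> bytes:
    """Extract-then-expand, plus the check a caller should make whatever the
    library: a derived key must be exactly as long as requested, never b""."""
    okm = hkdf_expand(hkdf_extract(salt, ikm, hash_name), info, length, hash_name)
    if len(okm) != length:
        raise RuntimeError("HKDF returned %d bytes, expected %d" % (len(okm), length))
    return okm


# RFC 5869 test case 1 (SHA-256): the standard known-answer check.
RFC5869_IKM = bytes.fromhex("0b" * 22)
RFC5869_SALT = bytes.fromhex("000102030405060708090a0b0c")
RFC5869_INFO = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
RFC5869_OKM = bytes.fromhex(
    "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
    "34007208d5b887185865"
)

if __name__ == "__main__":
    assert hkdf(RFC5869_SALT, RFC5869_IKM, RFC5869_INFO, 42) == RFC5869_OKM
    # 16 bytes is shorter than SHA-256's 32-byte digest and must still
    # come back as 16 bytes (a prefix of the 42-byte output), not b"".
    print(hkdf(RFC5869_SALT, RFC5869_IKM, RFC5869_INFO, 16).hex())
```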
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 16.10:
  - python3-cryptography 1.5-2ubuntu0.1
  - python-cryptography 1.5-2ubuntu0.1
- Ubuntu 16.04 LTS:
  - python3-cryptography 1.2.3-1ubuntu0.1
  - python-cryptography 1.2.3-1ubuntu0.1
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
USN-3139-1: Vim vulnerability
Ubuntu Security Notice USN-3139-1
28th November, 2016
vim vulnerability
A security issue affects these releases of Ubuntu and its
derivatives:
- Ubuntu 16.10
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS
Summary
Vim could be made to run programs as your login if it opened a specially
crafted file.
Software description
- vim – Vi IMproved – enhanced vi editor
Details
Florian Larysch discovered that the Vim text editor did not properly
validate values for the ‘filetype’, ‘syntax’, and ‘keymap’ options. An
attacker could trick a user into opening a file with specially crafted
modelines and possibly execute arbitrary code with the user’s privileges.
Update instructions
The problem can be corrected by updating your system to the following
package version:
- Ubuntu 16.10:
  - vim-common 2:7.4.1829-1ubuntu2.1
  - vim-runtime 2:7.4.1829-1ubuntu2.1
  - vim-gui-common 2:7.4.1829-1ubuntu2.1
  - vim 2:7.4.1829-1ubuntu2.1
- Ubuntu 16.04 LTS:
  - vim-common 2:7.4.1689-3ubuntu1.2
  - vim-runtime 2:7.4.1689-3ubuntu1.2
  - vim-gui-common 2:7.4.1689-3ubuntu1.2
  - vim 2:7.4.1689-3ubuntu1.2
- Ubuntu 14.04 LTS:
  - vim-common 2:7.4.052-1ubuntu3.1
  - vim-runtime 2:7.4.052-1ubuntu3.1
  - vim-gui-common 2:7.4.052-1ubuntu3.1
  - vim 2:7.4.052-1ubuntu3.1
- Ubuntu 12.04 LTS:
  - vim-common 2:7.3.429-2ubuntu2.2
  - vim-runtime 2:7.3.429-2ubuntu2.2
  - vim-gui-common 2:7.3.429-2ubuntu2.2
  - vim 2:7.3.429-2ubuntu2.2
To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.
After a standard system update you need to restart Vim to make
all the necessary changes.
How To Evaluate a Next-generation Endpoint Protection
We are lately seeing blogs attempting to publicly demonstrate that next-generation protection solutions, like Adaptive Defense, are vulnerable. These proofs of concept aim to demonstrate that there are malicious files that evade detection when reaching a system or attempting to run. The problem with these demonstrations is that the writer expects the malicious files to be stopped before being run. But that’s a mistake, and reveals a clear misunderstanding of this new protection model based on the continuous monitoring of process activities.
To be truly effective, a next-generation solution must provide continuous protection against all types of attacks. This means that it must offer continuous prevention, detection at runtime, visibility into every action taken, and intelligence to block malicious actions such as lateral movements. It is not enough to provide detection at file level based on a list of malware files. Efficient security means being able to protect systems before, after and during an attack.
The cyber-security ‘war’ goes beyond the ‘battle’ of detecting malicious files when they reach a computer or attempt to run. It will be won by whoever is capable of efficiently, seamlessly and unobtrusively monitoring every process running on devices, blocking those that, despite being apparently and initially harmless, show malicious behaviors. Today’s malware is extremely sophisticated and should never be underestimated. But not only that…
Protection is not only about detecting threats before, after and during an attack; it is also about remediation and prevention.
That’s why a next-generation solution must also include response and remediation capabilities. These products are known in the security sector as EDR (Endpoint Detection and Response) solutions, and they incorporate forensic analysis tools capable of tracing every action taken on the endpoint in order to remediate and prevent present and future attacks.
Why past methodologies are no longer valid
Panda Adaptive Defense integrates all of those features into a single Next-Generation protection solution based on continuous monitoring, and which provides prevention, detection, visibility and intelligence to block known and unknown attacks. In addition to continuous monitoring via hundreds of sensors, Adaptive Defense also provides forensic analysis tools for efficient remediation and prevention.
When you read these proofs of concept, you must understand that they are not real. The fact that a security solution doesn’t detect a file as malware at the time of reaching a system doesn’t mean that it is not efficient. On the contrary, in the particular case of Adaptive Defense, it is perfectly possible that the solution doesn’t detect the file at that time, but it will detect it as soon as it attempts to run, or will monitor and block it during an attack.
This ability is not present in traditional solutions based on a more or less generalist malware blacklisting strategy, and which rely on detecting malicious files on the system or when attempting to run. With these solutions, if a malicious file is not classified as malware, it will be allowed to run regardless of the actions it carries out during its life cycle.
Adaptive Defense might also let it run, albeit keeping an eye on it at all times and reporting its activities to our Machine Learning Intelligence platform. This system, which is in constant evolution and correlates data from thousands of endpoints with hundreds of sensors, will determine if the file’s activities constitute malicious behavior, in which case it will prevent it from running. Then, the file will be immediately classified either automatically or by a team of cyber-security experts. This analysis will determine with complete accuracy the nature of the attack. The old model doesn’t provide any of this.
Welcome to the Next-Generation Panda Security!
The post How To Evaluate a Next-generation Endpoint Protection appeared first on Panda Security Mediacenter.
How is Internet privacy upheld in the ‘digital afterlife’?
How do you account for someone’s digital presence after they’re no longer with us in the physical world?
The ‘digital afterlife’ is a concept that has been receiving increased attention from tech giants like Facebook and Google. Their aim is to make the passing of a loved one or relative easier, while also playing a role in celebrating people’s lives after they have passed away.
Internet Privacy
The issue of Internet privacy is, of course, a touchy one and this is magnified immensely in the difficult period after someone has passed away.
Whereas it used to be less clearly defined, Facebook recently felt the need to clarify the process that it adheres to after a user has passed away. If the social media giant is made aware of a user’s passing, there are two options; the account is memorialized or deleted. The account cannot remain active.
There’s an important reason for this, and that is the curious cyber security risks that come with leaving a social media page unaccounted for after a user has passed away.
Unfortunately, the growing digital graveyard left by people’s data footprints as they lived their lives is not treated with the same reverence as its equivalent is in the physical world.
Cyber Security risks for a social media account
There are tangible cyber security risks for a social media account that isn’t being used, with reported incidents of deceased users’ accounts being hacked and taken over by spambots. These accounts are often used for advertising, with some users having reported seeing their deceased relative or friend’s account starting to like pages on the social media website months, or even years after that person has passed away.
People’s social media pages have also even been hacked after their deaths and distasteful messages left on their page as status updates.
These risks are the main reason that Facebook has recently clarified its policy on changes to a user’s account once they have passed away. In a recent statement, the tech company said, “if Facebook is made aware that a person has passed away, it’s our policy to memorialize the account.”
Facebook, though, has had issues with processing memorialization requests; there have been reported cases of it taking up to 6 months for a request from a family member to be processed, and others of people receiving no response at all.
With over a billion users, and some estimates claiming that more than 8,000 Facebook users die every day, it’s no easy task dealing with so many accounts, and companies like Facebook and Google usually outsource such extensive undertakings.
Whilst the policy is strict on what happens to deceased users’ accounts, the social media giants don’t want this to take away from the freedom of deceased users’ loved ones in having a say in their relative’s digital afterlife.
Facebook have released a statement saying “there is more we can do to support those who are grieving and those who want a say in what happens to their account after death.” Google, meanwhile, have highlighted the importance of allowing people to “plan [their] digital afterlife.” Both companies allow users to designate a contact who will have access to their memorialized account after they have passed away.
Facebook ‘legacy contacts’ and Google+ ‘trusted contacts’ are able to curate their loved one’s social media pages after they have passed, by posting pictures and leaving updates whilst those who are already friends can leave parting messages.
Allowing this form of contact decreases the risk of cyber security being an issue in the digital afterlife.
The post How is Internet privacy upheld in the ‘digital afterlife’? appeared first on Panda Security Mediacenter.
roundcubemail-1.2.3-1.fc24
**Version 1.2.3**
– Searching in both contacts and groups when LDAP addressbook with group_filters option is used
– Fix vulnerability in handling of mail()’s 5th argument
– Fix To: header encoding in mail sent with mail() method (#5475)
– Fix flickering of header topline in min-mode (#5426)
– Fix bug where folders list would scroll to top when clicking on subscription checkbox (#5447)
– Fix decoding of GB2312/GBK text when iconv is not installed (#5448)
– Fix regression where creation of default folders wasn’t functioning without prefix (#5460)
– Enigma: Fix bug where last records on keys list were hidden (#5461)
– Enigma: Fix key search with keyword containing non-ascii characters (#5459)
– Fix bug where deleting folders with subfolders could fail in some cases (#5466)
– Fix bug where IMAP password could be exposed via error message (#5472)
– Fix bug where it wasn’t possible to store more than 2MB objects in memcache/apc; added memcache_max_allowed_packet and apc_max_allowed_packet settings (#5452)
– Fix “Illegal string offset” warning in rcube::log_bug() on PHP 7.1 (#5508)
– Fix storing “empty” values in rcube_cache/rcube_cache_shared (#5519)
– Fix missing content check when image resize fails on attachment thumbnail generation (#5485)
– Fix displaying attached images with wrong Content-Type specified (#5527)
roundcubemail-1.2.3-1.fc25
**Version 1.2.3** – same changelog as the fc24 build above.
roundcubemail-1.2.3-1.fc23
**Version 1.2.3** – same changelog as the fc24 build above.
roundcubemail-1.1.7-1.el7
**Version 1.1.7**
– Fix vulnerability in handling of mail()’s 5th argument