Security
Original release date: September 16, 2014
Adobe has released security updates for Adobe Reader and Acrobat for Windows and Macintosh. Exploitation of these vulnerabilities could potentially allow an attacker to take control of the affected system.
US-CERT encourages users and administrators to review Adobe Security Bulletin APSB14-20 and apply the necessary updates.
This product is provided subject to this Notification and this Privacy & Use policy.
Adobe released a new version of Reader and Acrobat, patching eight security vulnerabilities in the PDF reader. The patches were delayed a weeks because of issues during regression testing.
The researcher who originally discovered the same-origin policy bypass in the Android browser said he reported the vulnerability to Google some time ago, but that the company’s Android security team said it was unable to reproduce the issue. Rafay Baloch said he first reported the vulnerability to Google on Aug. 13, informing the company’s Android […]
USB & WiFi Flash Drive version 1.3 suffers from a code execution vulnerability.
WordPress Slideshow Gallery plugin version 1.4.6 shell upload exploit.
This bulletin summary notes that MS14-055 has undergone a major revision increment as of September 15, 2014.
EMC Documentum Content Server contains fixes for multiple privilege escalation vulnerabilities that can be potentially leveraged by a malicious attacker to compromise the affected system. Versions affected include 7.1, 7.0, 6.7 SP2, and prior to 6.7 SP2.
Red Hat Security Advisory 2014-1245-01 – Kerberos is an authentication system which allows clients and services to authenticate to each other with the help of a trusted third party, a Kerberos Key Distribution Center. It was found that if a KDC served multiple realms, certain requests could cause the setup_server_realm() function to dereference a NULL pointer. A remote, unauthenticated attacker could use this flaw to crash the KDC using a specially crafted request. A NULL pointer dereference flaw was found in the MIT Kerberos SPNEGO acceptor for continuation tokens. A remote, unauthenticated attacker could use this flaw to crash a GSSAPI-enabled server application.
Red Hat Security Advisory 2014-1194-01 – The Conga project is a management system for remote workstations. It consists of luci, which is a secure web-based front end, and ricci, which is a secure daemon that dispatches incoming messages to underlying management modules. It was discovered that Plone, included as a part of luci, did not properly protect the administrator interface. A remote attacker could use this flaw to inject a specially crafted Python statement or script into Plone’s restricted Python sandbox that, when the administrator interface was accessed, would be executed with the privileges of that administrator user.
Red Hat Security Advisory 2014-1246-01 – Network Security Services is a set of libraries designed to support the cross-platform development of security-enabled client and server applications. A flaw was found in the way TLS False Start was implemented in NSS. An attacker could use this flaw to potentially return unencrypted information from the server. A race condition was found in the way NSS implemented session ticket handling as specified by RFC 5077. An attacker could use this flaw to crash an application using NSS or, in rare cases, execute arbitrary code with the privileges of the user running that application.