Posted by Sachin Wagh on Mar 16
Vulnerability Title: USB Pratirodh XML External Entity Injection
Vulnerability
Affekted Product: USB resistance
Product Homepage: https://cdac.in/index.aspx?id=cs_eps_usb_pra
CVE-ID : CVE-2017-6895
Severity: Medium
Class: Twentieth [CWE-611]
Impact: XML External Entity, Information Disclosure, Denial Of Service,
Author: Sachin Wagh (@tiger_tigerboy)
*Description:*
USB Pratirodh is prone to an XML External Entity injection vulnerability.
XXE…
Posted by Sachin Wagh on Mar 16
Vulnerability Title: USB Pratirodh Insecure Password Storage Information
Disclosure Vulnerability
Affekted Product: USB resistance
Product Homepage: https://cdac.in/index.aspx?id=cs_eps_usb_pra
CVE-ID : CVE-2017-6911
Severity: Medium
*Description:*
USB Pratirodh is prone to sensitive information disclosure. Its Store
sensitive information such as username and password hash in usb.xml file.
An attacker with physical access to the system can…
Posted by Sachin Wagh on Mar 16
Vulnerability Title: Skype Insecure Library Loading Vulnerability
(api-ms-win-core-winrt-string-l1-1-0.dll)
Affected Product: Skype
Vendor Homepage: https://www.microsoft.com/en-us/
MSRC Case 32355 TRK:0001002846
CVE-ID : CVE-2017-6517
Severity: Medium
*Description:*
Microsoft Skype contains a DLL hijacking vulnerability that could allow an
unauthenticated attacker to execute arbitrary code on the targeted system.
This vulnerability exists due…
On the first day of Pwn2Own 2017 hackers poked holes in Adobe Reader, Apple Safari, Microsoft Edge, and Ubuntu Linux.
We were surprised by a recent research report that found enterprises are moving more quickly to managed security service providers (57 percent to provide 24×7 IT systems monitoring, 45 percent for threat detection and intelligence, and 41 percent for technology assessment and analysis). The results were surprising because SMBs are facing even more threats than enterprises, and they have less resources – tools, skills, and personnel.
Year Zero, the first delivery from WikiLeaks of the “biggest document leak” the Central Intelligence Agency has ever seen, is made up of over 8,000 files. The revelations they contain are causing quite a stir. If nothing else, they’ve shown that the CIA has at its disposal an enormous cyberespionage arsenal.
The documents detail how cyberweapons were prepared to make use of “zero day” attacks (which target vulnerabilities that haven’t been made public yet, and can therefore be easily exploited). These cyberweapons would be used to compromise the security of devices using iOS, Android, Windows, and macOS operating systems.
Something of considerable note from these leaks is that the CIA would not have to break the encryption protecting apps such as WhatsApp, Signal, or Telegram. By gaining access to the smartphone’s OS using malicious software, they are able to access all the information stored on it.
According to the documents, which have been deemed authentic by several security experts, the CIA even made use of security holes in other smart devices. The US agency worked with their British counterparts to develop a cyberespionage tool called Weeping Angel to use smart TVs as hidden microphones. So, how did the affected companies react? And what can the rest of us learn from this leak?
Apple reacted to the leak with a lengthy statement, pointing out that the security holes that the CIA used had already been patched in the latest version of iOS. The company also ensured that is would continue working to resolve any vulnerability and encouraged users to download the latest version of its OS.
Google claimed that Android and Chrome’s updates had already solved the problems, while Microsoft and Samsung have said they are investigating the issue. Although WikiLeaks hasn’t released technical aspects of the malware in question, they have announced their intention to share them with manufacturers.
For their part, the CIA is keeping pretty quiet about the whole thing. They’ve limited themselves to a “no comment” about the leaked documents and have stated that the revelations put US citizens in danger. It’s the first major challenge for CIA director Mike Pompeo, recently appointed by President Trump.
Keeping in mind that US intelligence is able to detect vulnerabilities even in the tech giants themselves and even develop cyberweapons to take advantage of them, what can a company learn from these leaks?
One of the first lessons to learn is that the security on our devices leaves much to be desired. Another, to avoid exposing our companies to zero day attacks, a perimeter-based security solution isn’t going to cut it. The only way to combat zero-day attacks: update, update, update, and spring for an advanced cybersecurity solution.
Panda Security’s Adaptive Defense 360, to name but one example, is not too shabby when it comes to top of the line security. It allows continuous monitoring through surveillance and logs of all activity at every workstation and detects advanced threats in real time. It stops untrusted software the moment it attempts to run, responds in a matter of seconds, and recovers instantaneously. It’s nice to know that your as-yet-unknown security holes (and there is always one or two lurking beneath the radar, even at companies like Google and Apple) won’t be much use to potential intruders.
The post In the Wake of the CIA WikiLeaks Case, Some Tips on Corporate Cybersecurity appeared first on Panda Security Mediacenter.
Another dangerous vulnerability has been discovered in Linux kernel that dates back to 2009 and affects a large number of Linux distros, including Red Hat, Debian, Fedora, OpenSUSE, and Ubuntu.
The latest Linux kernel flaw (CVE-2017-2636), which existed in the Linux kernel for the past seven years, allows a local unprivileged user to gain root privileges on affected systems or cause a denial
The 4.10.3 kernel rebase contains a number of new features, important fixes, and additional hardware support.
Prague, Czech Republic / Amsterdam, The Netherlands, March 16, 2017 – Today, Avast Software B.V. (“Avast“) enforced the judgement of the Enterprise Chamber of the Court of Appeal of Amsterdam, the Netherlands (the “Enterprise Court“) of 14 February 2017.
As announced on February 15, 2017, The Enterprise Court ordered all minority shareholders of AVG Technologies B.V. (“AVG“) to transfer their shares to Avast in exchange for a payment of EUR 22.84 per share in cash, increased by statutory interest to be calculated over the period from October 31, 2016 until the date of transfer of the shares.
Up until March 15, 2017, shareholders of AVG could voluntarily adhere to the judgment of the Enterprise Court by transferring their shares in AVG to Avast. On March 16, 2017, Avast enforced the judgement of the Enterprise Court by transferring the aggregate squeeze-out price of the remaining outstanding shares in AVG to the Consignment Fund of the Ministry of Finance of the Netherlands (the “Consignment Fund“).
As a result of the consignment, all remaining outstanding shares of AVG that were not yet held by Avast were transferred to Avast by operation of law as per 16 March 2017. The former holders of these shares should reach out to the Consignment Fund for payment of the squeeze-out price, which amounts to EUR 23.01 per share in AVG including statutory interest as per 16 March 2017.
Requests for payment of the squeeze-out price and questions with regard to claiming the squeeze-out price should be directed to the Consignment Fund. The contact details of the Consignment Fund are included below.
Ministry of Finance
Attn. The Consignment Fund
PO Box 20201
2500 EE THE HAGUE
THE NETHERLANDS
E-mail: [email protected]
About Avast
Avast (www.avast.com), the global leader in digital security products for businesses and consumers, protects over 400 million people online. Avast offers products under the Avast and AVG brands that protect people from threats on the internet and the evolving IoT threat landscape. The company’s threat detection network is among the most advanced in the world, using machine learning and artificial intelligence technologies to detect and stop threats in real time. Avast digital security products for Mobile, PC or Mac are top-ranked and certified by VB100, AV-Comparatives, AV-Test, OPSWAT, ICSA Labs, West Coast Labs and others. Avast is backed by leading global private equity firms CVC Capital Partners and Summit Partners.
Media Contact:
Zoe Kine, Avast PR Director
E-mail: [email protected]
www.avast.com
Machines can learn incredibly fast. Faster than us, actually. They are already changing our world, our business, and our life. Avast, as a part of the artificial intelligence revolution, is proud to be a gold partner of Machine Learning Prague 2017, held from April 21st to April 23rd in Prague, Czech Republic.
