-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:183 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : phpmyadmin Date : September 24, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Updated phpmyadmin package fixes security vulnerability: In phpMyAdmin before 4.2.9, by deceiving a logged-in user to click on a crafted URL, it is possible to perform remote code execution and in some cases, create a root account due to a DOM based XSS vulnerability in the micro history feature (CVE-2014-6300). _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6300 http://advisories.mageia.org/MGASA-2014-0383.html _______
[ MDVSA-2014:182 ] zarafa
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:182 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : zarafa Date : September 24, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Updated zarafa packages fix security vulnerabilities: Robert Scheck reported that Zarafa's WebAccess stored session information, including login credentials, on-disk in PHP session files. This session file would contain a user's username and password to the Zarafa IMAP server (CVE-2014-0103). Robert Scheck discovered that the Zarafa Collaboration Platform has multiple incorrect default permissions (CVE-2014-5447, CVE-2014-5448, CVE-2014-5449, CVE-2014-5450). _______________________________________________
[ MDVSA-2014:181 ] dump
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2014:181 http://www.mandriva.com/en/support/security/ _______________________________________________________________________ Package : dump Date : September 24, 2014 Affected: Business Server 1.0 _______________________________________________________________________ Problem Description: Updated dump packages fix security vulnerability: An integer overflow in liblzo before 2.07 allows attackers to cause a denial of service or possibly code execution in applications using performing LZO decompression on a compressed payload from the attacker (CVE-2014-4607). The dump package is built with a bundled copy of minilzo, which is a part of liblzo containing the vulnerable code. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?nam
More Trouble For jQuery As Second Compromise Reported
The website for JavaScript library jQuery is under attack for the second time in a week.
Avast! Mobile Security gets award from AV Comparatives
AV Comparatives awarded avast! Mobile Security for its malware protection and highly developed theft-protection.
Most people would not dream of neglecting the security of their PCs or laptop, but those same folks forget that the device in their pocket is just as powerful, if not more so. You’ve heard it before –your expensive smartphone, which stores personal data, private photos, Internet banking information and even company data, is an attractive target for cybercrooks and thieves.
AV Comparatives, an independent organization which tests antivirus products and mobile security solutions, released new testing results and gave avast! Mobile Security the highest “Approved Award†for Android security products.
avast! Mobile Security has a wide range of features with innovative functionality. We particularly liked the wide range of configuration options and remote commands, which provide the user with a comprehensive remote control function,” wrote the authors of the final report.
AV Comparatives gives avast! Mobile Security it’s Approved Award for mobile security and anti-theft features.
Malware protection
Mobile phones attacks are getting more and more sophisticated, and it is growing exponentially. “We now have more than 1 million malicious samples in our database, up from 100,000 in 2011,†said Avast’s CCO, OndÅ™ej VlÄek. “Mobile threats are increasing – we expect them to reach the same magnitude as PC malware by 2018.â€
avast! Mobile Security scans all installed applications for malware and has various real-time protection shields which protect against
- Malicious apps and phishing sites
- Sites containing malware
- Typo-squatting if an incorrect URL is entered
- Incoming messages with phishing/malware URLs
- Malicious behavior during read or write processes
Anti-theft protection
Avast! Anti-theft is a stand-alone app that can be installed separately from avast! Mobile Security. The app is hidden from view, and can be accessed remotely for functions such as lock, locate and wipe, redirection of calls, texts and call logs, etc.
In addition to the malware and anti-theft protection, AV Comparatives liked the standalone avast! Mobile Backup which enables personal data to be backed up to Google Drive.
The Backup, App Locker and Privacy Scan features, which were promised last year, have now been implemented and complete the program’s functionality. (avast! Mobile Security) is a very comprehensive security product with a wide range of configuration options.
Protect your Android smartphone and tablet with avast! Mobile Security and Antivirus from the Google Play store.
Thank you for using avast! Antivirus and recommending us to your friends and family. For all the latest news, fun and contest information, please follow us on Facebook, Twitter and Google+. Business owners – check out our business products.
Advantech WebAccess dvs.ocx GetColor Buffer Overflow
This Metasploit module exploits a buffer overflow vulnerability in Advantec WebAccess. The vulnerability exists in the dvs.ocx ActiveX control, where a dangerous call to sprintf can be reached with user controlled data through the GetColor function. This Metasploit module has been tested successfully on Windows XP SP3 with IE6 and Windows 7 SP1 with IE8 and IE 9.
EMC AlphaStor Device Manager Opcode 0x75 Command Injection
This Metasploit module exploits a flaw within the Device Manager (rrobtd.exe). When parsing the 0x75 command, the process does not properly filter user supplied input allowing for arbitrary command injection. This Metasploit module has been tested successfully on EMC AlphaStor 4.0 build 116 with Windows 2003 SP2 and Windows 2008 R2.
Health Insurance Marketplaces Could Improve Information Security
The marketplaces set up to provide health insurance to Americans under Obamacare are generally doing a good job of protecting personally identifiable information but can also improve security practices.
Suricata 2.0.3 Out Of Bounds Access
It was found out that the application parser for SSH integrated in Suricata version 2.0.3 contains a flaw that might lead to an out-of-bounds access. For this reason a denial of service towards the Suricata monitoring software might be possible using crafted packets on the monitoring interface.
X2Engine CRM 4.2.1 Cross Site Scripting
X2Engine CRM version 4.2.1 suffers from a cross site scripting vulnerability.