Glype Proxy version 1.4.9 suffers from a local address filter bypass vulnerability.
Joomla Face Gallery 1.0 SQL Injection / File Download
Joomla Face Gallery component version 1.0 suffers from remote SQL injection and arbitrary file download vulnerabilities.
Home Depot data breach – ‘warnings ignored since 2008’
Home Depot staff repeatedly ignored the concerns of employees about the security of its systems, prior to the Home Depot data breach, now thought to be the largest in history.
The post Home Depot data breach – ‘warnings ignored since 2008’ appeared first on We Live Security.
Facebook to start charging $2.99/month? It’s nonsense!
Thousands of Facebook addicts are feverishly sharing a “news report” claiming that from November 1st you’ll be paying $2.99 every month to access the site.
The post Facebook to start charging $2.99/month? It’s nonsense! appeared first on We Live Security.
SB14-265: Vulnerability Summary for the Week of September 15, 2014
Original release date: September 22, 2014
The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.
The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:
- High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0
- Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9
- Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9
Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.
High Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| adobe — acrobat | Use-after-free vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors. | 2014-09-17 | 10.0 | CVE-2014-0560 |
| adobe — acrobat | Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0567. | 2014-09-17 | 10.0 | CVE-2014-0561 |
| adobe — acrobat | Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allow attackers to cause a denial of service (memory corruption) via unspecified vectors. | 2014-09-17 | 7.8 | CVE-2014-0563 |
| adobe — acrobat | Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0566. | 2014-09-17 | 10.0 | CVE-2014-0565 |
| adobe — acrobat | Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2014-0565. | 2014-09-17 | 10.0 | CVE-2014-0566 |
| adobe — acrobat | Heap-based buffer overflow in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows and OS X allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2014-0561. | 2014-09-17 | 10.0 | CVE-2014-0567 |
| adobe — acrobat | Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on Windows allow attackers to bypass a sandbox protection mechanism, and consequently execute native code in a privileged context, via unspecified vectors. | 2014-09-17 | 10.0 | CVE-2014-0568 |
| apple — apple_tv | The IOAcceleratorFamily API implementation in Apple iOS before 8 and Apple TV before 7 allows attackers to cause a denial of service (NULL pointer dereference and device crash) via an application that uses crafted arguments. | 2014-09-18 | 7.8 | CVE-2014-4369 APPLE APPLE |
| apple — apple_tv | The IntelAccelerator driver in the IOAcceleratorFamily subsystem in Apple iOS before 8 and Apple TV before 7 allows attackers to cause a denial of service (NULL pointer dereference and device restart) via a crafted application. | 2014-09-18 | 7.8 | CVE-2014-4373 APPLE APPLE |
| apple — apple_tv | Double free vulnerability in Apple iOS before 8 and Apple TV before 7 allows local users to gain privileges or cause a denial of service (device crash) via vectors related to Mach ports. | 2014-09-18 | 7.2 | CVE-2014-4375 APPLE APPLE |
| apple — mac_os_x | IOKit in IOAcceleratorFamily in Apple OS X before 10.9.5 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (NULL pointer dereference) via an application that provides crafted API arguments. | 2014-09-19 | 10.0 | CVE-2014-4376 |
| apple — apple_tv | An unspecified IOHIDFamily function in Apple iOS before 8 and Apple TV before 7 lacks proper bounds checking to prevent reading of kernel pointers, which allows attackers to bypass the ASLR protection mechanism via a crafted application. | 2014-09-18 | 7.1 | CVE-2014-4379 APPLE APPLE |
| apple — apple_tv | The IOHIDFamily kernel extension in Apple iOS before 8 and Apple TV before 7 lacks proper bounds checking on write operations, which allows attackers to execute arbitrary code in the kernel’s context via a crafted application. | 2014-09-18 | 9.3 | CVE-2014-4380 APPLE APPLE |
| apple — apple_tv | Libnotify in Apple iOS before 8 and Apple TV before 7 lacks proper bounds checking on write operations, which allows attackers to execute arbitrary code as root via a crafted application. | 2014-09-18 | 9.3 | CVE-2014-4381 APPLE APPLE |
| apple — apple_tv | IOKit in Apple iOS before 8 and Apple TV before 7 does not properly validate IODataQueue object metadata, which allows attackers to execute arbitrary code in a privileged context via an application that provides crafted values in unspecified metadata fields, a different vulnerability than CVE-2014-4418. | 2014-09-18 | 9.3 | CVE-2014-4388 APPLE APPLE |
| apple — apple_tv | Integer overflow in IOKit in Apple iOS before 8 and Apple TV before 7 allows attackers to execute arbitrary code in a privileged context via an application that provides crafted API arguments. | 2014-09-18 | 9.3 | CVE-2014-4389 APPLE APPLE |
| apple — mac_os_x | Bluetooth in Apple OS X before 10.9.5 does not properly validate API calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application. | 2014-09-19 | 9.3 | CVE-2014-4390 |
| apple — mac_os_x | Buffer overflow in the shader compiler in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted GLSL shader. | 2014-09-19 | 10.0 | CVE-2014-4393 |
| apple — mac_os_x | An unspecified IOAcceleratorFamily function in Apple OS X before 10.9.5 lacks proper bounds checking on read operations, which allows attackers to execute arbitrary code in a privileged context via a crafted application. | 2014-09-19 | 9.3 | CVE-2014-4402 |
| apple — apple_tv | Heap-based buffer overflow in IOHIDFamily in Apple iOS before 8 and Apple TV before 7 allows attackers to execute arbitrary code in a privileged context via an application that provides crafted key-mapping properties. | 2014-09-18 | 9.3 | CVE-2014-4404 APPLE APPLE |
| apple — apple_tv | IOHIDFamily in Apple iOS before 8 and Apple TV before 7 allows attackers to execute arbitrary code in a privileged context or cause a denial of service (NULL pointer dereference) via an application that provides crafted key-mapping properties. | 2014-09-18 | 9.3 | CVE-2014-4405 APPLE APPLE |
| apple — apple_tv | IOKit in Apple iOS before 8 and Apple TV before 7 does not properly validate IODataQueue object metadata, which allows attackers to execute arbitrary code in a privileged context via an application that provides crafted values in unspecified metadata fields, a different vulnerability than CVE-2014-4388. | 2014-09-18 | 9.3 | CVE-2014-4418 APPLE APPLE |
| apple — os_x_server | SQL injection vulnerability in Wiki Server in CoreCollaboration in Apple OS X Server before 2.2.3 and 3.x before 3.2.1 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 2014-09-19 | 7.5 | CVE-2014-4424 |
| ecava — integraxor | Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to read or write to arbitrary files, and obtain sensitive information or cause a denial of service (disk consumption), via the CSV export feature. | 2014-09-15 | 9.0 | CVE-2014-2375 |
| ecava — integraxor | SQL injection vulnerability in Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 2014-09-15 | 7.5 | CVE-2014-2376 |
| emc — documentum_content_server | EMC Documentum Content Server before 6.7 SP2 P17, 7.0 through P15, and 7.1 before P08 does not properly check authorization for subtypes of protected system types, which allows remote authenticated users to obtain super-user privileges for system-object creation, and bypass intended restrictions on data access and server actions, via unspecified vectors. | 2014-09-17 | 8.5 | CVE-2014-4621 BUGTRAQ |
| emc — documentum_content_server | EMC Documentum Content Server before 6.7 SP2 P17, 7.0 through P15, and 7.1 before P08 does not properly check authorization for subgroups of privileged groups, which allows remote authenticated sysadmins to gain super-user privileges, and bypass intended restrictions on data access and server actions, via unspecified vectors. | 2014-09-17 | 7.1 | CVE-2014-4622 BUGTRAQ |
| microsoft — office | Microsoft Office 2003 SP1 and SP2, Office XP SP3, Office 2000 SP3, Office 2004 for Mac, and Office X for Mac do not properly parse record lengths, which allows remote attackers to execute arbitrary code via a malformed control in an Office document, aka “Microsoft Office Control Vulnerability.” | 2014-09-19 | 9.3 | CVE-2006-1318 |
| mpay24_project — mpay24 | SQL injection vulnerability in confirm.php in the mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to execute arbitrary SQL commands via the TID parameter. | 2014-09-12 | 7.5 | CVE-2014-2008 XF OSVDB |
| mpexsolutions — mx-smartimer | SQL injection vulnerability in Login.aspx in MPEX Business Solutions MX-SmartTimer before 13.19.18 allows remote attackers to execute arbitrary SQL commands via the ct100%24CPHContent%24password parameter. | 2014-09-12 | 7.5 | CVE-2014-5440 XF FULLDISC MISC |
Medium Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| adobe — acrobat | Cross-site scripting (XSS) vulnerability in Adobe Reader and Acrobat 10.x before 10.1.12 and 11.x before 11.0.09 on OS X allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka “Universal XSS (UXSS).” | 2014-09-17 | 4.3 | CVE-2014-0562 |
| advantech — advantech_webaccess | Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName parameter. | 2014-09-20 | 6.8 | CVE-2014-0985 |
| advantech — advantech_webaccess | Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the GotoCmd parameter. | 2014-09-20 | 6.8 | CVE-2014-0986 |
| advantech — advantech_webaccess | Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName2 parameter. | 2014-09-20 | 6.8 | CVE-2014-0987 MISC |
| advantech — advantech_webaccess | Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode parameter. | 2014-09-20 | 6.8 | CVE-2014-0988 |
| advantech — advantech_webaccess | Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode2 parameter. | 2014-09-20 | 6.8 | CVE-2014-0989 |
| advantech — advantech_webaccess | Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the UserName parameter. | 2014-09-20 | 6.8 | CVE-2014-0990 |
| advantech — advantech_webaccess | Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the projectname parameter. | 2014-09-20 | 6.8 | CVE-2014-0991 |
| advantech — advantech_webaccess | Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the password parameter. | 2014-09-20 | 6.8 | CVE-2014-0992 |
| apple — mac_os_x | QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted movie file with RLE encoding. | 2014-09-19 | 6.8 | CVE-2014-1391 |
| apple — mac_os_x | Buffer overflow in QT Media Foundation in Apple OS X before 10.9.5 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted MIDI file. | 2014-09-19 | 6.8 | CVE-2014-4350 |
| apple — iphone_os | Race condition in iMessage in Apple iOS before 8 allows attackers to obtain sensitive information by leveraging the presence of an attachment after the deletion of its parent (1) iMessage or (2) MMS. | 2014-09-18 | 4.3 | CVE-2014-4353 APPLE |
| apple — iphone_os | Apple iOS before 8 enables Bluetooth during all upgrade actions, which makes it easier for remote attackers to bypass intended access restrictions via a Bluetooth session. | 2014-09-18 | 5.8 | CVE-2014-4354 APPLE |
| apple — iphone_os | The Home & Lock Screen subsystem in Apple iOS before 8 does not properly restrict the private API for app prominence, which allows attackers to determine the frontmost app by leveraging access to a crafted background app. | 2014-09-18 | 5.0 | CVE-2014-4361 APPLE |
| apple — iphone_os | The Sandbox Profiles implementation in Apple iOS before 8 does not properly restrict the third-party app sandbox profile, which allows attackers to obtain sensitive Apple ID information via a crafted app. | 2014-09-18 | 5.0 | CVE-2014-4362 APPLE |
| apple — iphone_os | Safari in Apple iOS before 8 does not properly restrict the autofilling of passwords in forms, which allows remote attackers to obtain sensitive information via (1) an http web site, (2) an https web site with an unacceptable X.509 certificate, or (3) an IFRAME element. | 2014-09-18 | 5.0 | CVE-2014-4363 APPLE |
| apple — apple_tv | The 802.1X subsystem in Apple iOS before 8 and Apple TV before 7 does not require strong authentication methods, which allows remote attackers to calculate credentials by offering LEAP authentication from a crafted Wi-Fi AP and then performing a cryptographic attack against the MS-CHAPv1 hash. | 2014-09-18 | 4.3 | CVE-2014-4364 APPLE APPLE |
| apple — iphone_os | Mail in Apple iOS before 8 does not prevent sending a LOGIN command to a LOGINDISABLED IMAP server, which allows remote attackers to obtain sensitive cleartext information by sniffing the network. | 2014-09-18 | 5.0 | CVE-2014-4366 APPLE |
| apple — iphone_os | The Accessibility subsystem in Apple iOS before 8 allows attackers to interfere with screen locking via vectors related to AssistiveTouch events. | 2014-09-18 | 6.9 | CVE-2014-4368 APPLE |
| apple — iphone_os | NSXMLParser in Foundation in Apple iOS before 8 allows attackers to read arbitrary files via XML data containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | 2014-09-18 | 5.0 | CVE-2014-4374 APPLE |
| apple — apple_tv | Integer overflow in CoreGraphics in Apple iOS before 8 and Apple TV before 7 allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted PDF document. | 2014-09-18 | 6.8 | CVE-2014-4377 APPLE APPLE |
| apple — apple_tv | CoreGraphics in Apple iOS before 8 and Apple TV before 7 allows remote attackers to obtain sensitive information or cause a denial of service (out-of-bounds read and application crash) via a crafted PDF document. | 2014-09-18 | 5.8 | CVE-2014-4378 APPLE APPLE |
| apple — apple_tv | The Assets subsystem in Apple iOS before 8 and Apple TV before 7 allows man-in-the-middle attackers to spoof a device’s update status via a crafted Last-Modified HTTP response header. | 2014-09-18 | 4.3 | CVE-2014-4383 APPLE APPLE |
| apple — mac_os_x | An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4395, CVE-2014-4396, CVE-2014-4397, CVE-2014-4398, CVE-2014-4399, CVE-2014-4400, CVE-2014-4401, and CVE-2014-4416. | 2014-09-19 | 6.9 | CVE-2014-4394 |
| apple — mac_os_x | An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4396, CVE-2014-4397, CVE-2014-4398, CVE-2014-4399, CVE-2014-4400, CVE-2014-4401, and CVE-2014-4416. | 2014-09-19 | 6.9 | CVE-2014-4395 |
| apple — mac_os_x | An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4397, CVE-2014-4398, CVE-2014-4399, CVE-2014-4400, CVE-2014-4401, and CVE-2014-4416. | 2014-09-19 | 6.9 | CVE-2014-4396 |
| apple — mac_os_x | An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4396, CVE-2014-4398, CVE-2014-4399, CVE-2014-4400, CVE-2014-4401, and CVE-2014-4416. | 2014-09-19 | 6.9 | CVE-2014-4397 |
| apple — mac_os_x | An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4396, CVE-2014-4397, CVE-2014-4399, CVE-2014-4400, CVE-2014-4401, and CVE-2014-4416. | 2014-09-19 | 6.9 | CVE-2014-4398 |
| apple — mac_os_x | An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4396, CVE-2014-4397, CVE-2014-4398, CVE-2014-4400, CVE-2014-4401, and CVE-2014-4416. | 2014-09-19 | 6.9 | CVE-2014-4399 |
| apple — mac_os_x | An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4396, CVE-2014-4397, CVE-2014-4398, CVE-2014-4399, CVE-2014-4401, and CVE-2014-4416. | 2014-09-19 | 6.9 | CVE-2014-4400 |
| apple — mac_os_x | An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4396, CVE-2014-4397, CVE-2014-4398, CVE-2014-4399, CVE-2014-4400, and CVE-2014-4416. | 2014-09-19 | 6.9 | CVE-2014-4401 |
| apple — os_x_server | Cross-site scripting (XSS) vulnerability in Xcode Server in CoreCollaboration in Apple OS X Server before 3.2.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2014-09-19 | 4.3 | CVE-2014-4406 |
| apple — apple_tv | IOKit in Apple iOS before 8 and Apple TV before 7 does not properly initialize kernel memory, which allows attackers to obtain sensitive memory-content information via an application that makes crafted IOKit function calls. | 2014-09-18 | 4.3 | CVE-2014-4407 APPLE APPLE |
| apple — apple_tv | The rt_setgate function in the kernel in Apple iOS before 8 and Apple TV before 7 allows local users to gain privileges or cause a denial of service (out-of-bounds read and device crash) via a crafted call. | 2014-09-18 | 6.9 | CVE-2014-4408 APPLE APPLE |
| apple — iphone_os | WebKit in Apple iOS before 8 makes it easier for remote attackers to track users during private browsing via a crafted web site that reads HTML5 application-cache data that had been stored during normal browsing. | 2014-09-18 | 4.3 | CVE-2014-4409 APPLE |
| apple — apple_tv | WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2. | 2014-09-18 | 6.8 | CVE-2014-4410 APPLE APPLE |
| apple — apple_tv | WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2. | 2014-09-18 | 6.8 | CVE-2014-4411 APPLE APPLE |
| apple — apple_tv | WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2. | 2014-09-18 | 6.8 | CVE-2014-4412 APPLE APPLE |
| apple — apple_tv | WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2. | 2014-09-18 | 6.8 | CVE-2014-4413 APPLE APPLE |
| apple — apple_tv | WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2. | 2014-09-18 | 6.8 | CVE-2014-4414 APPLE APPLE |
| apple — apple_tv | WebKit, as used in Apple iOS before 8 and Apple TV before 7, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other WebKit CVEs listed in APPLE-SA-2014-09-17-1 and APPLE-SA-2014-09-17-2. | 2014-09-18 | 6.8 | CVE-2014-4415 APPLE APPLE |
| apple — mac_os_x | An unspecified integrated graphics driver routine in the Intel Graphics Driver subsystem in Apple OS X before 10.9.5 does not properly validate calls, which allows attackers to execute arbitrary code in a privileged context via a crafted application, a different vulnerability than CVE-2014-4394, CVE-2014-4395, CVE-2014-4396, CVE-2014-4397, CVE-2014-4398, CVE-2014-4399, CVE-2014-4400, and CVE-2014-4401. | 2014-09-19 | 6.9 | CVE-2014-4416 |
| apple — apple_tv | The kernel in Apple iOS before 8 and Apple TV before 7 uses a predictable random number generator during the early portion of the boot process, which allows attackers to bypass certain kernel-hardening protection mechanisms by using a user-space process to observe data related to the random numbers. | 2014-09-18 | 6.8 | CVE-2014-4422 APPLE APPLE |
| apple — iphone_os | The Accounts subsystem in Apple iOS before 8 allows attackers to bypass a sandbox protection mechanism and obtain an active iCloud account’s Apple ID and metadata via a crafted application. | 2014-09-18 | 4.3 | CVE-2014-4423 APPLE |
| blackcat-cms — blackcat_cms | Cross-site scripting (XSS) vulnerability in cattranslate.php in the CatTranslate JQuery plugin in BlackCat CMS 1.0.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the msg parameter. | 2014-09-12 | 4.3 | CVE-2014-5259 MISC XF BUGTRAQ MISC |
| ecava — integraxor | Ecava IntegraXor SCADA Server Stable 4.1.4360 and earlier and Beta 4.1.4392 and earlier allows remote attackers to discover full pathnames via an application tag. | 2014-09-15 | 5.0 | CVE-2014-2377 |
| embarcadero — embarcadero_c++builder_xe6 | Buffer overflow in the Vcl.Graphics.TPicture.Bitmap implementation in the Visual Component Library (VCL) in Embarcadero Delphi XE6 20.0.15596.9843 and C++ Builder XE6 20.0.15596.9843 allows remote attackers to execute arbitrary code via a crafted BMP file. | 2014-09-15 | 6.8 | CVE-2014-0993 MISC |
| episerver — episerver | Cross-site scripting (XSS) vulnerability in the Euroling SiteSeeker module 3.x before 3.4.5 for EPiServer allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. | 2014-09-17 | 4.3 | CVE-2012-1032 XF BID SECUNIA OSVDB |
| facebook — facebook | Cross-site scripting (XSS) vulnerability in the Facebook app 14.0 and the Facebook Messenger app 10.0 for iOS allows remote attackers to inject arbitrary web script or HTML via a crafted filename extension that is improperly handled during MIME sniffing of chat traffic. | 2014-09-15 | 4.3 | CVE-2014-6392 FULLDISC |
| fatfreecrm — fat_free_crm | Multiple cross-site scripting (XSS) vulnerabilities in app/views/layouts/application.html.haml in Fat Free CRM before 0.13.3 allow remote attackers to inject arbitrary web script or HTML via the (1) username, (2) first name, or (3) last name in a (a) create or (b) edit user action. | 2014-09-12 | 4.3 | CVE-2014-5441 CONFIRM MISC |
| ibm — integration_bus | The web user interface in IBM WebSphere Message Broker 8.0 before 8.0.0.6 and IBM Integration Bus 9.0 before 9.0.0.3 allows remote authenticated users to obtain sensitive information by reading the error page. | 2014-09-18 | 4.0 | CVE-2014-4819 XF |
| ibm — integration_bus_manufacturing_pack | Cross-site scripting (XSS) vulnerability in IBM Integration Bus Manufacturing Pack 1.x before 1.0.0.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2014-09-18 | 4.3 | CVE-2014-4820 XF |
| ibm — qradar_security_information_and_event_manager | SQL injection vulnerability in IBM Security QRadar SIEM 7.2 before 7.2.3 Patch 1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. | 2014-09-18 | 6.5 | CVE-2014-4824 XF |
| ibm — qradar_security_information_and_event_manager | IBM Security QRadar SIEM 7.2 before 7.2.3 Patch 1 does not properly handle SSH connections, which allows remote attackers to obtain sensitive cleartext information by sniffing the network. | 2014-09-18 | 4.3 | CVE-2014-4826 XF |
| mailenable — mailenable | Multiple cross-site scripting (XSS) vulnerabilities in MailEnable Enterprise 6.5 allow remote attackers to inject arbitrary web script or HTML via the (1) From, (2) To, or (3) Subject header or (4) body in an SMTP e-mail message. | 2014-09-19 | 4.3 | CVE-2012-2588 XF BID EXPLOIT-DB SECUNIA OSVDB |
| mini_mail_dashboard_widget_project — mini_mail_dashboard_widget | Cross-site scripting (XSS) vulnerability in Mini Mail Dashboard Widget plugin 1.42 for WordPress allows remote attackers to inject arbitrary web script or HTML via the body of an email. | 2014-09-17 | 4.3 | CVE-2012-2583 XF BID EXPLOIT-DB OSVDB |
| moodle — moodle | The forum_print_latest_discussions function in mod/forum/lib.php in Moodle through 2.4.11, 2.5.x before 2.5.8, 2.6.x before 2.6.5, and 2.7.x before 2.7.2 allows remote authenticated users to bypass the individual answer-posting requirement without the mod/forum:viewqandawithoutposting capability, and discover an author’s username, by leveraging the student role and visiting a Q&A forum. | 2014-09-15 | 4.0 | CVE-2014-3617 MLIST CONFIRM |
| mpay24_project — mpay24 | The mPAY24 payment module before 1.6 for PrestaShop allows remote attackers to obtain credentials, the installation path, and other sensitive information via a direct request to api/curllog.log. | 2014-09-12 | 5.0 | CVE-2014-2009 XF EXPLOIT-DB FULLDISC MISC OSVDB |
| mywebsql — mywebsql | Cross-site scripting (XSS) vulnerability in MyWebSQL 3.4 and earlier allows remote attackers to inject arbitrary web script or HTML via the table parameter to index.php. | 2014-09-12 | 4.3 | CVE-2014-4735 MISC XF BUGTRAQ MISC |
| nongnu — gksu | GKSu 2.0.2, when sudo-mode is not enabled, uses " (double quote) characters in a gksu-run-helper argument, which allows attackers to execute arbitrary commands in certain situations involving an untrusted substring within this argument, as demonstrated by an untrusted filename encountered during installation of a VirtualBox extension pack. | 2014-09-18 | 6.8 | CVE-2014-2886 MISC MISC MISC |
| open-xchange — open-xchange_appsuite | Cross-site scripting (XSS) vulnerability in the backend in Open-Xchange (OX) AppSuite before 7.4.2-rev33 and 7.6.x before 7.6.0-rev16 allows remote attackers to inject arbitrary web script or HTML via a folder publication name. | 2014-09-17 | 4.3 | CVE-2014-5234 BID BUGTRAQ SECUNIA MISC |
| open-xchange — open-xchange_appsuite | Cross-site scripting (XSS) vulnerability in the frontend in Open-Xchange (OX) AppSuite before 7.4.2-rev33 and 7.6.x before 7.6.0-rev16 allows remote attackers to inject arbitrary web script or HTML via vectors related to unspecified fields in RSS feeds. | 2014-09-17 | 4.3 | CVE-2014-5235 BID BUGTRAQ SECUNIA MISC |
| orangehrm — orangehrm | SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php. NOTE: some of these details are obtained from third party information. | 2014-09-17 | 6.5 | CVE-2012-1506 MISC XF BID SECUNIA OSVDB |
| orangehrm — orangehrm | Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3) uri parameter to index.php. | 2014-09-17 | 4.3 | CVE-2012-1507 MISC XF BID SECUNIA OSVDB OSVDB OSVDB |
| phorum — phorum | Cross-site scripting (XSS) vulnerability in the admin interface in Phorum before 5.2.19 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. | 2014-09-19 | 4.3 | CVE-2012-6659 SECUNIA |
| php365 — 365_links | Cross-site scripting (XSS) vulnerability in php365.com 365 Links 3.11 and earlier, 365 Links2 3.11 and earlier, 365 Links+ 2.10 and earlier, and 365 Links2+ 2.10 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2014-09-18 | 4.3 | CVE-2014-5317 CONFIRM JVNDB |
| powerdns — powerdns_recursor | Unspecified vulnerability in PowerDNS Recursor (aka pdns_recursor) 3.6.x before 3.6.1 allows remote attackers to cause a denial of service (crash) via an unknown sequence of malformed packets. | 2014-09-19 | 5.0 | CVE-2014-3614 XF SECUNIA CONFIRM |
| schneider-electric — vampset | Multiple stack-based buffer overflows in Schneider Electric VAMPSET 2.2.136 and earlier allow local users to cause a denial of service (application halt) via a malformed (1) setting file or (2) disturbance recording file. | 2014-09-15 | 4.4 | CVE-2014-5407 |
| schneider-electric — clearscada | Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allows remote attackers to read database records by leveraging access to the guest account. | 2014-09-18 | 5.0 | CVE-2014-5412 |
| schneider-electric — clearscada | Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 uses the MD5 algorithm for an X.509 certificate, which makes it easier for remote attackers to spoof servers via a cryptographic attack against this algorithm. | 2014-09-18 | 5.0 | CVE-2014-5413 |
| spiceworks — spiceworks | SQL injection vulnerability in SpiceWorks 5.3.75941 allows remote authenticated users to execute arbitrary SQL commands via the id parameter to api_v2.json. NOTE: this entry was SPLIT per ADT2 due to different vulnerability types. CVE-2012-6658 is for the XSS. | 2014-09-17 | 6.5 | CVE-2012-2956 XF BID EXPLOIT-DB OSVDB |
| spiceworks — spiceworks | Multiple cross-site scripting (XSS) vulnerabilities in SpiceWorks 5.3.75941 allow remote attackers to inject arbitrary web script or HTML via the (1) syslocation, (2) syscontact, or (3) sysName configuration in snmpd.conf. NOTE: this entry was SPLIT from CVE-2012-2956 per ADT2 due to different vulnerability types. | 2014-09-17 | 4.3 | CVE-2012-6658 EXPLOIT-DB SECUNIA OSVDB |
| synology — diskstation_manager | Cross-site scripting (XSS) vulnerability in Synology Photo Station 5 for DiskStation Manager (DSM) 3.2-1955 allows remote attackers to inject arbitrary web script or HTML via the name parameter to photo/photo_one.php. | 2014-09-12 | 4.3 | CVE-2012-1556 XF BID SECUNIA OSVDB BUGTRAQ |
| vmware — nsx | VMware NSX 6.0 before 6.0.6, and vCloud Networking and Security (vCNS) 5.1 before 5.1.4.2 and 5.5 before 5.5.3, does not properly validate input, which allows attackers to obtain sensitive information via unspecified vectors. | 2014-09-15 | 5.0 | CVE-2014-3796 |
| wireshark — wireshark | Use-after-free vulnerability in the SDP dissector in Wireshark 1.10.x before 1.10.10 allows remote attackers to cause a denial of service (application crash) via a crafted packet that leverages split memory ownership between the SDP and RTP dissectors. | 2014-09-20 | 5.0 | CVE-2014-6421 CONFIRM CONFIRM |
| wireshark — wireshark | The SDP dissector in Wireshark 1.10.x before 1.10.10 creates duplicate hashtables for a media channel, which allows remote attackers to cause a denial of service (application crash) via a crafted packet to the RTP dissector. | 2014-09-20 | 5.0 | CVE-2014-6422 CONFIRM CONFIRM |
| wireshark — wireshark | The tvb_raw_text_add function in epan/dissectors/packet-megaco.c in the MEGACO dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 allows remote attackers to cause a denial of service (infinite loop) via an empty line. | 2014-09-20 | 5.0 | CVE-2014-6423 CONFIRM CONFIRM |
| wireshark — wireshark | The dissect_v9_v10_pdu_data function in epan/dissectors/packet-netflow.c in the Netflow dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 refers to incorrect offset and start variables, which allows remote attackers to cause a denial of service (uninitialized memory read and application crash) via a crafted packet. | 2014-09-20 | 5.0 | CVE-2014-6424 CONFIRM CONFIRM |
| wireshark — wireshark | The (1) get_quoted_string and (2) get_unquoted_string functions in epan/dissectors/packet-cups.c in the CUPS dissector in Wireshark 1.12.x before 1.12.1 allow remote attackers to cause a denial of service (buffer over-read and application crash) via a CUPS packet that lacks a trailing " character. | 2014-09-20 | 5.0 | CVE-2014-6425 CONFIRM CONFIRM |
| wireshark — wireshark | The dissect_hip_tlv function in epan/dissectors/packet-hip.c in the HIP dissector in Wireshark 1.12.x before 1.12.1 does not properly handle a NULL tree, which allows remote attackers to cause a denial of service (infinite loop) via a crafted packet. | 2014-09-20 | 5.0 | CVE-2014-6426 CONFIRM |
| wireshark — wireshark | Off-by-one error in the is_rtsp_request_or_reply function in epan/dissectors/packet-rtsp.c in the RTSP dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 allows remote attackers to cause a denial of service (application crash) via a crafted packet that triggers parsing of a token located one position beyond the current position. | 2014-09-20 | 5.0 | CVE-2014-6427 CONFIRM CONFIRM |
| wireshark — wireshark | The dissect_spdu function in epan/dissectors/packet-ses.c in the SES dissector in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not initialize a certain ID value, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. | 2014-09-20 | 5.0 | CVE-2014-6428 CONFIRM CONFIRM |
| wireshark — wireshark | The SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not properly handle empty input data, which allows remote attackers to cause a denial of service (application crash) via a crafted file. | 2014-09-20 | 5.0 | CVE-2014-6429 CONFIRM CONFIRM |
| wireshark — wireshark | The SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not validate bitmask data, which allows remote attackers to cause a denial of service (application crash) via a crafted file. | 2014-09-20 | 5.0 | CVE-2014-6430 CONFIRM CONFIRM |
| wireshark — wireshark | Buffer overflow in the SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 allows remote attackers to cause a denial of service (application crash) via a crafted file that triggers writes of uncompressed bytes beyond the end of the output buffer. | 2014-09-20 | 5.0 | CVE-2014-6431 CONFIRM CONFIRM |
| wireshark — wireshark | The SnifferDecompress function in wiretap/ngsniffer.c in the DOS Sniffer file parser in Wireshark 1.10.x before 1.10.10 and 1.12.x before 1.12.1 does not prevent data overwrites during copy operations, which allows remote attackers to cause a denial of service (application crash) via a crafted file. | 2014-09-20 | 5.0 | CVE-2014-6432 CONFIRM CONFIRM |
Low Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| apple — iphone_os | Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID. | 2014-09-18 | 2.1 | CVE-2014-4352 APPLE |
| apple — iphone_os | Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen. | 2014-09-18 | 2.1 | CVE-2014-4356 APPLE |
| apple — apple_tv | Accounts Framework in Apple iOS before 8 and Apple TV before 7 allows attackers to obtain sensitive information by reading log data that was not intended to be present in a log. | 2014-09-18 | 2.1 | CVE-2014-4357 APPLE APPLE |
| apple — iphone_os | Apple iOS before 8 enables Voice Dial during all upgrade actions, which makes it easier for physically proximate attackers to launch unintended calls by speaking a telephone number. | 2014-09-18 | 2.1 | CVE-2014-4367 APPLE |
| apple — apple_tv | The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-layout information via a crafted application, a different vulnerability than CVE-2014-4419, CVE-2014-4420, and CVE-2014-4421. | 2014-09-18 | 1.9 | CVE-2014-4371 APPLE APPLE |
| apple — apple_tv | syslogd in the syslog subsystem in Apple iOS before 8 and Apple TV before 7 allows local users to change the permissions of arbitrary files via a symlink attack on an unspecified file. | 2014-09-18 | 3.6 | CVE-2014-4372 APPLE APPLE |
| apple — iphone_os | Directory traversal vulnerability in the App Installation feature in Apple iOS before 8 allows local users to install unverified apps by triggering code-signature validation of an unintended bundle. | 2014-09-18 | 1.9 | CVE-2014-4384 APPLE |
| apple — iphone_os | Race condition in the App Installation feature in Apple iOS before 8 allows local users to gain privileges and install unverified apps by leveraging /tmp write access. | 2014-09-18 | 1.9 | CVE-2014-4386 APPLE |
| apple — mac_os_x | The kernel in Apple OS X before 10.9.5 allows local users to obtain sensitive address information and bypass the ASLR protection mechanism by leveraging predictability of the location of the CPU Global Descriptor Table. | 2014-09-19 | 2.1 | CVE-2014-4403 |
| apple — apple_tv | The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-layout information via a crafted application, a different vulnerability than CVE-2014-4371, CVE-2014-4420, and CVE-2014-4421. | 2014-09-18 | 1.9 | CVE-2014-4419 APPLE APPLE |
| apple — apple_tv | The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-layout information via a crafted application, a different vulnerability than CVE-2014-4371, CVE-2014-4419, and CVE-2014-4421. | 2014-09-18 | 1.9 | CVE-2014-4420 APPLE APPLE |
| apple — apple_tv | The network-statistics interface in the kernel in Apple iOS before 8 and Apple TV before 7 does not properly initialize memory, which allows attackers to obtain sensitive memory-content and memory-layout information via a crafted application, a different vulnerability than CVE-2014-4371, CVE-2014-4419, and CVE-2014-4420. | 2014-09-18 | 1.9 | CVE-2014-4421 APPLE APPLE |
| ibm — storwize_v7000_unified_software | IBM SONAS and System Storage Storwize V7000 Unified (aka V7000U) 1.3.x and 1.4.x before 1.4.3.4 store the chkauth password in the audit log, which allows local users to obtain sensitive information by reading this log file. | 2014-09-15 | 2.1 | CVE-2014-3077 XF |
| ibm — filenet_content_foundation | Cross-site scripting (XSS) vulnerability in Content Navigator in Content Engine in IBM FileNet Content Manager 5.2.x before 5.2.0.3-P8CPE-IF003 and Content Foundation 5.2.x before 5.2.0.3-P8CPE-IF003 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. | 2014-09-15 | 3.5 | CVE-2014-4763 XF |
| schneider-electric — clearscada | Multiple cross-site scripting (XSS) vulnerabilities in Schneider Electric StruxureWare SCADA Expert ClearSCADA 2010 R3 through 2014 R1 allow remote authenticated users to inject arbitrary web script or HTML via unspecified vectors. | 2014-09-18 | 3.5 | CVE-2014-5411 |
| yealink — gigabit_color_ip_phone_sip-t32g | Multiple cross-site scripting (XSS) vulnerabilities in Local Phone book and Blacklist form in Yealink VOIP Phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com. | 2014-09-17 | 3.5 | CVE-2012-1417 XF BID OSVDB EXPLOIT-DB SECUNIA MISC BUGTRAQ |
Virus Bulletin presentations update
Updated information on ESET presentations at Virus Bulletin 2014.
The post Virus Bulletin presentations update appeared first on We Live Security.
How to safely access the Internet while on vacation
Posting your latest vacation photos to Facebook whenever you want is easy to do now even while abroad, especially as the EU has now capped roaming costs in Europe. Maximum price caps for data roaming have been introduced at 23 euro cents per megabyte, with an automatic cost-brake kicking in to cut off the mobile Internet connection once the limit of 59.90 euros per month has been reached. That said, roaming charges further afield can be much higher, with costs varying depending on the cellular network provider even in a few European countries like Switzerland. You really need to know the terms of your cell phone contract, even if you only want to connect to the Internet occasionally to, for example, retrieve the weather forecast. Most installed apps communicate constantly with the Internet in the background; they also collect data, send location information, and attempt to download and install their latest versions. What's more, it's tedious and sometimes completely impossible to deactivate these resource-hungry apps.
Protect your wallet
The best thing to do is to contact your network provider before going on vacation, as contracts are not always clear and transparent, especially those notorious bundle deals which combine SMS, talk-time, and data allowances. If you use up your allowance for data and you're still in credit in terms of your SMS and talk-time allowances, the bundle offer remains valid, but data is charged at a much higher standard price. In such cases, it makes more sense to buy a temporary international roaming bundle. Many providers offer these and they often include cheap-rate talk-time and SMS allowances. You can now also do this while abroad. They will send you information on the current tariff conditions when you first register with the foreign network and provide you with updated conditions afterwards.
Monitor your usage
Knowledge is power, and that also applies to the costs you accumulate. Many providers offer an app which lets you see how much you'll be charged for the talk-time you've used. This lets you pull the emergency brake and deactivate the mobile data connection if it gets too expensive. Another option is to use your precious data resources more economically. Opera and Chrome browsers let you compress websites before you download them, resulting in data savings of 80 to 90%. However, this method has one disadvantage: since Opera and Google servers compress the data, they can tell which websites you've been visiting.
Pros and cons of WiFi hotspots
Privacy and data security are important vacation topics anyway. WiFi hotspots are often used to connect cheaply to the Internet. One global company offering access is Fon, which says it has over 13 million hotspots worldwide at around 3 US dollars per day to use. This would pave the way for unrestricted surfing, were it not for one or two digital threats lurking around every corner. WiFi hotspots are notorious for their lax security. Anyone can see the wireless signals, with communication often continuing over an unsecured connection once the user has logged in. The user has no influence on this as the hotspot provider defines how the connection is secured. What's more, anyone who has access to the hotspot provider's WiFi network and is near the hotspot can see the data.
Best approach for now
The easiest way to avoid such risks is to use a Virtual Private Network (VPN). This encrypted tunnel protects information right from the start to the end of its transfer. To use it, you need to have software installed on your mobile phone, tablet or notebook and a node which creates the tunnel only after you have logged in correctly. Companies like OpenVPN and Hotspot Shield offer free or reasonably priced VPN connections. These types of connection are merely a restricted type of VPN where the connection between the device and the server is secured by the provider; after that, data packets escape into the Internet unencrypted. Despite this, at least third parties in the direct vicinity of the hotspot cannot eavesdrop on the network connection. That said, the question remains as to whether the VPN provider handles the information with due care; after all, it can read all the data as plain, unencrypted text.
Public PCs at hotels or Internet cafés can be extremely dangerous to use while on vacation. The computers are often infected with viruses and Trojans that log keystrokes (spyware known as 'keyloggers') to intercept your private data. If you absolutely need to transfer sensitive information using such a device, you should take a secure operating system environment with you on a DVD or write-protected USB stick and use this to boot the computer.
The best thing to do is to send as little personal information as possible over an unsecured connection while on vacation. In addition, you should enable the firewall on your device and install the latest version of a security software solution such as Avira Antivirus Pro, Avira Internet Security Suite or Avira Free Antivirus (also available for iOS & Android).
The post How to safely access the Internet while on vacation appeared first on Avira Blog.
Popular topics are also popular with hackers
Events and topics that are interesting to a large number of people make great malware campaigns for hackers, as they tend to target the largest possible groups for their endeavors. If they're going to plant a trap online, then they're probably not going to do it with a method that very few people are interested in.
The recent World Cup is a good example of a major event that hackers used for illicit purposes. An article from EnterpriseAppsTech highlighted that 375 fake World Cup apps were created to target Android devices — in addition to approximately 2,000 daily cyber attacks that took place during the World Cup event.
The World Cup may be over (although Avira is still reveling in Germany's win), but there are plenty of other events and topics to watch out for when clicking or tapping through the Internet. As a first step in protecting yourself, make it a practice to think twice before you engage with content that you find about extremely popular things online. This could be content related to celebrities, entertainment (movies, television, music, games), sporting events, top news stories, and so on. Just be careful, always.
The good news is that with a proper amount of caution and our security software running quietly in the background, you can feel safe while you research any of those popular topics that everyone is talking about.
The post Popular topics are also popular with hackers appeared first on Avira Blog.
Tips and tricks how to improve smartphone battery life
Although not all things were better in the past, mobile phone batteries definitely were. The classic Nokias and Samsungs, which you could use only to make calls, would easily last for up to two weeks in standby mode. Conversely, you'll be lucky to get a full 24 hours of battery power from one of the latest smartphones. This is due to improved and more powerful components, countless additional functions, and of course the energy consumption of dozens of apps. That said, even the most heavily used smartphones can have a bit longer battery life if you follow a few simple tricks.
Built-in ways to save some power
A few hours of battery life can be gained by using your phone's onboard tools. For instance, your screen is an immense consumer of energy. The screensaver should be activated as soon as possible; 30 seconds of waiting time is usually enough. Both Android and iOS offer automatic brightness controls that you should limit to lower maximum levels. One trick in particular helps save power on modern OLED and AMOLED (organic-LED) screens, such as those used on the Samsung S5: Only active pixels consume power; black pixels do not. Background images with large black areas are less draining on the battery than a colorful, bright image, so choose your images wisely.
Control larger data updates manually
Next up for making a big difference are the interfaces to the outside world. Bluetooth, WiFi, and GPS consume a disproportionately high amount of power. If you don't need to use the smartphone's wireless connections, deactivate them. In most cases, it's also possible to throttle the data-connection speed and save power in the process by using UMTS instead of LTE or 3G instead of UMTS. A reduced bandwidth is also more than fine if you're just checking your emails occasionally. What's more, push services like email and regularly staying in touch via the Internet really drain the battery. If you collect your emails at the press of a button and also update Facebook manually, your battery will last much longer.
Be discerning about the apps you use
In this respect, apps that are sponsored by ads are also fatal. Compared to paid apps, they communicate more often with the developer to share location data and other information, pushing the charging indicator into the red. Widgets for weather forecasts or audio streaming of Internet radio services are power hungry as well. It's also worthwhile to deactivate automatic app updates. Downloading an update doesn't just require a lot of power; the apps constantly checking to see if a new version is available also drains battery. The Google Play Store is configured by default to download app updates automatically.
Double-check app permissions
Depending on your version of iOS or Android, it can become a real game of hide and seek to find out whether apps remain active in the background. Later mobile OS versions make it easier for users to find out which apps are the most power-hungry. In most cases you can also remove the app's permission to remain active in the background. If the operating system doesn't reveal any (or very little) information about how power is being consumed, other apps can help. One Touch Battery Saver (Android, free) provides information on how much power apps are consuming and switches off Bluetooth, WiFi, and GPS positioning automatically, according to predefined rules. Other apps like Juice Defender (Android, free) and Tasker (Android, € 4.49) use profiles for specific situations that only allow you to use essential apps and interfaces.
Apple makes it difficult for apps to save power actively. The security model implemented in iOS prevents intervening in other apps' runtime behavior. As such, most apps primarily supply users with information, based on which they must then decide which apps they want to continue to have running. Battery HD+ (iOS, free) also does a detailed job of helping reveal the most power-hungry apps, as does Battery Doctor Pro (iOS, free). It's worthwhile checking on a regular basis as even reliable apps suck the battery dry as a result of faulty updates. Scotty Loveless describes in even more detail all the steps for getting maximum life out of iOS devices in the "ultimate guide to solving iOS battery drain."
The future is just… different
There is little to criticize when it comes to advancements in rechargeable batteries and technology. The memory effect of the past is no longer an issue for standard li-ion and li-polymer batteries, plus they're charged to perfection using extremely smart charging circuits. The old rule of "only recharge the battery once it's completely flat" is no longer valid. Modern batteries can and should be connected to the charger as often as possible. Extreme temperatures, however, are still public enemy number one, with heat in particular causing batteries to lose storage capacity rapidly. As such, never leave your smartphone or tablet in direct sunlight or in the car during summer.
And if, despite all of these tips and tricks, some of you find your battery doesn't pack enough power to keep your smart phone running as long as you'd like, you can always buy an additional battery. These are available in stick form or as a slim gadget for handbag or briefcase. There are also some really stylish rechargeable battery packs out there which additionally serve as smartphone cases.
The post Tips and tricks how to improve smartphone battery life appeared first on Avira Blog.
What to do with your old smartphone?
This September, Apple will start shipping the new iPhone 6 devices. There are apparently record numbers of pre-orders, and you may be one of the millions.
If you're thinking of getting rid of your current smartphone and upgrading, whether it's for a new iPhone, Android or Amazon Fire Phone, you're not alone. Every few years, smartphone users turn to newer models for more functions and better features.
Part exchange
If you are ready to upgrade, many carriers offer the opportunity to exchange your old phone for credit. This can help take the sting out of some expensive handset or contract costs. You should contact your service provider to see if they have a scheme and they should be able to tell you up front what rate they can give you on your old device.
Selling online
If you would rather sell your device, there are a number of sites and tools that you can use to ensure you get a fair price and a safe transaction. Here are some tips for those of you looking to sell your old device online:
- Act quickly. Smartphones depreciate in value with time. For example, Usell.com, one such smartphone vendor, calculates the following: One week after a new iPhone launch, old iPhones lose about 5% in value; two weeks after launch, old iPhones depreciate about 12%. By weeks three and four, old phones are worth about 20% less.
- Other sites also encourage you to act fast. For example, online behemoth eBay is offering an added incentive for turning your older model around. It's offering a $100 coupon to you if your smartphone doesn't sell by Oct. 24.
- Make sure you price it right. Many sites will use algorithms to advise you on the going price range. It's very similar to sites that advise you what to pay for a car. For example, to mention eBay again, it will suggest what price to pick depending on make, model, year, packaging, etc. Glyde compares the amount you can sell it for on its site against prices on Apple and Amazon, among others.
Donating
Consider donating. Your contribution can be deducted from your income tax to the extent allowed by law. One national nonprofit that is worthy of these donations is Cell Phones for Soldiers. It takes your phone, then re-sells it and turns that money into calling cards for the troops. It's an impressive organization: Since 2004, Cell Phones for Soldiers has provided more than 210 million minutes of free talk time and currently it mails approximately 3,200 calling cards each week.
There are many other nonprofits that would love your phone too. Even if you're not upgrading, you may have an older cell phone lying around. Chances are you do. One survey by ecoATM estimates 60% of American households have an older phone lying around. Nonprofits would love to take these off your hands.
Keep, gift or recycle
Of course, there is no concrete reason why you need to sell or give your phone to charity when keeping it as a backup could be very useful. Parents especially might enjoy giving their device to a child who is nagging for an "upgrade". If you aren't thinking of keeping your phone as a backup, use these tips to get the best value in regenerating and recycling your phone. Anything is better than your phone ending up in a landfill. You can read some pretty stunning information about e-waste here.
Clean up your device
Whatever you decide to do, make sure your smartphone is cleaned before you do sell or give it to anyone. I can't stress this enough! Remember that your mobile device is a vast bank of your personal data, contacts, saved passwords and web history. Handing it over to a stranger or even a friend could result in a loss of your privacy. Check out this blog post by Tony Anscombe for how to safely recycle your old technology.
Enjoy your new phone, and make the most of your older model.