Tuesday, October 31, 2017

Vulnerability Spotlight: The Circle of a Bug’s Life

Cisco Talos is disclosing several vulnerabilities identified in Circle with Disney. Circle with Disney is a network device designed to monitor the Internet use of children on a given network. Circle pairs wirelessly with your home Wi-Fi and allows you to manage every device on the network, whether tablet, TV, or laptop. It can also pair via ethernet after the initial pairing. Using an iOS or Android app, families create unique profiles for every member of the home and from there, help shape each person’s online experience.

The security team at Circle Media has been exemplary to work with from initial vulnerability discovery to release. They have been responsive and open to communication. Additionally, the Circle with Disney was designed such that software updates are pushed down to customer devices when they become available. Customers who have received these updates are protected against these vulnerabilities.


from Cisco Blog » Security http://ift.tt/2ij2eJY

USN-3470-2: Linux kernel (Trusty HWE) vulnerabilities

Ubuntu Security Notice USN-3470-2

31st October, 2017

linux-lts-trusty vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 12.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software description

  • linux-lts-trusty - Linux hardware enablement kernel from Trusty for Precise ESM

Details

USN-3470-1 fixed vulnerabilities in the Linux kernel for Ubuntu 14.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 14.04 LTS for Ubuntu
12.04 ESM.

Qian Zhang discovered a heap-based buffer overflow in the tipc_msg_build()
function in the Linux kernel. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code with
administrative privileges. (CVE-2016-8632)

Dmitry Vyukov discovered that a race condition existed in the timerfd
subsystem of the Linux kernel when handling might_cancel queuing. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2017-10661)

It was discovered that the Flash-Friendly File System (f2fs) implementation
in the Linux kernel did not properly validate superblock metadata. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2017-10662, CVE-2017-10663)

Anthony Perard discovered that the Xen virtual block driver did not
properly initialize some data structures before passing them to user space.
A local attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2017-10911)

It was discovered that a use-after-free vulnerability existed in the POSIX
message queue implementation in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-11176)

Dave Chinner discovered that the XFS filesystem did not enforce that the
realtime inode flag was settable only on filesystems on a realtime device.
A local attacker could use this to cause a denial of service (system
crash). (CVE-2017-14340)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 12.04 LTS:
linux-image-3.13.0-135-generic 3.13.0-135.184~precise1
linux-image-3.13.0-135-generic-lpae 3.13.0-135.184~precise1
linux-image-generic-lpae-lts-trusty 3.13.0.135.125
linux-image-generic-lts-trusty 3.13.0.135.125

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-8632, CVE-2017-10661, CVE-2017-10662, CVE-2017-10663, CVE-2017-10911, CVE-2017-11176, CVE-2017-14340



from Ubuntu Security Notices http://ift.tt/2h0dyOO

USN-3471-1: Quagga vulnerabilities

Ubuntu Security Notice USN-3471-1

31st October, 2017

quagga vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.10
  • Ubuntu 17.04
  • Ubuntu 16.04 LTS
  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in Quagga.

Software description

  • quagga - BGP/OSPF/RIP routing daemon

Details

Andreas Jaggi discovered that Quagga incorrectly handled certain BGP UPDATE
messages. A remote attacker could possibly use this issue to cause Quagga
to crash, resulting in a denial of service. (CVE-2017-16227)

Quentin Young discovered that Quagga incorrectly handled memory in the
telnet vty CLI. An attacker able to connect to the telnet interface could
possibly use this issue to cause Quagga to consume memory, resulting in a
denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu
16.04 LTS. (CVE-2017-5495)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.10:
quagga 1.1.1-3ubuntu0.1
quagga-bgpd 1.1.1-3ubuntu0.1
Ubuntu 17.04:
quagga 1.1.1-1ubuntu0.1
quagga-bgpd 1.1.1-1ubuntu0.1
Ubuntu 16.04 LTS:
quagga 0.99.24.1-2ubuntu1.3
Ubuntu 14.04 LTS:
quagga 0.99.22.4-3ubuntu1.4

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

After a standard system update you need to restart Quagga to make all the
necessary changes.

References

CVE-2017-16227, CVE-2017-5495



from Ubuntu Security Notices http://ift.tt/2hsRnNX

Livestream: Senate hearing on Russian election hacking, as Google, Facebook, and Twitter testify

On Tuesday at 2:30pm ET, three US tech giants--Facebook, Google, and Twitter--at the center of the controversy on alleged Russian meddling in the 2016 US presidential election come to Washington for a public hearing that will be livestreamed.

Our sister site, CBSN, will be carrying live coverage. You can access CBSN live from your computer, mobile device, or TV streaming device (Roku, Apple TV, Xbox, Fire TV, etc.).

SEE: Cyberwar and the Future of Cybersecurity (a ZDNet/TechRepublic special report)

Scheduled to testify are:

  • Colin Stretch, General Counsel at Facebook
  • Sean Edgett, Acting General Counsel at Twitter
  • Richard Salgado, Director of Law Enforcement and Information Security at Google
  • Clint Watts, Robert A. Fox Fellow at the Foreign Policy Research Institute (Philadelphia, PA)
  • Michael S. Smith II, Terrorism Analyst (Charleston, SC)

They will be testifying before the Senate Committee on the Judiciary's Subcommittee on Crime and Terrorism. The title of the hearing is "Extremist Content and Russian Disinformation Online: Working with Tech to Find Solutions" and it's taking place in Room 216 of the Hart Senate Office Building--across the street from the US Capitol.

SEE: Video: How Russia and other state actors hack social media (TechRepublic)

They will testify before a nine-member committee that includes:

  • Lindsey Graham (R-SC), Chairman
  • John Cornyn (R-TX)
  • Ted Cruz (R-TX)
  • Ben Sasse (R-NE)
  • John Neely Kennedy (R-LA)
  • Sheldon Whitehouse (D-RI), Ranking Member
  • Dick Durbin (D-IL)
  • Amy Klobuchar (D-MN)
  • Chris Coons (D-DE)

Senator Lindsey Graham (R-SC) will chair the hearing in which Google, Facebook, and Twitter will testify.

Image: CBS News

The impact of these hearings on businesses could include new regulations for cybersecurity, social media marketing, and electronic communications in general. For tech companies, it could mean new levels of accountability and transparency. Stay tuned to ZDNet and TechRepublic for further analysis.

from Latest Topic for ZDNet in... http://ift.tt/2iSnMBm

Face ID is so good you won't miss the Home button

Image: Apple/CNET

We may never know whether the pursuit of as streamlined a phone as possible led to the development of Face ID, or if the enablement of Face ID (via increased processing power and a miniaturized depth camera) enabled the iPhone X. It's a classic case of the apple versus the seed.

However, there has been a fair amount of anxiety about the replacement of the Home button on the iPhone X. Not only has it been its most iconic -- practically only -- user interface manifestation but Apple has made good use of its circular presence over the years, piling on app switching, Siri activation, and most notably, Touch ID.

Like Face ID, Touch ID was brought about in some measure by an acquisition and represented improvements on existing modes of biometric recognition. Indeed, the very switch from Touch ID to Face ID is very characteristic of Apple, which often bets big on one way of doing things (in this case, biometric authentication), whereas others sacrifice usability to preserve choice. Apple is willing to hold off on features until they can be implemented with the right user experience, including, in this case, unseen security concerns.

Touch ID set a high bar for ease of use, but in my testing Face ID smashes through it on several fronts. For one, training Face ID consists solely of subtly rotating your head in front of the front-facing camera twice. It is a faster and easier process than having Touch ID learn a fingerprint, something you'd likely want to do at least twice (for each thumb).

Face ID also offers near-instant recognition that failed only once in many dozens of unlocking attempts in my first few hours with the iPhone X. Unlike Samsung's iris scanning in the S8 and Note 8, it has no problem with glasses. Also, Face ID works regardless of how you grip the phone as long as it is in a portrait orientation.

In addition to that orientation limitation, Face ID is so fast and seamless that it might authenticate transactions without permission if left unchecked. To prevent against this, Apple has required that Face ID be activated with a double-press of the power button when being used for, say, authorizing app store purchases. Also, as Touch ID usually would not work through gloves, Face ID will balk if you've taken dramatic steps to change your appearance, such as shaving off a well-developed beard or putting on a Halloween mask beyond the digital kind offered by the forthcoming depth-sensing version of Snapchat.

Face ID also raises a few issues when it comes to security. Apple notes that the risk of Face ID accidentally activating for those over 13 is one in a million, as opposed to Touch ID's one in 50,000, and that it is far more resilient to being spoofed by a photo than the face unlock feature introduced years ago in Android. To prevent someone from unlocking your phone by holding it up to your face while you sleep, Apple has made Face ID require open eyes by default. And it seems to hold up pretty well going head-to-head (literally) with twins.

The removal of the Home button requires some behavioral changes for veteran iPhone users. Swiping up to unlock isn't too dramatic a shift. Swiping down from the top instead of up from the bottom for Control Center requires unlearning and relearning. And having to swipe up and hold to enter the app switcher is simply less convenient, particularly given Apple's decision to require pressing and holding to close apps. However, that is offset somewhat by the new functionality of the swipe-up bar, which allows easy switching among apps while keeping them running full-screen.

In all, these are acceptable tradeoffs for the transparent experience of Face ID, which leverages advanced technology in the name of simple minimalism. What offers an unlocking experience that's slicker than having to touch one button? Having no button to touch. Once you've looked at an iPhone with Face ID, you will not look back.



from Latest Topic for ZDNet in... http://ift.tt/2z8coXR

Are you sure about that link? Crooks are using this trick to fool you into visiting bad websites


'Combosquatting' sees attackers taking advantage of the trust users have in legitimate brands.

Image: iStock

Internet users are increasingly at risk of credential theft, malware infection and more, as cyber criminals have come up with a new way of creating fake versions of real websites.

Rather than the tried-and-tested method of deploying fake websites of known brands with common spelling errors or switched characters, this new trick, dubbed 'combosquatting', sees criminals register domains that combine a popular trademark with one or more words or phrases.

For example, attackers might register the name of a well-known bank with '-security.com' added on the end and send out links in a phishing email, hoping to fool unwary customers.

Users see the familiar bank name in the URL and could be convinced that it is legitimate and click through, with the result being credentials being phished, a malware infection or their computer becoming part of a botnet.

The malicious domains even included some which had previously been registered by the companies themselves, combining words with their trademarks. However, for reasons unknown, the registrations of these legitimate sites were allowed to expire, allowing attackers to take them over in a combosquatting attack.

In a study of 468 billion DNS requests using a six-year data set, researchers at the Georgia Institute of Technology found 2.7 million combosquatting attack domains centred around 268 of the most popular trademark domain names.

The study, Hiding in Plain Sight: A Longitudinal Study of Combosquatting Abuse has been presented at the ACM Conference on Computer and Communications Security in Dallas, Texas.

It might seem like a very simple attack, but it is apparently successful for cyber criminals.

"This is a tactic that the adversaries are using more and more because they have seen that it works," said Manos Antonakakis, an assistant professor in the School of Electrical and Computer Engineering at the Georgia Institute of Technology.

"This attack is hiding in plain sight, but many people aren't computer-savvy enough to notice the difference in the URLs containing familiar trademarked names."

See also: What is phishing? How to protect yourself from scam emails and more

The study found that combosquatting is around one hundred times more common than typosquatting - where attackers register domains of brands, but with spelling errors.
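The distinction the study draws between combosquatting (the whole trademark plus extra tokens in the registered label) and typosquatting (a near-miss spelling), written up as a small detection script over a constructed feed of newly seen hostnames. This is an added example, not code from the study or the article; the trademark list, the suffix set and the sample domains are assumptions.

```python
"""Flag newly seen hostnames that combine or misspell a protected trademark.

Added illustration; not code from the Georgia Tech / Stony Brook study.
A combosquatting domain embeds the whole trademark plus extra tokens in its
registrable label; a typosquatting domain is one typo away from it.
"""
from typing import List, Tuple

# Constructed trademark list; a real deployment would list the brands the
# organisation actually owns.
TRADEMARKS = ["examplebank", "paymentcorp"]

# Minimal public-suffix handling, enough for the constructed samples.
# Production code should consult the Public Suffix List so that "co.uk"-style
# suffixes are handled for every registry.
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au"}


def registrable_label(host: str) -> str:
    """Return the label the registrant actually chose (left of the public
    suffix). Subdomains of the brand's own domain are therefore treated as
    legitimate rather than as squatting."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus an
    adjacent transposition, so 'exmaplebank' is one edit from 'examplebank'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(hostname: str, trademarks: List[str] = TRADEMARKS) -> Tuple[str, str]:
    """Return (verdict, trademark). Checks run from most to least specific."""
    host = hostname.lower().rstrip(".")
    label = registrable_label(host)
    for tm in trademarks:
        if label == tm:
            return "legitimate", tm
    for tm in trademarks:
        if tm in label:                      # brand plus extra tokens: combosquatting
            return "combosquatting", tm
    for tm in trademarks:
        if osa_distance(label, tm) <= 1:     # one typo away: typosquatting
            return "typosquatting", tm
    for tm in trademarks:
        if tm in host:                       # brand only in a subdomain of another domain
            return "trademark_in_subdomain", tm
    return "unrelated", ""


# Constructed feed of newly observed hostnames (not from the study's DNS data).
SAMPLE_DOMAINS = [
    "examplebank.com",
    "login.examplebank.com",
    "examplebank-security.com",        # the pattern the article describes
    "secure-examplebank-login.co.uk",
    "exmaplebank.com",                 # transposed characters
    "examplebank.com.evil-host.net",   # brand hidden in a subdomain
    "weather-today.org",
]


def flag_domains(domains: List[str]) -> List[Tuple[str, str, str]]:
    """Return (hostname, verdict, trademark) for every domain worth review."""
    flagged = []
    for d in domains:
        verdict, tm = classify(d)
        if verdict not in ("legitimate", "unrelated"):
            flagged.append((d, verdict, tm))
    return flagged


if __name__ == "__main__":
    for row in flag_domains(SAMPLE_DOMAINS):
        print(*row)
```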

"The result was mind-blowing. We found orders of magnitude more combosquatting domains than typosquatting domains, for instance," said Panagiotis Kintis, a Georgia Tech graduate research assistant and an author of the study.

He warns that the nature of the attack gives malicious actors an almost infinite number of options when registering domains, especially as it can be so cheap.

"The space for combosquatting is almost infinite because attackers can register as many domains as they want with any variation that they want. In some cases, registering a domain can cost less than a dollar."

While many phishing sites go offline as quickly as they go online, researchers found that combosquatting domains appear to be left active for far longer, with nearly 60 percent of the abusive domains examined in operation for almost three years.

Meanwhile, the number of combosquatting domains registered grew every year between 2011 and 2016, indicating attackers are very aware of the success they can have using this technique.

"Users unfortunately have to be better educated than they are now," said Antonakakis.

"Organizations can provide training in the on-boarding process that takes place for new employees, and they can protect their network perimeters to prevent users from being exposed to known combosquatting domains. More needs to be done to address this growing cybersecurity problem."

The study was conducted by researchers at Georgia Tech and Stony Brook University with the support of U.S. Department of Defense agencies, the National Science Foundation and the U.S. Department of Commerce.

from Latest Topic for ZDNet in... http://ift.tt/2yk4AD8

Vulnerability Spotlight: Multiple Vulnerabilities in Cesanta Mongoose Server

These vulnerabilities were discovered by Aleksandar Nikolic of Cisco Talos. Today, Talos is disclosing several vulnerabilities that have been identified in the Cesanta Mongoose server. Cesanta Mongoose is a library implementing a number of networking protocols, including HTTP, MQTT, MDNS and others. It is designed with embedded devices in mind and as such is used in […]

from Cisco Blog » Security http://ift.tt/2gPf16y

Android security: Coin miners show up in apps and sites to wear out your CPU


Two of the apps that Trend Micro has discovered use the popular Coinhive JavaScript in-browser Monero miner.

Image: Trend Micro/Google

Security researchers are concerned about the rise of cryptocurrency miners that are being embedded into websites and apps to use a device's resources without gaining permission.

Security firm Trend Micro discovered three Android apps on Google Play with two different miners.

Two of the apps, Recitiamo Santo Rosario Free and SafetyNet Wireless App, use the popular Coinhive JavaScript in-browser Monero miner, while a third app, called Car Wallpaper HD: mercedes, ferrari, bow and audi, includes a malicious version of the legitimate cpuminer library.

Google removed the apps after being alerted to their hidden mining capabilities.

The JavaScript miner runs inside the app's built-in browser but it gives no indication to the user that the miner is running. Trend Micro notes that the phone's CPU usage will be "exceptionally high" when the JavaScript code is running.

Trend Micro researchers say while using mobile devices probably returns insignificant earnings for the attackers, the malware still degrades the device's performance, causes wear and tear, and reduces its battery life.

Coinhive offers its mining service as an alternative to monetizing a website through ads. However, Trend Micro, Malwarebytes, Sucuri, and other security firms have found a recent surge in attackers adding the Coinhive miner to compromised websites to borrow CPU power from visitors' PCs. Some sites were also keeping ads while silently running the miner rather than replacing the ads.

It's the same miner that was found embedded on The Pirate Bay, but the piracy site's developers were intentionally testing whether mining Monero could replace ads, which are often blocked by ad-blockers.

The key problem, and reason Malwarebytes recently decided to block script running from Coinhive.com, was that Coinhive allowed site owners to use it without first asking the visitor's permission.

The site owner can also configure the JavaScript miner to use only a certain amount of each visitor's system. The Pirate Bay, for example, said it mistakenly set the miner to use 100 percent of a visitor's CPU, but corrected the issue to only consume 20 to 30 percent and restricted the activity to one tab.

As Sucuri notes, Coinhive responded to the antivirus blocks by releasing a new version of the miner that runs scripts from the domain AuthedMine.com, which only allows a site to use a visitor's CPU after the user opts in. The site shows an example of what the opt-in UI looks like.

However, Coinhive still supports the older version with no opt-in user interface. And as BleepingComputer noted recently, there are now several Coinhive clones, including WordPress 'Coin Hive' plugins, and none of them asks for permission.
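An added example, not Trend Micro's, Malwarebytes' or Sucuri's detection logic, that classifies a page by which miner host it loads (coinhive.com, which needs no consent, versus the opt-in authedmine.com), spots the miner API in pages that serve a self-hosted clone, and reads the throttle setting to estimate the CPU share taken from a visitor. The script file names, the CoinHive.Anonymous/CoinHive.User API and the throttle semantics are assumptions, and the sample pages are constructed.

```python
"""Inspect a web page for a browser-based Monero miner and report whether it
is the consent-free Coinhive build, the opt-in AuthedMine build, or a
self-hosted clone. Added illustration; not a vendor's detection logic."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named in the reporting: coinhive.com serves the miner that asks no
# permission, authedmine.com the build that mines only after the visitor opts in.
SILENT_MINER_HOSTS = {"coinhive.com"}
OPT_IN_MINER_HOSTS = {"authedmine.com"}

# Assumptions about the miner's page-side API (not taken from the article):
# the global object is called CoinHive and the 'throttle' option is the
# fraction of time worker threads sit idle, so CPU share is 1 - throttle.
MINER_SYMBOL_RE = re.compile(r"\bCoinHive\.(Anonymous|User)\b")
THROTTLE_RE = re.compile(r"throttle\s*:\s*([0-9]*\.?[0-9]+)")


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)


def script_host(src: str) -> str:
    """Host of an absolute or protocol-relative script URL; '' for relative paths."""
    return (urlparse(src).hostname or "").lower() if "//" in src else ""


def assess_page(html: str) -> dict:
    """Return the verdict, the known miner hosts loaded and the estimated CPU share."""
    parser = ScriptCollector()
    parser.feed(html)
    known = SILENT_MINER_HOSTS | OPT_IN_MINER_HOSTS
    hosts = set()
    for src in parser.srcs:
        h = script_host(src)
        for k in known:                       # match the host or any subdomain of it
            if h == k or h.endswith("." + k):
                hosts.add(k)
    inline = "".join(parser.inline)
    if hosts & SILENT_MINER_HOSTS:
        verdict = "silent_miner"
    elif hosts & OPT_IN_MINER_HOSTS:
        verdict = "opt_in_miner"
    elif MINER_SYMBOL_RE.search(inline):      # miner API used, script served elsewhere
        verdict = "possible_clone"
    else:
        verdict = "clean"
    m = THROTTLE_RE.search(inline)
    throttle = float(m.group(1)) if m else 0.0   # no throttle means the full CPU
    cpu_share = 0 if verdict == "clean" else round((1.0 - throttle) * 100)
    return {"verdict": verdict, "hosts": sorted(hosts), "cpu_share_percent": cpu_share}


# Constructed sample pages; the script file names and site key are placeholders.
SAMPLE_PAGES = {
    "silent_full_cpu": """<html><body><p>Wallpapers</p>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER'); miner.start();</script>
</body></html>""",
    "opt_in_throttled": """<html><body>
<script src="//authedmine.com/lib/authedmine.min.js"></script>
<script>var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', {throttle: 0.75});
miner.start();</script></body></html>""",
    "self_hosted_clone": """<html><body>
<script src="/wp-content/plugins/coin-hive/miner.js"></script>
<script>new CoinHive.User('SITE_KEY_PLACEHOLDER', 'visitor').start();</script>
</body></html>""",
    "clean": """<html><body><script src="https://cdn.example.org/app.js"></script>
<script>console.log('no miner here');</script></body></html>""",
}

if __name__ == "__main__":
    for name, page in SAMPLE_PAGES.items():
        print(name, assess_page(page))
```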



from Latest Topic for ZDNet in... http://ift.tt/2z05nX1

IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect DB2 Recovery Expert for Linux, Unix and Windows

Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Version Java 1.8.0 SR4 FP1 used by DB2 Recovery Expert for Linux, Unix and Windows. These issues were disclosed as part of the IBM Java SDK updates in Jul 2017.

CVE(s): CVE-2017-10115, CVE-2017-10116

Affected product(s) and affected version(s):

DB2 Recovery Expert for LUW  5.1
DB2 Recovery Expert for LUW  5.1 Interim Fix 1 (IF1)
DB2 Recovery Expert for LUW  5.1 Interim Fix 2 (IF2)
DB2 Recovery Expert for LUW  5.1 Interim Fix 3 (IF3)
DB2 Recovery Expert for LUW  5.1.0.1 (also called 5.1 Fix Pack 1)

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2iPCGIv
X-Force Database: http://ift.tt/2xsr7ZC
X-Force Database: http://ift.tt/2wyaY8O

The post IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect DB2 Recovery Expert for Linux, Unix and Windows appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2zkGA3b

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Application Dependency Discovery Manager (TADDM) – IBM Java SDK updates July 2017

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7 SR10-FP5 used by IBM Tivoli Application Dependency Discovery Manager (TADDM). These issues were disclosed as part of the IBM Java SDK updates in July 2017.

CVE(s): CVE-2017-10053, CVE-2017-10067, CVE-2017-10074, CVE-2017-10081, CVE-2017-10087, CVE-2017-10089, CVE-2017-10090, CVE-2017-10096, CVE-2017-10101, CVE-2017-10102, CVE-2017-10107, CVE-2017-10108, CVE-2017-10109, CVE-2017-10110, CVE-2017-10111, CVE-2017-10115, CVE-2017-10116, CVE-2017-10243

Affected product(s) and affected version(s):

TADDM 7.2.2.5
TADDM 7.3.0.3

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2iPCAAD

The post IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Application Dependency Discovery Manager (TADDM) – IBM Java SDK updates July 2017 appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2iNOdYJ

IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Version 6, Version 7 and Version 8 used by Rational Directory Server (Tivoli) and Rational Directory Administrator. These issues were disclosed as part of the IBM Java SDK updates in July 2017. Install the recommended iFixes to upgrade the JRE in order to resolve these issues.

CVE(s): CVE-2017-10101, CVE-2017-10096, CVE-2017-10116, CVE-2017-10078, CVE-2017-10115, CVE-2017-10067, CVE-2017-10125, CVE-2017-10109, CVE-2017-10108, CVE-2017-10105, CVE-2017-1376

Affected product(s) and affected version(s):

Rational Directory Server (Tivoli) v5.2.1 and earlier.
Rational Directory Administrator v6.0.0.2 and earlier.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2zmh5yv

The post IBM Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect Rational Directory Server (Tivoli) & Rational Directory Administrator appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2zlDQlY

IBM Security Bulletin: Rational Test Control Panel in Rational Test Workbench and Rational Test Virtualization Server affected by Apache Tomcat vulnerability (CVE-2017-5664)

Apache Tomcat is vulnerable to a security issue affecting the Rational Test Control Panel component in IBM Rational Test Workbench and Rational Test Virtualization Server.

CVE(s): CVE-2017-5664

Affected product(s) and affected version(s):

Rational Test Control Panel component in Rational Test Virtualization Server and Rational Test Workbench versions:

  • 8.5
  • 8.5.0.1
  • 8.5.0.2
  • 8.5.0.3
  • 8.5.0.4

Versions 8.5.1 and later are unaffected as they do not use Apache Tomcat.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2zlWk5N
X-Force Database: http://ift.tt/2tbJRMe

The post IBM Security Bulletin: Rational Test Control Panel in Rational Test Workbench and Rational Test Virtualization Server affected by Apache Tomcat vulnerability (CVE-2017-5664) appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2zkUmCD

IBM Security Bulletin: The BigFix Platform version 9.5 has security vulnerabilities that have been addressed via patch release 9.5.6

The BigFix Platform version 9.5 has some vulnerabilities associated with the zlib library, as well as Cross Site Request Forgery, Missing Authentication for Critical Function, Cross Site Scripting and XML External Entity issues, that have been addressed in patch release 9.5.6.

CVE(s): CVE-2016-9840, CVE-2016-9841, CVE-2016-9842, CVE-2016-9843, CVE-2017-1218, CVE-2017-1222, CVE-2017-1203, CVE-2017-1219

Affected product(s) and affected version(s):

BigFix Platform Version 9.1, BigFix Platform Version 9.2

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2zmh4KX

The post IBM Security Bulletin: The BigFix Platform version 9.5 has security vulnerabilities that have been addressed via patch release 9.5.6 appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2iODywI

Yubico launches YubiHSM 2: The smallest, cheapest Hardware Security Module (HSM)

Yubico, the leading provider of authentication and encryption hardware devices, has today unveiled the YubiHSM 2, a new, cost-effective Hardware Security Module (HSM) for servers and IoT gateways.


But the YubiHSM 2 is different to existing HSM devices in that it is an ultra-slim "nano" USB key that slots inside a USB port, doing away with the need for bulky additional hardware, and offers flexibility for offline key transfer or backup.


YubiHSM 2

YubiHSM 2 features include:

  • Secure Microsoft's Active Directory Certificate Services - YubiHSM 2 provides a cost-effective hardware-backed key to secure digital keys used in a Microsoft-based PKI implementation. Deploying YubiHSM 2 to Microsoft Active Directory Certificate services not only guards the CA root keys but also protects all signing and verification services using the root key.
  • Enhance Protection for Cryptographic Keys - YubiHSM 2 offers a compelling option for secure generation, storage and management of digital keys including essential capabilities to generate, write, sign, decrypt, hash and wrap keys.
  • Enable Hardware-Based Cryptographic Operations - YubiHSM 2 can be used as a comprehensive cryptographic toolbox for a wide range of open source and commercial applications. The most common use case is hardware-based digital signature generation and verification. The YubiHSM 2 features can be accessed through Yubico's Key Storage Provider (KSP) for industry-standard PKCS#11 or Microsoft's CNG, or via native Windows, Linux and macOS libraries.
  • 16 concurrent connections - Multiple applications can establish sessions with a YubiHSM to perform cryptographic operations. Sessions can be automatically terminated after inactivity or be long-lived to improve performance by eliminating session creation time.
  • Remote Management - Easily manage multiple deployed YubiHSMs remotely for the entire enterprise - eliminate on-call staff complexity and travel expense.
  • "Nano" form factor, low-power usage - The "Nano" form factor allows the HSM to be inserted completely into a USB-A port so it's completely concealed - no external parts that protrude out of the server back or front chassis. It uses minimal power, max of 30mA, for cost-savings on your power budget.
  • Broad platform support - Linux, Windows, and macOS.

Additional features include optional network sharing, role-based access controls, M of N wrap key backup and restore, tamper-evident audit logging, and extensive cryptographic capabilities (RSA, ECC, ECDSA (ed25519), SHA-2, and AES).

"It's estimated that 95% of all IT breaches happen when a user credential or server gets hacked. For years Yubico has been protecting user accounts from remote hijacking with our unphishable YubiKey authentication devices, but we knew that millions of servers storing sensitive data were still lacking physical security," said Stina Ehrensvard, CEO and Founder, Yubico. "It was important to us that we brought a solution to market that embodied the signature Yubico standards of high-security, convenience, and affordability. Now, with the addition of YubiHSM 2, we can enable critical server security for organizations worldwide -- regardless of size or budget."

Units are available for purchase from Yubikey for $650.

from Latest Topic for ZDNet in... http://ift.tt/2gR8Yi6

Software code signing certificates worth more than guns on the Dark Web


Researchers have discovered that digital code signing certificates are being sold for more than is required to buy a gun in the web's underground markets.

On Tuesday, security researchers from Venafi said there is a flourishing trade in the sale of digital code signing certificates, which can be used to verify software applications.

These certificates are a fundamental way of ensuring software and apps are legitimate, but if compromised, can be used to install malware on networks and devices while avoiding detection.

A single certificate can fetch up to $1,200. Credit cards can go for as little as a few dollars, while US passports can be picked up for roughly $850 -- and a handgun may only set buyers back $600.

"We've known for a number of years that cybercriminals actively seek code signing certificates to distribute malware through computers," said Peter Warren, chairman of the CSRI. "The proof that there is now a significant criminal market for certificates throws our whole authentication system for the internet into doubt and points to an urgent need for the deployment of technology systems to counter the misuse of digital certificates."

The six-month investigation was carried out by the Cyber Security Research Institute (CSRI) in partnership with the Cyber Security Centre at the University of Hertfordshire.

See also: Insider trading takes the Dark Web by storm

"With stolen code signing certificates, it's nearly impossible for organizations to detect malicious software," said Kevin Bocek, chief security strategist at Venafi. "Any cybercriminal can use them to make malware, ransomware, and even kinetic attacks trusted and effective."

"In addition, code signing certificates can be sold many times over before their value begins to diminish, making them huge money makers for hackers and dark web merchants," the executive added. "All of this is fuelling the demand for stolen code signing certificates."

In October, Flashpoint researchers uncovered another worrying trend in online underground marketplaces: the sale of remote access to compromised PCs. Access to Windows XP desktop PCs is being sold for as little as $3, and attackers can tap into compromised Windows 10 systems for only $9.

Given this access, cyberattackers can spy on consumers and businesses without the need to compromise systems through phishing or malware campaigns.

from Latest Topic for ZDNet in... http://ift.tt/2zUlNzw

Google: Russian groups did use our ads and YouTube to influence 2016 elections

Google general counsel Kent Walker: "There is no amount of interference that is acceptable."

Image: Bundesministerium für Wirtschaft und Energie/Google

Along with Facebook and Twitter, Google has now revealed details of Kremlin-linked groups buying ads and using YouTube to spread disinformation in the lead-up to the 2016 US election.

Google has shared its report ahead of this week's series of congressional hearings, where lawyers from Facebook, Google and Twitter will be asked how non-US groups used major web platforms to influence voters.

Google says two accounts associated with the Russian 'troll farm' the Internet Research Agency spent $4,700 on Google ads during the election cycle.

Google said the ads were not targeted at specific states and did not target users with specific political leanings. This was the first election where Google offered to target ads based on users' "inferred political preferences", such as "left-leaning" or "right-leaning".

Also, it found 1,108 YouTube videos totaling 43 hours of content that were probably linked to this campaign and generated 309,000 US views during the run-up to the election. It said only three percent of the videos generated more than 5,000 views.

The YouTube videos were shared through 18 channels with English content that "appeared to be political" but also contained non-political videos. Google says it has suspended the channels.

"While we have found only limited activity on our services, we will continue to work to prevent all of it, because there is no amount of interference that is acceptable," said Kent Walker, a senior vice president and Google's general counsel, in a blog post.

Facebook previously reported that the Internet Research Agency spent $100,000 on Facebook ads that reached 10 million users.

However, as noted by The Washington Post, Facebook's legal counsel Colin Stretch plans to tell the Senate Judiciary Committee this week that the Internet Research Agency created about 80,000 inflammatory posts between 2015 and 2017 that 29 million US people may have seen in their newsfeed.

After factoring in likes and shares, Facebook estimates the posts were seen by as many as 126 million US users.

Similarly, Twitter has previously said it found 201 accounts used by Russian agents, but at a hearing this week its acting general counsel, Sean Edgett, will testify that nearly 37,000 accounts, mostly bots, generated 1.4 million election-related tweets which gained 288 million views.

Google also published an explanation of what it plans to do to combat the misuse of its platform to spread disinformation in the future, and another brief documenting new protections against phishing, such as the new Advanced Protection program for Gmail users who face a high risk of being targeted.

Future initiatives include publishing a transparency report for elections, and the creation of a publicly accessible database of election ads purchased on AdWords and YouTube. The database will include information about who bought each ad.

Also, to comply with US laws that restrict groups outside the US from running election ads, it will introduce new checks to "proactively identify" who is buying a political ad and where they are based before running it.

Google said that for the 2016 election it had processes in place that only allowed US advertisers it already did business with to target users by political persuasion.



from Latest Topic for ZDNet in... http://ift.tt/2z5uzgO

The nasty future of ransomware: Four ways the nightmare is about to get even worse

2017 has been the year of ransomware. While the file-encrypting malware has existed in one form or another for almost three decades, over the last few months it's developed from a cybersecurity concern to a public menace. The term even made it into the dictionary in September.

In particular, 2017 had its own summer of ransomware: while incidents throughout 2016 showed the potential damage -- both operational and financial -- ransomware can cause to organisations, it was in the space of six weeks during May and June this year that the impact of ransomware really became apparent.

First WannaCry hit hundreds of thousands of systems around the globe, thanks to worm-like capabilities of a leaked NSA exploit being attached to the ransomware. The UK's National Health Service was particularly badly hit and thousands of appointments were cancelled.

Weeks later came another global ransomware epidemic in the form of Petya (the variant later dubbed NotPetya), equipped with similar worm-like features, plus the ability to irrecoverably wipe data from infected machines.

If making money from ransom was the end goal, neither campaign was successful. Those behind WannaCry -- intelligence agencies suspect North Korea -- eventually cashed out $140,000 from the Bitcoin wallets associated with the attack, something of a paltry sum considering the scale and impact of the campaign.

But what both the WannaCry and Petya outbreaks managed to do was make it clear just how much of a problem ransomware has become. And it hasn't gone away either: the recent Bad Rabbit ransomware attacks in Russia and Ukraine show that malware writers are still working on new versions.

Ransomware as a diversion

We've already seen how ransomware can come with other malicious items in tow. For example, Petya included a wiper designed to irrecoverably destroy data on infected machines. It's a cunning tactic -- while the ransomware presents itself as the immediate problem, the attack may also be doing something else in the background.

"Ransomware will be the public face of what's going on, scary and visible, but behind the scenes a whole range of other things can be happening: machine infiltration, scraping of data, transfer of funds, all while you have a really big diversion happening," says Perry Carpenter, strategy officer at security company KnowBe4.

This could mean the ransomware infection is the least of your problems. Trojan malware or stolen credentials could give attackers outright access to the network even after the 'ransomware' infection has been dealt with, so organisations could potentially give in and pay a ransom to criminals who then remain able to exploit vulnerabilities in the network.

Another potential development of ransomware is the emergence of strains that not only encrypt your data but also steal it.

Ransomware that blackmails you too

"How else might someone use access to a computer to make money? I think we might see more cases of ransomware which aren't just about data encryption and 'pay me and get it back' but more about doxxing -- gathering sensitive information and threatening to release it if you don't pay up," says Mark Dufresne, director of threat research and adversary prevention at security company Endgame.

This tactic has already been adopted by some families of ransomware. For instance, a form of Android ransomware has already used the threat of exposing private information to the victim's contacts as 'encouragement' for paying up. Meanwhile some forms of malware claim to be able to see the websites victims have been visiting, although it's unlikely the ransomware actually has this capability -- yet.

See also: Ransomware: An executive guide to one of the biggest menaces on the web

"You can't solve that with good backups. If you've got compromising emails in your inbox, or anything which might be secretive or problematic, you're going to be incentivised to pay in order to stop that getting out," says Dufresne.

Enterprise ransomware

Another potential tactic could see criminals go after enterprise infrastructure. Locking users out of PCs is bad, but getting ransomware onto critical systems could be highly disruptive to businesses and highly lucrative for crooks.

"We're going to see an increased focus on the concept of enterprise ransomware, where they're moving away from targeting one specific machine to trying to spread virally throughout the organisation and trying to get as many machines as possible," says Dmitri Alperovitch, co-founder and CTO of security company Crowdstrike.

This would certainly take more effort than randomly distributing ransomware via email campaigns, but would lead to a bigger payoff.

"For a few hundred thousand dollars, nobody would think twice. I've no doubts that if the ransom asked was $10m, it'd still be paid," says Alperovitch. "All considerations go out the window when your business is down and you're facing hundreds of millions of dollars in damages, if you can, you'll pay at that point and the boards and CEO will make that decision without any hesitation."

New network attacks

But not every cybercriminal operation is going to spend time and resources in order to go after specific targets -- ransomware will continue to be randomly distributed in spam emails because that still works.

And as demonstrated throughout 2017, the use of SMB exploits like EternalBlue or EternalRomance can aid that by helping ransomware easily spread itself across a network with minimal effort.

Cybercriminals aren't going to just forget about these exploits. Bad Rabbit has once again demonstrated how many organisations simply haven't applied critical patches issued over half a year ago, so attackers will capitalise on newly discovered exploits -- and look to take advantage of lax patching by businesses and consumers.

"The next thing I would say is the big risk from malicious software is the addition of more network propagation. They'll be doing what they've traditionally done -- be it ransomware or malware -- but adding more network propagation," says Holly Williams, penetration test team leader at Sec-1 Ltd.

Leaked NSA exploits have played a large role in aiding the spread of self-propagating malware: WannaCry took advantage of the EternalBlue SMB vulnerability, while BadRabbit exploited EternalRomance. But it won't take another NSA leak for ransomware writers to find a new means of attacking networks.

"There are many more methods which malware can use to propagate across a network and NotPetya chose a handful of those -- a published vulnerability and other features we've known about in pen testing for a long time. The ability to extract plain text credentials from a machine -- like NotPetya had -- has been around since 2012. The priority order of vulnerabilities changes," says Williams.

While 2017 might be viewed by many as the year ransomware was recognised as a real menace, it could be that there is still worse to come.

"Increasingly you'll see the criminals realise that's where the big money is. That's not a few thousand dollars but a few million dollars and that's a game changer," says Alperovitch.

Previous and related coverage

Cybersecurity spotlight: The ransomware battle [Tech Pro Research]

This ebook looks at how the malware works, who it's affecting, steps to avoid it, and what to do if you're attacked.

Bad Rabbit: Ten things you need to know about the latest ransomware outbreak

It's the third major outbreak of the year - here's what we know so far.

The global ransomware epidemic is just getting started [CNET]

WannaCry should have been a major warning to the world about ransomware. Then the GoldenEye strain of Petya ransomware arrived. What's next?



from Latest Topic for ZDNet in... http://ift.tt/2yhHb5o

Malaysia data breach compromises 46.2M mobile numbers


A massive cybersecurity breach is reported to have compromised personal data of 46.2 million mobile numbers in Malaysia, exposing details such as home addresses and SIM card information.

The breach affected both postpaid and prepaid numbers as well as subscribers from all major mobile carriers in the country, including Maxis, Altel, Digi, and Celcom, according to Lowyat.net. The local website earlier this month said it received information that personal data linked to millions of Malaysians were being peddled online.

Apart from customer data from local telcos, the leaked information also included records from various websites such as Jobstreet.com, the Malaysian Medical Association, and Malaysian Housing Loan Applications. Leaked data from Jobstreet.com, for instance, contained the candidate's login name, nationality, and hashed passwords.

Timestamps in the compromised data suggested that the breach occurred between 2014 and 2015, said Lowyat. It said it had handed the information to the industry regulator, the Malaysian Communications and Multimedia Commission (MCMC), which later released a statement confirming it was investigating the incident.

According to local reports, Communications and Multimedia Minister Datuk Seri Salleh Said Keruak said the police were also involved in the investigation.

Malaysia has a population of some 31.2 million, so some subscribers likely will hold more than one compromised mobile number. The report added that the list may contain inactive numbers as well as temporary ones issued to visitors to the country.



from Latest Topic for ZDNet in... http://ift.tt/2lxlhoY

USN-3469-2: Linux kernel (Xenial HWE) vulnerabilities

Ubuntu Security Notice USN-3469-2

31st October, 2017

linux-lts-xenial vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software description

  • linux-lts-xenial - Linux hardware enablement kernel from Xenial for Trusty

Details

USN-3469-1 fixed vulnerabilities in the Linux kernel for Ubuntu 16.04
LTS. This update provides the corresponding updates for the Linux
Hardware Enablement (HWE) kernel from Ubuntu 16.04 LTS for Ubuntu
14.04 LTS.

Anthony Perard discovered that the Xen virtual block driver did not
properly initialize some data structures before passing them to user space.
A local attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2017-10911)

Bo Zhang discovered that the netlink wireless configuration interface in
the Linux kernel did not properly validate attributes when handling certain
requests. A local attacker with the CAP_NET_ADMIN capability could use this to
cause a
denial of service (system crash). (CVE-2017-12153)

It was discovered that the nested KVM implementation in the Linux
kernel in some situations did not properly prevent second level guests
from reading and writing the hardware CR8 register. A local attacker
in a guest could use this to cause a denial of service (system crash).
(CVE-2017-12154)

It was discovered that the key management subsystem in the Linux kernel
did not properly restrict key reads on negatively instantiated keys. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2017-12192)

It was discovered that an integer overflow existed in the sysfs interface
for the QLogic 24xx+ series SCSI driver in the Linux kernel. A local
privileged attacker could use this to cause a denial of service (system
crash). (CVE-2017-14051)

It was discovered that the ATI Radeon framebuffer driver in the Linux
kernel did not properly initialize a data structure returned to user space.
A local attacker could use this to expose sensitive information (kernel
memory). (CVE-2017-14156)

Dave Chinner discovered that the XFS filesystem did not enforce that the
realtime inode flag was settable only on filesystems on a realtime device.
A local attacker could use this to cause a denial of service (system
crash). (CVE-2017-14340)

ChunYu Wang discovered that the iSCSI transport implementation in the Linux
kernel did not properly validate data structures. A local attacker could
use this to cause a denial of service (system crash). (CVE-2017-14489)

It was discovered that the generic SCSI driver in the Linux kernel did not
properly initialize data returned to user space in some situations. A local
attacker could use this to expose sensitive information (kernel memory).
(CVE-2017-14991)

Dmitry Vyukov discovered that the Floating Point Unit (fpu) subsystem in
the Linux kernel did not properly handle attempts to set reserved bits in a
task's extended state (xstate) area. A local attacker could use this to
cause a denial of service (system crash). (CVE-2017-15537)

Pengfei Wang discovered that the Turtle Beach MultiSound audio device
driver in the Linux kernel contained race conditions when fetching
from the ring-buffer. A local attacker could use this to cause a
denial of service (infinite loop). (CVE-2017-9984, CVE-2017-9985)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
linux-image-powerpc-smp-lts-xenial 4.4.0.98.82
linux-image-4.4.0-98-generic-lpae 4.4.0-98.121~14.04.1
linux-image-generic-lts-xenial 4.4.0.98.82
linux-image-lowlatency-lts-xenial 4.4.0.98.82
linux-image-generic-lpae-lts-xenial 4.4.0.98.82
linux-image-4.4.0-98-powerpc64-emb 4.4.0-98.121~14.04.1
linux-image-4.4.0-98-generic 4.4.0-98.121~14.04.1
linux-image-powerpc64-emb-lts-xenial 4.4.0.98.82
linux-image-4.4.0-98-powerpc-smp 4.4.0-98.121~14.04.1
linux-image-4.4.0-98-powerpc64-smp 4.4.0-98.121~14.04.1
linux-image-powerpc64-smp-lts-xenial 4.4.0.98.82
linux-image-4.4.0-98-lowlatency 4.4.0-98.121~14.04.1
linux-image-4.4.0-98-powerpc-e500mc 4.4.0-98.121~14.04.1
linux-image-powerpc-e500mc-lts-xenial 4.4.0.98.82

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-10911, CVE-2017-12153, CVE-2017-12154, CVE-2017-12192, CVE-2017-14051, CVE-2017-14156, CVE-2017-14340, CVE-2017-14489, CVE-2017-14991, CVE-2017-15537, CVE-2017-9984, CVE-2017-9985



from Ubuntu Security Notices http://ift.tt/2z0dfHX

USN-3469-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-3469-1

31st October, 2017

linux, linux-aws, linux-gke, linux-kvm, linux-raspi2, linux-snapdragon vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software description

  • linux - Linux kernel
  • linux-aws - Linux kernel for Amazon Web Services (AWS) systems
  • linux-gke - Linux kernel for Google Container Engine (GKE) systems
  • linux-kvm - Linux kernel for cloud environments
  • linux-raspi2 - Linux kernel for Raspberry Pi 2
  • linux-snapdragon - Linux kernel for Snapdragon processors

Details

Anthony Perard discovered that the Xen virtual block driver did not
properly initialize some data structures before passing them to user space.
A local attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2017-10911)

Bo Zhang discovered that the netlink wireless configuration interface in
the Linux kernel did not properly validate attributes when handling certain
requests. A local attacker with the CAP_NET_ADMIN capability could use this to
cause a
denial of service (system crash). (CVE-2017-12153)

It was discovered that the nested KVM implementation in the Linux
kernel in some situations did not properly prevent second level guests
from reading and writing the hardware CR8 register. A local attacker
in a guest could use this to cause a denial of service (system crash).
(CVE-2017-12154)

It was discovered that the key management subsystem in the Linux kernel
did not properly restrict key reads on negatively instantiated keys. A
local attacker could use this to cause a denial of service (system crash).
(CVE-2017-12192)

It was discovered that an integer overflow existed in the sysfs interface
for the QLogic 24xx+ series SCSI driver in the Linux kernel. A local
privileged attacker could use this to cause a denial of service (system
crash). (CVE-2017-14051)

It was discovered that the ATI Radeon framebuffer driver in the Linux
kernel did not properly initialize a data structure returned to user space.
A local attacker could use this to expose sensitive information (kernel
memory). (CVE-2017-14156)

Dave Chinner discovered that the XFS filesystem did not enforce that the
realtime inode flag was settable only on filesystems on a realtime device.
A local attacker could use this to cause a denial of service (system
crash). (CVE-2017-14340)

ChunYu Wang discovered that the iSCSI transport implementation in the Linux
kernel did not properly validate data structures. A local attacker could
use this to cause a denial of service (system crash). (CVE-2017-14489)

It was discovered that the generic SCSI driver in the Linux kernel did not
properly initialize data returned to user space in some situations. A local
attacker could use this to expose sensitive information (kernel memory).
(CVE-2017-14991)

Dmitry Vyukov discovered that the Floating Point Unit (fpu) subsystem in
the Linux kernel did not properly handle attempts to set reserved bits in a
task's extended state (xstate) area. A local attacker could use this to
cause a denial of service (system crash). (CVE-2017-15537)

Pengfei Wang discovered that the Turtle Beach MultiSound audio device
driver in the Linux kernel contained race conditions when fetching
from the ring-buffer. A local attacker could use this to cause a
denial of service (infinite loop). (CVE-2017-9984, CVE-2017-9985)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
linux-image-4.4.0-1009-kvm 4.4.0-1009.14
linux-image-powerpc-e500mc 4.4.0.98.103
linux-image-gke 4.4.0.1033.34
linux-image-4.4.0-98-powerpc64-smp 4.4.0-98.121
linux-image-aws 4.4.0.1039.41
linux-image-4.4.0-98-generic 4.4.0-98.121
linux-image-snapdragon 4.4.0.1078.70
linux-image-powerpc64-emb 4.4.0.98.103
linux-image-powerpc64-smp 4.4.0.98.103
linux-image-4.4.0-1033-gke 4.4.0-1033.33
linux-image-powerpc-smp 4.4.0.98.103
linux-image-generic 4.4.0.98.103
linux-image-4.4.0-98-powerpc64-emb 4.4.0-98.121
linux-image-4.4.0-98-powerpc-smp 4.4.0-98.121
linux-image-4.4.0-1076-raspi2 4.4.0-1076.84
linux-image-kvm 4.4.0.1009.9
linux-image-raspi2 4.4.0.1076.76
linux-image-4.4.0-98-generic-lpae 4.4.0-98.121
linux-image-generic-lpae 4.4.0.98.103
linux-image-4.4.0-1039-aws 4.4.0-1039.48
linux-image-4.4.0-1078-snapdragon 4.4.0-1078.83
linux-image-4.4.0-98-lowlatency 4.4.0-98.121
linux-image-4.4.0-98-powerpc-e500mc 4.4.0-98.121
linux-image-lowlatency 4.4.0.98.103

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-10911, CVE-2017-12153, CVE-2017-12154, CVE-2017-12192, CVE-2017-14051, CVE-2017-14156, CVE-2017-14340, CVE-2017-14489, CVE-2017-14991, CVE-2017-15537, CVE-2017-9984, CVE-2017-9985



from Ubuntu Security Notices http://ift.tt/2z4yjzm

USN-3470-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-3470-1

31st October, 2017

linux vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software description

  • linux - Linux kernel

Details

Qian Zhang discovered a heap-based buffer overflow in the tipc_msg_build()
function in the Linux kernel. A local attacker could use this to cause a denial
of service (system crash) or possibly execute arbitrary code with
administrative privileges. (CVE-2016-8632)

Dmitry Vyukov discovered that a race condition existed in the timerfd
subsystem of the Linux kernel when handling might_cancel queuing. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2017-10661)

It was discovered that the Flash-Friendly File System (f2fs) implementation
in the Linux kernel did not properly validate superblock metadata. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2017-10662, CVE-2017-10663)

Anthony Perard discovered that the Xen virtual block driver did not
properly initialize some data structures before passing them to user space.
A local attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2017-10911)

It was discovered that a use-after-free vulnerability existed in the POSIX
message queue implementation in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-11176)

Dave Chinner discovered that the XFS filesystem did not enforce that the
realtime inode flag was settable only on filesystems on a realtime device.
A local attacker could use this to cause a denial of service (system
crash). (CVE-2017-14340)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:
linux-image-3.13.0-135-lowlatency 3.13.0-135.184
linux-image-powerpc-smp 3.13.0.135.144
linux-image-3.13.0-135-generic 3.13.0-135.184
linux-image-3.13.0-135-powerpc-smp 3.13.0-135.184
linux-image-3.13.0-135-powerpc-e500mc 3.13.0-135.184
linux-image-generic 3.13.0.135.144
linux-image-3.13.0-135-generic-lpae 3.13.0-135.184
linux-image-powerpc-e500mc 3.13.0.135.144
linux-image-lowlatency 3.13.0.135.144
linux-image-powerpc-e500 3.13.0.135.144
linux-image-powerpc64-smp 3.13.0.135.144
linux-image-generic-lpae 3.13.0.135.144
linux-image-3.13.0-135-powerpc64-emb 3.13.0-135.184
linux-image-3.13.0-135-powerpc-e500 3.13.0-135.184
linux-image-powerpc64-emb 3.13.0.135.144
linux-image-3.13.0-135-powerpc64-smp 3.13.0-135.184

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2016-8632, CVE-2017-10661, CVE-2017-10662, CVE-2017-10663, CVE-2017-10911, CVE-2017-11176, CVE-2017-14340



from Ubuntu Security Notices http://ift.tt/2z0dsuJ

USN-3468-3: Linux kernel (GCP) vulnerabilities

Ubuntu Security Notice USN-3468-3

31st October, 2017

linux-gcp vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software description

  • linux-gcp - Linux kernel for Google Cloud Platform (GCP) systems

Details

It was discovered that the KVM subsystem in the Linux kernel did not
properly bound guest IRQs. A local attacker in a guest VM could use this to
cause a denial of service (host system crash). (CVE-2017-1000252)

It was discovered that the Flash-Friendly File System (f2fs) implementation
in the Linux kernel did not properly validate superblock metadata. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2017-10663)

Anthony Perard discovered that the Xen virtual block driver did not
properly initialize some data structures before passing them to user space.
A local attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2017-10911)

It was discovered that a use-after-free vulnerability existed in the POSIX
message queue implementation in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-11176)

Dave Chinner discovered that the XFS filesystem did not enforce that the
realtime inode flag was settable only on filesystems on a realtime device.
A local attacker could use this to cause a denial of service (system
crash). (CVE-2017-14340)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
linux-image-gcp 4.10.0.1008.10
linux-image-4.10.0-1008-gcp 4.10.0-1008.8

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-1000252, CVE-2017-10663, CVE-2017-10911, CVE-2017-11176, CVE-2017-14340



from Ubuntu Security Notices http://ift.tt/2iMlcwr
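Each of the notices above ends with a table of fixed package versions and a reminder that the fix is not live until the host has rebooted into the new kernel. The check a practitioner wants is therefore twofold: is every listed package at or above its fixed version by dpkg's ordering (where 4.4.0-98.121~14.04.1 sorts below 4.4.0-98.121), and does `uname -r` still name an older ABI than the newest installed kernel of the same flavour? The script below is an added example, not part of any Ubuntu notice or of dpkg itself; it re-implements dpkg's version comparison in Python so it runs where dpkg is absent, and the dpkg-query output and uname string it checks are constructed samples. The fixed versions in its table are copied from the USN-3469-1 update instructions above; on a live host, feed it the output of `dpkg-query -W -f='${Package} ${Version} ${Status}\n'` and `uname -r` instead.

```python
"""Check kernel packages against a USN's fixed versions (added example, not part
of the Ubuntu notice). Re-implements dpkg's version ordering so it runs anywhere,
and flags the case the notice warns about: fixed kernel installed, host not yet
rebooted into it. The dpkg-query output and uname string are constructed samples."""
import re

# Fixed versions copied from the USN-3469-1 "Update instructions" (Ubuntu 16.04).
USN_3469_1_FIXED = {
    "linux-image-4.4.0-98-generic": "4.4.0-98.121",
    "linux-image-4.4.0-1039-aws": "4.4.0-1039.48",
    "linux-image-aws": "4.4.0.1039.41",
}
# Constructed sample of `dpkg-query -W -f='${Package} ${Version} ${Status}\n'`
# (fixed generic kernel installed; aws kernel still one ABI behind).
SAMPLE_DPKG_QUERY = """\
linux-image-4.4.0-97-generic 4.4.0-97.120 install ok installed
linux-image-4.4.0-98-generic 4.4.0-98.121 install ok installed
linux-image-4.4.0-1038-aws 4.4.0-1038.47 install ok installed
linux-image-aws 4.4.0.1038.40 install ok installed
"""
SAMPLE_UNAME_R = "4.4.0-97-generic"  # constructed: still running the old ABI

def _order(c):
    """dpkg weight of a character: digit 0, letter its code point, '~' below end of string."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256

def _verrevcmp(a, b):
    """Compare one version part like dpkg: non-digit runs by weight, digit runs numerically."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if first_diff == 0:
                first_diff = ord(a[i]) - ord(b[j])
            i, j = i + 1, j + 1
        if i < len(a) and a[i].isdigit():
            return 1  # a's number has more digits, so it is the larger one
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0

def dpkg_compare(v1, v2):
    """<0, 0 or >0 like `dpkg --compare-versions`: epoch, then upstream, then revision."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        return int(epoch), (upstream if sep else rest), (revision if sep else "")
    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    return (e1 - e2) or _verrevcmp(u1, u2) or _verrevcmp(r1, r2)

def parse_dpkg_query(output):
    """package -> version for each line whose dpkg status is 'installed'."""
    rows = (line.split() for line in output.splitlines())
    return {r[0]: r[1] for r in rows if len(r) >= 5 and r[-1] == "installed"}

def check_usn(installed, fixed):
    """package -> (status, installed version); a package the host lacks is not a finding."""
    report = {}
    for pkg, fixed_version in fixed.items():
        have = installed.get(pkg)
        if have is None:
            report[pkg] = ("not installed", None)
        else:
            report[pkg] = ("vulnerable" if dpkg_compare(have, fixed_version) < 0 else "fixed", have)
    return report

KERNEL_PKG = re.compile(r"^linux-image-(\d+\.\d+\.\d+-\d+)-([a-z0-9-]+)$")

def reboot_needed(uname_r, installed):
    """True when a same-flavour kernel package with a newer ABI than the running
    kernel (uname -r, e.g. '4.4.0-97-generic') is installed: the fix is not live."""
    m = re.match(r"^(\d+\.\d+\.\d+-\d+)-(.+)$", uname_r)
    if not m:
        return False
    running_abi, flavour = m.groups()
    return any(k and k.group(2) == flavour and dpkg_compare(k.group(1), running_abi) > 0
               for k in map(KERNEL_PKG.match, installed))

if __name__ == "__main__":
    inst = parse_dpkg_query(SAMPLE_DPKG_QUERY)
    print(check_usn(inst, USN_3469_1_FIXED), "reboot required:", reboot_needed(SAMPLE_UNAME_R, inst))
```

The sample deliberately has the fixed generic kernel on disk while `uname -r` still reports the 4.4.0-97 ABI, so the generic image is reported as fixed but the reboot check fires; the aws metapackage is one ABI behind and is reported vulnerable, while the 4.4.0-1039 aws image is simply not installed. Checking the metapackage version alone would miss the first case, which is why the notices insist on the reboot.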

USN-3468-2: Linux kernel (HWE) vulnerabilities

Ubuntu Security Notice USN-3468-2

31st October, 2017

linux-hwe vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 16.04 LTS

Summary

Several security issues were fixed in the Linux kernel.

Software description

  • linux-hwe - Linux hardware enablement (HWE) kernel

Details

USN-3468-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04.
This update provides the corresponding updates for the Linux Hardware
Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS.

It was discovered that the KVM subsystem in the Linux kernel did not
properly bound guest IRQs. A local attacker in a guest VM could use this to
cause a denial of service (host system crash). (CVE-2017-1000252)

It was discovered that the Flash-Friendly File System (f2fs) implementation
in the Linux kernel did not properly validate superblock metadata. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2017-10663)

Anthony Perard discovered that the Xen virtual block driver did not
properly initialize some data structures before passing them to user space.
A local attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2017-10911)

It was discovered that a use-after-free vulnerability existed in the POSIX
message queue implementation in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-11176)

Dave Chinner discovered that the XFS filesystem did not enforce that the
realtime inode flag was settable only on filesystems on a realtime device.
A local attacker could use this to cause a denial of service (system
crash). (CVE-2017-14340)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:
linux-image-lowlatency-hwe-16.04 4.10.0.38.40
linux-image-4.10.0-38-generic-lpae 4.10.0-38.42~16.04.1
linux-image-generic-hwe-16.04 4.10.0.38.40
linux-image-4.10.0-38-lowlatency 4.10.0-38.42~16.04.1
linux-image-4.10.0-38-generic 4.10.0-38.42~16.04.1
linux-image-generic-lpae-hwe-16.04 4.10.0.38.40

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2017-1000252, CVE-2017-10663, CVE-2017-10911, CVE-2017-11176, CVE-2017-14340



from Ubuntu Security Notices http://ift.tt/2zlWYAq

USN-3468-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-3468-1

31st October, 2017

linux, linux-raspi2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 17.04

Summary

Several security issues were fixed in the Linux kernel.

Software description

  • linux - Linux kernel
  • linux-raspi2 - Linux kernel for Raspberry Pi 2

Details

It was discovered that the KVM subsystem in the Linux kernel did not
properly bound guest IRQs. A local attacker in a guest VM could use this to
cause a denial of service (host system crash). (CVE-2017-1000252)

It was discovered that the Flash-Friendly File System (f2fs) implementation
in the Linux kernel did not properly validate superblock metadata. A local
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2017-10663)

Anthony Perard discovered that the Xen virtual block driver did not
properly initialize some data structures before passing them to user space.
A local attacker in a guest VM could use this to expose sensitive
information from the host OS or other guest VMs. (CVE-2017-10911)

It was discovered that a use-after-free vulnerability existed in the POSIX
message queue implementation in the Linux kernel. A local attacker could
use this to cause a denial of service (system crash) or possibly execute
arbitrary code. (CVE-2017-11176)

Dave Chinner discovered that the XFS filesystem did not enforce that the
realtime inode flag was settable only on filesystems on a realtime device.
A local attacker could use this to cause a denial of service (system
crash). (CVE-2017-14340)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 17.04:
linux-image-generic-lpae 4.10.0.38.38
linux-image-lowlatency 4.10.0.38.38
linux-image-4.10.0-38-generic-lpae 4.10.0-38.42
linux-image-4.10.0-1020-raspi2 4.10.0-1020.23
linux-image-4.10.0-38-lowlatency 4.10.0-38.42
linux-image-generic 4.10.0.38.38
linux-image-4.10.0-38-generic 4.10.0-38.42
linux-image-raspi2 4.10.0.1020.21

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
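The update instructions in this notice, and in USN-3470-2 and USN-3468-2 above, give a fixed package version and then warn that the ABI changed, so the fix is only live after a reboot onto the new kernel. The following is an added example, not part of any Ubuntu notice and not dpkg's own code: it reimplements the deb-version(5) ordering that `dpkg --compare-versions` applies, checks whether an installed kernel package has reached the fixed version, and checks whether the kernel reported by `uname -r` already carries the installed package's ABI. The fixed version is taken from USN-3468-2; the "installed" and `uname -r` values are constructed samples.

```javascript
// Added example: not from the Ubuntu notices or from dpkg itself.
// Reimplements the deb-version(5) ordering that `dpkg --compare-versions`
// uses, then checks (a) whether an installed kernel package has reached the
// fixed version and (b) whether the running kernel already carries that
// package's ABI, i.e. whether the reboot the notice asks for has happened.

// Rank of one character in Debian's modified lexical comparison: '~' sorts
// before anything, even the end of the string; letters sort before
// non-letters; end of string ranks as 0. Digits never reach this function.
function charRank(c) {
  if (c === undefined) return 0;
  if (c === '~') return -1;
  if (/[A-Za-z]/.test(c)) return c.charCodeAt(0);
  return c.charCodeAt(0) + 256;
}

// Compare the upstream part or the revision part of two versions.
function compareFragment(a, b) {
  let i = 0, j = 0;
  while (i < a.length || j < b.length) {
    // Non-digit run, compared character by character with charRank.
    let ai = i, bj = j;
    while (ai < a.length && !/[0-9]/.test(a[ai])) ai++;
    while (bj < b.length && !/[0-9]/.test(b[bj])) bj++;
    const na = a.slice(i, ai), nb = b.slice(j, bj);
    for (let k = 0; k < Math.max(na.length, nb.length); k++) {
      const d = charRank(na[k]) - charRank(nb[k]);
      if (d !== 0) return d < 0 ? -1 : 1;
    }
    i = ai; j = bj;
    // Digit run, compared numerically (a missing run counts as 0).
    let ad = i, bd = j;
    while (ad < a.length && /[0-9]/.test(a[ad])) ad++;
    while (bd < b.length && /[0-9]/.test(b[bd])) bd++;
    const da = Number(a.slice(i, ad) || '0'), db = Number(b.slice(j, bd) || '0');
    if (da !== db) return da < db ? -1 : 1;
    i = ad; j = bd;
  }
  return 0;
}

// Split "epoch:upstream-revision"; epoch and revision are optional.
function splitVersion(v) {
  let epoch = 0, rest = v;
  const colon = v.indexOf(':');
  if (colon !== -1) { epoch = Number(v.slice(0, colon)); rest = v.slice(colon + 1); }
  const dash = rest.lastIndexOf('-');
  return {
    epoch,
    upstream: dash === -1 ? rest : rest.slice(0, dash),
    revision: dash === -1 ? '' : rest.slice(dash + 1),
  };
}

// -1, 0 or 1, ordered as dpkg would order a against b.
function compareVersions(a, b) {
  const va = splitVersion(a), vb = splitVersion(b);
  if (va.epoch !== vb.epoch) return va.epoch < vb.epoch ? -1 : 1;
  return compareFragment(va.upstream, vb.upstream) ||
         compareFragment(va.revision, vb.revision);
}

// True when the installed package version is at least the fixed one.
function isFixed(installed, fixed) {
  return compareVersions(installed, fixed) >= 0;
}

// ABI of a linux-image-<abi>-<flavour> package version: "4.10.0-38.42~16.04.1"
// carries ABI "4.10.0-38" (upstream plus the first revision component).
// Returns null for metapackage versions such as "4.10.0.38.40", which have
// no revision part and therefore no ABI of their own.
function abiOfPackageVersion(v) {
  const { upstream, revision } = splitVersion(v);
  return revision ? upstream + '-' + revision.split('.')[0] : null;
}

// ABI of the running kernel from `uname -r`: "4.10.0-38-generic" -> "4.10.0-38".
function abiOfRunningKernel(release) {
  const m = /^(\d+\.\d+\.\d+-\d+)/.exec(release);
  return m ? m[1] : null;
}

// The notices say the ABI changed, so the fix is only live once the running
// kernel carries the installed package's ABI. An ABI that cannot be parsed
// is reported as "reboot needed" rather than silently passing.
function rebootNeeded(release, installedPkgVersion) {
  const running = abiOfRunningKernel(release);
  const installed = abiOfPackageVersion(installedPkgVersion);
  return running === null || installed === null || running !== installed;
}

// Fixed version of linux-image-4.10.0-38-generic from USN-3468-2 above;
// the "installed" and `uname -r` values below are constructed samples.
const FIXED_GENERIC_HWE = '4.10.0-38.42~16.04.1';
console.log(isFixed('4.10.0-37.41~16.04.1', FIXED_GENERIC_HWE));   // false: still vulnerable
console.log(isFixed('4.10.0-38.42~16.04.1', FIXED_GENERIC_HWE));   // true
console.log(rebootNeeded('4.10.0-37-generic', FIXED_GENERIC_HWE)); // true: old ABI still running
```

On a real host the two inputs come from `dpkg-query -W -f='${Version}' linux-image-<abi>-<flavour>` and `uname -r`; the tilde rule matters here because `4.10.0-38.42~16.04.1` sorts below `4.10.0-38.42`, so a naive string comparison would misjudge the HWE packages.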

References

CVE-2017-1000252, CVE-2017-10663, CVE-2017-10911, CVE-2017-11176, CVE-2017-14340



from Ubuntu Security Notices http://ift.tt/2iMl9AL

Firefox 58 to Block Canvas Browser Fingerprinting By Default to Stop Online Tracking


Do you know? Thousands of websites use HTML5 Canvas, a method supported by all major browsers that allows websites to dynamically draw graphics on web pages, to track and potentially identify users across websites by secretly fingerprinting their web browsers.

Over three years ago, the concern surrounding browser fingerprinting was highlighted by computer security experts from Princeton University and KU Leuven University in Belgium.

In 2014, the researchers demonstrated how the browser's native Canvas element can be used to draw unique images and assign each user's device a number (a fingerprint) that uniquely identifies it.

These fingerprints are then used to detect when that specific user visits affiliated websites and create a profile of the user's web browsing habits, which is then shared among advertising partners for targeted advertisements.

Since then, many third-party plugins and add-ons (e.g. Canvas Defender) have emerged to help users identify and block Canvas fingerprinting, but no web browser except the Tor Browser blocks Canvas fingerprinting by default.

Good news—the wait is over.

Mozilla is testing a new feature in the upcoming version of its Firefox web browser that will grant users the ability to block canvas fingerprinting.

The browser will now explicitly ask for the user's permission whenever a website or service attempts to use HTML5 Canvas image data in Firefox, according to a discussion on the Firefox bug tracking forum.

The permission prompt that Firefox displays reads:

"Will you allow [site] to use your HTML5 canvas image data? This may be used to uniquely identify your computer."

Once you see this prompt, it is up to you whether to allow the site access to your canvas image data or block it. You can also tick the "always remember my decision" box so your choice is remembered on future visits.
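What the prompt described above actually gates is the read-back of pixels out of a canvas; drawing on its own leaks nothing about the device. The following is an added example, not Mozilla's code and not the code of any add-on named in this article: a guard that wraps the canvas read-back methods so that every attempt passes through a policy callback (the allow/block decision the prompt asks the user for) and is logged for later inspection. The `policy(method)` signature and the fake canvas classes at the bottom are assumptions made for this example so it runs outside a browser; in a page you would pass `HTMLCanvasElement.prototype` and `CanvasRenderingContext2D.prototype` as the prototypes instead.

```javascript
// Added example, not Mozilla's code and not from any add-on named in the
// article. Fingerprinting needs to read pixels back out of a canvas; drawing
// alone leaks nothing. This guard wraps the read-back methods so every
// attempt passes through a policy callback (the decision the Firefox prompt
// asks the user for) and is logged. The `policy` signature and the fake
// canvas classes are assumptions for this example; in a browser you would
// pass HTMLCanvasElement.prototype and CanvasRenderingContext2D.prototype.

const READBACK_METHODS = [
  ['canvas', 'toDataURL'],
  ['canvas', 'toBlob'],
  ['context2d', 'getImageData'],
];

// Neutral value returned when a read is blocked: the page keeps running
// but sees the same thing on every device.
function blockedResult(method, args) {
  switch (method) {
    case 'toDataURL':
      return 'data:,';                          // empty data URL
    case 'toBlob': {                            // callback API: deliver null
      if (typeof args[0] === 'function') args[0](null);
      return undefined;
    }
    case 'getImageData': {                      // zeroed buffer of requested size
      const [, , w, h] = args;
      return { width: w, height: h, data: new Uint8ClampedArray(w * h * 4) };
    }
    default:
      return undefined;
  }
}

// protos: { canvas, context2d }; policy(method) -> 'allow' | 'block';
// log receives one entry per read-back attempt.
function installCanvasReadGuard(protos, policy, log) {
  for (const [kind, method] of READBACK_METHODS) {
    const proto = protos[kind];
    const original = proto && proto[method];
    if (typeof original !== 'function') continue;
    proto[method] = function guarded(...args) {
      const decision = policy(method);
      log.push({ method, decision });
      return decision === 'allow' ? original.apply(this, args)
                                  : blockedResult(method, args);
    };
  }
  return log;
}

// Constructed stand-ins for the browser classes (fresh per call so each
// simulation installs the guard on unwrapped prototypes).
function makeFakeCanvasEnvironment() {
  class FakeContext2D {
    getImageData(x, y, w, h) {     // pretend pixels carry device-specific values
      return { width: w, height: h, data: new Uint8ClampedArray(w * h * 4).fill(0xab) };
    }
  }
  class FakeCanvas {
    getContext() { return new FakeContext2D(); }
    toDataURL() { return 'data:image/png;base64,DEVICE-SPECIFIC-PIXELS'; }
    toBlob(cb) { cb({ size: 42 }); }
  }
  return { FakeCanvas, protos: { canvas: FakeCanvas.prototype, context2d: FakeContext2D.prototype } };
}

// A page script that reads canvas contents back, run under the given policy.
function simulateFingerprintAttempt(policy) {
  const { FakeCanvas, protos } = makeFakeCanvasEnvironment();
  const log = installCanvasReadGuard(protos, policy, []);
  const canvas = new FakeCanvas();
  const ctx = canvas.getContext('2d');
  const url = canvas.toDataURL('image/png');
  const pixels = ctx.getImageData(0, 0, 2, 2);
  return { url, firstPixel: pixels.data[0], attempts: log.map(e => e.method) };
}

console.log(simulateFingerprintAttempt(() => 'block'));
// { url: 'data:,', firstPixel: 0, attempts: [ 'toDataURL', 'getImageData' ] }
```

The log is the part a defender cares about even when the policy is "allow": a site that calls `toDataURL` or `getImageData` immediately after drawing text it never shows is behaving exactly like the 2014 research describes, and recording those calls is how add-ons such as Canvas Defender surface them to the user.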

Starting with Firefox 58, due in January 2018, this feature will be available to every Firefox user, but those who want to try it early can install the latest pre-release version of the browser, Firefox Nightly.

Besides giving users control over canvas fingerprinting, Firefox 58 will also remove the controversial WoSign root certificates, and those of its subsidiary StartCom, from Mozilla's root store.

With the release of Firefox 52, Mozilla had already stopped letting websites access the Battery Status API and information about the visitor's device, and had implemented protection against system font fingerprinting.



from The Hacker News http://ift.tt/2xDbEGA

Highly Critical Flaw (CVSS Score 10) Lets Hackers Hijack Oracle Identity Manager


A highly critical vulnerability has been discovered in Oracle's enterprise identity management system that can be easily exploited by remote, unauthenticated attackers to take full control over the affected systems.

The critical vulnerability, tracked as CVE-2017-10151, has been assigned the highest possible CVSS score of 10 and is easy to exploit without any user interaction, Oracle said in its advisory published Monday, without revealing many details about the issue.

The vulnerability affects the Oracle Identity Manager (OIM) component of Oracle Fusion Middleware, an enterprise identity management system that automatically manages users' access privileges within enterprises.

The security loophole is due to a "default account" that an unauthenticated attacker with network access via HTTP can use to compromise Oracle Identity Manager.

Oracle has not released complete details of the vulnerability, in an effort to prevent exploitation in the wild, but the "default account" here could be a hidden account with a hard-coded password or no password at all.

"This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials," Oracle's advisory reads.

The easily exploitable vulnerability affects Oracle Identity Manager versions 11.1.1.7, 11.1.1.9, 11.1.2.1.0, 11.1.2.2.0, 11.1.2.3.0 and 12.2.1.3.0.

Oracle has released patches for all versions of its affected products, so you are advised to install the patches before hackers get a chance to exploit the vulnerability to target your enterprise.

"Due to the severity of this vulnerability, Oracle strongly recommends that customers apply the updates provided by this Security Alert without delay," the company warned.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of the vulnerability.

However, Oracle said it was "likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions."

The security patch for this vulnerability comes about two weeks after Oracle's regular Critical Patch Update (CPU) for October 2017, which patched a total of 252 vulnerabilities across its products, including 40 in Fusion Middleware, 26 of which are remotely exploitable without authentication.



from The Hacker News http://ift.tt/2lyjLCH