Wednesday, October 31, 2018
Mozilla Releases Security Update for Thunderbird ESR
Mozilla has released a security update to address vulnerabilities in Thunderbird ESR. An attacker could exploit some of these vulnerabilities to take control of an affected system.
NCCIC encourages users and administrators to review the Mozilla Security Advisory for Thunderbird ESR 60.3 and apply the necessary update.
from US-CERT National Cyber Alert System https://ift.tt/2DezYoK
Vulnerability Spotlight: Multiple Vulnerabilities in Yi Technology Home Camera
Vulnerabilities Discovered by Lilith [x_x] of Cisco Talos.
Overview
Cisco Talos is disclosing multiple vulnerabilities in the firmware of the Yi Technology Home Camera. In order to prevent the exploitation of these vulnerabilities, Talos worked with Yi Technology to make sure a newer version of the firmware is available to users. These vulnerabilities could allow an attacker to gain remote code execution on the devices via a command injection, bypass methods of network authentication, or disable the device.
The Yi Home Camera is an internet-of-things (IoT) home camera sold globally. The 27US version is one of the newer models sold in the U.S. and is the most basic model out of the Yi Technology camera lineup.
It includes all the functions that one would expect from an IoT device, including the ability to view the camera’s feed from anywhere, offline storage, subscription-based cloud storage and easy setup.
Read the complete details here
from Cisco Blog » Security https://ift.tt/2QakSUf
Cisco Adaptive Security Appliance Software and Cisco Firepower Threat Defense Software Denial of Service Vulnerability
Cisco will release free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
https://www.cisco.com/c/en/us/products/end-user-license-agreement.html
Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.
When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.
In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
Customers Without Service Contracts
Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
Fixed Releases
Software updates that address the vulnerability described in this advisory are not currently available. This section of the advisory will be updated once fixed software is available.
from Cisco Security Advisory https://ift.tt/2F6EQ1d
Anatomy of a sextortion scam
Since this July, attackers have increasingly been spreading sextortion-type attacks across the internet. Cisco Talos has been investigating these campaigns over the past few months. In many cases the spammers harvested email addresses and passwords from a publicly available data breach, and then used this data to facilitate their sextortion attacks. While the attackers do not actually have any compromising videos of the victim, the emails claim to have explicit videos that they will distribute if the victim doesn't make the extortion payment by a certain time. By including the recipient's password along with their demands for payment, the attackers hope to legitimize their claims about having compromising material concerning the victim. While these attacks have been in the wild for months, Talos wanted to take a closer look at some of these campaigns to see why users were being tricked into sending the attackers large amounts of bitcoin despite the attackers' empty threats. By examining some of the sextortion spam campaigns in detail, our researchers were able to gain insight into how these criminals operate.
from Cisco Blog » Security https://ift.tt/2CTjUIb
Apple's New MacBook Disconnects Microphone "Physically" When Lid is Closed
Apple has introduced a new privacy feature for all new MacBooks that "to some extent" will prevent hackers and malicious applications from eavesdropping on your conversations.
Apple's custom T2 security chip in the latest MacBooks includes a new hardware feature that physically disconnects the MacBook's built-in microphone whenever the user closes the lid, the company revealed yesterday at its event at the Brooklyn Academy of Music in New York.
Though the new T2 chip is already present in the 2018 MacBook Pro models launched earlier this year, this new feature got unveiled when Apple launched the new Retina MacBook Air and published a full security guide for T2 Chip yesterday.
"This disconnect is implemented in hardware alone, and therefore prevents any software, even with root or kernel privileges in macOS, and even the software on the T2 chip, from engaging the microphone when the lid is closed," Apple explained in the guide [PDF].
The tech giant further added that "the camera is not disconnected in hardware because its field of view is completely obstructed with the lid closed."
Is It Helpful? Not Much
This feature is excellent, as it makes it impossible for malware to access your built-in microphone when the lid is closed, but honestly, it doesn't help when you are most vulnerable, i.e. while working.
Mac users will still be prone to malware, like the infamous FruitFly malware, that can secretly turn on your MacBook camera and microphone to record video and audio when your laptop lid is not closed.
In my opinion, such a physical hardware disconnect feature would be more helpful if manufacturers could offer a manual switch with which users can turn their device's microphone or camera on or off whenever required.
More About Apple T2 Security Chip
Besides this, Apple's T2 chip also offers other impressive security features, including the Secure Enclave coprocessor, which protects your MacBook's encryption keys and fingerprint data, and secure boot.
Along with the security and convenience of Touch ID, MacBooks with the T2 chip provide "a level of privacy and security protections never before seen on Mac," according to Apple.
The T2 chip offers some non-security features as well: an image signal processor that enables enhanced tone mapping and white balancing for the FaceTime HD camera, control of the ambient sensor, the system management controller (SMC), the Apple video encoder, the audio controller, and support for "Hey Siri."
from The Hacker News https://ift.tt/2OZERs5
USN-3805-1: curl vulnerabilities
curl vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary
Several security issues were fixed in curl.
Software Description
- curl - HTTP, HTTPS, and FTP client and client libraries
Details
Harry Sintonen discovered that curl incorrectly handled SASL authentication. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2018-16839)
Brian Carpenter discovered that curl incorrectly handled memory when closing certain handles. A remote attacker could use this issue to cause curl to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2018-16840)
Brian Carpenter discovered that the curl command-line tool incorrectly handled error messages. A remote attacker could possibly use this issue to obtain sensitive information. (CVE-2018-16842)
Update instructions
The problem can be corrected by updating your system to the following package versions:
- Ubuntu 18.10
- curl - 7.61.0-1ubuntu2.2
- libcurl3-gnutls - 7.61.0-1ubuntu2.2
- libcurl3-nss - 7.61.0-1ubuntu2.2
- libcurl4 - 7.61.0-1ubuntu2.2
- Ubuntu 18.04 LTS
- curl - 7.58.0-2ubuntu3.5
- libcurl3-gnutls - 7.58.0-2ubuntu3.5
- libcurl3-nss - 7.58.0-2ubuntu3.5
- libcurl4 - 7.58.0-2ubuntu3.5
- Ubuntu 16.04 LTS
- curl - 7.47.0-1ubuntu2.11
- libcurl3 - 7.47.0-1ubuntu2.11
- libcurl3-gnutls - 7.47.0-1ubuntu2.11
- libcurl3-nss - 7.47.0-1ubuntu2.11
- Ubuntu 14.04 LTS
- curl - 7.35.0-1ubuntu2.19
- libcurl3 - 7.35.0-1ubuntu2.19
- libcurl3-gnutls - 7.35.0-1ubuntu2.19
- libcurl3-nss - 7.35.0-1ubuntu2.19
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
References
from Ubuntu Security Notices https://ift.tt/2CSrX7S
IBM Security Bulletin: IBM Robotic Process Automation could disclose sensitive information in a web request (CVE-2018-1878)
Oct 31, 2018 9:01 am EDT
Categorized: Medium Severity
IBM Robotic Process Automation could disclose sensitive information in a web request that could aid in future attacks against the system
CVE(s): CVE-2018-1878
Affected product(s) and affected version(s):
Affected IBM Robotic Process Automation with Automation Anywhere | Affected Versions |
IBM Robotic Process Automation with Automation Anywhere | 11.0 |
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10735977
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/151714
from IBM Product Security Incident Response Team https://ift.tt/2qsxKtL
IBM Security Bulletin: Passwords are unencrypted locally in IBM Robotic Process Automation with Automation Anywhere (CVE-2018-1877)
Oct 31, 2018 9:01 am EDT
Categorized: Medium Severity
IBM Robotic Process Automation could store highly sensitive information in the form of unencrypted passwords that would be available to a local user.
CVE(s): CVE-2018-1877
Affected product(s) and affected version(s):
Affected IBM Robotic Process Automation with Automation Anywhere | Affected Versions |
IBM Robotic Process Automation with Automation Anywhere | 11.0 |
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10735973
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/151713
from IBM Product Security Incident Response Team https://ift.tt/2qsxJWJ
IBM Security Bulletin: Passwords printed to log files in IBM Robotic Process Automation with Automation Anywhere (CVE-2018-1876)
Oct 31, 2018 9:01 am EDT
Categorized: Medium Severity
IBM Robotic Process Automation with Automation Anywhere log files may contain plain text password in some cases
CVE(s): CVE-2018-1876
Affected product(s) and affected version(s):
Affected IBM Robotic Process Automation with Automation Anywhere | Affected Versions |
IBM Robotic Process Automation with Automation Anywhere | 11.0 |
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10735967
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/151707
from IBM Product Security Incident Response Team https://ift.tt/2qkJvSI
IBM Security Bulletin: ViewONE is vulnerable to XXE attack when opening PDF documents
Oct 31, 2018 9:01 am EDT | High Severity
ViewONE is vulnerable to XXE attack when opening PDF documents.
CVE(s): CVE-2018-1835
Affected product(s) and affected version(s):
Daeja ViewONE 5.0
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://ift.tt/2qsxGKx
X-Force Database: https://ift.tt/2qsxHhz
from IBM Product Security Incident Response Team https://ift.tt/2qmESaY
IBM Security Bulletin: IBM RackSwitch firmware products are affected by vulnerabilities in Python (CVE-2016-5636 CVE-2017-1000158)
Oct 31, 2018 9:01 am EDT
Categorized: High Severity
Vulnerabilities in Python have been addressed by IBM RackSwitch firmware products listed below.
CVE(s): CVE-2016-5636, CVE-2017-1000158
Affected product(s) and affected version(s):
Product | Affected Version |
IBM RackSwitch G8000 | 7.1 |
IBM RackSwitch G8052 | 7.9 |
IBM RackSwitch G8052 | 7.11 |
IBM RackSwitch G8124/G8124E | 7.9 |
IBM RackSwitch G8124/G8124E | 7.11 |
IBM RackSwitch G8264 | 7.9 |
IBM RackSwitch G8264 | 7.11 |
IBM RackSwitch G8264CS | 7.8 |
IBM RackSwitch G8264T | 7.9 |
IBM RackSwitch G8316 | 7.9 |
IBM RackSwitch G8332 | 7.7 |
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10737147
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/114309
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/135119
from IBM Product Security Incident Response Team https://ift.tt/2qsxECp
IBM Security Bulletin: IBM Flex System switch firmware products are affected by vulnerabilities in Python (CVE-2016-5636 CVE-2017-1000158)
Oct 31, 2018 9:01 am EDT
Categorized: High Severity
Vulnerabilities in Python have been addressed by the IBM Flex System switch firmware products listed below.
CVE(s): CVE-2016-5636, CVE-2017-1000158
Affected product(s) and affected version(s):
Product | Affected Version |
IBM Flex System Fabric EN4093/EN4093R 10Gb Scalable Switch firmware | 7.8 |
IBM Flex System EN2092 1Gb Ethernet Scalable firmware | 7.8 |
IBM Flex System Fabric GbFSIM 10Gb Scalable Switch firmware | 7.8 |
IBM Flex System CN4093 10Gb ScSE firmware | 7.8 |
G8264CS_SI_Fabric_Image | 7.8 |
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10737125
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/114309
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/135119
from IBM Product Security Incident Response Team https://ift.tt/2qiYFYG
IBM Security Bulletin: IBM BladeCenter Switch Modules are affected by vulnerabilities in python (CVE-2016-5636 CVE-2017-1000158)
Oct 31, 2018 9:01 am EDT
Categorized: High Severity
IBM BladeCenter Switch Modules have addressed the following vulnerabilities in Python.
CVE(s): CVE-2016-5636, CVE-2017-1000158
Affected product(s) and affected version(s):
Product | Affected Version |
IBM 1/10 Gb Uplink Ethernet Switch Module | 6.8 |
IBM 1/10 Gb Uplink Ethernet Switch Module | 7.4 |
IBM BladeCenter Virtual Fabric 10Gb Switch Module | 6.8 |
IBM BladeCenter Virtual Fabric 10Gb Switch Module | 7.8 |
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=ibm10736105
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/114309
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/135119
from IBM Product Security Incident Response Team https://ift.tt/2qsxBXf
IBM Security Bulletin: Remote Code Execution vulnerability in IBM Robotic Process Automation with Automation Anywhere (CVE-2018-1552)
Oct 31, 2018 9:00 am EDT
Categorized: Medium Severity
IBM Robotic Process Automation with Automation Anywhere is vulnerable to a remote code execution vulnerability
CVE(s): CVE-2018-1552
Affected product(s) and affected version(s):
Affected IBM Robotic Process Automation with Automation Anywhere | Affected Versions |
IBM Robotic Process Automation with Automation Anywhere | 10.0, 11.0 |
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg22016247
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/142889
from IBM Product Security Incident Response Team https://ift.tt/2qsxzi5
Tuesday, October 30, 2018
New iPhone Passcode Bypass Found Hours After Apple Releases iOS 12.1
It's only been a few hours since Apple released iOS 12.1, and an iPhone enthusiast has once again managed to find a passcode bypass hack that could allow anyone to see all contacts' private information on a locked iPhone.
Jose Rodriguez, a Spanish security researcher, contacted The Hacker News and confirmed that he discovered an iPhone passcode bypass bug in the latest version of its iOS mobile operating system, iOS 12.1, released by Apple today.
To demonstrate the bug, Rodriguez shared a video with The Hacker News, as shown below, describing how the new iPhone hack works; it is simpler to perform than his previous passcode bypass findings.
Instead, the issue resides in a new feature, called Group FaceTime, introduced by Apple with iOS 12.1, which makes it easy for users to video chat with more people than ever before (a maximum of 32 people).
How Does the New iPhone Passcode Bypass Attack Work?
Unlike his previous passcode bypass hacks, the new method works even without having Siri or VoiceOver screen reader feature enabled on a target iPhone, and is trivial to execute.
Here are steps to execute the new passcode bypass hack:
- Call the target iPhone from any other iPhone (if you don't know the target's phone number, you can ask Siri "who I am," or ask Siri to make a call to your phone number digit by digit), or use Siri to call on your own iPhone.
- As soon as the call connects, initiate the "Facetime" video call from the same screen.
- Now go to the bottom right menu and select "Add Person."
- Press the plus icon (+) to access the complete contact list of the targeted iPhone, and by doing 3D Touch on each contact, you can see more information.
"In a passcode-locked iPhone with latest iOS released today Tuesday, you receive a phone call, or you ask Siri make a phone call (can be digit by digit), and, by changing the call to FaceTime you can access to the contacts list, and by doing 3D Touch on each contact you can see more contact information," Rodriguez told The Hacker News.
Also, it should be noted that since the attack utilizes Apple's Facetime, the hack would only work if the devices involved in the process are iPhones.
The new passcode bypass method seems to work on all current iPhone models, including iPhone X and XS devices, running the latest version of the Apple mobile operating system, i.e., iOS 12.1.
Since there's no workaround to temporarily fix the issue, users can just wait for Apple to issue a software update to address the new iPhone passcode bypass bug as soon as possible.
Rodriguez has previously discovered a series of iPhone passcode bypass hacks. Around two weeks ago, he found an iPhone bypass hack that works in iOS 12.0.1 and takes advantage of Siri and the VoiceOver screen reader to get through your phone's defenses, allowing attackers to access photos and contacts on a locked iPhone.
Rodriguez discovered a similar bug in iOS 12 late last month that also takes advantage of Siri and the VoiceOver screen reader, and allows attackers with physical access to your iPhone to access your contacts and photos.
from The Hacker News https://ift.tt/2CRD555
USN-3804-1: OpenJDK vulnerabilities
openjdk-8, openjdk-lts vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
Summary
Several security issues were fixed in OpenJDK.
Software Description
- openjdk-lts - Open Source Java implementation
- openjdk-8 - Open Source Java implementation
Details
It was discovered that the Security component of OpenJDK did not properly ensure that manifest elements were signed before use. An attacker could possibly use this to specially construct an untrusted Java application or applet that could escape sandbox restrictions. (CVE-2018-3136)
Artem Smotrakov discovered that the HTTP client redirection handler implementation in OpenJDK did not clear potentially sensitive information in HTTP headers when following redirections to different hosts. An attacker could use this to expose sensitive information. (CVE-2018-3139)
It was discovered that the Java Naming and Directory Interface (JNDI) implementation in OpenJDK did not properly enforce restrictions specified by system properties in some situations. An attacker could potentially use this to execute arbitrary code. (CVE-2018-3149)
It was discovered that the Utility component of OpenJDK did not properly ensure all attributes in a JAR were signed before use. An attacker could use this to specially construct an untrusted Java application or applet that could escape sandbox restrictions. This issue only affected Ubuntu 18.04 LTS and Ubuntu 18.10. (CVE-2018-3150)
It was discovered that the Hotspot component of OpenJDK did not properly perform access checks in certain cases when performing field link resolution. An attacker could use this to specially construct an untrusted Java application or applet that could escape sandbox restrictions. (CVE-2018-3169)
Felix Dörre discovered that the Java Secure Socket Extension (JSSE) implementation in OpenJDK did not ensure that the same endpoint identification algorithm was used during TLS session resumption as during initial session setup. An attacker could use this to expose sensitive information. (CVE-2018-3180)
Krzysztof Szafrański discovered that the Scripting component did not properly restrict access to the scripting engine in some situations. An attacker could use this to specially construct an untrusted Java application or applet that could escape sandbox restrictions. (CVE-2018-3183)
Nelson William Gamazo Sanchez discovered an unspecified vulnerability in OpenJDK when the Java Usage Tracker is used. An attacker could use this to specially construct an untrusted Java application or applet that could escape sandbox restrictions. (CVE-2018-3211)
Tobias Ospelt discovered that the Resource Interchange File Format (RIFF) reader implementation in OpenJDK contained an infinite loop. An attacker could use this to cause a denial of service. This issue only affected Ubuntu 16.04 LTS. (CVE-2018-3214)
Update instructions
The problem can be corrected by updating your system to the following package versions:
- Ubuntu 18.10
- openjdk-11-jdk - 11.0.1+13-2ubuntu1
- openjdk-11-jre - 11.0.1+13-2ubuntu1
- openjdk-11-jre-headless - 11.0.1+13-2ubuntu1
- Ubuntu 18.04 LTS
- openjdk-11-jdk - 10.0.2+13-1ubuntu0.18.04.3
- openjdk-11-jre - 10.0.2+13-1ubuntu0.18.04.3
- openjdk-11-jre-headless - 10.0.2+13-1ubuntu0.18.04.3
- Ubuntu 16.04 LTS
- openjdk-8-jdk - 8u181-b13-1ubuntu0.16.04.1
- openjdk-8-jre - 8u181-b13-1ubuntu0.16.04.1
- openjdk-8-jre-headless - 8u181-b13-1ubuntu0.16.04.1
- openjdk-8-jre-jamvm - 8u181-b13-1ubuntu0.16.04.1
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
This update uses a new upstream release, which includes additional bug fixes. After a standard system update you need to restart any Java applications or applets to make all the necessary changes.
References
- CVE-2018-3136
- CVE-2018-3139
- CVE-2018-3149
- CVE-2018-3150
- CVE-2018-3169
- CVE-2018-3180
- CVE-2018-3183
- CVE-2018-3211
- CVE-2018-3214
from Ubuntu Security Notices https://ift.tt/2qhMrzw
USN-3803-1: Ghostscript vulnerabilities
ghostscript vulnerabilities
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 18.10
- Ubuntu 18.04 LTS
- Ubuntu 16.04 LTS
- Ubuntu 14.04 LTS
Summary
Several security issues were fixed in Ghostscript.
Software Description
- ghostscript - PostScript and PDF interpreter
Details
Tavis Ormandy discovered multiple security issues in Ghostscript. If a user or automated system were tricked into processing a specially crafted file, a remote attacker could possibly use these issues to access arbitrary files, execute arbitrary code, or cause a denial of service.
Update instructions
The problem can be corrected by updating your system to the following package versions:
- Ubuntu 18.10
- ghostscript - 9.25~dfsg+1-0ubuntu1.1
- libgs9 - 9.25~dfsg+1-0ubuntu1.1
- Ubuntu 18.04 LTS
- ghostscript - 9.25~dfsg+1-0ubuntu0.18.04.2
- libgs9 - 9.25~dfsg+1-0ubuntu0.18.04.2
- Ubuntu 16.04 LTS
- ghostscript - 9.25~dfsg+1-0ubuntu0.16.04.2
- libgs9 - 9.25~dfsg+1-0ubuntu0.16.04.2
- Ubuntu 14.04 LTS
- ghostscript - 9.25~dfsg+1-0ubuntu0.14.04.2
- libgs9 - 9.25~dfsg+1-0ubuntu0.14.04.2
To update your system, please follow these instructions: https://wiki.ubuntu.com/Security/Upgrades.
In general, a standard system update will make all the necessary changes.
References
from Ubuntu Security Notices https://ift.tt/2qj3vVV
Apple Releases Multiple Security Updates
Apple has released security updates to address vulnerabilities in multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system.
NCCIC encourages users and administrators to review the Apple security pages for the following products and apply the necessary updates:
- Safari 12.0.1
- iCloud for Windows 7.8
- iTunes 12.9.1
- watchOS 5.1
- iOS 12.1
- tvOS 12.1
- macOS Mojave 10.14.1, Security Update 2018-001 High Sierra, Security Update 2018-005 Sierra
from US-CERT National Cyber Alert System https://ift.tt/2CR3LD6
Talos Vulnerability Discovery Year in Review – 2018
Introduction
Cisco Talos’ Vulnerability Discovery Team investigates software and operating system vulnerabilities in order to discover them before malicious threat actors. We provide this information to vendors so that they can create patches and protect their customers as soon as possible. We strive to improve the security of our customers with detection content, which protects them while the vendor is creating, testing, and delivering the patch. These patches ultimately remove the vulnerability in question, which increases security not only for our customers, but for everyone. Once these patches become available, the Talos detection content becomes public, as well. You can find all of the release information via the Talos vulnerability information page here.
Over the past several years, our research team has improved the pace at which we disclose vulnerabilities. Talos increased the number of vulnerabilities it disclosed 22 percent year-over-year, and we hope to continue to grow that number. As of October 23rd, Cisco has updated its vendor vulnerability and discovery policy. You can read the complete details here.
Read the rest of the details on the Talos Blog
from Cisco Blog » Security https://ift.tt/2SwSope
Windows 10 Bug Let UWP Apps Access All Files Without Users' Consent
Microsoft silently patched a bug in its Windows 10 operating system with the October 2018 update (version 1809) that allowed Microsoft Store apps with extensive file system permission to access all files on users' computers without their consent.
With Windows 10, Microsoft introduced a common platform, called Universal Windows Platform (UWP), that allows apps to run on any device running Windows 10, including desktop PCs, Xbox, IoT devices, Surface Hub, and mixed-reality headsets.
UWP apps can access certain APIs, files (such as pictures or music), and devices (such as the camera and microphone) by declaring the required permissions in their package manifest (configuration) file.
By default, UWP apps have access only to the directories where the app is installed on the user's system and where the app can store data (local, roaming and temporary folders).
However, to access other files on a system, including sensitive resources, Microsoft offers several types of capabilities that an application can use by declaring their permission in the manifest file.
One such extensive capability, called broadFileSystemAccess (Broad Filesystem Access), allows an application to access the file system at the same level as the user who launched the app.
However, according to Microsoft, this is a restricted capability that, if used, triggers a user-consent prompt when users first launch the app, asking them to grant or deny this permission to the app.
"On first use, the system will prompt the user to allow access. Access is configurable in Settings > Privacy > File system. If you submit an app to the Store that declares this capability, you will need to supply additional descriptions of why your app needs this capability, and how it intends to use it," Microsoft documentation says.
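Because the capability lives in the package manifest, an administrator or reviewer can find apps that request it by reading the manifest rather than waiting for the (in this case broken) prompt. The script below is an added example, not Microsoft's or Lachance's code: it parses a Package.appxmanifest and lists every declared capability, flagging those in the `restrictedcapabilities` namespace, which is where Microsoft's schema places broadFileSystemAccess. The namespace URIs are the ones Microsoft's manifest schema uses; the manifest content itself is a constructed sample for a hypothetical app.

```python
"""Audit a UWP Package.appxmanifest for restricted capabilities.

Added example; the namespace URIs follow Microsoft's appx manifest schema,
the sample manifest is constructed and does not describe a real app.
"""
import xml.etree.ElementTree as ET

NS_FOUNDATION = "http://schemas.microsoft.com/appx/manifest/foundation/windows10"
NS_UAP = "http://schemas.microsoft.com/appx/manifest/uap/windows10"
NS_RESCAP = "http://schemas.microsoft.com/appx/manifest/foundation/windows10/restrictedcapabilities"

# Constructed sample manifest for a hypothetical app that asks for
# broadFileSystemAccess alongside two ordinary capabilities.
SAMPLE_MANIFEST = f"""<Package xmlns="{NS_FOUNDATION}"
         xmlns:uap="{NS_UAP}"
         xmlns:rescap="{NS_RESCAP}"
         IgnorableNamespaces="uap rescap">
  <Identity Name="Example.FileTool" Publisher="CN=Example" Version="1.0.0.0" />
  <Capabilities>
    <Capability Name="internetClient" />
    <uap:Capability Name="picturesLibrary" />
    <rescap:Capability Name="broadFileSystemAccess" />
  </Capabilities>
</Package>
"""


def declared_capabilities(manifest_xml):
    """Return [(namespace, name)] for every capability the manifest declares."""
    root = ET.fromstring(manifest_xml)
    caps = root.find(f"{{{NS_FOUNDATION}}}Capabilities")
    if caps is None:
        return []
    result = []
    for child in caps:
        # ElementTree tags look like "{namespace}LocalName".
        ns, _, local = child.tag[1:].partition("}")
        name = child.get("Name")
        if local in ("Capability", "DeviceCapability") and name:
            result.append((ns, name))
    return result


def restricted_capabilities(manifest_xml):
    """Names of capabilities declared in the restricted-capabilities namespace."""
    return [name for ns, name in declared_capabilities(manifest_xml) if ns == NS_RESCAP]


def requests_broad_file_system_access(manifest_xml):
    """True when the app declares the broadFileSystemAccess restricted capability."""
    return "broadFileSystemAccess" in restricted_capabilities(manifest_xml)


def audit_report(manifest_xml):
    """Human-readable summary, one line per capability, restricted ones marked."""
    lines = []
    for ns, name in declared_capabilities(manifest_xml):
        marker = "RESTRICTED" if ns == NS_RESCAP else "ok"
        lines.append(f"{marker:10} {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(audit_report(SAMPLE_MANIFEST))
    if requests_broad_file_system_access(SAMPLE_MANIFEST):
        print("App requests broadFileSystemAccess; confirm Settings > Privacy > File system.")
```

On a real machine the manifests of installed packages can be read with the PowerShell `Get-AppxPackage` and `Get-AppxPackageManifest` cmdlets and fed to `restricted_capabilities`; an app that declares broadFileSystemAccess on a build before version 1809 had that access without any prompt, which is exactly the case the article describes.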
According to Windows app developer Sébastien Lachance, Windows 10 versions prior to the October 2018 Update failed to display the prompt for permission to access the file system due to a bug, apparently leaving users' sensitive data exposed to apps downloaded from the Windows Store.
In other words, until version 1809, such apps could be used to access the entire file system without prompting users for permission.
Lachance learned about the bug when one of his applications that uses the broadFileSystemAccess permission started crashing after he installed the Windows 10 October 2018 Update.
A Microsoft engineer later explained to Lachance that since the latest Windows 10 update addressed the prompt issue by turning the 'broadFileSystemAccess' setting OFF by default, all UWP apps may need to be updated to prevent crashes.
In order to prevent crashes, Andrew suggested that Windows app developers include a simple line of code in their affected software that will require users to accept the new file access permission in Settings before launching the application.
Since Microsoft halted the rollout of the Windows 10 October Update due to a file-wiping bug, users who don't have the update can restrict UWP apps' access to the file system on their Windows 10 computer via Settings → Privacy → File system.
from The Hacker News https://ift.tt/2AzRdyq
IBM Security Bulletin: Code execution vulnerability with OpenID connect in WebSphere Application Server Liberty (CVE-2018-1851)
Oct 30, 2018 9:01 am EDT
Categorized: High Severity
There is a potential code execution vulnerability in OpenID connect in WebSphere Application Server Liberty.
CVE(s): CVE-2018-1851
Affected product(s) and affected version(s):
This vulnerability affects the following versions and releases of IBM WebSphere Application Server:
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10735105
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/150999
from IBM Product Security Incident Response Team https://ift.tt/2qiHczz
IBM Security Bulletin: Vulnerability in the IBM FlashSystem model V840
Oct 30, 2018 9:01 am EDT
Categorized: High Severity
The FlashSystem™ V840 is susceptible to a vulnerability whose exploitation could allow an escalation of privilege. Only systems with 1.4 firmware installed are vulnerable.
CVE(s): CVE-2018-1822
Affected product(s) and affected version(s):
FlashSystem V840 machine type and models (MTMs) affected include 9840-AE1 and 9843-AE1
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10732968
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/150296
from IBM Product Security Incident Response Team https://ift.tt/2Rpsbro
IBM Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2018-10858)
Oct 30, 2018 9:01 am EDT
Categorized: High Severity
A Samba vulnerability exposes the IBM Spectrum Scale SMB protocol access method to a heap-based buffer overflow, caused by improper bounds checking in libsmbclient. By sending an overly long filename, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
CVE(s): CVE-2018-10858
Affected product(s) and affected version(s):
IBM Spectrum Scale V5.0.0.0 through V5.0.2.0
IBM Spectrum Scale V4.2.0.0 through V4.2.3.10
IBM Spectrum Scale V4.1.1.0 through V4.1.1.20
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10732876
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148710
from IBM Product Security Incident Response Team https://ift.tt/2RmdFk0
IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Content Collector for SAP Applications
There are multiple vulnerabilities in IBM® SDK Java Technology Edition, Version 7 used by Content Collector for SAP Applications. These issues were disclosed as part of the IBM Java SDK updates in July 2018.
CVE(s): CVE-2017-3736, CVE-2017-3732, CVE-2016-0705, CVE-2018-1656, CVE-2018-2952, CVE-2018-12539
Affected product(s) and affected version(s):
IBM Content Collector for SAP Applications v4.0
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10737813
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/134397
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/121313
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/111140
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/144882
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/146815
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148389
from IBM Product Security Incident Response Team https://ift.tt/2Rje4DU
IBM Security Bulletin: A vulnerability in IBM Java SDK affects IBM Spectrum Scale
Oct 30, 2018 9:01 am EDT
Categorized: High Severity
There is a vulnerability in IBM SDK Java Technology Edition, Version 8 used by IBM Spectrum Scale. This issue was disclosed as part of the IBM Java SDK updates in Jul 2018.
CVE(s): CVE-2018-12539
Affected product(s) and affected version(s):
IBM Spectrum Scale V5.0.0.0 through V5.0.2.0
IBM Spectrum Scale V4.2.0.0 through V4.2.3.10
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10735169
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148389
from IBM Product Security Incident Response Team https://ift.tt/2RrBkQf
IBM Security Bulletin: Multiple Vulnerabilities in IBM Java SDK affect IBM Integration Designer
Oct 30, 2018 9:01 am EDT
Categorized: High Severity
There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition, Version 7, that affect IBM Integration Designer for IBM Business Process Manager (BPM). Integration Designer has addressed the applicable CVEs.
CVE(s): CVE-2018-1656, CVE-2018-12539
Affected product(s) and affected version(s):
IBM Integration Designer V8.5.0.1, V8.5.5, V8.5.6, and V8.5.7.
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www-01.ibm.com/support/docview.wss?uid=ibm10733845
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/144882
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/148389
from IBM Product Security Incident Response Team https://ift.tt/2RprZIG
Cisco Recognized as a Leader in Incident Response
It is never ideal to “go it alone” during a cybersecurity breach. Talk about a high-pressure situation. Getting access to experts is critical: with a strong support team, you’ll have more hands on deck so you can act quickly, and when you tap into skilled incident response experts, you have the benefit of their experience in other similar environments that can be applied to your situation.
IDC recently published an IDC MarketScape on Incident Response and made the same observation. The report states, “The experience that IR service providers gain from working on many different incidents at many different companies is an invaluable perspective that enterprises crave for strategic planning purposes.”
We are pleased that Cisco is positioned as a Leader in the report, titled “IDC MarketScape: US Incident Readiness, Response and Resiliency Services 2018 Vendor Assessment – Beyond the Big 5 Consultancies”[1] (download excerpt here). I’m very proud that the work our team is doing is recognized in a report such as this.
When I came into Cisco 3 years ago, I was very firm in my stance that I wanted to build an incident response business and capability that I could not only be proud of and evangelize, but would more importantly treat our customers like I would have liked to have been treated when I was on the other side of the table (spending time leading incident response teams at other Fortune 500s). I am proud of the fantastic men and women on our IR team who have worked tirelessly to execute this vision and always put our customers first.
I understand that customers have a lot of factors they evaluate when choosing an IR vendor. The IDC report noted, “The main reasons to choose a provider is their technical acumen, reputation for security technology, security operational management, and threat visibility.”
Our experience at Cisco is the same. Our customers tell us the characteristics of our services they like best are:
- Experienced consultants and mature incident response operational processes: Our specialists leverage not only a deep toolset of forensics hardware and software, but also robust enterprise class tools such as Cisco AMP for Endpoints, Umbrella, and Stealthwatch, along with a proven process to deliver incident response. The aggregation and analysis of our unrivaled telemetry provides Cisco Incident Response experts with a clearer, deeper view of your network. Our experts also apply their knowledge to strengthen your security program with assessments, threat hunting, and tabletop exercises, to name a few of the proactive services we can provide.
- Access to Cisco Talos threat intelligence: Cisco Incident Response works hand-in-hand with Talos, the largest threat intelligence team in the world, to identify known and unknown threats, quantify and prioritize risk, and help minimize risk in the future.
- Unique and transparent pricing structure: Customers can choose from Emergency Incident Response (if you are actively fighting a breach) or proactive services (if you’d like to prepare for the unknown). No investment goes to waste. If you buy our Incident Response Retainer and do not experience a cyber attack during the year, those hours can be applied toward things like Proactive Threat Hunting or an assessment. We also employ a very simple approach that allows us to operate quickly, and with the freedom to ensure the financial impact to our customers is reasonable and allows flexibility to adjust as the scope of the incident becomes better known. We recognize that IR service hours can go very quickly, especially in emergency situations with a number of people working around the clock, so we provide a daily update to our clients that also includes an update on hours utilized so far so there are never any surprises.
If you are evaluating Incident Response services for your organizations, consider downloading this IDC MarketScape excerpt to learn more. We also encourage you to visit Cisco Incident Response Services on Cisco.com or contact us to have one of our experts speak with you.
[1] Source: “IDC MarketScape: US Incident Readiness, Response and Resiliency Services 2018 Vendor Assessment – Beyond the Big 5 Consultancies”; #US44257117; September 2018.
from Cisco Blog » Security https://ift.tt/2yGLh59
ST18-005: Proper Disposal of Electronic Devices
Why is it important to dispose of electronic devices safely?
In addition to effectively securing sensitive information on electronic devices, it is important to follow best practices for electronic device disposal. Computers, smartphones, and cameras allow you to keep a great deal of information at your fingertips, but when you dispose of, donate, or recycle a device you may inadvertently disclose sensitive information which could be exploited by cyber criminals.
Types of electronic devices include:
- Computers, Smartphones, and Tablets — electronic devices that can automatically store and process data; most contain a central processing unit and memory, and use an operating system that runs programs and applications.
- Digital Media — these electronic devices create, store, and play digital content. Digital media devices include items like digital cameras and media players.
- External Hardware and Peripheral Devices — hardware devices that provide input and output for computers, such as printers, monitors, and external hard drives; these devices contain permanently stored digital characters.
- Gaming Consoles — electronic, digital, or computer devices that output a video signal or visual image to display a video game.
What are some effective methods for removing data from your device?
There are a variety of methods for permanently erasing data from your devices (also called sanitizing). Because methods of sanitization vary according to device, it is important to use the method that applies to that particular device.
Methods for sanitization include:
- Backing Up Data. Saving your data to another device or a second location (e.g., an external hard drive or the cloud) can help you recover your data if your device is stolen. Options for digital storage include cloud data services, CDs, DVDs, and removable flash drives or removable hard drives (see ST08-001 Using Caution with USB Drives and ST04-020 Protecting Portable Devices: Data Security for more information). Backing up your data can also help you identify exactly what information a thief may have been able to access.
- Deleting Data. Removing data from your device can be one method of sanitization. When you delete files from a device—although the files may appear to have been removed—data remains on the media even after a delete or format command is executed. Do not rely solely on the deletion method you routinely use, such as moving a file to the trash or recycle bin or selecting “delete” from the menu. Even if you empty the trash, the deleted files are still on the device and can be retrieved. Permanent data deletion requires several steps.
  - Computers. Use disk-cleaning software designed to permanently remove the data stored on a computer hard drive to prevent the possibility of recovery.
    - Secure erase. This is a set of commands in the firmware of most computer hard drives. If you select a program that runs the secure erase command set, it will erase the data by overwriting all areas of the hard drive.
    - Disk wiping. This is a utility that erases sensitive information on hard drives and securely wipes flash drives and secure digital cards.
  - Smartphones and Tablets. Ensure that all data is removed from your device by performing a “hard reset.” This will return the device to its original factory settings. Each device has a different hard reset procedure, but most smartphones and tablets can be reset through their settings. In addition, physically remove the memory card and the subscriber identity module card, if your device has one.
  - Digital Cameras, Media Players, and Gaming Consoles. Perform a standard factory reset (i.e., a hard reset) and physically remove the hard drive or memory card.
  - Office Equipment (e.g., copiers, printers, fax machines, multifunction devices). Remove any memory cards from the equipment. Perform a full manufacturer reset to restore the equipment to its factory default.
- Overwriting. Another method of sanitization is to delete sensitive information and write new binary data over it. Using random data instead of easily identifiable patterns makes it harder for attackers to discover the original information underneath. Since data stored on a computer is written in binary code—strings of 0s and 1s—one method of overwriting is to zero-fill a hard disk and select programs that use all zeros in the last layer. Users should overwrite the entire hard disk and add multiple layers of new data (three to seven passes of new binary data) to prevent attackers from obtaining the original data.
  - Cipher.exe is a built-in command-line tool in Microsoft Windows operating systems that can be used to encrypt or decrypt data on New Technology File System drives. This tool also securely deletes data by overwriting it.
  - Clearing is a level of media sanitization that does not allow information to be retrieved by data, disk, or file recovery utilities. The National Institute of Standards and Technology (NIST) notes that devices must be resistant to keystroke recovery attempts from standard input devices (e.g., a keyboard or mouse) and from data scavenging tools.
- Destroying. Physical destruction of a device is the ultimate way to prevent others from retrieving your information. Specialized services are available that will disintegrate, burn, melt, or pulverize your computer drive and other devices. These sanitization methods are designed to completely destroy the media and are typically carried out at an outsourced metal destruction or licensed incineration facility. If you choose not to use a service, you can destroy your hard drive by driving nails or drilling holes into the device yourself. The remaining physical pieces of the drive must be small enough (at least 1/125 inches) that your information cannot be reconstructed from them. There are also hardware devices available that erase CDs and DVDs by destroying their surface.
  - Magnetic Media Degaussers. Degaussers expose devices to strong magnetic fields that remove the data that is magnetically stored on traditional magnetic media.
  - Solid-State Destruction. The destruction of all data storage chip memory by crushing, shredding, or disintegration is called solid-state destruction. Solid-State Drives should be destroyed with devices that are specifically engineered for this purpose.
  - CD and DVD Destruction. Many office and home paper shredders can shred CDs and DVDs (be sure to check that the shredder you are using can shred CDs and DVDs before attempting this method).
For more information, see the NIST Special Publication 800-88 Guidelines for Media Sanitization.
How can you safely dispose of out-of-date electronic devices?
Electronic waste (sometimes called e-waste) is a term used to describe electronics that are nearing the end of their useful life and are discarded, donated, or recycled. Although donating and recycling electronic devices conserves natural resources, you may still choose to dispose of e-waste by contacting your local landfill and requesting a designated e-waste drop off location. Be aware that although there are many options for disposal, it is your responsibility to ensure that the location chosen is reputable and certified. Visit the Environmental Protection Agency’s (EPA) Electronics Donation and Recycling webpage for additional information on donating and recycling electronics. For information on recycling regulations and facilities in your state, visit the EPA Regulations, Initiatives, and Research on Electronics Stewardship webpage.
from US-CERT National Cyber Alert System https://ift.tt/2OfNiu0
National Cybersecurity Awareness Month: Staying Secure
National Cybersecurity Awareness Month is over, but your work securing your home and business systems and networks is not.
NCCIC recommends users and administrators subscribe to NCCIC National Cyber Awareness System product notifications to keep on top of cybersecurity threats as they emerge.
from US-CERT National Cyber Alert System https://ift.tt/2Svr22O
Unpatched MS Word Flaw Could Allow Hackers to Infect Your Computer
Cybersecurity researchers have revealed an unpatched logical flaw in Microsoft Office 2016 and older versions that could allow an attacker to embed malicious code inside a document file, tricking users into running malware on their computers.
Discovered by researchers at Cymulate, the bug abuses the 'Online Video' option in Word documents, a feature that allows users to embed an online video with a link to YouTube, as shown.
When a user adds an online video link to an MS Word document, the Online Video feature automatically generates an HTML embed script, which is executed when the thumbnail inside the document is clicked by the viewer.
Researchers decided to go public with their findings three months after Microsoft refused to acknowledge the reported issue as a security vulnerability.
How Does the New MS Word Attack Work?
Since Word (.docx) files are actually zip packages of their media and configuration files, they can easily be opened and edited.
According to the researchers, the configuration file called 'document.xml,' which is a default XML file used by Word and contains the generated embedded-video code, can be edited to replace the current video iframe code with any HTML or JavaScript code that would run in the background.
In simple words, an attacker can exploit the bug by replacing the actual YouTube video with a malicious one that would get executed by the Internet Explorer Download Manager.
"Inside the .xml file, look for the embeddedHtml parameter (under WebVideoPr) which contains the Youtube iframe code," the researchers said.
"Save the changes in the document.xml file, update the docx package with the modified XML and open the document. No security warning is presented while opening this document with Microsoft Word."
Video Demonstration: MS Word Online Video Flaw
To prove the extent of the vulnerability, Cymulate researchers created a proof-of-concept attack, demonstrating how a maliciously crafted document with an embedded video would, if clicked, prompt the user to run an embedded executable (as a base64 blob) without downloading anything from the internet or displaying any security warning when the victim clicks on the video thumbnail.
The hack requires an attacker to convince victims to open a document and then click on an embedded video link.
Cymulate researchers responsibly reported this bug, which impacts all users of MS Office 2016 and older versions of the productivity suite, to Microsoft three months ago, but the company refused to acknowledge it as a security vulnerability.
Apparently, Microsoft has no plans to fix the issue and says its software is "properly interpreting HTML as designed."
Meanwhile, the researchers recommend that enterprise administrators block Word documents containing the embedded video tag "embeddedHtml" in the document.xml file, and that end users not open uninvited email attachments from unknown or suspicious sources.
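The blocking rule the researchers suggest can be implemented as a mail-gateway or upload check that unzips the .docx package and looks for an embeddedHtml attribute on a webVideoPr element. The scanner below is an added example, not Cymulate's or Microsoft's code; the sample document parts are constructed, the wp15 namespace URI in them is a placeholder (matching is done on local names, so the prefix Word really uses does not matter), and the classify() labels are a heuristic, not a rule from the article.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET


def _local(name):
    """Strip an XML namespace: '{uri}local' -> 'local'."""
    return name.rsplit("}", 1)[-1]


def find_embedded_html(docx_bytes):
    """Return [(part, embeddedHtml value), ...] for every webVideoPr element in
    any XML part of the package, or None if the input is not a zip at all."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(docx_bytes))
    except zipfile.BadZipFile:
        return None
    hits = []
    with zf:
        for part in zf.namelist():
            if not part.lower().endswith(".xml"):
                continue
            try:
                root = ET.fromstring(zf.read(part))
            except ET.ParseError:
                continue  # malformed part: not the signal we are looking for
            for el in root.iter():
                if _local(el.tag).lower() != "webvideopr":
                    continue
                for attr, value in el.attrib.items():
                    if _local(attr).lower() == "embeddedhtml":
                        hits.append((part, value))
    return hits


def classify(html):
    """Heuristic label for an embeddedHtml value (assumption: a benign embed is a
    single YouTube iframe; anything carrying script is treated as active content)."""
    if re.search(r"<script|javascript:", html, re.I):
        return "active-content"
    if re.fullmatch(r"\s*<iframe[^>]*youtube\.com[^>]*>\s*</iframe>\s*", html, re.I):
        return "youtube-iframe"
    return "other-html"


def should_block(docx_bytes):
    """Policy from the article: block any document that carries an embeddedHtml tag."""
    hits = find_embedded_html(docx_bytes)
    if hits is None:
        raise ValueError("not an OOXML (zip) package")
    return bool(hits)


# Constructed sample parts, not taken from any real document.
ONLINE_VIDEO_XML = (
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
    'xmlns:wp15="urn:example:wordprocessingDrawing">'
    '<w:body><w:p><w:r><w:drawing><wp15:webVideoPr wp15:h="315" wp15:w="560" '
    'wp15:embeddedHtml="&lt;iframe src=&quot;https://www.youtube.com/embed/abc&quot;&gt;&lt;/iframe&gt;"/>'
    '</w:drawing></w:r></w:p></w:body></w:document>'
)
PLAIN_XML = (
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:r><w:t>quarterly report</w:t></w:r></w:p></w:body></w:document>'
)


def build_docx(document_xml):
    """Pack a document.xml into a minimal zip so the scanner has a package to read."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()
```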
from The Hacker News https://ift.tt/2PvLVMD
Signal Secure Messaging App Now Encrypts Sender's Identity As Well
Signal, the popular end-to-end encrypted messaging app, is planning to roll out a new feature that aims to hide the sender's identity from potential attackers trying to intercept the communication.
Although messages sent via secure messaging services like Signal, WhatsApp, and Telegram are fully end-to-end encrypted as they transit the services' servers, each message leaves behind metadata that reveals who sent the message to whom and when.
The new feature, dubbed "Sealed Sender," announced by Signal is going to further reduce the amount of information that is accessible to the company itself.
However, you should note that Signal never stores metadata or logs about its users, such as who sends messages to whom and when, but the new feature would protect the sender’s identity in case the communication is somehow intercepted.
How Does Signal's Sealed Sender Feature Protect Metadata?
According to a blog post published by Signal on Monday, the Sealed Sender feature uses an encrypted "envelope" containing the sender's identity and the message ciphertext, which is then decrypted on the recipient's end with their own identity keys.
"While the service always needs to know where a message should be delivered, ideally it shouldn't need to know who the sender is," Signal developer Joshua Lund said. "It would be better if the service could handle packages where only the destination is written on the outside, with a blank space where the 'from' address used to be."
The whole process can be summarized in the following steps:
- The app encrypts the message using the Signal Protocol, as usual.
- It includes the sender certificate and the encrypted message in an envelope.
- It encrypts the envelope using the sender's and recipient's identity keys.
- Without authenticating, it sends the encrypted envelope to the Signal server along with the recipient's delivery token.
- The recipient can then decrypt the envelope and validate the identity key to learn who sent the message.
It should be noted that since the new technique eliminates the service's ability to validate the sender's certificate, which was used to prevent abuse and spoofing, the service has introduced additional workarounds that still allow users to verify who sent the incoming messages.
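The five steps above, walked through as an added toy model (not Signal's code or protocol): finite-field Diffie-Hellman over a Mersenne prime stands in for X25519 identity keys, HMAC-SHA256 in counter mode plus an HMAC tag stands in for the real AEAD and session ratchet, and an HMAC from the service stands in for its certificate signature. The one deliberate deviation from the article's step list, labelled in the code, is a per-message ephemeral key on the outer envelope so the recipient can open it before learning who the sender is; the demo shows that the service sees only the delivery token and that a tampered envelope is rejected.

```python
import hashlib, hmac, json, secrets

P, G = 2**127 - 1, 3   # toy DH group (M127 is prime); stands in for X25519

def keygen():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)
def derive(shared, label):   # HKDF stand-in: symmetric key from a DH shared secret
    return hmac.new(label.encode(), shared.to_bytes(16, "big"), hashlib.sha256).digest()
def _stream(key, data):      # HMAC-SHA256 counter-mode keystream XOR
    ks = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))
def encrypt(key, data):      # encrypt-then-MAC, an AEAD stand-in
    ct = _stream(key, data)
    return ct + hmac.new(key, ct, hashlib.sha256).digest()
def decrypt(key, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext tampered")
    return _stream(key, ct)

class Service:               # the Signal service: issues sender certs, routes by token
    def __init__(self):
        self.cert_key = secrets.token_bytes(32)   # stand-in for the service signing key
        self.tokens = {}                          # delivery token -> account
    def register(self, account, identity_pub):
        token = secrets.token_hex(16)
        self.tokens[token] = account
        cert = json.dumps({"sender": account, "identity_pub": identity_pub}).encode()
        return token, cert, hmac.new(self.cert_key, cert, hashlib.sha256).digest()
    def verify_cert(self, cert, sig):             # recipient-side certificate check
        return hmac.compare_digest(sig, hmac.new(self.cert_key, cert, hashlib.sha256).digest())
    def route(self, package):  # step 4: unauthenticated; only the destination is readable
        if set(package) != {"to", "envelope"}:
            raise ValueError("package must carry nothing but a destination")
        return self.tokens[package["to"]]

def seal(registration, sender_priv, recipient_pub, recipient_token, text):
    _, cert, sig = registration
    # step 1: encrypt the message under the sender/recipient session key, "as usual"
    inner = encrypt(derive(pow(recipient_pub, sender_priv, P), "session"), text.encode())
    # step 2: envelope = sender certificate + encrypted message
    envelope = json.dumps({"cert": cert.hex(), "sig": sig.hex(), "msg": inner.hex()}).encode()
    # step 3: encrypt the envelope; the ephemeral key lets the recipient open it first
    eph_priv, eph_pub = keygen()
    sealed = encrypt(derive(pow(recipient_pub, eph_priv, P), "envelope"), envelope)
    return {"to": recipient_token, "envelope": eph_pub.to_bytes(16, "big") + sealed}

def unseal(service, recipient_priv, package):
    blob = package["envelope"]
    eph_pub = int.from_bytes(blob[:16], "big")
    env = json.loads(decrypt(derive(pow(eph_pub, recipient_priv, P), "envelope"), blob[16:]))
    cert, sig = bytes.fromhex(env["cert"]), bytes.fromhex(env["sig"])
    if not service.verify_cert(cert, sig):        # step 5: validate before trusting 'from'
        raise ValueError("invalid sender certificate")
    info = json.loads(cert)
    key = derive(pow(info["identity_pub"], recipient_priv, P), "session")
    return info["sender"], decrypt(key, bytes.fromhex(env["msg"])).decode()

def demo():  # -> (account the service routed to, sender seen by recipient, text, tamper caught)
    svc = Service()
    (a_priv, a_pub), (b_priv, b_pub) = keygen(), keygen()
    a_reg, b_token = svc.register("alice", a_pub), svc.register("bob", b_pub)[0]
    pkg = seal(a_reg, a_priv, b_pub, b_token, "hello bob")
    routed_to = svc.route(pkg)                    # all the service ever learns
    sender, text = unseal(svc, b_priv, pkg)
    bad = dict(pkg, envelope=pkg["envelope"][:-1] + bytes([pkg["envelope"][-1] ^ 1]))
    try:
        unseal(svc, b_priv, bad); caught = False
    except ValueError:
        caught = True
    return routed_to, sender, text, caught
```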
Sealed Sender is currently in the beta version of the Signal app, so beta users can enable the feature via Settings → Sealed Sender and turn on the "Allow from Anyone" toggle to receive sealed-sender messages from non-contacts and from people with whom they haven't shared their profile or delivery token.
Besides protecting the sender's identity, the company is also looking at ways to encrypt IP addresses and other sensitive metadata that could be revealed by analyzing users' network traffic.
The Sealed Sender feature will be enabled by default in the upcoming version of Signal.
from The Hacker News https://ift.tt/2qjtEUr