Security Flaws & Fixes - W/E - 072817

Authentication Vulnerabilities Detected in Opteva ATMs (07/27/2017)
IOActive has discovered two vulnerabilities in Opteva ATMs with the AFD platform that, when combined, may allow an unauthorized user to vend notes from the device. Although Opteva separates its privilege and authentication requirements, the ATM is still vulnerable to a malicious attacker, compromising its integrity and causing unauthenticated vending from the AFD. Diebold has confirmed receipt of IOActive's notification, but has yet to say if it will make any remediations.

Critical Vulnerabilities Identified in Outdated Inmarsat AmosConnect 8 (07/24/2017)
SQL injection and backdoor account privilege takeover bugs have been uncovered in AmosConnect 8 (AC8) from Inmarsat. According to a vulnerability alert, AC8 has been deemed end-of-life and is no longer supported. Customers can contact Inmarsat Customer Service to obtain further information/updates for the replacement email client.

Cryptographic Weakness Found in Telerik Web UI (07/25/2017)
A vulnerability note warns that the Telerik Web UI, versions R2 2017 (2017.2.503) and prior, is vulnerable to a cryptographic weakness which an attacker can exploit to extract encryption keys. A remote, unauthenticated attacker could perform arbitrary file uploads and downloads, cross-site scripting attacks, leak the MachineKey, or compromise the ASP.NET ViewState. Telerik has posted updated information for specific versions.

Google Releases Chrome 60 (07/26/2017)
Chrome 60 has been released for the stable channel for Windows, Mac, and Linux and contains 40 security updates. Google announced Chrome 60.0.3112.78 on July 25,

IBM Issues Update for Cisco MDS Switches (07/24/2017)
IBM issued an advisory to address vulnerabilities in its Cisco MDS Series Switches Data Center Network Manager (DCNM) Software. When exploited, an attacker could use these vulnerabilities to take over an affected system. The vulnerabilities have been patched.

ISOC: Security Is Top Concern for Asia-Pacific Internet Users (07/26/2017)
The Internet Society's (ISOC) annual Survey on Internet Policy Issues in Asia-Pacific shows that cyber security is now the top concern for Internet users in the region, followed by access, data protection, connectivity, and privacy. The concerns over security, which this year displaced access as the number one issue, highlight the fears people in the region have when going online. A number of respondents expressed concern over increased surveillance that violates privacy rights, how censorship and the blocking of sites affects freedom of expression, the need to regulate fake news, and the lack of online child protection. More than half (55 percent) of the respondents indicate that they are either highly unlikely or unlikely to use online services if there are no guarantees that their personal information will be fully protected, and 90 percent of Internet users are very uncomfortable or uncomfortable with providing bank and credit card details online. A larger percentage of the population trust traditional services such as banks, public authorities, and health institutions, but have less trust in strictly online service providers. Data was gathered from more than 2,000 people in 40 economies across the Asia-Pacific region.

Joomla! 3.7.4 Fixes Vulnerabilities, Bugs in Earlier Versions (07/26/2017)
The newest version of Joomla! has been released and includes two vulnerability updates and more than 50 bug fixes. The latest version is 3.7.4.

Report: Security Control Systems at the IRS Remain Weak (07/26/2017)
According to a new report from the Government Accountability Office (GAO), the Internal Revenue Service (IRS) continues to be plagued with deficiencies that limit security control effectiveness for protecting the confidentiality, integrity, and availability of the IRS's key financial and tax processing systems. Although the IRS has addressed previously reported control weaknesses, the GAO noted that the agency hasn't effectively implemented components of its information security program.

Vulnerabilities Found in NXP i.MX Product Family (07/26/2017)
NXP's i.MX product family is affected by stack buffer overflow and improper certificate validation vulnerabilities, according to an advisory from ICS-CERT. Because this is a hardware vulnerability, there are no software workarounds available. Users should read the advisory for information on how to mitigate the risks.