Security Flaws & Fixes - W/E - 091418

Adobe's Flash Player and ColdFusion Receive Necessary Updates (09/12/2018)
Security updates for Adobe's Flash Player and ColdFusion were released on September 11. The ColdFusion advisory resolves nine bugs, including four critical issues that could lead to remote code execution.

Advisories Detail Vulnerabilities in Fuji Electric's V-Server and V-Server Lite (09/12/2018)
ICS-CERT posted an advisory for Fuji Electric's V-Server due to multiple vulnerabilities that could result in, among other things, a denial-of-service condition. V-Server VPR 4.0.3.0 and prior are affected by these issues. A second advisory was released for Fuji Electric's V-Server Lite due to a classic buffer overflow vulnerability.

Chrome for Android Receives Security Update (09/12/2018)
Google updated Chrome to version 69.0.3497.91 for Android. The release contains bug fixes and improvements.

Computer Weakness Could Lead to Cold Boot Attacks (09/13/2018)
F-Secure has discovered a weakness in computers that attackers can use to steal encryption keys and other sensitive information, and current security measures aren't strong enough to offer protection. A thief needs physical access to the computer before the weakness can be exploited, but once that occurs, an attack can take place within minutes. The "cold boot" attack involves rebooting a computer without following a proper shutdown process, then recovering data that remains briefly accessible in RAM after power is lost. This technique has been known since 2008, and modern laptops overwrite RAM to prevent this kind of threat. However, the researchers say there are steps an attacker can take to disable the overwrite process and re-enable the cold boot attack.

Google Fixes 50+ Bugs in Its Monthly Android Security Bulletin (09/11/2018)
The latest Android Security Bulletin contains fixes for more than 50 vulnerabilities in the operating system. Google warned that the most severe of these issues is a critical security vulnerability in the Media framework that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process. The bulletin is split into two parts: the 2018-09-01 security patch level, which addresses 24 vulnerabilities, and the 2018-09-05 security patch level, which resolves 35 issues.

Hackers Could Access Tesla Cars by Cloning Key Fobs (09/11/2018)
A team of researchers uncovered an attack method on Tesla's Passive Keyless Entry and Start (PKES) system. The group says that PKES, which is used to unlock doors and start engines, is built on the outdated proprietary DST40 cipher. They warn that weaknesses in the cipher allow an attacker to clone a key fob and gain access to the vehicle.

Ice Qube Thermal Management Center Found to Have Vulnerabilities (09/10/2018)
An ICS-CERT advisory discloses improper authentication and unprotected storage of credentials vulnerabilities in Ice Qube's Thermal Management Center. The vendor has recommended that users upgrade to the latest version (v4.13 or newer).

Microsoft Tightens Up Product Security by Releasing Monthly Fixes (09/12/2018)
Microsoft released its September batch of security fixes, resolving a total of 61 vulnerabilities, 17 of them critical. Among the most notable are patches for a zero-day Windows Task Scheduler bug and two elevation of privilege issues. Users should apply these updates immediately, as security experts have warned that some of these vulnerabilities are being actively exploited.

Safari Exploitable by Address Spoofing Bug that Microsoft Patched in Edge (09/12/2018)
A security researcher uncovered an address bar spoofing vulnerability in both the Safari and Edge browsers. Rafay Baloch noted that both browsers allow JavaScript to update the address bar while the page is still loading, so a malicious script can change the displayed address as the page continues to load. Baloch notified both Microsoft and Apple of the vulnerability in June. Microsoft patched it in its August edition of security fixes, but Apple has yet to release a patch.

Siemens Releases a Batch of Security Advisories (09/11/2018)
Siemens has issued multiple advisories to address vulnerabilities within its products. Among the issues are an OpenSSL bug and a denial-of-service issue in the vendor's industrial products, and a local privilege escalation vulnerability in the TD Keypad Designer.

VMware Squashes Bugs in AirWatch Agent, Content Locker (09/10/2018)
VMware has issued updates to plug security holes in AirWatch Agent and Content Locker.

Zero-Day Tor Browser 7.x Exploit Bypasses NoScript to Launch Malicious Code (09/11/2018)
Zerodium disclosed a vulnerability affecting the Tor Browser via tweet. According to the advisory, Tor Browser 7.x is vulnerable to a zero-day bug that bypasses the NoScript "Safest" security level, which can enable attackers to run malicious code. Tor 8.x is not affected by this bug.